At the beginning of June, approximately 6.5 million LinkedIn password hashes were posted on an online forum by a hacker requesting help in reversing the hashes into valid passwords. This was followed, apparently by the same group of hackers, by passwords from the dating website eHarmony. In July, Formspring and Yahoo passwords were compromised. Then, on September 3, a list of 1,000,001 Apple unique device identifiers (UDIDs) out of a supposed 12,367,232 were posted; hackers claimed to have compromised an FBI laptop to obtain the UDIDs as well as associated user names, cell phone numbers, and addresses. After further investigation, it was determined that the source of the compromise was actually the Tampa, Fla.-based mobile publishing company Bluetoad, which had been compromised back in March. That’s right — it took six months for Bluetoad to be alerted that the data breach had even occurred!
While these very public compromises may have just begun to hit mainstream news, there have been hundreds of compromises in 2012 already (only 26 fewer than the highest number reported in any previous year). And the scariest part? According to an FBI survey, only about 34 percent of compromises are ever reported. Now, more than ever, is the right time for your business to take the steps to ensure customer data and proprietary information are secure.
Learning From Others
LinkedIn took hours to respond publicly after its users’ hashed passwords were posted online. Even after finally acknowledging the compromise, it still hasn’t confirmed that it’s determined when and how hackers accessed its users’ account information. More importantly, it hasn’t announced that the vulnerability that led to the compromise has been discovered and resolved.
Formspring and Yahoo, on the other hand, confirmed their breaches and applied fixes within 24 hours. Formspring went further and provided detail on how the breach was fixed.
In addition to these examples of reactions to compromises, it’s important to focus on why these compromises were able to affect users. Since the compromise, LinkedIn has implemented salted hashing of user passwords. This security best practice makes it much more difficult for attackers to reverse the hashed passwords into the original passwords. Other important practices are regular network security reviews, testing of implemented information security controls, and attention to an array of system and network hardening standards to give your information systems the best chance against would-be hackers.
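The following is an added illustration, not code from the article or from any of the companies it discusses, of why the salted hashing the article credits LinkedIn with adopting matters. It places an unsalted hash (the weak scheme) beside a per-user salted, iterated hash using only the Python standard library; the sample passwords and the stored-record format (`iterations$salt$hash`) are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials for demonstration only.
SAMPLE_PASSWORDS = ["linkedin2012", "linkedin2012", "correct horse battery"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: a plain, fast hash with no salt.

    Two users who chose the same password get the same hash, so cracking one
    hash unmasks every user with that password, and precomputed tables can be
    run against an entire leaked dump at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """Salted, deliberately slow hashing with PBKDF2-HMAC-SHA256.

    A fresh random salt per user means identical passwords produce different
    records, and the iteration count makes each guess expensive. The record
    stores everything needed to verify later: 'iterations$salt_hex$hash_hex'.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time so the check itself leaks nothing via timing."""
    iterations, salt_hex, _ = stored.split("$")
    recomputed = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)


def duplicate_hash_count(passwords, hasher) -> int:
    """How many stored records are exact duplicates of another record.
    With an unsalted hasher this equals the number of reused passwords;
    with a salted hasher it is always zero."""
    records = [hasher(p) for p in passwords]
    return len(records) - len(set(records))


if __name__ == "__main__":
    print("duplicates, unsalted:", duplicate_hash_count(SAMPLE_PASSWORDS, unsalted_hash))
    print("duplicates, salted:  ", duplicate_hash_count(SAMPLE_PASSWORDS, salted_hash))
    record = salted_hash(SAMPLE_PASSWORDS[0])
    print("stored record:", record)
    print("verify correct password:", verify_salted(SAMPLE_PASSWORDS[0], record))
    print("verify wrong password:  ", verify_salted("not-the-password", record))
```

PBKDF2 is used here because it ships with Python; purpose-built password hashes such as bcrypt, scrypt or Argon2 are the usual choice in production, but the salting and work-factor principles shown are the same.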
The Importance of Passwords
Upon hearing about the LinkedIn and Yahoo breaches, most companies immediately sent internal e-mails telling employees to change their passwords, which missed the real intent of the hack. Hackers never wanted access to the LinkedIn accounts themselves, since those accounts simply aren't very valuable. So what were they after? E-mail addresses paired with account passwords. They hope you, like so many others, reuse the same password across many or all of the sites you use.
If you use the same password to log into LinkedIn as you do for your e-mail account, stop reading, and change your e-mail password now. Access to your e-mail provides a hacker with the ability to view all the other sites you’ve signed up for using that e-mail address. This means they can locate accounts like your online banking sites, online shopping (particularly sites where you've stored your credit card information), and online payment sites like Google Checkout or PayPal. Using the information they originally gained from accessing LinkedIn, they can then purchase goods and sell them for cash. Often, a large haul of username/e-mail and password combinations is broken up and sold off on hacker sites, leaving individual cyber criminals with smaller chunks of user data that they can take advantage of in whatever way they see fit.
These breaches at large institutions will continue to occur, so where does that leave the end user? Vulnerable…but that vulnerability can be decreased by following these three tips:
- Use tiered passwords. Don’t use the same password for all sites. The key to your office door shouldn’t open the front door of your house or safe, so why should one password access different sites/systems? Just like you have different keys for different doors, you need to use different passwords for different sites (especially financial and e-mail sites).
- Change your passwords more frequently. When was the last time you changed your password for your online banking account or your Facebook account? Ideally, you should change passwords to sensitive accounts at least every 30 days.
- Set strong passwords. Long passwords that contain letters, numbers, and special characters can be difficult to memorize across numerous websites. So what can a user do? Use passphrases. For example, “MyBirthDate?June15,90.” It’s long, it contains letters, numbers, and special characters, and it’s easy to remember.
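As an added example (not from the article), here is a small checker that enforces the "strong password" criteria of the third tip: length, letters, numbers and special characters. The minimum length of 14 is an assumption chosen for this example; the article gives no number. It accepts the article's own passphrase and reports exactly which rules a weaker candidate breaks, which is the feedback a registration form or internal policy tool should give rather than a bare reject.

```python
import re
import string
from typing import List

# Assumed policy thresholds for this example; the article states no numbers.
MIN_LENGTH = 14


def check_password(candidate: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("contains no digits")
    if not any(ch in string.punctuation for ch in candidate):
        problems.append("contains no special characters")
    # A passphrase made of a single repeated character class (e.g. "aaaa...") is
    # long but weak; require at least four distinct characters.
    if len(set(candidate)) < 4:
        problems.append("uses fewer than four distinct characters")
    return problems


def is_strong(candidate: str) -> bool:
    return not check_password(candidate)


if __name__ == "__main__":
    # Constructed candidates, including the article's own example.
    for pw in ["MyBirthDate?June15,90.", "password", "Abcdefghijklmnop1", "1111!!!!11111111"]:
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else ', '.join(verdict)}")
```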
As Americans become increasingly comfortable with computers and information systems, they also become more aware of the threats posed to their identities and lives. This is largely due to the media, who are particularly attuned to reporting these compromises. This means that any compromise of your systems is more likely than ever to generate bad press. Even worse, with hackers now commonly posting data they’ve obtained on public websites, the risk to your company or customer data is significantly heightened. Your chance to prevent an attack can be significantly affected by proper planning and an aggressive information security program. And, if you are compromised, your chance to react and halt an attack in progress can be improved with new tools and properly developed reaction plans.
As you can see from the chart courtesy of the Open Security Foundation, technology breaches continue to plague individuals and companies at alarming rates. These best practices can be the difference between security and vulnerability. For more information, feel free to give us a call.