The recent attacks that leaked millions of passwords from LinkedIn and eHarmony accounts are almost becoming a daily news event for those of us who monitor the security field.
YADAB! (Yet Another Data Breach!) might become a new buzzword.
We have conversations ranging from threat and risk analysis to whether the attackers are actually doing society a favor by exposing vulnerable applications and forcing the hand of the provider to pay more respect to the implied trust that customers have in them.
In the meanwhile the question lingers, why can't it just be prevented?
In my security classes, we always discuss the countermeasures to any attack that is demonstrated. Even though some attacks are close to 100 percent preventable, the fact remains that millions of websites do not take advantage of even simple controls. Users must do their part as well. The practice of security is a cooperative effort.
For example, the recent LinkedIn breach leaked SHA-1 hashes that were not salted.
A hash is a one-way representation of data: it cannot be reversed. It is attacked by a method called “brute forcing,” where a hash is calculated for every combination of a set of characters until a matching hash is discovered (called a collision).
SHA-1 produces 160-bit hashes for data of any size. Just going up to SHA-256 would double the number of possible hashes 96 times over. Using SHA-384 would double the collision space 224 times over.
Salting introduces random data into the hashed password so that a prepared “lookup” table becomes impractical because of the storage it would require. Multiply the collision space of the hash by the number of possible salts, and you get a storage requirement larger than the number of molecules in the observable universe.
Even the Amazon cloud or Google can't store it -- but that could change in a few years. I'll update this article if it does.
The problem is that lengthening the hash and salting don't prevent “guessing” or “dictionary” attacks. That doesn't mean that organizations like LinkedIn shouldn't do it, but nothing can protect a weak password.
This might be one reason the site providers don't bother. Another is that they don't want to alienate customers by requiring unwieldy passwords or being forced to educate them as to why the policy exists.
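The three points above (a lookup table breaks unsalted hashes, a per-user salt makes the table useless, and a weak password is still guessable with or without a salt) can be demonstrated in a few lines. The following is an added example, not code from the article; the user records and the candidate list are constructed sample data, and the PBKDF2 functions at the end show the slow, salted storage that the article recommends moving toward.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from any leaked file): two accounts that
# happen to share the same weak password.
SAMPLE_USERS = {"alice": "summer2012", "bob": "summer2012"}

# Constructed candidate list standing in for a small dictionary.
CANDIDATES = ["password", "123456", "summer2012", "letmein"]

# Digest output sizes in bits, used to count how many times the space doubles.
BITS = {"sha1": 160, "sha256": 256, "sha384": 384}


def doublings(from_alg, to_alg):
    """Number of times the output space doubles when moving between digests."""
    return BITS[to_alg] - BITS[from_alg]


def sha1_unsalted(password):
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password, salt):
    # The salt is part of the hashed data, so equal passwords give different digests.
    return hashlib.sha1(salt + password.encode()).hexdigest()


def store_unsalted(users):
    return {name: sha1_unsalted(pw) for name, pw in users.items()}


def store_salted(users):
    """Each user gets a fresh random salt, stored next to the digest."""
    out = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        out[name] = (salt.hex(), sha1_salted(pw, salt))
    return out


def build_lookup_table(candidates):
    """Precomputed digest -> password table; only useful against unsalted hashes."""
    return {sha1_unsalted(c): c for c in candidates}


def recover_unsalted(table, stored):
    """Every unsalted digest is a single table lookup."""
    return {name: table.get(digest) for name, digest in stored.items()}


def recover_salted_with_table(table, stored):
    """The same table never matches a salted digest."""
    return {name: table.get(digest) for name, (_salt, digest) in stored.items()}


def weak_password_still_guessable(candidates, stored):
    """Salting forces one hash per guess per user, but a password that sits in a
    tiny dictionary is still found; only a strong password defeats guessing."""
    found = {}
    for name, (salt_hex, digest) in stored.items():
        salt = bytes.fromhex(salt_hex)
        found[name] = next((c for c in candidates if sha1_salted(c, salt) == digest), None)
    return found


def pbkdf2_store(password, iterations=200_000):
    """Salted and deliberately slow: each guess costs `iterations` HMAC rounds."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), iterations, dk.hex()


def pbkdf2_verify(password, record):
    salt_hex, iterations, dk_hex = record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Note that `store_unsalted` gives alice and bob identical digests, which by itself tells a reader of the file that they share a password; `store_salted` removes that signal as well as the table attack. `weak_password_still_guessable` is the article's caveat in code: the salt is stored in the clear beside the digest, so it adds no secrecy, only work per guess, and a password from a small dictionary falls anyway.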
The lure of what social networking sites provide is fertile ground for many types of attacks, because it is human nature to pay more attention to possible dangers in a dark alley yet take our surroundings for granted at the amusement park. When the alternative is less fun or convenience, we will usually choose to perceive these threats as less significant.
Our goal as security practitioners is to help people understand and be proactive before they have to learn the hard way. We cannot make businesses concentrate on security or prevent attackers from eventually breaching them.
But we can improve at making sure that what criminals get for a reward is nothing but a large file they can't do much with. It's like they teach in self-defense classes: “Don't be an easy target.”
We have to be diligent about education without sounding horns and overreacting with FUD (fear, uncertainty and doubt). Although we should encourage businesses to improve how they protect our data, the reality is that we have to do our part also, as our society increasingly depends upon social network connectivity and smartphones, and children come of age in a world where all of this seems normal and routine to them.
Here are a few simple tips we can all give to friends and family:
- Don't be socially engineered: When attacks such as LinkedIn, eHarmony, Sony, and others are made public, social engineering attacks to collect passwords from users who are reacting to the hype are common. Don't visit sites that advertise that they will check to see if your password was compromised. Whether they are legitimate or not, by the time you find out it is too late.
- Respect the hackers' password-cracking tools: It is helpful to know a little about how they work. Do not use the name of the website in your password -- that was how most of the LinkedIn hashes were cracked -- or any personally identifiable information (PII). PII wasn't in the leaked files, so giving it away in the password only gives the attackers more data. Their tools try all of these things first. They also know that many users like to place a two-digit number at the end of their password, spell a dictionary word backward, or rely too much on changing case.
- Make cracking your accounts impractical: Change your password often. Use the strongest password that the website will allow. Don't use the same one for every website. Some websites only let you use letters and numbers, so be mindful about what PII you give to those. If they support it, just one or two punctuation characters will dramatically decrease the chance of your password being cracked. Do not use typical character substitutions such as an “@” for the letter “a.” Choose something more random that is a personal secret.
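The red flags in the tips above (site name or PII in the password, a trailing two-digit number, a dictionary word reversed, re-cased or written with the usual “@”-for-“a” substitutions, and no punctuation) are easy to turn into a self-check that a user or a site's sign-up form can run before a password is accepted. The following is an added example, not the article's code; `COMMON_WORDS` is a constructed five-word stand-in for a real wordlist, and the 12-character minimum is this example's assumption, not a figure from the article.

```python
import re

# Constructed miniature wordlist; a real check would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "monkey", "dragon"}

# Undo the usual substitutions so "p@ssw0rd" is judged as "password".
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 12  # assumed threshold for this example


def normalize(text):
    return text.translate(SUBSTITUTIONS)


def check_password(password, site_name, pii=()):
    """Return the list of red flags found; an empty list means none fired."""
    findings = []
    lower = password.lower()
    stem = re.sub(r"\d+$", "", lower)   # "summer99" -> "summer"
    norm = normalize(stem)              # "p@ssw0rd" -> "password"

    if site_name.lower() in lower or site_name.lower() in normalize(lower):
        findings.append("contains the site name")
    for item in pii:
        if item and (item.lower() in lower or item.lower() in normalize(lower)):
            findings.append("contains personal data")
    # A non-digit followed by exactly two digits at the very end.
    if re.fullmatch(r".*\D\d{2}", password):
        findings.append("ends with a two-digit number")

    is_word = norm in COMMON_WORDS
    is_reversed = norm[::-1] in COMMON_WORDS
    if is_word or is_reversed:
        tricks = []
        if norm != stem:
            tricks.append("character substitution")
        if is_reversed and not is_word:
            tricks.append("reversed")
        if password != lower:
            tricks.append("case changes")
        label = "dictionary word"
        if tricks:
            label += " with " + ", ".join(tricks)
        findings.append(label)

    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[^\w]", password):
        findings.append("no punctuation character")
    return findings


if __name__ == "__main__":
    for pw in ["LinkedIn2012", "P@ssw0rd", "remmus42", "Violet;kettle#orbit9"]:
        print(pw, "->", check_password(pw, "LinkedIn", pii=("Smith",)) or "no red flags")
```

The normalization step is the part worth copying: cracking tools apply the same rules in reverse (append digits, reverse the word, swap “@” for “a”), so a checker that only compares the raw string against a wordlist misses exactly the passwords those tools find first.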
Attackers know about the common techniques. With a little creativity and not much effort, we can dramatically improve how we protect our own data. We can make the impact of these breaches into a positive by encouraging conversations about awareness and making training more available.