Data breach can affect other “SoNet” Junkies
The hack of the social networking (“SoNet”) giant LinkedIn may have made your company more vulnerable to a data breach. The recent attack where 6.5 million passwords were posted on a Russian online forum has been well reported. The combination of insecure data files, outdated cryptography and user-managed passwords should make every corporate officer to demand a network security audit. So what happened?
There were a number of security failures:
- The inability to first authenticate who’s “knocking” on the firewall before allowing them access
- The use of outdated, weak encryption to secure the password data files, and
- Users having the ability to implement weak passwords.
Authenticate before access
Many security schemes like User Name and Passwords, One Time Passwords, Single Sign On and even PKI are useless if the person typing the information or holding a token is not first authenticated. Typing a password only proves that someone or thing knows the secret. Reading a token only proves that someone has it.
This is where multi-levels of assurances are required. There first need to be multi-factor authentication between the user and the token. Next there needs to be multi-factor authentication between token to the computer that is independent of the user. Still not finished, now you want to authenticate the card to the server with a challenge/response. And finally, authenticate the server to the user with an encrypted classification code stored in the token.
Power LogOn offer all these security features and more.
People are often the weakest security link
I have written numerous blogs about how people are the weakest link to password based security. They will pick easy to remember passwords, passwords that are often found in the dictionary, and use a password that many others also use. Do you know what the five most common passwords are?
- 123456
- 12345
- 123456789
- Password
- iloveyou
Security pundits will tell you that passwords 1) need to be complex, 2) be unique for every site, 3) must be changed frequently, and 4) should never be write them down for others to find. Would it shock you to know that after all the hacks, identity thefts and data breaches that have gone on that the strength of user-based passwords has not changed in the past 20 years. The reason being is that people can’t manage them.
Power LogOn takes password management out of the hands of the employee and puts it back in control of IT security.
Outdated encryption of data file
LinkedIn encrypted their password account list with an outdated cryptology called SHA-1. SHA-1 encrypts the same word the same way every time. Since people are terrible at picking passwords as discussed above, the breaking of the password files becomes a simple game of “Cryptogram” that a computer plays 24/7.
Power LogOn assigns long, complex, unique passwords to every account.
How to fix the problem.
This attack is another reminder that companies must put security in place to protect password files and don’t allow your employees to manage their passwords. Here are my tips:
First, the user has to be taken out the security process in picking and managing passwords.
Second, the use of a multi-factor password manager that authenticates the user to the card, the card to the computer and the card to the server is required. A product like Power LogOn.
Third, use a better encryption algorithm and/or “salt” password entries with random characters to make every SHA-1 entry different.
Finally, the media is reporting that t everyone needs to change their passwords. While a good short term remedy, but not if you revert back to:
- Simple passwords
- Writing passwords down on notes or storing them in files
- Using the same password for multiple sites.
Data breaches are getting more pervasive. Many computer security networks have not been checked or updated in years. While in-house IT is constantly working to keep everything running, sometime you need to call in a specialist. No different than when you see your doctor.
Contact Access Smart for a free, no obligation consultation, or check out our technology partner’s page to find the security specialist you need.