Learning from 2014 Security Hacks

Raj Bhargava (CEO of JumpCloud) and I got into a discussion at dinner the other night about the major security hacks this past year including Sony, eBay, Target, and The Home Depot. Raj spend over a decade in the security software business and it was fascinating to realize that a common thread on virtually all of these major compromises was hacked credentials.

I felt this pain personally yesterday. A bunch of random charges to Match.com, FTD.com, and a few other sites showed up on Amy’s Amex card. We couldn’t figure out where it got stolen from, but clearly it was from another online site somewhere since it’s a card she uses for a lot of online purchases, so I cancelled it. Due to Amex’s endless security process, it took almost 30 minutes to cancel the card, get a new one, and add someone else to the account so I wouldn’t have to go through the nonsense the next time.

In my conversation with Raj, we moved from basic credential security to the notion that the number of sites we access is exploding. Think about how many different logins you have to deal with each day. I’m pretty organized about how I do it and it’s still totally fucked.

Every major new service is managed separately. Accounts to AWS or Google Compute Engine or Office 365 are managed separately. Github is managed separately. Google Apps are managed separately. Every SaaS app is managed separately. All your iOS logins are yet another thing to deal with. The only thing that isn’t managed separately are individual devices – as long as you have an IT department to manage them. Oh wait, are they managing your Mac? How about your iPhone and other BYOD devices? Logins and passwords everywhere.

Raj’s assertion to me at our dinner was that there are too many different places, and too many scenarios, where something can be compromised. For instance, some companies use password managers and some don’t. Some companies that take password management to an individual level – where a single employee manages her own passwords – end up with many login / password combinations which are used over and over again. Or worse, the login / password list ends up in an unencrypted file on someone’s device (ahem Sony.)

If you are nodding, you are being realistic. If you aren’t nodding, do a reality check to see if you are in denial about your own behavior or your organization’s behavior. Think about how new services enter your organization. A developer, IT admin, marketing person, executive, or salesperson just signs up for a new online service to try. When doing so, which credentials do they use? If it is connecting to your company’s environment, it’s likely they are using your organization’s email address and a verbatim password they use internally as well. That’s a recipe for getting hacked.

So, Raj and I started discussing solutions. Some of it may just be unsolvable as human nature may not let us completely protect users online. But it seems like there are areas where we can make some immediate headway.

  • Secure directory services (the approach JumpCloud is taking)
  • Multi-factor authentication has become all the rage (I use it)
  • Different strong passwords for each service, possibly via a password manager like LastPass (which is what I use)

What other approaches exist that would scale up from small (10 person orgs) to large (100,000 person orgs) and provide the same level of identity and credential security?

  • http://beerdreamer.com/ Jordan Elpern-Waxman

    Why no mention of biometrics?

    • Rob

      Agreed Jordan. I was thinking the exact same thing. Maybe I am naive, but I absolutely love how easy it is for me with my iphone 6. If I want to buy something at walgreens, a thumbprint is all I need. If I want to download an app off the app store, a thumbprint again. I am sure that somewhere, in the apple world, there could be a compromise of some sorts that may expose my thumbprint to the world. But I think at some point, we have to admit that if people want to steal, they will find a way. It does not mean that we just give up and don’t keep trying to stay one step ahead, but that is all we will ever be is one step ahead. I guess I would rather see money being spent in R&D and with VCs on technology that is able to diagnose the compromise faster and shut it down faster. If we admit that we will always have people that will want to steal, lets minimize what they can take and create better ways of tracking them down. And lets make my thumb even more useful than it is today so I don’t have to remember any passwords.

  • Tracy

    I’m working with a business called Passrock. It’s a young,
    boot-strapped business that is build around the idea of providing a practical
    approach for enterprises to address today’s problems related to password reuse
    and account hacking. While enterprises can secure their own sites, user
    behavior related to password re-use and breaches on other sites continue to
    make enterprises vulnerable. So, Passrock goes where the hackers share their
    spoils – a “white knight” in the darkweb. Passrock built software to aggregate
    stolen customer information and credentials in hacker communities. Passrock
    collects massive volumes of raw data in real-time, processes and interprets the
    data, and makes the data available to enterprises with compromised user credentials in these hacker communities.

  • http://plus.google.com/+DaryllStrauss Daryll Strauss

    I’m using Yubikey with LastPass. Two factor is a big step in the right direction, but I worry about the damage losing a phone could cause.

    Phones have as much access as a desktop. They are easy to lose. They are the primary device for two factor checks. Lose your phone and you’re relying on a weak pin code.

    NFC on the neo provides two factor for the phone itself.

    • Topher Marie

      Big fan of Yubikey here too!

  • Fletcher Richman

    We’ve been using Meldium at PivotDesk as a solution for this and its working incredibly well: https://www.meldium.com/. I also am a big fan of Dashlane, which I use for my personal passwords.

  • http://www.rassoc.com/gregr/weblog greinacker

    I use 1Password, plus MFA on most sites where it’s supported. IMHO everyone should be at least using something like 1Password or LastPass…

  • http://www.dudumimran.com/ Dudu Mimran

    Directory is the most sensitive organization may have and puts a lot of money to make it secure. There are quite a few startups also innovating around active directory. Do you think a saas proposition for such sensitive service would be accepted by CISOs? Which companies are the targeted first by them?

    • Topher Marie

      It used to be that CISOs resisted moving email infrastructure offsite for exactly the same concerns — now a great many companies use Gmail. It hasn’t been a security concern because they’ve done it well. (Privacy, on the other hand…)

      That’s not to say that there isn’t resistance from large enterprise. But I think SaaS-based approaches for these infrastructure plays are pretty well embraced by “cloud-native” organizations.

  • http://about.me/frank_miller Frank W. Miller

    This is IMHO the most pressing issue on the Internet today. However, I don’t think its necessarily a technical problem. I think its a business/cultural problem. While I’d luv to have a single login to get on “the net”, the desires of individual companies to keep control of their silos for business reasons are strong. Until we can get a “Google” for login, this problem will persist. There was an effort using OpenID a couple years ago and the Facebook and/or Twitter logins seems now to be proliferating somewhat but I really can’t wait until I’ve got my single “fwmiller” login everywhere. Hurry up and fund the solution!! ;)

    • Rick

      You’re right it’s not a technical issue.
      .
      But I think that most people don’t want to log in at all for most things on the web. Most people don’t want their web usage tracked and you can keep what data is needed to improve their experience without going bonkers about it.

    • Rick

      “Hurry up and fund the solution!!”
      .
      I agree. When you gonna’ open those purse strings? :-)

  • http://blog.timothypost.com/ Timothy Post

    Steve Gibson (Security Now podcast w. Leo Laporte) has developed a replacement for usernames and passwords called SQRL (Secure Quick Reliable Login)… pronounced like the furry little animal that climbs trees and likes to bury nuts.

    It’s really quite elegant. Here’s some pages with info on SQRL:

    a. Wikipedia page on SQRL (http://en.wikipedia.org/wiki/SQRL)
    b. Steve’s own page on SQRL https://www.grc.com/sqrl/sqrl.htm
    c. Security Now podcast (Youtube… starts at the 5:14 minute mark) were Steve details SQRL, himself http://www.youtube.com/watch?v=PtfFwOYxCnc

    Interested to hear your thoughts, once you’ve had some time to analyze it.

  • http://www.eliotpeper.com/ Eliot Peper

    The silver lining of widespread security breaches? Ample material for new technothriller novels… :)

    • williamhertling

      Heck, yes. :)

  • StevenHB

    Most of the security people I know dislike password managers. They tell me that it’s just too easy to compromise a machine and then capture all keystrokes, particularly for known password managers.

    Nonetheless, I use one because there doesn’t seem to be any better solution.

  • http://www.about.me./Mariah.Lichtenstern Mariah Lichtenstern

    This is why we’re going to end up with chips embedded in our head / hand – probably genetic authentication of all our payments. Rather than pesky logins on websites characterizing the data entry buying / browsing experience of today, the future of passwords and commerce is probably going to revolve around sensors.

    • http://www.feld.com bfeld

      I am the first in line for augmentation.

      • http://www.about.me./Mariah.Lichtenstern Mariah Lichtenstern

        Speaking of augmentation / augmented reality, have you seen the Microsoft HoloLens demo?

        Microsoft’s HoloLens Live Demonstration: http://youtu.be/b6sL_5Wgvrg

        I could see ocular scanning integration in this kind of OS. Which brings the movie “I Origins” to mind. No holograms, but if you haven’t seen it, I think you and Amy would enjoy the /romantic take on Sci-Fi.

  • JT

    I have been in IT Audit, Assurance and Security Practice for more than a decade and agree with you with all the pain around user credentials/access management. Most of the breaches happen due to weak practices around user credentials management.

    Many corporations are jumping onto IdM (Identity Management) implementations and hoping that IdM applications might be their silver bullet.

    • http://www.feld.com bfeld

      Yeah – IdM doesn’t seem like it goes all the way.

      • Greg Keller

        Right. We’re seeing an interesting effect SSO providers have had on the market – that being their assertion of being the silver bullet in IdM. Generally speaking, their coverage focuses on SaaS authentication and is only a ‘layer’ of the touch points that require governance. Machine endpoints (cloud/virtualized and physical), network endpoints (file shares, intranet services), etc are all part of the authentication/authorization need for IdM – requiring an IT team to have complete control and knowledge of where an employee’s ID has been provisioned to.

  • Steven Webster

    I’m also a user of LastPass, and am institutionalizing this across our team. I think LastPass (and similar offerings) have an opportunity to make their technology a much more seamless layer of corporate IT infrastructure, such that passwords are pushed down a tier for the user, and can be adminstered centrally.

    Any time I onboard a new member of staff, I’d like to enforce at the browser level, that their passwords are managed by a 3rd party (such as LastPass) and that the passwords are extremely strong passwords, that rotate on an incredibly frequent basis. I’d like to immediately provision them access to properties that I with them to have access, but revoke that access at any moment and they never knew the password. If you never actually know your password, it also removes one of the weakest links – social engineering/hacking.

    Get this right, and as end users, we will never have to think up, remember, change or enter a password again. And security will be greater across the organization.

    It’s a rare opportunity to move the needle on end-user delight AND increased security at the same time.

    • http://www.feld.com bfeld

      Good feature suggestions for LastPass. Jumpcloud should also look into direct integration with the password managers – I’ll suggest that.

      • Greg Keller

        Agreed Steven & Brad – These types of integrations and partnerships will be an obvious next step for our Directory service. We look at the world mainly as being the authoritative source of identity within a company…and would like to ensure these authentication mechanisms take their cue from us. e.g., setting policy about the identity and how services (like password managers) need to instantiate the required policy (hardening passwords or 2FA as examples). These integrated ‘services’ we believe should still tie back to one authoritative ‘truth’ for control and management about the identity (the Directory). That’s the vision anyways!

  • ken keller

    2FA + password mgrs are a good step. For internal apps, network admission is a technology that companies use on VPN but not enough on the internal network. When an emp is terminated, it is hard to revoke access to SaaS apps though a directory service is helpful for individual credentials. The trouble is if the ex-emp can get on the internal network, he might know a system account’s credentials. CyberArk claims to address this but I haven’t used the product.

    • Topher Marie

      That’s a great point Ken. Not only could they still get onto a particular machine inside your network, but you might have a scenario where you have cloud-based infrastructure with incoming IP restrictions. Our AWS machines will only allow us to SSH in from our company’s IP range, for instance. If a former employee sat outside with a laptop and joined the wifi, that would be a vector of attack.

      We got tired of changing our WPA password every time an employee left. Now we have individual passwords (controlled by our directory, of course) with Meraki.

  • zmre

    The future will bring cryptographic key based identities that can be used across apps and devices. Passwords or biometrics will be local and used to unlock the keys. Some interesting proposals on how this will work (with 2fa aspects optional) coming out of the FIDO Alliance.

    • http://www.feld.com bfeld

      Biometrics feel like the ultimate answer to a lot of this, except when the bad guys start cutting off fingers and ripping out eyeballs.

      • http://www.rassoc.com/gregr/weblog greinacker

        Related to this, there’s also that recent court decision, saying that your fingerprint is not covered by the 5th amendment, unlike passwords…here’s a link:

        http://hamptonroads.com/2014/10/police-can-require-cellphone-fingerprint-not-pass-code?wpisrc=nl-swbd&wpmm=1#

        • http://www.feld.com bfeld

          Wow – that’s seriously scary.

          • zmre

            Fascinating. So if your device is the key to your identity and you protect your key with biometrics, you have two issues: law enforcement (potentially), and physical coercion (or thumb removal to go to Brad’s extreme). That makes protection of the keys on your device via passcode look much better despite the negative usability tradeoff.

            For what its worth, until we hit the happy place, I use unique passwords *and email addresses* per app/site that I sign up to. The passwords I generate via an algorithm so I can know my password on each site. Then I back that up with 1Password and 2FA wherever possible. But this sucks and I’m looking forward to a simplified future with cryptographic identities made simple and commonplace.

  • DA

    You’re making the reasonable assumption that the hack is from an online purchase. Despite using password vaults and strong unique passwords everywhere, my husband’s card has recently been hacked for third time in less that 2 years. Mine hasn’t. We both shop online. I’m the Target and Home Depot shopper. The difference? He usually handles the resturant checks. The latest was with a new chip & pin card — useless when vendors can’t support it.

    • http://www.feld.com bfeld

      Good point – it’s possible it’s from a physical purchase, but unlikely since we rarely use that card for anything other than online.

  • williamhertling

    I think behavior will become a third factor in authentication. That is, it’s not enough to have the device and the (password/fingerprint/whatever). You have to behave like you: how you move the mouse, how you touch the screen, how you type, which websites you visit, which applications you use in what order.

    So behavior, device, legacy authentication combine to assert that it’s you. Stop behaving like you, and the device through which you are interacting will stop validating your identity.

    Then the problem becomes how you log in when you’re injured in some way that changes your behavior.

    Combine that with either pervasive use of SSO or robust password managers, and then the password itself will no longer be the vulnerable point.

    Of course, both SSO and password managers have problems, too. If you defer identity manager to a service, you’ve got to trust that service. Do you trust Google to authenticate you, to hold your biometric data, your behavioral data? What happens if you get bought into Google IDM, and then they make opting into Google+ a prerequisite to using the IDM?

    And with password managers, you’ve got to trust that your device isn’t compromised.

    • Topher Marie

      That’s an interesting point William, and I think something that’s overlooked as identity is starting to get centralized — not only does the service provider have to trust the identity manager (Google, in your example) but I, as the end user, ALSO have to trust the identity manager.

      And not just to accurately authenticate me, but also to safeguard my data and my privacy. So when a site or app requires Facebook authentication for me to use their service… I’m out!