February 07, 2015

Stop the Mass Hacks Attacks: Use Strong 2-Factor Authentication or Go to Jail!

I'm opposed to capital punishment for a whole slew of reasons, but every time I hear about a hack attack exposing masses of innocent persons' information, I find myself reconsidering that penalty -- not for the hackers, but for the irresponsible system administrators and their bosses who leave their operations so incredibly exposed when effective solutions are available -- and have been for quite some time.

OK, perhaps capital punishment for them would be going a bit too far, but I'll bet that spending a couple of years shackled in a cell with their new best friend "Bubba" would impress upon them the seriousness of the situation.

If we look at what is publicly known about the recent Sony hack, and the just announced and potentially much more devastating Anthem attack -- plus a whole list of other similar mass data thefts, a number of common threads quickly emerge.

First, these typically have nothing to do with failures of communications link security. They weren't attacks on SSL/TLS, they didn't involve thousands of supercomputer instances chomping on data for months to enable the exploits. Nor were they in any way the fault of weak customer passwords -- which are bad news for those customers of course, but shouldn't enable mass exploits.

By and large, what you keep hearing about these case is that they were based on the compromise of administrative credentials.

What this means in plain English is that an attacker managed to get hold of some inside administrator's login username and password, typically via email phishing or some other "social engineering" technique.

When these successful attacks are belatedly reported to the affected customers and the public, they're almost always framed as "incredibly sophisticated" in nature.

That's usually bull, a way to try convince people that "Golly, those hackers were just so incredibly smart that even our crack IT team didn't have a chance against them!"

Usually though, the attacks are incredibly unsophisticated -- they're simply relentless and keep pounding away until somebody with high level administrative access falls for them. Then, boom!

It's often argued that important financial and similar data should be kept encrypted -- and this is certainly true. But so long as system administrators have the need and ability to access data in the clear, encryption alone doesn't address these problems. Rigorous control and auditing systems to prevent unnecessary access to data en masse can also help ("Does Joe really need to copy 80 million customer records to a Dropbox account?") -- but this won't by itself solve the problem either.

The foundational enabling feature of so many successful mass attacks is failures of authentication protocols and processes in the broadest sense, and ironically, getting a handle on authentication is at least relatively straightforward.

Many firms aren't terribly interested in implementing even middling quality authentication, because they have faith in their firewalls to keep external attacks at bay.

This is an incredibly risky attitude. Over-reliance on firewalls -- that is, perimeter computer security -- is sucker bait, because once an intruder obtains high level administrative credentials, they can often plant software inside the firewall, and send data out in various ways with relative impunity. After all, most corporate firewalls are designed to keep outsiders out, not to wall insiders off from the public Internet.

To put this another way, a properly designed security system should in most instances be location agnostic -- employees should be able to work from home with the same (hopefully high) level of security they would have at the office. This isn't to say that secure deployment and administration of VPNs and associated systems are trivial, but they aren't rocket science, either.

Yet the real elephant in the room is at the basic authentication level, the usernames and passwords that most firms still rely upon as their only means of administrator authentication on their internal systems. And so long as this is the case, we're going to keep hearing about these mass attacks.

Yes, you can try force employees to choose better passwords. But passwords that are hard to remember get written down, and forcing them to be changed too often can make matters worse rather than better. The problem cannot be solved with passwords alone.

And -- "surprise, surprise, surprise" (as Gomer Pyle used to say -- go ahead, Google him) -- the technology to drastically improve the authentication environment not only exists, but is already in use in many applications that arguably are of a less critical nature in most cases than financial and insurance data.

I'm speaking of 2-factor or "multiple factor" authentication/verification systems, the requirement that system access is based on "something you know" and "something you have" -- not on just one or the other.

One of the best implementations of 2-factor is that deployed by Google, which offers a variety of means for fulfilling the "what you have" requirement -- text messages, phone calls, phone apps, and cryptographic security keys.

Different forms of multiple factor have varying relative levels of protection. For example, the use of "one time passwords" generated by apps or hardware tokens is not absolutely phishing-proof, but is a damned sight better than a conventional username and password pair alone. Security keys, which can interface with user systems via USB or in some cases NFC (Near Field Communications) technology, are the most secure method to date, and a single key can protect a whole variety of accounts -- even at different firms -- while still keeping the associated credentials isolated from one another.

And this brings us back to Bubba. While one never wants unnecessary mandates and legislation, sometimes you can't depend on industry to always "do the right thing" when it comes to security, when the intrinsic costs for the sloppy status quo are relatively low.

So while some countries and U.S. states do have laws about encryption of customer data, or notification of customers when breaches occur, there is little sense of closing the barn door before -- not after -- the cows have escaped.

After all, these careless firms usually have pretty easy outs when big breaches occur. They offer you free "credit monitoring" after the fact. Gee, thanks guys. They usually manage to pass along associated costs and fines to their customers. Another big thank you punch to the gut.

How to really get their attention?

Maybe they'd notice potential prison time for top executives of firms that deal primarily with sensitive consumer personal information (like banks, insurance companies, and so on) who voluntarily refuse to implement appropriate, modern internal security controls -- such as strong multiple factor logins -- and then suffer mass consumer data hacks as a result.

I'm not even arguing here and now that they must provide such systems to their individual customers -- though they really, seriously should. Nor am I suggesting such sanctions for failure of security systems that were deployed and operating competently and in good faith. After all, no security tech is perfect.

But I am putting forth the "modest proposal" that these types of firms be given some reasonable period of time to implement internal security systems including strong multiple factor verification, and if they refuse to do so and then suffer a mass data breach, the associated executives should be spending some time in the orange or striped jumpsuits.

Perhaps that prospect will light a fire under their you-know-whats.

Now, do I really believe it's likely that anything of this sort will actually come to pass? Hell no, after all, these are the kinds of firms that basically own our politicians.

But then again, if enough of these mass data thefts keep occurring, and enough people get seriously upset, the dynamic might change in ways that would have seemed fanciful only a few years earlier.

So despite the odds, my free advice to those execs would be to get moving on those internal multiple factor authentication systems now, even in the absence of legislative mandates requiring their use.

Because, ya' know, Bubba will be patiently waiting for you.


Posted by Lauren at February 7, 2015 09:40 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein