Will tech companies ever figure out how to deal with passwords?
CIOs should worry about seeing their companies targeted, hacked and eventually vilified in the press
By Jeff Vance | CIO US | Published: 17:55, 18 July 2012
After the recent security breach that hit professional social networking site LinkedIn, social media companies are scrambling to patch over their poor security practices.
The list of major breaches gets longer every day: LinkedIn, eHarmony and Last.fm are just the recent ones. Add to that list the Department of Defense, TJX, Sony, Heartland Payment Systems, Emory Healthcare, Global Payments ... well, you see where this is going.
Damaging data breaches are the norm in 2012, not the exception.
According to the Identity Theft Resource Center, there were 189 known breaches from 1 January of this year through the beginning of June. Those breaches have exposed approximately 13.7 million records.
Why LinkedIn is different (and why it's not)
The nature of the data involved helps explain why the LinkedIn breach has gotten so much attention. "LinkedIn's data is of much higher quality than other sites," says Paul Kocher, president and chief scientist at Cryptography Research. "There is just so much information about who people really are and what is important to them."
With high-quality information, attackers can launch much more sophisticated and targeted attacks.
But in other respects, the attack isn't out of the norm. "People are shocked by LinkedIn's poor security practices, but this is widespread," Kocher noted. "Plenty of organizations are far worse off than LinkedIn. It's easy to start fixing security when you're motivated by a breach, but until then, many organizations hope for the best."
Passwords: The root of all data breach evils
A number of recent high-profile attacks (Aurora, RSA, Stuxnet, LinkedIn and attacks on many defense contractors) have been traced to compromised passwords.
"The modus operandi has been similar - a targeted email containing malware infiltrates a PC and hides its tracks using a rootkit. Later it contacts its command server and downloads a keylogger/screen scraper module, which performs the intended objective: stealing user credentials resulting in the theft of vital data," says George Waller, executive vice president at security firm StrikeForce Technologies.
To make matters worse, in this age of cloud computing, SaaS and increased mobility, users are spreading their credentials everywhere. Passwords are inherently weak. Dictionary attacks are standard and rainbow tables can be used to crack more sophisticated passwords.
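Dictionary attacks and rainbow tables work because a bare, unsalted hash of a common password is the same for every user on every site, so it can be looked up in a precomputed table. The following is an added example, not code from the article or from any of the companies it quotes, contrasting that weak storage scheme with per-user salted, iterated hashing (PBKDF2 from Python's standard library). The "precomputed table" is a constructed four-entry stand-in for a real rainbow table, and the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a tiny precomputed table of SHA-1 digests for common
# passwords, standing in for the rainbow tables the text mentions.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "letmein"]
PRECOMPUTED_SHA1 = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Assumed work factor; a real deployment tunes this to its hardware.
PBKDF2_ITERATIONS = 200_000


def store_unsalted_sha1(password: str) -> str:
    """The weak scheme: one bare SHA-1 digest, identical for every user
    who picked the same password and identical across every site."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_precomputed(digest: str) -> Optional[str]:
    """Reverse a digest by table lookup. This only works because nothing
    user-specific went into the hash."""
    return PRECOMPUTED_SHA1.get(digest)


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """The stronger scheme: a random 16-byte salt per user plus an iterated
    KDF, so no table can be computed in advance and each guess is slow."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Store algorithm, cost and salt beside the hash so they can be verified later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def compare_schemes(password: str) -> dict:
    """Show both outcomes for the same password: the unsalted digest is
    recovered from the table, the salted one is not."""
    weak = store_unsalted_sha1(password)
    strong = store_salted_pbkdf2(password)
    return {
        "unsalted_recovered": lookup_precomputed(weak),
        "salted_recovered": lookup_precomputed(strong.split("$")[-1]),
        "salted_verifies": verify_salted_pbkdf2(password, strong),
    }


if __name__ == "__main__":
    print(compare_schemes("linkedin"))
```

The salt defeats precomputation and the iteration count makes each online guess expensive; neither helps a user who reuses the password elsewhere, which is why the rest of the article turns to single sign-on.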
"The concept of having users deploy their passwords to every cloud site is nuts," says Garret Grajek, CTO of SecureAuth Corporation. "It would be a mistake, however, to conclude that this makes the cloud inherently insecure."
The standard method for authenticating users to cloud services is hardly revolutionary: user names and passwords. We're left with two choices: either improve on what we have, or replace it with something better. There is no real consensus, however, on which path to take.
For instance, when users are told to strengthen their login credentials by crafting strong passwords that are essentially gibberish with random capital letters, numbers and special characters, no one remembers them. Thus, everyone reuses their complex passwords, writes them down, or creates a "passwords" file, which is the first thing hackers look for when they access your device.
Potential password replacements don't offer any magic bullets. Solutions like hard tokens are expensive and hard to administer, and, as the RSA breach proved, they can be cracked too.
Grajek compares the authentication challenge to the AC/DC current battles of the 1880s. When DC was winning, New York City had wires strung so thickly that they almost blocked out the sky. The problem was that DC doesn't travel well, requiring sub-stations every mile and a half.
"The same mistake is true of the distribution of users' passwords at every cloud service," he says.
Every security expert that I talked to made the same point: There is no easy way to fix passwords, but standardisation would certainly help us get closer to that goal.
SSO and SAML to the rescue?
For several years now, the enterprise has been searching for single sign-on (SSO) solutions. Early ones were proprietary and unwieldy, but standards have been emerging, most notably Security Assertion Markup Language, or SAML.
"SSO is a must," says Mike Kail, vice president of IT operations at Netflix. "Once your employees start using Workday, Box and other cloud services, they start littering those services with passwords (some unique, some not) and any business is only as secure as its weakest password."
SAML is an XML-based framework that lets service providers exchange security information. That way, a third-party or cloud application doesn't need to store any authenticating information from your organization. Instead, SAML will deliver your users' credentials (typically from Active Directory or LDAP) to the service provider, which won't need to maintain those credentials.
Through SAML, your organisation can deliver information about user identities and access privileges to a cloud provider in a safe, secure and standardised way.
The only trouble is that SAML is a B2B solution, and it's not currently set up so that it can be easily extended to consumers. This is important because if a new social network comes along that your business hasn't authorized, your employees will still set up their own credentials with that service provider. Hackers will still be able to glean valuable information from other sites in order to socially engineer attacks. If your employees have reused a strong password elsewhere, hackers may even be able to use that to penetrate your organisation.