Yesterday it was announced that a Russian crime syndicate had stolen 1.2 billion
identities. As of the next day it was still not known which sites had been breached or whose IDs were stolen.
The media are suggesting that we change all of our usernames and passwords. I, like many, have at least one hundred
usernames and passwords; changing them all would be no small feat, and most likely I won't. Many times it is difficult or impossible to
change a username at all.
One of the primary issues behind these attacks is that passwords are stored in millions of
places. Each website keeps your username and password (or, if it is well run, only a hash of the password) on its own systems.
There are federated schemes (OAuth, and the "sign in with Google or Facebook" buttons built on it) that let an identity provider
vouch for you to other sites so you need not set up new credentials. The third-party site receives a token rather than your password,
but you still have to trust the provider to store your credentials safely, and it now sees every site you sign into. Since these
companies make their money from selling information via advertising, well, you
get it.
We must ask why these passwords were not protected at rest. It was poor design and oversight. Passwords should never be stored
in a recoverable form at all, not even encrypted, because an attacker who takes the database usually takes the key along with it;
the correct practice is to store only a salted, deliberately slow one-way hash (bcrypt, scrypt, Argon2 or PBKDF2), so that a stolen
table still has to be cracked one guess at a time. Data at rest is the real target; it is the
"edge" that gets hacked. Data can be sent over a secure link such as SSL/TLS, but when it is moved or temporarily stored during
processing it is exposed, and if it is not protected when stored it remains exposed to
theft. Credit card data had the same issues before the PCI DSS rules. Compliance, however, is an industry standard rather than a
law such as HIPAA; maybe it is time for legislation covering all password data.
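The difference between the storage the breach exposed and the storage the previous paragraph calls for, as an added example (this is not code from the original post, and the record format and iteration count are illustrative choices of mine, not a standard). It uses only the Python standard library; PBKDF2-HMAC-SHA256 stands in for any of the slow hashes named above:

```python
"""Password storage done wrong and done right.

Added example, not from the original post: a breached password table
should be a table of salted, slow, one-way hashes rather than
plaintext or reversible ciphertext. The record format and the
iteration count below are illustrative choices, not a standard.
"""
import hashlib
import hmac
import os

# Illustrative work factor: tune it so one verification costs tens of
# milliseconds on your hardware, and raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def weak_record(password: str) -> str:
    """The pattern a breach exposes: an unsalted, fast hash.

    Two users with the same password get identical records, and a
    precomputed table cracks every one of them instantly.
    """
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and pack it into a
    self-describing record: algo$iterations$salt_hex$hash_hex.

    Storing the salt and work factor beside the hash lets the work
    factor be raised later without invalidating old records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and work factor and
    compare in constant time.

    A malformed record yields False rather than an exception, so a
    caller cannot tell "bad password" from "bad record".
    """
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happened to pick the same password.
    alice = bob = "correct horse battery staple"
    print("weak records identical:", weak_record(alice) == weak_record(bob))
    ra, rb = make_record(alice), make_record(bob)
    print("salted records identical:", ra == rb)
    print("verify alice:", verify(alice, ra), " wrong password:", verify("hunter2", ra))
```

The two properties worth checking in your own systems are the ones the sample prints: identical passwords must not produce identical records, and verification must not raise on a garbage record.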
There needs to be a better system for identification and authorization. Usernames and passwords have met their
match: the well-funded, sophisticated hacker, the new cyber criminal.
Jeff Brandt
www.deKaG.com