In this post we will briefly present and comment on a few stories and items that came to our attention in recent weeks, this time covering further developments in the Ashley Madison breach, the “hacking” of the TSA’s approved luggage locks, and a new executive order bearing on data breach law enforcement.
The Ashley Madison saga is not over, as this latest news shows. For those unfamiliar with the technical details: on virtually all modern systems, passwords for computer logins are not stored in clear text; they are encrypted (more precisely, one-way hashed) by various means. Typically, when you log in to an online account, the transformed version of what you enter is compared with the stored value; nothing is ever decrypted back into clear text.
Because of this, and as that design intends, when the Ashley Madison site was hacked and the password file was breached (along with all other user data), it did not automatically mean that the hackers (or the general public) had access to the users’ passwords.
That has now changed, and much of the password information has been released in clear text. The reason is that, like all encryption, password encryption is imperfect and, as in this case, can be implemented badly. As a result, the (ahem) poor saps who registered on the site and were (ahem) victims of the breach have now been subjected to one more indignity: everyone can see their passwords, which in a large number of cases means seeing how bad they were. To wit, nearly 170,000 of the users used the passwords “123456” or “12345”, and almost 40,000 used the password “password” (see more details here).
Everyone knows users should choose “good” passwords, but we’d like to drive home some additional lessons here. First, the requirement of quality passwords should be part of any information security management system (ISMS) — don’t leave it up to users. Many modern systems tell users in real time whether their passwords are good; most require more than single-case alphabetic characters and impose minimum length requirements; and optimally, a system should not even let users proceed with a password that isn’t “good” (one that fails algorithmic randomness tests). Don’t be lazy: go with a quality-enforcing password selection interface.
Second, the back-end encryption and handling of passwords should be done right. That means using the latest, known-reliable best-practice algorithms (certainly nothing with known, glaring flaws) and implementing them properly (bug-free). This is of course the type of requirement everyone thinks they are fully competent at, and believes they are indeed implementing properly — but like many IT security issues, it is easy to make subtle mistakes that totally undermine the “security” adopted. Thus, at the end of the day, we recommend that third-party security testing be performed, including simulated front-end and back-end password attacks, to at least provide reasonable assurance that password security has been implemented properly.
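To make the two lessons concrete (a front-end policy that refuses weak passwords, and back-end storage that does not hand every reused password to whoever holds a breached file and a list of popular passwords), here is an added Python example; it is not code from the original post or from the site discussed, and the deny-list, minimum length and iteration count are constructed values that a real deployment would tune.

```python
import hashlib
import hmac
import os
import re

# Constructed deny-list seeded with the passwords the post cites; a production
# ISMS would load a much larger list of common and breached passwords.
COMMON_PASSWORDS = {"123456", "12345", "password"}

def password_policy_errors(candidate: str, min_len: int = 12) -> list:
    """Return the policy rules a candidate fails (empty list means accepted)."""
    errors = []
    if len(candidate) < min_len:
        errors.append("shorter than %d characters" % min_len)
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        errors.append("fewer than three character classes")
    if candidate.lower() in COMMON_PASSWORDS:
        errors.append("on the common-password deny-list")
    if len(set(candidate)) <= len(candidate) // 2:
        errors.append("too repetitive (half or more of the characters repeat)")
    return errors

# Weak pattern: a fast, unsalted digest. Identical passwords give identical
# stored values, so one precomputed table of popular passwords indexes the
# whole breached file; this is how weak passwords surface after a breach.
def weak_store(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

# Hardened pattern: per-user random salt plus a deliberately slow derivation
# (PBKDF2-HMAC-SHA256 from the standard library). The iteration count is a
# constructed value; calibrate it to the login server's hardware.
ITERATIONS = 600_000

def store(password: str, iterations: int = ITERATIONS) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}

def verify(record: dict, attempt: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

if __name__ == "__main__":
    print(password_policy_errors("123456"))             # three rules fail
    print(password_policy_errors("Tr0ub4dor&3-horse"))  # []
    rec = store("correct horse battery staple")
    print(verify(rec, "correct horse battery staple"), verify(rec, "123456"))
```

Note that `store("123456")` called twice yields two different records, whereas `weak_store("123456")` is the same string every time, for every user who picked it.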
The background on the TSA lock story is that, since soon after 9/11, ordinary luggage locks have been banned by the TSA, leaving those who want to protect their luggage (from at least some third parties) to use only the TSA’s “approved” luggage locks. “Approved” means that the TSA can open any such lock with its skeleton key. The TSA itself is supposed to be the only entity that has this skeleton key.
In what was surely only a matter of time, the skeleton key was “leaked” when a Washington Post story on the subject was briefly accompanied by photos that (incidentally) included shots of the key. Once upon a time, this would not have led to much in the way of consequences, but in today’s amped-up digital world it meant the key was now permanently “out there” for the curious and malicious alike, and in short order someone modeled the key as a 3D-printable data file and released it for consumption by the 3D-printing public. Soon after, it was verified that the modeled key, when printed on a conventional 3D printer — even in plastic — actually worked to open TSA-approved locks.
So now, basically, the air-traveling American public cannot expect their TSA-approved luggage locks to offer much in the way of protection from malicious third parties.
To us, the lesson here is simply “security through obscurity fails again” (as well as a more specific instance: backdoors are a bad idea). The TSA’s scheme for luggage locks was already dubious in that it represented a back door, because of the classical reasons that (1) government agents themselves cannot necessarily be trusted with direct means of access in all cases (which is why they should have to go through reasonable legal procedures to gain access), and (2) the back door, once it exists, can be compromised by malicious third parties (with or without the complicity of an “insider”). However, this case proved even worse, because of the ineptitude of the TSA in not realizing the discretion that is required in today’s world to keep this key — their means of back door access — secure.
Which suggests to us a “silver lining”: that it may be something of a “rule” that ham-handed government bureaucracy will tend to combine with security-through-obscurity schemes to quickly “self destruct” any such insecure “security” regime.
Finally, an executive order issued by President Obama on 4/1/2015 entitled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities” met with surprisingly little fanfare. The executive order seeks to extend the Treasury’s now well-known fine-grained financial sanctions tools (famous for being applied since 2014 to Russian oligarchs) to those engaging in “malicious cyber-enabled activities”. A brief read of the executive order shows that its description of such “malicious” activities indeed broadly encompasses most of what we consider data breaches, as well as other disruptive computer-based activities (such as access-denial attacks). Under the order, foreign individuals deemed to have been involved in such activities can have their US-based assets, or assets under the control of some US-based instrumentality, frozen or seized. So this appears to be the first major policy move of the executive branch at large against the wave of data breaches.
Will the result be impactful? At this point we can only speculate. While the Treasury’s modern financial sanctions tools have certainly delivered a meaningful wallop against the nations whose governments and elites they have targeted, it isn’t clear that they would do much to dissuade non-state actors perpetrating data breaches. Instead, the measures may just result in more financial evasion (e.g., parking “profits” in bitcoin rather than as dollar deposits in bank accounts).
The other way the order could have an impact is, instead of dissuading attacks, helping to recover stolen assets. In that department, the order seems likely to have a clearer benefit: to the extent such assets can be identified, being able to freeze them in place before they can be moved or depleted by the malevolent should help meaningfully.
At any rate, it is good to see some initial steps being taken by the Executive branch.