The art of getting security right: an observation
Posted by Martin Bach on October 7, 2011
A number of high-profile hacks, recent and not so recent, have caught my attention. Well, I thought, not such a big problem: I don’t have a PS3 and hence don’t have an account that can be hacked. I was still intrigued that the hackers managed to get hold of the passwords. I may be wrong here, as I haven’t followed the developments closely enough (I wasn’t affected), but the question I asked myself was: how can they be obtained? Surely Sony must have used some sort of encryption for passwords. It’s so far-fetched that anybody stores passwords in clear text somewhere!
Oh well then, Sony has been targeted a number of times, and time and time again the security was breached. The only consolation is that the intruders have made it very public when they were successful; otherwise we’d never have learned about the problems Sony has with security.
Now other sites were hacked as well, such as kernel.org and others, and somehow I felt the impact coming closer.
Oh well, the world is a bad place and the bad guys are way ahead of the good ones, I thought, for as long as I’m not affected… That held until today, when the ISP and infrastructure provider I am hosting my lab at sent out an email saying that their systems had been compromised and that every customer should change all the passwords they have used with the administrative, web-based interface as well as for accounts on the servers themselves. I had been very happy with Hetzner, as their EQ8 server offering was a system I used extensively.
What can I say? I’m not impressed at all. Again, how can passwords be stored in a system in a way that makes it easy to compromise them? Was that an Excel sheet? Why can’t passwords be sensibly encrypted so they are just garbage to intruders? I think a global standard has to be put in place, similar to the PCI standard, which makes password encryption with strong algorithms mandatory. Better still, failing to do so should be fined, in a way that hurts.
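Added here as an illustration, not code from the original post or from any provider it mentions: what the post calls sensible encryption is, in practice, one-way hashing with a per-user random salt and a deliberately slow key-derivation function, so that a leaked user table does not hand the intruder the passwords. The iteration count and the sample password below are assumptions chosen for the example.

```python
# Added example (not from the original post): a clear-text user record beside
# a hardened one that stores only a per-user salt and a slow one-way hash.
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 parameters. The iteration count is an assumption for this
# example; real deployments tune it to their hardware and raise it over time.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def store_cleartext(password: str) -> dict:
    """The practice the post complains about: whoever reads the table reads the password."""
    return {"scheme": "cleartext", "secret": password}


def store_hashed(password: str) -> dict:
    """Hardened: fresh random salt per user, then a slow one-way KDF.
    Two users with the same password get different records, and the record
    is useless without guessing the password through the same slow KDF."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against a stored record using a constant-time compare."""
    if record["scheme"] == "cleartext":
        return hmac.compare_digest(record["secret"].encode("utf-8"), candidate.encode("utf-8"))
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def leaks_password(record: dict, password: str) -> bool:
    """Would a dump of this record give an intruder the password verbatim?"""
    return password in record.values()


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    for rec in (store_cleartext(pw), store_hashed(pw)):
        print(rec["scheme"], "leaks password:", leaks_password(rec, pw), "login ok:", verify(rec, pw))
```

Both records accept the correct login, but only the clear-text one is readable straight out of a stolen table.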
For those who are interested, the website www.hetzner-status.de has the latest. I was considering moving some of my other domains over to them but may have to rethink that strategy.
Clear text passwords in email
But it’s not only the careless storage of sensitive information on one’s own system. How many times did you get emails stating “welcome to service xyz, your username is abc and your password is def”? They might as well send your bank details too, including credit card numbers and expiration dates.
There has to be a wake-up call in the industry: it is far too simple to outsmart you! Do use strong encryption to protect customer data and identities. Failing to do so can, and maybe one day will, cripple the online business of many companies, causing so-called financial analysts to spread panic and sell lots of shares, plunging economies into difficult times.
Passwords aren’t a good enough solution to protect identity and access to one’s accounts. IMO there should be better ways of preventing unauthorized access to your confidential data. What about a fingerprint reader? Or an iris scan? It sounds like James Bond at the moment, but if we are to trust the infrastructure again, we need to think of alternatives to passwords. To be secure they have to be long, clumsy and hard to memorise, so you end up using one for almost everything.
Also, rootkits undermine your home PC and can make almost all online banking a very dangerous game. Trojans are able to undermine the security of the iTAN system, yet my bank, HSBC, doesn’t offer one of the few safe options for Internet banking: HBCI. Are we just too naïve? A 16-year-old schoolboy from Germany performed a “safety audit” of many German banks’ online applications and found that most of them were insecure (XSS being the main problem).
If anyone knows a reliable, responsible service provider where I can move my domains to, please get in touch!