Monday, December 13

Protection and Response to User Account Leaks

Today it is being widely reported that Gawker Media has had its entire database of user accounts and passwords (DES encrypted) leaked to the public.  Although this event may have been limited to those with user accounts on Gawker properties, imagine the same thing happening on a major service like Google, Hotmail, or your bank.

The two most significant impacts to most people are:

1)  Gaining access to the exposed Gawker services.  Once the encryption on the password data is brute-forced, it is possible for someone to log in directly to the service as you.

2)  Reuse of passwords on other services.  Because humans are creatures of habit, we tend to reuse usernames and passwords across services, so if someone can find your email address and password, they can attempt to log in to other services as you as well.

This provides an opportunity to reflect on methods of preventing and responding to these types of events.

Response - Although it appears to be a good idea to change the password on the affected service account immediately, one serious issue with this is that the system on which you are changing the password may itself be compromised, which would let the attacker learn the new password.

Also, if you are the security manager for an organization, get a copy of the dumped account information and find out whether you have any affected users.  Search for your company name or domain name, and/or search for hashes of your users' email addresses.
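As an added example (not code from the original post), the following Python script performs that search over a leaked dump.  It handles the two forms such dumps commonly take: records that carry the email address in clear text, which are matched by domain, and records in which the address has been replaced by a hash, which are matched by hashing the addresses from your own directory and comparing.  The dump lines, the column layout (username, email or email hash, password hash), the hash algorithms tried, and the directory entries are all constructed assumptions for the demonstration.

```python
import hashlib
from dataclasses import dataclass

# Hash algorithms that leaked dumps have been observed to use in place of clear-text
# addresses; every directory address is hashed with each so any of them will match.
HASH_ALGS = ("md5", "sha1", "sha256")


def email_hashes(email):
    """Return {hexdigest: algorithm} for the normalised (trimmed, lower-cased) address."""
    norm = email.strip().lower().encode("utf-8")
    return {hashlib.new(alg, norm).hexdigest(): alg for alg in HASH_ALGS}


@dataclass(frozen=True)
class Match:
    username: str   # account name as it appears in the dump
    email: str      # the address that tied the record to the organisation
    reason: str     # "domain" for a clear-text hit, "hash:<alg>" for a hashed one


def find_affected(dump_text, domain, directory_emails):
    """Scan a CSV-style dump for accounts belonging to `domain` or to known addresses.

    Assumed record layout: username,email_or_email_hash,password_hash.
    Lines that are empty or start with '#' are skipped; the password hash is never used.
    """
    domain = domain.strip().lower().lstrip("@")
    # Precompute hash -> (address, algorithm) for every address in the directory.
    lookup = {}
    for addr in directory_emails:
        for digest, alg in email_hashes(addr).items():
            lookup[digest] = (addr.strip().lower(), alg)

    matches = []
    for line in dump_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 2:
            continue                      # malformed record, nothing to compare
        username, ident = parts[0], parts[1].lower()
        if "@" in ident:
            # Clear-text address: compare only the domain part, exactly.
            if ident.rsplit("@", 1)[1] == domain:
                matches.append(Match(username, ident, "domain"))
        elif ident in lookup:
            # Hashed address: hit only if it equals a hash of a directory address.
            addr, alg = lookup[ident]
            matches.append(Match(username, addr, f"hash:{alg}"))
    return matches


# Constructed sample dump (not real data). Password hashes are placeholders.
SAMPLE_DUMP = "\n".join([
    "# username,email_or_email_hash,password_hash",
    "alice,alice@example.com,<password-hash-placeholder>",
    "bob," + hashlib.md5(b"bob@example.com").hexdigest() + ",<password-hash-placeholder>",
    "carol,carol@other.example,<password-hash-placeholder>",
    "dave," + hashlib.sha1(b"dave@other.example").hexdigest() + ",<password-hash-placeholder>",
])

# Constructed directory of the organisation's own addresses (mixed case on purpose).
DIRECTORY = ["Alice@Example.com", "bob@example.com", "erin@example.com"]

if __name__ == "__main__":
    for m in find_affected(SAMPLE_DUMP, "example.com", DIRECTORY):
        print(f"{m.username}: {m.email} matched via {m.reason}")
```

On the constructed data this reports alice (clear-text domain match) and bob (MD5 of a directory address); carol belongs to another domain and dave's hash corresponds to no known address, so neither is flagged.  With a real dump, feed the file contents in as `dump_text` and the exported address list as `directory_emails`; only the account and address columns are read, so the password hashes need never be handled.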

Prevention - IMPORTANT - stop using the same passwords across systems.  Although this is an inconvenience, using a different password for each service prevents someone from using a compromised password on other services.  Come up with a scheme that works for you to create unique passwords for different services that you can still remember.

Use strong passwords.  There are great strong password generators that you can use to come up with good passwords.

Change your passwords occasionally.  Once a year will prevent really stale passwords from being compromised and used, plus it will keep you exercising your brain to remember new passwords.

Use multifactor authentication where possible.  Google and others have made it easy to set up two-factor authentication using things like smart phones, SMS, public phones, etc.  These are easy to implement and make a password compromise a non-event.