Password Security, How Does It Work?

February 27, 2011

Posted by Ishmael Chibvuri in I.T Risk Management.

Don’t share credentials between your accounts, especially if security is your business.

I thought it was silly of Gawker Media to taunt world-plus-dog to test its IT security, only to be caught napping last year when its systems were compromised. But when your whole business is IT security, it’s even more embarrassing to be caught reenacting the tale of the cobbler’s children.

In that story, the cobbler was so busy making shoes for the village that his own children had to run around barefoot. This is—after being updated for the 21st century—pretty much what happened to security consultancy HBGary and its subsidiary HBGary Federal. From what I understand, one or more of the company’s executives thought that it was a good idea to use the same password for Twitter, LinkedIn and the firm’s content-management system. That became a problem after HBGary Federal’s CEO Aaron Barr decided that he was going to try to infiltrate the hacktivists collectively known as “Anonymous.” He was successful in doing so, but after revealing himself, apparently thought that his company was immune to retaliation.

But Barr’s sloppiness with passwords gave his enemies enough of a toehold to allow them to break into the consultancy’s e-mail server in early February and capture about 50,000 documents and messages. For the last few weeks, the two firms have been the butt of jokes, especially after HBGary posted a “pity me” sign in place of its booth at the RSA Conference in San Francisco.

Here’s the thing that makes this situation even more amusing than the Gawker debacle: HBGary was soliciting clients by letting them believe that its team knew better than to reuse passwords among key systems. (I’m sure that wasn’t actually in the pitch, but it was one of those things that you assume is there in much the same way that one assumes that a LAN uses Ethernet.) On top of that, HBGary had offered its services to Bank of America as experts in fighting back against WikiLeaks and in turn, Anonymous. This is the Internet’s equivalent of waving a red cape in front of a bull; do it enough, and you’re likely to be gored.

More likely than not, from some of the e-mail that I’ve seen that passed between Barr and one of his top coders, arrogance played a part in the debacle. The problem with the “can’t touch this” attitude is that it’s only valid while the people who want to take you down have better things to do.

I’m sure that the HBGary executives were thinking the same thing most of us do: “I’m kind of busy right now, and I’ll change it to something stronger when I have a little more time.” I’ve done that more times than I care to think about, as I noted in December when the Gawker story broke. Since then, I’ve become a little bit better at resisting the temptation to slap a quick and dirty password on an account. But I’m still doing it from time to time, as I realized the last time I ordered a cable from my new favorite vendor for such things.

I’m convinced that practicing password security in the fashion that many security experts say we should is just too much bother for all but a handful of people. “Easy to remember, hard to forget” only gets one so far if the password has to be rotated every month or two. Maybe we really are better off carrying around a piece of paper full of random characters with a few real passwords embedded in the randomness. This “poor man’s steganography” has to be a better approach to password security than what we have today.
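The reuse the post describes (one password shared by Twitter, LinkedIn and the CMS) is easy to catch before anyone else does, if you ever look. The script below is an added example and not part of the original post; it runs over a constructed credential inventory (the account names and passwords are made up) and reports two things a reviewer would want: passwords used on more than one account, and "rotated" passwords that differ only by a trailing digit or symbol, which is what a monthly rotation policy tends to produce. Passwords are compared by hash so the report never echoes a secret.

```python
"""Flag password reuse across accounts in a credential inventory.

Added example, not from the original post. The INVENTORY below is
constructed for illustration; a real run would read a password-manager
export instead.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample inventory of (account, password) pairs. All values
# are hypothetical; "cobbler2" stands in for the monthly "rotation" of
# "cobbler1" by bumping the trailing digit.
INVENTORY = [
    ("twitter", "cobbler1"),
    ("linkedin", "cobbler1"),
    ("cms", "cobbler1"),
    ("email", "cobbler2"),
    ("bank", "7kQ!v#zL2pR9mW"),
]


def _fingerprint(value: str) -> str:
    """Short SHA-256 prefix used only to compare values locally without
    printing them. This is not how passwords should be stored."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def _stem(password: str) -> str:
    """Strip a trailing run of digits/symbols and lower-case the rest, so
    'cobbler1' and 'Cobbler2' collapse to the same stem."""
    return re.sub(r"[\d!@#$%^&*]+$", "", password).lower()


def find_reuse(inventory):
    """Return {fingerprint: [accounts]} for every password that is used
    verbatim on two or more accounts."""
    by_pw = defaultdict(list)
    for account, pw in inventory:
        by_pw[_fingerprint(pw)].append(account)
    return {fp: accts for fp, accts in by_pw.items() if len(accts) > 1}


def find_near_reuse(inventory):
    """Return {stem_fingerprint: [accounts]} where distinct passwords share
    a stem and differ only by a trailing suffix (the 'rotated' case)."""
    by_stem = defaultdict(dict)
    for account, pw in inventory:
        stem = _stem(pw)
        if stem:
            by_stem[_fingerprint(stem)][account] = _fingerprint(pw)
    return {
        stem_fp: sorted(accts)
        for stem_fp, accts in by_stem.items()
        if len(set(accts.values())) > 1
    }


if __name__ == "__main__":
    for fp, accts in find_reuse(INVENTORY).items():
        print(f"reused password {fp}: {', '.join(accts)}")
    for fp, accts in find_near_reuse(INVENTORY).items():
        print(f"rotated variants of {fp}: {', '.join(accts)}")
```

On the constructed inventory this reports one exact-reuse group (twitter, linkedin, cms) and one rotated-variant group that also pulls in the email account, since "cobbler2" is only "cobbler1" with the digit bumped. The bank password stands alone. The stem heuristic is deliberately simple; it will miss rotations that change characters in the middle of the password, so treat a clean run as necessary rather than sufficient.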
