Russian mega-hack: time to get serious about alternatives to passwords?

All the talk this week has been of the Russian mega-hack: a data breach, first revealed in the New York Times by a security firm called Hold Security, of an estimated 1.2 billion username and password combinations and 500 million email addresses.

So what can we say about it?

Well, according to the security experts I spoke to we can summarise as follows:

  • It won’t be enough to push website owners into adopting more secure authentication mechanisms like two-factor authentication; passwords are just too user friendly and the alternatives would be too expensive.
  • The best we can hope for is it will encourage people to use password managers, or at least stop sharing passwords across sites, and improve the strength of those passwords.
  • It’s still not clear if this was as big a breach as claimed. We don’t know whether the details are current passwords, where they were obtained and exactly how. Fixating on the size is also missing the point a bit, as there are huge breaches every year.
  • Online firms should see this as a wake-up call. Patch those SQL injection flaws and store passwords more securely – by doing this you’ll remove the “low-hanging fruit” these Russian attackers clearly went for.

Beyond that, Thales UK head of cyber security Peter Armstrong told me he was disheartened to see Hold Security already trying to monetise its findings by charging for breach notification services.

“One of the key building blocks that underpins the improvement in the global cyber defence posture is the preparedness of organisations to share threat intelligence. The creed and ethos here is we are only strong if we are strong together,” he added.

“Threat Information Exchange must remain a philosophy of openness and community benefit, not individual benefit. This organisation [Hold Security] has derived benefit historically from this free information exchange, helping them to amass the capability and intelligence to make this discovery in the first place. This kind of behaviour is likely to trigger blacklisting of organisations for bad behaviours from a community perspective, and under those circumstances it is only the cyber criminals who benefit.”

For KPMG cyber security director Tom Burton, the main issue here is whether passwords are still fit for purpose. He thinks not.

“The pervasive nature of the internet means mere mortals cannot possibly remember a different password for each and every website they have registered with, let alone passwords with strength,” he told me by email.

“In the short term, individuals must take a more risk based approach, maintaining strong and unique credentials for those sites that would create the greatest impact if breached (bank accounts and email accounts are two such examples) while being pragmatic and using common passwords for sites that really would be little more than an irritation if breached.”

For CISOs it comes down to risk management, and in many cases fortifying the organisation against such breaches may come higher on the agenda than dealing with advanced targeted attacks, he argued.

“It is too easy with modern processing to crack a large file of password hashes, and there will always be vulnerabilities that enable criminals to gain access to those hash files,” concluded Burton.

“If there is one thing that I feel is certain it is that this is unlikely to be the last announced breach of this kind, and is probably not going to be the largest.  If it doesn’t prompt businesses and individuals to rethink how they are protecting themselves then the criminals will have a bright future ahead of them.”
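As an added example (not from the post, nor code from Hold Security, KPMG or any other firm quoted here), the following Python sketch puts the two fixes from the summary above side by side: a login that builds SQL by string formatting beside one that uses a parameterised query, and unsalted SHA-1 password storage beside per-user salted PBKDF2. It then runs the same small dictionary attack against a constructed four-user dump of each scheme to show concretely why Burton’s “too easy with modern processing to crack a large file of password hashes” holds for fast unsalted hashes. The usernames, passwords, wordlist and the 100,000-iteration work factor are all assumptions made for the demo.

```python
"""Added example: string-built SQL beside a parameterised query, and fast
unsalted hashing beside salted PBKDF2, with a dictionary attack run against
a constructed user dump. Sample data is invented for the demo."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data (assumption): two users picked the same weak password.
SAMPLE_USERS = [("alice", "password1"), ("bob", "letmein"),
                ("carol", "password1"), ("dave", "Tr0ub4dor&3")]
WORDLIST = ["123456", "password", "letmein", "password1", "qwerty"]
ITERATIONS = 100_000  # assumed PBKDF2 work factor; raise it on real hardware


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: one SHA-1 per password, no salt, no work factor."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt=None) -> str:
    """The hardened scheme: 16-byte random salt per user plus an iterated KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_slow_salted(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt; compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(dump: dict) -> tuple:
    """Attacker holds {user: sha1hex}. Hash each candidate word ONCE and look
    every user up in the table, so users sharing a password fall together.
    Returns (cracked users, number of hash invocations spent)."""
    table = {fast_unsalted_hash(w): w for w in WORDLIST}
    cracked = {u: table[h] for u, h in dump.items() if h in table}
    return cracked, len(WORDLIST)


def crack_salted(dump: dict) -> tuple:
    """Attacker holds {user: 'salt$dk'}. The salt forces a fresh KDF run per
    (user, candidate) pair, and each run costs ITERATIONS HMAC calls."""
    cracked, work = {}, 0
    for user, stored in dump.items():
        for word in WORDLIST:
            work += ITERATIONS
            if verify_slow_salted(word, stored):
                cracked[user] = word
                break
    return cracked, work


def build_db(hasher):
    """In-memory user table; `hasher` decides which storage scheme is used."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, hasher(p)) for u, p in SAMPLE_USERS])
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """String-built SQL: the username is spliced into the query text, so a
    value such as  alice' --  comments out the password clause entirely."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pw = '{fast_unsalted_hash(password)}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username: str, password: str) -> bool:
    """Parameterised lookup, then a constant-time KDF comparison."""
    row = conn.execute("SELECT pw FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_slow_salted(password, row[0])


def demo() -> dict:
    """Run both attacks against both schemes and report what each cost."""
    weak_db = build_db(fast_unsalted_hash)
    strong_db = build_db(slow_salted_hash)
    weak_dump = dict(weak_db.execute("SELECT username, pw FROM users"))
    strong_dump = dict(strong_db.execute("SELECT username, pw FROM users"))
    weak_cracked, weak_work = crack_unsalted(weak_dump)
    strong_cracked, strong_work = crack_salted(strong_dump)
    return {
        "injection_bypasses_vulnerable": login_vulnerable(weak_db, "alice' --", "wrong"),
        "injection_fails_hardened": login_hardened(strong_db, "alice' --", "wrong"),
        "hardened_accepts_real": login_hardened(strong_db, "alice", "password1"),
        "weak_cracked": weak_cracked, "weak_work": weak_work,
        "strong_cracked": strong_cracked, "strong_work": strong_work,
    }


if __name__ == "__main__":
    print(demo())
```

Both dumps give up the same three weak passwords, since a salt and a work factor do nothing for a password that is in the attacker’s wordlist; the difference is the bill. The unsalted dump costs five SHA-1 calls to crack every user who chose a listed word, because one table serves the whole file. The salted dump costs a separate 100,000-iteration run per user per guess, and that multiplier is what turns “a large file of password hashes” from an afternoon’s work into something the attacker has to budget for.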


Forcing out rooms – Japan’s dirty secret

Over the weekend a New York Times story had some interesting insights into the continuing labour problems at Japan’s once proud electronics giants.

It alleged that workers who are unable to be sacked are often sent to oidashibeya or “forcing out rooms” where they are made to perform menial or repetitive tasks in a bid to make them resign out of shame and boredom.

It’s not particularly nice but it’s a situation that seems to have been forced upon multinationals such as Sony because of Japan’s relatively strict employment laws which make it hard to sack staff without good reason.

These firms simply can’t be as agile as their international rivals because they can’t downsize or strip out waste in specific areas. In the technology industry especially, skills can quickly become outdated.

As Gartner analyst Hiroyuki Shimizu told me, these laws should take the majority of the blame for the decline of Japan’s electronics industry on the global stage.

“In these 20 years, the goal for the company executives in almost all the Japanese electronics companies was to make much use of (or not to leave idle) their own excessive resources, including workers and assets,” he said.

“In the global electronics market, companies focus on their differentiators. However, Japanese companies focused on the segments where they have plenty of human resources and large assets.”

This is a major failing of Japanese technology firms but not the only one.

Large-scale job cuts are starting to appear at firms including NEC, Sharp and Sony, although more are probably needed. However, this stripping out of dead wood needs to go hand in hand with enhancing traditional areas of technical weakness, said Shimizu.

It’s also true that there’s more to Japan’s well-charted decline on the technology front than just some stubborn employment laws.

“There are several reasons for each Japanese company for losing power such as commoditisation of electronics products, severe competition with Korean or Taiwanese companies or exchange rates,” he told me.

“But we consider that the deep-seated reason is the employment policy of Japanese companies.”