Modernizing Authentication — What It Takes to Transform Secure Access
A devastating security breach at Trapster.com, home of a mobile app that helps drivers avoid getting speeding tickets, perfectly illustrates the old adage that security is only as strong as the weakest link.
The website's 10 million registered users were informed this month that "our website has been the target of a hacking attempt, and it is possible that your email address and password were compromised."
A website should never, ever, store your password unencrypted. What it should do is pass your password through a hashing function which converts it into an apparently random string of characters. It's this password "hash" that it should store. Every subsequent time you enter your password to log in, the site should hash it and ensure that the result matches the hash of your password it has stored. That means that if hackers break in they can't get their hands on a list of passwords - they can only get a list of hashes, which in themselves aren't very useful. That's because getting a password back from a hash is hard, and probably impossible if the original password is long and complicated.
But Rob Cotton, CEO of security outfit NCC Group, reckons that Trapster wasn't protecting its users' password in this way. "Website owners should declare if they store your passwords using strong hashing. This is a simple process and not any more expensive to implement, however, unfortunately, websites not using this method of cryptography is something we see all too often and this can only be down to developers' laziness or ignorance. In the case of Trapster, it would appear that they didn't encrypt or hash so the hackers got the crown jewels."https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
The crown jewels in question, of course, are Trapster users' usernames and passwords - unencrypted, unhashed, just waiting to be abused - and if the folks at Trapster really didn't bother hashing their user's passwords before storing them then it's a shameful omission that almost beggars belief.
And the problem is that many of Trapster's users will have used the same username and password for FaceBook and Gmail, and around half will have used them for their bank as well. Websites like Trapster.com may seem harmless enough, but all this goes to show that if you use the same password for different web applications then insecure sites can turn out to be the weak security link that give hackers access to your family fortune.
Smartphones represent another potential weak link in your security, according to new research carried out by Trusteer, an online banking security company. Its study of traffic going to phishing sites found that smartphone users are three times more likely to be fooled into submitting confidential information to a phishing website than people accessing the site from a PC.
The reason why smartphones are a potential weak link is uncertain. It may be because these devices are portable, so smartphone users are more likely to respond to scam emails more quickly than PC users who may be away from their desks. "The first couple of hours in a phishing attack are critical. After that many attacks are blocked by phishing filters or taken down. Hence mobile users are more likely to be hit by Phishing just because they're "always on," says Mickey Boodaei, Trusteer CEO.
He also points out that smartphone screens are desperately small, making it far harder to spot that a given website is a fake - especially when the website's URL is either not displayed or too long to fit on to the limited screen real estate of a smartphone.
Of course, sticking to a desktop PC is no guarantee of security - accessing social networking sites like FaceBook and Twitter can be another weak link in your security. According to a Security Threat Report 2011 published by Sophos earlier this month, 40 percent of social networking users quizzed have been sent malware such as worms via social networking sites, a 90 percent increase since April 2009, and 43 percent have been on the receiving end of phishing attacks, more than double the figure since April 2009.
Social networks can be a particularly weak link for businesses: about 50 percent of respondents get access to social networks at work, and the majority feel that social networking sites are a danger to corporate network security. "If your business isn't on Facebook, but your competitors are, you are going to be at a disadvantage. But you have to be aware of the risks and secure your users while they're online," says Graham Cluley, Sophos's senior technology consultant.
If both your smartphone and your PC are weak security links, then that leaves Apple's Mac. But Mac malware is on the rise - albeit from a very low base - according to a review published this month by Mac OS X security vendor Intego. That a security company should big-up the risks of malware will come as no surprise, but it's also worth pointing out that Mac malware is probably under-reported, as very few Mac owners would know an infection if they saw one. And while there are relatively few Mac viruses to be worried about, the fact that so few Macs run anti-virus software does make them frighteningly vulnerable to the few bits of malware - such as RSPlug and HellRTS - that do exist.
Still, at least Apple does seem to be aware of the problem - at the end of January the company hired David Rice as its Global Director of Security. Rice was head honcho at cybersecurity consulting firm Monterey Group, and has also been a Global Network Vulnerability Analyst for the National Security Agency and a Special Duty Cryptologic Officer for the United State Navy. In other words, this guy knows a security bug when he sees one.
Finally, spare a thought for cosmetics retailer Lush , which has been forced to close down its entire online sales operation following attacks by hackers around the beginning of the year. An email was sent out on 20th January warning customers that some credit card details had been stolen and that they should check their bank statements and seek advice from their banks (and good luck with that).
The weak link in this case seems to have been Lush's own IT staff, who were simply not up to the challenge presented by the hacker, as this plaintive message from Lush rather touchingly reveals:
"TO THE HACKER - If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job - were it not for the fact that your morals are clearly not compatible with ours or our customers'."
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.