BreachExchange mailing list archives

Data breach epidemic shines spotlight on shared secrets


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 21 Jul 2014 17:04:06 -0600

http://gcn.com/articles/2014/07/17/isc2-shared-secrets-security.aspx

Recent history has not been kind to businesses and consumers when it comes
to Internet security.  From LinkedIn to Adobe to eBay, we continue to hear
the same story:  X number of passwords/records leaked via company Y data
breach.  According to Tripwire, the Adobe breach alone compromised over
234,000 accounts of military and government users.  While few can argue the
extent of the problem, what do all of the data breaches really mean to
password security, and what can agencies do about it?

At the root of the problem is the fact that passwords are nothing more than
shared secrets.  The use of passwords means that there is a dependency and
reliance on both the end user and the authentication mechanism by which the
password provided by the user is validated.  Both ends have a critical role
in ensuring the password is maintained as a shared secret.

Unfortunately, the authenticating party has to store a copy of the shared
secrets in a data center somewhere. Even if proper security controls are
designed and implemented from top to bottom, the nature of targeted
attacks, operator error and software and hardware vulnerabilities (like the
recent OpenSSL Heartbleed bug) prevent the total elimination of password
breaches while the concept of shared secrets is in use.

Although the end user is typically not directly responsible for the mass
password breaches we continue to see, the user does have a key
responsibility as the other half of the shared secret model.  By taking a
closer look at the recent breach data, we can get a good understanding of
how responsible (or irresponsible) users are and, as a result, how
effective user passwords are in protecting their accounts and other
associated data.

For example, “123456” and “password” are extremely poor password choices,
yet these were still the most common passwords used on the Internet in 2013
according to SplashData.  Strong password practices may seem like common
sense to security professionals, but typical end users do not usually
understand the implications of using weak passwords.

Online retailers also have a responsibility to enforce appropriate password
policies to help protect their users.  However, most online retailers do
not appear to be helping the cause with 55 percent accepting known weak
passwords such as “123456” and “password,” according to Dashboard. Its
Personal Data Security Roundup further concludes that 64 percent of top
U.S. e-commerce retailers have “highly questionable password policies.”

Finally, while strong password length and complexity requirements make it
more difficult to crack a given password via brute force, even extremely
strong passwords can be exposed in a mass data breach.

Given the recent history and recurring headlines of new data leaks, there
is no reason to believe that the number of mass data breach events will
decline anytime soon.  In fact, issues such as password reuse provide even
more incentive to adversaries who can use compromised credentials, not only
at the source of the breach but anywhere else where the same password may
be used.  While there are ways to better secure passwords when they are the
only authentication option available, even a password consisting of a long
and completely pseudo-random string of alphanumeric and special characters
in the hands of adversaries after a data breach means the shared secret may
no longer be a secret.

Two-factor authentication

In an attempt to address the issues with passwords, there has been an
increase in the availability and use of two-factor authentication.  Banks
have been using some sort of two-factor authentication for some time, and
many other Internet sites, such as email providers and social networking
sites, now offer two-factor authentication as well.

Two-factor authentication should be used wherever available in lieu of
passwords alone. However, it is important to realize that most two-factor
implementations still rely on the concept of shared secrets; instead of one
secret (a password), there is now a second secret as well. If both shared
secrets are compromised as a result of one or more data breaches,
associated user accounts are also compromised.

Many customers like Lockheed Martin learned this the hard way when RSA’s
two-factor SecurID tokens were compromised in 2011.  While two factors are
almost always better than one, this type of implementation is only
effective if there is some level of certainty that all shared secrets will
in fact remain secret.  Storing the multiple factors in multiple locations
or data centers makes compromise more difficult, but sophisticated and
persistent attackers can eventually reach their goal.  Additionally, these
two-factor authentication approaches are also subject to man-in-the-middle
attacks and provide little value to any system already compromised via
other means.

So if usernames and passwords are no match for data breaches and most
two-factor authentication approaches still rely on shared secrets, what
else can be done to combat these ongoing data breaches?

The critical technology is end-to-end security based on public key
cryptography.  The federal government has been working on implementing
smart cards as a second factor for nearly 10 years, though adoption rates
are low. Homeland Security Presidential Directive 12 (HSPD-12) leverages
public key cryptography embedded within the second-factor, personal
identity verification (PIV) smart cards.  If implemented properly, public
keys potentially exposed as a result of a data breach will be useless to an
adversary without the corresponding private key stored within the physical
card.

While HSPD-12 is specific to government employees and contractors, there is
nothing preventing private industry from adopting a similar approach.  In
fact, the FIDO (Fast Identity Online) Alliance was formed in 2012 and
strives to improve the nature of online authentication and reduce reliance
on passwords. And OATH (Initiative for Open Authentication) is a similar
industrywide collaboration to develop an architecture and open standards
for strong authentication. The FIDO Alliance now hosts the U2F (Universal
2nd Factor) standards that attempt to scale the benefits of smart card
technology beyond government and enterprises to every Internet user.
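The difference the article draws between a shared-secret second factor and a public-key one (the earlier section on two-factor authentication and this one on PIV/U2F) can be shown directly in code. The following is an added illustration, not code from the article or from any of the projects it names: the server-side checks, the credential store each needs, and what a copy of that store is worth to whoever obtains it. The HOTP-style code derivation, the challenge strings and the counter value are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// OTP derives a 6-digit code from a seed and counter (HOTP-style, HMAC-SHA256). Token and server both hold the seed: a shared secret.
func OTP(seed []byte, counter uint64) uint32 {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac := hmac.New(sha256.New, seed)
	mac.Write(c[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return (binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff) % 1000000
}

// SharedSecretServerAccepts is the server-side check for the OTP factor.
func SharedSecretServerAccepts(storedSeed []byte, counter uint64, code uint32) bool {
	return OTP(storedSeed, counter) == code
}

// PublicKeyServerAccepts is the server-side check for a U2F/PIV-style factor: the server stores only the public key and verifies a signature over a fresh challenge.
func PublicKeyServerAccepts(storedPub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(storedPub, h[:], sig)
}

// BreachOutcome models a copied credential store (the seed for OTP, the public key for U2F/PIV)
// and reports whether each factor can be passed using only that copy.
func BreachOutcome() (sharedBypassed, pubBypassed bool, err error) {
	seed := make([]byte, 32)
	if _, err = rand.Read(seed); err != nil { return }
	stolenSeed := append([]byte(nil), seed...) // copied out of the breached database
	sharedBypassed = SharedSecretServerAccepts(seed, 42, OTP(stolenSeed, 42))
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // private half stays on the card
	if err != nil { return }
	stolenPub := &priv.PublicKey // all the database ever held
	challenge := []byte("constructed-challenge-1")
	h := sha256.Sum256(challenge)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // without priv, some other key is the only option
	sig, _ := ecdsa.SignASN1(rand.Reader, otherKey, h[:])
	pubBypassed = PublicKeyServerAccepts(stolenPub, challenge, sig)
	return
}
```

With the seed, the copied store is enough to compute every future code; with only the public key, no valid response to a fresh challenge can be produced, which is exactly the property the article attributes to PIV cards and U2F.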

Data breaches will continue, and the continued use of only usernames and
passwords is obviously not working.  Will the federal government continue
to lead by example via HSPD-12, and will private industry drive change via
the public key cryptography bandwagon and standards like U2F?  With
comprehensive adoption, this combination has the potential to completely
eliminate mass password breaches.

But until this happens, expect to see more headlines on compromised account
credentials. If you can’t find any news on the most recent password breach
today, you’re not looking very hard.