
www.pcworld.com/downloads/collection/collid,1525/files.html. Each team should download a product and discuss its pros and cons for the class. Be sure to take a look at all the comments posted about this article.

Closing Case: Passwords Are No Longer Enough

The Problem

128 CHAPTER 4 Information Security

We bank online, track our finances online, do our taxes online, and store our photos, our documents, and our data online. As a result, the amount of personal information being stored online has exploded. Further, we typically link our online accounts, with our e-mail addresses acting as universal usernames, a problem that becomes worse as the number of our online accounts increases. The combination of our e-mail address as username with a password creates a single point of failure that can be exploited with devastating results. How did this problem start? Companies conducting business over the Internet had to figure out a way to make people feel secure about conducting online transactions and storing personal information on merchants’ Web sites. To function in the real world, the security systems provided by online merchants must effectively manage the trade-off between convenience and security. The most secure system is useless if it is too difficult for users to access. For example, if the merchant requires customer passwords to be 50 characters long and include special symbols, these passwords might keep their customers’ accounts safe, but they would be impossible to remember.

Companies want the act of signing up and using their service to appear both totally private and perfectly simple. The problem with this scenario is that it makes security impossible. Therefore, these companies decided to employ combinations of usernames (the customer’s e-mail address) and passwords.

We have all bought into the idea that a password is sufficient to protect all of our data, as long as it is elaborate enough. In reality, however, passwords by themselves are not enough. No matter how unique or complex you make them, passwords can no longer protect you.

There are many ways in which attackers can obtain our passwords, no matter how strong they are. How are our passwords compromised? Hackers have numerous strategies to discover them: They can guess them, lift them from an online password dump, crack them by brute force, and steal them using malware and phishing and spear phishing techniques. In addition, they can con a company’s customer support department into resetting them. Let’s examine these methods more closely.

• User carelessness is the biggest security risk of all. Therefore, the most basic hacking method is simply to guess correctly. Despite years of being told not to, people still use weak, predictable passwords. One security consultant compiled a list of the 10,000 most common passwords based on easily available sources, such as passwords dumped online by hackers and simple Google searches. He discovered that the most frequently used password was (believe it or not) “password.” The second most popular password was the number 123456. If you use a weak password, then accessing your accounts becomes incredibly easy. Free software tools such as John the Ripper automate password-cracking to such an extent that anyone with rudimentary computer skills can do it. All they need is an Internet connection and a list of common passwords, which are often available online.

• Today, our laptops have more processing power than a mainframe did 20 years ago. Therefore, cracking a strong password with brute force computation takes just a few milliseconds longer than cracking a weak password. These computations simply try every possible combination of letters, numbers, and special characters until they discover the password.

• Since 2011, hackers have dumped more than 280 million “hashes”—that is, encrypted but readily crackable passwords—online for everyone to see. LinkedIn, Yahoo, Gawker, and eHarmony all have experienced security breaches in which the usernames and passwords of millions of people were stolen and then dumped on the Internet. A comparison of just two dumps revealed that 49 percent of people had reused usernames and passwords. The implication here is that users should create a unique combination for every site that requires log in procedures. Unfortunately, this is not particularly feasible.

• Hackers also obtain our passwords through phishing and spear phishing attacks.

• Another means of stealing passwords is to use hidden malware that secretly sends your data to other people. According to a Verizon report, malware attacks accounted for 69 percent of data breaches in 2011. Malware is epidemic on Windows and, increasingly, Android. Malware typically works by installing a keylogger or some other form of malware that captures whatever you type or see (i.e., a screen grab). It frequently targets large organizations, where the goal is to gain access to the entire system. One example of this type of malware is ZeuS. Clicking a link from a phishing e-mail installs ZeuS on your computer. Then, when you log in to your online banking account, ZeuS captures your password and sends it back to a server controlled by the hacker. In one case in 2010, the FBI helped apprehend five individuals in the Ukraine who had used ZeuS to steal $70 million from 390 victims, primarily small businesses in the United States.

• Unfortunately, we still have to contend with human memory. Passwords must be difficult, or they can be routinely cracked or guessed. As we discussed, however, strong passwords are also the most difficult to remember. So, if you use strong passwords, there is a very good chance that you will forget them. To address this problem, every password-based system needs a mechanism to reset your account. Going further, the process of recovering a forgotten password, or creating a new one, cannot be too difficult, or customers will simply stop doing business with the Web site. Unfortunately, that process makes your account vulnerable to hackers who employ social engineering techniques. Hackers frequently con customer service agents into resetting passwords by getting past the “private security questions” that you set up in order to reset your forgotten passwords in the first place.

You know how these security questions work. To reset a forgotten password, you supply answers to questions that supposedly only you know. In reality, hackers can obtain, or guess, the answers to your questions by searching for information on you on Google, LinkedIn, and Facebook. They can search the Facebook pages of your children, your spouse, your extended family, and your friends. The bottom line: If you have a Web presence, your answers to standard security questions are fairly easy to find. Your mother’s maiden name is on Ancestry.com, your high school mascot is on Classmates, and your birthday and your best friend’s name are on Facebook.
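The first three attack methods in the list above (guessing from a common-password list, brute-force enumeration, and cracking unsalted hashes from a dump) are the ones a Web site can do something about on its own side. The following Python script is an added illustration written for this case, not code from the textbook or from any of the companies it names; it shows what a merchant's registration code would check and how it would store the password so that a leaked database is not "readily crackable". The ten-entry common-password list, the guess rate of 10 billion per second, and the PBKDF2 iteration count are all constructed or assumed values standing in for the real lists and the real cracking hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the "10,000 most common passwords" list in the case;
# a real deployment would load a full breach-derived list from a file.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "letmein", "monkey", "iloveyou", "welcome", "admin",
}

# Alphabet sizes used to estimate the brute-force search space.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
GUESSES_PER_SECOND = 1e10   # assumed rate for a rig cracking fast unsalted hashes
ITERATIONS = 600_000        # assumed PBKDF2-HMAC-SHA256 work factor


def charset_size(password: str) -> int:
    """Alphabet an attacker must enumerate, from the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def brute_force_seconds(password: str) -> float:
    """Worst-case time to exhaust the search space at GUESSES_PER_SECOND."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def check_password(password: str) -> dict:
    """Reject common-list hits first (guessing), then anything brute-forceable in a day."""
    if password.lower() in COMMON_PASSWORDS:
        return {"ok": False, "reason": "in common-password list"}
    seconds = brute_force_seconds(password)
    if seconds < 24 * 3600:
        return {"ok": False, "reason": f"brute-forceable in about {seconds:.3g} s"}
    return {"ok": True, "reason": f"search space takes about {seconds / 31_557_600:.3g} years"}


def unsalted_sha1(password: str) -> str:
    """The kind of record found in the dumps described in the case: fast and unsalted."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow KDF; iterations and salt travel with the record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def dump_shows_reuse(records) -> bool:
    """True when two stored records are identical, i.e. a dump exposes password reuse."""
    return len(set(records)) < len(records)


def register(password: str) -> Optional[str]:
    """Registration flow: refuse weak passwords, otherwise return the salted record to store."""
    verdict = check_password(password)
    if not verdict["ok"]:
        return None
    return hash_password(password)


if __name__ == "__main__":
    print(check_password("password"))
    print(check_password("abc12"))
    print(check_password("correct horse battery staple"))
    print(unsalted_sha1("password") == unsalted_sha1("password"))   # identical: True
    print(hash_password("password") == hash_password("password"))  # salted: False
```

Two points the code makes that the prose only states: the common-list check runs before any complexity estimate, because "password" scores no better for being eight characters long, and the salted records for two users with the same password differ, so a stolen table can neither be compared against another dump nor cracked from a precomputed list. Verification deliberately uses the stored iteration count so the work factor can be raised later without invalidating existing accounts.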


A Variety of Attempted Solutions