Showing posts with label hacking. Show all posts

Wednesday, July 20, 2016

Passwords: How's that still a thing?

Passwords.

How is this topic still a thing? 

In two words: Mark Zuckerberg. 

In June 2016, Mark Zuckerberg got hacked and his secret password was revealed for all to see. Did it meet all those wonderful rules we learn in information security school? Was it ISO27001/2 compliant? 

Well his password was "dadada" - so I'll let you decide. 

The Wall Street Journal's Nathan Olivarez-Giles had a great article on hacking/passwords. 



The article refers to a site where you can check to see if you've been hacked https://haveibeenpwned.com/ - definitely worth checking out. 

Of course the next step is to then change the password on the 7 million devices you own, but who says hackers make your life boring? 

Passwords are the best illustration of the trade-off between convenience and security: you don't want the bad guys getting in, but at the same time you want it to be easy to use your email and the other services that you rely on.

One possible antidote to this unending saga of dealing with hackings - managing the convenience versus security divide - is the use of password manager services. 

WSJ's Geoffrey Fowler had an article which reviewed "1Password, Dashlane, LastPass and PasswordBox", giving the win to Dashlane.

Of course two-factor authentication, as Olivarez-Giles points out, is a key control that we all need to implement in our lives - especially since many popular services are making it easier to use such a feature. 

The fact that passwords continue to be an issue reminds us that the most challenging aspect of a system is not the technology, but the people who use it.





Friday, April 8, 2016

Hacking law firms: A shift in trends? A closer look at the data.

Before the infamous Panama Papers breach, the Wall Street Journal reported in late March on cyber security incidents that occurred at two major law firms. As WSJ noted, "[h]ackers broke into the computer networks at some of the country’s most prestigious law firms, and federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter. The firms include Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations."
The attack is a shift in the traditional targets of hackers, which have largely been focused on stealing personal data. Based on UWCISA's review of public news sources covering cyber attacks from 2010 to 2016 (unless otherwise stated), we found the following:
  • Personal data stolen at a higher rate than financial data: Of the breaches analyzed, about 33% of attacks related to stealing financial data. In contrast, approximately 53.5% pertained to stealing personal data. 
  • What does the data say? Hackers want to go phishing: When analyzing the different data elements (from 2010 to 2014), 35% of the elements stolen could potentially be used by hackers to conduct further phishing and spear-phishing attacks. Of these, 13% relate to user credentials (username + password), while the balance of the fields includes things such as email, name, address, and social security numbers. This is not to say hackers don't want financial data - approximately 11% of the data elements related to things such as debit/credit cards and even intellectual property. 
  • Malware is the attack vector of choice: Malware represented 21% of the attack vectors used, while SQL injection was the next favourite at 11% and phishing and spear-phishing were third at 6%. 
  • Industry trends: In terms of industry, software publishers (8%), hotels (5%), AV equipment manufacturers (~4%) and limited service restaurants (3.5%) topped the list. This compares to an average of 1% of attacks per industry (when excluding attacks that were not attributed to an industry). 
The move by hackers to target law firms illustrates how the infamous risk formula, likelihood X impact, needs to go beyond financial assets, like credit cards or bitcoins. As noted in the data analysis above, firms also need to protect intellectual property or anything that can be converted to cash. Consequently, organizations need to be as astute as the perpetrators in assessing how information - such as that held by law firms - can be used for financial gain.

Wednesday, October 24, 2012

Did the SC Supreme Court legalize industrial espionage on the cloud?

As reported in Ars Technica, the South Carolina (SC) Supreme Court ruled that gaining access to someone else's email does not violate any laws, specifically the Stored Communications Act. In the case, Jennings vs Jennings, the husband (M. Lee Jennings) was suing his ex-wife's (Gail M. Jennings) daughter-in-law from a previous marriage, Holly Broome, for unauthorized access to his personal email account. Holly had guessed the correct answers to the secret questions and gained access to his email accounts. She had been asked by her mother-in-law to look at M. Lee Jennings's email because he had admitted to her that he was having an affair and had exchanged email correspondence with this woman. Holly printed the emails and provided them to Gail and her defense team, who used them against M. Lee Jennings during the divorce trial.

The Supreme Court found that the hacking was not in violation of the Stored Communications Act (SCA) because cloud-based email does not meet the "definition of 'electronic storage' within the SCA [which] requires that it must be both temporary and intermediate storage incident to transmission of the communication and storage for the purposes of backup protection". It should be noted, as pointed out by William Shapiro on this episode of This Week in Enterprise Tech (it's the first segment so you don't have to listen to the whole episode), that this judgment is limited to South Carolina.

Wow. In these few small sentences, the SC Supreme Court has allowed unauthorized access to anything that is stored on the cloud. In the last few posts on the UWCISA blog, I have commented on industrial espionage and Microsoft's move of Office to the cloud. On my entry on cloud I noted that the cloud pretty much gives access to law enforcement:
"In terms of privacy, the way the privacy rules work is that if the provider tells you in the ToS that they will hand over things to law enforcement then they are covered from a privacy compliance perspective. (See the Privacy Commissioner's handling of the complaints against CIBC). Furthermore, as noted in this article both American and Canadian law enforcement and other agencies can access what you put on Office 365 and they don't need to tell you about it."

On my entry on industrial espionage, I highlighted that, in addition to the risks highlighted by US government officials on using Chinese hardware manufacturers, "it is important to recognize that other factors are at play on the specific issue of ZTE and Huawei and that the risk of Chinese hacks should not be overstated. After all, non-Chinese companies do conduct industrial espionage against one another. For example, SAP had to pay $120 million to Oracle for such activity, which occurred in 2007. But if you raised the threat of German firms hacking to get into American companies, people would think you are not well. So although this threat is real, it is not new and it's not just coming from the Chinese."

Furthermore, I have been immersed in the last few weeks in Kevin Mitnick's (wiki, his site) Ghost in the Wires, which details how he hacked into Motorola, Sun, and other major companies. Once you read his story, you will quickly realize how this ruling by the SC Supreme Court makes it open season on any corporation that uses the cloud as a means to outsource processing. If an average person like Holly Broome can access confidential email - imagine what a determined hacker like Mitnick could do! For example, if you use Google Docs or the soon to be released Microsoft Office 365, then a competitor can gain access without violating the SCA and use that information. Will this judgement spur hackers to relocate to South Carolina and access all types of confidential information stored on the cloud? Of course they can't take patented or copyrighted information, but what about companies that likely don't have such information patented, trademarked etc. or protected by other laws (e.g. privacy legislation, theft of credit cards, etc.)?

It's interesting how vulnerable the cloud, and technology in general, is to the inability of law makers and judges to see into the future. Common sense would dictate that a person who buys or uses a service and keeps it secret via a password expects the information to be confidential to them. But I am not a lawyer, just an accountant in tech. That being said, it is unlikely that Google, Microsoft, Amazon, and the other tech giants will take this ruling lying down. One can expect that they will use their dollars and influence to allay fears and show that their services are safe from "legal industrial espionage".