terriko: (Default)
Cross-posted from my security blog, Web Insecurity.


Should you really change your re-used passwords after a breach? Maybe not.




DiceThe news is reporting that 453,000 credentials were allegedly taken from Yahoo, and current reports say that it's probably Yahoo Voice that was compromised. If you want to know if yours is in there, it seems like the hacker website is overwhelmed at the moment, but you can search for your username/email here on a sanitized list that doesn't include the passwords.

Probably unsurprisingly, the next bit of news is that people haven't changed their hacked passwords from previous breaches. To whit, 59% of people were re-using the passwords that had previously been hacked and released to the public in the Sony breach. Which seems a bit high given the publicity, but I'm not as surprised as I maybe should be.

What I'd really like to know is how many of those people actually suffered from this password re-use. Did anyone bother to try re-using their credentials?

I'm reminded of one of my favourite security papers, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," by Cormac Herley. In it, he claims that many security "best" practices like changing passwords frequently are actually a waste of time for the average user, when you take into account the risks involved.

So, is changing a password after a breach one of those things that we can skip without much incident? Sadly, I don't have any definitive way to analyze how many folk were inconvenienced by their password reuse in the Sony and subsequent Yahoo breaches, but I can make a guess: If those accounts were compromised on Yahoo after the Sony breach, we'd be seeing a lot more people changing their passwords between the two. So probably at least those 59% were not inconvenienced enough to change their passwords subsequent to the breach.  That's a lot of people.

Of course, it's possible that the accounts were breached and used in a way that the owner never noticed. But if they're not noticing, are they really being inconvenienced? Probably in a global sense (i.e. spam) but maybe not in a short-term decision-making sense. Of course, we could assume that the alleged hack is a hoax using many of the previously hacked passwords from Sony, but given how easy it is to compromise web apps I'm currently assuming that the hack itself is a real thing.  In which case, that's a lot of no-change. It looks suspiciously like you're likely to be more inconvenienced taking the time to change your password than you would if you did nothing, statistically speaking.

So, should you change your password after a breach? It depends on how much you feel like rolling the dice. Failing to change their breached passwords doesn't seem to have hurt that many of the Yahoo Voice denizens, but with numbers on re-used passwords hitting the news today, it's possible we'll see more people trying this avenue of attack in the future.  Still, rather than assuming those 59% are foolish for keeping the same credentials, it's worth considering that they might have just been savvy gamblers, this time.
terriko: Evil Soup (evil soup)
Cross-posted from Web Insecurity

I often get into discussions about whether people really do care about privacy, given that they give away personal information regularly when they share with friends via Facebook or other services. A recent report suggests that people do care, at least when it comes to banking and shopping:


The Edelman study released in February 2012 shows that consumer concerns about data privacy and security are actively diminishing their trust in organizations. For instance, 92% listed data security and privacy as important considerations for financial institutions, but only 69% actually trusted financial institutions to adequately protect their personal information. An even sharper disconnect can be seen with online retailers, with 84% naming security of personal information as a priority but only 33% trusting online retailers to protect it.


The blog of the Office of the Canadian Privacy Commissioner (from which I drew this quote) sums it up in the title: Privacy: Not just good business, but good for business.

But I have to wonder, do these numbers indicate that privacy-preserving businesses will be winning customers, or will we simply see claims of privacy that aren't backed up by carefully constructed systems? Do consumers really care about privacy or do they just say they care? How will consumers evaluate potentially spurious privacy claims? In Canada we at least have the privacy commissioner who brings issues to light, and worldwide we have the Electronic Frontier Foundation, but while both organizations are astute and do their best, privacy claims are something that will need to be evaluated by organizations like Consumer Reports that are used by consumers when making decisions about where they spend and keep their money. Right now, by and large, we only hear about the relative privacy of an organization when a breach occurs.

I attended a talk on Internet voting yesterday and the speaker quoted an official in DC who claimed that, "voters like internet voting, so it must be secure," which is really quite a terrifying quote if you think about it. The speaker joked, "does this mean that because my kid likes cake, it must be healthy?" It really clearly demonstrates first that users of the system have very little understanding of its safety (despite strides in the area, internet voting as currently implemented is rarely secure) but also that officials who roll out such systems have little understanding of the flaws of the system and are much too willing to overlook them for convenience sake. If this is the case with voting, it's hard to believe that business would avoid such cognitive mistakes.
terriko: (Default)
Been a while for a Web Insecurity post, eh? I blame thesis.

Anyhow, here's the teaser:

Web Insecurity : I admit, I laughed: LulzSec as popular as orgasms?




I don't know about you, but I got a great chuckle out of the thought that LulzSec might be as popular as orgasms... at least when it comes to scam bait.




Read the full post here (and learn about how LulzSec hacked the sun!)
terriko: (Default)
Bunch of posts elsewhere:

Web Insecurity: Free Wordpress themes considered harmful



It's illegal in many places to compromise someone's site to force them to serve up spammy links. But it's not illegal to put them in a Wordpress theme and then offer it for free...

Web Insecurity: To whom are you confessing?



The Catholic church has given its blessing to a new iPhone app that helps you prepare for confession. The Office of the Privacy Commissioner of Canada isn't so sure they'd approve it, though, pointing out the the developer collects a lot of information and doesn't provide a policy about how it will be used.

Geek Feminism: “How could they not have known?!”



A post about how our male compatriots are often floored by the sort of sexism women deal with daily. Also about FatUglyorSlutty.com, troll visualizations, and ...

*grin* In that post, I wrote "my male gamer buddies don’t have people freaking out or getting, er, excited when they speak on voice chat" and it took some effort to resist adding "but some of them should. Yum." Seriously, some of my gaming buddies have incredibly sexy voices and on the entirely too rare occasion when one of them sings on teamspeak... mmm...

I know, TMI, but I've wanted to brag about my hot gamer guys all day. ;)
terriko: (Default)
New post up at Web Insecurity: Will Facebook's choice of social authentication (face CAPTCHAs) lead to huge gains in facial recognition software?

Excerpts:
For many people with public profiles, flickr accounts, etc. it's pretty easy for a hacker to identify your friends. (Even easier if your would-be hacker is a jilted lover or angry sibling, but presumably those folk could also pass a regular CAPTCHA.) The key here isn't that this social authentication isn't hackable, though, it's that the hack has to be more carefully crafted to your account, and may well require a human to do the facial recognition necessary, thus slowing down the attack and doing exactly what CAPTCHAs were intended to do.
...
So the interesting question to me is "Will Facebook's choice of Face CAPTCHAs lead to huge gains in facial recognition software?" -- we're well overdue for gains in that area, actually, given that law enforcement is hoping to use facial recognition to stop crime and even terrorism, but the technology is so poor right now that if they used it now they'd likely be arresting a lot of innocent folk.


Read the rest here
Page generated Apr. 24th, 2014 06:58 pm
Powered by Dreamwidth Studios