Thursday, July 12, 2012

Should you really change your re-used passwords after a breach? Maybe not.

DiceThe news is reporting that 453,000 credentials were allegedly taken from Yahoo, and current reports say that it's probably Yahoo Voice that was compromised. If you want to know if yours is in there, it seems like the hacker website is overwhelmed at the moment, but you can search for your username/email here on a sanitized list that doesn't include the passwords.

Probably unsurprisingly, the next bit of news is that people haven't changed their hacked passwords from previous breaches. To whit, 59% of people were re-using the passwords that had previously been hacked and released to the public in the Sony breach. Which seems a bit high given the publicity, but I'm not as surprised as I maybe should be.

What I'd really like to know is how many of those people actually suffered from this password re-use. Did anyone bother to try re-using their credentials?

I'm reminded of one of my favourite security papers, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," by Cormac Herley. In it, he claims that many security "best" practices like changing passwords frequently are actually a waste of time for the average user, when you take into account the risks involved.

So, is changing a password after a breach one of those things that we can skip without much incident? Sadly, I don't have any definitive way to analyze how many folk were inconvenienced by their password reuse in the Sony and subsequent Yahoo breaches, but I can make a guess: If those accounts were compromised on Yahoo after the Sony breach, we'd be seeing a lot more people changing their passwords between the two. So probably at least those 59% were not inconvenienced enough to change their passwords subsequent to the breach.  That's a lot of people.

Of course, it's possible that the accounts were breached and used in a way that the owner never noticed. But if they're not noticing, are they really being inconvenienced? Probably in a global sense (i.e. spam) but maybe not in a short-term decision-making sense. Of course, we could assume that the alleged hack is a hoax using many of the previously hacked passwords from Sony, but given how easy it is to compromise web apps I'm currently assuming that the hack itself is a real thing.  In which case, that's a lot of no-change. It looks suspiciously like you're likely to be more inconvenienced taking the time to change your password than you would if you did nothing, statistically speaking.

So, should you change your password after a breach? It depends on how much you feel like rolling the dice. Failing to change their breached passwords doesn't seem to have hurt that many of the Yahoo Voice denizens, but with numbers on re-used passwords hitting the news today, it's possible we'll see more people trying this avenue of attack in the future.  Still, rather than assuming those 59% are foolish for keeping the same credentials, it's worth considering that they might have just been savvy gamblers, this time.

Wednesday, March 28, 2012

Apparently consumers do care about privacy

I often get into discussions about whether people really do care about privacy, given that they give away personal information regularly when they share with friends via Facebook or other services. A recent report suggests that people do care, at least when it comes to banking and shopping:

The Edelman study released in February 2012 shows that consumer concerns about data privacy and security are actively diminishing their trust in organizations. For instance, 92% listed data security and privacy as important considerations for financial institutions, but only 69% actually trusted financial institutions to adequately protect their personal information. An even sharper disconnect can be seen with online retailers, with 84% naming security of personal information as a priority but only 33% trusting online retailers to protect it.

The blog of the Office of the Canadian Privacy Commissioner (from which I drew this quote) sums it up in the title: Privacy: Not just good business, but good for business.

But I have to wonder, do these numbers indicate that privacy-preserving businesses will be winning customers, or will we simply see claims of privacy that aren't backed up by carefully constructed systems? Do consumers really care about privacy or do they just say they care? How will consumers evaluate potentially spurious privacy claims? In Canada we at least have the privacy commissioner who brings issues to light, and worldwide we have the Electronic Frontier Foundation, but while both organizations are astute and do their best, privacy claims are something that will need to be evaluated by organizations like Consumer Reports that are used by consumers when making decisions about where they spend and keep their money. Right now, by and large, we only hear about the relative privacy of an organization when a breach occurs.

I attended a talk on Internet voting yesterday and the speaker quoted an official in DC who claimed that, "voters like internet voting, so it must be secure," which is really quite a terrifying quote if you think about it. The speaker joked, "does this mean that because my kid likes cake, it must be healthy?" It really clearly demonstrates first that users of the system have very little understanding of its safety (despite strides in the area, internet voting as currently implemented is rarely secure) but also that officials who roll out such systems have little understanding of the flaws of the system and are much too willing to overlook them for convenience sake. If this is the case with voting, it's hard to believe that business would avoid such cognitive mistakes.

Tuesday, February 7, 2012

Andrew Tanenbaum on Security vs Fun-Loving Students

... "some modicum of security was required to prevent fun-loving students from spoofing routers by sending them false routing information."

- Andrew S. Tanenbaum regarding OSPF in Computer Networks (4th ed.)