Data Swag: can we trust the good guys?

We will look into the value of data in a later post, but for now let's just assume that bad guys want to get hold of the personal data you have entrusted with a service provider.

We repeatedly hear about data breaches because the natural end-point of your personal data is on the dark web where it is onwardly offered for sale to those with bad intent.

Suffice to say, this stuff matters.

Have I been breached? Yes, probably.
Definitions vary, but if your name/login plus its associated data record (think medical, financial, credit, etc.) finds its way outside of its storage cupboard (located at your trusted service provider), then you've been breached.

Relationships are all about Trust

For that data record to be of any use, our new holder needs to be able to impersonate you, i.e. provide your user credentials, so sometimes this is included in the definition.

Unfortunately, if you have a couple of email accounts, it's likely one has been breached; this year alone we've been notified of over a billion breaches, and we can count quite a few billion in total. But don't take my word for it; to run a personal check, go to this great site:

If we don't trust, can we verify?
If you haven't been breached, should you automatically presume that service providers are doing enough to protect you? In a word, no. Let's look at some highly regarded technology companies and see how they fared when it came to protecting you from bad actors -

  • MySpace (360mm records, 2008): emails, usernames, SHA1 hashes of passwords without salt.
  • LinkedIn (164mm, 2016/12): emails, passwords stored as SHA1 hashes without salt (vast majority quickly cracked in the days following release).
  • Adobe (153mm, 2013): internal ID, username, email, poorly encrypted (easily cracked) password and a password hint in plain text.
  • Dropbox (68mm, 2016): emails, salted hashes of passwords (half of them SHA1).

Why the emphasis on SHA1 and salts? Here is some language from the well-regarded OWASP site (link here). Anyone, and I mean anyone, with even a modicum of interest in password storage will have been on that page and should have absorbed this:

  • "Do not use weak algorithms, such as MD5 or SHA1. Avoid hashing for password storage, instead use PBKDF2, bcrypt or scrypt."
  • "Generate a unique salt upon creation of each stored credential (not just per user or system wide);"[1]

No ifs, no buts; this is as clear as guidance gets.
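To make the OWASP guidance concrete, here is an added example (not code from the original post or from OWASP) that puts the weak pattern from the breach list next to the recommended one. It stores a handful of constructed sample credentials first as unsalted SHA1, then with a fresh random salt per credential and PBKDF2-HMAC-SHA256, and shows two things the prose only asserts: unsalted hashes reveal which users share a password and fall to a table precomputed once from a wordlist, while per-credential salts give every user a distinct record that no precomputed table matches. The iteration count, the record format and the three-word wordlist are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample credentials for the demonstration (not real data).
USERS = {"alice": "summer2016", "bob": "summer2016", "carol": "correct horse"}

# Constructed three-word "wordlist" standing in for a real cracking dictionary.
WORDLIST = ["password", "summer2016", "letmein"]


# --- 1. The weak pattern from the breach list above: unsalted SHA1 ---------

def sha1_unsalted(password: str) -> str:
    """Exactly what MySpace and LinkedIn stored: SHA1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def identical_hash_groups(hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Group usernames whose stored hashes are byte-for-byte identical.
    Without salt, everyone sharing a password lands in one group, so one
    cracked hash exposes all of them at once."""
    groups: Dict[str, List[str]] = {}
    for user, digest in hashes.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def precomputed_table(wordlist: List[str]) -> Dict[str, str]:
    """hash -> password, computed once and reusable against every unsalted dump."""
    return {sha1_unsalted(word): word for word in wordlist}


def lookup(table: Dict[str, str], stored: str) -> Optional[str]:
    """Instant dictionary hit if the stored value is an unsalted hash of a listed word."""
    return table.get(stored)


# --- 2. Per-credential salt + PBKDF2, as OWASP recommends -----------------

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own hardware budget


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    The salt is generated fresh for this one credential, never reused."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- 3. Side by side -------------------------------------------------------

def demo(iterations: int = PBKDF2_ITERATIONS) -> Dict[str, int]:
    weak = {u: sha1_unsalted(p) for u, p in USERS.items()}
    strong = {u: hash_password(p, iterations) for u, p in USERS.items()}
    table = precomputed_table(WORDLIST)
    return {
        # alice and bob are visibly linked in the weak store, not in the salted one
        "weak_duplicate_groups": len(identical_hash_groups(weak)),
        "strong_duplicate_groups": len(identical_hash_groups(strong)),
        # the one-off table recovers two weak entries and zero salted ones
        "weak_table_hits": sum(lookup(table, h) is not None for h in weak.values()),
        "strong_table_hits": sum(lookup(table, r) is not None for r in strong.values()),
    }


if __name__ == "__main__":
    print(demo(iterations=1_000))  # low count only to keep the demo quick
```

The record format carries its own algorithm name, iteration count and salt, so the iteration count can be raised later and old records re-hashed on next login without a schema change. The same structure is what bcrypt and scrypt libraries produce for you, which is why the guidance prefers them over hand-rolled hashing.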

So, unfortunately, the data tells us that even companies we thought would be on top of their game appear to have been going through the motions when it came to ensuring your personal data didn't end up being traded by people you would rather it didn't.

And although verification here appears to dictate that we should not trust, as things stand I know of no practical way of determining in advance the security standards each provider applies.

When you open that account you really are taking a leap of faith...

[1] A salt is a random value appended to your password before it is hashed (a secret, server-side value used the same way is often called a pepper), so that each stored hash has to be cracked on its own.
