Listening to the radio on the way to work recently, I heard that hackers had stolen some 1.2 billion usernames and passwords, affecting as many as 420,000 websites. When asked what listeners could do to protect themselves, the security expert speaking recommended changing passwords.
He did not mention which ones. Indeed, the names of the compromised sites have not even been publicly named for fear of making the problem worse, so there is no way of knowing how to prioritize which passwords to change. Adding to my irritation, I had just changed several passwords in the wake of the Heartbleed/OpenSSL compromise a few months ago. Perhaps like you, I have more than 100 passwords. Changing them all is not really an option.I created new headaches for myself by updating my system software over the weekend. Instead of getting work done on Monday morning, I was troubleshooting Wi-Fi connections and certificate authentication. As an old friend used to say, “no good deed goes unpunished.”
My personal quandary is playing out on a much larger scale in organizations of all kinds and sizes. Technologists, physical security specialists, and business executives are speaking different languages to each other, and frequently blame each other for breaches and losses. The result is an epidemic of unpatched software, invalid or corrupt certificates, and sloppy security practices. Most of the time nothing bad happens, reinforcing this behavior. Even in the case of this most recent breach of a billion passwords, most of us will never see any direct negative consequences.
But, like most things in life, the balance can tip quickly. Particularly in the cyber realm, breaches may come from vulnerabilities that have existed for months or years. During the recent crisis in Ukraine, researchers found that a sophisticated malware known as “Ouroboros” (the mythical snake that swallowed his own tail) had been lurking on Ukrainian government networks since 2012. It came in handy for saboteurs as the political situation deteriorated early this year; recent reports link it to the theft of sensitive diplomatic information from dozens of Ukrainian government computers, including numerous overseas embassies.
Such longstanding, but potent, vulnerabilities can be attributed at least in part to communication failures. This spring, the U.S. Office of Personnel Management (OPM), which handles personal information for government employees, reported a hack of databases containing thousands of applications for government clearances. “Something is obviously not working,” a staffer was quoted as saying. I’d be willing to bet it had at least something to do with passwords and out-of-date software.
Cisco’s midyear security report, released this month, reminds us that our computer vulnerabilities are not just technology problems, they are cultural and process problems. The assumption that system administrators will take care of cyber security for the rest of the enterprise, without any input, attention, or cooperation, needs to stop. As Cisco’s Chief Security Officer John Stewart says, with the arrival of the “Internet of Everything,” every company is a technology company, which means that every company needs to be a security company. We are all responsible. Now, go brush your teeth, change your passwords, and update your software.