
Hitachi ID Systems Blogs

Archive for May, 2014

eBay compromise – the largest incident yet?

Thursday, May 22nd, 2014

It seems that compromised password databases are getting bigger and bigger.

The latest one is a report that 145 million user account records (i.e., username, hashed password, some profile information such as date of birth) were exfiltrated from eBay.

(Gotta love that word … exfiltrated.)

I don’t know what attack vector was used to compromise this data, other than that the attack was carried out from inside the eBay corporate network, so discussing that will have to wait for another day.

As the scale of these incidents gets larger, new problems arise. For example, eBay (the corporation) has reacted very responsibly here – disclosing what they know and advising users to change their passwords. Users are getting used to these kinds of incidents and are trying to change their passwords. So far, so good.

But there are 145,000,000 users trying to change their passwords, more or less all at the same time. The eBay web site clearly cannot keep up. I tried to change my password, but failed:

  • First, it was hard to find the password change screen (but I did find it in the end…)
  • Once I found it, I learned that the eBay site requires confirmation that it’s a legitimate user (me) making the password change, by sending a code to my personal e-mail or phone.
  • But … the system is under such high load that I never got the confirmation e-mail. I tried asking for a text message but the site just refused, complaining about load.
  • What about users who registered an e-mail account with eBay years ago, and no longer have that account? I suppose they cannot change their password – at least not without human assistance, which also won’t scale to 145,000,000 accounts…

In short, at this scale, remediation is a problem. Maybe I’ll try to change my password tonight or tomorrow. Hopefully the storm of password changes will have slowed down by then.

What about users who employ the same password on multiple web sites (i.e., almost everybody)? This incident implies that 100,000,000 or more users are now trying to change their passwords on Facebook, Reddit, Flickr, Google, live.com, etc. I bet those sites are slammed too, and perhaps also unable to respond.

All this sounds like a strong argument for federating identity and authentication — but federating to a few large providers (like Google or Microsoft) will concentrate risk. Imagine if Google or Microsoft were compromised while everybody was using those platforms as federated identity/authentication providers for web sites such as eBay. That would be even worse than the current eBay incident! Moreover, federation creates linkages between accounts on different services, and so has the (unintended) effect of diluting privacy.

Ultimately, I think federating to a large number of small providers would be best, because compromise of any one provider would have only modest impact. Unfortunately, we are still very far from such an architecture.

Another day, another rogue admin

Wednesday, May 21st, 2014

Some people never learn, I guess.

This guy: (link to IT World article) will spend some quality time in jail for sabotaging work systems before he learned about his own imminent termination.

Getting fired sucks. Going to jail for these shenanigans is definitely worse.

Clearly, a privileged access management system could have mitigated the harm.

Real security: the new SOX

Monday, May 5th, 2014

In the past few years, the looming threat of non-compliance with Sarbanes-Oxley (SOX) has driven much spending on IT security. This despite the fact that the “security” bits in the SOX legislation are laughably vague. Section 404 of the SOX legislation requires publicly listed companies to implement, assess and certify the quality of the internal controls that impact financial systems and data. That’s about it. Weak.

Despite the legislation being totally ambiguous, fear of SOX non-compliance has led corporations to spend billions on IT security. I imagine much of that money was spent on useless technology and process – things that *look* like they work, but may not actually be effective.

That was then. This is now.

I just read that the CEO of Target was removed, in large part because of the huge security incident they had, with tens of millions of credit card records compromised. Now that’s a serious threat, with a material impact on the corporation, both in terms of liability (to the card companies) and brand (shoppers going elsewhere because they are afraid of the nuisance of identity theft). It seems that the impact on management is actually more serious than SOX. I can’t recall any CEO of a major corporation being terminated over an IT security breach before. But now we have one, and I bet all the other CEOs will take note.

http://www.reuters.com/article/2014/05/05/us-target-ceo-idUSBREA440BD20140505

It will be interesting to see whether the response to this is any different from the response to SOX, i.e., whether the focus this time is on actual security rather than merely on passing audits.

Of course, we have a vested stake in this game. Organizations seeking real security need to worry about all kinds of things — control over privileged accounts, prompt/reliable/complete access deactivation when users leave, assigning needs-appropriate access rights, strong user passwords and much more. We make software that addresses these problems.

Bait-and-switch, buyer beware

Friday, May 2nd, 2014

It seems that this industry can never stop with the bait-and-switch sales strategy. It never ceases to amaze me what some of our competitors will offer, or what some customer organizations will believe.

A couple of recent examples:

  • Last summer, we were talking to a global enterprise interested in replacing a legacy, out-of-support identity management product. They had a really unrealistic timeline: 6 weeks to implement and deploy a replacement. We told them that it would simply not be that fast. One of our competitors assured them that it would be no problem. Our competitor won the business, on the basis of ludicrously false promises. Now, in retrospect, reality has set in. 8 months later (not 1.5 months!), they are about half way done with the replacement effort. Good times.
  • Recently, a software vendor in our space started offering “free” software. Of course, it would only come with limited integrations, and limited features, and just one day of consulting, and would only be free for the first year. But hey – it’s free! And if any organization is silly enough to adopt this “free” software, why, they would be hard pressed to walk away when the time comes to start paying for things, or adding useful features.

This is not new – we’ve seen companies promising “enterprise deployment” of privileged access management systems, with thousands of integrations and full business process, in under 30 days. Seriously? Most organizations will need that time just to define their requirements, never mind deploy, test, migrate to production, retest, document and hand off to operations.

But there must be money in it, because people keep offering things that are clearly too good to be true (and so are not true).