Crying ‘Wolf!’ seems to work for security
The strange thing is that I’m not really upset about this. Normally, I get incensed when I see the media get security stories wrong. But the greater good in the security business counts for something, and it just may be that these overhyped breach stories led a lot of people to take the simple steps they need to follow to increase the security of their accounts.
The latest mega hack story that was misrepresented was the compromise of 117 million LinkedIn accounts. You can find stories about it on just about every major news site. Stories were posted on Facebook accounts. Clearly this must have been a significant hack that people needed to know about.
But the hack actually occurred four years ago. What is supposedly news is that a hacker is offering the 117 million account credentials garnered in that old breach for sale in criminal forums on the dark web. In theory, all of those passwords should have been changed long ago. In reality, a lot of them weren’t, so some accounts are still at risk — just not anywhere near 117 million of them.
Earlier this month, we had a report that 272 million accounts had been hacked, and a Russian hacker was selling all of the credentials for less than $1, primarily for the notoriety. The credentials were for accounts at almost all the major Internet sites, including Yahoo, Gmail and Hotmail. All the major news venues reported on the hack and issued urgent warnings for people to change their passwords. That was actually awesome from a security perspective.
But the hack was described as hype within two days. One website stated that 99.9% of the compromised credentials were invalid.
The largest mega hack that wasn’t in the last month was of Pwnedlist. In this incident, 866 million accounts were supposedly compromised. Pwnedlist is a site that was maintained by InfoArmor as a public service designed to help companies track public password breaches that may create security problems for their users.
In this case, a valid user of the site performed parameter tampering and was able to search for any domains or accounts listed on the site. A breach involving 866 million credentials certainly sounds awful. But all of the credentials available in Pwnedlist are there precisely because they have already been flagged as compromised. How do you compromise compromised credentials? There really was no increased risk for the accounts in question. It would have been better if the vulnerability had not existed, but that is a very different story from 866 million accounts being freshly compromised.
And so we had a string of stories that consistently missed the point. And yet I am grateful for the invaluable public service they performed by making security matters big news and quite possibly prompting thousands, if not millions, of people to change and strengthen their passwords.
On the other hand, I am dismayed when real incidents go unnoted. For example, how much attention was paid to reports that card skimmers were operating in Walmart? Stories about that would have been a great opportunity to highlight the importance of using chipped cards or, even better, Apple Pay or Google Pay, for transactions whenever possible. There were also dozens of data breaches in the healthcare field. As always, there was no dearth of real incidents.
As long as I am pondering the failures of the media when it comes to security matters, let me go back a moment to the coverage of the Heartbleed vulnerability. Heartbleed was, and sadly remains, a major problem. It was widely covered, but the mainstream media focused on the idea that the foundation of the Internet was at risk. What they didn’t do effectively was spread the word about what people can do to protect themselves, simply by changing their passwords. When that was mentioned, it tended to be an afterthought.
But I’ll take what I can get. The cries of “Wolf!” about breaches that weren’t really breaches seem to be effectively garnering mainstream attention for good security practices. As a security professional, I guess I should feel some satisfaction that users are being told to regularly change their passwords.
Nonetheless, I have the nagging thought that it would be even better to recommend that users implement multifactor authentication on their Internet accounts. At least I now know how to get the word out about that: Just make up a news story that every password in the world is at serious risk of compromise and the only thing that can stop it from happening is if people implement the free multifactor authentication that is available. Basically, it’s the truth.
Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. He can be contacted through his Web site, securementem.com.