Security Apocalypse

This week’s news about the Heartbleed bug is just a sign of things to come, and so are the hassles it is causing.

Having to rush and change all your passwords is nothing short of an enormous hassle. Realizing that I will likely need to do this again in a few weeks makes it worse. I tend to think these things are going to keep happening and will likely get worse. The reasons are:

  1. Older systems that we perhaps thought to be secure, as in this situation, can in fact be exposed as insecure at any time.
  2. IT shops (and everyone and everything) have an enormously difficult time keeping up on patches: patches at the OS layer, equipment firmware, database layers, various services, etc. Some vendors bundle these up and release them less frequently, which means known problems go unpatched for longer. Other vendors publish new patches all the time, and it is practically impossible to keep their application up to date because they keep coming out.
  3. Computing power available for finding and exploiting vulnerabilities is increasing. Brute force attacks are getting easier.
  4. Using higher caliber password management tools like LastPass is great and adds some level of confidence. However, they too require a lot of focused attention to use. Having to go through 100+ different online services and change each of their passwords is a chore. These tools, like LastPass, work well with some sites and not so well with others. It is far too easy to get out of phase on which password is valid at which site, and sometimes the password change doesn’t work right for various reasons. It is just too complicated for many people to manage.
  5. Two-step authentication is a great addition to use where possible. Lots of high-end sites now provide this level of authentication, and I recommend you use it everywhere you can. However, again, for many users this is still too complicated.

There are going to be more and worse problems with wide-spread security issues. I fear that the good guys are losing.

What do you think?

6 thoughts on “Security Apocalypse”

  1. Hi Mark,

    Unfortunately insecurity has become the defining norm of the internet. Heartbleed is a good example of the unknown unknown. Not only do we not know if the user credentials from various webservices were compromised, we don’t know if they have already been used to siphon off data from users’ accounts. Even if I change the password for all of my accounts, I don’t know if the data in those accounts has already been compromised.

    One other thing to watch out for is the app authorization process in modern webapps. If the user’s credentials were compromised, a malicious app could authorize itself to access the user’s account using OAuth without the user’s knowledge, and that authorization may continue until the OAuth token is manually revoked.

    We may never know the true extent of the damage caused by Heartbleed.

    Saqib

    1. Saqib, I agree. This is spiraling in a direction where trust is going to be lost on a large scale. The possible ramifications are hard to fathom because now we are so used to these services and the interconnections that we can’t envision not having this model.
      Mark

  2. Mark,

    One could draw a parallel between online use of passwords and automotive use of gas. Gas represents a “cheap” form of energy for cars. The entire exploration, refining, distribution and retail mechanisms are in place for getting gas to a gas station on the corner of your street for ease of consumption. To switch to an alternative energy form seems initially daunting due to all that gas infrastructure, coupled with cars being mass produced to consume gas. The same could be said about passwords. Passwords are a “cheap” form of online access. Web sites are built around passwords for identity verification, enrollment and call center/self-service password management. Alternatives to passwords are akin to wind or solar energy for cars.

    What will be interesting is if a radically new alternative to passwords is invented that comes with a low switching cost or if it will take a higher authority to somehow make passwords so expensive the service providers will be motivated to implement alternatives.

    As always, enjoy your articles,
    jfbauer

    1. John,
      Good analogy. The switching costs to something else are huge and it is not clear what might be better at scale. But even if we change to a different ‘password’ scheme, we still likely have the interconnection challenge and trust challenges between services that might still be a weak link. If we all use Facebook to authenticate to services and then something in that ecosystem is compromised, we won’t be sure.
      Troubling times.
      Thanks for stopping by!
      Mark
