If I Told You, I'd Have to Kill You

Monday, June 11, 2012

Ed Bellis


I’ve been talking a lot about information sharing within information security lately. Most recently at the ISSA CISO Summit in Denver.

The presentation covers some of the new school of information security and walks through a few use cases on data-driven security.

Sadly, this past week has reminded me how much “old school” is still being practiced.

We saw a lot of password leaks in the news, including the likes of LinkedIn, eHarmony and Last.FM; however, this post isn’t about breaches or even lax security practices.

What actually bothered me the most about these incidents were the communications, or lack thereof.

When news broke of the LinkedIn password hashes being posted on the net, it seemed most realized it was real long before LinkedIn confirmed.

There was a lot of guidance to change your password, yet nothing that led me to believe the hole was closed and my new password wouldn’t be breached as well.

Of course, as the week went along the news of the others came out as well. The response from Last.FM was the one that irked me enough to take the time to write a blog post.

All of these breaches present a great opportunity to learn what does and doesn’t work in information security. But when we get responses like the one posted by Last.FM not only do we not learn anything, we don’t have any reason to believe they have either.

On Friday, Last.FM posted that at least “some” passwords had been leaked online. They were encouraging all of their users to change their passwords (Note: I’m one of those users).

Again, this post isn’t to pick on sites that have been breached because it happens to everyone. Personally, as a Last.FM user, I’m not all that worried about this one. I used a unique password and frankly if someone took over my Last.FM account I can’t imagine much damage being done… but when I read the post from them I couldn’t help but show a little frustration on Twitter:

RT @lastfm: We posted an update on our blog reg the password situation on Last.fm: blog.last.fm/2012/06/08/an-… <neither useful nor informative :-/

— Ed Bellis (@ebellis) June 8, 2012

A product manager from Last.FM then engaged me on Twitter and asked what more information I would have liked. I asked him to provide how they would be storing my new password, to which he responded with this:

@ebellis we’re not going to be specific about the method for secure storage of PWs but we did a MAJOR upgrade to this on Wed.

— Matthew Hawn (@jukevox) June 8, 2012

Well, I felt much better immediately. They completed a MAJOR upgrade after all. You can see how the rest of the conversation went here.

After a long week of internet password leaks it was only the lack of information sharing that truly bothered me. This mindset that I can’t possibly tell you how I’m protecting your password because then the bad guys would know how to get us isn’t working.

Look I get it, you can’t share everything. I’m just asking for baby steps. Let’s start talking about our mistakes in hopes we all learn from them.

Finally, the news isn’t all bad. There are some new schoolers out there whether they know it or not. Take a look at the communications from Cloudflare after they recently suffered a breach.

The transparency is refreshing and something we should all strive for.

Cross-posted from the Risk I/O blog
