The online security mirage

Yahoo, Billabong, Crikey have become the latest in a growing list of companies that have seen their databases come under attack. So are hackers getting smarter or are we making their lives easier?

The internet has always been a dangerous place for the naïve and the uninformed but the recent spate of break-ins across the web – ranging from a behemoth like Yahoo, to a retailer like Billabong, to independent news site like Crikey – has highlighted just how transient this illusion of online security can be.

In fact, Yahoo, Billabong and Crikey are the latest in a growing list of victims that have seen their vaults raided and user data pilfered. The recent flurry started in June when LinkedIn was breached and this was quickly followed up by similar raids on online dating site E-Harmony and UK-based music streaming service Last.FM. The hit list this month started with Formspring, then Yahoo and was followed up by Crikey and Billabong in Australia.  

While the Yahoo security breach exposed 450,000 usernames and passwords from its Contributor Network, a subset of Yahoo's massive network of Web sites, Billabong has seen a database of 37,000 users compromised with a company spokesperson telling Technology Spectator that only 250 users on that list were from Australia

“Based on what we know currently there is a relatively small number of Australians affected. We are still in the process of verifying the information in the database and also in the process of taking all the necessary steps with regards to notifying users and regulators,” a Billabong spokesperson said.

As things stand Billabong is still trying to get to the bottom of how the breach happened and the data remains online. In the case of Crikey, the independent news site’s open source platform, WordPress, was hit by a hacker who got hold of a username and acquired a password – presumably via automatic password generator software freely available on the web – to access the administration site. 

“We got onto it pretty quickly and shut down the website to ensure our readers were protected.  I think we went down about 10am and were back up before 12,” Crikey editor Jason Whitaker said.

“Our database of reader information was not hacked so nobody has had any personal and payment details compromised. There’s extra walls of security around this information.”

Now, if you are under the impression that there is rhyme or reason behind the attacks then you would be wrong. The only discernible pattern that is of any consequence right now is that hackers can pretty much hit a site at will and bypassing security is about as simple as turning on a computer. If you needed any further sign of the apparent impunity with which hackers are operating look no further than the so called official of the hacker collective AnonymousPar:AnoIA

This data dump website, which stands for "Potentially Alarming Research: Anonymous Intelligence Agencies", will now serve as the platform for the collective to ostensibly carry on the work started by WikiLeaks. Leaving aside Anonymous’ motivation for a moment the chutzpah of the collective is undeniable and the litany of high-profile breaches in the last couple of months would suggest that it’s not entirely unfounded.

So what’s going on? Are the hackers too smart for their own good?

Databases under assault

Right now all the action seems to be geared towards cracking open databases. If you put a number on the carnage, so far just between over seven million user accounts have been potentially compromised in the attacks. Perhaps the most galling aspect of the whole scenario is that the hackers aren’t actually even breaking a sweat right now. They are actually targeting vulnerabilities that have been around for a long time and the recent breaches are evidence that the age old pathways are still very much effective.

As if that wasn’t bad enough, users and enterprises are actually making the life of hackers easier. In the case of Yahoo and Billabong both companies had the usernames and passwords stored completely unencrypted.

How a company like Yahoo or Billabong fails to see the shortcomings of such a procedure is baffling to say the least. There is almost a disconnect between the stated strategy a business has for protecting user data and how this is actually implemented.

Most organisations carry out extensive due diligence when it comes to sourcing the security setup but the breakdown can often happen during the implementation part of things. This is certainly a bigger issue for larger organisations where there are numerous distinctions between IT security teams, database admin teams, operations teams and even some business units that are using web-based front ends for customer engagement.

What’s needed is a complete oversight of all the databases, so knowing where all the databases are, and then having a strategy that allows management of the data and the update cycle of the software in use.

A slip up in any of the aforementioned departments can lead to serious risk exposure and in the case of Yahoo all it took was a simple SQL injection, which is designed to compromise a database by tricking a site into forming a rogue SQL command. What you end up with is a scenario where the contents of a database are delivered right into the laps of the attacker.

We don’t know if the Billabong breach was another SQL injection but the very fact that it is a likely culprit is a sad indictment of the state of security in many organisations. After all SQL injections aren’t exactly cutting edge and there is actually a well-developed toolkit available to deal with the problem. In Yahoo’s case this toolkit obviously went missing in action. 

User complacency: the other side of the coin

The disconnect between strategy and implementation at an enterprise level is only one side of the coin, the other side is the appalling level of user complacency on display. An examination of the copy of Yahoo’s breached database by CNet’s Declan McCullaugh has highlighted the existing password frailty.

McCullaugh wrote a program to analyse the most frequently used passwords and e-mail domains that surfaced in the breach of the database that contained 137,559 Yahoo accounts and 106,873 Gmail accounts. Here’s small sample of what he found.

There were 2,295 instances of a sequential list of numbers used as a password, with "123456" by far being the most popular password. The word “password” was used as a password 780 times, while there were 437 instances of the use of the word “welcome.”

Security vendor McAfee’s executive Kevin Le Blanc says that the sort of user complacency highlighted by McCullaugh’s study is a major issue and unfortunately organisations aren’t forcing users to make stronger passwords to create online accounts.

“It’s a lot easier to remember one thing and use it for everything but it’s not the safest thing to do,” Le Blanc says.

Password fatigue is a valid problem but Le Blanc says there are relatively easy things that users can do that don’t involve the use of various strange orderings of numbers and symbols.