LastPass keeper of passwords confirms system breach


Password management isn’t as simple as it should be. Everyone recommends using a unique password for every account you use, and the same people will strongly recommend that each of these be complex. With the ever-increasing number of accounts we use every day, remembering all of your passwords simply isn’t as easy as it used to be.

This problem has led to the rise of password manager tools, where you only need to remember one password and the tool securely holds all your other passwords. Some password management systems also let you access your passwords from any device, meaning that, if enabled, your passwords are uploaded into the cloud. This of course is a big convenience, but putting all your passwords together on a single company’s cloud is an equally big risk.

LastPass, a leader in password management, issued a statement this week that their system containing everyone’s passwords had been breached. Despite the breach, LastPass remains optimistic, claiming their numerous encryption methods will keep users’ passwords secure.

The numerous encryption methods include passwords being salted, hashed and stretched. Salting is where random characters are added to each password before it is hashed, so the same password does not produce the same output. Hashing is where the text is transformed cryptographically so that a slight change in the original password doesn’t produce a similar output. Finally, stretching is the method of running the hashing step many more times over. All of these measures, especially when applied together, make the resulting output almost impossible to crack.
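The three steps can be seen working together in a short added example, which is not code from LastPass or from the original article. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the salt-hash-stretch function and an illustrative iteration count; the passwords and the timing salt are constructed sample values.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumed work factor for this example, not a figure from the article


def stretch(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salt, hash and stretch: PBKDF2 chains HMAC-SHA256 `iterations` times."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password: str, iterations: int = ITERATIONS):
    """Build the record a service would store: a fresh random salt plus the hash."""
    salt = os.urandom(16)
    return salt, stretch(password, salt, iterations)


def verify(candidate: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(stretch(candidate, salt, iterations), stored)


def bits_changed(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length hashes."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def seconds_per_guess(iterations: int) -> float:
    """Time one derivation: the cost an attacker pays for every single guess."""
    start = time.perf_counter()
    stretch("guess", b"constructed-salt", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample passwords, for demonstration only.
    salt_a, hash_a = enroll("correct horse")
    salt_b, hash_b = enroll("correct horse")
    print("salting: same password, same hash?", hash_a == hash_b)
    near = stretch("correct horsf", salt_a)
    print("hashing: bits changed by one letter:", bits_changed(hash_a, near), "of 256")
    for n in (1, 1_000, ITERATIONS):
        print(f"stretching: {n:>7} iterations = {seconds_per_guess(n):.5f}s per guess")
    print("verify correct password:", verify("correct horse", salt_a, hash_a))
    print("verify wrong password:  ", verify("correct horsf", salt_a, hash_a))
```

The salt is stored next to the hash and is not secret; its job is to make every stored hash unique, while the iteration count sets how much each guess costs.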

Even with these measures in place, LastPass is emailing users to reset their master password and advising them to enable 2-factor authentication.

An important lesson to learn is to be careful where you keep your own passwords: no matter how secure you believe your IT system and network security are, your data must be just as secure, and not all encryption is equal.

Change your password by default and change it again

At a major US information security event last week, a fundamental flaw by a major payment terminal vendor was disclosed, potentially exposing millions of customers to the risk of credit card theft and fraud.

The researchers at the RSA Conference in San Francisco would only reveal the password ‘166816’. This sequence has apparently been used by the same firm on payment terminals shipped worldwide for more than 20 years. A Google search afterwards connected this with several models of credit card terminal sold by Verifone in Silicon Valley. Verifone are highly active, selling into 150 countries and connecting 27 million payment devices, so it is an embarrassing disclosure for the vendor (although they declined to comment) and a stark warning to businesses to review security.

It is believed that customers assumed the 6-digit password was unique to them and thus made no further changes. This lapse in security practice makes it all too easy for unscrupulous hackers to target payment terminals. Moving to chip-based payment cards remains only part of the answer, as they are not bulletproof either.

The financial repercussions for retailers should not be underestimated, both from loss of consumer confidence and, for publicly listed organisations, from the impact on share price (remember US retailer Target in 2013 – 70 million customers affected and US store Home Depot – reportedly affecting 56 million customers).

The takeaway for business, whatever the market sector and whichever side of the Pond, is to ensure your business has a robust security policy, reviewed regularly at board level, and on a deployment basis, if your systems and software are ringfenced, to have clear protocols on re-securing assets introduced or re-circulated into the organisation. But to this yin we add a yang: no system is any good if an operator is flawed. To best-practice cyber security policy we would add a good education programme communicated throughout the workplace, as humans remain the primary conduit for increasingly sophisticated hacking.


Top technology news for MSPs

Can 4G resolve problems with on-the-go access to data?

The continued rollout of the new wireless network, 4G, is expected to give users the fastest broadband in Europe. With speeds of up to 5 times faster than the previous 3G, how will 4G impact desktop virtualisation? We believe the new wireless network may aid the adoption of desktop virtualisation on mobile devices, allowing users to remotely access their information more often and at a much faster rate.

Google back ‘one password’ strategy

With the huge increase in cyber-crime and phishing attacks, Google thinks it’s time to say goodbye to the traditional password and look to something new. Google’s security experts, Eric Grosse and Mayank Upadhyay, propose consumers use an encrypted USB-like device that people would use to log into password-protected websites and online accounts. The web giant stated how the miniature device could be used to log into websites with a single password. We understand that, with the great challenge this poses to governance procedures, this is far from being put into practice. However, it does highlight some critical issues in the current online environment.

What can the Surface Pro offer a Business Environment?

Microsoft have announced their much anticipated Surface Pro tablet will be released at the later than expected date of 9th February in the U.S. This latest tablet has been one of the top talking points for IT professionals over the last couple of months, but to what extent can the Surface Pro make a significant business impact in your organisation? We predict a noteworthy one. With its incorporated Windows 8 OS and its ability to access the same business applications as you can on a laptop, the Surface Pro is destined to see the rise of mobility at work.

Nokia 3D printing for phones

As competition in the mobile market becomes fierce, mobile operators are constantly coming up with new innovative ideas to make them stand out from the crowd, and Nokia’s 3D homemade case is no exception. Embracing 3D printers, Nokia have released design files so users can ‘make their own’ plastic accessories. With the current hefty price tag of 3D printers, will users miss out on Nokia’s latest innovation?