Today, I heard a squeal of brakes and an explosion. I saw big-company hubris grow sheepish in the light of a million glares. And I saw a man courageously face up to losing much of what was important in his life.
I am talking, of course, about the disastrous weaknesses in cloud security that led to Wired writer Mat Honan having his "digital life dissolved by hackers." This was the online equivalent of breaking into someone’s house and destroying everything there that is useful, empowering and beautiful. Psychological vandalism for the digital age.
Mat’s hackers compromised his Google account and deleted it. They compromised his Twitter account and broadcast vileness from it. They took over his Apple ID and used it to remotely wipe his phone, tablet and computer. And Mat, in a display of breathtaking humility, takes the blame for the infuriating chain of causes behind it all – because his accounts were "daisy-chained" together: the recovery address for one was the login for the next, so cracking one helped them crack all the others.
OK, you can panic now. The old world of usernames and passwords is not suitable for a cloud environment where everything you use is connecting you to everything else you use. Cue the evidence.
A litany of lethal logins
Facebook Connect – You like logging in to stuff via Facebook? Until just a few months ago, the access tokens exchanged between Facebook Connect (the single sign-on service behind those logins) and the applications it connects to could be sent completely in the clear, where anyone on the path could pick them up and use them. Gulp.
Website username/password files – Did you know that thousands of websites the world over store their users’ passwords in a file or database on the website itself in the clear, rather than as salted hashes? One stolen file then yields every password at once, which positively incites hackers to target it. Yahoo’s recent breach, in which a large dump of plaintext passwords was published, is the most notable example.
Apple encryption that doesn’t encrypt – When does encryption not encrypt? When it’s Apple’s full disk encryption tool, FileVault 2, apparently. It contains, according to our chief cryptographer Dr. Michael Scott, "chunks of unencrypted plaintext, floating there like meat in gravy…" Lunch, anyone?
Reuse and recycle…? Did you know that each Briton has, on average, 26 online accounts? That equates to 52 different pieces of information to remember (26 x username + password). I know, ridiculous, isn’t it? And if you were in any doubt about whether people are using the same username and password for some or all of these accounts – including corporate accounts that, in turn, can compromise thousands of other accounts – look no further than the compromise of Dropbox just a few days ago, where a password reused from another site’s breach opened an employee’s account.
Windows 8 – next up for notoriety? OK, this is speculation, but well-informed people have suggested to me that Windows 8 will require a Live login for its cloud experience. Basically, every service within that environment would appear to share the same Live login details. So, if you’ve got SkyDrive, an HTC phone and Hotmail, for example, then any compromise of the Live login could enable a hacker to delete everything on your SkyDrive, locate and erase your phone, and delete all your contacts and emails. Sound familiar?
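To make the "website username/password files" point concrete, here is an added example in Python, not code from the post or from any of the sites it mentions: a constructed credential store in the clear beside the same store kept as salted, iterated hashes, with a function that shows what an attacker recovers from each after a dump. The usernames, passwords, wordlist and the 50,000-round PBKDF2 work factor are all assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample store in the shape the post criticises: usernames and
# passwords kept on the site itself, in the clear.
PLAINTEXT_STORE = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
}

# Illustrative wordlist an attacker would run against a stolen store.
WORDLIST = ["password", "123456", "hunter2", "letmein", "qwerty"]

# Work factor for the salted hash; 50,000 PBKDF2 rounds is an assumed value.
ITERATIONS = 50_000


def make_record(password: str) -> dict:
    """Store a random per-user salt and PBKDF2-HMAC-SHA256 of the password,
    never the password itself. Two users with the same password get
    different records because the salts differ."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# The hardened store: same users, but only salt + hash on disk.
HASHED_STORE = {user: make_record(pw) for user, pw in PLAINTEXT_STORE.items()}


def dump_plaintext(store: dict) -> dict:
    """A leaked plaintext store hands the attacker every password at once,
    ready to replay against every other site where it was reused."""
    return dict(store)


def crack(record: dict, wordlist: list) -> Optional[str]:
    """A leaked hashed store forces the attacker to guess, one user and one
    candidate at a time, paying the full work factor for every guess.
    Returns the recovered password, or None if it is not in the wordlist."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


if __name__ == "__main__":
    print("plaintext dump:", dump_plaintext(PLAINTEXT_STORE))
    for user, record in HASHED_STORE.items():
        print(f"{user}: cracked from hashed store -> {crack(record, WORDLIST)}")
```

Note what hashing does and does not buy you: bob’s "hunter2" still falls to a short wordlist, and alice’s long passphrase survives only because it is not in the list. Hashing protects the site’s users from a wholesale dump; it does nothing for a user who reused that same password elsewhere, which is the next item’s point.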
Ditching the Daisy Chain
I could go on, but actually Mat Honan puts it rather more succinctly: "Had I used two-factor authentication for my Google account," he says, "it’s possible that none of this would have happened."
It’s a simple statement, to match the simplicity of the concept that underlies two-factor authentication: it’s based on something you have and something you know. These two things together provide the authentication. Think about your cash withdrawal card: the card is what you have, the PIN is what you know. Card is useless without PIN, PIN is useless without card, and the card on its own does not give the PIN away. Username and password, on the other hand, really doesn’t cut it on the have/know level: both are things you know, so an attacker who learns them has everything, and there is only one factor in play.
But no-one wants to have to use a card reader or physical PIN pad online (remember the millions the banks spent on those runty little things that looked like calculators?). The way you make this work in the online world is to virtualise the card into the form of a cryptographic token: a secret held in software on your device rather than on a piece of plastic.
You "have" this token, and it is combined with a PIN (the thing that, once again, you know) to produce the authentication. Token is useless without PIN, PIN is useless without token. A fresh one-time value is derived from the pair for every authentication, so the PIN/token combination is effectively single-use: a value captured in transit cannot be replayed, and breaking into one account gives an attacker nothing that opens another. No daisy chain (very frustrating for hackers), and you only have one PIN to memorise.
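As an added illustration of the have/know split and the single-use property described above (this is example code, not the post’s own or any CertiVox scheme), here is a toy two-factor protocol in Python. The device stores the server’s per-user secret blinded with a key stretched from the PIN, so the stored token is useless without the PIN and the PIN is useless without the token; each login derives a fresh HOTP-style code from a counter, and the server refuses replays and caps failed attempts. The names, the 20,000-round PBKDF2 mask, the five-failure lockout, the sample user and PIN are all assumptions of this example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

MAX_FAILURES = 5   # assumed lockout threshold: a 4-digit PIN space is tiny


def one_time_code(secret: bytes, counter: int) -> str:
    """HMAC over a counter, truncated to six digits in the HOTP (RFC 4226) style."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def mask_key(pin: str, salt: bytes) -> bytes:
    """Stretch the short PIN into a 32-byte mask (round count is an assumed value)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 20_000)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Server:
    """Knows each user's real secret and the highest counter it has accepted."""

    def __init__(self) -> None:
        self.secrets: Dict[str, bytes] = {}
        self.last_counter: Dict[str, int] = {}
        self.failures: Dict[str, int] = {}

    def enrol(self, user: str) -> bytes:
        secret = os.urandom(32)
        self.secrets[user] = secret
        self.last_counter[user] = 0
        self.failures[user] = 0
        return secret   # handed to the device once; enrolment channel assumed secure

    def verify(self, user: str, counter: int, code: str) -> bool:
        if self.failures[user] >= MAX_FAILURES:
            return False   # locked out: online PIN guessing must be capped
        ok = counter > self.last_counter[user] and hmac.compare_digest(
            one_time_code(self.secrets[user], counter), code)
        if ok:
            self.last_counter[user] = counter   # this code is now spent: no replay
            self.failures[user] = 0
        else:
            self.failures[user] += 1
        return ok


class Device:
    """The 'have' factor. It keeps only the PIN-blinded token and a salt;
    neither the PIN nor the real secret is stored anywhere on it."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self.salt = os.urandom(16)
        self.token = xor(secret, mask_key(pin, self.salt))
        self.counter = 0

    def authenticate(self, pin: str) -> Tuple[int, str]:
        """Combine token and PIN to rebuild the secret and derive a fresh code.
        A wrong PIN silently yields a wrong secret: the device cannot tell a
        right PIN from a wrong one, so there is no offline oracle to attack."""
        self.counter += 1
        secret = xor(self.token, mask_key(pin, self.salt))
        return self.counter, one_time_code(secret, self.counter)


def demo() -> Dict[str, bool]:
    """Walk through the cases the post describes and return each outcome."""
    server = Server()
    device = Device(server.enrol("mat"), "4271")   # sample user and PIN (constructed)
    results = {}
    counter, code = device.authenticate("4271")
    results["right pin"] = server.verify("mat", counter, code)
    results["replayed code"] = server.verify("mat", counter, code)
    counter, code = device.authenticate("0000")
    results["stolen token, wrong pin"] = server.verify("mat", counter, code)
    stranger = Device(os.urandom(32), "4271")   # knows the PIN, lacks the token
    stranger.counter = device.counter
    counter, code = stranger.authenticate("4271")
    results["pin without token"] = server.verify("mat", counter, code)
    for _ in range(MAX_FAILURES):            # hammer the server with bad PINs
        counter, code = device.authenticate("1111")
        server.verify("mat", counter, code)
    counter, code = device.authenticate("4271")
    results["right pin after lockout"] = server.verify("mat", counter, code)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} accepted={ok}")
```

The design point worth checking in any scheme of this shape: because the stored token carries no check value, an attacker who copies it cannot test PIN guesses offline; every guess has to be sent to the server, which is why the server-side failure cap is not optional. The toy leaves out what a real deployment needs (secure enrolment, counter resynchronisation, binding the token to the device) and describes no vendor’s product.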
Where do we go from here?
So is the two-factor message starting to hit home? Well, in part, but we seem to be stuck in a rut of "clunkiness." Dropbox has publicly stated its wish to switch to two-factor and Google already offers it, but – maddeningly – the mechanism both rely on, or will rely on, is an authentication code sent to your mobile by SMS. (Google also offers an app that generates the code on the handset, which at least avoids the SMS path.) Which is all well and good, but, as we all know, SMS is wide open: the message travels unencrypted through the carrier’s network and lands on a handset that can be lost, infected or SIM-swapped.
Be worried.
Brian Spector, CEO, CertiVox.