Thursday, December 22, 2016

Hackers & Passwords

Hackers and passwords: Your guide to data breaches

When companies tell you your data was stolen, it's not always clear what really happened. Here's what the terms mean.

by Laura Hautala



Yahoo CEO Marissa Mayer in 2014, a time when her company wasn't synonymous with data hacks.
Photo by Ethan Miller, Getty Images

Oh great, another data breach.

That's what you're likely to think when a yet another company or organization that had your personal information tells you it's been hacked. Whether it's Yahoo, Ashley Madison or the US Office of Personnel Management you're hearing from, these notifications are often filled with technical terms and legalistic phrasing.

But you don't need to be a lawyer or a computer science expert to decipher them. Before you skip down to the part where they offer you free credit monitoring (if you're lucky), it's worth looking at that breach notification to learn more about what really happened. It can tell you how good a job the company was doing at protecting your privacy and point to where things went wrong.

Here are some tips on what these terms and phrases really mean.

Is it encrypted, hashed, neither or both?


In a standard breach notification, you'll often get some information about how the company stored your data before hackers stole it. It may seem like a foreign language, but not once you get the hang of it.

Plain Text -- If your information was stolen in plain text, that means it can be read by anyone. This is the worst-case scenario, because it leaves your data completely vulnerable to identity thieves or foreign governments.

Encrypted -- When you log in to a website over a secure connection, your username and password are encrypted, or scrambled. That means no one intercepting your traffic can swipe your password or other info. Encryption is reversible, so when your password gets to the other side -- to an authorized recipient -- the website can read it.

Hashed -- Sometimes you'll read your that password was "hashed," and this isn't a reference to savory breakfast potatoes. A hashing algorithm converts passwords of any length into a random, fixed-length string of characters. Unlike encryption, hashing isn't designed to be reversible. Web services often store the hashed version of your password on their systems, instead of your real password. When you log in to your account, the site's servers will run the same hashing algorithm on the password you submit and compare it to the hashed version it was storing.

Salted and peppered -- Often, passwords are both hashed and salted, and sometimes there's pepper thrown in. Again, I promise this has nothing to do with hash browns. The salt is a mathematical tool that attaches more random characters to the hashed version of the password, normally at the beginning. Pepper attaches the random characters to the end of the hashed version. They both make the hash even harder to crack and turn back into your password.

MD5 -- This is a hashing algorithm, and not a very good one. In 2004, researchers began to find ways to "break" the algorithm, as well as the NSA-created SHA and SHA-1, prompting security expert Bruce Schneier to call for advances in hashing algorithms.

"It's better than nothing, but really it's not," said Steve Manzuik, director of security research at cybersecurity firm Duo Security.

Passwords stolen in the 2013 hack of 1 billion Yahoo users were hashed with MD5. Other hashing algorithms have been developed in the last decade, from SHA-2 to SHA-256.

Bcrypt -- This is another hashing function that takes a different approach than MD5 and the SHA family of algorithms. It's meant to be robust, standing up to various techniques for cracking the code and turning hashes back into passwords. Like hashing functions Scrypt and PBKDF2, Bcrypt achieves this without needing all that extra salt and pepper. Still, if your password is easy to guess, this isn't foolproof.

Why are they telling you this?


Common phrases you'll see in breach notifications may leave you scratching your head. They may read like a normal sentence, but you're just not sure why the hacked company is telling you this. Here's what companies (and their lawyers) are really saying with these phrases.

No payment or health care data was stolen -- When you stumble across this phrase in a notification that your data was stolen, you might feel relieved. But you might also think, so what? The latter was true for many users of Ashley Madison, a website for people interested in extramarital affairs. When they learned all their account data was made public by hackers, they didn't much care that their full credit card data wasn't stolen. Still, the company told them it wasn't.

It might have sounded tone-deaf to people who were more worried about the fallout of being exposed as a cheater. But companies are legally required to disclose whether payment or health care data was exposed in a breach, so they often include it even if it doesn't seem relevant.

State-sponsored actors -- Yahoo said it believes the 2014 data breach affecting more than 500 million of its users was likely carried out by a state-sponsored actor. That means the company thinks a foreign government agency either conducted the hacking itself or paid skilled professionals to do the work. Companies make this assessment based on the evidence left behind on their systems and information shared with them by law enforcement agencies.

Behind this statement is the implication that really sophisticated hackers carried out the attack. But it's important to remember that this doesn't mean the company's system would have blocked less sophisticated hackers. State-sponsored hackers could just as well steal 500 million passwords from a company with poor security.

We value your privacy -- Some breaches are worse than others, but it seems companies use this stock phrase no matter how bad the damage is. If you want to know how sincere the company is, you'd be well advised to ask yourself how well this claim matches up with the severity of the hack.

No comments:

Post a Comment