While vintage can be pretty awesome in the context of music, fashion and other arts, vintage in security is not a term you want to embrace.
My son, a fantastic musician and aficionado of classic rock music, is always on the hunt for something new to listen to, and often my friends will eagerly help out by pointing out some old, obscure 70s underground rock band that they think would be “perfect for him.”
Recently one friend came to us perplexed. He had gone to a local music store seeking out a CD of a band that was a minor hit 35 years ago in Boston, and couldn’t believe that they had none available in CD format, but plenty available in vinyl. “VINYL?? I know its retro and vintage, but who paid to have vinyl pressed for this band?" he lamented. “But,” he admitted, “it’s a pretty awesome find."
But like I said, vintage is great for music, not so much for security.
Lately one of the big trends emerging is the use of “vintage” passwords to make an attempt at cracking into other services. Recent password thefts from Twitter, LinkedIn and MySpace have made headlines, and have also made for some chuckles as people try to recall just what 16-year-old them posted to their MySpace accounts that might embarrass them today.
At first blush, having passwords like this exposed after so many years doesn’t seem like that big of a deal. Services used five or 10 years ago likely forced their users to change their passwords long before these vintage credentials went on the market, so the service itself is protected.
For example, the LinkedIn password theft, according to the official blog, was from 2012, and their “immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure.” So that should be enough, the leak had been contained.
But, in fact, we are now just witnessing the second phase of this attack -- coordinated or not, we don’t really know. What we do know is that a subset of those passwords from some of those vintage leaks were likely used in a massive sweep through GitHub, a very real, very non-vintage, very important service for thousands of companies and millions of developers. This is the service that acts as a repository for millions of lines of software code, technical documents, and much more. And on June 15th, reports came out that the GitHub Security team “became aware of unauthorized attempts to access a large number of GitHub.com accounts” and that it “appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts.”
Vintage passwords from one service being used in new attacks on another service. Pretty frightening if you tend to use just a few permutations of your primary password for access to a number of your online services.
It should be noted that none of these companies did much wrong in these situations -- they discovered a breach or an attack, they notified users of the situation, they advised or forced password resets, and they monitored their own services. In this day and age, its just about the best they can do as a service.
However, that leaves little comfort to the users of these services, especially the cross-users (as I am) who now have to worry about just how many services share the same password, and when the next vulnerability is going to be exposed.
But what can you, as a user, do? Well, you can probably take a tip from user Mark Zuckerberg, that 32-year old Harvard grad running a little site called Facebook, who fell victim to this very type of attack when a hacker busted into his Twitter and Instagram accounts using, you guessed it, old LinkedIn password credentials stolen in the 2012 breach.
To be fair, these seem to be old, unused accounts attached to Mr. Zuckerberg, so we can’t blame him entirely for the lack of security, but the lesson here remains the same -- as a user, it is important to take advantage of all of the security features offered to you by a service because you need to be an active member of the security team dedicated to protecting your stuff.
And the most important security feature that not enough users employ? Two factor authentication.
2FA is a simple yet critical validation step that is offered by many, if not all, of the services mentioned above. 2FA requires a user to include a second channel of communication, usually a mobile phone, through which the service can contact the user whenever a login to the service occurs from a new location. In its simplest form, 2FA sends a 4- or 6-digit code to the mobile device via SMS that must be entered in as a challenge on the login page after password credentials have been entered.
This second factor acts not only as an added security layer, it also acts as an immediate alerting system to the valid user when someone is attempting a login from parts unknown.
As with everything else, 2FA is not the panacea for securing online services and protecting them from breaches, hacks, and other service attacks; but it is a fundamentally safer option than simple password challenges alone and it is not too difficult to use. I urge you all to go to all of your active online services now and research the options for security. If 2FA is offered, use it! If its not offered, ask the service why it's not, and maybe consider how serious that service’s security team is in protecting their users.