In the spring of 1962, Alan Scherr was not a happy person.
A PhD student at MIT, Scherr was working on performance simulations on the CTSS (Compatible Time-Sharing System), one of the first time-sharing systems developed. CTSS is also notable because, in 1961, it became the first system to require a password to authenticate users.
Scherr, like everyone else, was limited to 4 hours of computing time per semester on the CTSS. But that wasn’t the reason he was unhappy. He had already solved that problem. Part of the code he wrote for the CTSS operating system was measurement code, and, as part of that code, he added an STZ (store zero) instruction that reset his time usage to zero after each simulation. “Time enough at last,” as perhaps Rod Serling would say.
The reason for Scherr’s discontent was that his fellow users needed space on the system. Since he was, after all, done with his measurements, they deleted his code (no more STZ!) and revoked his access to the operating system. In a panic, and desperate to find a workaround, he made a remarkable discovery. All passwords were stored in a file called UACCNT.SECRET, under the username M1416, the main system account. If he could get people’s passwords, he can use other accounts to run his simulations. The operating system had a handy feature whereby anyone could submit a punch card to request a printed copy of any file, provided that it included the filename and the username. Scherr did exactly that. Early that Saturday, he retrieved his printout of all passwords. A year after the password-protected operating system was invented, it was compromised.
From 1961 to Now
Fast-forward to 2017. Just last week, Instagram was compromised.
As reported by Variety, nude pics of the Biebs have been unleashed on the world, courtesy of ex-GF Selena Gomez’s hacked account. I could find no definitive confirmation that Gomez’s account was accessed as part of a wider security breach. Nonetheless, the timing speaks volumes. Kaspersky Labs reported the data being shopped around on underground forums, and the Daily Beast reports that up to 6 million accounts have been compromised.
Ask and You Shall Receive
The attacker, according to Ars Technica, found an old version of the Instagram application (8.5.1, released last year) that has a password reset action. Using a web-proxy, they captured what the app was sending and receiving. Astonishingly, data sent to the app sent included personal information (address, email, etc.). But even more astonishing was that, by replacing the username in the request with ANY other valid username, the attackers could harvest the personal information of the specified user.
Scherr’s “hack” was as simple as requesting the information he wanted on a punch card. Similarly, these modern hackers by sending a little JSON to an API, they were able to retrieve personal data for any user of their choosing. No punch card needed. With a bit of scripting, they harvested data from over 6 million high-value targets.
No Passwords, Big Deal?
It’s important to note that this was NOT a password breach. Instagram assures us this is the case, which may be of some comfort, but then, you may ask, how could someone have accessed Gomez’s account using only information from this breach which didn’t contain any passwords? Very simply: with a phone number.
Many services, Instagram included, use phone numbers for password resets. A little over a week before the Instagram breach made headlines, the New York Times reported that hacker are persuading cell phone carriers to transfer control of legitimate phone numbers to hacker-owned devices. Once in possession of the phone number, an enterprising hacker can reset the password on any account associated with that phone number. Recent attacks have focused on valuable BitCoin accounts, and the targets range from high-worth individuals to political activists and celebrities.
The fact is that accounts can be taken over in many ways, circumventing the protecting password itself.
Recently, the site https://haveibeenpwned.com/ (which I highly recommend) released a trove of over 320 million passwords, all of which were once encrypted and have since been cracked by researchers. The purpose of publishing this information is twofold. First, it gives companies a way to blacklist insecure passwords--and any published password is inherently insecure! Second, and more importantly, examining the shared characteristics of decrypted passwords provides new insights into choosing secure passwords.
There have been other good articles on password security, such as this piece, published by researchers at CMU: https://theconversation.com/choose-better-passwords-with-the-help-of-science-82361
But good passwords aren’t good enough, and they won’t be for as long as easy retrieval mechanisms still exist. That was demonstrated back in 1962, and it is no less true today. Some key tips for password usage:
- Always use multi-factor authentication, and do not make the other factor your phone number.
- Avoid reusing passwords, and invest in a password manager.
- Check https://haveibeenpwned.com/ occasionally to see if any of your accounts have made the list.
- Limit what personal information you put online, even for private accounts.
- Keep all software up-to-date.
- Be careful about what you click on and which sites you visit, especially when they ask for personal information.
So, these are things every individual can do. But what about service providers?
Keep Your Users Safe
However, if you’re a service provider, the onus is on you to be secure. The advice above is useful for protecting individuals, but a service bears responsibility for the security of all of its users. Scherr didn’t compromise accounts because users chose poor passwords, he compromised accounts because passwords are insufficient protection.
Here are some steps toward maintaining a secure system:
- See all the linked suggestions for creating strong passwords? Don’t make it impossible for your users to take that advice! I’ve seen sites that prohibit “special characters,” and these were financial institutions.
- Design for an eventual compromise. Say the attacker does succeed in dumping a user table full of credentials--don’t help them by handing over the passwords in clear text. Good articles on secure password storage can be found here: https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
- Pay special attention to password reset flows, see https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
- Rate limit your logins to prevent brute force attacks.
- Monitor login activity to spot brute force, scanning, and credential-stuffing attacks. Good news for tCell customers: we have you covered on this one!
Visibility is Key
The last point is critical. Without visibility into the activity of your system, and without real-time analytics to spot when an attack is underway, the problem is compounded over time. The Instagram breach resulted in 6 million accounts over the course of weeks. Similar breaches went undetected for months.
tCell monitors authorization to your service in real-time, utilizes advanced analytics to spot attack and compromise behavior, providing automated blocking capabilities, as well as alerts to inform your incident SecOps team to respond swiftly armed with actionable data.