Security Needs Update: Russian Hackers Steal 1.2 Billion Passwords



About 1.2 billion Internet usernames and passwords from hundreds of thousands of Web sites and 500,000 e-mail addresses have been stolen by a Russian crime syndicate, according to an Aug. 5, 2014 report in The New York Times.

This should revive interest in the movement to eliminate passwords.

Google’s efforts in 2013 to make the Internet more secure by eliminating the use of passwords have already drawn praise from one of the nation’s leading authorities on digital security.

“The premise is indeed interesting and is most likely destined to become reality,” says Stan Stahl, Ph.D., at Citadel Information Group, www.citadel-information.com, in Los Angeles.

Published reports including “Google Prepares to Leave the Password Behind” in PC Magazine indicate Google wants to use “a tiny cryptographic USB card called a YubiKey with a modified version of Google Chrome.”

Google ostensibly wants to make a gadget available that would corroborate the identity of users on all machines from computers to mobile phones.

“Passwords are challenging and difficult for people,” acknowledges Dr. Stahl. “Strong passwords are hard to construct – in part because we do a lousy job of instruction.”

It can be a tedious process if you have a lot of passwords.

“Strong passwords are hard to remember,” says the security guru. “And when we need several of them, they become very hard to manage.”

Feasible alternative

“Replacing passwords with authentication devices could have the positive benefit that both the web site and the user will be able to authenticate the other,” says Dr. Stahl.

“Right now, it’s often too easy for a fraudulent web site [set up by a cybercriminal to steal your information when you visit, for example] to look legitimate to an unsuspecting visitor,” he adds.

“Done right, an authentication device could authenticate the user to the site and the site to the user,” asserts Dr. Stahl.

But what if the device is lost or misplaced? Indeed, the PC article reports Google probably has a solution.

The search engine has “developed a Google-independent protocol that requires no special software to authenticate a security device. It even includes measures to prevent websites from tracking users via their security devices, and only requires that the user be running a browser that supports the protocol.”

The Google approach appears to be easier and more secure than passwords. However, don’t get complacent and start celebrating.

“…no technology – including technology that replaces passwords – is a silver bullet in the fight against cybercrime,” cautions Dr. Stahl.

“A cyber criminal who takes control of the computer you use to access your bank account will have your access to that bank account, whether you gain access through a password or through an authentication device,” he adds.

From the Coach’s Corner, visit Dr. Stahl’s informative security blog, where you can sign up for his complimentary security updates.

More of Dr. Stahl’s expert opinions:

BYOD, Mobile-Banking Warnings about Security Prove Prophetic — Not to be gauche, but in 2009 you saw the Internet security warning here first – mobile banking is so risky an IT security guru said don’t do it. The warning was prophetic.

5 Safety Measures to Thwart Mounting Social-Network Attacks — An epidemic of social-networking attacks represents unprecedented dangers to companies. Here’s how a Facebook user cost her company a $1 million loss.

Who Profits from Android’s Security Issues? Not Users — Countless headlines detail the cyber dangers of Android-based devices. It has to do with the apps.

Cyber Security Legislation that Affects Your Business — A data-breach bill has been re-introduced in the U.S. Senate that would regulate how businesses behave – informing customers when their personal information has been stolen. Actually, you should take the enclosed precautions even if the law doesn’t pass.

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records — Unfortunately, we’ve learned another lesson about passwords at the expense of 16,288 patients who’ve been treated at UCLA’s network of hospitals and clinics. The patients’ sensitive information is in the wrong hands following a burglary at a doctor’s home.

 “Criminals should be punished, not fed pastries.”

-Lemony Snicket

__________

Author Terry Corbell has written innumerable online business-enhancement articles, and is a business-performance consultant and profit professional. Click here to see his management services. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry.

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records



Unfortunately, we’ve learned another lesson about passwords at the expense of 16,288 patients who’ve been treated at UCLA’s network of hospitals and clinics. The patients’ sensitive information is in the wrong hands following a burglary at a doctor’s home.

The information was on the computer hard drive stolen from a doctor’s home, according to an article in The New York Times (UCLA Health System Warns About Stolen Records). Medical records of the patients included addresses, birth dates and medical information covering July 2007 to July 2011.

The possible good news: The personal medical data was encrypted. But the alarming news: A piece of paper containing the password to the medical records was missing from the doctor’s home.

“Rule 1 is never write down passwords,” warns nationally known security expert Stan Stahl, Ph.D., of Citadel Information Group in Los Angeles.

“Rule 2 is – if you’re going to break Rule 1 – do it securely,” he adds.

“If you must write a password down, write it on a piece of paper the size of a credit card and keep it in your wallet with your credit cards and your driver’s license,” explains Dr. Stahl. “And just write the password: write ‘15Blah-blah-blah’ not ‘my laptop password is ‘15Blah-blah-blah’.”

You can get more of Dr. Stahl’s insights on his security blog and his Web site. (Note: Dr. Stahl is a fellow member of Consultants West, www.consultantswest.com, a roundtable of veteran consultants in the Los Angeles area.)

From the Coach’s Corner, here are additional cybersecurity tips:

Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft – Study — A whopping 79 percent of companies in the U.S. and U.K. experienced Web-borne attacks, according to data released in 2013. These incidents continue to represent a significant threat to corporate brands.

Don’t Wait for Cyber Security Legislation that Affects Your Business — Not likely to pass, a data-breach bill has been re-introduced in the U.S. Senate that would regulate how businesses behave – informing customers when their personal information has been stolen. Passage or not, businesses should act on their own. It’s the right thing to do. Here are four precautions to take for your business.

Security Precautions to Take Following Citibank’s Second Reported Online Breach — Citibank’s admission that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers in 2011, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps. The bank’s May 2011 security breach wasn’t reported until weeks later.

BYOD, Mobile-Banking Warnings about Security Prove Prophetic — Not to be gauche, but in 2009 you saw the Internet security warning here first – mobile banking is so risky an IT security guru said don’t do it. The warning was prophetic.

Protect Your Bank Accounts So You Can Sleep at Night — Imagine for a moment — you’re sitting at your desk enjoying a second cup of morning coffee. Then, your phone rings. It’s a call from your bank to discuss possible fraud. Your bank is concerned about possible suspicious activity with your accounts, and wants to make sure you’re not a victim.

“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”

-Richard Clarke






Photo courtesy of imagerymajestic at www.freedigitalphotos.net

