Tech Primer Series: Security Breaches
Security Breaches
Part 2 of the Tech Primer Series
Short explanation:
How do security breaches occur? In a prior piece, I discussed encryption and explained how a straight brute force attack against a 256-bit key would take many billions of years. Directly attacking encryption schemes is financially costly, so many breaches instead occur by exploiting bugs or oversights. In many instances, attackers employ social engineering. In others, the root cause is a lack of funds and staff for the projects that underpin the security framework.
Security breaches are a fact of life and aren’t necessarily due to incompetence or malice – though sometimes they are. It’s important to examine how companies react in the wake of disclosures; important questions to ask include:
- What measures do they employ to minimise damage?
- What systems do they implement to limit similar breaches in the future?
- How did the breach occur?
More detailed:
Consider the below security vulnerabilities from the last few years:
Spectre & Meltdown:
Spectre and Meltdown are possible due to a 20-year-old oversight in how CPUs implement speculative execution. The methods don’t allow an attacker to ask ‘What’s your bank password?’, but they allow an attacker to infer your password by measuring how quickly a CPU responds to certain requests.
Heartbleed
Google’s security team disclosed Heartbleed to the OpenSSL team on April 1, 2014. It’s a form of ‘buffer over-read’: a web server supplies more information than it should when an attacker sends a specifically formatted request (see this XKCD comic). Technically, a programmer made a mistake in 2012 which no one noticed for two years; in reality, a lack of funding and workers prevented the maintainers from detecting the bug themselves.
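To make the ‘buffer over-read’ concrete, here is an added example (not OpenSSL’s code, and not the original post’s) of a toy echo handler in C. The record format is constructed for the example: two bytes of sender-claimed payload length, then the payload. The vulnerable version copies as many bytes as the sender claims; the hardened version first checks that claim against how many bytes actually arrived. The 64-byte arena, the record and the ‘secret’ placed next to it are all constructed so the over-read stays inside one array and the program can be run safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format: 2-byte big-endian claimed length, then payload. */
static size_t claimed_len(const uint8_t *record) {
    return ((size_t)record[0] << 8) | record[1];
}

/* Vulnerable handler: copies as many bytes as the sender *claims*,
 * never comparing that against how many bytes actually arrived. */
static size_t echo_vulnerable(const uint8_t *record, size_t record_len, uint8_t *out) {
    (void)record_len;                 /* the real size is ignored: that is the bug */
    size_t n = claimed_len(record);
    out[0] = record[0];
    out[1] = record[1];
    memcpy(out + 2, record + 2, n);   /* over-reads whenever n > record_len - 2 */
    return n + 2;
}

/* Hardened handler: rejects any record whose claimed length exceeds the
 * bytes actually received. Returns the reply size, or 0 when rejected. */
size_t echo_hardened(const uint8_t *record, size_t record_len, uint8_t *out) {
    if (record_len < 2) return 0;     /* header itself is incomplete */
    size_t n = claimed_len(record);
    if (n > record_len - 2) return 0; /* claim does not match reality: refuse to answer */
    out[0] = record[0];
    out[1] = record[1];
    memcpy(out + 2, record + 2, n);
    return n + 2;
}

/* Constructed arena standing in for server memory: a 4-byte record that
 * claims 16 bytes of payload but carries only "hi", followed directly by
 * an unrelated secret. Keeping both in one array keeps the demo well-defined. */
const uint8_t ARENA[64] = {
    0x00, 0x10, 'h', 'i',
    'S','E','C','R','E','T','-','S','E','S','S','I','O','N','-','K','E','Y', 0
};
#define RECORD_LEN 4

/* A well-formed record: claims 2 bytes, carries 2 bytes. */
const uint8_t GOOD_RECORD[4] = { 0x00, 0x02, 'h', 'i' };

/* Reply buffer shared by the demo functions so callers can inspect it. */
uint8_t reply[128];

/* Runs the vulnerable handler on the arena and returns the reply length.
 * Everything after reply[3] came from memory the client never sent. */
size_t vulnerable_reply(void) {
    memset(reply, 0, sizeof reply);
    return echo_vulnerable(ARENA, RECORD_LEN, reply);
}

int main(void) {
    size_t n = vulnerable_reply();
    printf("vulnerable reply: %zu bytes, leaked tail: \"%.*s\"\n",
           n, (int)(n - 4), reply + 4);
    printf("hardened reply for same record: %zu bytes (0 = rejected)\n",
           echo_hardened(ARENA, RECORD_LEN, reply));
    printf("hardened reply for well-formed record: %zu bytes\n",
           echo_hardened(GOOD_RECORD, sizeof GOOD_RECORD, reply));
    return 0;
}
```

The point is the single comparison `n > record_len - 2`: the fix is not complicated, but a server that omits it hands back whatever happens to sit after the request in memory. In a real deployment the same check should be paired with a test that sends a short record with an oversized length field, since that is the input shape a code review or fuzzer needs to exercise.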
OpenSSL is free and open source software used by well over half the internet to secure connections between your computer and remote servers. It is one of many open source projects that are critical to the modern internet but received limited funding until the 2014 disclosure – despite megacorporations such as Facebook, Google, and Amazon building their businesses around such technologies. The Core Infrastructure Initiative (funded by Microsoft, Dell, and Adobe, amongst others) aims to secure funding and support for projects critical to the functioning of the internet. It’s a welcome change, but many systems still languish due to limited funds.
Twitter Passwords:
Twitter recently asked all of its users to reset their passwords, due to a bug in an internal logging system which accidentally stored some users’ passwords in plaintext. Twitter says it is confident that no attacker accessed the log, but it still recommends that users change their passwords.
In each instance, unauthorised access to systems occurred because the creators are human and thus fallible. Use unique passwords for each account, and pay attention to how companies disclose breaches. Companies experiencing breaches aren’t necessarily insecure or incompetent (though sometimes they are), so what matters is how they handle them: note how quickly an organisation comes clean, and what steps it has taken to stop similar issues in the future.
In future tech primers, we’ll discuss passwords and how password cracking works in more detail.