I had the chance to talk with cyber security expert Justin Cappos last month about the recent breaches in the retail sector. Cappos is an Assistant Professor of Computer Science at NYU Polytechnic School of Engineering. He’s well known for his work on Stork, a software installation utility for cloud environments.
In our discussion, Professor Cappos has a lot to say about weaknesses in our current approach to password-based security as well as new technologies that can be applied to credit card transactions. He’s worked on his own password hash protection algorithm, known as PolyPasswordHasher, which would make it very difficult for hackers to perform dictionary-style attacks. Cappos offers some very practical advice on securing systems.
Metadata Era: It looks like Backoff malware was implicated in the Staples attack. Though we don’t know too much about the exploit, if it’s like other recent attacks, the hackers found it relatively easy to enter the system through phishing mail, guessing passwords, or perhaps injection attacks.
Justin Cappos: I did look around for this information, and I see a lot of people reporting, but I don’t see anybody specifically saying or speculating that perhaps it’s similar to Target or some of these breaches. Nothing concrete yet.
That’s not to say there isn’t anything a company can do to protect infrastructure—for example, to harden things, to train users not to open phishing mails, and to have people choose reasonable passwords, especially on sensitive systems. The problem with any of these defenses is that the attacker only has to succeed once.
Once they get in, typically they can move around and get access to other things. So businesses need to do a few different things to try to protect themselves effectively. Some of these they may already be doing, but there needs to be a strong emphasis on compartmentalization.
You mean …
So the person who does PR for the organization doesn’t, say, have direct access to financial records.
Also, it’s extremely important to have good network monitoring. You need to have a way to detect whether data is moving off your servers—is it going to places we wouldn’t expect it to be going to? Looking for things like, for example, an HVAC subcontractor who occasionally accesses the corporate network but has now suddenly been found to be hoovering up data. That should be a red flag!
So once they’re in through phishing or injection, they have the credentials of an existing user, and as you pointed out, you have to start monitoring for unusual behaviors. This internal monitoring function becomes very important. Although it’s not necessarily something that companies focus their resources on.
Exactly. So imagine a quarantine. If you were to quarantine something like a thousand people, you wouldn’t put them all in the same big area, where they’d all interact. Ideally you’d want to isolate them.
At a minimum, you want to cut down on interactions. So when you do a data analysis in your organization, you want to keep track of how these isolated pockets are able to communicate and look for suspicious patterns and behaviors.
How can this be done—is this part of your research?
Not specifically for me. But it is good practice for lots of different organizations. So the military and government use this compartmentalization approach. As do banks. They will segment information off and, in some cases, have isolated networks that are not even connected to the Internet. It really depends on the sensitivity of the data and how it will impact the working style of the people.
So you’re really talking about a data governance function, in terms of what is more valuable and what requires more restrictive permissions.
I consult with lots of startups. And one of the first things I do is I say, “Tell me your worst nightmare about somebody breaking in and stealing something. What is that thing?”
For some companies, it’s data about their customers, for some it’s information about an algorithm. It varies a lot depending on the monetization strategy and what the secret sauce of the organization is.
You want to find that thing, and for larger companies, it’s probably many things, and isolate them as much as possible so it’s as hard as possible for an attacker to get that information.
Sometimes it means separating functionality out across multiple servers. So for instance, if your password data is one of the most sensitive things your organization has, you can very easily have a separate server whose only function is to handle password requests, and it does this through a custom protocol that your company wrote.
You would monitor the network and if it got anything other than a password request and returned anything other than a “yes or no”, then you would know immediately that something has happened.
That takes time and takes energy, and you have to implement something a little different to make that happen. If you’re going to protect a really valuable asset, you should do this!
And if you don’t spend the time and effort for, say, your legacy systems, what would you recommend?
For legacy systems, there’s certainly never an excuse not to follow best practices. They absolutely should be using salting and hashing of passwords, if not something stronger, such as hardware-based authentication or PolyPasswordHasher. They need to be using strong protections for user passwords and data.
They need to be encrypting credit card information. If they’re not really in the security business, they really shouldn’t be storing credit card information; they should consider working with a third-party payment processor that will make it so they effectively only have tokens on their server instead of raw credit card data. They can outsource the risk and security concerns of storing credit card information in many cases.
Sure, for some companies it would make sense to outsource to payment processors. But clearly the big box retailers are doing their processing in house.
You mentioned multi-factor authentication. In theory that would have made some of the attacks we’ve seen over the last year much more difficult. Is that a fair statement?
It is. It’s not a panacea—it doesn’t solve all problems. It raises the bar for simple password attacks. It doesn’t necessarily stop people from getting in other ways—SQL injection and other vulnerabilities. Two-factor authentication will not help in that context.
Another way it often does help is to prevent the spread. So if you have a sensitive server that users have to log into with two-factor authentication, even if the attacker figures out the password for users on that server, if they don’t have the second factor they will be unable to get in. That can sometimes contain the attack.
Security is almost never about perfect solutions. It’s pretty much about making it harder for the hackers, buying yourself some time, and just making it difficult enough that you no longer become a good target.
Right, so it becomes too much of an investment for them and the attackers will move on to an easier victim.
In our blog, we’ve been focused lately on the flaws in authentication systems, mostly as a result of SSO, or Single Sign-On, that distributes the hash of the password throughout a system. We’ve written about Pass the Hash, wherein once the attackers get the password hash they essentially can become that user. Any recommendations for this authentication problem, and are there longer-term solutions?
Sure. There are three things to know about in this area.
The first is that if your organization has a good password policy and makes users choose passwords that have a reasonable degree of randomness, then breaking those passwords—through, say, dictionary attacks—can still be implausible. What really happens is that if you get those hashes and the passwords behind them are not amazingly well chosen, then one can break them. If they are very strong passwords—like 8-character, randomly chosen and not from a dictionary—those are pretty strong.
If you’re trying to generate passwords as a human, there are tricks you can do where you pick four dictionary words at random and then create a story where the words interrelate. It’s called the “correct horse battery staple” method! [Yeah, we know about it!]
Strong passwords do help a lot. Organizations should be encouraging their users to choose strong passwords. I think that—many experts believe—requiring users to frequently change passwords, say, every three or six months, does much more harm than good. Because users get frustrated by this and are more likely to forget their password, and so choose passwords that somewhat fit the criteria but are easy enough to remember. I wish organizations would do away with this policy, and instead choose a good initial strong password. That would dramatically increase the time it takes for a hacker to crack the passwords.
By the way, should we be relying on those password strength meters?
Unfortunately, password strength meters can be fooled—you can give it a poor password that it thinks is a good password. Use it with a grain of salt!
There are lists out there of commonly used passwords—even those that use upper and lower case with symbols—and organizations should be really positive that users are not choosing anything in the popular password list. They should actively block the passwords.
That’s the first thing—focus on passwords.
The second is that organizations like Microsoft should be really spending more time designing and improving the security of their systems with respect to password storage. The threat model and landscape have really changed in the last few years, where hackers are much more aggressively going after password databases.
So I would like to see much better support from operating system vendors for things like hardware protection of passwords. I’d like to see some of the new techniques for password protection—like PolyPasswordHasher and other things like this—integrated more broadly. Anything that will slow or stop attackers.
Microsoft, by and large, has very good security—they have an excellent security team. I would just love to see them have a focus in this area, and do this in a realistic way and even provide patches for older versions, which companies like banks are still using.
It’s a password storage and protection scheme. It’s actually something that’s been done by myself and one of my students. It makes it so you have to crack multiple passwords in a database simultaneously to know if any of them is correct. It’s much harder for hackers to crack passwords from the hash. It’s simple to deploy—it’s a software change in the server—and it makes things exponentially harder. It’s open-source and free—available for different frameworks.
And the third part of your recommendations?
There’s something called EMV, which is a standard way to handle credit card numbers that’s commonly used everywhere else but the United States.
So there’s a chip on an EMV-based card that protects information—a tiny security computer if you will. If you swipe your card at a terminal, then all you’re doing is authorizing a transaction—you’re not giving any card information. But if you swipe a magnetic card—like what we use in the US—they really have all the information. The nice thing about EMV cards, you have to steal the cards to take advantage of it. The bar is much higher.
What information does the EMV chip give?
A way of thinking about it is that the magnetic stripe technology is almost like giving someone your wallet. Basically, every time you hand someone a credit card or credit card number, you give them the ability to make transactions on your behalf. With EMV, you’re not giving the ability to make transactions in the future, you’re giving an authorization for the current transaction—almost like a ticket for a movie. You can’t reuse it.
Ah, so you use it once and it can’t be replayed in an attack.
If the EMV solution becomes widespread, would that prevent the retailer attacks from succeeding—there wouldn’t be anything the attackers could use again?
No security is perfect, but EMV makes it much harder. It’s not impossible, though. The amount of work you’d have to do is substantial. I wouldn’t anticipate we’d see millions of credit cards stolen. It’s not a panacea, but it works well.
EMV raises the barriers and eliminates the easy hacks, which is essentially what we’ve been seeing the last year—retail hacks that required very basic techniques.
Yes, it would no longer be a problem of hackers stealing and then at their leisure moving files. Instead they would have to make real-time, live changes to the transactions. EMV is not perfect, but it makes it harder. And oftentimes in security, harder is enough.
That’s a good way to end this. Thanks Professor Cappos.
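Editor's note: the toy below is an added example, not part of the interview and not the PolyPasswordHasher project's own code. It reconstructs the idea Cappos describes (salted, iterated hashing plus a scheme where an attacker holding the database must crack several passwords at once to confirm any of them) by XORing each account's salted hash with a Shamir share of a server secret. Assumptions are the 2^127-1 prime field, 128-bit shares, the PBKDF2 iteration count, the stored digest of the secret used to detect a failed recovery, and the constructed sample accounts; the real scheme has further features (such as partial verification for logins while the store is locked) that are omitted here.

```python
"""Toy threshold password store in the spirit of PolyPasswordHasher.

Each record holds (index, salt, share XOR H(salt, password)). With the
server's polynomial in memory a single login can be checked; with only the
on-disk database, `threshold` correct passwords are needed to recover the
secret, so no single guess can be confirmed. Simplified illustration only.
"""
import hashlib
import hmac
import os
import secrets

P = (1 << 127) - 1            # Mersenne prime field for Shamir sharing (assumption)
SHARE_BYTES = 16              # shares and password hashes are 128-bit values
PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune upward in production


def _hash(salt: bytes, password: str) -> bytes:
    """Salted, iterated password hash: PBKDF2-HMAC-SHA256, 16-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=SHARE_BYTES)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _interpolate(points, x: int) -> int:
    """Lagrange interpolation over GF(P); x=0 yields the shared secret."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def _secret_digest(secret: int) -> bytes:
    return hashlib.sha256(secret.to_bytes(SHARE_BYTES, "big")).digest()


class ThresholdPasswordStore:
    def __init__(self, threshold: int):
        self.threshold = threshold
        secret = secrets.randbelow(P)
        coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
        # `threshold` points fully define the polynomial; they live only in memory
        self._points = [(x, self._eval(coeffs, x)) for x in range(1, threshold + 1)]
        self._secret_digest = _secret_digest(secret)  # on disk: detects failed recovery
        self.records = {}                              # on disk: user -> (index, salt, protected)
        self._next_index = 1

    @staticmethod
    def _eval(coeffs, x: int) -> int:
        y = 0
        for c in reversed(coeffs):
            y = (y * x + c) % P
        return y

    def add_user(self, user: str, password: str) -> None:
        if self._points is None:
            raise RuntimeError("store is locked")
        idx, self._next_index = self._next_index, self._next_index + 1
        salt = os.urandom(16)
        share = _interpolate(self._points, idx).to_bytes(SHARE_BYTES, "big")
        self.records[user] = (idx, salt, _xor(share, _hash(salt, password)))

    def verify(self, user: str, password: str) -> bool:
        """Normal login check; needs the polynomial, i.e. an unlocked store."""
        if self._points is None:
            raise RuntimeError("store is locked: unlock with threshold logins first")
        idx, salt, protected = self.records[user]
        expected = _interpolate(self._points, idx).to_bytes(SHARE_BYTES, "big")
        return hmac.compare_digest(_xor(protected, _hash(salt, password)), expected)

    def lock(self) -> None:
        """Simulate a reboot: only the on-disk records and digest survive."""
        self._points = None

    def unlock(self, credentials) -> bool:
        """Recover the secret from `threshold` (user, password) pairs; any wrong
        password among them makes recovery fail, which is the attacker's problem too."""
        points, seen = [], set()
        for user, password in credentials:
            idx, salt, protected = self.records[user]
            if idx in seen:
                continue
            seen.add(idx)
            points.append((idx, int.from_bytes(_xor(protected, _hash(salt, password)), "big")))
        if len(points) < self.threshold:
            return False
        candidate = points[:self.threshold]
        if not hmac.compare_digest(_secret_digest(_interpolate(candidate, 0)), self._secret_digest):
            return False
        self._points = candidate
        return True


def demo():
    store = ThresholdPasswordStore(threshold=3)
    for user, pw in [("alice", "correct horse"), ("bob", "battery staple"),
                     ("carol", "hunter2"), ("dave", "letmein")]:  # constructed sample accounts
        store.add_user(user, pw)
    store.lock()
    one_wrong = store.unlock([("alice", "correct horse"), ("bob", "battery staple"), ("carol", "nope")])
    recovered = store.unlock([("alice", "correct horse"), ("bob", "battery staple"), ("carol", "hunter2")])
    return one_wrong, recovered, store.verify("dave", "letmein"), store.verify("dave", "wrong")


if __name__ == "__main__":
    print(demo())  # (False, True, True, False)
```

The point to notice is what the stolen database gives an attacker: the salted hash of each password is masked by a share, so a candidate password for one account cannot be checked against anything on disk. Only a set of `threshold` candidate passwords, interpolated together and compared with the stored digest, confirms or refutes a guess, which multiplies the cracking work by the cost of guessing the other accounts simultaneously.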