Security Fridays: Week Two
Michael Urgero, 31/01/2020, Industry News
The Blur Password Manager Breaches 2.4 Million Accounts
Sometimes information security breaches expose the irony of things and even more, the ignorance of engineering teams.
Here’s our case: on December 13th, 2018 a security researcher notified Abine, Inc., the company behind the Blur Password Manager and the DeleteMe online protection service, that it had a server exposed to the internet, and that this server contained a file which exposed an enormous number of usernames, passwords and other details.
Blur took it seriously and an internal audit took place. The audit determined that users who registered prior to January 2018 very likely had their private information exposed to the public internet for years. The data included usernames, email addresses, first and last names, IP addresses, password hints and encrypted passwords. The total number of users exposed was 2.4 million.
There are several things to unpack here. In this rare case, the passwords exposed were in fact encrypted. In a statement from the organization, the passwords are encrypted using bcrypt with a unique salt for every user account. Well, thank goodness.
However, as we continue to review this case, we identify several other key points of discussion:
Although they encrypted the passwords, they should never have stated to the general public what method was used to perform this function. The first step in securing your stuff is not sharing the methods by which you secure the place.
Even though the passwords were not directly exposed, the password hints, IP addresses, usernames and the actual names of members were. This is really (really) helpful to a skilled attacker, who can use this information to gather additional details about the member. Simply put, they’ll scan the user list for higher-value targets and work on those first. So, considering everything the attackers will know about you, hopefully you’ve not used something like “Jacob’s Birthday” as your password hint.
Now, all that being said, there are clearly some issues with the way Abine, Inc. manages valuable customer data on its network, and guess what: they’re not the only ones. We’ve heard of so many breaches in the last 24 months that we’ve become numb to the news. And, frankly, most of us couldn’t care less until it’s our own account that gets hacked. If Abine, Inc. had simply implemented proper security measures, performed regular security audits and applied multi-factor authentication to user accounts from the beginning, at sign-up, none of this would have happened and the whole thing could have been avoided.
These days, more and more of what we do in a day requires us to have an account online somewhere; we are constantly signing up for services. Many of us have far more accounts than we realize: GrubHub, Uber, Facebook, Twitter, Bank of America, Instagram and many others, just to name a few. We regularly put complete faith in the companies we sign up with.
There is also the human factor. Because we sign up for so many of these services, a lot of people create a single, complicated password like P@%5w04D225!! and use it for multiple services to avoid having to remember and enter different ones all the time. So, your Facebook password is probably also your Twitter password, and probably your online banking password too, and so on. Using a password tool sounds nice, but you should consider what’s going to happen when it gets breached.
The moral of the story here is that we are more dependent than ever on online service providers, and we are completely dependent on how they manage their companies and data. Yes, sure, there are rules and regulatory protections around it, but that’s not helpful when Twitter is breached and that’s the same password you used on Amazon.
The new rule: use Two-Factor Authentication. Go through your accounts and decide which ones are valuable, then secure them with 2FA. Obviously, doing all of them is a burden, so start with the most valuable ones and go from there.
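For readers who want to see what “turn on 2FA” means on the service side, here is an added example (not code from the article, Abine or Blur) of the standard time-based one-time password scheme that authenticator apps implement, RFC 6238 TOTP on top of RFC 4226 HOTP. The secret is the ASCII seed from the RFCs’ published test vectors, used only so the codes can be checked; a real service generates a random secret per user. The drift window, the replay counter and the function names are this example’s own choices.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the ASCII seed "12345678901234567890" from the RFC 4226/6238
# test vectors, chosen so the codes this produces can be checked against the RFCs.
# A real service draws a random secret per user (e.g. secrets.token_bytes(20)) and
# shows it once, usually as a QR code.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second window."""
    return hotp(secret, int(unix_time) // TIME_STEP, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int, window: int = 1):
    """Server-side check of a code the user typed in.

    Returns (accepted, new_last_used_counter). Accepts the current window plus
    `window` neighbours on each side (authenticator clock drift), refuses any
    counter at or below the last one already accepted (so a code that was seen
    once cannot be replayed), and compares in constant time.
    """
    current = int(unix_time) // TIME_STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        expected = hotp(secret, counter).encode("ascii")
        if hmac.compare_digest(expected, submitted.encode("utf-8")):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    accepted, _ = verify_totp(DEMO_SECRET, code, now, last_used_counter=-1)
    print("current code:", code, "accepted:", accepted)
```

The persisted `last_used_counter` is what stops a code that was shoulder-surfed or phished from being submitted a second time within its window; the same counter is also the natural place to rate-limit guesses.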
There is also the matter of password hints. Many times, online services provide a method for you to reset your password if you’ve forgotten it or if the account is locked out. Be careful here. You should never use the real answers to these questions. For example, if you are asked for your “Mother’s maiden name?” you are not obligated to answer it correctly; you just need to make sure you remember your answer and repeat it the next time. So, you could use an answer like “The Hunt for Red October”. It’s completely arbitrary and will prevent someone else (especially someone who knows you well, like an ex) from being able to guess these answers.
And, while we’re on the subject, many of these services will send password reset links to email addresses. You should be aware that email is not considered a secure form of communication, so if you are going to reset a password and receive an email with the link, use it right away. Do not delay, just in the unlikely case that your email was intercepted by someone else.
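Two points above deserve a concrete illustration: the statement that Blur’s passwords were stored with bcrypt and a unique salt per account, and the advice to treat security-question answers as secrets. The following added example (not code from the article or from Abine) shows what per-user salted, slow hashing buys and applies the same storage to recovery answers. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so that it runs anywhere; the record format, iteration count and function names are this example’s own assumptions, and a production service would use bcrypt or Argon2 through a maintained library.

```python
import hashlib
import hmac
import os
import unicodedata

# Demo cost parameter (assumption). The article names bcrypt; this stand-in uses
# PBKDF2-HMAC-SHA256 from the standard library so it runs anywhere. Production code
# should use bcrypt or Argon2 via a maintained library, with a cost tuned to the hardware.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_secret(secret: str, salt=None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt is drawn per call, so two users with the same password (or the
    same user setting the same password twice) get different records: a leaked table
    cannot be attacked with one precomputed list for all accounts at once.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the salt and cost taken from the record; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def normalize_answer(answer: str) -> str:
    """Security-question answers are free text the user must re-type months later, so
    fold case, Unicode form and whitespace before hashing. Nothing about the answer
    itself is stored: an arbitrary answer such as a film title is as good as a real one."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str) -> str:
    return hash_secret(normalize_answer(answer))


def verify_answer(answer: str, stored: str) -> bool:
    return verify_secret(normalize_answer(answer), stored)


def unique_salt_demo(password: str) -> bool:
    """Two records for the same password differ byte-for-byte, yet both verify."""
    first, second = hash_secret(password), hash_secret(password)
    return first != second and verify_secret(password, first) and verify_secret(password, second)


if __name__ == "__main__":
    record = hash_answer("The Hunt for Red October")
    print(record)
    print("re-typed answer verifies:", verify_answer("the hunt for red october", record))
    print("salts are unique:", unique_salt_demo("P@%5w04D225!!"))
```

Storing the cost and salt inside the record is what lets a service raise the cost later and re-hash accounts transparently at their next login, instead of keeping a single global parameter that can never change.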
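The reason “use the link right away” is good advice is that a well-built reset link is short-lived and single-use, so an intercepted copy is worthless once the legitimate user has clicked it or the timer has run out. The following added example (not code from the article or from Abine) shows the service-side half of that: issuing a random token, storing only its hash, expiring it, and consuming it on first use. The in-memory store, the 15-minute lifetime and the names are this example’s own assumptions.

```python
import hashlib
import secrets
import time

# Demo lifetime of a reset link (assumption, not a value from the article or from Abine).
RESET_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Stands in for a database table of pending reset links (constructed for this example).

    Only a SHA-256 of each token is stored. The raw token exists in the e-mail and nowhere
    else, so a copy of this table (the kind of file that leaked in the Blur case) cannot be
    turned into working links. Every token expires and is consumed on first use.
    """

    def __init__(self):
        self._records = {}  # sha256(token) -> {"user": ..., "expires_at": ..., "used": ...}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, now=None) -> str:
        """Create a fresh token for user_id, invalidating any earlier unused ones for that
        user, and return the raw token that goes into the e-mail link."""
        now = time.time() if now is None else now
        for rec in self._records.values():
            if rec["user"] == user_id:
                rec["used"] = True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; unguessable
        self._records[self._key(token)] = {
            "user": user_id,
            "expires_at": now + RESET_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token: str, now=None):
        """Return the user_id if the token is known, unexpired and unused, and consume it.
        Return None otherwise, without revealing which check failed."""
        now = time.time() if now is None else now
        rec = self._records.get(self._key(token))
        if rec is None or rec["used"] or now > rec["expires_at"]:
            return None
        rec["used"] = True
        return rec["user"]


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice")
    print("first use:", store.redeem(link_token))    # "alice"
    print("second use:", store.redeem(link_token))   # None: already consumed
```

Re-issuing a token for the same user also retires the older ones, so a user who requests a reset twice does not leave a second valid link sitting in their inbox.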
Regardless of all the precautions, Two-Factor Authentication trumps them all. An attacker will simply move on to a softer target.
So, in closing: go to your important accounts and turn on Two-Factor Authentication.
Read the article that was analysed here: https://www.zdnet.com/article/data-of-2-4-million-blur-password-manager-users-left-exposed-online/