Is it time for the death of the password?


Open Access Government speaks with Patrick McBride on how best to protect your data online and whether it’s time to go passwordless

Patrick McBride, the chief marketing officer for Beyond Identity, has almost 30 years of experience in cybersecurity.

I’ve been an engineer, the right code, I’ve been an industry analyst in the space. I’ve been a Chief Information Officer and a Chief Information Security Officer. And I’ve spent the last decade and a half working, launching smaller companies and growing them all in the cybersecurity space.

if you can look at the environment as an attacker would, it’s pretty helpful

So I’ve had some experience in a space called Identity Management, a space called Threat Intelligence, where you’re kind of figuring out what the bad guys are doing and how they’re doing it and letting customers know. Understanding that with a bit of fidelity so that they could better protect their networks. I’ve spent some time in industrial networks protecting plants and refineries from cyber attacks. And then more recently at Beyond Identity, we kind of sit as a company in between cybersecurity and Identity. Identity is actually highly related. If you don’t know it’s me, how do you let me into one of your systems?

Originally a lot of that was done more for HR purposes, to make sure you could get access to all the systems that you needed access to, et cetera. But now, the whole identity and establishing and understanding of who you are ends up being a really important piece of cybersecurity. So, it either reports into the CSO or the CISO who is very interested in making sure that the CIO and their team have a good identity management programme in place and that people only have access to the things that they’re supposed to have access to. Over time in a company, you migrate, you change jobs or you get promoted, this ensures that you still only continue to have the access for whatever job you’re doing at the moment.

Sounds like you’ve got a lot of really relevant experience in some really unique roles

Yeah, it’s funny. It’s nice that if you can look at this in my 30-year career, I figured out if you can look at the environment as an attacker would, it’s pretty helpful. Understanding where the holes are in our armour, so to speak, is a pretty useful thing because some holes are more important than others, right? But just understanding that and helping to explain that. So that’s actually why I met Beyond Identity. I know we’re going to talk about passwords and things like that, but that’s one of the big holes.


Is the government evading responsibility for public safety online?

I don’t think so. In fact, I would think the opposite. I’m going to give you a bit of a twisted answer here.

the attackers move at such a speed that the government gets caught up in its own bureaucracy and its old recommendations and it’s not even an aptitude

I think there are a lot of good people working really hard to do the right thing and they truly do want to protect systems, the government systems, they want to protect the consumer, they want to protect just business in commerce in general. I just think the attackers move at such a speed that the government gets caught up in its own bureaucracy and its old recommendations and it’s not even an aptitude. Again, I feel for them.

This environment changes if you think about it. I often coach younger people that are thinking about a career in cybersecurity and say it’s the gift that keeps on giving because the good guys keep on figuring out new and interesting things to do with technology, and at the same time, the bad guys figure out new and interesting ways to break into the old stuff and the new stuff. So it’s a bit of those two mashing together which makes it a particularly hard problem. What I would say is EMEA in general, in the UK in particular, has done a really good job.

You can’t have privacy unless you have good cybersecurity

For example, not a perfect job, but on privacy rights and making sure that you’re putting the kind of regulatory regime in place to guarantee a level of privacy that we don’t share here. We’ve done a poor job of it here in the US. On the other hand, I think if you flip it, I think of privacy and cybersecurity as a yin and yang, you can’t have privacy unless you have good cybersecurity, right?

If I can get in and steal your data, even if I’m one of the big companies and I just can’t use your data, if an attacker can get in and steal your data, then you’ve lost some level of privacy anyway. In the US we’ve done a pretty good job of advising companies on what they need to do from a cybersecurity perspective, I would say an imperfect job as well.

And I think in the UK, frankly, they’re a little bit behind the times. I believe there are still some commercials running, for example, talking about how to make the perfect secure password, for example, and that’s a unicorn. It doesn’t exist. There is no such thing as a secure password.

I don’t think they’re trying hard. I would say I think they just need to keep up. So it’s not that they don’t want to, it’s that I think some bureaucrats need to get a little bit of a kick in the butt; they need to think like an attacker. What are modern attackers doing to break in, stop there, figure out what that is and that’s where the recommendations that start from. Not something that was valid 8-10-12 years ago.

What is preventing the government from improving user security online?

I think they’re stuck in some old patterns. People need to be responsible for what attackers are doing today, not what they were doing ten years ago. I think that information hasn’t gotten over to the policymakers. So there are typically two distinct groups in different governments. They split them up differently. But there’s a set of folks that are looking at what’s going on, like right now, what kind of attacks are going on, what are the bad guys doing, making sure they get into someplace that we can get them out and kind of kick them out.

And then there’s a set of policies related to that, there’s a set of people that are, for example, in the government responsible for protecting government systems. And I think that’s a little bit closer linkage. The problem is it gets over to the policymakers and then it gets over to the, in some cases the bureaucrats, the members of parliament or others, and folks underneath them that are helping make the rules or push things. And it doesn’t make it over or makes it over so slowly the attackers don’t wait.

As soon as they find a new way to do something, they’re going to do it

As soon as they find a new way to do something, they’re going to do it. And if it’s working, they’re going to keep going. They’re not going to wait for the government regulations to catch up. And so I think it’s that gap between what’s actually happening on the ground and what the policymakers are doing. To some extent, there’s always going to be a gap, even in a perfect situation, writing a good set of regulatory requirements and then ginning up a programme to inform people of what those are and what precautions they need to take. It is just a time-consuming process. So regulations will never keep up with the hackers, but they can’t be ten years old either. So the gap is there because I don’t think the information from what’s going on on the ground is getting in quickly enough into what the policymakers are doing. So that means one of the things that has to happen is the guys that are watching what’s going on on the ground have to share that threat intelligence better with the companies that are trying to protect their systems or trying to protect the consumers.

In a lot of ways, I’m trying to protect my internal systems where I’m keeping a lot of consumer data, or I’m trying to protect the applications that consumers are using so I don’t get an account takeover, that sort of thing.

Is it time for the death of the password?

In a ten-year time frame? You probably have a couple of really bad laggards where you just didn’t get it in a 20-year time frame. I think we’ll roll over all the systems. I think a large majority of companies are going to go passwordless within the next three to five years.

Now, if you take all the thousands of systems that are out there, is everyone going to go? No, but we’re finally on that path. Bill Gates presented a presentation at one of the biggest cybersecurity conferences called RSA in 2004 where he proclaimed the death of the password all the way back then, and yet here we are.

But a lot of things have come together. There’s a lot of momentum behind it, and that’s removing passwords out of systems that a workforce uses, like the internal systems that a government would use or a company would use, or even a non-profit organisation would use, the ones that their employees log into. I think that will move faster. In some ways, the consumer space is going passwordless relatively rapidly in some areas, but in others, it’s kind of what I would call fake passwordless.

You got to be careful. For somebody who removes, and I’ll dissect this a bit: I can remove the password from the view of the end user to make it more convenient. I’ll give you a good example. I can log in using my camera on my phone and then some of the applications, like there’s a banking application that I use, will then – underneath the covers – grab my password and log me into my banking app. I haven’t removed the password. I’ve made it more convenient for me. I could use my face and then it sends my password over. But I haven’t removed the risk of the password. How do I know that? I can go to the web browser on my MacBook Air and type in www.mybank.com and I get a user ID and a password, so it can still be stolen. It still can be used to break into my account. So that’s not going passwordless, and you need to make a distinction there between actually removing the password as part of the authentication process and actually kind of just hiding it from the user for convenience. And so where I think you’ve got some people that are hiding it for convenience.

But you also have a push very recently – both Apple and Google noted that they were going to passkeys. They’re going to support that; you already started this using something called the FIDO standard. It’s a standard that allows them to securely remove a password and replace it with a strong cryptographic kind of connection. By the way, we use this stuff every day. We all log on to our bank from our web browser and we see a little lock in our browser come up. That lock in the browser makes it clear that I’m talking to the appropriate server and then I’ve got a secure private connection that I could talk with. The problem was getting into that application is kind of the last mile and I still use it today. I still typically use a password for that and in some cases, for some applications, I get a multi-factor authentication challenge. We’ll get to that in a minute. So the first step is really eliminating the password, not giving me a one-time password like a magic link or something that I click on because that’s just as bad as a password.

It’s another shared secret that gets passed over the network. It’s actually removing a password from the authentication flow and making sure that I’m using a much stronger way to do that. Typically something like public-private key cryptography, which again it’s used every day. We use that to have a private web conversation. Once I’ve logged onto an app securely and I’ve got that secure connection, I can type in my Social Security number or my ID number or whatever, or my other personal information if it’s like a healthcare application or something without worrying about somebody sniffing that information off of the network. We’ve been using that kind of technology for some time, we just haven’t used it to replace the password. I think that’s what’s going to happen fairly rapidly now.

Who is responsible for ensuring password security?

It really has to be a combined effort. I mean, governments have to get better, as I stated, about letting companies know what kind of attacks are bad guys using now? And I’ll give you a specific example of that. The reason they tell us to use these strong passwords, a passphrase or something that’s long and uses uppercase and some other things, like an exclamation point or any other special character like that, so that I’m not putting password one, two, three, or my kid’s name or whatever, things that people could easily figure out. What the bad guys used to do is they would steal a password database, or they would get an encrypted password, and then they would unencrypt it. And if you make it really long and with all these special characters, it’s much harder to run an attack against that. But that’s not how the bad guys are getting passwords these days. They steal them when they’re in the clear, when they’re unencrypted. Either they have some malware that’s running on the device that you’re logging in from, and I go to type my password in it, and they’ll grab it there and send it back to the bad guy, or you get what’s called a man-in-the-middle attack.

They’ll send me to a fake site. Hey, you need to reset your password, Patrick, and it looks like it’s this exact site coming from my bank site. Type in my username. I type in my old password. They told me to type in a new password. I type in a new password. It really doesn’t do anything with that. It’s just stealing the password and sending it back. And there are criminals that just do that. They’ll run those attacks all day, and then they sell access, computer access, for example. So that’s a lot of the way that ransomware happens. So one criminal group will buy access to somebody’s system. They’ll buy the passwords, the user ID and the passwords for those systems that got phished earlier, stolen in an earlier attack, and then launch the ransomware attack. Or they’ll do the same thing and launch an account takeover. Well, they’ll take over my bank account and then be able to move money, that sort of thing, or steal my points if I’m an airline, that sort of thing. So it used to be that, as an attacker, I might have to run some cracking technology to get to my password, to steal passwords.

Now I just buy them. I buy them from another guy and use them to log on. So that’s one of those examples where government has got to stop saying just pick a longer, stronger password. They’ve got to start pointing out regulations that are actually going to protect the consumer from the modern attacks. And the modern attack is somebody buys a password and just buys a set of passwords and just uses it to log in. Attackers don’t necessarily have to break in to accounts anymore. Very often they’re just logging in, like you or I would so what was supposed to help? That was MFA, right? I typed in my user ID and my password. And since my password is so weak, well now I can just get a code onto my phone and then I type in the code. Well a lot of those same techniques that were used to steal the password, this man in the middle attack kind of thing can now be used to steal the code that I put in. So now I’ve got two weak factors. I’ve got a password that’s totally compromised and now I’ve got a second factor, effectively another password that I’m typing in or passphrase or a number combination and that can be stolen too in many of the same ways and this man in the middle of that.

So I’ve got a totally compromised credential followed by a credential that is my second factor. That’s merely a speed bump these days. And now I’m breaking it. In fact, Microsoft came out, I think it was last week, and I called you. There was some stuff in our channel about the whole report. I used to have to fight this. I don’t anymore. Microsoft was talking about like 10,000 attacks where criminals were stealing the MFA code. So they already had the password. Now they’re stealing the MFA code and just logging into the system. So now what really has to happen, like the state of the art, is passwordless that uses crypto that you can’t steal, cryptographic links, but you have to have multiple factors and all of them have to be unphishable. And in fact that’s what the US government came out and said in January. They told the government, our government, that in the next two years it has to replace the authentication method that they’re using with “passwordless, phishing-resistant” – I’m using air quotes or real quotes because that’s exactly the phrase they want to use – passwordless and phishing-resistant MFA.

So that’s kind of the state of the art now. So rather than spending time producing commercials telling consumers to build a longer, stronger password that doesn’t have any effect, do you think malware running on a machine or a man-in-the-middle attack cares? It’s not like they weigh the password and say, oh this one’s only four or five characters, I’ll send it back to the bad guy; this one’s 15 characters and it’s got some special characters in it, I’m not going to touch that. Of course not. It’s just going to send it back to the bad guy. So they’re not having to crack the passwords. They’re just phishing them out and sending them off to the bad guys to reuse. So you can’t make a secure password. It doesn’t exist.
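The two flows contrasted in this answer and in the earlier passkey answer, modelled in Go as an added example (not code from the interview or from Beyond Identity): a password or MFA code is a shared secret, so a value relayed through a man-in-the-middle page is accepted exactly like the real one, while a FIDO-style assertion is a signature over a fresh server challenge bound to the origin the browser is actually on, so the relayed assertion fails. The origins, the in-memory key store and the sample password are constructed for the model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// SharedSecretPhished models a password, one-time code or magic link relayed by a
// man-in-the-middle page: the server can only compare what it receives with what
// it stored, so the relayed value is accepted exactly like one typed at the real site.
func SharedSecretPhished() bool {
	stored := "Tr0ub4dor&3-long-with-specials!" // constructed sample; length is irrelevant
	presented := stored                         // the victim typed it into the fake page
	return stored == presented
}

// Authenticator models a FIDO-style key store: one key pair per origin, and every
// assertion covers the origin the browser is actually connected to.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// Register creates a key pair for one origin and returns the public key the server keeps.
func (a *Authenticator) Register(origin string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[origin] = priv
	return pub
}

// Sign answers a challenge for the origin the client sees; no key for it, no assertion.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), true
}

// signedData binds the challenge to the origin, so a signature produced on one
// site can never verify on another.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator: origin and challenge cannot be re-split
	h.Write(challenge)
	return h.Sum(nil)
}

// newChallenge is the server's fresh random nonce, so a captured assertion cannot be replayed.
func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// verifyAssertion is the real server's check: its own origin, its stored public key.
func verifyAssertion(pub ed25519.PublicKey, serverOrigin string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(serverOrigin, challenge), sig)
}

// PasskeyFlows returns (legitimate login accepted, relayed phishing login accepted).
// The origins are constructed for the model, not real hosts.
func PasskeyFlows() (legit, phished bool) {
	const bankOrigin, phishOrigin = "https://mybank.example", "https://mybank-login.example"
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	bankPub := auth.Register(bankOrigin)
	// Legitimate: the browser is on the bank's origin and signs the bank's challenge.
	c1 := newChallenge()
	sig1, _ := auth.Sign(bankOrigin, c1)
	legit = verifyAssertion(bankPub, bankOrigin, c1, sig1)
	// Phishing: the proxy forwards the bank's real challenge, but the browser is on the
	// phishing origin; even a key the victim enrolled there signs for that origin only.
	c2 := newChallenge()
	auth.Register(phishOrigin)
	sig2, ok := auth.Sign(phishOrigin, c2)
	phished = ok && verifyAssertion(bankPub, bankOrigin, c2, sig2)
	return legit, phished
}
```

The same origin binding is what makes the bank's check fail for a relayed MFA code replacement: the server verifies against its own origin and the key it registered, not against whatever the victim's browser produced elsewhere.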

Could you compare US and UK strategies?

I think in stark contrast to our privacy regulations, the US is actually being pretty aggressive now with the regulations. Right now, the regulations only specifically apply to government organisations or the businesses that are directly supporting those. So there’s always a set of contractors and consultants that are working with government organisations running some of those systems. They’re both beholden to use this passwordless, unphishable MFA, and they’ve got to do it quickly. They told them in January that they need to make this change within two years. I don’t know enough about the UK government, obviously; I watch some of it and try to keep up with the regulatory regime there. But in no way does our government barely roll over in bed in two years. So that’s the fastest or the shortest time I’ve ever seen in 20 years of watching our government. So they’re worried about it. They’re very worried about it. And contrast that to kind of the recommendations still coming out of the UK government to consumers. They’re focusing a lot of their attention on consumers. They really ought to be focusing their attention on not only their government systems, but the folks who are building applications that consumers use, educating them that there is a way to make those applications much safer than you make them today.

They should dig into that and make that known, at least make it known and educational. But if you continue to take privacy, if the UK government and the rest of them, the rest of Europe, the whole of Europe take privacy seriously, and they do. I mean, they’re way ahead of the US on this. Then you have to solve the security issue because if you don’t, you can’t have privacy anymore. Because if I’m a bad guy, I can log in and steal all your private data. Does it matter that you’ve got good regulations that keep Facebook from selling some of it, or Google or others? That’s what they’ve done. Well, I would contrast that the GDPR and other things, as much maligned as GDPR is sometimes, and it’s certainly not perfect, it’s way ahead of other parts of the world and certainly of the US. However, you’ve got to marry that with strong authentication or you’re not going to have the intended impact. Private information is going to still get out in massive breaches.

What is the role of the dark web in password security?

The dark web for a long time is where the bad guys sell their wares. So they do a couple of things. It used to be that they would sell the kits that they used to pull off these attacks on the dark web. You can get a kit as an attacker. I don’t have to be super sophisticated anymore. We’re not talking like Russia or China level state actors. We’re talking about garden variety, financially motivated attackers. I used to have to go to the dark web to buy my toolkits to log in and steal credentials. But now very often those things get marketed, like straight up on Facebook, but then it’s a dark web connection where the actual transaction between the buyer and seller, like two bad guys, takes place. But in some cases it’s open.

You’ll see people marketing breached passwords on the dark web. They’ll sell you hundreds or thousands of usernames and passwords or a database full of previously breached passwords that you can then put into your malware kit to try to do what they call a brute force attack. Typically the dark web was where I either buy the toolkits that I use to pull off these attacks or buy passwords. That’s kind of the fuel that these things run off of.

But now you’d be shocked at how many places, like in Facebook and Instagram and those places where bad guys are marketing both sets of those things kind of out in the public again, they may do the transaction on the dark web or do the exchange there, but they’re openly marketed in the visible web.

What advice would you give consumers to improve their passwords?

The single best piece of advice that a consumer can actually use on something is to use a different password for every site. So if it’s stolen on one site, it can’t be just pushed, automatically pushed in. Having said that, that won’t solve the problem, right? Because I can still send you to a phishing site. I’m your bank, or I’m not your bank, I’m a bad guy, I’m mimicking your bank. I tell you you need to do a password reset, for example, and I give you an email that looks like it actually came from the bank. When you go to the site, it looks like it came from the bank. The URL looks just like your bank and it’s probably got some one little character that’s changed and it’s really hard to recognise. And then you type in your username and password. So just because you’ve got a unique password for your bank doesn’t mean that I can’t steal it and then reuse it. Having said that, since they’re buying a lot of these passwords on the underground or above ground on the dark web and other places, one of the things that they’ll do is these password spraying campaigns.

Use a different password for every site

Like they’ll take your bank password if they stole that and try it in 100 other different sites with your same username, your email or the front part of your email, and then try it with a bunch of different passwords. So a unique password on every different site can help. It just doesn’t solve the problem. But then you’ve got the other problem. How many websites do you have to log on to? Personally, I use upwards of 100. So I’ve got over 100 accounts. There is no chance in the world that I’m going to remember a unique password. So what then do you do? Well, I could use a password safe, right? That’s a place where I could have a tool. And by the way, I do use it now because of some of the sites that I go to, I can’t help. I can only use a password anyway. We haven’t solved the world’s problems. Now we’re on our path. But I use a password safe. But guess what? I put all my passwords in one little database that’s protected by, you guessed it, how do I log into my password safe? Using a password. So I log into my password safe using a password and at least I have a unique set of other passwords.

But if somebody gets the password to my password safe now, I’m really screwed. So that’s not a very secure way to do it. So at the end of the day, you can’t protect the password. It’s a totally compromised thing. The best advice I can do is to the extent you can use a different one on each site, or at least use a different one on. Every site that’s got important information like your bank account, it’s tied to money. It’s tied to your credit card. It’s tied to those kinds of things. At least the ones that if somebody bad guy gets in and takes over that account that they can do some harm with it.

What is the most important thing that individuals can do to protect themselves online?

The overriding thing is even that recommendation I gave you doesn’t solve the problem. It makes it incrementally better. MFA can make it incrementally better, but it’s so inconvenient. Vendors like us have to solve two real problems. They have to replace a password with something that’s foundationally strong. And again, we know how to do that. There’s a capability. Like I said, log in to any site that you do and click that little lock that comes up in your browser. That’s a technology called TLS, transport layer security. And make sure that if it’s working, you’ve got a private conversation going back and forth between you and your bank. Now your bank doesn’t know necessarily, because somebody could have stolen your password and now they’ve got a secure connection. But at least that secure connection is there. And it uses public-private key cryptography. So unphishable passwords or phishing-resistant passwords are going to use some sort of a public-private key technology. Now what you wouldn’t want to say is just use a unique password on all your sites and everything’s hunky dory. It’s not; that improves the situation, but only incrementally. And you could say, well then you just have to use MFA.

It’s got to be foundationally secure and it’s got to be easy to use

When I said we have to solve two problems, we have to solve. It’s got to be foundationally secure and it’s got to be easy to use. Most of the world doesn’t turn MFA onto their applications because it’s inconvenient. But I’ve got to go. Every time I log into my bank, usually the financial services will force me to do it. So those guys have done that even though the stuff that they’re using is still just a speed bump. At least it’s a speed bump. But in many applications, a retail application, I’m going to buy shoes.com. Am I going to really turn my multi-factor authentication, my credit card information is in there, but am I really going to turn MFA on and I got to pick up my phone and do another code? I’m going to buy a pizza. That way. I’m just not and so the world is made really insecure MFA. So we’ve got to fix that. It’s got to be both secure and not annoying to use.
