I thought this was an interesting story: “Webmail gets hacked, corporate passwords exposed”, and one that ought to be read by executives in many companies – the folks who can actually change behavior that could otherwise jeopardize corporate security. But it’s also a story that is highly relevant to consumers because they – “we” – do the same thing!
I’m sure we’ve all seen stories of similar attacks over the past few years, and there have been numerous warnings about the importance of the hotmail/gmail/webmail password vulnerability. I recall an incident a couple of years ago when significant amounts of corporate information from Twitter was accessed by a hacker who found an initial entry-point via an employee’s gmail and hotmail account (for a detailed background on this attack see: Anatomy of the Twitter Attack).
The vulnerability is really a weakness in practice, governed by human behaviour. As we all know, it’s pretty common for consumer-facing websites to use an individual’s email address as the user ID for their account. And online behaviour being what it is, many people use the same password across multiple sites – and often that reuse starts with the password on their email account. Let’s face it, if “Jude Law” or “Meg Ryan” is doing the job of my email password, chances are the same name is also doing the job for my iTunes account, my Audible account and possibly even my bank account! And online application providers compound the risk in this behaviour by using relatively weak password reset procedures that rely on the user’s email account.
So with my email address serving as my user ID, and it being fairly apparent that Meg Ryan is on my “top ten list”, you might say, if someone gets access to one account there’s a pretty good chance they’re going to get access to all of them!
But this is the kicker for companies: a couple of years ago we talked about phishing, spear-phishing, and man-in-the-middle as if they were threats aimed primarily at online consumers. That’s no longer the case. As we’ve seen from recent attacks (RSA, Barracuda, Amazon…) there’s no longer a distinction between the type of attacks targeted at consumers and those targeted at corporate networks. And this is compounded because most of us who work in the “corporate world” (yes, I felt the urge to put that in quotation marks ‘cause the term kinda makes me cringe) are also online consumers – and our behaviour in this space carries over to our corporate identity.
There was risk in this even when companies hosted their applications on their own networks. But today, companies are increasingly moving corporate applications into the cloud. And it is here that things begin to get really sticky.
You see, in the case of Ms C-level executive in the referenced story, her Yahoo email account was compromised – the same account that she had a habit of using as the “reset” email account for various online applications in the event she forgot her password – including some corporate Software-as-a-Service (SaaS) applications. And to compound her error, she used a common password across many of these applications.
My friend and colleague, Mike Byrnes, made reference in one of his recent posts – his second and last post, I think – to the need for a secure Internet ID (see: Pay for a secure Internet ID…). I think this is an interesting thought. But I genuinely don’t know how this would play out given the practice of many individuals of sharing their identity across business and consumer accounts – an identity that they choose to protect in the same way everywhere – and one that is exposed to the weak password reset policies of many online application providers.
So as long as we, and those providing services online, are taking the easy way out to protect our online identity, it strikes me that there needs to be some separation of “church and state”, if you will – business identity kept apart from consumer identity – to limit the damage when one of them is compromised. If I were a corporate executive, I’d be insisting on it!