AP Twitter Hack Shows It's Time for the Post-Password Era
We may not have needed more evidence that password-based security is as vulnerable today as it ever was.
But we got it anyway when a bogus tweet was posted from a hacked Associated Press Twitter account. According to the tweet, there had been explosions at the White House and President Barack Obama was injured. The markets sent the markets into panic mode and a 143-point free-fall in the Dow Jones Industrial Average resulted. (The report was false of course, and corrected by the AP within minutes).
(Read More: The Trading Robots Really Are Reading Twitter )
The apparent culprit —"Syrian Electronic Army" (that's who took responsibility)—went spear-phishing and hooked a big one. They targeted specific AP employees who hold sensitive data—Twitter passwords, for example—and sent legit-looking emails from trusted parties, even touting a competitor's news story as bait. One click on the innocuous-looking link within and the world's oldest and largest news organization was hacked—simple as that.
(Read More: Twitter Trading: 8 Tweets That Moved Markets )
We'd all like to think we'd be vigilant enough not to click such a bogus link and touch off such a calamity. But the temptations are cleverly produced and such incursions have created chaos at the BBC, NPR, "60 Minutes," Washington Post, Wall Street Journal, and Reuters as well as the AP, and those are just the news organizations we know about. All of the organizations are staffed by smart and savvy, cautious people and all have been embarrassed by reliance on the security workhorse of our day—passwords.
If you're an IT professional, chances are you are not surprised. You have probably known for some time and maybe even lost some sleep over the realization that password systems are badly flawed.
A new McAfee global survey recently published finds 55 percent of senior level security professionals think username / password combinations have grown so insecure, they're no longer appropriate for managing access to critical enterprise data. Only 11 percent still maintain full faith in passwords. And 83 percent fear their organizations are at risk for a severe security breach.
Another McAfee survey this year found on average, Americans have 10 password-protected Internet accounts, but use only five unique passwords to protect them. A fifth of all Americans have a whopping 20 password-hungry online accounts.
When there's too much to remember we do what's natural. We reuse passwords, or employ easily guessed words. When system protocol demands we invent something tougher (with numbers, #@!-type characters, or both: $Wombat394#*, anyone?) we write them on Post-its and stick them to our screen. Or we forget, and waste time resetting again and again—the McAfee survey found a quarter of Americans have been through the password reset shuffle at least three times in the last three months.
This behavior matters at the enterprise level because so many workers connect their personal devices to the company data cloud, and other cloud resources that IT sometimes doesn't know about. Each off-the-reservation device, and each cloud connection, presents a hacking opportunity. Get speared by a spear-phisher, of course, and all the precautions and $&@!-inclusive passwords are for pointless anyway.
Twitter doesn't offer "two-factor authentication"—where users must bring a second form of ID—although reports since the AP hack suggest they are considering it. Other technology names like Apple and Google have already taken the plunge. With the increasingly indispensable role Twitter plays in data dissemination—Wall Street money movers check Twitter constantly for market news as they trade—it may finally be time.
At the enterprise IT level, however, the pros in our survey think replacing everything with multi-factor authentication would take too much time and money without proving sufficiently bulletproof. They say the unwieldy password systems they've got already consume too much bandwidth.
But solutions are on the way that will make a better mousetrap: automated, improved, and simplified access controls that raise the game.
Some security solutions include technology that facilitates centralized authentication and tools that monitor and audit user activity. There are also SSO (single sign-on) solutions for cloud access, ending the often-seen requirement of separate, discrete passwords for separate, discrete applications—which can drive frazzled users to too-convenient workarounds. And biometric authentication has improved dramatically and is near ready for prime time. It can offer a genuine paradigm change—one that can leave the spear-phishers with empty nets.
Passwords have had a good, long run. They date from the dawn of consumer computing. But today the landscape is different and the cost of breaches potentially terrible. A next-generation approach to data security is overdue. It will be welcome news.
Just ask the Associated Press.
—Pat Calhoun is a digital security expert and Silicon Valley veteran who is responsible for the strategic direction of McAfee's network security business unit. He can be followed on twitter at @calhoun_pat.