Published: 08 July 2015
By Kev Pearce
Another day, another breach, another reason why passwords are no longer fit for purpose. This time it was infamous surveillance technology company Hacking Team that was, ironically enough, the subject of a successful attack. If the reports are true, the incident could be hugely damaging for the firm, revealing internal emails, documents, customer invoices and even product source code.
It’s yet another example of why secure authentication cannot exist until users are separated from their passwords.
Details are still emerging about the incident, but here’s what we do know. A 400GB torrent file was posted online containing sensitive documents appearing to show the firm selling surveillance tech to repressive regimes, as well as agencies like the FBI and Australian Federal Police. Product source code was also exposed, as were sensitive internal emails. But the part of the story that may surprise many people is that security researcher Christian Pozzi supposedly had a Firefox password store exposed in the hack. The passwords are said to be of poor quality – easily guessable or crackable by cybercriminals.
Client passwords are also said to have been leaked – and were as poor quality as Pozzi’s. And it’s likely the attackers obtained the firm’s Twitter credentials, as they used the official Hacking Team account to post details of the attack and change the Milan-based company’s name to ‘Hacked Team.’
So where does that leave us? Well, if the reports are accurate, it means that security staff aren’t necessarily practising what they preach when it comes to authentication. The attackers may not have gained access to Hacking Team itself via these exposed credentials, but the use of such easy-to-guess passwords across a range of web and social accounts and internal systems, including routers, highlights the folly of many current access systems.
At Osirium we’ve been banging on for years about the need for a new approach to authentication. Privileged users in particular are at risk as hackers increasingly look for ways to break into corporate systems via accounts which will grant them access to the most sensitive data in the organisation. As we’ve seen again from this hack, your security and IT team is no exception when it comes to poor security practice.
A new way
That’s why Osirium invented its Privileged User Management platform. It’s technology which effectively separates the user from their password. We sit in the middle operating enterprise class password management – so there is no password for the user to remember and crucially none for the attacker to steal. Privileged Session Management complements the set-up by recording all privileged activity – boosting compliance efforts and acting as a deterrent against IT admin malpractice.
We also offer Task Automation and Delegation to speed up time-consuming tasks, and Privileged User Analytics for even greater account visibility, which will help minimise malicious behaviour.
Hacking Team faces weeks of bad publicity, possible lost business and has even been forced to advise customers to suspend use of its products. How many more incidents like this do we have to see before organisations take authentication seriously, and ditch out-of-date password systems?