Written as editor of the New Statesman’s NS Tech and first published here.
We’ve seen millions of passwords compromised across huge sites like LinkedIn, Myspace and Tumblr in the last few months. And just this weekend, the London Stock Exchange was hijacked by Anonymous as part of its campaign against large corporations.
Now, in what should raise a loud alarm for people everywhere, the CEO of a company that manages the private lives of more than 1 billion people, Mark Zuckerberg, has apparently fallen victim to hackers.
According to the BBC, the trail likely leads back to the 2012 LinkedIn hack, which continues to resurface every time the hackers are able to decode another lot of passwords.
The first 13 million sets of details leaked came from users who, helpfully to both themselves and the hackers, had used the platform’s name to help them remember their password, so they were the easiest targets.
But, using what the trade calls a ‘reverse trapdoor’ or ‘rainbow table’, hackers can just sit back and let a precomputed lookup do the work of testing every possible password combination for them. With enough time and computing power, it looks like they’ve been able to crack Zuck’s password, which it appears he was using across Twitter and Pinterest too.
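To make the precomputation point concrete, here is an added example (not from the article, and using a constructed five-word list rather than any real leak) showing why a bare, unsalted hash per user can be reversed with a table built once in advance, and why a per-user random salt plus a slow key-derivation function removes that shortcut. A plain hash-to-word dictionary stands in for the rainbow table's chained time-memory trade-off; the principle is the same.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a leaked-password corpus; not real data.
WORDLIST = ["linkedin", "linkedin1", "password", "letmein", "qwerty123"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one bare SHA-1 per user, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> word once; the table works against ANY unsalted dump."""
    return {unsalted_sha1(w): w for w in words}


def lookup(table, stored_hash):
    """Reversing an unsalted hash becomes a dictionary lookup, no per-hash work."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Defender side: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password: str):
    salt = os.urandom(16)  # fresh salt per user, stored alongside the digest
    return salt, salted_hash(password, salt)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(salted_hash(password, salt), digest)


def demo():
    table = build_lookup_table(WORDLIST)
    # Two users picked the same weak password under the unsalted scheme.
    leaked = [unsalted_sha1("linkedin1"), unsalted_sha1("linkedin1")]
    # Same salt-less hash twice: reuse is visible and both fall to one lookup.
    recovered = [lookup(table, h) for h in leaked]
    salt_a, dig_a = store_password("linkedin1")
    salt_b, dig_b = store_password("linkedin1")
    # Salted digests differ per user and match nothing precomputed from bare hashes.
    return {
        "recovered": recovered,
        "identical_unsalted": leaked[0] == leaked[1],
        "identical_salted": dig_a == dig_b,
        "table_hit": lookup(table, dig_a.hex()),
        "verify_ok": verify_password("linkedin1", salt_a, dig_a),
    }
```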
“Password sharing is a huge faux pas and a recipe for disaster,” David Shearer, CEO of cyber skills certifier ISC2 tells NS Tech, with a knowing smile.
“Come on, there are password vaults out there! It’s getting increasingly difficult to fight the questions after someone, who appears to be you, has been doing things on your account.”
Those questions must be a million times harder to answer if you’re… Mark Zuckerberg.
Too little, too late from tech cos
This series of hacks is prompting companies across the world to update their security systems.
But changes like those being made by Microsoft, where it updates its list of banned passwords after cross-referencing with the latest haul posted online, or even biometrics like those being trialled at Google, are criticised by the crypto community.
“The main reason Microsoft is getting you to create a ‘really strong password’, is to protect them,” explains Brian Spector, CEO of London-based cryptography startup MIRACL.
“The more complicated the password is, the more time it takes to crack, so they’re just pushing the burden of using their service onto you because they haven’t got anything better.
“Google’s plan doesn’t represent a leap in technology, it’s just something they can do, based on the position they’re in, to mine data on you,” he adds. “It’s not going to fix anybody else’s problems and it likely violates EU privacy regulations. So the jury’s out.”
What companies like MIRACL say they are doing is getting rid of both digital certificates, which have proven to be vulnerable to digital forgery, and the need to keep password-based databases ‘somewhere safe’.
Pairing, as it’s called, a technique based on elliptic curves, was just about impossible 15 years ago. But through some very complicated maths, it’s enabling ‘something you have, a key, plus something you know, a PIN’, to arrive online for normal people in a similar way to using an ATM in real life.
“The biggest challenge to the cyber security industry is that there’s now a ubiquity of technology, from smartphones to the Internet of Things, Internet of Everything, smart cities, smart nations, even, and the workforce is just trying to keep up,” says Shearer, whose organisation has certified some 114,000 IT folks around the world.
1.5 million cyber jobs going unfilled
“There are going to be 1.5 million jobs that come available between now and 2020, we have an ageing workforce who are increasingly suffering burnout and we don’t have a wave of young people to replace them,” Shearer warns.
“Ultimately, CEOs get fired for cyber security issues because right now, cyber security staff have no authority within businesses, the reporting lines are unclear and there’s no global standard for how this all works in practice.”
Mark Zuckerberg is unlikely to get fired for something that ultimately doesn’t seem like it was a problem with Facebook’s security, particularly as he’s in charge.
But it’s rather embarrassing, even dangerous, if the CEO of one of the world’s biggest personal data companies fails Cyber Skills 101. The company’s shareholders will no doubt be asking questions.
Thankfully, our friends over at the New Statesman have prepared a list of nine quick, effective ways to protect your privacy online, which it seems like *some of us, Mark* are still in need of.