Well, back to blogging again after a couple of days of hiatus. Just some medical work that needed to be done. Anyway, do you remember the days of the 2016 campaign? Who can forget those days. The name calling, the finger pointing, the cries of “Lock Up Hillary”, “Build A Wall”, etc. all still resonate in our ears and eyes today. I gotta tell ya, Trump for sure has been a controversial President thus far, and to some degree Hillary as well, though you don’t hear too much from her lately.
The reason I bring all of this up is because of another key issue that was front and center during the campaign: Hillary’s supposed use of a private E-Mail server at her home while she was Secretary of State, and the two FBI investigations that followed. Now, I am not making any judgements here, because I of course do not know all of the facts. But I want to use this to illustrate another security breach that was discovered earlier this week.
Apparently, a file from the popular “My Heritage” website was discovered on a private server, and the very bad news is that it contained the email addresses and hashed passwords of more than 92 million MyHeritage customers. The file contained the login information of MyHeritage users who had signed up for the service up to October 26, 2017, which is the date of the breach.
It should be noted as well that the company, My Heritage, does not store user passwords but instead stores a one-way hash. This is a principle of Cryptography that is used to protect stored passwords: the hash can be computed from the password, but the password cannot be read back out of the hash (a future blog will review this and other Cryptographic related content in much more detail). So far, there appears to be no evidence of any misuse of the personal information, which is the good news so far.
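As an added illustration, not from the original post and not MyHeritage’s own code, here is a small Python sketch of what “storing a one-way hash instead of the password” means, and why a per-user salt and a slow hash such as PBKDF2 matter when a hash file like the one found here leaks. The users and passwords are constructed samples.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample users (not real MyHeritage data); two reuse a password.
SAMPLE_USERS = {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "hunter2",
    "carol@example.com": "correct horse battery",
}


def naive_hash(password: str) -> str:
    """Bare, unsalted SHA-1: still one-way, but identical passwords give
    identical hashes, so one precomputed table matches every reuser."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: 'pbkdf2_sha256$iters$salt$hash'.
    A fresh random salt per user makes equal passwords look different,
    and the iteration count makes each guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(parts[1]))
    return hmac.compare_digest(candidate, expected)


def duplicate_hash_count(hashes) -> int:
    """Repeated stored values: in an unsalted leak every user who picked
    the same password is exposed together."""
    return len(hashes) - len(set(hashes))


if __name__ == "__main__":
    print("repeated unsalted:", duplicate_hash_count([naive_hash(p) for p in SAMPLE_USERS.values()]))
    print("repeated salted:  ", duplicate_hash_count([make_record(p) for p in SAMPLE_USERS.values()]))
    print("verify ok:", verify("hunter2", make_record("hunter2")))
```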
Also, it appears that the Security practices that were implemented by My Heritage were followed, but somewhere, somehow, there was a hole in their network intrusion detection system which allowed the file to be captured and stored onto the private server. Worse yet for the image of the company, this vulnerability was not discovered by them internally, but rather by an outside third party.
The corrective actions that My Heritage has offered thus far are urging their customers to change their passwords ASAP, and hiring a separate Cyber security firm to investigate exactly how all of this happened and to conduct the necessary forensics investigations. They will also be offering its customers what is known as “Two Factor Authentication”, or “2FA” for short.
I have talked about 2FA in previous postings, and just to recap, it is where two levels of security are employed in order to positively confirm your identity. Probably the best example of this is the new iPhone series, in which you not only have to create a password, but use a Biometric trait as well, such as your Fingerprint, or even your Face.
The CTO of the Cyber security firm that My Heritage has engaged sums it up this way: “ . . . a top priority must be to use unique passwords, but even when browsers recommend this, the reality is very different. How many of you reuse the same password across two or more sites? What is your personal cyber posture? The second question is, from where was this data obtained? Does MyHeritage leverage the public cloud? If so, were they following best practices to ensure their cloud security posture, or does this breach follow so many others where cloud storage resources were left unsecured and unencrypted?” (SOURCE: https://www.scmagazine.com/researcher-finds-login-info-for-92-million-myheritage-users-on-private-server/article/771148/).
Although this is a critical Security issue, I have to give credit to My Heritage. From what I can see so far, the company acted promptly in notifying local law enforcement as well as customers, and has taken the initiative to find out what really happened by engaging a Cyber security firm to help (and this will not be cheap either, by any means).
My thoughts? Well, it just goes back to what I have been saying before. Whenever passwords are used as the primary means of defense, even in a 2FA setting, there is always a high probability that a Security breach can occur. After all, once the password has been discovered, all that is left for the Cyber attacker is to figure out how to break down the other layers of defenses.
If this is the case, then why not make the password the second, or even third, line of defense that has to be broken? Why make it the first? In the case of the iPhone, why not use the Facial or Fingerprint Recognition technology first, then the PIN or the password? In that case, if the iPhone were indeed lost or stolen, the probability of the Cyber attacker hacking into it is much lower, because it requires the confirmation of a physiological trait that is unique only to you.
Second, the next issue that arises is the Security of using the Cloud. We all assume (and yes, even myself) that all of our stuff is safe in the Cloud, because we assume that the Internet Service Provider (ISP), or whoever is responsible for maintaining it, will have implemented strong security practices. By human nature, we tend to be concerned only with those Security breaches that can happen to our local devices, such as our Smartphone or workstation.
But in stark reality, the Cyber attacker is after our stuff in the Cloud. After all, they know that is where we literally store everything of a private nature, and that we are not concerned about it. But you should be. If you engage in Cloud based services, either personally or through your employer, it is your fundamental right to know what Security protocols have been implemented. If you can’t get answers that satisfy you, then find another ISP to work with.
After all, in the end, it is your personal information and data that is at risk, and nobody else will look out for it except you.