I’ve been talking a lot about information sharing within information security lately, most recently at the ISSA CISO Summit in Denver. The presentation covers some of the new school of information security and walks through a few use cases on data-driven security. Sadly, this past week has reminded me how much “old school” is still being practiced.
We saw a lot of password leaks in the news, including the likes of LinkedIn, eHarmony and Last.FM; however, this post isn’t about breaches or even lax security practices. What actually bothered me the most about these incidents was the communication, or lack thereof. When news broke of the LinkedIn password hashes being posted on the net, it seemed most people realized it was real long before LinkedIn confirmed it. There was a lot of guidance to change your password, yet nothing that led me to believe the hole was closed and my new password wouldn’t be breached as well.
Of course, as the week went along, the news of the others came out as well. The response from Last.FM was the one that irked me enough to take the time to write a blog post. All of these breaches present a great opportunity to learn what does and doesn’t work in information security. But when we get responses like the one posted by Last.FM, not only do we not learn anything, we don’t have any reason to believe they have either.
On Friday, Last.FM posted that at least “some” passwords had been leaked online. They were encouraging all of their users to change their passwords (Note: I’m one of those users). Again, this post isn’t to pick on sites that have been breached because it happens to everyone. Personally, as a Last.FM user, I’m not all that worried about this one. I used a unique password and frankly if someone took over my Last.FM account I can’t imagine much damage being done. But when I read the post from them I couldn’t help but show a little frustration on Twitter:
— Ed Bellis (@ebellis) June 8, 2012
A product manager from Last.FM then engaged me on Twitter and asked what more information I would have liked. I asked him to provide how they would be storing my new password, to which he responded with this:
@ebellis we’re not going to be specific about the method for secure storage of PWs but we did a MAJOR upgrade to this on Wed.
— Matthew Hawn (@jukevox) June 8, 2012
Well, I felt much better immediately. They completed a MAJOR upgrade after all. You can see how the rest of the conversation went here.
After a long week of internet password leaks, it was only the lack of information sharing that truly bothered me. This mindset that “I can’t possibly tell you how I’m protecting your password because then the bad guys would know how to get us” isn’t working. Look, I get it, you can’t share everything. I’m just asking for baby steps. Let’s start talking about our mistakes in the hope that we all learn from them.
Finally, the news isn’t all bad. There are some new schoolers out there, whether they know it or not. Take a look at the communications from Cloudflare after they recently suffered a breach. The transparency is refreshing and something we should all strive for.