A couple weeks ago, we covered the West Australian government’s security audit here on the Octopus Blog.
The section of the governmental audit’s research into cyber security practices unveiled some pretty disturbing facts. Given the opportunity, users will choose the most obvious, easiest to guess passwords, leaving them wide-open targets for cyber criminals.
While the size and scope of this phenomenon was received with shock, no infosec professional worth his or her salt could really be surprised. Password based authentication fosters bad security practices. This is a long established fact.
The truth is, the data collected in Australia’s recent audit doesn’t stand alone. Other recent findings have exposed another serious security issue passwords inevitably create.
The Vulnerabilities Pile Up
Passwords aren’t only problematic when they themselves are weak.
Passwords are essentially cryptographic secrets. These secrets need to be managed and stored. Even for individual users with multiple online accounts, this can be a difficult task. For a large organization with hundreds if not thousands of members, it becomes a major logistical hurdle. And here’s where many organizations relying on passwords to protect identities end up failing.
This fact was made public most recently late last month, when security researcher Kushagra Pathank discovered openly accessible links to internal documents belonging to the United Nations.
According to reports, UN employees made this breach possible by misconstruing files on popular project management service Trello, the tracking app Jira, and Google Docs. The mistake allowed anyone with the proper link to access these documents, rather than being accessible to specific users only.
Pathank came across these documents by running simple search engine queries. The searches produced public Trello pages, some of which contained links to the public Google Docs and Jira pages. The data revealed in these documents contained passwords for various UN accounts, including the video conferencing system at the UN’s language school, a web development environment for the UN’s Office for the Coordination of Humanitarian Affairs, and access to UN websites currently under development.
“In total, Pathank discovered some 50 boards and documents that he was able to access–all because of the flawed security settings implemented during their setup.”
Lessons Learned
There are two important points to highlight from this story.v
First off is the shockingly low security standards of whoever was handling IT at the UN.
One would expect that the largest, most influential diplomatic organization in the world would put in some more effort to secure documents containing so many credentials. To protect its passwords, the UN should have been using a password vault that utilizes a privileged access management approach. At the very least there should have been a second authentication factor in place to access these files.
But there is a another, more important element that needs to be pointed out, and that’s the fact that the UN is using passwords at all.
Its because the UN is utilizing passwords that they had to resort to a form of managing them. And of course, whoever was in charge of that, chose an easier, less secure option. Pathank–who has become quite an expert at identifying publicly accessible private files–explained that exposure of these types of files happens simply because leaving them unsecured is easier than securing them. Users opt for “sharing the URL of the board without [actually adding users] to the board” since securely adding members with access “seems to be huge task for these people” Pathank said.
This whole episode serves as another stark lesson on how password-based authentication leads to security problems.
The good news is that the digital sphere no longer has to rely on passwords or deal with all of the vulnerabilities they create. Password-less, out-of-band authentication is the way of the future. With these tools, companies and private users alike can circumvent all the pitfalls of passwords, and achieve network-wide authentication that is both seamless, and more secure.