Julia McCarron, Advent IM Director, looks at the British Gas breach that saw customer details published online and the energy giant claiming they had not been breached and the details must have come from elsewhere…
So let’s get this straight. The email addresses and passwords definitely belonged to British Gas customers? Tick. They definitely accessed British Gas customer accounts? Tick. But the data didn’t come from British Gas? Dot. Dot. Dot.
It appears that where there’s blame there’s a claim. British Gas are blaming everyone else’s recent security incident misfortunes and claiming it’s the result of information from other data breaches being pieced together, testing passwords which were re-used across multiple accounts. Or they’ve been uncovered as the result of a phishing campaign. One or the other… they’re not sure which.
Is this possible? Well yes, in today’s sophisticated technological world it probably is, to be honest. And that’s quite scary and brings us round to a common theme of ours… password management.
Almost everything we do online these days requires a password. Shopping accounts, banks, building societies, utility suppliers, pensions, social media, YouTube, movie streaming, e-reader accounts… And what do we have a tendency to do? Use the same password so that we don’t forget it. What else do we do? Use the cat’s name and granny’s date of birth. For those of us working in security, or in an organisation with a good security culture, we are aware of the bad practice this demonstrates, but many consumers out there have not grown up in an electronic information security environment. This makes British Gas’ claim a distinct possibility given the sophistication of the unethical hacker community.
Recent guidance issued by CESG and the Centre for the Protection of National Infrastructure (CPNI) explains how passwords are discovered.
Attackers use a variety of techniques to discover passwords, which include:
- social engineering, e.g. phishing; coercion.
- manual password guessing, perhaps using personal information ‘cribs’ such as name, date of birth, or pet names.
- intercepting a password as it is transmitted over a network.
- ‘shoulder surfing’, observing someone typing in their password at their desk.
- installing a keylogger to intercept passwords when they are entered into a device.
- searching an enterprise’s IT infrastructure for electronically stored password information.
- brute-force attacks; the automated guessing of large numbers of passwords until the correct one is found.
- finding passwords which have been stored insecurely, such as handwritten on paper and hidden close to a device.
- compromising databases containing large numbers of user passwords, then using this information to attack other systems where users have re-used these passwords.
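The last technique on that list is the one British Gas points to: credentials harvested from someone else’s breach and replayed against many accounts. As an added illustration (not from the CESG/CPNI guidance or the original post), here is a small detector a service provider could run over its own login logs, using a constructed log format and sample lines; it flags a source that tries many different accounts in a short window with mostly failures, and lists the accounts where a guess succeeded so they can be forced through a reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not real British Gas data):
# "<ISO timestamp> <client ip> <account> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2015-10-28T09:00:01 203.0.113.7 alice@example.com LOGIN_FAIL
2015-10-28T09:00:02 203.0.113.7 bob@example.com LOGIN_FAIL
2015-10-28T09:00:02 203.0.113.7 carol@example.com LOGIN_OK
2015-10-28T09:00:03 203.0.113.7 dave@example.com LOGIN_FAIL
2015-10-28T09:00:04 203.0.113.7 erin@example.com LOGIN_FAIL
2015-10-28T09:00:05 203.0.113.7 frank@example.com LOGIN_FAIL
2015-10-28T09:05:00 198.51.100.9 alice@example.com LOGIN_FAIL
2015-10-28T09:05:20 198.51.100.9 alice@example.com LOGIN_OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse_log(text):
    """Return (timestamp, ip, account, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return events

def find_credential_stuffing(text, window=timedelta(minutes=5),
                             min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that hit many *distinct* accounts within `window`, mostly
    failing. A user mistyping their own password (198.51.100.9 above) touches one
    account and is not flagged; a replayed breach list touches many."""
    per_src = defaultdict(list)
    for ev in parse_log(text):
        per_src[ev[1]].append(ev)
    flagged = {}
    for ip, events in per_src.items():
        events.sort()
        j = 0
        for i in range(len(events)):
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1                      # extend window [i, j) to `window` span
            recent = events[i:j]
            accounts = {e[2] for e in recent}
            fails = sum(1 for e in recent if e[3] == "LOGIN_FAIL")
            if len(accounts) >= min_accounts and fails / len(recent) >= min_fail_ratio:
                flagged[ip] = {"accounts_tried": len(accounts),
                               "fail_ratio": round(fails / len(recent), 2),
                               # successes inside a stuffing burst = reused passwords
                               "successes": sorted({e[2] for e in recent if e[3] == "LOGIN_OK"})}
                break
    return flagged
```

The thresholds are assumptions to tune per service; the useful output is the `successes` list, which is exactly the “indication or suspicion of compromise” on which the guidance says a password change should be required.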
In business we can do something about this through implementing policies and procedures, providing security awareness training to our staff and implementing technical controls that prevent, detect and monitor activity to reduce the risk of a data breach.
The general public may not have the knowledge or resources to implement these controls, and arguably the likes of British Gas need to help their users cope with password overload. The same CESG/CPNI guidance suggests how service providers might do this.
“Users are generally told to remember passwords, and to not share them, re-use them, or write them down. But the typical user has dozens of passwords to remember – not just yours. Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.
- Only use passwords where they are really needed.
- Use technical solutions to reduce the burden on users.
- Allow users to securely record and store their passwords.
- Only ask users to change their passwords on indication or suspicion of compromise.
- Allow users to reset passwords easily, quickly and cheaply.
- Do not allow password sharing.
- Password management software can help users, but carries risks.”
So rather than simply saying “this isn’t our fault” British Gas could perhaps be ‘looking after our world’ by improving how their customers manage their passwords? They may have got to 9/10 boiler breakdowns the same day last year but 9/10 password breaches won’t be good enough.