I hope you enjoy my latest cartoon about passwords on the Dark Web. These days, it seems, login credentials and other personal data are routinely stocking the shelves of the Dark Web. Last year, a hacker was peddling 117 million LinkedIn user email and passwords. And, late last year, researchers found a file with 1.4 billion passwords for sale on the Dark Web. Hackers will have happy shopping for a long time.
A while ago, I wrote about a case involving a member of the St. Louis Cardinals baseball team staff who improperly accessed a database of the Houston Astros. There is now an epilogue to report in the case. The individual who engaged in the illegal access — a scouting director named Chris Correa — was fired by the Cardinals, imprisoned for 46 months, and banned permanently from baseball. The Cardinals were fined $2 million by Major League Baseball Commissioner Rob Manfred, and they must forfeit their first two picks in the draft to the Houston Astros.
According to an article about the incident in the St. Louis Post-Dispatch: “As outlined in court documents, the U.S. attorney illustrated how Correa hacked Houston’s internal database, ‘Ground Control,’ 48 times during a 2½-year period. He viewed scouting reports, private medical reviews and other proprietary information. The government argued that Correa may have sought to determine if Houston borrowed the Cardinals’ data or approach, but the information he accessed was ‘keenly focused on information that coincided with the work he was doing for the Cardinals.'”
As I wrote in my piece about the case, there are several lessons to be learned. One lesson is that it is a myth that hacking and computer crime must be hi-tech. Here, Correa’s hacking was nothing sophisticated — he just used another person’s password. The person had previously worked for the Cardinals, and when he went to the Astros, he kept using the same password. In my piece, I discussed other lessons from this incident, such as the importance of teaching people good password practices as well as teaching people that just because they have access to information doesn’t make it legal to view the information. The Cardinals organization appears to have learned from the incident, as the “employee manual has been updated to illustrate what is illegal activity online,” and the organization is using two-factor authentication to protect its own sensitive data. The article doesn’t say whether the Astros also stepped up their security awareness training by teaching employees not to reuse their old passwords from another team.
A recent article in Wired argues that it is time to kill password recovery questions. Password recovery questions are those questions that you set up in case you forget your password. Common questions are:
In what city were you born?
What is your mother’s maiden name?
Where did you go to high school?
Here’s a cartoon I created to illustrate the importance of security awareness training. I hope you find it amusing.
By Daniel J. Solove
The SplashData annual list of the 25 most widely used bad passwords recently was posted for passwords used in 2015. The list is compiled annually by examining passwords leaked during a particular year. Here is the list of passwords for 2015, and below it, I have some thoughts and reactions to the list.
Recently, the FTC issued a short guide to what organizations can do to protect data security. It is called Start with Security (HTML) — a PDF version is here. This document provides a very clear and straightforward discussion of 10 good information security measures. It uses examples from FTC cases.
Co-authored by Professor Woodrow Hartzog.
Authentication presents one of the greatest security challenges organizations face. How do we accurately ensure that people seeking access to accounts or data are actually whom they say they are? People need to be able to access accounts and data conveniently, and access must often be provided remotely, without being able to see or hear the person seeking access.
by Daniel J. Solove
I’ve really been enjoying the new TV series Mr. Robot on USA. Network. It presents highly-engaging depictions of hacking and social engineering, and it is great entertainment for privacy and security geeks.
The protagonist is Elliot Alderson (played by Rami Malek), a tech who works at a cybersecurity firm in New York City. The show is narrated with voiceover by Elliot, and we get a glimpse into the mind of this reclusive and quiet person. Voiceover can often falter as a technique, but here it works wonderfully — and all the more impressive because Elliot speaks softly, often in monotone. But Elliot is such a fascinating character and Malek delivers Elliot’s monologue so effectively, that it becomes surprisingly engaging.
Elliot is very smart and clever, and he sees many around him as idiots. He suffers from severe bouts of depression, is a recluse who wants to be invisible, and he is very awkward around other people. He lives most of his life inside his head. The show presents the stark contrast between what he says to others and what he is thinking. In one scene, we see him speaking to his psychiatrist, telling her hardly anything. But we hear his thoughts and know that he is pondering quite a lot.
By Daniel J. Solove
A recent study by TeleSign revealed that many people engage in some troublesome password practices. Some of the most alarming findings from the report include:
— 73% of accounts use duplicate passwords.
— Nearly half of consumers have a password they haven’t changed in 5+ years
— “Consumers have an average of 24 online accounts, but use only 6 unique passwords.”
— “Only 30 percent of consumers are confident that their passwords will protect the security of their online accounts.”
These findings demonstrate why better authentication is needed. Enforcing good password practices is tremendously difficult. People have so many passwords that they must memorize, and if they must be long and complex, this compounds the challenge. Alternative means of authentication — such as two-factor authentication — should be explored, as they can be affordable and efficient.
By Daniel J. Solove and Paul M. Schwartz
This post is co-authored with Professor Paul M. Schwartz.
This post is part of a post series where we round up some of the interesting news and resources we’re finding.
For a PDF version of this post, and for archived issues of previous posts, click here.