Sad news. Once again a web productivity tool has been hacked.
Slack used currently accepted practices to secure its clients' data. Still, the system was penetrated and, according to their blog, passwords and other credentials were stolen.
Another site’s credentials and passwords hacked.
This intrusion and theft is no reflection on Slack, its products and services, or its efforts to protect its clients' data. We should acknowledge that they were forthcoming. Slack is only this week's visible poster child of a pandemic trend in security breaches. From China to Russia, India to Turkey, breaches focus on getting passwords and credentials. The attackers want everyone's, even yours.
This breach, like so many others, raises some very troubling issues. They are the elephant in the room that everyone ignores. Perhaps we just don't want to wake it?
- What is the true responsibility of any enterprise, to protect data it takes in trust from its clients?
- Why did it take a month to become aware of the intrusion?
- If state-of-the-art systems for protecting passwords are defective, why do we continue to use them?
1. The question of responsibility is not trivial. If Slack (or any other site) holds a user's credentials and the stolen identity is used in a crime, what is the site's liability?
Slack said: “We are committed to continual improvement of both internal security practices and development of features that help you take control of your own and your team’s security on Slack.”
Nice words, but does that end the responsibility of a compromised site?
Slack also announced: "Two Factor Authentication ('2FA'; also known as 'two step verification'), which is now available for all users/teams".
Is it sufficient to patch the hole and make it harder for users to log in? What of the charge cards opened in the names of the stolen credentials?
2. Why did it take a month to become aware of the intrusion? Intrusion and theft is an endemic issue. The Edward Snowden incident showed that once the perimeter is breached, whether by an insider with legitimate access or by an outsider, there is little left to control or record what happens inside. Why are we stuck on perimeter security alone? Can't we go past the perimeter and secure the individual data elements and files?
3. Why do we keep using, and keep patching, a broken system? We know the boat named HMS Password is leaking. We even know it is sinking. Yet we continue to ride along, knowing it is steaming full speed toward Gilligan's Island. Why?
The fact that Slack is a target should be accepted as part of the big picture: everyone and every site is a target. Slack was the unfortunate victim of a successful attack. They should be acknowledged for their transparency, but they should be looking for and championing alternatives, not playing 'patch and pray.' They claim to be innovative, after all, and should seek innovative solutions to difficult problems.
The real question, the unifying theory of security, is this: why don't we just eliminate the password altogether?
Coming soon… BPID password-free authentication.
Paul Swengler is the CEO and principal of Bulletproof ID, a password-free authentication system. He can be reached through www.bpidsecurity.com and can be found on Twitter, @bpids