Snapchat and other online services need to tighten security
- 16 October, 2014 23:36
In recent weeks, there have been data breaches involving passwords and email addresses from JP Morgan Chase, celebrity nude photos from Apple's iCloud, more than 70,000 images from Snapchat and now a new alleged hack at Dropbox -- a claim it denies.
Many of those hacks didn't involve a security breach of the company's own servers but were instead the result of brute-force password attacks, customers' use of third-party apps not authorized for use on the original service, or names and passwords collected from websites not related to the cloud service that hackers claimed to have broken into.
This week on code-sharing site Pastebin, an anonymous poster claimed nearly seven million Dropbox accounts had been hacked. The poster then published 100 of them and threatened to reveal them all if not offered a Bitcoin reward.
Dropbox security engineer Anton Mityagin insisted the company's servers had not been hacked, saying in a blog post, "Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox."
Responses to many of the recent attacks have been similar to Dropbox's. Chase says there's no need to change PIN numbers or passwords or replace credit and debit cards; Apple claims its iCloud is secure and Snapchat denies any wrongdoing on its part.
Experts, however, argue that online companies are not doing enough watch their networks and identify nefarious activity, as well as encrypt data prior to it being stored.
"Service providers can block brute-force attacks. For example, if you see the same IP address logging in 100 times, that's something you should check," said Engin Kirda, a professor at the College of Computer and Information Science at Northeastern University and co-founder of Lastline Inc., a maker of security and malware protection software.
Snapchat's breach this week, which involved a third-party app collecting user photos for years, comes five months after the company settled a suit with the Federal Trade Commission (FTC) over charges that it deceived consumers with promises about the disappearing nature of messages sent through the service.
The need for greater visibility
According to the FTC's complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.
For example, the FTC alleged that Snapchat stored video snaps unencrypted on the recipient's device in a location outside the app's "sandbox," meaning that the videos remained accessible to recipients through a device file directory.
SnapSaved took responsibility for what has been called "The Snappening," where around 70,000 Snapchat photos or videos were shared on an anonymous website. SnapSaved said most of the photos that were exposed came from Swedish, Norwegian and American users.
In a post on its Facebook page, SnapSaved apologized and explained its "dictionary index" database had been hacked.
"As soon as we discovered the breach in our systems, we immediately deleted the entire website and the database associated with it. As far as we can tell, the breach has effected 500MB of images, and 0 personal information from our database," the company stated.
Also according to the SnapSaved post, the hacker's claims that there was sufficient data to create a searchable database of Snapchat images were false.
Third-party applications for Snapchat, Twitter, Facebook and other social media sites can be found throughout Apple's iTunes and Google Apps services.
However, users are often unaware of the risk they're taking when they download an app, even one vetted by big-name vendors, according to John Kindervag, a security analyst at Forrester Research.
Hacks not new, but social media is growing them
Kindervag said three things have contributed to the flood of recent privacy breaches: The fact that security and net neutrality are opposite goals; the rise of popularity in social media, and poor security often results from a company assuming bad things happen only outside their network.
"Look at brute-force attacks, those have always been happening. The idea that SnapChat had another proxy involved that saved all their stuff, yeah that has always been happening too," Kindervag said. "Now everyone's upset."
"As I like to say, there are no suburbs on the Internet. We all live in the same bad neighborhood," he added.
SnapChat's biggest failure, Kindervag said, is that they weren't more closely monitoring the third-party apps using its API. He also said using an encryption algorithm would have made it more difficult to gather the photos in the first place.
"You should always plan for a systemic failure, whether its one in your network things or someone else's," Kindervag said.
Users, of course, also have a responsibility to understand that once something is uploaded to a cloud service, the risk of exposure greatly increases regardless of whatever security measures are taken.
For their part, users either have to be responsible in the content they create, or understand there are steps they must take to increase the security around the content.
Northeastern's Kirda recommends people use free services such as KeePassX, an open-source password management utility that works with most OSes. KeePassX stores usernames and passwords in an encrypted database, and gives the user the specific password or key file to use on every website they visit with a login.
While user education is important, and includes measures such as choosing robust passwords and not reusing them on multiple sites, the onus can't be entirely on the customer to protect his or her own data when it's been entrusted to a service.
"Basically, I think anyone that relies on passwords for security has to be kidding themselves," said Gartner security analyst Avivah Litan. She suggests biometric security measures instead. For example, behavioral biometrics applications can track how users of a website typically act, and if that activity changes dramatically, the company can be alerted and take action.
"The idea is you can maintain customer convenience and strengthen consumer security without imposing things on them," Litan said. "That's even better for security because many intelligent security folks believe we need to forget about prevention and focus on detection and containment."