The Microsoft Security Center has this excellent article listing their “10 Immutable Laws of Security” (read it thoroughly):
- If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
- If a bad guy can alter the operating system on your computer, it’s not your computer anymore
- If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
- If you allow a bad guy to upload programs to your website, it’s not your website any more
- Weak passwords trump strong security
- A computer is only as secure as the administrator is trustworthy
- Encrypted data is only as secure as the decryption key
- An out of date virus scanner is only marginally better than no virus scanner at all
- Absolute anonymity isn’t practical, in real life or on the Web
- Technology is not a panacea
In my article about single identity, I mentioned that a trusted source for passwords would be a big target for hackers. Someone commented that lastpass.com had done it right by doing the encryption locally (so no cleartext data is ever transmitted) and sending only the encrypted data to the servers. This does seem like a reasonable approach, depending on the strength of the encryption.
But here is the problem. Suppose a hacker knows that Warren Buffett is storing his prospective acquisition documents on Google Docs and is saving his Google password in LastPass. How much would someone pay for that information? Wouldn't that be worth millions or hundreds of millions? Or even billions, if you can gain access without Buffett knowing that the password has been compromised, so that he keeps using it. Buffett might be an extreme example, but you can go lower down the food chain and still find lucrative accounts to crack.
It doesn't have to be financial information. It could also be passwords that give access to secrets useful to governments or the military. For example, the Chinese government cracks down on dissidents, and it would want to break into a source that can give it access to accounts holding information that helps it keep its hard-line regime in place.
When the incentives are this high, it is a different ball game. It is not just about the technology involved. It is also about the people who run the technology. I don't want to single out LastPass, but if a company stores millions of people's passwords, some of whom are big shots, then not only do data storage and data transmission become targets; every aspect of the company becomes a target as well.
Is it possible for a receptionist at that company to walk over to a programmer's desk and plug in a USB key that attaches malicious code to the program customers download? How much configuration management is done on the bits that make up the shipped software? Is it possible for someone to copy the source code and examine it at their leisure for loopholes?
There are organizations, such as military installations, that need high security. They spend millions of dollars and vast amounts of resources to secure every aspect of their organization. Somehow, I don't get the feeling that the startup-like companies handling passwords in the cloud have that capability. They are simply relying on technology to save them.
This is not to say that an ordinary person like me should not use such services to store commercially useless passwords, like the one for my Twitter account. In fact, the reason these services are still alive is that only regular people use them, saving throwaway passwords. And no criminal wants to take the risk or spend the effort on something that will yield little reward.