Saturday , March 23, 2019

Security Notes: Lessons From the Marriott Hack

Last month, the world learned that hackers had been violating Marriott’s customer database for four long years without being detected. How many similar outfits are being violated as we speak? People in my profession know that if a breach is detected and there is a chance to hide it from the media, the victimized entity will be desperate to keep it quiet, so it’s no wonder the problem is under-reported.

An aggressive cybersecurity industry uses these breaches to sell their product. At the same time, it is being whispered among consultants that a busy, public-serving database with a complex array of access credentials cannot withstand a well-funded, patient, and competent penetration campaign.

In the cyber realm, we are limited to distinguishing between “good guys” and “bad guys” by merely analyzing a sequence of bits. If a bad guy discovers the bit string that the good guy is using to authenticate himself, then he is treated as the good guy.

The bad guys are using two critical strategies: the victim’s predictability and a credentials buildup.

When we helped Heartland Payment Systems sort out their embarrassing 2009 mega-hack, we saw the very same vulnerability that we have pointed out to our clients ever since: Hackers exploit our predictability, and overcome our defenses with their unpredictability.

The fundamental solution is to tilt this balance, even a tiny bit, in our direction. This is very hard because the business instinct is to achieve a streamlining of operations by relying on smoothness and predictability. Every time you change a protocol, it’s a headache.

Of course, you don’t want to go overboard. But a concerted effort to randomly and repeatedly change established procedures is the best preventative for cyber ailments. A single public-interacting protocol modification could nullify an advantage hackers may have worked months to install.

Random, in-depth inspections of transaction trails will uncover treasures. When I was preaching this gospel to Heartland, their chief information officer chided me, saying: “How about changing cyber security consultants?” “That too,” I replied sheepishly.

“Convenience wins every time,” lamented another client. “We are so busy, who would initiate changes for the sake of an abstract principle of unpredictability.” “Indeed,” I answered, “but the few who do — win the cyber war!”

An aggressive defense would use hackers’ predictability against them by spotting apparently fully credentialed users who are in fact concealed assailants. So far, we humans have been instructing the behavioral software on what to look for. Soon enough, artificial-intelligence engines will hunt hackers on their own.

Hackers build up access credentials painstakingly, starting with open personal data and moving up to restricted personal data, then to classified data, and finally to highly confidential data. They start with social media to identify the targets. They learn about them through health clubs, homeowner’s associations, and other low-security databases, and then climb from there. Hackers remember failing passwords used by sports-club members attempting to log in to the club. Then the hackers try the same passwords over high-security servers they suspect their victims have access to.

We developed a robust solution involving what we call “data fingerprinting” to negate this data buildup. We presented it last summer at a security conference in Las Vegas, and inquiries came from … China!

Both solutions, insistent unpredictability and data fingerprinting, are neither cheap nor convenient. A straight-talking client confessed: “Your solution will cost me money, but will put a feather in the hat of my successor. Not what I need.”

A final note on encryption. Marriott used industry-standard AES 128 bits ciphers. As the famed Israeli cryptographer Adi Shamir (the “S” of RSA) observed: “Mostly, encryption is not cracked but by-passed.” The Marriott hackers just built up credentials to have access to the decryption keys.

Strategically speaking, AES and all other mathematical-complexity algorithms are no defense against a smarter mathematician or a faster (quantum) computer. Here, too, executives stubbornly apply a short-range calculus.

Across the Pacific lies a big country taking a very long-range view. Time for the U.S. to wise up.

—Gideon Samid • Gideon@BitMint.com

Check Also

Priority Technology Blames a Mastercard Subscription Rule for Its $19.5 Million Revenue Hit

Merchant processor Priority Technology Holdings Inc.’s fourth-quarter revenues fell by $19.5 million, a drop of …