This post is part of a series in which we pull security stories right from the headlines and discuss their relevance to the eight domains of the CISSP® exam.
Read our previous post in this series:
Name That Domain: Backdoors
Name That Domain: Ransomware
Name That Domain: 85 Million DailyMotion Accounts Compromised
With hackers becoming more adept every day, some would say that the cyberworld is in daily motion. In a year filled with unprecedented data breaches and cyber incidents, the video hosting site DailyMotion is just the latest casualty. According to LeakedSource and cited in Hacker News, the unique usernames and email addresses associated with 85 million DailyMotion users were compromised in October 2016. The attackers also managed to collect 18.3 million hashed passwords associated with these user accounts. Although DailyMotion protected the passwords using an encryption protocol called bcrypt, hackers may still be able to circumvent this protocol and access all of those login credentials.
The specifics of the attack were revealed this week on December 6, indicating that stolen user data could have been circulating on the black market for more than a month before users were even made aware of the security breach.
Domain 3: Security Engineering
The third domain of the CISSP® exam describes the details of security engineering. Cryptography contributes heavily to this process by using complex math to scramble raw messages (or plaintext) into unreadable characters (ciphertext). When it comes to selecting the algorithms used to encrypt information, security engineers have many options.
The CISSP® curriculum teaches that it is paramount to select the hash function that can appropriately secure the information under one’s purview. Algorithms may all have the same goal of securing information, but each one differs in output length, the number of operational steps, and how vulnerable it is to attack. Bcrypt, the hashing algorithm chosen by DailyMotion, is considered to be more secure than other algorithms like SHA-1 or MD5 because it uses a process called salting to introduce randomness into the ciphertext. However, as the 2015 Ashley Madison data breach proved, bcrypt is still crackable. Ashley Madison users’ passwords were decrypted and published online by Internet vigilantes and extortionists, resulting in a $567 million class-action lawsuit and at least one suicide.
The cybersecurity world has become desensitized to data breaches targeting personally identifiable information, financial records, and intellectual property. However, if distributed, data as seemingly innocuous as email addresses and usernames can become a security risk. Affected DailyMotion users will likely receive more phishing emails as a result of the breach. If an enterprising hacker manages to gain access to the scrambled passwords, then the risks will multiply. Reusing passwords remains a common security misstep with dire consequences. According to a 2015 study by TeleSign, 3 out of every 4 consumers admitted to reusing passwords across multiple accounts.
Everyone—from CISSP®s to ordinary, cyber aware users—can employ cybersecurity best practices to protect themselves and their data. Create unique passphrases for each of your digital accounts. Never write your login credentials down on a piece of paper. Always keep your login credentials to yourself.
Perhaps most importantly, you should keep reading the headlines. By remaining apprised of recent breaches, you will be able to take corrective steps in a timely manner and protect yourself.