Ensuring security on cloud services
Apple announced last Tuesday, local time, that the incident was caused by targeted attacks on individual cloud users’ passwords and not by a breach of its servers.
However, security experts argue that Apple still bears responsibility for the incident, because it gave the attackers enough chances to find the correct password through a simple method called a brute-force attack.
A brute-force attack tries one password after another until it hits the right one. Because working through every possible combination takes a long time, attackers also use what is called a dictionary attack, in which a computer automatically tries words frequently used as passwords, together with personal data about the individual being targeted.
In the wake of criticism, Apple CEO Tim Cook said the company plans to adopt a new notification system in the next two weeks, The Wall Street Journal reported Tuesday.
But cloud security problems are not limited to Apple. Local cloud services provided by major portal websites and telecom carriers, such as Naver NDrive, Daum Cloud and LG U+ Webhard, use passwords as the only method of verification to gain access to an account.
Most local cloud service providers lock an account after a user enters the wrong password a few times, which makes brute-force attacks difficult, said a researcher at the state-run Korea Internet Security Agency’s (KISA) information protection department.
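The two attacks described above, and the effect of a failed-attempt lockout like the one KISA describes, can be shown with a small simulation. This is an added example and is not code from the article, from Apple or from any of the Korean providers named; the login service, the account, its password, the personal data and the list of common passwords are all constructed here, and the salted SHA-256 stands in for a real password hash.

```python
"""Simulated online password guessing against a toy login service.

Added example, not from the article or any provider's code. The account,
password, common-password list and personal data are constructed.
"""
import hashlib
import hmac
import itertools
import os
from typing import Optional


class LoginService:
    """Toy login endpoint: verifies a password and, if max_attempts is set,
    locks the account after that many consecutive failures."""

    def __init__(self, password: str, max_attempts: Optional[int] = None):
        self._salt = os.urandom(16)
        self._digest = self._hash(password)
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def _hash(self, pw: str) -> bytes:
        # Stand-in for a slow password hash (bcrypt/scrypt/Argon2).
        return hashlib.sha256(self._salt + pw.encode()).digest()

    def login(self, guess: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(guess), self._digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True
        return False


def brute_force(service: LoginService, alphabet: str, max_len: int):
    """Try every string over `alphabet` up to `max_len`, shortest first.
    Returns (password or None, number of login attempts made)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            if service.locked:          # lockout: further guesses are useless
                return None, attempts
            attempts += 1
            guess = "".join(chars)
            if service.login(guess):
                return guess, attempts
    return None, attempts


# The most common passwords the article lists (per Burnett); constructed order.
COMMON_PASSWORDS = ["password", "123456", "12345678", "1234", "qwerty",
                    "baseball", "football", "letmein", "abc123"]


def dictionary_candidates(common, personal: dict):
    """Build guesses from common passwords plus a target's personal data
    (name, pet, birth year) and a few typical suffixes."""
    year = personal.get("birth_year", "")
    seen = []

    def add(candidate):
        if candidate and candidate not in seen:
            seen.append(candidate)

    for c in common:
        add(c)
    for word in (personal.get("name", ""), personal.get("pet", "")):
        for base in (word.lower(), word.capitalize()):
            for suffix in ("", year, year[-2:], "123", year + "!"):
                add(base + suffix)
    return seen


def dictionary_attack(service: LoginService, candidates):
    """Try each candidate in order; same return shape as brute_force."""
    attempts = 0
    for guess in candidates:
        if service.locked:
            return None, attempts
        attempts += 1
        if service.login(guess):
            return guess, attempts
    return None, attempts


def run_demo():
    """Four constructed scenarios: each attack with and without lockout."""
    digits = "0123456789"
    personal = {"name": "Kim", "pet": "choco", "birth_year": "1965"}
    candidates = dictionary_candidates(COMMON_PASSWORDS, personal)
    return {
        "brute_force_no_lockout": brute_force(LoginService("1965"), digits, 4),
        "brute_force_lockout": brute_force(LoginService("1965", max_attempts=5), digits, 4),
        "dictionary_no_lockout": dictionary_attack(LoginService("choco1965"), candidates),
        "dictionary_lockout": dictionary_attack(LoginService("choco1965", max_attempts=5), candidates),
    }


if __name__ == "__main__":
    for scenario, (found, attempts) in run_demo().items():
        print(f"{scenario:<24} found={found!r:<12} attempts={attempts}")
```

Without a lockout the four-digit PIN falls to exhaustive search after a few thousand guesses, and the nine-character "choco1965" falls to the dictionary attack in about twenty, long before any brute force over letters and digits would reach it. With a five-attempt lockout both attacks stop at five guesses, which is the point the KISA researcher makes: the strength of the password matters most when the service lets an attacker guess without limit.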
Local security experts have said cloud services should have additional authentication methods and that the National Assembly should move to pass a bill on cloud security that was proposed in October. It includes standards for identification methods, data encryption and criteria for auditing cloud service providers.
One method suggested by a security research team at Soonchunhyang University last year is an ID system that issues each person a digital identification card based on his or her URL address, in order to prevent cloud account hacks. The digital ID would be issued by a government-approved security firm and could then be used to log in to multiple cloud services, so users would not have to create their own passwords.
But experts say online protection depends on each user, after all.
Security expert Mark Burnett, who wrote the book “Perfect Passwords: Selection, Protection, Authentication,” said on his blog that setting a strong password is the first step to making sure data is safely stored.
According to Burnett, “password” and “123456” are the two most common passwords, followed by “12345678,” “1234” and “qwerty.” Names of sports and simple combined phrases, like “baseball,” “football,” “letmein” and “abc123,” are also popular. He said that by trying just three of those popular passwords, anyone could get into at least one out of every 10 online accounts.
Burnett wrote that about 40 percent of Internet accounts use a password from his list of the 100 most frequently used passwords. Long, complex passwords that include symbols therefore reduce the risk of being hacked.
Burnett gave three tips to creating safe passwords: Use a combination of letters and numbers, create a long phrase that is easy to understand and set passwords that are slightly different for each website.
“Increasing the password length is just as effective, maybe even more effective [than including numbers],” Burnett wrote in his book. “All it takes is adding a few characters to the length of a lowercased password to make it just as effective as a password that uses a mix of characters.”
The JoongAng Ilbo tested Burnett’s theory at howsecureismypassword.net, a website based on Burnett’s password database on which people can check how long it would take to crack their password. The reporter created a variety of passwords using the paper’s name and its year of establishment, 1965.
The four-digit password 1965 could be cracked instantly. The eight-letter password “joongang” would take only 52 seconds to guess by brute force.
Adding capital letters and numbers to the password raised the estimated cracking time to several hours, and including symbols raised it to years.
“One of the most secure ways for Koreans is to make their password from a Korean phrase typed in English and add some symbols in between,” said Suh Hyo-joong, a professor at the Catholic University of Korea. “The longer the password, the longer it takes to crack, and that time grows exponentially. So I would recommend making up a secure password with a sentence that’s meaningful to you.”
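The arithmetic behind the reporter’s test, Burnett’s claim that length beats character mix, and Prof. Suh’s point about exponential growth can be checked directly. The following is an added example and not code from the article, from Burnett’s book or from howsecureismypassword.net. It assumes the usual character classes (26 lower, 26 upper, 10 digits, 33 printable symbols including space), and it derives the attacker’s speed from the article’s own figure: 26^8 guesses in 52 seconds for “joongang” works out to about 4 billion guesses per second, an offline cracking rate rather than anything an online login with a lockout would allow. The sample passwords, including “dkssudgktpdy” (안녕하세요 typed with the keyboard left in the English layout, in the spirit of Prof. Suh’s suggestion), are constructed.

```python
"""Keyspace and time-to-exhaust estimates for passwords like those the
article tested. Added example; character-class sizes and the guess rate
are assumptions, the rate being derived from the article's 52-second figure."""
import math
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation + " "   # 33 printable non-alphanumeric ASCII characters

# Assumed attacker speed: the rate at which "joongang" (26**8 candidates)
# takes exactly the 52 seconds the article reports, about 4e9 guesses/s.
GUESSES_PER_SECOND = 26 ** 8 / 52


def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password draws
    from, i.e. the attacker's choices per position."""
    size = 0
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in cls for c in password):
            size += len(cls)
    if size == 0:
        raise ValueError("password contains no printable ASCII characters")
    return size


def keyspace(password: str) -> int:
    """Number of strings of the same length over the same character classes."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: each extra character adds log2(charset) bits."""
    return math.log2(keyspace(password))


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time for an offline brute force at `rate` guesses/second."""
    return keyspace(password) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, span in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def report(passwords, rate: float = GUESSES_PER_SECOND):
    """One row per password: (password, charset, length, bits, time)."""
    return [(pw, charset_size(pw), len(pw), round(entropy_bits(pw), 1),
             human(seconds_to_exhaust(pw, rate))) for pw in passwords]


if __name__ == "__main__":
    # Constructed candidates in the style of the reporter's test, plus a
    # Korean phrase typed on the English layout with symbols added.
    samples = ["1965", "joongang", "JoongAng1965", "JoongAng-1965!",
               "joongangilbo1965", "dkssudgktpdy!1965"]
    print(f"assumed rate: {GUESSES_PER_SECOND:.2e} guesses/s")
    for row in report(samples):
        print("{:<20} charset={:>2} len={:>2} bits={:>5} {}".format(*row))
```

Two things the table makes concrete. First, Burnett’s claim: twelve lowercase letters (26^12, about 9.5e16 candidates) are a larger search space than nine characters mixing upper, lower and digits (62^9, about 1.4e16), so a few extra characters outweigh an extra character class. Second, the figures on sites like this assume an attacker who holds the password hashes and can guess offline at billions of attempts per second; against a live login that locks the account after a handful of failures, the same four-digit PIN is guessed in seconds offline but cannot be brute-forced online at all, which is why the KISA researcher’s lockout and the stronger password are complementary, not alternatives.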
BY KIM CHANG-WOO, KIM JI-YOON [email@example.com]