Speaking to Wired about the recent news of a Reddit cybersecurity compromise involving usernames, passwords, email addresses and more granular information, Kenn White, director of the Open Crypto Audit Project said, "A high-value property like Reddit secured with some dude's mobile number is no bueno."
No bueno, indeed. While at first glance this compromise may not seem to be high impact, a moment's consideration should give rise to concern. Consider this: The most popular bad password of 2017 was, once again, "123456." Bad cyber-hygiene is widespread. A significant number of people not only used the same password for the last eleven years (one chunk of Reddit's compromise dates back that far), but they continue to use that same password to "protect" other accounts. Those people are now compromised.
More alarming is the revelation that the hackers stole logs from June 3 to June 17, 2018 that tracked the site's email digests. Whether a hacker was interested in account takeover or a phishing attack on a specific user, the email digest part of this compromise connects user names with email addresses (another reason not to be blasé about the fact that email is a sensitive form of personally identifiable information). That connection between user name and email address provides email in context, and thus makes possible a spearphishing email from a spoofed Reddit account as well as a host of other attack vectors.
But as with many hacks, there are layers of potential damage, and the more serious threats are often not as obvious as the stuff that makes headlines.
There is no doubt that the attack on Reddit expanded the attackable surface of individuals who were exposed. Far more serious, however, is the exposure of the site's source code, configuration files and other employee-eyes-only records. If the hackers were interested in creating a permanent tunnel into the site, and with that, insights into specific Reddit users, having this information could prove an effective means of doing it.
Because Reddit may never know the motivation of the hackers who hit them, they now have an ongoing security issue that will require systemic action to make sure that whatever did happen won't open the flood gates to another cyber compromise.
In other words, they are going to have to change the way they do cybersecurity.
Getting Cybersecurity Right
Cybersecurity is an imperfect practice. The reasons an attack succeeds can be complex, but it often boils down to a failure of the imagination.
There is no such thing as failproof when it comes to cybersecurity. An organization gets a daily reprieve from "getting got" based on the regular maintenance of sound cybersecurity practices--behaviors and a mindset based in the bedrock of corporate culture and implemented by best-in-class experts.
Compromise occurs when we mistakenly call our vulnerabilities "protocol," or, put more simply, "That's the way we do things."
Reddit was not alone in allowing hard-to-hack practices that provided an opening for the "right" hacker. Being hard to hit isn't good enough anymore. In the realm of cybersecurity, perfect protection is temporary because every minute is a new day.
The Problem with Magical Thinking
Reddit was hacked utilizing a type of login authentication known to be vulnerable for two years prior to the compromise. For anyone to assume they're completely secure under these conditions is a form of magical thinking.
The hackers targeted authorized Reddit employees who had credentials that permitted them to access sensitive information and were also using two-factor authentication transmitted via SMS. That takes imagination.
While it's not common knowledge, this form of authentication makes possible something called a "SIM swapping" attack, where identity thieves use a victim's data (often purchased on the dark web) to trick a phone carrier into transferring a phone number to a device in the possession of the criminal. It's not easy, but it's possible and Reddit should have known that and had a strategy to protect against it--something they clearly lacked.
To make the facepalm all the more robust here, the risks associated with SMS two-factor authentication were known as early as 2016, when the Federal Trade Commission issued a report on the trend.
The crux of the problem here is an age-old conundrum. Where do you draw the line between convenience and security?
There are authentication apps (you can read about them in this 2017 article) or you can utilize physical authentication tokens for two-factor protection. While using them is not as easy as tapping an icon that triggers a code sent to your phone, this loss of convenience does bring an increase in security.
Here's the kicker: two-factor authentication was invented to address a security need. The strongest authentication schemes require something you know (a password), something you have (e.g., your phone, a fob, a USB device) and something you are (biometrics). The problem with SMS two-factor authentication is that it doesn't rely entirely on something you have: you do not "have" the code sent via SMS until it reaches your device, and SIM swapping means you can't always be sure that is going to happen.
The solution is unfortunately inconvenient. You have to stay one step ahead of those trying to compromise you. That requires a great deal of super not-easy work, constant vigilance, and, because breaches are the third certainty in life these days, some good luck.