18 October 2018

The Cybersecurity 202: Kanye West is going to make password security great again

By Derek Hawkins

“We at war,” Kanye West warns in his song “Jesus Walks” from 2004. “We at war with terrorism, racism, but most of all we at war with ourselves.” The all-star rapper put a fine point on that message Thursday, when he inadvertently exposed his iPhone passcode to a crowd of news cameras during an Oval Office meeting with President Trump.  Now the world knows his six-digit security key: “000000.”  The clip of West mashing the “0” button as he unlocked his iPhone to show Trump a picture of a hydrogen-powered airplane he said could replace Air Force One went viral, prompting a wave of ridicule. Motherboard writer Joseph Cox was quick to say it's "literally the worst password you can have." 

"If starting from the lowest possible number and going up, Kanye’s passcode would literally be the first one you would try. It’s the worst password you can have."

Motherboard is crying audible cries coming from the Motherboard table I repeat we are screaming https://motherboard.vice.com/en_us/article/j53n87/kanye-west-worst-iphone-passcode …


It's true that's a comically bad passcode. But flashing it on national television also triggered a serious discussion about password security, which has been a problem since, well, the invention of passwords. Cybersecurity pros have long cautioned that simple passwords such as “12345” or “password” — and yes, “000000” — make it even easier for malicious actors to snoop or steal personal information. But despite the continuous warnings about the dangers of easy-to-guess passwords, people still choose them. 

West put the issue on the map in a big way on Thursday. "Kanye, 000000 for your iPhone credentials is a really bad idea -- even without the cameras," was the headline on a USA TODAY article, as one example. All this attention on password security is arguably a good thing for consumers. 

After all, while it might be easy to poke fun, picking good passwords actually "is really hard,” said Lorrie Faith Cranor, a computer-science professor and password security expert at Carnegie Mellon University. “We have so many different passwords and passcodes we’re expected to remember, and nobody wants to spend their time coming up with something complicated. People want convenience, and they don’t often think they have that much at risk.” 

Cranor added that she doesn’t blame users for not trying harder. “The notion that people could actually follow all the password rules we’re given is ludicrous,” she told me. Instead, she said, the companies that supply the devices and services should shoulder more of the burden. 

Security researcher Matt Tait raised a similar point following West’s slip-up. “Lots of folks will laugh at this,” he tweeted, “but I think it's a useful illustration of how security ‘features’ fail when security decisions get offloaded to users who see them as annoying obstacles.” 

Some security pros came to West's defense and said 000000 is actually not as bad a choice as it might seem. After all, it's better than having no passcode. 

From information security researcher Tarah Wheeler: 

No. The worst iPhone passcode is *not having one*. Stop mocking users and start appreciating that the biggest jump in security isn’t going from 90% secure with “000000” to 98% secure with “QWERTY&floops”. Biggest jump is going from 0% secure to 90% secure. https://motherboard.vice.com/en_us/article/j53n87/kanye-west-worst-iphone-passcode …


The reality is, West is far from alone in his opsec struggles. Bad password security is pervasive. A recent study by the network security firm WatchGuard of a 2012 security breach at LinkedIn found that half of all government and military employees were using weak passwords for the service, including things like “abc123.” A recent security audit of Western Australian government offices found that a staggering 5,000 accounts used the word “password” as part of their passwords. In another survey earlier this year, the password management service LastPass reported that 59 percent of respondents used the same passwords for personal and work accounts, and that 40 percent said they'd never change their passwords unless forced to. 
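To make "easy to guess" concrete, here is an added example, my own code rather than anything from the article, from Apple or from the researchers quoted above. It classifies a six-digit passcode by the obvious patterns a guesser would try first and then computes how many guesses a brute-forcer needs to reach it under two strategies: counting up from 000000, or trying the patterned codes before everything else. The pattern categories and their order are my assumptions about a human guesser, not a published attack model; the sample codes "000000" and "747474" are the ones quoted in this piece and the other two are constructed.

```python
from functools import lru_cache

PIN_LEN = 6
KEYSPACE = 10 ** PIN_LEN
# Order assumed for the "pattern-first" strategy: an assumption about what a
# guesser tries before falling back to counting up from 000000.
CATEGORIES = ("repeated digit", "repeated block", "digit run", "date-like", "no obvious pattern")
PRIORITY = {name: rank for rank, name in enumerate(CATEGORIES)}


def _repeated_block(pin: str) -> bool:
    """True for '747474' ('74' * 3) or '123123' ('123' * 2); single-digit repeats are caught earlier."""
    for size in range(2, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin == pin[:size] * (len(pin) // size):
            return True
    return False


def _digit_run(pin: str) -> bool:
    """True for runs stepping by exactly one: 123456, 987654."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def _date_like(pin: str) -> bool:
    """MMDDYY or DDMMYY with a plausible month and day; the year digits are unconstrained."""
    first, second = int(pin[0:2]), int(pin[2:4])
    return (1 <= first <= 12 and 1 <= second <= 31) or (1 <= first <= 31 and 1 <= second <= 12)


def classify(pin: str) -> str:
    """Name the first pattern the passcode matches, or 'no obvious pattern'."""
    if not (isinstance(pin, str) and pin.isdigit() and len(pin) == PIN_LEN):
        raise ValueError("expected a %d-digit numeric passcode" % PIN_LEN)
    if len(set(pin)) == 1:
        return "repeated digit"
    if _repeated_block(pin):
        return "repeated block"
    if _digit_run(pin):
        return "digit run"
    if _date_like(pin):
        return "date-like"
    return "no obvious pattern"


@lru_cache(maxsize=None)
def _category_table() -> bytes:
    """One byte per passcode (index == its numeric value) holding its category priority.
    Built once by classifying all 10**6 codes, which takes a few seconds."""
    return bytes(PRIORITY[classify(str(value).zfill(PIN_LEN))] for value in range(KEYSPACE))


def guess_rank(pin: str, strategy: str = "pattern-first") -> int:
    """Number of guesses a brute-forcer makes before this passcode comes up (1 == first try).

    'sequential' counts up from 000000; 'pattern-first' tries every code in an earlier
    CATEGORIES entry first, in numeric order within each category."""
    priority = PRIORITY[classify(pin)]
    if strategy == "sequential":
        return int(pin) + 1
    if strategy != "pattern-first":
        raise ValueError("unknown strategy %r" % strategy)
    table = _category_table()
    ahead = sum(table.count(bytes([p])) for p in range(priority))
    same_category_below = table[: int(pin)].count(bytes([priority]))
    return ahead + same_category_below + 1


def report(pin: str) -> dict:
    """Category and guess counts for one passcode under both strategies."""
    return {
        "passcode": pin,
        "category": classify(pin),
        "sequential": guess_rank(pin, "sequential"),
        "pattern-first": guess_rank(pin, "pattern-first"),
    }


if __name__ == "__main__":
    # "000000" and "747474" are quoted in the article; "123456" and "582931" are constructed samples.
    for sample in ("000000", "747474", "123456", "582931"):
        print(report(sample))
```

Both strategies reach "000000" on the very first guess, "747474" falls within the first thousand or so pattern-first guesses, and a patternless code sits hundreds of thousands of guesses deep under either strategy. That gap, rather than the digit count alone, is what a device's lock-screen attempt limits are there to make impractical, and a weak-passcode check of this kind is the sort of thing Cranor argues the device maker should run on the user's behalf.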

From BuzzFeed tech reporter Katie Notopoulos: 

you: hahah Kanye's phone passcode is 000000! 

also you: passcode is 747474, hasn't turned on 2FA, uses same password for gmail since 2015

The incident brought another layer of discussion: security for celebrities or people in the public eye. Some Twitter observers were quick to point out that West's basic passcode might be smarter than something more personalized and complex if he's going to be in front of the media all the time -- and potentially caught on video. 

Kanye just unlocked his iPhone before the TV cameras in the Oval Office. And his password is just 0 repeatedly

The risk of people looking over your shoulder to get your passcode applies to everyone. But especially for people like West. 

And frankly, his threat model for shoulder surfing and crazy things is incredibly different than a normal user, as @josephfcox rightly pointed out.

Still, as Jake Williams, founder of the security firm Rendition Infosec, noted, physical security was part of the equation, too: 

Okay, so Kanye's phone password is 000000. But let's be real about the threat. Phone pins protect against physical threats. Is someone going to take Kanye's phone? He has handlers on him constantly. You're not getting that phone... 1/2

Now for those of us who don't have bodyguards on us 24/7, the message should be to watch your surroundings. It's way too easy for some creeper to video you unlocking your phone. If it happened to Kanye, it can happen to you too. 2/2

Tech companies have been working to find ways around the problem of bad passwords -- for everyone -- while still providing security. It's a key reason Apple, for instance, has over time introduced biometric features such as thumbprint identification and facial recognition to instantly allow users access to their devices. Such biometric security features have ushered in a new set of concerns about personal privacy, but they’re a simpler option for many users. 

As security pro Lesley Carhart pointed out, the biometric authentication solutions available to West would have solved this particular issue: 

I’m more stuck on the “logging in in front of a ton of cameras” thing instead of fingerprint / faceid.

#opsec everyone is laughing but I have done this before, if in public and when of risk of shoulder surfing switch pin to #disposable

“The phone is actually the closest to being a solved problem,” Cranor told me. “They use biometrics pretty well. They’re not the most secure things, but they’re a lot more secure than using ‘000000.’ ” 

Kanye West’s full remarks in the Oval Office

Rapper Kanye West visited President Trump in the Oval Office on Oct. 11 to discuss policing, mental health and manufacturing. (Photo: Calla Kessler/The Washington Post) 

You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news. 

Keeping up with the news in President Trump’s Washington is exhausting — whether you live here, work in the nation’s capital, or are just watching from afar. That’s why next Tuesday, we’re launching Power Up by Jacqueline Alemany. It's a new newsletter from The Washington Post that will land in your inbox before you reach for that first cup of coffee. It will bring you Washington, fast. 

PINGED, PATCHED, PWNED 


Facebook chief executive Mark Zuckerberg on Capitol Hill in Washington on April 11. (Matt McClain/The Washington Post) 

PINGED: “Facebook said on Thursday it purged more than 800 U.S. publishers and accounts for flooding users with politically-oriented spam, reigniting accusations of political censorship and arbitrary decision-making,” The Washington Post's Elizabeth Dwoskin and Tony Romm reported. “In doing so, Facebook demonstrated its increased willingness to wade into the thorny territory of policing domestic political activity. Some of the accounts had been in existence for years, had amassed millions of followers, and professed support for conservative or liberal ideas, such as one page that billed itself as ‘the first publication to endorse President Donald J. Trump.’ Facebook’s ability to monitor manipulation of users is under an intense spotlight in the weeks ahead of the U.S. midterm elections.” 

The company removed “559 Pages and 251 accounts that have consistently broken our rules against spam and coordinated inauthentic behavior,” Nathaniel Gleicher, head of cybersecurity policy at Facebook, and Oscar Rodriguez, product manager for the social network, said in a statement. “But Facebook only named five of the hundreds of pages it removed,” Elizabeth and Tony wrote. “Two of the page operators said that they were legitimate political activists, not profit-driven operators of clickbait ‘ad farms,’ as Facebook claimed in a blog post. They said they were still unsure which Facebook rules they had violated or why they had been singled out for behavior that is standard in online organizing.” 


Sen. Chris Van Hollen (D-Md.), left, and Sen. Benjamin L. Cardin (D-Md.) in Washington on July 11, 2017 (Katherine Frey/The Washington Post) 

PATCHED: Sens. Benjamin L. Cardin (D-Md.), Chris Van Hollen (D-Md.) and Susan Collins (R-Maine) on Thursday introduced a bill aiming to prevent foreigners from owning or controlling election service providers. “Our free and fair elections are central to what makes America’s democracy an example to the world,” Van Hollen said in a statement. “We cannot allow Russia or any other foreign adversaries to own our election systems.” 

Under the bill, titled “Protect our Elections Act,” state and local governments would have to evaluate election service providers annually to ensure that they are “solely owned and controlled by United States persons.” The bill does make an exception for contractors or vendors that are “created or organized under the laws” of the Five Eyes alliance — the United States, Britain, Canada, Australia and New Zealand. The legislation would also require election vendors and contractors to disclose foreign ownership or control to the homeland security secretary, the U.S. Election Assistance Commission and state and local governments. Companies that fail to make the disclosure would risk a $10,000 fine. 

As my colleague Ovetta Wiggins reported this summer, the FBI in July told state officials in Maryland that ByteGrid LLC, an election service vendor under contract with the state, was linked to a Russian-backed firm. “In 2015, ByteGrid LLC was financed by AltPoint Capital Partners, whose fund manager is a Russian and its largest investor is a Russian oligarch named Vladimir Potanin,” Ovetta wrote. 


The Medtronic headquarters in Minneapolis on June 16, 2014. (Ariana Lindquist/Bloomberg) 

PWNED: Medical device maker Medtronic has halted Internet updates on 34,000 portable computers that health-care workers use to program and manage pacemakers, saying the devices are vulnerable to cyberattacks, Jim Finkle of Reuters reported. 

“The company said it knows of no cases where the vulnerability had been exploited by hackers in a letter sent to physicians this week, which was labeled ‘urgent medical device correction,’ ” Finkle wrote. “The vulnerability ‘could result in harm to a patient depending on the extent and intent of a malicious cyberattack and the patient’s underlying condition,’ according to the letter.” 

Security researchers at the Black Hat hacker conference in Las Vegas in August demonstrated how a bug in the devices “could enable hackers to update malicious software onto the programmers, then attack implanted pacemakers.” Medtronic said in its letter that it is working on security updates to “further address these vulnerabilities and will be implemented pending regulatory agency approvals.” 

— Three top Republicans on the Senate Commerce Committee want to know why Google decided not to disclose that a bug on Google+ exposed the data of up to 500,000 users. The Wall Street Journal reported Monday that an internal company memo “warned that disclosing the incident would likely trigger ‘immediate regulatory interest’ ” from public authorities. Sens. John Thune (S.D.), the committee's chairman, Roger Wicker (Miss.) and Jerry Moran (Kan.) told Google chief executive Sundar Pichai in a letter Thursday that the “reported contents” of the memo are “troubling.” They also asked the company to provide a copy of the document. 

“We are especially disappointed given that Google's chief privacy officer testified before the Senate Commerce Committee on the issue of privacy on September 26, 2018 — just two weeks ago — and did not take the opportunity to provide information regarding this very relevant issue to the Committee,” the senators said. “Google must be more forthcoming with the public and lawmakers if the company is to maintain or regain the trust of the users of its services.” 

— A bill by Sen. Ron Wyden (D-Ore.) that would require paper ballots and risk-limiting audits in all federal elections picked up new endorsements from Democratic senators. Wyden's office announced Thursday that Sens. Tammy Duckworth (Ill.), Tammy Baldwin (Wis.), Maria Cantwell (Wash.) and Gary Peters (Mich.) added their support to the “Protecting American Votes and Elections Act of 2018.” “American intelligence officials have made it clear that we face an ongoing threat to our elections from foreign adversaries and hackers,” Baldwin said in a statement. “We should take action to protect the integrity of the vote.” 

— More cybersecurity news from the public sector: 


The administration will likely be discreet about disciplinary actions.

"It gets my blood boiling to think we have all this data. We should be able to do more with it,” Margaret Weichert, the administration’s management chief, said.

An elections integrity activist is demanding a rigorous security review of voting systems in Tennessee's largest county before the November election, and the replacement in the next year of its electronic voting machines with paper ballots.


Russian President Vladimir Putin in St. Petersburg on Oct. 3. (AP Photo/Dmitri Lovetsky, Pool) 

— “The U.K., the Netherlands and other European Union governments are pushing the bloc to expand the scope of its sanctions regime to include cyber attacks, following alleged attempts by Russian and Chinese operatives to infiltrate the computer systems of agencies in Europe and the U.S.,” Bloomberg News's Natalia Drozdiak and Nikos Chrysoloras reported Thursday. “The EU has sanctions protocols in place targeting states for violating nuclear and chemical weapons treaties or harboring terrorism. Now the group of countries, that also includes Estonia, Finland, Lithuania and Romania, wants the bloc to introduce a similar system against the individuals and organizations that are behind cyber-attacks, according to a memo obtained by Bloomberg. EU leaders are slated to discuss security next week in Brussels.” 

— “China’s two mobile-payments giants said stolen Apple IDs were used to swipe customer funds, and called on Apple Inc. to address the issue,” the Wall Street Journal's Stella Yifan Xie and Yoko Kubota reported Thursday. “Alipay, the payments affiliate of e-commerce giant Alibaba Group Holding Ltd., in recent days posted an online notice warning iPhone users, and saying some customers had lost money as a result. Alipay said it has asked Apple ‘multiple times’ to pinpoint how the thefts occurred, and that the Cupertino, Calif.-based company replied it is looking into the matter.”
