Information Security: Limiting Damage from Hacking

Information security has long ceased to be simply a technology issue. Clearly, it’s a key business concern.

In late March 2018, Under Armour announced that its extremely popular fitness app MyFitnessPal had been hacked. The result, the theft of e-mail addresses, hashed passwords, and other account information belonging to an estimated 150 million MyFitnessPal users, is one of the largest data breaches in U.S. history.

Two facts, though, make the breach much less serious than it could have been. First, Under Armour took care to note that the attackers did not make off with data that directly enables identity theft or fraud, such as Social Security numbers, driver’s license numbers, and payment card information. (E-mail addresses and passwords still have value to criminals, for phishing and for trying the same password on other sites where a user reused it, so affected users were advised to change their passwords anyway.)

The second fact is technical. According to the MIT Technology Review, the way MyFitnessPal stored its passwords may have limited the damage.

Slow Can Be a Defense

To understand how the cryptography shielded consumers, it helps to know a little about what attackers do with a stolen password database.

Passwords are protected behind the digital scenes by a process called “hashing.” A hash function converts a password into a fixed-length string of characters that looks random but is fully determined by its input: the same password always produces the same hash, and there is no practical way to run the function backwards. When a user logs in, the system hashes the password they typed and compares the result with the hash stored in its database. If the two hashes match, the login succeeds. The password itself never has to be stored.

The first line of defense is that, if cyberthieves break into the database, they get the hashes rather than the passwords.


Attackers then try to recover the passwords from the hashes. Because a hash cannot be reversed directly, they work by guessing: hash a candidate password, compare it with the stolen hashes, and repeat. The MIT Technology Review cites two methods of doing this.

The first is called a “dictionary attack.” In a dictionary attack, lists of common passwords and phrases (often harvested from earlier breaches) are hashed one by one in an attempt to match them to the hashed data the thieves have.

The second is called a “brute force attack.” A brute force attack tries every possible combination of characters up to a chosen length, hashing each one in turn until it finds a match for one of the stolen hashes.

Knowing those two attacks makes the defenses easier to understand. The first is “salting”: a random value, the salt, is generated for each account and combined with the password before hashing, and the salt is stored alongside the hash so the system can repeat the calculation at login. As a result, even if you have the same password as someone in Des Moines or Dubai, the two of you will not have the same hash. That means an attacker cannot hash a guess once and check it against every account in the database, or use a precomputed table of hashes for common passwords; each account has to be attacked separately.

The second is bcrypt, a password-hashing algorithm designed to be slow and to include its own salt. General-purpose hashes such as MD5 or SHA-1 were built for speed, and on commodity graphics hardware an attacker can test billions of guesses per second against them. bcrypt instead has a tunable “cost” factor that makes each hash take on the order of tens to hundreds of milliseconds, and the cost can be raised as hardware gets faster. Every guess in a dictionary or brute force attack pays that same price, so bcrypt slows the attack down by the same large factor.
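To make the mechanics of hashing, salting and a slow work factor concrete, here is an added example written for this article; it is not code from Under Armour or MyFitnessPal. It stores a constructed three-user table two ways, once as unsalted SHA-1 and once salted with a deliberately slow hash, then runs the same dictionary attack against both. bcrypt itself is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; what matters for the comparison is the property the two share, a tunable work factor. The usernames, passwords and wordlist are constructed sample data.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data (not from the breach): a tiny user table in which
# two accounts happen to share a password, and a short attacker wordlist.
SAMPLE_USERS = {
    "alice": "Summer2018!",
    "bob": "Summer2018!",
    "carol": "correct horse battery staple",
}
DICTIONARY = ["password", "123456", "Summer2018!", "qwerty", "letmein"]


def fast_unsalted_hash(password: str) -> str:
    """Weak scheme: a single SHA-1 pass with no salt.

    Identical passwords produce identical hashes, and each guess costs one
    cheap hash computation.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int) -> str:
    """Strong scheme: a salted, deliberately slow password hash.

    bcrypt is not in the standard library, so PBKDF2-HMAC-SHA256 is the
    stand-in here; like bcrypt it has a tunable work factor (the iteration
    count) that makes every guess proportionally more expensive.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def store_weak(users: dict) -> dict:
    """Return {username: sha1_hex}, as a site using unsalted SHA-1 would store it."""
    return {user: fast_unsalted_hash(pw) for user, pw in users.items()}


def store_strong(users: dict, iterations: int = 100_000) -> dict:
    """Return {username: (salt, iterations, digest_hex)}.

    A fresh 16-byte random salt is drawn per account and stored next to the
    digest, because the server must reuse it to verify a login.
    """
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, iterations, slow_salted_hash(pw, salt, iterations))
    return records


def verify_strong(record: tuple, candidate: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    return hmac.compare_digest(slow_salted_hash(candidate, salt, iterations), digest)


def crack_weak(stolen: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted hashes.

    With no salt, the attacker hashes the wordlist once, builds a lookup
    table, and matches every account by table lookup. Returns the recovered
    passwords and the number of hash computations spent.
    """
    table = {fast_unsalted_hash(word): word for word in wordlist}
    found = {user: table[digest] for user, digest in stolen.items() if digest in table}
    return found, len(wordlist)


def crack_strong(stolen: dict, wordlist: list) -> tuple:
    """Dictionary attack on salted, slow hashes.

    The per-account salt defeats the shared lookup table, so each account is
    attacked separately and each guess costs a full PBKDF2 run. The work
    figure counts underlying HMAC iterations so that it is comparable to
    crack_weak's count of single SHA-1 computations.
    """
    found = {}
    work = 0
    for user, (salt, iterations, digest) in stolen.items():
        for word in wordlist:
            work += iterations
            if hmac.compare_digest(slow_salted_hash(word, salt, iterations), digest):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    weak_db = store_weak(SAMPLE_USERS)
    print("unsalted: alice and bob share a hash:", weak_db["alice"] == weak_db["bob"])
    t0 = time.perf_counter()
    found, work = crack_weak(weak_db, DICTIONARY)
    print(f"unsalted SHA-1: cracked {found} with {work} hash ops in {time.perf_counter() - t0:.4f}s")

    strong_db = store_strong(SAMPLE_USERS)
    print("salted: alice and bob share a hash:", strong_db["alice"][2] == strong_db["bob"][2])
    t0 = time.perf_counter()
    found, work = crack_strong(strong_db, DICTIONARY)
    print(f"salted PBKDF2: cracked {found} with {work:,} hash ops in {time.perf_counter() - t0:.2f}s")
```

Run it and note two things. Under the weak scheme alice and bob get identical hashes, so one table lookup breaks both; under the salted scheme their hashes differ and every account has to be guessed at separately. The same five-word dictionary that costs five SHA-1 computations against the unsalted table costs over a million underlying hash iterations against the salted one, while a single login check with `verify_strong` still completes in a fraction of a second, which is the asymmetry the article describes.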

This slow-down changes the attacker’s economics: cracking a whole database becomes so expensive that many criminals give up and move on to an easier target. It also buys time. For businesses, that is time to detect the breach and sound the alarm; for consumers, it is time to change their passwords before the hashes are cracked.

Although bcrypt slows down password hashing, a fraction of a second on a single login is something consumers are unlikely to notice. Attackers, who have to pay that cost for every one of billions of guesses, certainly will.

The damage from the continuing rise of cybercrime, then, can be limited. It is being thwarted on many different fronts, including password storage that is deliberately salted and slow, so that even stolen data is of little use to the thieves.