‘Krebs on Security’ recently published that hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees, in some cases going back to 2012. Facebook issued an official statement, explaining how it protects user passwords by using a variety of signals to detect suspicious activity.
This problem is not unique to Facebook. Github and Twitter has similar issues that were revealed last year.
The problem with employees having access to these passwords goes well beyond the fear of a Facebook or a Twitter employee misusing this information. What are the chances that no Facebook engineer was phished during the period of time that these passwords were accessible? A list of hundreds of millions of passwords that Facebook users likely use for other accounts, is a goldmine for any attacker.
Protecting user passwords is extremely important for B2C companies, but is also a major issue for B2B companies. In many cases B2B companies hold keys or passwords that belong to their customers. A few examples include Content Delivery Networks that might hold customers’ private keys in order to authenticate as the customer, or companies like MuleSoft that hold API keys for their customers.
It’s the responsibility of these companies to ensure that their customers’ secrets are protected from internal employees, even if these employees have root access to the infrastructure. Similar to the Facebook case, if an employee account gets compromised or breached, an attacker gets access to all the customer keys or secrets, which is both a PR nightmare and a major breach of confidence that would be very costly to the business.
BUT HOW CAN CUSTOMER SECRETS BE PROTECTED FROM EMPLOYEES WITH ROOT ACCESS?
Historically, engineers or admins with root access to the infrastructure are able to gain access to sensitive information like passwords and keys. Companies try to reduce this risk but limiting access to the minimum and rotating root passwords frequently. However, none of these measures would stop a determined attacker.
Facebook, for example, in its statement mentioned that it protects user passwords by using a variety of signals to detect suspicious activity. While it’s important to do so, this does not prevent attackers from gaining access. It simply notifies Facebook that there was an issue after the fact.
Building solutions that completely prevent insiders for getting access to customers’ secrets is extremely difficult and usually requires significant resources that could be placed elsewhere.
A much better approach would be to completely prevent access from insiders and admins to these secrets without having to change any of the applications built internally.
This can be achieved by coupling a software-based approach with a processor-based technology called Secure Enclaves. Modern processors from Intel®, AMD and others enable applications to secure sensitive data and processes in hardware-level encrypted memory partitions that are completely isolated from the rest of the system. This approach is so secure that not even users with root permissions can access this encrypted memory.
This means that users’ and customers’ passwords and keys are completely protected, and we can avoid New York Times headlines like this one, be protected from breaches, and be able to tell your customers or users that their secrets are safe.
To learn more regarding how to protect applications and secrets with secure enclaves, please click here.