I saw a great but scary presentation this week from Kamran Meer, Chief IT Security Officer at Bank Alfalah, the sixth largest bank in Pakistan.
Kamran began by asking the audience if they knew about the Stuxnet attack.
Amazingly, 70% of the audience hadn’t heard of it, although maybe that’s not so amazing: this was part of a Middle Eastern conference, and the Iran-Israel and Middle East-USA frictions are not reported as widely here as they are in the West (or so I was told afterwards).
So, the Stuxnet video made the point that we live in a world where cyberattacks are becoming more and more targeted.
That was frightening enough, but that was way back in June 2010.
Since then, malware underworld hacker types have morphed Stuxnet into far scarier attacks.
These start with government-organised attacks, such as the Chinese on America with Night Dragon in 2011, and develop into private threats that are very real, such as the Indian attacks on corporate systems around the world in 2013.
The latest is the Heartbleed flaw in the Secure Sockets Layer (SSL), which means you think you’re dealing with a bona fide website that is secure, and you’re not.
You see the little padlock on the bottom of the screen to make a secure payment, but it’s not secure.
And then you get the advice that YOU MUST CHANGE YOUR PASSWORDS, only to find that you must not change your password until the website has dealt with the OpenSSL issue.
As my friend asked last night: how do you know whether they’ve been affected and fixed it or not?
Luckily most online companies are making it clear what their position is. For example, from the Daily Wail:
This follows other leaks, such as all Adobe passwords being released online after an attack, along with my story about Aaron Barr that I use regularly in all my presentations.
It just goes to show that the age of the password is over.
Whatever happens, passwords are dead.