(This post was originally published on Forbes.)
In 1988, the relatively nascent internet experienced its first cyber worm. In just 24 hours, the Morris worm, named after its creator Robert Morris, spread to roughly 10% of the computers on its network and caused damages estimated to range from $100,000 to several million.
A formative event in internet history, the Morris worm was also the first real-world exploitation of a software vulnerability that would become ubiquitous in the hacker and computer security communities of the 1990s and early 2000s: the buffer overflow.
A buffer overflow is when a program attempts to write an input that is larger than the space of memory (the buffer) that has been designated for storing that input. The “overflow” portion of the input can spill out of the buffer and into memory that holds other information for the program. When used as a security exploit, that overflow can contain malicious code that changes the function of the program.
Buffer overflows “monopolized the headlines in the security research community” for decades (see a comprehensive timeline put together in 2010), and the closely related term “stack overflow” became the name of one of the most popular online developer communities.
Fast forward nearly a decade, and today's mainstream headlines are also monopolized by a growing cyber threat.
Large-scale credential data breaches—when hackers gain access to a company’s database of usernames and passwords—have become commonplace. Notable examples just this year include Flipboard, Docker and Canva. Even Facebook and Google have been in the headlines for not properly protecting passwords (though there was no evidence of unauthorized access at either company).
Verizon’s annual breach report counted over 2,000 data breaches in 2018, but since many breaches go undetected (or unreported), that number is likely much higher. The same report also found that 81% of breaches involve the use of stolen or weak credentials.
Hackers have learned that because people often choose weak passwords and reuse them in multiple places, large lists of passwords from any particular website or company can prove to be useful at hundreds or thousands of others. John Doe’s password stolen from badsecurity.co might get an attacker into Mr. Doe’s bank account. Companies that are seemingly completely independent share a crucial security dependency: their users.
We have entered a state of “enterprise overflow.” With billions of internet users connecting to hundreds of thousands of websites and applications, the availability of breached passwords has reached a critical mass. The credentials stolen from some enterprises are overflowing into others, leading to a further cascading effect of breaches. Like Morris’s fateful worm, enterprise overflow has become a problem of systemic proportions, where every participant in the system is impacted by the security of its peers.
The comparison here between credential breaches and buffer overflows is, of course, metaphorical—and perhaps a bit of a stretch—but the point is hopefully illustrative of two things. The “overflow” of credential data from its intended domain has become an effective weapon for cybercriminals, and the problem of authentication is a defining security challenge of today.
A Network Perspective
The Morris worm demonstrated that the decentralized nature of the internet required collaborative approaches to security. In the aftermath of the incident, the Computer Incident Response Team Coordination Center (CERT/CC) was formed as part of a non-profit called the Software Engineering Institute. CERT/CC has since been a crucial venue for research and coordination of internet-scale security across public, private and academic domains.
Today’s enterprise overflow problem will require a similar mindset and response. While the security industry has carried on a great tradition of open collaboration around research and disclosure of the vulnerabilities that may lead to breaches, we need to start viewing the breached data itself in the same way—at least when it comes to identity and authentication data. When passwords or other data are breached from one company that can directly be used to attack others, that data should be shared in a way that allows other companies to protect themselves, without violating individuals’ privacy or empowering would-be cybercriminals.
This is easier said than done. Exactly how this should be achieved is up for debate. The important point now is that we adopt a “network perspective” to credential data breaches. We need to view each new breach as a factor in the threat models of all organizations. Security teams should be asking themselves, “Do we trigger our incident response process when someone else gets hacked?”
Some efforts along this line of thinking have already been made by individuals and a few businesses. Troy Hunt’s Have I Been Pwned (HIBP), and his related Pwned Passwords service, are great examples. Google has taken a similar step with its Password Checkup tool. Inspired by these examples, we recently released a free tool to check Active Directory credentials against 2.5 billion stolen passwords. By collecting breached data and making it available in various privacy-preserving ways, these services are connecting the dots between individual credential breaches and enabling users and businesses to respond to the changing breached-data landscape.
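As an added illustration of the “privacy-preserving” checking these services offer (example code written for this post, not HIBP’s, Google’s or the author’s own code), the block below implements the Pwned Passwords k-anonymity range lookup: the client hashes the password, sends only the first five hex characters of the SHA-1 digest, and finishes the comparison locally against the returned suffixes. The range service is replaced by `fake_fetch_range`, a constructed offline stand-in over a made-up corpus, so nothing here calls the real API or uses real breach counts.

```python
from __future__ import annotations
import hashlib

# Pwned Passwords k-anonymity scheme (HIBP): only the first 5 hex characters
# of the SHA-1 digest leave the client; the service returns every suffix in
# that range ("SUFFIX:COUNT" per line) and the client finishes the match.
# The real endpoint is https://api.pwnedpasswords.com/range/<prefix>; this
# block uses a constructed offline stand-in instead of calling it.
PREFIX_LEN = 5
SUFFIX_LEN = 40 - PREFIX_LEN

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest: str) -> tuple[str, str]:
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed ones."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix, count = suffix.upper(), count.strip()
        if sep and len(suffix) == SUFFIX_LEN and count.isdigit():
            counts[suffix] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the corpus; only the prefix is sent."""
    prefix, suffix = split_hash(sha1_upper(password))
    assert len(prefix) == PREFIX_LEN  # nothing beyond the 5-char prefix leaves the client
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed sample corpus (counts are made up, not HIBP's real figures).
CONSTRUCTED_CORPUS = {"password": 3730471, "letmein": 250000, "Tr0ub4dor&3": 7}

def build_range_index(corpus: dict[str, int]) -> dict[str, str]:
    """Group the corpus by hash prefix, the way the range endpoint serves it."""
    ranges: dict[str, list[str]] = {}
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_upper(pw))
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in ranges.items()}

RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)

def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET /range/<prefix>; unknown prefixes return an empty body."""
    return RANGE_INDEX.get(prefix, "")

def should_reject(password: str, threshold: int = 1) -> bool:
    """Policy hook: reject a password seen at least `threshold` times in the corpus."""
    return breach_count(password, fake_fetch_range) >= threshold
```

Swapping `fake_fetch_range` for an HTTPS GET of the real range endpoint keeps the privacy property intact, because the request body never contains more than the five-character prefix.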
There are a host of promising technologies in the authentication space that may one day make enterprise overflow obsolete. But solving such large and collective problems takes time, and there is still a lot we can do today with technology that is already in place. Recognizing that credential data breaches are in fact a collective problem—adopting that network perspective—is a step that we can take now while we build the solutions of tomorrow.