By now, even the non-Geeks among us have heard of the Sony PSN and Sony Online Entertainment break-ins and the subsequent loss of personal information, and perhaps credit card numbers, of over 100 million Sony customers. Sony admitted that at least 10,000 customers did have their debit card information compromised.
The facts that Sony did not notify the FBI of the attack for 2 days, did not meet with the FBI for 5 days, and did not notify its customers of the potential loss of their personal data for 6 days are bad enough, but it gets worse. On Wednesday (2011-05-04) Eugene Spafford, a professor at Purdue University, testified before the House Subcommittee on Commerce, Manufacturing and Trade that Sony was running an old, unpatched version of Apache and that they didn’t have a firewall installed. Furthermore, Dr. Spafford testified, this information was publicly discussed on an open forum, which Sony employees monitor, 2 or 3 months prior to the break-in.
The story is still unfolding but it’s clear that Sony did an extremely poor job of protecting its customers’ data and notifying them in a timely fashion after the compromise took place. It’s also clear that Sony is going to take a major hit to their reputation and customer goodwill at the least. Just how much of a hit remains to be seen. And, of course, the lawsuits are already being filed.
Now consider this announcement from LastPass. The differences could not be more pronounced.
- Proactive Security
LastPass scours—not just checks but scours—their logs every day. They aren’t satisfied until they’ve explained every anomaly.
- Proactive Notification
LastPass notices an anomaly that they can’t explain. They immediately notify their customers that something may have happened and tell them what they should do to protect themselves.
- Proactive Followup
LastPass keeps their customers informed with frequent updates. As events unfold, they revise the actions they suggest their customers take. The company’s CEO gives an interview to PC World in which he further explains what happened and what they are doing. He says they are trying to handle it the way they would want it handled if they were the users.
- Proactive Security Improvements
LastPass had already been engineering a change to use PBKDF2 to derive their password hashes, so that each stored hash costs an attacker many iterations per guess instead of one. When just the suggestion of a possible breach presents itself, they immediately roll out the change. They also put in place further procedures to help protect their users in case they were broken into. Then, although there was no indication that any of the boxes or software had been tampered with, they rebuild the servers in question and check the hashes of the source repositories to make sure they hadn’t been tampered with either.
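To make the PBKDF2 point concrete, here is an added example (my own illustration, not LastPass's code; the algorithm choice, salt size, iteration count and record format are assumptions, not LastPass's actual settings). It shows the unsalted single-pass hash that such a migration replaces, a salted PBKDF2-HMAC-SHA256 record, constant-time verification, and the login-time upgrade path that lets a service roll the change out to existing users without ever knowing their plaintext passwords.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example (not LastPass's real settings).
ALGORITHM = "sha256"
SALT_BYTES = 16
ITERATIONS = 100_000
DKLEN = 32


def weak_hash(password: str) -> str:
    """Unsalted, single-pass SHA-256: the 'before' that a PBKDF2 rollout replaces.
    Equal passwords give equal hashes and a precomputed table cracks them in bulk."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC with a per-user random salt. The iteration count is stored in
    the record so it can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time.
    Any malformed record is rejected rather than raising."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        algorithm = scheme[len("pbkdf2_"):]
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        count = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt,
                                    count, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True for legacy weak records or PBKDF2 records below the current policy."""
    parts = stored.split("$")
    if len(parts) != 4 or not parts[0].startswith("pbkdf2_"):
        return True
    return int(parts[1]) < min_iterations


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Login-time migration: accept a legacy unsalted hash (constant-time compare)
    or a PBKDF2 record, and return a fresh record to store whenever the
    existing one is weaker than policy. The plaintext is only ever in memory
    during this successful login."""
    if "$" not in stored:  # legacy weak_hash() record
        ok = hmac.compare_digest(weak_hash(password), stored)
    else:
        ok = verify_password(password, stored)
    if ok and needs_rehash(stored):
        return True, hash_password(password)
    return ok, None


if __name__ == "__main__":
    # Constructed sample user: a legacy record being migrated on first login.
    legacy = weak_hash("correct horse battery staple")
    ok, new_record = verify_and_upgrade("correct horse battery staple", legacy)
    print("login ok:", ok)
    print("upgraded record:", new_record)
    print("verifies under PBKDF2:", verify_password("correct horse battery staple", new_record))
```

Storing the iteration count in each record is what makes the "roll it out immediately" step cheap: the count can be raised in policy today, and every user's record is upgraded the next time they log in.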
This is doing things the right way and LastPass deserves their customers’ gratitude for doing everything possible to protect the data that their users have entrusted to them. The rest of us owe them our gratitude as well. They have shown us that it is possible to handle the inevitable attacks in a responsible and open way. It’s a pity that Sony, a huge corporation, couldn’t perform even remotely as well.