Update from ITPNZ

Here's a quick weekly update from ITP CEO Paul Matthews
This week I look at election manifestos for tech, and how the tech sector are again putting together an election wish list.
And I get a little preachy. Sorry, not sorry. I cover the re-emergence of a dump of stolen passwords and a reminder, yet again, to take precautions when protecting client data.
And why Escrow NZ won't accept online submission or storage of source code for Escrowing.
Election Manifesto
We're working with the other main tech bodies to create a digital manifesto ahead of the election, similar to the document we collectively put together in 2017.
The intention is to create a coherent, well evidenced and well supported selection of things the Government can do to support our sector and by extension, support growth in New Zealand's economy.
ITP's focus is primarily on developing professionals and tech education, however the manifesto will cover a wide range of areas. For context, 2017's manifesto was broken into 3 areas - People, the Economy and the future of Government and included sections on education, future of work, immigration and skills, connectivity, digital exports, cyber security, research funding, improved procurement, open standards, privacy and open policy.
2017's manifesto also called for an area of Government (dubbed the "Ministry of the Future") to focus squarely on the opportunities and risks of the digital world and to help bring together the various parts of Government. This was like a CTO for New Zealand; but resourced appropriately rather than just one person (or worse still - yet another committee).
Despite promises, this never happened and New Zealand is worse off because of it.
We do this during election year so the parties can look to include components in their own election manifestos. Once they've made commitments, we have something we can hold Government to account on. And if they don't, we can ask why not.
Part of this year's manifesto will be looking at what was in the 2017 version, alongside what was promised, and rating the Government's performance in tech using this as a benchmark. Just to be clear, this isn't a partisan activity - the rating will be fully objective and based on this previously published benchmark. ITPNZ, alongside the other tech bodies, is an apolitical body but we will hold Government to account, regardless of party colour.
Look out for the Manifesto in April or May, and let me know what you think should be covered that wasn't in the 2017 Manifesto.
Unprecedented stolen password dump
On this week's New Technology segment on Nine to Noon, I talked about the unprecedented dump of login credentials that is now doing the rounds again in the hacker community*.
The so-called "Collections #1-5" bundles include a ridiculous 2.2 billion unique email and password combinations. It's basically a big bundle of credentials from all sorts of hacks, some known and some unknown. While there are a crazy 25 billion combinations in the raw files, many are duplicates.
Three things make this dump extra scary:
- Firstly, the sheer scale of it. We're talking about gigabytes of plain-text credentials. The first collection found (Collection #1) was the biggest leak ever seen at the time, then Collections #2-5 came to light and turned out to be three times the size of the first one.
- Secondly, the fact that 750 million combinations appear to be from previously unknown hacks. These weren't in the "known" combinations held by the Hasso Plattner Institute. This implies that lots of credentials have been quietly stolen from various sites over a period of time without anyone knowing about it.
- Thirdly, these are freely available. Previously, when credentials were stolen they were either kept quiet or sold within the hacker community. This meant that, while some of the bad guys and girls had them, they weren't widespread. These collections, however, are freely available on torrents; the first was found on a MEGA file share. With the list being widely circulated again, it's likely that thousands of people, if not tens of thousands, have them now.
So what can you do?
Firstly, you need to help get the word out to your clients. You should talk to them about:
- Not using the same password on multiple sites
- Two-factor authentication
- Considering using a password manager (e.g. LastPass)
- Using long and complex passwords
- Not putting online things they don't want to fall into the wrong hands
Secondly, if you're not properly protecting passwords and other sensitive data on the sites and services you manage, you are part of the problem. I can't make this any clearer. In this day and age it's simply not acceptable not to take proper precautions, such as storing customer passwords only as salted, deliberately slow, one-way hashes (bcrypt, scrypt, Argon2 or PBKDF2), never as plain text, reversible encryption, or a single fast unsalted hash.
It is sloppy, likely illegal and certainly unethical not to take best-practice precautions, and if that's you, you need to do something about it.
Whether we like it or not, and whether they should or not, some of your clients will use the same password on multiple sites, including yours. If your site is hacked (and you have to assume it will be at some stage), you're giving the script kiddies the keys to your clients' other sites and services. You have an ethical responsibility to do everything you can to stop that.
So please, please, please check what you're doing and sort it out if you're not doing it right. And if you are, good on you.
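The salted, slow, one-way hashing recommended above, as an added example that is not from this update or from ITP: it uses only the Python standard library (hashlib.pbkdf2_hmac) and puts the weak unsalted fast hash beside the hardened form, including verification and a work-factor upgrade check. The usernames, passwords, the record format and the 600,000-iteration work factor are assumptions made for the illustration, not anything the page specifies.

```python
"""Added example: how the advice in the update looks in code.

Weak form: one fast, unsalted hash per password. Two customers who reuse a
password get the same digest, and a stolen table can be attacked with one
precomputed wordlist at billions of guesses per second.

Hardened form: a per-user random salt plus a deliberately slow key derivation
(PBKDF2-HMAC-SHA256 here because it ships with Python; bcrypt, scrypt or
Argon2 are equally good choices).
"""
import hashlib
import hmac
import os

# Assumed work factor for the example. Raise it as hardware gets faster; the
# stored record carries the value so old records keep verifying.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"  # assumed record tag, chosen for this example


def weak_store(password: str) -> str:
    """The 'before' case: fast, unsalted, identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$digest (all hex)."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or truncated record: never accept
    if algo != ALGO or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking, via timing, how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record predates the current work factor (rehash at next login)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    return int(parts[1]) < iterations


def demo() -> dict:
    """Constructed sample: two customers who reused the same password."""
    users = {"alice@example.com": "Summer2019!", "bob@example.com": "Summer2019!"}
    weak = {u: weak_store(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    return {
        # Reuse is visible in the weak table: one crack unlocks both accounts.
        "weak_identical": weak["alice@example.com"] == weak["bob@example.com"],
        # Different salts: the same password yields unrelated records.
        "strong_identical": strong["alice@example.com"] == strong["bob@example.com"],
        "alice_ok": verify_password("Summer2019!", strong["alice@example.com"]),
        "alice_bad": verify_password("summer2019!", strong["alice@example.com"]),
    }


if __name__ == "__main__":
    print(demo())
```

The record format carries the algorithm and iteration count so the work factor can be raised later; check needs_rehash after a successful login and re-store the password with the new parameters while you still have the plain text in hand.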
Security of software escrow
As an aside, the sheer scale of hacking that dumps like this uncover is exactly why ITPNZ-owned Escrow NZ made the conscious decision to continue to air-gap all escrowed source code material.
While other providers have moved to online submission and storage of source code, ENZ made the decision to continue to accept only physical submission and to literally store it in a bank vault rather than on directly or indirectly accessible servers. They just don't believe online is safe enough to store customers' source code material in today's environment and aren't prepared to take that risk on behalf of their clients.
For those who aren't aware of it, Escrow NZ is the leading New Zealand escrow specialist, with a focus on providing secure escrow services for software source code, research documentation and all types of IP information for many purposes including risk mitigation, the sale or purchase of a business and archiving.
Risk mitigation is the biggie - ensuring that if a development company goes bust, their clients can still support their own software via a copy of source code kept in Escrow and released in agreed circumstances.
Escrow NZ is also 100% wholly-owned by ITPNZ. While the decision not to accept internet-submitted material has no doubt cost them a few customers over the years, ENZ will simply not compromise on the security of their clients' data. And nor should you.
Sorry for the ad, but if you don't already escrow your software source code (as a developer or client), you really should. More info on their website escrow.nz.
* An earlier version referred to this leak as new, however it was from early 2019 and has just resurfaced recently.