I’m proud to introduce SecurityWeek’s new content feature: Feedback Friday. Each week, SecurityWeek’s team will select 1-2 of the week’s biggest or most interesting news stories and provide a summary of reactions from across the technology world. The comments will include both unsolicited commentary that we receive throughout the week, along with some feedback specifically requested by SecurityWeek’s news team. We hope you enjoy this new feature and benefit from reading the varied thoughts, insights and opinions that are voiced. We also encourage our readers to join the discussion in the comments below. – Mike Lennon
Hold Security, LLC reported on Tuesday that a group of cybercriminals from Russia dubbed "CyberVor" managed to collect a total of 1.2 billion unique credentials after breaching the databases of roughly 420,000 websites from all over the world.
The attackers reportedly used a botnet to identify and exploit SQL injection vulnerabilities on the targeted websites. The security company says it has started notifying the owners of affected sites, but has been unable to get ahold of every one of them. Hold Security is also preparing to launch a paid identity protection service that allows individuals to find out if they're affected.
Numerous security researchers and other members of the industry have commented on the story. Some have pointed to the gravity of the situation and provided recommendations for users and companies, while others criticized the way Hold Security made the announcement, and the manner in which some media organizations sensationalized the story by calling it "the biggest breach ever" and referring to it as a single "mega breach."
And the Feedback Begins...
Alex Balan, head of product management, BullGuard:
Let’s not create confusion. Adobe was a mega breach (the biggest in history) with over 150M records stolen. This event is a mega HARVEST since the hackers didn’t collect the credentials from one big site that they hacked but over 400.000 websites, mostly hacked through SQL Injection.
Don’t get me wrong. This event is huge. One criminal organization collecting 1.2 billion user credentials from over 400.000 websites is something that probably makes any IT professional shiver at this point in time. One or all of the following is very likely to be true:
• Your name and password are in that collection at least once and you currently have no way of knowing which one of your Internet accounts was breached. Maybe it was your favorite forum or a dating website. What’s for sure is that you don’t know.
• The accounts will be used for sending spam and will generate a very substantial revenue for the people behind the attack;
• The credentials will fuel wordlists that will further be used for bruteforce attacks;
• The attackers will try to use a user’s password from one website to access other services that they didn’t breach. Do you use the same passwords everywhere ? If so, you will very likely lose your other accounts as well even if they weren’t part of this harvest
Carl Wright, General Manager of North America, TrapX:
Enterprise security cannot afford to be rigid and static; they must be as nimble as the attackers themselves and be able to adapt in real-time to defend against evolving threats. By understanding the motives and movements of bad actors, enterprises can break the kill chain and more intelligently interdict threats and improve proactive defenses.
This breach illustrates how traditional security tools alone don’t do enough and enterprises need to constantly evaluate and improve their security posture. These evolving threats have the ability to circumvent legacy security technologies such that enterprises must continue to build up their arsenal of security capabilities to thwart today’s nation-states or crime syndicates whether foreign or domestic.
Jon Heimerl, Senior Security Strategist at Solutionary:
This is an excellent example of how the hackers worked together, pooled resources, and bought/sold information to create a massive repository of data. The data was not all gathered from the same group or via the same methods, but by repeated attempts to infiltrate systems in a systematic manner – scan, check, repeat. The data was ultimately the result of hundreds, and thousands of attacks spread across years. It helps demonstrate that there are many vulnerable sites, sites that you rely on to protect your information, but your information can be stolen from any of them.
The more accounts you have, the more vulnerable you are. The more you share email addresses and passwords across those accounts, the more vulnerable you are. If you are regularly changing passwords the fact that someone has stolen your credentials may not have a huge impact on you. But how many people regularly change all of their passwords?
Greg Martin, CTO at ThreatStream:
Reusing the same email address as your login or using the same password in multiple places puts consumers at risk. Frequently changing passwords help consumers help protect themselves. Bad habits are hard to break and enterprises need to protect their end consumer by forcing them to change their behavior. Enterprises offering multi-factor authentication and enforcing password policies help make access to customer information more difficult to obtain, which makes your customer less attractive to bad actors.
Mike Ellis, CEO of ForgeRock:
Businesses are being told they must incorporate consumer digital technology or face utter destruction at the hands of the competitors who beat them to the punch. But at the same time, cyber criminals are more relentless than ever in their pursuit of personal and financial data, and identities have long been their target. We know by now that users are often reluctant to use unique passwords and identifiers for online accounts, so it is logical to think that breaches of this magnitude will shift the way businesses engage with end customers in today’s digital age. But if business continues as usual, the very foundations of a successful business--reputation, revenue growth, and customer trust--are literally thrown into the breach.
Joe Schumacher, security consultant for Neohapsis:
Security breaches that result in theft of data are unfortunately common in today’s information age. To amass 1.2 billion username and passwords is impressive but it is not a security threat. This data could have come from dumps on a public web site. This would be frightening and impressive if the crime ring tapped into these companies in a manner that all 1.2 billion username and passwords are valid or accessible. A skilled scripting person could easily scrape public dump sites and amount for a massive collection of user credentials and email address in a short amount of time (but not 1.2 billion, it is impressive number).
If this crime ring has company credentials then many of those credentials eventually will become stale as employees are terminated or accounts passwords are changed by the user. No matter your means of collecting 1.2 billion user name and credentials, to amass that number takes time. Personally, I think this is more PR for a crime ring than fear mongering to the general end user.
General end-users need to practice good authentication habits, which should include using different user name and password combinations for different web-services and/or business accounts. Users should also change their passwords regularly to something different than it was previously and do this around every 30-90 days. For sensitive accounts, the user name should be protected with a two-factor authentication process that relies on two of the three means of authenticating (e.g. something you have, something you are, and something you know).
Robert Capps, Senior Director of Customer Success at RedSeal Networks:
It's important to keep in mind that the Internet wasn't originally designed to be a secure network for the transmission of sensitive information. The Internet was originally a loose collection of computer networks meant to further research between government and educational institutions. With the advent of the commercial Internet (in the 1990s), much effort has been focused on securing the underlying infrastructure, to enable safe and secure transactions. Based on recent news reports, we obviously have more work to do.
The data breaches we see today are not a unique phenomena of the Internet age. As long as there have been computers connected to phone lines, hackers have been breaking in and stealing the information they contain. Data breaches can actually be attributed to Moore's Law as much as they can be attributed to the Internet. The cost to process and store ever increasing volumes of information with online computer systems has plummeted in recent years, allowing every company on the planet to amass information about consumers in a cost effective way. Sadly, not all companies are equipped to manage the security practices required to protect this data. The results are evident in the daily news stories of cybercrime, fraud, and data breaches.
While the current disclosure is unsettling for consumers, security professionals have long believed that cybercriminals were combining stolen consumer data from multiple breaches, to make their attacks more effective. This confirms their suspicions. There is good news here – the stolen data in question appears to be limited to usernames and passwords. Consumers can immediately protect themselves with minimal effort by setting unique passwords for each site they register with on the Internet. By following this simple step, a stolen password from one site can't be reused to gain access an account on another website.
Adam Kujawa, Head of Malware Intelligence at Malwarebytes Labs:
The scale of this find reflects our current reality. While many cyber-criminal groups might not be holding on to billions of login credentials at one time as in this case, they grab information, either use it for their own purposes or sell it to the highest bidder.
Phishing attacks, malware and poor password security allow these attackers to obtain the most from their efforts. This is only an instance of finding a lot of credentials collected in one place but if you put it up against the numbers that are currently circulating through the underground markets, it would seem small.
Eric Chiu, President & Co-founder of HyTrust:
Credentials are highly valuable to hackers since they are the new 'skeleton keys' for personal and work accounts. Hackers are leveraging social engineering, phishing, and other APTs to steal these credentials which they can use to access bank accounts or steal identities. This is even more valuable as a means to gain access to company networks so that they can siphon large amounts of data (customer data, intellectual property and confidential information) without being detected. Insider threats are the number one cause of breaches and also do the most damage.
The Internet enables us to live more connected lives; however, consumers need to be vigilant about protecting their credentials and personal information. It is important to use strong passwords and rotate them often as well as be careful about who you do business with and what information you share on the Internet.
Accounts are hacked and credentials are stolen every day; however, the number of credentials reportedly stolen is at a massive scale. This is a huge wake up call to consumers and companies that attackers are going after personal and work accounts in order to impersonate our online personas. It is critical for everyone to take security more seriously to protect our identities; in addition, companies need to think about security differently and take an 'inside-out' approach to security where they assume the bad guy is already on the network in order to prevent the next Target and Snowden incident.
Sorin Mustaca, IT security expert and author of the Mustaca on Security blog:
Every time I read such PR, it makes me think: "what are the press guys thinking when accepting such information without any kind of proof?"
In my opinion, the most worrying part into this matter is the company that sells the service to consumers for checking and monitoring if their email address has been stolen and to companies to check if their websites are vulnerable to SQL Injection. Normally, there is absolutely nothing wrong with selling such services. And, don't get me wrong, I am not saying that Hold Security is lying about knowing that some cyber gang got access to this amount of credentials. But from here to offering services for checking and monitoring if the client is a victim of exactly this breach, it is different. To do this, one assumes that the company is either in possession of the credentials or is just creating FUD to sell their services.
Taking a step back, if you read carefully the PR of this "unprecedented" hack you will see... mostly just some good PR talk and a very entrepreneurial spirit. There is no single piece of evidence of which websites were hacked, how exactly and what exactly was obtained. I am afraid that for security experts to say that "a botnet" checked websites for SQL Injections and stole credentials from the websites that were vulnerable is a bit too superficial.
"Internet credentials" can be something ranging from an email address to credit card information stored in plain text. But, don't you think that if they would have had this information, especially about credit cards, they would have made a completely different PR gag? And they definitely would have asked for more money
[The phrase in Hold Security's announcement], "Even if you are currently using another Identity Protection Service, your electronic identity may still be vulnerable," shows that the company targets the billions market of Identity Protection and that it is slowly testing its competitors.
Nathan Collier, Senior Malware Intelligence Analyst at Malwarebytes Labs:
A better security standard needs to be used across the entire Internet. Username and password alone just isn’t enough anymore. Some companies have already adopted stronger standards such asking personal questions when the site is being accessed from unknown locations. These, and other methods need to be implemented on every website.
If you haven’t updated your password recently, now would be the time. Make sure it’s a strong password containing capital and lowercase letters, numbers, and special characters. Also, don’t use the same username and password combo for every site. This is especially true for sites that have personal information like the site to your bank or credit card.
Until Next Friday...Have a Great Weekend!