Anonymous recently claimed responsibility for hacking major sites including Amazon and PlayStation and releasing thousands of passwords and account details online. Here to comment are two prominent individuals in the field of information security: Jonathan Sander, Strategy & Research Officer at STEALTHbits Technologies; and Ken Westin, Senior Security Analyst at Tripwire.
Jonathan Sander, Strategy & Research Officer, STEALTHbits Technologies:
“After Heartbleed and so many other password-stealing breaches, folks are getting used to frantic calls to change their passwords. When users get accustomed to hearing ‘change your passwords,’ the boy-who-cried-wolf effect settles in. This is like the ‘it’s always red’ problem that’s plagued IT monitoring for ages — if people expect that things are broken, they won’t ever bother fixing them. The only people who will likely respond to this call are people in IT security and people who have already paid the price of not listening in a previous breach.
“One question this raises for me is this: when will Amazon get on the multi-factor authentication bandwagon? I know why they have not. If you want people to buy stuff as easily as possible, adding a step is directly in conflict with your business model. But since Amazon keeps getting hit by password leaks, not to mention the fact that they manage so much credit card information for consumers, they will have to see the light eventually. At some point, one of these password leaks will affect so many Amazon users that they will be forced to do it. Seems to me they could score points by making multi-factor available now and counting on the sad fact that most users won’t choose to use it until it’s too late. But at least no one can tell Amazon they didn’t try.”
Ken Westin, Senior Security Analyst, Tripwire:
“This particular leak of data may in fact be fake, as the accounts listed in the dump appear to be from multiple leaks, many of which occurred several years ago. Many of these appear to be from a now-defunct website called Leakforums.net, where a number of accounts were often listed. The CyberGhost VPN keys were listed on Facebook in October (https://www.facebook.com/ramlickatz/posts/877746455570975), and the Ubisoft accounts and credit card numbers appear to be from leaks that are several years old.”
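The triage Westin describes, checking whether a "new" dump is really a re-packaging of older leaks, can be done mechanically by fingerprinting each credential and looking it up against an index of prior dumps. The script below is an added example written for this page; it is not code from either commentator, from Tripwire or from STEALTHbits, and every dump line and source name in it (NEW_DUMP, KNOWN_LEAKS, "leakforums-2013", "ubisoft-2013") is constructed for illustration. It normalizes the e-mail part (passwords stay case-sensitive), hashes the pair so the comparison index never holds plaintext passwords, de-duplicates repeated lines inside the new dump, and reports how much of it already appeared in known leaks.

```python
import hashlib
from collections import Counter

# Constructed sample data for this example; none of it comes from the article
# or from any real breach dump. Lines are in the common "email:password" form.
NEW_DUMP = """alice@example.com:hunter2
bob@example.net:Passw0rd!
carol@example.org:letmein
Dave@Example.com:qwerty123
erin@example.com:s3cret
frank@example.net:hunter2
alice@example.com:hunter2
no-colon-here
""".splitlines()

# Hypothetical prior leaks, keyed by a source label (also constructed).
KNOWN_LEAKS = {
    "leakforums-2013": [
        "alice@example.com:hunter2",
        "bob@example.net:Passw0rd!",
        "zed@example.org:zzz",
    ],
    "ubisoft-2013": [
        "carol@example.org:letmein",
        "dave@example.com:qwerty123",
    ],
}


def parse_line(line):
    """Split an 'email:password' line; return None for lines that do not fit."""
    line = line.strip()
    if ":" not in line:
        return None
    email, _, password = line.partition(":")
    if not email or not password:
        return None
    # E-mail addresses are treated case-insensitively; passwords are not.
    return email.lower(), password


def fingerprint(email, password):
    """Hash the pair so the comparison index never stores plaintext passwords."""
    return hashlib.sha256(f"{email}\0{password}".encode()).hexdigest()


def build_index(known_leaks):
    """Map credential fingerprint -> set of prior leak labels it appeared in."""
    index = {}
    for source, lines in known_leaks.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed is None:
                continue
            index.setdefault(fingerprint(*parsed), set()).add(source)
    return index


def classify_dump(dump_lines, known_leaks, recycled_threshold=0.5):
    """Measure overlap between a new dump and known leaks and give a verdict."""
    index = build_index(known_leaks)
    seen = set()            # fingerprints already counted from the new dump
    per_source = Counter()  # how many unique credentials each old leak explains
    unmatched = 0
    skipped = 0
    for line in dump_lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        fp = fingerprint(*parsed)
        if fp in seen:
            continue  # duplicate line inside the new dump itself
        seen.add(fp)
        sources = index.get(fp)
        if sources:
            per_source.update(sources)
        else:
            unmatched += 1
    total = len(seen)
    recycled = total - unmatched
    share = recycled / total if total else 0.0
    return {
        "unique_credentials": total,
        "recycled": recycled,
        "unmatched": unmatched,
        "skipped_lines": skipped,
        "by_source": dict(per_source),
        "recycled_share": share,
        "verdict": "likely recycled" if share >= recycled_threshold else "mostly new",
    }


if __name__ == "__main__":
    for key, value in classify_dump(NEW_DUMP, KNOWN_LEAKS).items():
        print(f"{key}: {value}")
```

On the constructed data, four of the six unique credentials trace back to the two older leaks, so the dump is flagged as likely recycled. The threshold is a judgment call: a high overlap with old material does not prove the dump is fake, but it does mean the accounts should be treated as a reminder about old credentials rather than evidence of a fresh compromise of the named sites.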