It was announced this week that a Russian gang of hackers, dubbed CyberVor by Hold Security, succeeded in stealing 1.2 billion usernames and passwords from over 420,000 websites. The scale of this attack easily makes it one of the largest data breaches in history. Here to comment on the incident are a number of security experts, all of whom work for industry-leading companies including Voltage Security, Osborne Clarke, and NetIQ.
Mark Bower, VP of Product Management and Solutions Architecture for Voltage Security:
“This sounds all too familiar — weakly secured sites, preventable vulnerabilities that aren’t patched, and automated botnets that steal massive troves of identity data suitable for ruthless secondary online system attacks at a tremendous scale. Today, all reports suggest that the bad guys are winning big at the expense of the consumer, who will foot the bill for this in the end. Clearly it’s time to change the game in data security and neutralize data breach risks instead of paying the heavy price when sensitive data falls into the wrong hands all too easily.”
Pierluigi Stella, CTO for Network Box USA:
“I confess, I’ve become jaded – I no longer read such news. In fact, the more likely the scenario, the more I am inclined to say, ‘Ah, another one.’
“Why do we continue to be surprised? We’re playing with fire, underestimating the importance of security, although we continue to talk about it as something beyond vital. At the end of the conversation, there’s always someone asking about costs and slashing budgets. And these are the results. The true risks of security cannot be measured in such rudimentary ways anymore. The time when we compared risk assessment to a horse in a stable (don’t spend more money for the fence than for the horse) is long gone. We need to change the approach and understand that the risks are much higher; losing your data can (and WILL) cost you your company. Data breach notification laws now require that every user be notified (and that’s standard across the board in all states), an undertaking which alone can cost a fortune. Insurance companies will cover some of that cost (if you have cyber security insurance) but you’ll still be out a lot of money. Let’s not even begin to peg a dollar value to corporate reputation and loss thereof. (How many of us refrained from shopping at Target for a long time at the beginning of this year?) That’s a cost you can’t easily quantify nor foresee.
“When will the time come when companies take security seriously ‘for real’ and not only on paper? One has to wonder.”
Geoff Webb, Director of Solution Strategy at NetIQ:
Wider Implications
“This again signals we are reaching the end of the usable lifespan of the username/password combination to security. The approach of making users create their own passwords simply forces this last, critical step in security into the hands of the people least qualified and least interested in making it secure: the end user. People don’t want to deal with complex passwords they use only once, and as we keep forcing users to be responsible for this security, it’s unsurprising we keep seeing the same results – weak passwords, reuse of passwords and breaches that cascade to many sites.”
Size of the Breach
“This is a huge haul of accounts and passwords, and as a result it’s very significant. It will be some time before we get a sense of how wide reaching the potential problem is here, if in fact we ever really get insight into the impact. The sheer scale however demonstrates that we have a long way to go in securing web-facing applications.
“Although it will be compared to the Target breach, this is a very different kind of problem. While the Target breach stole credit cards from a retailer, it’s impossible to know how many sites will be impacted by this hacker group.
“Small groups of hackers are able to perpetrate this kind of immense data theft because there is already extensive information available to assist them in exploiting vulnerable systems around the globe. After all, hackers have mapped the internet to a high degree of accuracy, and that information is readily available online. Furthermore, the advent of cloud computing presents these hacker groups with massive computing power on tap and at low cost. They can use botnets to identify and attack sites, cloud compute resources to crunch the resulting data, and remain under the radar the entire time.”
The Breach Itself
“It’s likely that well-known vulnerabilities were exploited to steal passwords – in fact it’s very likely given the sheer scale of attacks. That includes vulnerabilities in the web-facing applications and systems, as well as vulnerabilities in the way passwords are created and stored.
“Organisations don’t always protect passwords as well as they should. They often use weak hashing algorithms and/or unsalted hashes, and in some cases, they do not institute any password protection measures. Many companies don’t enforce good password policies, and users employ poor password hygiene – reusing the same passwords in multiple places – meaning that any single username and password combination could constitute a vulnerable open door to many sites.”
James Mullock, Lawyer and Partner at Osborne Clarke:
“Businesses with a digital presence will be waiting with bated breath to learn whether their users are affected by this reported attack. It’s a nasty reminder of the cyber threat that organisations face in 2014, as well as the need for management boards to be prepared for attacks such as this.
“An interesting feature of the attack having been uncovered by an independent security firm is the unstructured process by which news of data breaches reaches those compromised organisations. There is currently little legislative guidance regulating how that process should operate, and it appears ripe for review.”
Toyin Adelakun, Vice President at Sestus:
“The Internet Arms Race is in full-swing. The ever-growing sophistication of these attacks suggests the attackers have greater resources at their disposal than ever — and there will always be speculation as to the degree of state backing. Cross-jurisdictional law enforcement cooperation may help amongst allies, but with Russia and the West seeming to diverge on other major points of policy, cooperation on cybersecurity matters is unlikely to bear any short-term fruit.
“But by infecting end-user computers and co-opting them into an army of Web-password vulnerability testers, these gangs may have unwittingly done the wider cyber-community an enormous favour: that of auditing the Web for password-management vulnerabilities. However, for full value to be had from this audit, companies (and individuals) need to act quickly. They may not get another chance. Here’s how organisations can implement multi-layered security and thus apply the defend-in-depth principle to their means of user authentication:
1.) Implement two-factor or other multi-factor authentication. It goes without saying that passwords alone are no longer anywhere near sufficient as means of identifying users in a trustworthy manner.
2.) Follow the best-practice of hashing and/or encrypting contents of password databases (PWDBs). That way, even if password databases are somehow exfiltrated, their contents cannot be trivially exploited.
3.) Locate PWDBs behind at least two levels of firewalls — at least three, if a Web application firewall (WAF) is included. Most Web applications are or should be deployed in three-tier architectures, with the “data tier” being furthest from the Internet and behind most levels of the firewalls.
4.) In addition to firewalls, consider deploying intrusion-detection systems (IDS, the TCP/IP equivalent of CCTV for Internet packets) and Web application firewalls. Proactively monitor and manage the security devices — firewalls, WAFs, and IDSes.
“Individuals are not necessarily directly at fault for this latest breach, but they can take protective steps, too:
1.) Keep your operating system and anti-virus software up-to-date. This can reduce the likelihood of your computer being infected and drafted into a botnet.
2.) Where available, use two-factor authentication. In other words, whenever presented with the option to use two-step verification — e.g. by Apple, Google, Microsoft, or an online banking application — take the option.
3.) Install and use a good, strong and reputable password manager. Current thinking is that the best ones are those that do not store the passwords “in the cloud” — but rather, keep them on your devices (computers, smartphones, etc.) in encrypted form.
4.) With the help of the password manager, create and use unique and strong passwords for your online activities and services. The word “unique” is important. That way, even if a given website is compromised, your password for that website will not be usable anywhere else.
“One characteristic of an arms race is that the lead often changes between the contestants. With such focus on password management, it will come as no surprise that password manager software and websites have been and are themselves being attacked. That frontline may see a good few skirmishes yet, but two-factor authentication already exists as a valuable flanking manoeuvre for individuals and companies alike.”
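Webb’s remark about weak or unsalted hashes and Adelakun’s second recommendation (hash the contents of password databases) both come down to the same storage decision. The following Python example is added here and is not code from any of the quoted contributors: it contrasts an unsalted SHA-1 digest with a per-user salted, slow PBKDF2 hash and a constant-time verifier. The function names, the `iterations$salt$digest` record format and the iteration count are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for the salted, slow hash (PBKDF2-HMAC-SHA256).
# The iteration count is an example value; tune it to your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def weak_unsalted_hash(password: str) -> str:
    """Unsalted SHA-1: every user with the same password gets the same digest,
    so one cracked digest unlocks every account that shares it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'iterations$salt_hex$digest_hex'.
    A fresh random salt per user makes identical passwords hash differently."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_visible(password: str, salted: bool) -> bool:
    """Would two users who chose the same password have identical stored
    values? True for the unsalted scheme, False for the salted one."""
    if salted:
        return hash_password(password) == hash_password(password)
    return weak_unsalted_hash(password) == weak_unsalted_hash(password)
```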
Ilia Kolochenko, CEO of High-Tech Bridge:
“This is hardly a news story: legions of bots have been crawling the web to find unpatched or outdated software for a dozen years already. Yes, the number of automated bots that aim at finding vulnerable websites, compromises, and backdoors, as well as those who patch those vulnerabilities (to prevent ‘competing’ hacking groups from getting in) are growing, as is their efficiency. Of course it’s useful to alert people that such risks exist, but it’s definitely not a news story.
“Another point that makes me smile is the famous myth about ‘Russian hackers’. That is, plenty of countries speak Russian as a second language (e.g. Israel), and plenty of people speak Russian.
“On another note, just by using Google, you can find millions of passwords in plaintext quite quickly on the web, or you can have a look on XSSposed.org. They have collected vulnerabilities on hundreds of the most famous websites within a period of only two months, and the researchers can submit information there for free. So you can estimate how big the cyber black market is.”
Peter Armstrong, Director of Cyber Security, Thales UK:
The news that a single group has been able to hack 1.2 billion usernames and passwords across more than 420,000 websites shows not just the sheer scale on which these cybercrime groups now operate but also the borderless nature of the threat. Security threats present themselves in numerous forms, and these increase by the day – if not hour, minute or second. This new method of targeting every site that their victims visit rather than specific large companies has been employed for maximum results: compromised users can be deployed by different Botmasters as they seek to create new types of DDoS attacks with the intent to monetise their criminal activities. It can essentially lead to the dark web equivalent of buying and selling mailing lists, except with these you’re not receiving junk mail through the door!
Cyber security is not just an issue for large companies. It should be a concern for any company that retains customers’ personal data. It is also a personal issue – understanding and awareness of what it means to Get Safe On-line is a responsibility for all of us. All of the organisations affected by this breach need to ensure that they are alerting their customers to breaches in a timely manner and are encouraging preventative measures such as changing passwords. Online threats are evolving at a rapid rate, and if companies want to stay ahead of the attackers, they need to adopt a holistic approach to maturing their security posture on a continual basis. This means not preparing to counter a specific threat but instead considering how to ensure their organisation is best able to respond to and recover from such an attack in the most effective and comprehensive manner that fits with their business priorities. Cyber maturity is a capability and way of life – not a specific counter-threat measure.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.