Hold Security recently announced that a Russian “hacker gang” its teams have dubbed “CyberVor” succeeded in accumulating over 1.2 billion unique user credentials from over 420,000 web services, ranging from smaller sites to major household names. While there is no doubt this is a shockingly massive breach, and CyberVor’s amassed collection of user identifies is surely the largest publically disclosed trove to date, what these hackers actually created is something far larger and more dangerous. Worst still, we have yet to realize the true ramifications of this massive and unique breach.
Sure, the sheer size of the number of compromised credentials is impressive on its own. For scale – if the CyberVor hack were a box office return, it would equal the total global gross of the final Harry Potter film, as compared to the recent Target breach which would register only in the range of opening week for “Big Daddy”.
Ever heard of “Big Daddy”? No, of course not.
More than its sheer size, the CyberVor attack constitutes the flash of lightning before the deafening crack of thunder. This attack has created the perfect storm for hackers, for the continued coverage of this story stirs up feelings of fear, ambiguity, and opportunity – all of which work in the favor of social engineering.
With over 420,000 sites affected, we know that many are sites millions of people use frequently. [FEAR] But which of the many sites we use were affected? [AMBIGUITY] Finally, the fact this attack is broadcast loudly presents an unprecedented opportunity for social engineering.
If I were so inclined to take advantage of this situation, here’s precisely what I’d do.
My first step would be to determine my targets. Because of the ambiguity in the market, I don’t have to focus on small game here – everything’s on the table. Perhaps I’d start with a handful of major financial institutions, some cloud storage providers, a couple of email platforms, and an assortment of major corporate remote access gateways. After I’ve decided which firms to target, I’d assemble a very convincing email using the appropriate company logo. The email would read:
“In light of recent news regarding the attack on 1.2 billion identities, we strongly encourage you to change your password to prevent any malicious action against your account. Please feel free to login normally through our website, or find a link below for your convenience.”
I can imagine a striking percentage of users mistakenly clicking on the link that would route them to a convincing phishing site, which would compromise any multi-factor authentication solution that relies on generating a one-time passcode.
The crash of thunder is not the fact that so many credentials were compromised. No, the true roar is felt as the current situation is leveraged to gain access to corporate networks, bank accounts, and sensitive documents. Clearly the CyberVor attack is the shot across the bow, as cyber security has leveled up from being the responsibility of just the technical architects and CISOs; with the ramifications immediately available for would-be bad actors, cyber security is now a liability for CEOs and the rest of the Executive Board. CEOs should be hyper-aware that despite the great work of most CIO and CISOs, they’re one attack away from missing estimates next quarter. And if the CEO is not having this conversation with their lead security officer, then his or her Board should help make it a priority. Remember, it took a matter of hours for CodeSpaces to effectively disappear as a company.
So – how can we best prepare for the coming storm?
Passwords. Despite what is written and said (ad nauseam), passwords need not die. All the same, they cannot be relied upon as the only form of authentication. We need to supplement passwords with multi-factor authentication that secures services against the attacks levied against it and simultaneously does not affect the user’s experience.
Using better multi-factor authentication throughout the ecosystem, both internally and externally for an enterprise, makes it much more difficult for hackers to take advantage of the banquet table set before them. Providing multi-factor authentication that does not affect user experience will actually enable users to use it and create stickier relationships for enterprises.
CyberVor presented the first lightening strike of a frighteningly large and fast moving storm. While there may not be much we can do to change the weather, we can benefit from the use of multi-factor authentication to get off the flood plain.
To help enable CEO and Boards have the right conversations and ask the right questions, demystifying the obfuscation surrounding security, please visit our website at www.toopher.com/guide.
By Josh Alexander, CEO, Toopher
About Toopher
Toopher virtually eliminates online fraud and identity theft by providing out of band, automated two-factor authentication. It offers better security without any of the hassle entrenched in existing two-factor solutions. Toopher uses the location awareness of your smartphone to add another layer of security to passwords—all without leaving your pocket. The company’s product suite is the rare security tool that users actually want to use.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.