Despite most of the population lazily clinging onto the remnants of summer, the world of data breaches was as busy as ever. In the firing line this week was the “Reddit of Latin America”, Taringa, which was pwned in spectacular fashion, exposing the login credentials of nearly all of its 28 million users.
Social media attacks can be devastating for the victims. Because so much of someone’s everyday life is present across social media channels, a cybercriminal who gets into an account is privy to a wealth of personal information that can in turn be leveraged to obtain even more sensitive information. If login details fall into the wrong hands, spear phishing emails targeted specifically at the victim could be in their inbox before you can say ‘malware’.
As always, those within the cybersecurity industry did not hold back when asked for their opinions on the latest privacy fiasco. A few experts from the world of cyber gave their opinions to the IT Security Guru below:
Tim Woods, VP Technology Alliances at FireMon
“This latest breach underscores the need for greater security visibility and real-time monitoring of our security controls across the enterprise. While this may seem trite and obvious, corporations continue to try and manage their security infrastructure with limited resources and limited management effectiveness. I speak with top-rated security professionals routinely who tell me: ‘It’s not that I don’t know what to do, it’s having the time and tools to do it.’ Most organizations are cognizant of their security weaknesses, but shifting business priorities have delayed or redirected additional security spending. However, it’s not new technology investment that’s needed but rather adequately managing what they have presently deployed. Security management solutions on the market today have significantly matured over the last five years and represent a very economical way to increase the resource efficiency and effectiveness of existing deployed technology. Holistic security visibility and real-time policy data analysis is not out of reach, and I would encourage anyone who has experienced a breach or is looking to “up” their security game to explore this valuable security area.”
Andrew Clarke, EMEA Director at One Identity
“The reported breach at Taringa highlights some fundamental issues. The fact that an administrative file holding passwords was accessible demonstrates little or no control over privileged accounts. Then the passwords were easily cracked since the company used a weak MD5 (128-bit) algorithm rather than SHA-256. And the user passwords were not enforced by a strategic password policy, since when revealed the passwords used by the users were fundamentally weak – the most popular password used being 123456789, followed by 123456. Taringa was quick to realise its mistakes and forced a global reset on users and updated to SHA-256, but that incident does point out that users also need to take steps to protect themselves.
A Taringa password change is the first priority – but also change any passwords on other personal accounts that use the same password. Other recent attacks on organisations have pinpointed password re-use as a major factor in their downfall. And when a new password is selected, even though the website allows a weak password to be chosen, always make it 12+ characters, with a mix of upper/lower case alphabetic plus numbers and special characters. Use of a password manager can help select and recall these passwords. And of course don’t reuse passwords across multiple sites.”
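As an added example (editor's code, not from the article or from One Identity), the Python below reproduces the two password-handling points in the quote above. It runs a small constructed dictionary against unsalted MD5 and unsalted SHA-256 hashes of the two top Taringa passwords named in the quote, and it checks candidates against the 12-character, four-class policy Clarke describes. It also stores a password with salted PBKDF2-HMAC-SHA256 from the standard library, the kind of slow, salted scheme a practitioner would actually migrate to, because an unsalted single-round hash falls to a dictionary at the same speed whether the digest is MD5 or SHA-256. The leaked plaintexts, the wordlist, the sample strong password and the 600,000 iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import string

# Constructed sample (assumption): the two most common Taringa passwords named
# in the article, plus one that satisfies the quoted policy. Stands in for the
# contents of a leaked password file.
LEAKED_PLAINTEXTS = ["123456789", "123456", "Tr0ub4dor&3xample!"]

# Constructed guess list (assumption): a tiny "most common passwords" dictionary.
WORDLIST = ["password", "123456", "12345678", "qwerty", "123456789", "letmein"]


def fast_hash(password: str, algo: str) -> str:
    """Unsalted, single-round digest. This is the MD5 scheme the quote says
    Taringa used and the SHA-256 scheme it says Taringa moved to; both go
    through the same code path and cost one digest per guess."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def crack_fast_hashes(hashes, wordlist, algo):
    """Offline dictionary attack on unsalted hashes. With no salt, one digest
    per guess is compared against every leaked hash at once, so 28 million
    accounts cost no more to attack than one."""
    targets = set(hashes)
    found = {}
    for guess in wordlist:
        h = fast_hash(guess, algo)
        if h in targets:
            found[h] = guess
    return found


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """Salted, slow KDF from the standard library (PBKDF2-HMAC-SHA256).
    The random per-user salt forces the attacker to recompute every guess
    per account; the iteration count (an assumption here) makes each guess
    slow. Argon2 or bcrypt are the usual choices but need extra packages."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def meets_policy(password: str) -> bool:
    """The user-side rule from the quote: 12+ characters with upper, lower,
    digit and special characters all present."""
    return (
        len(password) >= 12
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


if __name__ == "__main__":
    for algo in ("md5", "sha256"):
        leaked = [fast_hash(p, algo) for p in LEAKED_PLAINTEXTS]
        cracked = crack_fast_hashes(leaked, WORDLIST, algo)
        print(f"{algo}: cracked {sorted(cracked.values())} with {len(WORDLIST)} guesses")
    record = pbkdf2_store("123456789")
    print("pbkdf2 record:", record[:48] + "...")
    print("verifies correct password:", pbkdf2_verify("123456789", record))
    print("verifies wrong password:", pbkdf2_verify("123456", record))
    for p in LEAKED_PLAINTEXTS:
        print(f"{p!r} meets policy: {meets_policy(p)}")
```

Running it shows the same two passwords recovered from MD5 and from SHA-256 with six guesses each, while the PBKDF2 record is different every time it is produced (different salt) and still verifies only the correct password. The policy check is the quote's advice mechanised; it is a floor for users to apply, not a substitute for the server-side storage fix.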
Giovanni Vigna, CTO and co-founder at Lastline
“Stealing social network credentials is an effective way to access personal data, exploit the trust between users to spread malware, and also expand the criminals’ foothold in the case the credentials are re-used across services. The impact of this type of attack would be sensibly reduced if 2-factor authentication were ubiquitous.”
So there you have it: protect your privileged accounts, use two-factor authentication and monitor your security controls in real time, and you’ll be protected from the devastating consequences of a breach…right?