This week saw the launch of a report which claimed that 1.2 billion unique credentials had been captured by a Russian cyber crime gang.
Altogether, the haul of details amounts to more than four billion, collected by the gang from sites with a common SQL vulnerability. As John McAfee said in his closing keynote at this week’s BSides Las Vegas event, this is unlikely as there are only five billion people on the planet. We asked the industry what they thought.
TK Keanini, CTO at Lancope
“There is a glut of credentials always floating around the black market, and because of this fact, security professionals need more than just traditional detection signatures looking for exploits and attacks, because the adversary is just going to log in to your network normally. In particular, defenders need anomaly detection methods, as it is the only way to discover this abuse in its early stages.”
Mark Bower, VP at Voltage Security
“This sounds all too familiar: weakly secured sites, preventable vulnerabilities that aren’t patched, and automated botnets to exploit them, yielding massive troves of identity data suitable for ruthless secondary online system attacks at tremendous scale. Yet more evidence that the bad guys are winning big at the expense of consumers, who will foot the bill for this in the end like a hidden tax. Clearly it’s time to change the game in data security and neutralize data-breach risks instead of paying the heavy price when sensitive data falls into the wrong hands all too easily.”
Michael Sutton, VP of security research at Zscaler
“With 420,000 sites infected, it will be impossible to work with all of the impacted companies and ensure that the vulnerabilities that led to the breaches are ultimately patched. Many will remain vulnerable for some time, if not indefinitely. The attackers crowdsourced the hacking, leveraging botnet-infected computers to do the heavy lifting for them and identify sites vulnerable to SQL injection attacks.
“This is yet another warning of the dangers of using the same credentials on multiple sites. Consumers should assume that sites they trust will be breached at some point. If they use different credentials on all sites, at least they can limit the damage. Fortunately, there are many tools/services available so that users don’t have to remember dozens of different passwords.”
Mark James, security specialist at ESET
“The only real way of targeting this problem is to not use email addresses as logins. Websites should give you the opportunity to use a login name that you have full control over, rather than just using the same email address across multiple sites. Of course the usual password rules apply: do not reuse the same password anywhere, make small simple changes that can be easily remembered by yourself, and don’t use dictionary words in your password. Even adding one or two random characters into a dictionary word can throw a brute force word search off course.”
Eve Maler, vice president of innovation and emerging technology at Forgerock
“The digital identities of millions of UK consumers are at risk from this latest digital heist. Cyber criminals are more relentless than ever in their pursuit of personal and financial data, and identities have long been their target. We know by now that users are often reluctant to use unique passwords and identifiers for online accounts, so it is logical to think that breaches of this magnitude will shift the way businesses engage with end customers in today’s digital age.
“This is why it is so important for organisations to leverage contextual and relational intelligence to measure risk. By doing so, security teams can apply a multi-layered approach to protect data on any external or internal application, device, or thing and can mitigate risk that may result from this type of breach.”
Mark Sparshott, EMEA Director at Proofpoint
“Most SMEs know they have weak security but do nothing about it because they believe that cybercriminals focus on high profile, high value “Targets of Choice” who are selected specifically and pursued intently.
“CyberVor blows this self-denial out of the water as the majority of those businesses breached were “Targets of Opportunity” attacked by automated scripts that launched sophisticated SQL Injection, Spam and Phishing attacks against an endless list of websites and IPs without any knowledge of who they were attacking.”
James Mullock at International law firm, Osborne Clarke
“Businesses with a digital presence will be waiting with bated breath to learn whether their users are affected by this reported attack. It’s a nasty reminder of the cyber risk threat which organisations face in 2014 and the need for boards to be prepared for attacks such as this.
“An interesting feature of the attack having been uncovered by an independent security firm is the unstructured process by which news of which businesses have been hacked reaches those organisations. There is currently little legislative guidance regulating how that process should operate and it appears ripe for review.”
Peter Armstrong, director of cyber security, Thales UK
“The news that a single group has been able to hack 1.2 billion usernames and passwords across more than 420,000 websites shows not just the sheer scale on which these cybercrime groups now operate, but also the borderless nature of the threat. Security threats present themselves in numerous forms and these increase by the day – if not hour, minute or second. This new method of targeting every site that their victims visit, rather than specific large companies, has been devised for maximum results: these large numbers of compromised users can then be deployed by different Botmasters as they seek to create new types of DDOS attacks to monetise their criminal activities. It can lead to the dark web equivalent of buying and selling mailing lists, except with these, you’re not receiving junk mail through the door!”
Brian Spector, CertiVox
“This incident is one of many attacks that highlight the need for the wider security industry to take another look at the methods that they employ to secure services and data. Consumers are prone to using the same password for multiple accounts which means that the risks posed by this particular data loss are extremely wide ranging.
“Businesses are appearing increasingly desensitised to these repeated attacks, but they need to know that there are other means of authentication that can offer a way out of this cycle of hacking. Government organisations, businesses and other bodies need to identify new ways to secure data, or they will face more of the same problems in the future and an increasing consumer backlash as crucial details are stolen and used for criminal gain.”
Geoff Webb, senior director of solution strategy at NetIQ
“It’s likely that well-known vulnerabilities were exploited to steal passwords – in fact it’s very likely given the sheer scale of attacks. That includes vulnerabilities in the web-facing applications and systems, as well as vulnerabilities in the way passwords are created and stored.
“Organisations don’t always protect passwords as well as they should – either using weak hashing algorithms, unsalted hashes, or in some cases, not even protecting the passwords at all. Many companies don’t enforce good password policies, and users employ poor password hygiene – reusing the same passwords in multiple places – meaning that any single username and password combination could present an open door to many sites.”
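The storage weaknesses Webb lists can be shown concretely. The example below is added here and is not code from the article or from NetIQ; the account data is constructed. It contrasts a bare unsalted hash, where every account sharing a password shares the same stored value, with a per-user salted PBKDF2 hash, and includes the duplicate-hash check a defender can run on a password table to spot the unsalted case.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample data (not from the article): three accounts, two of
# which reuse the same password, as the quote above describes.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "Summer2014!"),
    ("bob@example.com", "Summer2014!"),
    ("carol@example.com", "correct horse battery staple"),
]


def unsalted_sha256(password: str) -> str:
    """Weak scheme: a bare hash. Equal passwords give equal stored values on every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Hardened scheme: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'pbkdf2$<iterations>$<salt hex>$<hash hex>' so verification can recover the parameters."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_hash_count(stored_values) -> int:
    """Number of distinct stored values shared by more than one account.
    On an unsalted table this exposes password reuse directly (one cracked value
    opens every account using it); a salted table should always give 0."""
    return sum(1 for n in Counter(stored_values).values() if n > 1)


def compare_schemes(accounts=SAMPLE_ACCOUNTS) -> dict:
    """Store the same accounts under both schemes and count shared values in each table."""
    unsalted = [unsalted_sha256(pw) for _, pw in accounts]
    salted = [salted_pbkdf2(pw) for _, pw in accounts]
    return {"unsalted_shared": shared_hash_count(unsalted), "salted_shared": shared_hash_count(salted)}


if __name__ == "__main__":
    print(compare_schemes())
```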
Gavin Millard, EMEA technical director, Tenable Network Security
“Although the headline numbers are staggering, this huge password cache could be related to a handful of SQL injection vulnerabilities in popular content management systems or forum applications, for example WordPress, Drupal, phpBB or vBulletin. It shouldn’t matter that hackers stole your password to a forum you frequent, but even now, with all the breach headlines we see and the fraud associated with them, the fact that many users apply the same password for every internet service they use means the impact of this hack will be significant.”