Infosecurity speaks to a range of industry experts about the 1.2bn password breach and the implications for website security.
It’s rare that information security stories break through into the mainstream press. The eBay data breach and Gameover Zeus takedown are two rare examples from 2014. Yet to this exclusive list was added another on Wednesday when news broke that a Russian cybercrime gang had amassed a staggering 1.2 billion user name and password combinations and 500 million email addresses from poorly protected sites.
Although the company that discovered the breach, Hold Security, appears to be making the most of the incident, charging $120 for a “breach notification service” for website owners, the findings have been independently verified by experts, according to the New York Times.
The “CyberVor” gang, as it has been dubbed, apparently hail from south central Russia. It comprises fewer than a dozen people – men in their 20s who seem to have begun their cybercriminal career a few years back launching amateurish spam runs. As such, the level of complexity involved in their work seems worryingly basic. From what we can gather so far, they used a botnet to effectively “audit the internet” – that is, check websites all over the world belonging to companies big and small for SQL Injection vulnerabilities. Once one was found, it was flagged and compromised, and its database of user credentials was stolen.
The biggest ever?
Many of the headlines accompanying this story have screamed out that it’s the biggest robbery of online credentials in history. However, not everyone agrees. Speaking at the BSides conference in Las Vegas yesterday, AV founder John McAfee argued that the 1.2 billion figure may be “false” and that the number of identities stolen “may be closer to 500 million”. Others claim that as the data grab was done over a long period of time and from numerous sources, it’s not technically a single attack.
Beyond that, Sophos principal security researcher, Vanja Svajcer, was sceptical about claims this was the “biggest attack ever”, simply because the quality of the passwords in question and the servers they were taken from is not clear.
“If the server was an online service with an obvious financial value such as Paypal or Gmail we could certainly talk in those terms,” he told Infosecurity. “Current indications are that the credentials have been retrieved from poorly secured servers using older unpatched versions of web applications so the actual value of the passwords could be low.”
For Peter Armstrong, director of cyber security at defense contractor Thales UK, focusing on the size of the attack misses the point.
“Passwords demand discipline from users and this is at the heart of the issue,” he told Infosecurity.
“Most people recognise cyber as a problem, but most of those same people think it is somebody else’s problem when of course this is ridiculous, cyber is everybody’s problem both individually and collectively. Until this level of understanding increases we will continue to see this kind of issue.”
Armstrong claimed part of the responsibility for awareness raising lies with governments “in the same way that safety in seat belts and smoking has been in recent years”.
CyberArk senior director of cyber innovation, Andrey Dulkin, was also keen to get away from a focus on the size of this breach. “This is just another disclosure in a series of many, as we’ve already seen datasets of millions, tens of millions and hundreds of millions in the past,” he told Infosecurity.
“The interesting thing in this case is that this dataset is actually a combination of multiple attacks and not a single data theft, which means that the attackers were purposefully constructing a database over a long period of time.”
Time to ditch passwords?
What the incident has done once again is to raise the question of whether passwords are fit for purpose as an authentication method.
“In the short term individuals must take a more risk-based approach, maintaining strong and unique credentials for those sites that would create the greatest impact if breached – such as bank or email accounts – while being pragmatic and using common passwords for sites that would be little more than an irritation if breached,” argued KPMG cyber security director Tom Burton.
“The next step will be the rise of consumer-driven ‘two factor authentication’ using physical devices such as mobile phones to provide unique codes for each access – akin to one-time pads used by spies during the Cold War.”
However, few expected the incident to eventually spur a change in companies’ attitudes to user authentication. Simon Eappariello, senior vice president EMIEA of iboss network security, claimed that “passwords and usernames, whether we like it or not, are like the bricks and mortar of the internet”.
CyberArk’s Dulkin agreed, arguing they’ll be around “for a long time yet” given their familiarity to users. “We can hope that this, and other disclosures, will drive businesses to improve their security and provide two-factor authentication to improve the security of their customers,” he added.
Others noted that more secure authentication methods like 2FA can also be cracked by determined hackers.
Personal password managers were recommended as one concrete step which could be taken by users to ensure that passwords are not re-used across online accounts – minimizing risk exposure in the event of an incident like this.
A beachhead into the organization
There were fears from some quarters that the breach could allow attackers to more easily launch targeted threats at organizations.
“The main things that organisations should do is separate the personal accounts and the privileged accounts; so that the users may set passwords for their own personal accounts, but the organization sets strong passwords for the privileged accounts and only enables the use of these privileged accounts as needed by legitimate users, such as administrators,” said CyberArk’s Dulkin.
“Organizations shouldn’t rely on their users, even their administrators, to set strong passwords or to avoid password reuse with regards to other, non-sensitive assets.”
Gary Newe, senior systems engineering manager at F5 Networks, told Infosecurity that both APT-style attacks and data breaches like this are rightly high on the agenda for CISOs.
“With the sophistication of cyber-attacks developing at such a vast rate, and with this recent incident in mind, it is now more important than ever that organisations take note and put stringent processes in place to prevent more attacks like this from happening,” he added.
“The tools are available and straightforward to implement, but it’s down to businesses to prioritize cyber in their planning.”
Time to toughen up your site
If nothing else, a data breach on such a massive scale gives the cyber security industry once again the opportunity to impress on web owners the importance of improving their defenses.
“We need to focus on protecting the valuable data which is in the applications and no longer focus on protecting the network which is where many organisations seem to be focusing their efforts,” said F5’s Newe.
“Whether using malware, APTs or traditional application based hacks, the applications are now the target for cyber criminals, so businesses need to react and invest in protection for them.”
Both service providers and users need to pay attention here, according to Sophos’ Svajcer. This includes firms regularly applying security patches and installing web application firewalls which take a whitelisting approach to data requests.
“On the client side use, ensure the system used to access the server is not compromised. Use security software and isolate client software in disposable virtual machines,” he added.
CyberArk’s Dulkin, meanwhile, suggested organizations include automated password management tools and make sure they implement strong passwords for sensitive assets.
“Also, employing analytics systems that detect anomalies in privileged activity can be a strong mitigation control to detect credential hijacking in organisational networks,” he said.
However, iboss network security’s Eappariello argued that “prevention isn’t the cure”.
“IT has to assume malware is on their network and devices and that data might be being exfiltrated right now and for some time in the past,” he said.
“Most companies that have been breached previously don’t find out for some time and then the clean-up process is often impossible when considering the sheer volume of data that has been processed and limited visibility regarding network traffic and data flow.”
Ongoing monitoring, anomaly detection and “fast, responsive reporting” can all help improve firms’ ability to deal with data breaches, alert customers quickly and comply with regulations.