Playing Russian Roulette with Internet security

Aug. 7, 2014
This week's massive internet attack that compromised 1.2 billion credentials is just the tip of the iceberg

It seems each new bold hack attack that makes headlines is more grandiose than the last. While this week’s massive hack of more than one billion username and password combinations may not have had the security impact of several recent corporate network breaches, it certainly ranks at the top based on its sheer scope.

Although 1.2 billion credentials were stolen, it is difficult to calculate just how many users this attack affected, because many people have multiple passwords and usernames. Still, given that there are 2.9 billion internet users worldwide, the chances are you or someone you know was hacked. The fear is that, given the sheer volume of accounts compromised, thieves will now be able to use them to access other accounts in the future.

“There has been much commentary that many of these Russian hacked websites are still ‘vulnerable’ – truth of the matter is, they’ve been vulnerable for some time. In the hacker world, this really isn’t news. As long as businesses are more focused on making things run than making them secure, there will be a large number of insecure servers,” says Dave Frymier, CISO of Unisys.

This latest Russian attack was reportedly discovered by U.S. security firm Hold Security of Milwaukee, which has also been credited with discovering the Adobe Systems data breach in October 2013 and the much publicized Target breach in December. According to Hold Security executives, they were able to identify a Russian cyber gang following seven months of exhaustive research. This group, which Hold Security dubbed “CyberVor”, was in possession of the largest cache of stolen data they had ever detected – more than 4.5 billion records – stolen from over 420,000 web and FTP sites, both private and commercial.

At the outset, CyberVor used the black market to secure stolen credentials from their hacker compatriots, using the information to attack e-mail providers, social media and other websites with spam, and to install malicious redirections on legitimate systems. Earlier this year CyberVor changed approach, obtaining access to botnets through their underground black market connections.

“This sounds all too familiar: weakly secured sites, preventable vulnerabilities that aren’t patched, and automated botnets to exploit them yielding massive troves of identity data suitable for ruthless secondary online system attacks at tremendous scale,” comments Mark Bower, Vice President of Voltage Security. “Yet more evidence the bad guys are winning big at consumers’ expense, who will foot the bill for this in the end like a hidden tax. Clearly it’s time to change the game in data-security and neutralize data-breach risks instead of paying the heavy price when sensitive data falls into the wrong hands all too easily.”

These botnets used victims’ systems to identify SQL injection vulnerabilities on the sites they visited. In effect, the botnet conducted what may have been the largest security audit ever: over 400,000 sites were identified as potentially vulnerable to SQL injection flaws alone. The CyberVor gang used these vulnerabilities to steal data from those sites’ databases.
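The flaw the article describes is worth seeing in its smallest form. The block below is an added example, not code from the article or from Hold Security: it builds a constructed in-memory SQLite table of users (the stored hashes are placeholder strings, not real password hashes) and compares a credential lookup that pastes user input into the SQL text with the same lookup written as a parameterized query. Fed the textbook tautology input, the first returns every row while the second matches nothing, which is exactly the difference between a site that leaks its user table and one that does not.

```python
import sqlite3

# Constructed sample data standing in for a site's user table.
# The "hashes" are placeholders, not output of any real password hash.
SAMPLE_USERS = [
    ("alice@example.com", "placeholder-hash-1"),
    ("bob@example.com", "placeholder-hash-2"),
]


def build_db():
    """Create the constructed in-memory database used by the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """The defect: user input becomes part of the SQL text, so the input
    can change the query's logic instead of being treated as a value."""
    sql = "SELECT email, password_hash FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The fix: a parameterized query. The value travels separately from
    the SQL text and can only ever be compared, never executed."""
    return conn.execute(
        "SELECT email, password_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Return (rows leaked by the vulnerable lookup, rows from the safe lookup)
    for the classic tautology input."""
    conn = build_db()
    tautology = "x' OR '1'='1"  # the textbook injection string, shown only to expose the contrast
    leaked = lookup_vulnerable(conn, tautology)
    not_leaked = lookup_safe(conn, tautology)
    return len(leaked), len(not_leaked)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup returned %d rows, parameterized lookup returned %d" % (leaked, safe))
```

The same contrast holds for every driver that supports placeholders; the parameterized form is also the one that a code review or a static scanner can verify mechanically, which is the cheap audit the article's experts wish sites had run before the botnet did it for them.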

“To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords,” report Hold Security officials. “The CyberVor gang did not differentiate between small or large sites. They didn’t just target large companies; instead, they targeted every site that their victims visited. With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”

Sami Nassar, who currently leads the digital security products for the cyber security markets at NXP Semiconductors, believes the problem of Internet security and password protection goes beyond relying on a simple combination of a username and password.

“Advances in computing power have progressed to the point that the average person is no longer able to remember the required length and complexity of a password that cannot be decoded by exhaustive searches from hackers. Add to that, most people use the same, or a variation of the same user name and password for multiple accounts, thereby exposing all those accounts to potential compromise,” Nassar says. “By replacing it with an authentication method that also includes a hardware security IC – otherwise known as a secure element – the process of online access can be made simpler, more private, and more secure.”

Hold Security says that the Russian hackers have not sold many of the records online, but are instead providing the information to third parties to send spam on social networks like Twitter, and charging those “clients” a service fee for the information transactions. Many security experts don’t feel that this breach, as massive as it was, spells disaster for those using the internet. The consensus, however, is that both the public and private sectors are certainly vulnerable and need to take action to secure their networks.

“What consumers need to do is perform the same sorts of risk analysis for their cyber lives as they do in their physical lives. Many people won’t worry about leaving a child’s tricycle in the driveway overnight, but would never dream of leaving their wife’s diamond necklace hanging from the mailbox. Similarly, you can set up a credit card with a low limit and use it for all your internet purchases – when you need to use a bank account, set up one you only use on the Internet and only fund it with a minimal amount of money. This limits your risk of loss to something tolerable,” says Unisys’ Frymier.

“Consumers, or perhaps government, should push for the general adoption of dual-factor authentication. That’s the technical term for the ‘chip and pin’ credit cards we’ve heard about since the Target breach; it can also be applied to any type of authentication. It will stop this password stealing cold by making it valueless. Unfortunately, it adds just a bit of friction to e-commerce by needing a few more clicks and keystrokes, and the perception is that consumers won’t put up with it. Consumers may grumble at first, but it still beats hopping in a car and driving to the store,” Frymier adds.

At minimum, experts certainly recommend changing your passwords now. They also advise that if you are using the same password for multiple websites, this would be a good time to rethink your strategy, since it is just making the hacker’s work easier.

“It’s a difficult state of affairs for online account password security and it always has been – Heartbleed demonstrated that. Security experts can never provide fool-proof security for passwords as it just isn’t possible. Whether it’s through vulnerable code, falling for scams, or trusting others, you just can’t guarantee password protection,” Webroot’s Senior Threat Research Analyst Tyler Moffitt says.

Toyin Adelakun, Vice President of Sestus, an online security company offering a suite of security products used to satisfy multi-factor authentication requirements (FFIEC, CJIS, PCA, HIPAA), thinks this attack is just another indication that the “Internet Arms Race” is truly in full gear. But he offers that this latest event may also have presented all web users with an opportunity to reassess their security policies.

“The ever-growing sophistication of these attacks suggests the attackers have greater resources at their disposal -- and there will always be speculation as to the degree of state backing. Cross-jurisdictional law enforcement cooperation may help amongst allies, but with Russia and the West seeming to diverge on other major points of policy, cooperation on cybersecurity matters is unlikely to bear any short-term fruit,” he speculates.

“But by infecting end-user computers and co-opting them into an army of Web-password vulnerability testers, these gangs may have unwittingly done the wider cyber community an enormous favour: that of auditing the Web for password-management vulnerabilities. However, for full value to be had from this audit, companies (and individuals) need to act quickly. They may not get another chance,” Adelakun adds. “One characteristic of an arms race is that the lead often changes between the contestants. With such focus on password management, it will come as no surprise that password manager software and websites have been and are themselves being attacked. That frontline may see a good few skirmishes yet, but two-factor authentication already exists as a valuable flanking tactic for individuals and companies alike.”

Yet the sad fact remains that cyber security is still the most talked about -- and least acted upon -- subject in our industry. Whether it emanates as total disregard from the C-suite, or a lack of policy enforcement, or just a company willing to play Russian roulette with its data, there is a definite perception issue regarding just how vulnerable our assets are.

Pierluigi Stella, the CTO of Network Box USA, a Houston-based managed services company in the internet space, confesses that he is no longer surprised at such brazen acts of internet piracy.

“I confess, I’ve become jaded – I no longer read such news. In fact, the more likely scenario is I go, ‘Ah, another one.’ We’re playing with fire, underestimating the importance of security, although we continue to talk about it as something beyond vital. At the end of the conversation, there’s always someone asking about costs and slashing budgets. And these are the results,” he says. “The true risks of security cannot be measured in such rudimentary ways anymore. The time when we compared risk assessment to a horse in a stable (don’t spend more money for the fence than for the horse) is long gone. We need to change the approach and understand that the risks are much higher; losing your data can (and WILL) cost you your company.”

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazines Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website SecurityInfoWatch.com. He is also the host of the SecurityDNA podcast series. Steve can be reached at [email protected]