A report that Russian hackers have hoarded 1.2 billion stolen passwords could prove to be an important catalyst for beefing up information security.
"In the end, it is not important whether this report is legitimate or not," says attorney Francoise Gilbert, founder and managing director of the IT Law Group. "This new incident, whether it is true or is the perfect script for Hollywood, reflects the brutal reality that many, or most, websites are not adequately secure."
Milwaukee-based startup company Hold Security warned Aug. 5 that a "Russian cyber gang" - which it dubbed CyberVor - has amassed more than 4.5 billion records, including a cache of 1.2 billion passwords tied to more than 500 million e-mail addresses (see: 5 Facts About CyberVor Report). CyberVor used botnets to scan hundreds of thousands of websites for known vulnerabilities, Hold Security says.
"This [news] is important because it shows consumers and companies how vulnerable they can be," Gilbert says. "The most important lesson is that each company and each individual must take affirmative steps to protect identity credentials, user IDs, passwords and access to networks and devices."
The report about Russian hackers' activities also highlights how reliance on passwords for security is outmoded and points to the need for more sophisticated, multifactor authentication.
But many organizations that have contemplated using advanced authentication techniques have hesitated because of cost concerns, administration overhead and the burden to manage the process, says Bruce Murphy, a partner at Deloitte and Touche who specializes in computer and network security.
"There are some of these consolidated password tools that are emerging that potentially could be a solution to this," Murphy says. "This problem isn't going away anytime soon. There's growing sentiment to ... put stronger, secondary authentication techniques in place."
In an interview at the Black Hat USA conference, Mikko Hypponen, chief research officer at F-Secure, said the mega-breach "is the fault of the websites that don't secure customers' information."
Worse Than Target?
In a blog post, Avivah Litan, an analyst at the consultancy Gartner, suggests that the password heist is worse than the Target data breach in December 2013. "There's a lot of chatter about the motivations of the company who told The New York Times about this story," Litan says. "Frankly, no matter what the motivations were or are, the story is still true and it's still ominous."
Litan says the Target breach pales in comparison to the latest revelation from Hold Security. "With Target and stolen cards, consumers are protected financially and the banks can stop the stolen cards from being used relatively quickly," she says. But with the theft of passwords and other sensitive data, criminals have access to many accounts where security protections are inadequate and systems are much more fragmented, she contends.
"For example, if someone steals money from my online retirement account, I have to go through a lot of very time-consuming hoops to get my money back and may not get it back in the end if my retirement company doesn't want to give it back to me," she says. "They can tell me it's my fault my password was stolen."
Legitimacy of Report
Meanwhile, citing scant details and the timing of the news (released at the start of the Black Hat USA conference), the security community continues to debate the legitimacy of the report produced by Hold Security. "Without firm corroboration we can only speculate," says Steve Durbin, global vice president of the Information Security Forum. "Information and specifics are scant, so it's a tough one to call at this stage."
The lack of details offered by Hold Security generates skepticism, says Deloitte's Murphy. "There's still some work to be done to know the full extent of the [breach]," he says. "There may be some duplicates, so it may not be as large as initially contemplated. Until there's full transparency around this and there's additional multiple vetting techniques around it, there's going to be raised eyebrows and concerns that this isn't really as extensive."
But many observers counter that the report appears accurate. "This is a legitimate report, if we can rely upon The New York Times' dual validation process," says Christopher Paidhrin, security administration manager at PeaceHealth, a healthcare provider in the Pacific Northwest.
The New York Times reports that a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. The newspaper also reports that another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.
A Catalyst for Change
Regardless of the debate about the report's details, however, organizations and individuals should view the news about the password heist as a signal to implement stronger security protocols, experts say.
Paidhrin notes, for example, that SQL cross-site scripting has been the leading website vulnerability for some time. "Preventing cross-site injection attacks is first on every security priority list," he says. "Any organization that does not harden their Web services with updates, patches and at least one security event detection capability is a prime target for easy abuse."
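The injection class at issue in credential theft from websites is SQL injection: user input spliced into query text so that quote characters alter the query's structure. As an added illustration, not code from the article or from any organization it quotes, the following Python snippet builds a constructed in-memory SQLite user table, runs the same lookup two ways, and shows why parameter binding is the hardening step. The table, its two rows and the payload string are all made up for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a website's credential store (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT UNIQUE, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice@example.com", "argon2id$...alice..."),
        ("bob@example.com", "argon2id$...bob..."),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """VULNERABLE: the caller's input is concatenated into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """HARDENED: parameter binding sends the value separately from the query
    text; the database never parses the input as SQL, whatever it contains."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return sorted(row[0] for row in rows)


def demo() -> dict:
    conn = make_db()
    # Constructed attacker input: closes the literal and adds an always-true clause.
    payload = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, payload),   # every row leaks
        "safe": lookup_safe(conn, payload),               # no row matches the literal string
        "legit": lookup_safe(conn, "alice@example.com"),  # normal lookup still works
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The vulnerable query becomes `SELECT email FROM users WHERE email = 'x' OR '1'='1'`, which matches every row; the bound-parameter version looks for an address literally equal to the payload and finds nothing. The same rule applies to ORMs and other drivers: if the input ever appears inside the query string, it is concatenation, however it is spelled.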
But the larger threat, Paidhrin says, is weak credentials, the reuse of credentials for different websites and bad password management habits. "Everyone should have an encrypted password management solution," he says.
Gilbert, the attorney, says individuals and organizations "should make it a practice to use or require the use of strong passwords; use or require the use of strong authentication methods; require that these passwords be changed frequently; [and] educate and increase awareness of personnel, users, etc."
Individuals who use the same username and password across multiple sites are particularly vulnerable, notes Durbin of the Information Security Forum. "Now would be a good time to revisit that habit and consider the use of a password management system to help manage multiple passwords, or simply to change the passwords associated with their more valuable sites," he says.