5 Facts About CyberVor Report
Experts Question Threat Severity Based on Scant Details
A report that Russian hackers are hoarding more than 1 billion stolen passwords triggered worldwide concern, but security experts caution that scant details have been revealed, making the threat tough to judge.
Milwaukee-based startup company Hold Security warned Aug. 5 that a "Russian cyber gang" - which it dubbed CyberVor - has amassed more than 4.5 billion records, including a cache of 1.2 billion passwords tied to more than 500 million e-mail addresses (see: Security Firm: 1.2 billion Credentials Hacked).
Obviously, the industrial-scale harvesting of online credentials is bad news for businesses and consumers alike and suggests that something about today's username and password ecosystem must change.
As this story unfolds, here are five related facts to consider:
1. Timing Raises Eyebrows
The timing of the announcement, made in a "You Have Been Hacked!" blog post by Hold Security, has raised eyebrows among security and breach experts. For starters, two of the world's biggest security conferences - Black Hat and Def Con - run back-to-back this week in Las Vegas; widespread information security hyperbole is a given.
Hold Security, furthermore, announced at the same time that it's selling a new breach notification service to businesses for $120 per month, so they can see if their data turns up in stolen caches and thus learn if they were hacked. Those service details, however, have since been excised from the site, replaced by "coming soon." But the company is still offering a paid, monthly monitoring service for consumers, designed to do the same thing on an individual level.
2. The Details Are Sketchy
Hold Security didn't immediately respond to a request for further details of the attack campaign. To date, it's released no information about which sites were hacked, thus making it difficult to ascertain how dangerous this cache of stolen data might be. "Unfortunately there's so little information in Hold Security's report that it's hard to comment in much of a meaningful way," says Oxford, England-based independent security consultant Graham Cluley.
Hold Security has so far declined to name any of the companies that might have been breached, citing non-disclosure agreements and a desire to not anger other businesses. The New York Times, which was the first to report the story, says that at its request, an independent security expert reviewed the data obtained by Hold Security and found it to be authentic.
"It's difficult to know how much of a threat this poses as they are being coy about saying who exactly was affected. It's a rather unusual approach to take for a security company," Alan Woodward, a professor in the computing department at England's University of Surrey, tells Information Security Media Group.
"It might even be that we find these are only 'potentially' affected sites and that they are selling results of some scans they've conducted," he says. "Or, it may be that they have come across the cache for sale and have somehow partitioned it up so as to tell folks if they are affected."
3. Botnets Played a Role
Hold Security says the Russian gang, which it's been tracking for seven months, originally purchased databases of stolen information via underground forums. "There are various sites on the Internet where dumps of previously stolen user databases, such as from LinkedIn and the Adobe breaches, are easily available, or indeed the gang could have paid or traded for credentials from other gangs," Brian Honan, an independent information security consultant based in Dublin, tells Information Security Media Group.
But earlier this year, the gang began using botnets to scan websites for SQL injection vulnerabilities, according to Hold Security. The vendor doesn't say whether the attackers rented these botnets or built them themselves, but says the results of the scans identified "over 400,000 sites ... to be potentially vulnerable to SQL injection flaws alone." The attackers then exploited those flaws to extract data, including user credentials, from the affected sites' databases.
"To the best of our knowledge, they mostly focused on stealing credentials," Hold Security says. It claims attackers didn't distinguish between large and small sites, and that affected sites include "many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites."
But that doesn't mean that most of the stolen information poses a threat. "Many of the sites that were probably found are likely to be small, and hence it is unlikely that the credentials found will be of huge value except that, of course, people still use the same e-mail/username and password on multiple sites," Woodward says.
4. Defensive Efforts Are Weak
Of course, security experts have long warned consumers never to reuse passwords across sites, because attackers who steal a credential from one site can simply replay it against other sites where the same e-mail address and password were used. Instead, experts by and large recommend that sites enforce strong passwords and that users pick a unique password for every site they use. "Ideally, of course, you'd use a password manager," says Woodward, and also enable multi-factor authentication wherever it's available.
Many people, however, still reuse passwords. Dashlane, a password management service, says that among its user base, 70 percent reuse passwords on nine or more sites, and 67 percent don't update their passwords on a regular basis. In addition, the average user must manage 55 different accounts that require passwords.
But even the best password-picking prowess and multi-factor authentication only go so far, especially if website developers fail to patch easily exploitable vulnerabilities. "Educating users on employing secure passwords is of little benefit if criminals can break into a company's website using SQL injection - a security vulnerability that is widely known about and easy to fix - or are storing those credentials in an insecure manner," Honan says.
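The two flaws Honan names above, a SQL injection hole and insecure credential storage, are easy to see side by side in code. The following is an added example, not code from Hold Security or from any of the affected sites; it uses a constructed in-memory SQLite table with two made-up users. The vulnerable lookup builds its query by string formatting, so the classic `' OR '1'='1` payload returns every row; the hardened lookup binds the value as a parameter, and the login check stores only salted PBKDF2 hashes and compares them in constant time, so a dumped table does not hand the attacker reusable passwords.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample users (not real data): (email, password).
SAMPLE_USERS = [
    ("alice@example.com", "correct horse"),
    ("bob@example.com", "hunter2"),
]

# Slow, salted hash: a stolen table costs the attacker real work per password.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store the plaintext or a bare hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for email, password in SAMPLE_USERS:
        salt = os.urandom(16)  # per-user salt defeats precomputed tables
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (email, salt, hash_password(password, salt)))
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """BAD: attacker-controlled input is pasted into the query text."""
    query = "SELECT email FROM users WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """GOOD: bound parameter; the input can never alter the query structure."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def verify_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterized lookup plus constant-time comparison of the stored hash."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # leaks every e-mail
    print("safe:      ", find_user_safe(db, payload))        # []
    print("login ok:  ", verify_login(db, "alice@example.com", "correct horse"))
    print("login bad: ", verify_login(db, "alice@example.com", "wrong"))
```

The vulnerable function is deliberately kept to show the failure; in a real code base the only acceptable form is the parameterized one. The hash function and iteration count are illustrative choices, not a claim about what any breached site used.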
"In addition, what is worrying from the reports on this story is that many of the organizations affected are not even aware they have had a security incident," he adds. "This raises questions as to how effective the security is within those companies, particularly in respect to proactive monitoring of their security logs."
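Honan's point about proactive log monitoring is concrete: the SQL injection scans Hold Security describes leave recognizable traces in ordinary web server access logs. The following is an added example, not part of the original article and not Hold Security's or any affected organization's tooling. It runs over a handful of constructed Apache-style log lines, percent-decodes the request path (scanners encode their payloads), matches a few common injection indicators, and flags any source address that sends more than a threshold of suspicious requests.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2014:10:01:02 +0000] "GET /products?id=17 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Aug/2014:10:01:05 +0000] "GET /products?id=17%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98211 "-" "sqlscan/1.0"
198.51.100.23 - - [05/Aug/2014:10:01:06 +0000] "GET /products?id=17%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" 500 312 "-" "sqlscan/1.0"
203.0.113.7 - - [05/Aug/2014:10:01:09 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Aug/2014:10:01:11 +0000] "GET /login?user=admin%27%3B%20WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512 "-" "sqlscan/1.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Illustrative indicators, not a complete SQLi signature set.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"'\s*or\s*'?\d*'?\s*=",            # ' OR '1'='1
        r"\bunion\b.+\bselect\b",            # UNION SELECT
        r"--(\s|$)",                         # SQL comment terminator
        r"\b(sleep|benchmark|waitfor)\b",    # time-based probes
    )
]


def parse_line(line: str):
    """Return a dict of fields, or None if the line is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote_plus(rec["path"])  # decode %27, %20, etc.
    return rec


def sqli_indicators(path: str) -> list:
    """Patterns that fire on the decoded request path."""
    return [p.pattern for p in SQLI_PATTERNS if p.search(path)]


def scan_log(text: str, threshold: int = 2) -> dict:
    """Map source IP -> count of suspicious requests, for IPs at or above threshold."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and sqli_indicators(rec["path"]):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {n} probable SQL injection probes")
```

A check like this is crude compared with a web application firewall, but it is exactly the kind of proactive review that tells an organization it is being scanned before its user table turns up in a cache for sale. The threshold and patterns are assumptions chosen for the sample; tune both against your own traffic.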
5. Passwords Are Here to Stay
The CyberVor gang's industrial-scale harvesting of usernames, e-mail addresses and the passwords tied to them will likely lead to pronouncements that the current system is broken and a more secure alternative must be adopted, Honan says. But at least for the moment, prepare to be stuck with passwords. "We have yet to come across a solution that is as cost-effective and easy to use as passwords," he says. "Until we address those issues, passwords will remain as the main way to authenticate users."
As a result, businesses must sharpen their online security game, Honan says. "It is incumbent on companies to make sure that they implement strong security mechanisms and controls around how they manage those passwords, ensure their websites and systems are secure, and also conduct proactive security monitoring so they can detect and react to security breaches in a timely manner."