A source told the Guardian on Tuesday that a Russian cyber gang has stolen roughly 1.2 billion unique username/password combinations tied to more than 500 million email addresses. However, there does not seem to be enough information to tell whether the reporting party is telling the truth. At least no big-name security firm has been allowed to verify the claim. An information security researcher from University College London told the Guardian:

"It’s plausible that they have found this many credentials, but whether they actually have or not we would need to see more data ... We’ve been told independent experts have verified it, but we haven’t seen what they’ve verified and we don’t know who they are."

The article goes on to say that this news, whether true or not, is just another nail in the theoretical coffin for the use of usernames and passwords as the mechanism of choice for securing Web sites. People are always given advice of the form "You need to make a secure password that is some number of characters long, contains each of the following character types, and is difficult for others to guess but easy enough for you to remember." However, the problem is not that people cannot remember their passwords; it is that they have so many passwords for so many places that we, as security professionals, should not reasonably expect them to remember all of them without reusing the same one here and there or writing some of them down, at least the ones they do not use very often.
An alternative solution is to move to another device or mechanism for proving identity. Candid Wueest of Symantec explained that one potential solution would be to use a mobile phone that confirms a login via a push notification or text message, which the user verifies to allow entry into a website or computer system. In other words, this quote is referring to two-factor authentication, which is something that I have been using for almost a year now on the sites that allow it. Twitter, Google, LastPass, Evernote, Duo Security (a two-factor authentication vendor), and many others have begun to utilize this technique as an additional means of verifying someone's identity.
I thought it was interesting that the security firm claiming to have discovered the theft will not release any data, yet says the credentials were stolen from many big-name sites. They had the New York Times sign a confidentiality agreement before an outside analyst, not affiliated with the firm, was allowed to examine the data and verify its authenticity. What sites are they referring to? There has been no word of any company making a public statement urging its users to change passwords, but the security firm claims that some of them do know their records are among those stolen. I also found it very interesting that the CISO of the security firm (Hold Security) has sources in the cyber-criminal world who have given him information about the nature of the attack as well as the possible general whereabouts of the criminals. I would really like to know whether I need to warn anyone to go change their account passwords because of a large breach.
At this point, no one is sure of anything. It is still too early to determine exactly what happened, if anything. The best thing people can do for the moment is watch their accounts closely, especially those tied to financial data: banks, credit cards, etc. We will have to see what surfaces in the next few days.
It appears that the primary method the hackers used to get the information was SQL injection. The gang built a large botnet of zombie computers (machines taken over by an attacker, usually without the owner's knowledge, and used to attack other targets at scale) to visit Web sites and test whether they were vulnerable to SQL injection. If a site was, the gang marked it as vulnerable and came back later to siphon off whatever data the injectable query could reach.
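To make the scan-then-harvest pattern concrete, here is an added example (written for this post, not taken from the original article or from Hold Security's report) of a login query built by string concatenation, the crude single-quote probe a mass scanner can use to detect it, the payload that then dumps the table, and the parameterized version that defeats both. It runs against an in-memory SQLite database with constructed rows; the table and column names are assumptions, and the passwords are kept in plaintext only to keep the injection demonstration short.

```python
import sqlite3
from typing import Callable, List


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> List[str]:
    """Attacker-controlled text is spliced into the SQL grammar itself."""
    sql = ("SELECT email FROM users WHERE email = '%s' AND password = '%s' "
           "ORDER BY id" % (email, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, email: str, password: str) -> List[str]:
    """Same query, but the values travel as bound parameters: quotes are data, never syntax."""
    sql = "SELECT email FROM users WHERE email = ? AND password = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (email, password))]


def probe_for_injection(login: Callable[[str, str], List[str]]) -> bool:
    """Crude error-based check of the kind a mass scanner runs: a lone quote that
    unbalances the statement makes the database throw a syntax error."""
    try:
        login("'", "x")
    except sqlite3.OperationalError:
        return True
    return False


# Tautology payload: the injected OR makes the WHERE clause true for every row.
DUMP_PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    for name, fn in (("vulnerable", login_vulnerable), ("parameterized", login_parameterized)):
        bound = lambda e, p, fn=fn: fn(db, e, p)
        print(name, "injectable:", probe_for_injection(bound))
        print(name, "dump attempt returns:", bound(DUMP_PAYLOAD, DUMP_PAYLOAD))
```

A real scanner would also look for time-based and boolean-based differences rather than only error messages, and the injected `SELECT` would usually be a `UNION` against the password table rather than a tautology in the login form, but the fix is the same: every value that comes from the client goes through a bound parameter.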
Brian Krebs of Krebs on Security said that he has seen the data found by Hold Security first hand and that it is, without a doubt, the real thing, but he is not at liberty to disclose how the information was obtained or whom the data belongs to. He also mentioned that Hold Security does have close ties to the cyber-criminal underground.
Furthermore, an article from Dark Reading says that the gang, at this time, does not appear to be selling any of the information it has gathered. They look to be using it to run an email spamming business for hire.
Do we know how many of the stolen password databases were hashed, and how? That would tell us how many of the passwords are readily usable by the attackers. Yes, the SQL injection vulnerabilities should be fixed, but storing a salted, slow hash of a password instead of the password itself means that even when the table is stolen, each password still has to be guessed and re-hashed one user at a time. A fast, unsalted hash such as plain MD5 or SHA-1 buys far less, because a single precomputed table of common passwords reverses every such record at once.
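The difference is easiest to see side by side. The following is an added example written for this post, not code from the original article or from any site named in it: a PBKDF2-HMAC-SHA256 store with a per-user random salt and a high iteration count, next to the weak alternative of a single unsalted SHA-256, and the attacker's view of each. The record format string and the wordlist are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, List

# Stored-record layout assumed for this example (not any real site's scheme):
#   pbkdf2_sha256$<iterations>$<base64 salt>$<base64 derived key>
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, slow hash. A fresh 16-byte salt per user means two users with the
    same password get different records, so precomputed tables are useless."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != ALGO:
        raise ValueError("unsupported hash format: %s" % algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    got = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                              int(iterations), len(expected))
    return hmac.compare_digest(got, expected)


def unsalted_sha256(password: str) -> str:
    """What a weakly designed site stores instead: one fast, unsalted digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(digests: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """The attacker hashes the wordlist once; that single table answers every
    stolen unsalted digest by lookup. Returns {digest: password} for hits."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return {d: table[d] for d in digests if d in table}


def crack_salted(records: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Against salted, slow hashes there is no shared table: the KDF must be
    rerun per record and per guess, len(records) * len(wordlist) times."""
    found = {}
    for rec in records:
        for w in wordlist:
            if verify_password(rec, w):
                found[rec] = w
                break
    return found


if __name__ == "__main__":
    # Constructed wordlist and sample users.
    wordlist = ["password", "letmein", "hunter2", "qwerty"]
    weak_store = [unsalted_sha256(p) for p in ("letmein", "hunter2", "c0rrect-h0rse")]
    print("unsalted hits:", crack_unsalted(weak_store, wordlist))
    strong_store = [hash_password(p, iterations=50_000) for p in ("letmein", "c0rrect-h0rse")]
    print("salted hits:", len(crack_salted(strong_store, wordlist)), "of", len(strong_store))
```

Note that the slow hash does not save a user whose password is on the wordlist; it only multiplies the attacker's cost by the iteration count and removes the shared-table shortcut, which is why the iteration count should be set as high as the login path can tolerate and raised over time.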
For more on this breach, visit the Hold Security blog: http://www.holdsecurity.com/news/cybervor-breach/.
- Breach Source: http://www.holdsecurity.com/news/cybervor-breach/
- Source: http://www.theguardian.com/technology/2014/aug/06/cybersecurity-expert-russian-hacking-scare-hold-security-passwords
- Source: http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0
- Source: http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/
- Source: http://www.darkreading.com/biggest-cache-of-stolen-creds-ever-includes-12-billion-unique-logins/d/d-id/1297811