Over the course of several years a small group of cybercriminals there amassed a cache of 1.2 billion user names and passwords, and a half-million email addresses. That’s one-sixth of the world’s population. Some they purchased off the black market, some they swept up on their own using botnets.
Their targets? Any vulnerable website large or small. Obviously there are many, from the well-recognized to the innocuous … in this case 420,000 by one estimate and not only in the U.S. According to Hold Security of Milwaukee, the security firm that disclosed the theft, most of those sites remain vulnerable to attack.
What manner of evil are they about to unleash on the world? What despicable plot is about to unfold? The gang wants to sell you weight-loss pills, or whatever bogus products their clients pay them to spam.
Given that this is the largest collection of stolen digital credentials to date, it could have been far worse. It’s because this was a spam factory and not a scheme to wreak financial havoc that it was kept under wraps. But that doesn’t diminish the seriousness of the crime or the fact that too many websites fail to protect visitors or that visitors fail to protect themselves.
“Criminal activity on the Internet is not new, but the sheer scale of this incident should be a wakeup call for governments, consumers, and especially for information security professionals,” said Peak 10 security expert David Kidd, director of quality and compliance.
The success of cybercriminals is exasperating, as one security professional put it in a recent article on the breach: “The ability to attack is certainly outpacing the ability to defend,” said Lillian Ablon, a security researcher at the RAND Corporation. “We’re constantly playing this cat and mouse game, but ultimately companies just patch and pray.”
Throwing in the towel is not an option. There are simple things we can do to fight back.
Among the causes of vulnerability, poor passwords are a big one. Often passwords are not complex and, even more often, they are not changed regularly. To make matters worse, people use one password for multiple sites; crack one and you’ve cracked many.
Here are two sites that measure the strength of a password: Password Meter and Password Strength Calculator. Password Meter is particularly interesting in that it breaks down the password construct according to best practices. There are a number of similar sites as well. (Of course, one has to wonder whether any of these sites is stealing passwords in the process.)
When two-factor authentication is an option, use it. For example, you enter your password. Then a device or a text message presents you with a unique identifier that you must enter before gaining site access. Bank cards use the physical card first, followed by the PIN; you need both to complete a transaction.
Some people shun this because “it’s not convenient” or “it takes too much time.” Try dealing with a stolen identity if inconvenience is bothersome.
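The two-step flow described above, as an added example that is not from the original post: a server-side login check that only succeeds when both a salted password hash matches and a one-time code from the user’s device is valid. The second factor is assumed to be a time-based one-time password (TOTP, RFC 6238); the user record, salt and secret are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo credential store: one user with a salted PBKDF2 password
# hash and a TOTP secret. The secret is the RFC 6238 reference value; nothing
# here comes from a real system.
_SALT = b"demo-salt"
_ITER = 100_000
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, _ITER),
        "totp_secret": b"12345678901234567890",
    }
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second step."""
    return hotp(secret, at // step, digits)

def check_password(user: str, password: str) -> bool:
    """First factor: constant-time comparison of the salted password hash."""
    rec = USERS.get(user)
    if rec is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], _ITER)
    return hmac.compare_digest(candidate, rec["pw_hash"])

def check_second_factor(user: str, code: str, now: int, window: int = 1) -> bool:
    """Second factor: accept the code for the current step or its neighbours (clock drift)."""
    rec = USERS.get(user)
    if rec is None:
        return False
    return any(hmac.compare_digest(code, totp(rec["totp_secret"], now + k * 30))
               for k in range(-window, window + 1))

def login(user: str, password: str, code: str, now=None) -> bool:
    """Access requires both factors; the password alone never grants it."""
    now = int(time.time()) if now is None else now
    return check_password(user, password) and check_second_factor(user, code, now)
```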
“Russian cyber gangs are known for breaking in to steal whatever they can as quickly as possible,” said Joshua Roback, security architect, SilverSky. “We should expect to see these accounts for sale on underground forums before the week is through.”
Technology advancements don’t take sides; they’re accessible to all. When your primary objective is criminal, you immediately have an advantage over those not so inclined or dedicated full time to mounting defenses. That’s always been the case with crime, which is why we avoid dark alleys at night. The Internet is only a new field of play.
Guarding user names and passwords is one action we all can take, keeping us from going down dark, unseen cyber alleys. Peak 10’s David Kidd points to others that all businesses could benefit from: “Security offerings including encrypted virtual private network connections, advanced intrusion detection and prevention systems, two-factor authentication and a strong security awareness program can help secure systems from criminal attack.”
The other side is not giving up. We won’t either.