As I sit here spending my day changing all my passwords, for I can’t remember how many times this year, I can’t help but wonder if we have reached a tipping point when it comes to TRUST on the Internet.
At this point it is difficult to imagine that you have not seen the story, emanating from the Black Hat security conference now underway in Las Vegas and first reported last night in the New York Times (NYT), that according to Milwaukee, WI-based Hold Security a Russian crime ring has accumulated the largest known cache of stolen Internet credentials. Hold says the trove includes 1.2 billion user name and password combinations and more than 500 million email addresses. And yes, you read that correctly: that is billion with a “B”, representing roughly one-third of all current users of the Internet.
In addition, Hold Security says the information was collected from 420,000 websites, ranging from household names to small Internet sites. It should be noted that before going public with the information the New York Times had another security firm validate the findings as credible, and, as reported, for a host of really good reasons Hold Security would not name the victims or the sites which it says remain vulnerable to compromise by the bad guys.
NYT quotes Alex Holden, the founder and chief information security officer of Hold Security, as stating that, “Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites… And most of these sites are still vulnerable.” Mr. Holden added that as far as his research can tell there is no connection between the criminal activities and the Russian government, although that seems little consolation to us users facing a major inconvenience.
What security experts are saying
The NYT article goes on to provide historical context for this latest breach revelation and how this arsenal might be further exploited. This included the observation that, “So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.” They did note that selling such records on the black market is lucrative, and that personal information once in the wrong hands is how bad actors can easily engage in identity theft.
There is also a good explanation of how easy it has been for the Russian criminals to capture the information by using botnets with great effectiveness and efficiency.
How efficient? Holden said, “They audited the Internet.” And, while it is not clear how the botnets infected their targets initially, the article says that by July the criminals had collected 4.5 billion records. Plus, after massaging the data, Hold Security found 1.2 billion unique user name and password records; once the duplicates created by the same combinations we all reuse across multiple email addresses were taken out, the criminals’ database included about 542 million unique email addresses.
Those of us who cover security matters were besieged with commentary from industry experts, and continue to be as this story unfolds. That said, I’d like to share two that really resonated with me.
First is one from Mark Bower, VP of Product Management and Solutions Architecture for Voltage Security, who said what I have been thinking since all of this became public. He stated, “This sounds all too familiar -- weakly secured sites, preventable vulnerabilities that aren’t patched, and automated bot-nets to exploit them yielding massive troves of identity data suitable for ruthless secondary online system attacks at tremendous scale. Yet more evidence the bad guys are winning big at consumers’ expense who will foot the bill for this in the end like a hidden tax. Clearly it’s time to change the game in data security and neutralize data breach risks instead of paying the heavy price when sensitive data falls into the wrong hands all too easily.”
The remarks that really hit home were those of Pierluigi Stella, CTO for Network Box USA, who said: “I confess, I’ve become jaded – I no longer read such news. In fact, the more likely scenario is I go, ‘Ah, another one.’” He went on to observe:
“Why do we continue to be surprised? We’re playing with fire, underestimating the importance of security, although we continue to talk about it as something beyond vital. At the end of the conversation, there’s always someone asking about costs and slashing budgets. And these are the results.
The true risks of security cannot be measured in such rudimentary ways anymore. The time when we compared risk assessment to a horse in a stable (don’t spend more money for the fence than for the horse) is long gone. We need to change the approach and understand that the risks are much higher; losing your data can (and WILL) cost you your company.
Data breach notification laws now require that every user be notified (and that’s fairly across the board in all states), and that alone can cost a fortune. Insurance companies will cover some of that cost (if you have cyber security insurance) but you’ll still be out a lot of money. Let’s not even begin to peg a dollar value to corporate reputation, and loss thereof - how many of us refrained from shopping at Target for a long time at the beginning of this year? That’s a cost you can’t easily quantify nor foresee.
When will the time come when companies take security seriously ‘for real’ and not only on paper? One has to wonder.”
Patch and pray is not the answer
The NYT article concluded with a quote from Lillian Ablon, a security researcher at the RAND Corporation who said, “The ability to attack is certainly outpacing the ability to defend.” She added, “We’re constantly playing this cat and mouse game, but ultimately companies just patch and pray.” As all experts agree at this point, and as every report on security matters highlights, the bad guys are really good at what they do and are getting better at it seemingly faster than our ability to defend.
Unfortunately, again as study after study has pointed out, patching and praying is insufficient these days. However, it must also be noted that most of the studies point out that a large degree of hazard can be mitigated by doing simple things. An abbreviated list includes making sure all software and apps are up-to-date, old versions of popular items like Java are removed when updating, passwords are changed frequently, anti-virus and anti-malware are also up-to-date and run frequently, and encryption is used where it makes the most sense. In fact, protecting email is a great place to start.
Does this mean all of our prayers will be answered? No it does not! However, enterprise IT shops, websites and we as users all need to up our games. Indeed, as the Black Hat event highlights, it is not just our personal information that is at risk. Already there has been a demonstration of how easy it is to hack a keyless car. Caution flags are up on the lack of security of anything dealing with the Internet of Things (IoT), and this should be a warning to everyone about “Everything”.
In answer to the question posed in the headline as to whether we have reached a tipping point regarding TRUST which totally undermines confidence in the Internet and thereby throttles its use and the pace of innovation, the answer is a tentative NO! The incredible utility of the Internet dictates that we all roll the dice and take our chances. That said, the onus of improving the probability of peace of mind rests on all of us in both our professional and personal personae.
If the latest revelation proves nothing else it is that the days of relying on passwords and even challenge questions for protection are over. The industry is rushing to come up with much stronger and multi-factor authentication, and each new operating system is coming out with enhanced security. Yes, this is a cat and mouse game, but it is time for the mice to get a lot smarter.
In the meantime, I don’t know about you but I wish there was a secure app I could use that would go into all of my apps and places I sign on and use a random password generator to which I only held the keys, along with the info on when my credentials were updated. This manually changing stuff is really getting old. Plus, I am sure I will miss a few and I pray I do not suffer the consequences, although the best advice is to stay both current and vigilant.
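The two pieces of that wish, random passwords nobody can guess and a record of when each credential was last rotated, are small enough to sketch. The Python below is an added example, not code from the original column or from any product it mentions; the vault is a hypothetical in-memory dictionary standing in for whatever encrypted store a real password manager would use, the 90-day rotation window is an assumption, and the site names and dates are constructed sample data. It draws passwords from the operating system’s cryptographic random source rather than a seeded generator, and it reports which entries have aged past the window so the "I am sure I will miss a few" problem becomes a list instead of a guess.

```python
import secrets
import string
from datetime import date, timedelta

# Character classes every generated password must draw from.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length=20):
    """Return a random password using the OS CSPRNG (secrets module).

    Draws uniformly from ALPHABET and retries until every character
    class is present, so downstream complexity rules never reject it.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to cover every class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw)
                and any(c in SYMBOLS for c in pw)):
            return pw


def record_rotation(vault, site, rotated_on, length=20):
    """Store a freshly generated password for `site` with its rotation date.

    `vault` is a hypothetical in-memory dict: site -> {password, rotated_on}.
    `rotated_on` is an ISO date string such as "2014-08-06".
    """
    vault[site] = {
        "password": generate_password(length),
        "rotated_on": date.fromisoformat(rotated_on),
    }
    return vault[site]


def stale_sites(vault, today, max_age_days=90):
    """Return, sorted, the sites whose credential is older than max_age_days."""
    cutoff = date.fromisoformat(today) - timedelta(days=max_age_days)
    return sorted(site for site, rec in vault.items()
                  if rec["rotated_on"] < cutoff)


if __name__ == "__main__":
    # Constructed sample vault: two entries rotated at different times.
    vault = {}
    record_rotation(vault, "webmail.example", "2014-01-15")
    record_rotation(vault, "bank.example", "2014-07-20")
    for site, rec in vault.items():
        print(f"{site}: rotated {rec['rotated_on']}, password length {len(rec['password'])}")
    print("overdue for rotation:", stale_sites(vault, "2014-08-06"))
```

The retry loop in generate_password is the one design choice worth noting: forcing each class by position (first character lowercase, second uppercase, and so on) would leak structure, whereas resampling the whole string keeps every accepted password uniformly distributed over the set that satisfies the rule.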
Have a nice day!