Diagram Views

When Was the Last Time You Changed Your Password?

Mark Millette
#Industry Insights, #Hosting, #Events
Published on August 20, 2014

You've probably heard about the latest online security breach. Have you changed your password lately? Here's why you should do so.

If you’re like me, you have a tendency to stick with a certain set of passwords for your personal data, and maybe a few more for your work-related accounts. Trust me, I hate changing my passwords; it takes me weeks before I can remember them without looking them up.

Well, unless you are hiding under a rock and missed the news lately, there has been a cyber-gang that has stolen a reported 1.2 billion credentials consisting of both usernames and passwords (that sounds preposterous, but, hey, it must be true if the New York Times reported it). If these reports are accurate, a group of Russian hackers known as “CyberVor” has pulled off an Internet heist of jaw-dropping proportions.

Let's pause for that to sink in: The owners of more than a billion Internet credentials (which is the equivalent of one third of all the email accounts on the entire planet) are potentially at risk of identity theft, stolen financial information, and a slew of other repercussions. And it's all because these hackers managed to write code that infiltrated unwitting accomplices' home computers to rob data from the more than 420,000 websites they visited.

How did this happen?

The hackers began stealing these credentials several months ago by distributing spam. Their process starts with a simple email I am sure you have all seen, one which claims your account may have been compromised. It tells you that you need to change your account password for your ISP or some other site which you use, or that you need to log in and validate some minor information on your account. This email might look legitimate, so you click on the link, and then nothing happens, or it takes you to a redirected site that asks you to fill in some information. This all seems harmless enough, so after you’ve updated your information or password, you discard the email and eventually delete it. Unfortunately, you may have loaded some malicious code that added you to a botnet, which is a large group of virus-infected computers controlled by one or more criminal systems.

The botnet that the Russian hackers used conducted what is possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. The cyber gang used these vulnerabilities to steal data from these sites’ databases. A security firm called “Hold Security” out of Milwaukee reports that the hackers mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords.

So now what?

The vulnerability that seemed most relevant in this case was due to the use of what is called “SQL injection.” This type of intrusion is hard to detect, and it may not directly affect a particular site, but might target an auxiliary site instead. SQL injection is not so much a vulnerability that can be simply patched; instead, it is related to poor coding techniques in SQL queries, where user-supplied input is pasted directly into the text of a query. If you want to make sure your site is safe from SQL injection, there are simple techniques and precautions that can shield web applications from this type of intrusion. Making application security a priority at the time of design and including security testing as part of the non-functional requirements are the basis of good programming practices.
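To show what the “poor coding technique in SQL queries” mentioned above actually looks like, here is an added example (written for this edit, not code from the original post): a login check that builds its query by string formatting, beside the same check using bound parameters, both run against a constructed in-memory SQLite table.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a site's user table (sample data, not from the post).
    # Real systems store password hashes, not plaintext; the point here is the query shape.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    # Poor coding technique: user input is pasted straight into the SQL text, so a
    # quote character in the input changes the structure of the query itself.
    sql = (f"SELECT COUNT(*) FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(sql).fetchone()[0] > 0


def login_parameterized(con, username, password):
    # Hardened form: placeholders hand the input to the driver as data, so it can
    # never be interpreted as SQL no matter what characters it contains.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    # Constructed test input that turns the WHERE clause into "... OR '1'='1'".
    injected = "' OR '1'='1"
    con = make_db()
    return {
        "vulnerable_wrong_password": login_vulnerable(con, "alice", "wrong"),
        "vulnerable_injected": login_vulnerable(con, "alice", injected),
        "parameterized_wrong_password": login_parameterized(con, "alice", "wrong"),
        "parameterized_injected": login_parameterized(con, "alice", injected),
        "parameterized_correct": login_parameterized(con, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'login accepted' if result else 'login rejected'}")
```

The vulnerable version accepts the injected input without knowing the password; the parameterized version rejects it and only accepts the real credential.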

Secondly, change your passwords. Wait, let me repeat that again… Change your passwords! And make it a requirement to do this at a set interval, such as every 60 to 90 days. I know people don’t like to do this, but if any of your personal data was compromised, dealing with the hassle is far simpler than trying to recover from identity theft or notifying your clients that you had a security breach due to weak passwords.

Tools and Tips

  • Store your passwords in a safe location, or use a password database with a high level of encryption. I personally use a free tool called KeePass. With this tool, as long as I can remember the master password, I can store all my personal and work related passwords safely on a jump drive or some other media.
  • Use complex passwords with a minimum of 10 characters, a mixture of uppercase, lowercase, numeric, and special characters. For example, instead of “Eye of the storm”, use “3y3_0fTh3_$t0rM!”
  • There are several commercial products available for website vulnerability testing, along with some open source products like Nmap or the BackTrack virtual appliance. These tools may trigger alarms with your network team, so it is wise to notify them of what you are doing and to work as a team when doing your pen testing.
  • Use different passwords for each of your accounts.
  • Beware of scams related to newsworthy breaches. If you get an email or text with instructions to click on a link to change your password, don't click it. Instead, manually type in URLs, or call tech support and verify the source.

As information continues to move online, it’s more important than ever to monitor security at both a personal and professional level. Do you want to know more about how to keep your information secure? Do you want to make sure your site isn’t vulnerable to attacks? Please share any questions you might have in the comments below, or contact us to speak with a Solutions Engineer.