Russian Credentials Breach: Threat of the Week by Robert McGarvey

08/08/2014 08:10

A Russian gang stole an estimated 1.2 billion username/password combinations and, along the way, the criminals also amassed more than 500 million email addresses.

What does the theft mean to credit unions and their members?

For the latter, Adam Levin, founder of Scottsdale, Ariz.-based Identity Theft 911, glumly observed, “This has the potential to become a problem for all of us.”

Milwaukee company Hold Security, which discovered and documented the thefts, added that it believed some 420,000 websites - big companies along with mom-and-pop outfits - had been breached.

Respected security blogger Brian Krebs said he looked at Hold Security’s research and this finding is “definitely for real.”

Some in security contacted by Credit Union Times voiced skepticism about the Hold Security announcement, especially since the company is not disclosing many facts about who the criminals are and how their exploits were detected.

But even skeptics acknowledged that probably something big has happened here. 

A pointed wake-up call was that these attacks were automated. This was not one or 1,000 hackers sitting at monitors in Russia outwitting defense systems. Instead, it was an array of robots – a zombie army of computers contaminated with malware that let the criminals take control – that were programmed to hunt for network vulnerabilities. When they were found, the programs harvested specified information. 

The machines do not sleep. They always are on the attack.

Perimeter defenses such as firewalls simply are not good enough anymore.

“It’s now beyond prevention. A breach has become a dead certainty,” Levin said. “Too many sophisticated people are working on this.”

David Maman, CTO at Israel-based security firm GreenSQL, explained further.

“This mass theft illustrates the creativity of attackers,” he said. “Companies have invested significantly in the protection of their websites and externally facing systems, but attackers have found a way to identify and exploit vulnerable systems to gain access to valuable assets, which in many cases included internal databases.”

“Essentially, they have found a way to tunnel under the perimeter. Companies need to take a serious look at their internal defenses – protecting the assets where they reside, and that means better database protection,” he added.

The big danger is that the thieves will want to monetize the information they stole. Nobody knows exactly how that will happen yet.

“A potential danger stems from the fact that many people use the same password for all the websites they frequent, meaning the impact of this could be significantly amplified,” said Ron Gula, CEO of Tenable, a network security company in Columbia, Md.

At many sites, an email address and a password are used for login. The criminals also have user names, which many of us reuse on multiple sites.

And they have bots that can be programmed to try those credentials on targeted high-value sites.
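The defensive counterpart to the bot-driven replay described above is spotting it in the login logs. The following Python sketch is an added illustration, not code from the article or from any company quoted in it; it assumes a constructed log format of `<ISO timestamp> <ip> <user> <FAIL|OK>` and constructed sample lines, and the thresholds (five distinct accounts within five minutes, at least 80% failures) are assumptions to be tuned per site. A bot replaying leaked username/password pairs fails against many different accounts from one source in a short window, whereas a person who has forgotten a password fails repeatedly on one account; the successes from a flagged source are the reused passwords the bot guessed right.

```python
"""Spotting credential stuffing in login logs (added illustration)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not a real log. 203.0.113.7 behaves like a
# stuffing bot (one try per account; one reused password works for "dave");
# 198.51.100.4 is a person fumbling their own password.
SAMPLE_LOG = """\
2014-08-05T10:00:01Z 203.0.113.7 alice FAIL
2014-08-05T10:00:03Z 203.0.113.7 bob FAIL
2014-08-05T10:00:05Z 203.0.113.7 carol FAIL
2014-08-05T10:00:07Z 203.0.113.7 dave OK
2014-08-05T10:00:09Z 203.0.113.7 erin FAIL
2014-08-05T10:00:11Z 203.0.113.7 frank FAIL
2014-08-05T10:00:13Z 203.0.113.7 grace FAIL
2014-08-05T10:00:15Z 203.0.113.7 heidi FAIL
2014-08-05T10:01:00Z 198.51.100.4 alice FAIL
2014-08-05T10:01:30Z 198.51.100.4 alice FAIL
2014-08-05T10:02:00Z 198.51.100.4 alice OK
2014-08-05T10:03:00Z 192.0.2.9 carol OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return {ip: stats} for sources whose sliding window of attempts covers
    at least `min_users` distinct accounts with a failure rate of at least
    `min_fail_ratio`. Stats come from the widest qualifying window seen."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, outcome = parse_line(line)
            by_ip[ip].append((ts, user, outcome))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()                  # chronological order per source
        users_in_window = Counter()    # user -> attempts inside the window
        fails = 0
        start = 0
        for end, (ts, user, outcome) in enumerate(events):
            users_in_window[user] += 1
            fails += outcome == "FAIL"
            # Slide the left edge forward until every event fits in `window`.
            while ts - events[start][0] > window:
                _, old_user, old_outcome = events[start]
                users_in_window[old_user] -= 1
                if users_in_window[old_user] == 0:
                    del users_in_window[old_user]
                fails -= old_outcome == "FAIL"
                start += 1
            attempts = end - start + 1
            distinct = len(users_in_window)
            fail_ratio = fails / attempts
            if distinct >= min_users and fail_ratio >= min_fail_ratio:
                prev = alerts.get(ip)
                if prev is None or distinct > prev["distinct_users"]:
                    alerts[ip] = {"distinct_users": distinct,
                                  "attempts": attempts,
                                  "fail_ratio": fail_ratio}
    return alerts


def compromised_accounts(lines, alerts):
    """Accounts that logged in successfully from a flagged source: the reused
    passwords the bot got right, and the ones to force a reset on first."""
    hits = set()
    for line in lines:
        if line.strip():
            _, ip, user, outcome = parse_line(line)
            if ip in alerts and outcome == "OK":
                hits.add(user)
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    found = detect_stuffing(lines)
    for ip, stats in found.items():
        print(f"{ip}: {stats['distinct_users']} accounts in "
              f"{stats['attempts']} attempts, {stats['fail_ratio']:.0%} failures")
    print("force password reset for:", sorted(compromised_accounts(lines, found)))
```

On the sample data only 203.0.113.7 is flagged (eight accounts in eight attempts, seven failures); the human retrying one account never reaches the distinct-account threshold, and "dave" is the account whose reused password let the bot in. The same two counters (distinct accounts and failure rate per source) are what a web application firewall or SIEM rule would key on.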


“You can steal any information once you steal credentials,” Maman stressed.

Another victim of this theft may be trust itself.

Shane Shook, chief strategy officer at ZeroFOX, a Baltimore-based social risk management company, predicted that this theft will result in a boom in faked social media credentials, on LinkedIn and Twitter, for instance. 

The core idea is that if you know Joe Schmo, CEO of a credit union, and Joe seeks to link with you on LinkedIn, you will accept. If it is a fake Joe – the account secured with Joe’s purloined credentials – you may find yourself receiving a malware link from Joe that you will click on because you know and trust Joe.

Then you will be infected, even if you don’t know it.

As far as credit unions are concerned, Rick Dakin, CEO of Alpharetta, Ga.-based security company Coalfire, urged: “Change every admin credential you have and change them every Friday thereafter. You have [bad] guys inside your network. Can you admit you should do a risk assessment?”

His point was that many, many networks have been breached, but few systems are good at detecting and alerting when intruders are inside.

That, he suggested, needs to change.

Added Pierluigi Stella, chief technology officer at Network Box in Houston, “Ensure (as much as possible) that [your] network is clean from stealth trojans.”

That’s because a lot of the activity of the Russian criminals involved in this case seems to connect back to malicious trojans downloaded to consumer computers and corporate networks.

For members, the advice of Trend Micro chief cyber security officer Tom Kellermann was blunt: “Change your passwords, immediately,” he said.

That is painful and time-consuming. But it honestly is the best advice in the face of a breach of this magnitude.

Added Gula: “Rather than just changing their passwords in response to this, users should change their password habits overall and refrain from using the same password for each site.”

That will not inoculate the member against possible losses, but it’s a good, first step in self-defense. And it has now become a necessary step.