Security Advisor
Russian Crime Ring Steals 1.2 Billion Online Passwords
This week's incident highlights the need for a change in attitudes relating to corporate security.
A crime ring operating out of Russia has collected what is being called the largest batch of stolen online credentials, including usernames, passwords and e-mail addresses across multiple services.
The New York Times reported on Tuesday that Milwaukee firm Hold Security discovered the theft and said the obtained information came from 420,000 different Web sites, with targets spanning the entire globe.
"Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites," said Alex Holden, chief information security officer of Hold Security, to The New York Times. "And most of these sites are still vulnerable."
The list of affected sites has been kept private to avoid further information leaks.
According to the security firm's blog post that disclosed the incident, the database of stolen information was acquired on the black market by gaining access to a large network of botnets, which had originally obtained the information through leaks from unpatched SQL server holes.
The crime ring, which Hold Security has called "CyberVor" ("vor" means "thief" in Russian), is known mostly for sending out spam, including bogus deals for weight loss pills. According to the firm's 18-month investigation, financial information was never targeted by the group. However, activity using the stolen credentials has already been spotted: the group has been using the information to send spam on social networking sites like Facebook and Twitter.
Experts reacting to the incident point to lax enterprise security as the main culprit behind this and other recent high-profile thefts (including last year's Target breach). Pierluigi Stella, CTO for Network Box, said the dangerous practice of enterprises choosing security procedures based on cost effectiveness rather than actual need will continue to lead to incidents like these.
"The time when we compared risk assessment to a horse in a stable (don't spend more money for the fence than for the horse) is long gone," said Stella in an e-mailed comment. "We need to change the approach and understand that the risks are much higher; losing your data can (and WILL) cost you your company."
Redmond columnist Don Jones spoke of this corporate change in attitude in his June column "The Quest for a Culture of Security." In it, he said if an enterprise has not clearly analyzed what is the actual cost of a large data leak, security is not a strong focus of the enterprise. "If you don't know, you're probably not making good, metrics-based decisions when it comes to security," wrote Jones. "After all, without knowing your level of risk, you can't decide how much it's worth spending to mitigate it."
Aside from investing more money and time in a comprehensive analysis and strategy, what are some more practical steps companies can take to avoid situations like this week's data theft? Hold Security said companies should double check to see if their corporate Web sites are open to SQL injection attacks (including auxiliary sites), and make sure all online servers are patched and up to date.
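The check Hold Security recommends, shown here as an added example that is not code from Hold Security or from this column: a credential lookup written the vulnerable way and the parameterized way against a constructed in-memory SQLite table, plus a small self-check that flags any lookup whose result set changes when the username carries SQL syntax.

```python
import sqlite3

# Constructed sample credential table; the values are not real data.
SAMPLE_USERS = [
    ("alice", "hash_a", "alice@example.com"),
    ("bob", "hash_b", "bob@example.com"),
]

# A username that a login form could receive; it is not a valid account
# name, so a correct lookup must return no rows for it.
PROBE_USERNAME = "' OR '1'='1"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    # The defect behind this kind of leak: the value is pasted into the SQL
    # text, so quotes in the input become part of the query.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Hardened form: the value is bound as a parameter and is never parsed
    # as SQL, whatever characters it contains.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_injectable(lookup, conn):
    # Self-check for the "double check your sites" step: a lookup that
    # returns any row for a nonexistent username containing SQL syntax is
    # treating input as code and needs to be fixed.
    return len(lookup(conn, PROBE_USERNAME)) > 0


if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup injectable:", is_injectable(lookup_vulnerable, db))
    print("parameterized lookup injectable:", is_injectable(lookup_parameterized, db))
```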