A Russian gang stole an estimated 1.2 billion username/password combinations and, along the way, the criminals also amassed more than 500 million email addresses.
What does the theft mean to credit unions and their members?
For the latter, Adam Levin, founder of Scottsdale, Ariz.-based Identity Theft 911, glumly observed, “This has the potential to become a problem for all of us.”
Milwaukee company Hold Security, which discovered and documented the thefts, added that it believed some 420,000 websites – big companies along with mom and pop outfits – had been breached.
Respected security blogger Brian Krebs said he looked at Hold Security's research and this finding is “definitely for real.”
Some in security contacted by Credit Union Times voiced skepticism about the Hold Security announcement, especially since the company is not disclosing many facts about who the criminals are and how their exploits were detected.
But even skeptics acknowledged that probably something big has happened here.
A pointed wake-up call was that these attacks were automated. This was not one or 1,000 hackers sitting at monitors in Russia outwitting defense systems. Instead, it was an array of robots – a zombie army of computers contaminated with malware that let the criminals take control – that were programmed to hunt for network vulnerabilities. When they were found, the programs harvested specified information.
The machines do not sleep. They always are on the attack.
Perimeter defenses such as firewalls simply are not good enough anymore.
“It's now beyond prevention. A breach has become a dead certainty,” Levin said. “Too many sophisticated people are working on this.”
David Maman, CTO at Israel-based security firm GreenSQL, explained further.
“This mass theft illustrates the creativity of attackers,” he said. “Companies have invested significantly in the protection of their websites and externally facing systems, but attackers have found a way to identify and exploit vulnerable systems to gain access to valuable assets, which in many cases included internal databases.”
“Essentially, they have found a way to tunnel under the perimeter. Companies need to take a serious look at their internal defenses – protecting the assets where they reside, and that means better database protection,” he added.
The big danger is that the thieves will want to monetize the information they stole. Nobody knows exactly how that will happen yet.
“A potential danger stems from the fact that many people use the same password for all the websites they frequent, meaning the impact of this could be significantly amplified,” said Ron Gula, CEO of Tenable, a network security company in Columbia, Md.
At many sites, an email address and a password are used for login. The criminals also have user names, which many of us reuse on multiple sites.
And they have bots that can be programmed to try the credentials on targeted high-value sites.
“You can steal any information once you steal credentials,” Maman stressed.
Another victim of this theft may be trust itself.
Shane Shook, chief strategy officer at ZeroFOX, a Baltimore-based social risk management company, predicted that this theft will result in a boom in faked social media credentials, on LinkedIn and Twitter, for instance.
The core idea is that if you know Joe Schmo, CEO of a credit union, and Joe seeks to link with you on LinkedIn, you will accept. If it is a fake Joe – the account secured with Joe's purloined credentials – you may find yourself receiving a malware link from Joe that you will click on because you know and trust Joe.
Then you will be infected, even if you don't know it.
As far as credit unions are concerned, Rick Dakin, CEO of Alpharetta, Ga.-based security company Coalfire, urged, “Change every admin credential you have and change them every Friday thereafter. You have [bad] guys inside your network. Can you admit you should do a risk assessment?”
His point was that many, many networks have been breached, but few systems are good at detecting and alerting when intruders are inside.
That, he suggested, needs to change.
Added Pierluigi Stella, chief technology officer at Network Box in Houston, “Ensure (as much as possible) that [your] network is clean from stealth trojans.”
That's because a lot of the activity of the Russian criminals involved in this case seems to connect back to malicious trojans downloaded to consumer computers and corporate networks.
For members, the advice of Trend Micro chief cyber security officer Tom Kellerman was blunt: “Change your passwords, immediately,” he said.
That is painful, and it is time-consuming. But it honestly is the best advice in the face of a breach of this magnitude.
Added Gula: “Rather than just changing their passwords in response to this, users should change their password habits overall and refrain from using the same password for each site.”
That will not inoculate the member against possible losses, but it's a good first step in self-defense. And it has now become a necessary step.