You may have been hacked. A Russian cyber gang has obtained what security researchers are calling “the largest cache of stolen data.” Hold Security is offering details on the theft of 4.5 billion records, including 1.2 billion usernames and passwords that correlate to over half a billion e-mail addresses.
Dubbed 'CyberVor' by Hold Security, the group apparently hacked more than 420,000 Web sites to get "such an impressive number of credentials." Hold Security has become well-known over the past few years for its involvement identifying massive data breaches, including the 2013 Adobe Systems breach and the February 2014 breach of Target stores' database.
“The CyberVors did not differentiate between small or large sites,” the firm explained in a blog post. “They didn’t just target large companies; instead, they targeted every site that their victims visited. With hundreds of thousands sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal Web sites."
Focusing on Data Control
We asked Gerry Grealish, CMO of cloud security software firm Perspecsys, what impact he thinks this hack will have. He told us one of the main concerns regarding a breach of this magnitude is the fact that criminals will be able to use exposed credentials to access sensitive data and intellectual property in public cloud environments.
“Clouds are logical points of data aggregation, data assets from a large number of employees can be stored there and many companies share the use of these public clouds,” Grealish said. “This situation serves as a reminder to organizations that they must place greater emphasis on data control -- the responsibility lies with CIOs and CISOs.”
Grealish asked some pointed questions: How can CIOs lock down access to their data? Where is their data located? There are endless questions about data security and control, he said, which only become more perplexing when data is in a cloud environment.
“At the core of data control is ensuring sensitive and regulated data is encrypted. If organizations can do this correctly, they will be the sole owner of encryption keys, so if someone without proper access to their data attempts to access it, the information will be rendered meaningless,” he said. “Alternatively, organizations can use a technique like tokenization, which ensures that all sensitive data remains locked in a secure database inside a firewall.”
Back to Basics
We also caught up with Joshua Roback, Security Architect with cloud security firm SilverSky, to get his thoughts on the hack. He told us the value of a password has increased exponentially as Internet users continuously reuse the same passwords across multiple Web services.
“While smaller, niche Web services may be easier to break into than the likes of Google or large banking sites, the stolen passwords are often just as valuable,” Roback said. “It’s extremely important to diversify your investments when it comes to password management. Like investing, the importance of minimizing risk can’t be overlooked.”
Roback said using a password management system like LastPass or 1Password is a good option, but he doesn’t like the idea of storing his password in a central location. Instead, he relies on his own system including a common string with all the standard password requirements -- upper case, numbers, special characters, etc. -- along with some letters from the Web service name sprinkled in.
“Russian cyber gangs are known for breaking in to steal whatever they can as quickly as possible,” Roback said. “We should expect to see these accounts for sale on underground forums before the week is through.”
the trust is gone...:
Posted: 2014-08-06 @ 2:59pm PT
Give it up. Go back to paper.
Ulf Mattsson, CTO:
Posted: 2014-08-06 @ 1:06pm PT
I agree that “Russian cyber gangs are known for breaking in to steal whatever they can as quickly as possible” so I think that we urgently need to secure the sensitive data itself with modern data security approaches.
Modern granular data protection, like data tokenization, should not only be used for compliance with regulations like PCI DSS. Recent studies reported that data tokenization can cut security incidents by 50 %.
After that is done, we can start the long road of patching all access paths to the sensitive data across all the systems that are hosting sensitive data and maybe changing how we login to systems. That will be more like boiling the ocean.
I think that we urgently need to secure the sensitive data itself.
Ulf Mattsson, CTO Protegrity