HOME     MENU     SEARCH     NEWSLETTER    
NEWS & INFORMATION FOR TECHNOLOGY PURCHASERS. UPDATED 2 MINUTES AGO.
You are here: Home / Network Security / Hack Puts Social Media Users at Risk
Database Hack Puts Social Media, Webmail Users at Risk
Database Hack Puts Social Media, Webmail Users at Risk
By Jennifer LeClaire / NewsFactor Network Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
DECEMBER
05
2013


A massive hack has served up the user names and passwords of nearly 2 million Facebook, Twitter, Google and Yahoo accounts, among others. TrustWave’s SpiderLabs first reported the database breach, which it said was made possible by the Pony Botnet Controller.

“With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9,” Daniel Chechik of SpiderLabs wrote in a blog post.

In addition to hundreds of thousands of Facebook, Twitter, Google and Yahoo accounts, SpiderLabs reports the breached database also let loose credentials for 1.58 million Web site log ins, 320,000 e-mail accounts, 41,000 FTP accounts, 3,000 remote desktops, and 3,000 shell accounts. But the leak itself is only one part of the story.

“In our analysis, passwords that use all four character types and are longer than eight characters are considered ‘excellent,’ whereas passwords with four or less characters of only one type are considered ‘terrible’,” Chechik said. “Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the medium category.”

The Unreported Threat

We turned to Matthew Standart, director of threat intelligence at HBGary, the technology security division of ManTech International, to get his take on the database leak. He told us it appears that Trustwave infiltrated a control server for the massive Pony botnet that was dumping credentials that it had harvested from compromised computers around the world.

What hasn't been reported, he added, is that compromised endpoints are the actual threat and they should not be overlooked. As Standart sees it, the challenge comes in that many end users rely only on antivirus software products to detect and remove malware -- but today's sophisticated malware threats slip past sensors and aren't being regularly detected. For remediation to work, then, the first and most important step is to identify whether the system is compromised with malware.

“If so, the malware needs to be removed before the passwords -- which should be done periodically as standard personal security hygiene -- can be reset,” Standart said. “Resetting the passwords first is like putting the cart before the horse because the new passwords will be compromised over and over again. Today, there are powerful solutions on the market that detect sophisticated strands of malware where antivirus can't.”

A Focus on Data Management

We also asked Aaron Titus, CPO at Identity Finder, a breach prevention and risk management firm, to get his perspective on the attack. He told us this incident underscores the need for whole-lifecycle sensitive data management.

“Even though the scope of the hack is staggering, keylogging remains a somewhat inefficient method to harvest sensitive data,” Titus said. “The fact that even an inefficient hack can amass such an astounding cache of credentials should be a wakeup call that companies should focus their energies on internal sensitive data discovery, classification and remediation, because harvesting that information is typically much easier.”

Tell Us What You Think
Comment:

Name:

Herbie Dragons:
Posted: 2013-12-16 @ 4:28pm PT
The trouble with pass phrases is that they can be identified easily if they are, for instance, passages from a book. The alternative is to create a unique pass phrase which may become hard to remember.

MasterPassword:
Posted: 2013-12-05 @ 12:09pm PT
“In our analysis, passwords that use all four character types and are longer than eight characters are considered ‘excellent,’ whereas passwords with four or less characters of only one type are considered ‘terrible’".

Your analysis is terrible. There are no character types for a computing device. it is a fiction made to adapt sequences of bits to human circumnstances.

The best password are passPHRASES. very long sequences of bits, easy for humans to remember and difficult for computers to crack.

Unfortunately, the crackheads that program password protection do not give sufficient space (30+ characters) and force us to use &?#kIjy7769y that are difficult to remember and easy to crack.

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY INTEREST YOU
ISACA® offers a global community of more than 115,000 IS/IT constituents in over 180 countries. We develop and deliver industry-leading certifications, education, research and business frameworks. We equip individuals to be leaders in the fast-changing world of information systems and IT - Learn More>
MORE IN NETWORK SECURITY
Product Information and Resources for Technology You Can Use To Boost Your Business

NETWORK SECURITY SPOTLIGHT
Here we go again -- or should that be “Regin”? That’s the name security firm Symantec has given to an “advanced piece of malware” used in systematic spying campaigns at least as far back as 2008.

ENTERPRISE HARDWARE SPOTLIGHT
Doctor Who had K-9, the robot dog that accompanied him on adventures through space. Now, Mountain View has K5, a 5-foot-tall, 300-pound robot security guard patrolling in the Bay Area.

MOBILE TECHNOLOGY SPOTLIGHT
The new Android 5.0 Lollipop OS rolled out last month was Google's "biggest update of Android to date." However, early users report that Lollipop's sweet changes also come with less-tasty bugs.

© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.