If Dr. Emmett Brown were around today (and a real person) he might be uttering a similar line after reading that 1.2 billion accounts are vulnerable to a breach of data protection. As has been reported in the news, the company, Hold Security, is claiming that more than half a billion people have had their accounts compromised by a gang of Russian hackers. The methods of attack allegedly used are nothing new which casts a sad shadow on the current state of information security. The gang started gathering account information by sending out malicious spam. The email would attempt to entice the recipient to click on a link. Once clicked, the recipient would be taken to a website that would try to either exploit a vulnerability in the recipient’s web browser or trick them into downloading and running an application. Either way, if successful, the recipient’s computer was compromised and various credentials were stolen. If the recipient worked for a company the hacker may try to use them as a launching point to exploit other computers on the network or take advantage to files and resources to which the recipient had access.
The gang also allegedly exploited sites that were vulnerable. Most likely these were websites that had not been properly patched or hardened. Case in point, the Heartbleed virus was made public in April of this year. Two months later, in June, there were still over 300,000 servers vulnerable to the virus. Sometimes it is neglect or laziness. Sometimes it is a server sitting in a corner that is forgotten. That scenario can occur even in big organizations. We got a call once about a server that may have been compromised. IT wasn’t even aware the server existed, it was set up by someone else in the organization and of course it wasn’t patched or hardened to the client’s specifications. Now is a good time to get your hands around your IT infrastructure and make yourself familiar with some useful data security tips.
- Better password management. This step is key. Stop using the same password for multiple sites. In fact, stop using similar passwords where you just add a number or punctuation character to the end
- Complex passwords. If you are using a word from the dictionary your account will likely be compromised. Many password cracking utilities come with a dictionary that gets fed into a site until the word is found. Furthermore, many of these dictionaries include foreign languages as well. And if you think using a dictionary word and either appending or prepending a few special characters to it will suffice—think again; most of the password cracking tools account for that.
- Change passwords. You should consider changing passwords regularly. Changing every 3 months is a good idea.
- Employ two-factor authentication. Many services from email (Yahoo and Google) to banks employ two-factor authentication. Basically to authenticate and get access you have to provide “something you know” and “something you have”. The something you know is your username and password. The something you have is usually another code. In the case of Yahoo and Google, they immediately text you a 5 or 6 digit code that you enter in after you have authenticated. With banks, they often give you a key fob that generates a code that you enter.
- Education. Stories such as the one involving 1.2 billion passwords provide a great opportunity to send out educational messages to your employees. When security is top of mind, they are more likely to heed your warnings and directions and listen to what you have to say. You can then win some of them over to smarter account management practices.
- Have an audit performed. As mentioned above, the criminals were likely exploiting vulnerabilities that have been known for months. Quite often the view on digital security is one of “the emperor has no clothes”. However, when security issues make headlines, those are great opportunities to convince those on the fence that spending some money now is cheaper than paying later.
Back to the two-factor authentication. What I like about Google and Yahoo, along with similar ones, is that not only does the two factor authentication provide you additional security, but it also alerts you to possible theft. A couple of months ago, my phone alerted me to a text message. I checked and found it to be an authentication code sent to me by a provider with whom I did business. I was alarmed because I was not trying to log into their site. I immediately called customer service to find out what was happening. It appeared that someone made their way to tech support pretending to be me and managed to get past some other defenses. Since I had two factor authentication set up, a code was sent to me when the perpetrator tried to authenticate. If I didn’t have this identity and access management set up, I would’ve had a valuable account compromised.
As I mentioned more than once in this post, the 1.2 billion accounts that are vulnerable to a breach of data protection serve as a wake-up call for IT, and individuals, to get their electronic data in order. Understand what you have, where you have it and how you are protecting your digital information. If you don’t, I seriously doubt you will be able to power up that flux capacitor and travel back in time like Marty McFly.
by Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations