News that Russian hackers stockpiled 1.2 billion usernames and passwords has been the talk of the Internet over the past few days as security experts and others digest what has been dubbed the “largest known collection of stolen Internet credentials,” according to The New York Times.
The Milwaukee-based firm that uncovered the stolen records says that “with hundreds of thousands [of] sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.” Hold Security has not publicly disclosed the names of those companies because of nondisclosure agreements and the fact that websites remain vulnerable, The Times reported.
Hold Security did not immediately respond to requests for comment on whether “virtually all industries” includes governments, and the Department of Homeland Security and the FBI wouldn’t comment on the matter. Hold Security advised companies to check if their websites are susceptible to a SQL injection, which could enable malicious manipulation of a website and unintended commands to be sent to the underlying database.
Part of the hackers’ technique involved using botnets and victims’ systems to identify SQL vulnerabilities on the websites they visited, according to Hold Security. The company claims that more than 400,000 websites were “identified to be potentially vulnerable to SQL injection flaws alone.”
Should CIOs Be Worried?
So, what should government CIOs and chief information security officers do in light of this news, and what’s the takeaway?
Raj Samani, McAfee’s chief technology officer for Europe, Middle East and Africa, noted that agencies should have a vulnerability management program in place that includes capabilities for scanning agencies’ systems to determine if they have been patched and how to mitigate risks. Monitoring, remediating and scanning for risks should be business as usual, he said. “Do you have a disaster recovery or business continuity [plan],” in the event that agency assets were compromised?
Some security experts, including Samani, are skeptical about Hold Security’s approach to addressing the problem. Did they notify the website owners? he said, noting the company’s promotion of its fee-based security services for potential victims. “What you are telling me is I might be vulnerable, but the only way I’m going to find out is if I pay you money to tell me?”
Hold Security said it’s also offering a free service “designed for the individual users to check whether they became victims of cyber-criminal activities,” according to the company website.
As the story unfolds, there are more questions than answers about the true scale and techniques used to acquire the data and over what time period it occurred.
How Should Agencies Respond?
“First and foremost, [they] need to be assessing all of their websites and mobile apps for vulnerabilities associated with OWASP [Open Web Application Security Project],” said Trend Micro Chief Cybersecurity Officer Tom Kellermann. OWASP describes itself as a worldwide nonprofit focused on improving software security. The organization lists common vulnerabilities in websites and mobile apps, similar to services also offered by DHS.
Agencies should have security capabilities installed on their devices that can detect these kinds of vulnerabilities, Kellermann said. The biggest mistake agencies make is failing to change passwords after scrubbing infected devices. If government websites are among those affected, users should be asked to change their passwords.
"This latest hack reinforces the need for strong password policy that includes retention, storage and transmission of passwords, not just password complexity (i.e., number of characters, special characters, overall strength),” said Dan Waddell, director of government affairs for the information security organization ISC2.