An epic password failure


22 August 2014
Password security

By all accounts, it was an epic hack. Early this month, it was reported that a Russian group siphoned off 1.2 billion usernames and passwords belonging to over 500 million email addresses. According to Hold Security, the information security, risk management and incident response firm that broke the news, the information was stolen through more than 420,000 websites, and the perpetrators targeted not just large companies, but also “every site that their victims visited”. Affected websites were said to range from those of industry leaders across all sectors of the economy down to small and even personal sites.

According to Hold Security, the gang, which it dubbed “CyberVors”, initially acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack email providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems.

Earlier this year, the hackers changed their modus operandi and got access to data from botnets, again through the black market. These botnets used victims’ systems to identify SQL injection vulnerabilities on the sites they visited. The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. “The CyberVors used these vulnerabilities to steal data from these sites’ databases. To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of emails and passwords,” said Hold Security in its blog post.

Commenting on the data breach, Andrey Dulkin, senior director of cyber innovation at CyberArk, said the latest incident will result in three main threats. First, personal and sensitive information has been put at risk and can be used by criminals. Second, the lost credentials could result in identity theft. Third, and potentially the most significant for businesses, attackers can impersonate legitimate users to gain access to organisational assets and confidential information.

All of these, said Dulkin, are made even more severe by the fact that numerous individuals often reuse their credentials across many accounts – personal and professional. “This report once again throws password security back into the spotlight and despite the fact that we are continually bombarded with tales of the increased cyber risks facing individuals and enterprises alike, the complacency surrounding password security remains an issue that must be addressed, rather than deemed inevitable.”

Of particular concern are the privileged accounts amongst the 1.2 billion credentials stolen – those that belong to administrators and other users who have high access and operational permissions in various networks. “These credentials represent highly powerful and lucrative ‘keys to the kingdom’ within any network, as they will provide unrestricted access to an organisation’s most valuable assets; making them sitting ducks if left unguarded.”

According to CyberArk, the only way organisations can mitigate the impact of data breaches is to tackle password security “head-on”. This means identifying all privileged users and accounts, and managing and monitoring access and activity. Organisations should ask themselves whether they would be able to detect impersonation and malicious activity in their networks, and intervene in time to prevent damage being done to their business.

As Dulkin pointed out, it only takes one privileged credential to fall into the wrong hands to open up a huge data breach. “For organisations, focusing on automated password management and ensuring strong passwords for sensitive assets is essential. For individuals, employing personal password managers and employing two-factor authentication whenever possible should be part of their normal thinking.” 

However, as cloud adoption gains traction amongst organisations and individuals alike, traditional password managers alone may not be enough, said Greg Hauw, chief executive officer of cloud data privacy protection company Ohanae. “Cloud privacy protection must include security of the password manager, so that it does not become a single point of failure, where all passwords can be compromised through it.”

In a blog post, Hauw pointed to a report by a UC Berkeley research team entitled “The Emperor’s New Password Manager”, which found that five browser-based password managers contained security flaws that could lead to the compromise of login credentials they were protecting.

“In the password managers surveyed, each provided a cloud-based implementation that exposed the password store. In some implementations, the cloud-based password store was not encrypted, or data for the password store (usernames and passwords) were sent in the clear to the server in the cloud,” he said.

Ohanae’s approach is to use a password management function which generates passwords dynamically when they are required based on the device and passphrase, and erases them after they are used. “This provides two factor authentication on local devices, and ensures that there is no static store which can be attacked and decrypted,” explained Hauw.

The master passphrase is only ever used locally and is never transmitted, not even between devices belonging to the same user. This ensures that sensitive passwords and passphrases are retained and used only on authorised end devices.
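The scheme described in the two paragraphs above (per-site passwords derived on demand from a master passphrase plus a device-bound secret, with no static store to steal) can be illustrated with a small stateless derivation. The following is an added example written for this article, not Ohanae’s code and not a description of its product internals: the function names, the `device_secret` value, the PBKDF2 parameters and the 64-symbol alphabet are all assumptions chosen to show the general technique.

```python
"""Stateless per-site password derivation (illustrative, not Ohanae's code).

Idea: password = f(master passphrase, device secret, site, username, counter).
Nothing is written to a vault; the passphrase never leaves the device; and
without the device secret the passphrase alone is not enough to recompute
anything, which is the "two factors on the local device" property.
"""
import hashlib
import hmac
import string

# 64 symbols so that one byte modulo 64 picks a symbol without modulo bias.
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64


def derive_site_key(passphrase: str, device_secret: bytes,
                    iterations: int = 100_000) -> bytearray:
    """Stretch the master passphrase, bound to this device, into a 32-byte key.

    device_secret is assumed to be a random value generated once and kept only
    on the device (e.g. in its keystore). The iteration count makes offline
    guessing of the passphrase expensive even if the device secret leaks.
    """
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                              b"site-key-v1" + device_secret, iterations, dklen=32)
    return bytearray(key)  # mutable, so it can be wiped after use


def derive_password(site_key: bytearray, site: str, username: str,
                    counter: int = 0, length: int = 20) -> str:
    """Derive the password for one account; nothing is stored anywhere.

    The counter lets the user rotate a single site's password (bump it after a
    breach) without changing the master passphrase or any other site's password.
    """
    if not 8 <= length <= 32:
        raise ValueError("length must be between 8 and 32")
    label = f"{site}\x00{username}\x00{counter}".encode("utf-8")
    digest = hmac.new(site_key, label, hashlib.sha256).digest()  # 32 bytes
    return "".join(ALPHABET[b % 64] for b in digest[:length])


def wipe(buf: bytearray) -> None:
    """Overwrite key material in place once it is no longer needed."""
    for i in range(len(buf)):
        buf[i] = 0


def password_for(passphrase: str, device_secret: bytes, site: str, username: str,
                 counter: int = 0, length: int = 20, iterations: int = 100_000) -> str:
    """Full flow: derive, use, erase. The site key lives only for this call."""
    key = derive_site_key(passphrase, device_secret, iterations)
    try:
        return derive_password(key, site, username, counter, length)
    finally:
        wipe(key)


if __name__ == "__main__":
    # Constructed placeholder; a real device would generate this randomly once.
    DEVICE_SECRET = bytes.fromhex("11" * 32)
    pw = password_for("correct horse battery staple", DEVICE_SECRET,
                      "example.com", "alice")
    print("example.com / alice:", pw)
    print("same inputs again  :", password_for("correct horse battery staple",
                                               DEVICE_SECRET, "example.com", "alice"))
    print("after rotation     :", password_for("correct horse battery staple",
                                               DEVICE_SECRET, "example.com", "alice",
                                               counter=1))
```

Two practical caveats follow directly from the design. Because there is no store, there is also nothing to back up: losing the device secret means every derived password has to be rotated through each site’s reset flow, so a real deployment needs a deliberate recovery path for that secret. And because the output is fixed by the inputs, sites whose password policy rejects the generated string (length limits, mandatory punctuation) need a per-site length or alphabet override recorded somewhere, which reintroduces a small amount of non-secret state.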

In Hauw’s view, cloud privacy protection must include authentication that goes beyond a simple password. “It should also safeguard data as well as credentials, enabling storage of sensitive, identity related data without risk of trickle-down account compromises if that data is accessed without authorisation,” he said.