In what may be the largest compromise of IT security in history, Russian hackers have amassed more than 1.2 billion passwords and user names, a haul that may wreak havoc for IT security professionals and IT security vendors, according to an article in The New York Times. However, the real question here is how the hackers were able to accomplish such a massive breach of security and what can be done to prevent it.
The New York Times article said the hackers based their operation in south central Russia, flanked by Kazakhstan and Mongolia. The group included fewer than a dozen men in their 20s, and their computer servers were believed to be in Russia.
Those pilfered account records, which are associated with some 500 million unique e-mail addresses, were discovered by Hold Security LLC, a Milwaukee-based company that sells information-security and risk-management services. "There is a division of labor within the gang," Hold Security founder Alex Holden said in The New York Times article. "Some are writing the programming, some are stealing the data."
Hold Security's findings were based upon seven months of research. However, the company has not given a time period for the theft of data or named any websites that were hacked. That lack of disclosure raises more questions than answers, such as who is at risk and what websites are susceptible to attack.
The breach isn't a surprise
Some industry veterans are not surprised by the breach. Dave Rosenberg, CTO of products and vice president of development at DB Networks, said, "Organizations are typically breached because they have no practical visibility into what's going on in their core networks. Sure, they guard the perimeter with firewalls and WAFs, but HTTP and HTTPS are gaping holes in this defense."
Rosenberg added, "The continuing stream of successful and all too often trivial SQL injection attacks is proof of holes in network defenses. Many organizations rely on trusted web applications which just don't turn out to be trustworthy."
Rosenberg also offered some advice: "The only effective alternative to working without a safety net is dynamic modeling and continuous, real-time monitoring of core database networks. Database vulnerability can be detected at the application/database interface; trying to do this at the perimeter is a fool's errand."
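A simplified sketch of the modeling idea in Rosenberg's remark: learn the structure of the SQL an application normally sends, then flag statements whose structure was never seen. This is an added example, not code from the article or from DB Networks; the table names, the sample statements and the regex-based normalization are constructed assumptions.

```python
import re

# Constructed baseline: statements a hypothetical login page normally sends.
BASELINE = [
    "SELECT id FROM users WHERE name = 'alice' AND pw_hash = 'ab12'",
    "SELECT id FROM users WHERE name = 'bob' AND pw_hash = 'cd34'",
    "UPDATE users SET last_login = 1407283200 WHERE id = 7",
]
# Constructed traffic seen later at the application/database interface.
OBSERVED = [
    "SELECT id FROM users WHERE name = 'carol' AND pw_hash = 'ef56'",
    "select id from users where name = 'o''brien' and pw_hash = '9f'",
    "SELECT id FROM users WHERE name = '' OR '1'='1' -- ' AND pw_hash = 'x'",
]

_STRING = re.compile(r"'(?:[^']|'')*'")      # quoted literal; '' is an escaped quote
_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")


def fingerprint(sql):
    """Reduce a statement to its structure: literals become '?', comments are
    marked, case and whitespace are normalized."""
    s = _STRING.sub("?", sql)          # strings first, so '--' inside a literal is not a comment
    s = _COMMENT.sub(" <comment> ", s)
    s = _NUMBER.sub("?", s)
    return " ".join(s.upper().split())


class QueryModel:
    """Set of statement structures learned from known-good traffic."""

    def __init__(self, baseline):
        self.known = {fingerprint(q) for q in baseline}

    def is_anomalous(self, sql):
        return fingerprint(sql) not in self.known


def monitor(model, statements):
    """Return the statements whose structure never appeared in the baseline."""
    return [s for s in statements if model.is_anomalous(s)]


if __name__ == "__main__":
    model = QueryModel(BASELINE)
    for stmt in monitor(model, OBSERVED):
        print("ALERT new structure:", fingerprint(stmt))
```

Only the third observed statement is reported: the first two differ from the baseline in their values but not in their structure. A production monitor would use a real SQL parser instead of regular expressions, and detection of this kind complements parameterized queries in the application rather than replacing them.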
SQL injection as root cause
Naturally, Rosenberg has focused on SQL injection as a root cause of the security problem and is probably correct in that assumption. However, one must remember that Rosenberg's firm, DB Networks, specializes in SQL injection attack prevention.
Nevertheless, if SQL injection is to blame for the breaches, it is a clear indication that many website (and database) managers are taking a very sloppy approach to securing access to databases and making sure that the applications that use those databases are secure.
Rosenberg said, "The Russians used infected computers as part of a botnet to penetrate more than 400,000 sites with preformed, even quaint attacks. Essentially they were kicking in screen doors. Twenty guys from Russia have essentially audited the security of the typical web site and found it wanting."
That further indicates that website security is lacking and handled in a sloppy fashion across hundreds of thousands of sites. The problem must be addressed sooner rather than later, before other sites are compromised and additional data is stolen.
Website managers should immediately start testing their sites for intrusions using readily available tools and should also check the patch statuses of their web servers, database servers and applications to ensure that the latest security patches are deployed.
Finally, users need to be reminded to change passwords frequently and abstain from using the same password on multiple sites. One can only hope that the account information stolen consisted of older and temporary accounts, and offers little value to the hackers.
Frank J. Ohlhorst is an award-winning technology journalist, author, professional speaker and IT business consultant. He has worked in editorial at CRN, eWeek and Channel Insider, and is the author of Big Data Analytics. His certifications include MCNE, MCSE, A+, N+, L+, and Security+.