The Russians have stolen 1.2 billion Internet passwords! We are all doomed!
You can’t have missed the recent flurry from NBC News, The New York Times, USA Today, and almost every other news media about how a Russian crime ring has stolen 1.2 billion user name / password combinations plus over 500 million email addresses. These credentials were stolen from 420,000 different websites spanning everything from Fortune 500 companies to small companies across almost every line of business and all around the world.
The attack uses an old but still effective mechanism: introduce malware into the company’s network that looks for SQL databases, then use a technique called “SQL Injection” to steal data. SQL Injection takes advantage of bad code in application programs. When you sign into a website and enter your account number to get information such as your personal profile, the web site sends the request to an application program, which then queries a database. Many of these databases are based on SQL, Structured Query Language, originally developed by IBM over 40 years ago. These databases now run on every kind of computer and are extensively used because of their reliability, scalability and relatively low cost. The application program sends an easy-to-understand query to the database. For example, it would send something like “give me the account information for account number 123.” The database returns the requested data to the application. If you ask “give me the account information for account number > 1,” the database will return the account information for all of the accounts. If the programmer was not careful and testing was woefully lacking, you can fool the database into giving you a lot more information than intended or appropriate.
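The lookup just described, written out as an added example (not code from the original post): the first function pastes the user-supplied account number straight into the SQL text, so the same “account number > 1” trick the paragraph describes returns every row; the second validates the input and binds it as a parameter, so the database only ever treats it as data. It uses Python’s standard sqlite3 module with a constructed three-row accounts table; the account numbers and owners are made up.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory demo database; not any real site's schema or data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_number INTEGER PRIMARY KEY, owner TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(123, "Alice", 1500.0), (124, "Bob", 42.5), (125, "Carol", 99999.0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account_number: str) -> list:
    """The 'bad code' the article describes: the request text is spliced into the query.

    Whatever the caller sends becomes part of the SQL statement, so a request such as
    "123 OR account_number > 1" changes the WHERE clause instead of being compared to it.
    """
    query = (
        "SELECT account_number, owner, balance FROM accounts "
        f"WHERE account_number = {account_number}"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, account_number: str) -> list:
    """Hardened version: validate the type, then bind the value as a query parameter.

    The SQL text is fixed; the driver passes the value separately, so it can never
    alter the statement. Anything that is not an integer is rejected up front.
    """
    try:
        number = int(account_number)
    except ValueError:
        return []  # reject malformed input rather than guessing what was meant
    return conn.execute(
        "SELECT account_number, owner, balance FROM accounts WHERE account_number = ?",
        (number,),
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    normal = "123"
    tampered = "123 OR account_number > 1"  # the article's "> 1" request, as typed into the field
    print("vulnerable, normal input:   ", lookup_vulnerable(db, normal))
    print("vulnerable, tampered input: ", lookup_vulnerable(db, tampered))
    print("parameterized, normal input:", lookup_parameterized(db, normal))
    print("parameterized, tampered:    ", lookup_parameterized(db, tampered))
```

The point of the comparison is that the hardened version does not try to filter out dangerous characters; it simply never lets user input become part of the statement. That is the fix to ask your developers about, and it is also what a code review or an automated scan of the application should be checking for.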
How serious is this particular attack? We don’t really know. The 420,000 hacked companies have not been identified. We don’t know how old the passwords are. Many critical systems require that you change your password periodically; many of the hacked user name password combinations may be months or years old. These attacks have apparently been going on for years, so it is not clear that this is really something new.
Surprisingly, and contrary to standard practice, Hold Security, who reported the breach, has not provided the victim companies sufficient information to verify the problem and identify specific individuals impacted. Hold Security has also announced a new service ($10/month) that will monitor your email address if it is one of the stolen emails. However, you must provide Hold Security with your email addresses and account passwords.
What should you do?
- Don’t panic.
- Monitor your financial activity frequently, looking for unusual transactions. Especially look for small transactions, often less than $10, that you do not recognize. Many criminals use one or two small transactions to validate the information they have before they move to bigger transactions, and many are satisfied to pick up a few dollars from thousands of accounts and hopefully stay below the threshold at which government authorities take an interest in their activities. Some financial organizations, including Chase, actually monitor for these small transactions and will notify you to determine whether they are valid.
- Identify your important financial and medical web sites. While you probably have dozens of different accounts you access online, most of them would have little impact on you if they were compromised. Note which accounts are linked to a bank account or credit/debit card. For example, if you use Amazon one-click to make purchases, then Amazon is an important account.
- Change your passwords frequently on those important web sites. To me, frequently means at least four times a year.
- Do not use the same password for more than one account.
- Do not use a simple password. Your password should be at least eight characters long, and contain at least one lowercase letter, one uppercase letter, one digit, and, if the site allows, one special character like $ # % !.
The top five passwords actually used in 2013 were 123456, password, 12345678, qwerty, and abc123. For a bad password, I prefer “what,” as in “what is the password.” You should not use anything remotely like these.
If you have trouble remembering dozens of strong passwords and would like help doing that, check out Sreenivas Angara’s Kickstarter project. He is working on a smart phone and tablet game called Drongzer to teach you how to create and remember strong passwords by using procedural memory instead of declarative memory. Procedural memory guides the processes we perform, like driving a car. We know what to do while driving when we come to an intersection, even if we have never been there before. Procedural memory usually resides below the level of conscious awareness and tends to be automatically retrieved and utilized. Declarative memories must be consciously recalled. We use them for things like dates (1492, your significant other’s birthday, your address, …). There is no pattern to them; you just have to memorize them.
The last word:
Many if not most of the 420,000 companies are still vulnerable. Is yours? Meet with your IT and security managers and review your current security and audit practices. Most companies concentrate on protecting data coming into their site, looking for malware and denial of service attacks. These are all important. But also look at the data leaving your site; this is where you are really vulnerable to losing protected information. Are you looking for unusual patterns, like outgoing transactions that are thousands or millions of bytes instead of a few hundred, or large data transfers in the middle of the night? Do not forget to include non-electronic loss opportunities like storing unencrypted files on laptops, CDs or thumb drives.
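One concrete form the “look at the data leaving your site” check can take, added here as an example (not code from the original post): a small script that reads outbound-transfer log lines and flags the two patterns the paragraph names, transfers that are far larger than a few hundred bytes and large transfers in the middle of the night. The log format, the five sample lines, the hosts and addresses, and the two thresholds (1 MB for “large”, 100 KB for an off-hours transfer, 00:00 to 05:59 as “night”) are all constructed assumptions; tune them to what your own application normally sends.

```python
from datetime import datetime

# Constructed sample egress log: timestamp, source host, destination, bytes sent out.
# Addresses are from documentation ranges; nothing here is a real site's traffic.
SAMPLE_LOG = """\
2014-08-06T10:15:02 host=web01 dst=203.0.113.10 bytes_out=512
2014-08-06T10:16:45 host=web01 dst=203.0.113.11 bytes_out=840
2014-08-06T14:02:10 host=db01 dst=198.51.100.7 bytes_out=7340032
2014-08-06T02:41:33 host=web02 dst=192.0.2.55 bytes_out=640
2014-08-06T03:10:05 host=db01 dst=198.51.100.7 bytes_out=52428800
"""

# Assumed thresholds: normal responses for this application are a few hundred bytes.
LARGE_TRANSFER_BYTES = 1_000_000   # anything over ~1 MB outbound is unusual
OFF_HOURS_TRANSFER_BYTES = 100_000  # a lower bar applies when nobody should be working
NIGHT_HOURS = range(0, 6)           # 00:00 through 05:59 local time counts as "night"


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' log line into a record."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return {
        "ts": datetime.fromisoformat(ts_text),
        "host": kv["host"],
        "dst": kv["dst"],
        "bytes_out": int(kv["bytes_out"]),
    }


def flag_egress(log_text: str) -> list:
    """Return the records that match an egress rule, each with the reasons it matched.

    Rules are evaluated independently so a single transfer can carry both reasons,
    which is the case most worth a phone call in the morning.
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        reasons = []
        if rec["bytes_out"] > LARGE_TRANSFER_BYTES:
            reasons.append("large_transfer")
        if rec["ts"].hour in NIGHT_HOURS and rec["bytes_out"] > OFF_HOURS_TRANSFER_BYTES:
            reasons.append("off_hours_transfer")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_egress(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} -> {f['dst']} {f['bytes_out']:>10} bytes  {', '.join(f['reasons'])}")
```

On the sample above, the two multi-megabyte transfers from the database host are flagged and the 640-byte transfer at 02:41 is not, because a small response at night is normal traffic. A fixed byte threshold is the simplest possible rule; the next step is to derive the thresholds from each host’s own history rather than guessing them, so the database server and the web front end are judged against what they usually send.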
Keep your sense of humor.