On that mega ‘Russian hack’ – Keep calm, and do security right


The news this week about a Russian cyber gang amassing 1.2 billion user credentials including emails and passwords has created a bit of a frenzy — in the media, in the security community, and among average users, all of whom are wondering what the heck really happened.

Sadly, the security firm behind the revelations, Hold Security, seems to be milking the publicity for financial gain by offering breach notification services to businesses starting at $120 per year.

Our security experts have been parsing the story, and have poked some holes in it.

As Sophos Senior Security Advisor Chester Wisniewski pointed out in an opinion column published at CNN.com, a large portion of the email addresses and passwords among the 1.2 billion were likely from previously disclosed data breaches of websites such as eBay, Adobe and Sony.

Many of the passwords associated with those accounts were “hashed”: stored as a one-way digest rather than in plain text, so the crooks can’t simply read them but have to guess each password and check the guess against the stored hash. How long that takes depends entirely on the scheme and the password: a salted, deliberately slow hash of a decent password can hold out for a very long time, whereas a fast, unsalted hash of a common password falls to a dictionary attack in seconds. Plus, some of these hashed passwords are quite old and probably useless to the criminals.
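To make the difference concrete, here is an added example (not code from this post, from Sophos, or from Hold Security) that runs a crook-style wordlist against two constructed “dumps” of the same three accounts: one stored with a single unsalted MD5 pass, the other with a per-user salt and iterated PBKDF2-HMAC-SHA256. The user names, passwords, wordlist and the demo iteration count are all made up for the illustration; a real site should use the highest work factor it can afford.

```python
"""Why "hashed" is not one thing: a fast unsalted hash versus a salted,
iterated hash, run against a small constructed credential dump.

Added example for illustration; not code from the original post.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample wordlist: the kind of short list that cracks most dumps.
WORDLIST = ["123456", "password", "letmein", "qwerty", "sunshine", "iloveyou", "Tr0ub4dor&3"]

# Demo-sized work factor so the example runs quickly; production should use far more.
DEMO_ITERATIONS = 20_000

SlowRecord = Tuple[bytes, int, bytes]  # (salt, iterations, digest)


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme behind many old dumps: one MD5 pass, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = DEMO_ITERATIONS) -> SlowRecord:
    """Per-user random salt plus PBKDF2-HMAC-SHA256, stored as (salt, iterations, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_slow_salted(password: str, record: SlowRecord) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_fast_unsalted(dump: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """No salt means one precomputed table cracks every user at once.

    Returns (cracked users, number of hash computations spent)."""
    table = {fast_unsalted_hash(w): w for w in wordlist}
    cracked = {user: table[d] for user, d in dump.items() if d in table}
    return cracked, len(wordlist)


def crack_slow_salted(dump: Dict[str, SlowRecord], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Salt forces a fresh run per user per guess; iterations multiply each guess's cost.

    Returns (cracked users, number of underlying PBKDF2 iterations spent)."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, record in dump.items():
        _, iterations, _ = record
        for guess in wordlist:
            work += iterations
            if verify_slow_salted(guess, record):
                cracked[user] = guess
                break
    return cracked, work


def build_dumps() -> Tuple[Dict[str, str], Dict[str, SlowRecord]]:
    """Constructed accounts: two weak passwords and one that is not in the wordlist."""
    users = {"alice": "password", "bob": "letmein", "carol": "correct horse battery staple"}
    fast = {u: fast_unsalted_hash(p) for u, p in users.items()}
    slow = {u: slow_salted_hash(p) for u, p in users.items()}
    return fast, slow


if __name__ == "__main__":
    fast_dump, slow_dump = build_dumps()
    cracked_fast, work_fast = crack_fast_unsalted(fast_dump, WORDLIST)
    cracked_slow, work_slow = crack_slow_salted(slow_dump, WORDLIST)
    print(f"unsalted MD5: cracked {sorted(cracked_fast)} with {work_fast} hash computations")
    print(f"salted PBKDF2: cracked {sorted(cracked_slow)} with {work_slow} iterations")
```

Both schemes give up the two accounts whose passwords are on the list: hashing does nothing for a password the crook would guess anyway. The difference is cost. The unsalted dump is broken with seven MD5 computations for the whole table, reusable against every account in every dump using that scheme, while the salted one costs tens of thousands of iterations per guess per user and still leaves “carol” uncracked, which is the “long time to crack” the column is counting on.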

Unfortunately, we just don’t know where this trove of data comes from because Hold Security hasn’t fully disclosed its findings.

“Of course, we don’t know the truth and can’t analyze what is known because Hold Security is trying to figure out how to monetize the knowledge, leaving even the experts a bit in the dark about how serious a discovery this truly is,” Chet writes.

Despite Hold Security’s questionable methods and motivation, the company’s revelations demonstrate just how bad security is at many websites, and how passwords are failing at providing adequate security for online accounts.

In light of all this, we’ve got some security tips for businesses, website owners, and the public at large.

For users

  • Just to be safe, change your website passwords (including webmail, social media accounts, etc.), and change them again whenever a service you use reports a breach.
  • Always use a unique password for each website, so one leaked credential can’t be replayed against your other accounts. A password manager makes this practical.
  • Use two-factor authentication wherever you can, so a stolen password alone isn’t enough to log in.
  • Check your bank and social media accounts for suspicious behavior.

For website owners

To learn more about how a modern firewall can improve your security posture on multiple levels, listen to our Sophos Techknow podcast: Firewalls Demystified.
