1.2 billion logins scooped up by CyberVor hacking crew – what you need to do

Towerwall Application Security Alert Vol 13.73

Hackers have amassed a vast collection of stolen data, including 1.2 billion unique username/password pairs, by compromising over 420,000 websites using SQL injection techniques.

Researchers monitored the gang for over seven months. It is thought to consist of “fewer than a dozen men in their 20s who know one another personally” based in a small city in central Russia.

They found that the group, working together since at least 2011, had rented time on bot-infected machines around the world. Rather than using the more standard techniques of sending masses of spam, distributing malware or monitoring the infected system to catch banking logins, the group had instead monitored each and every website visited by the compromised host’s user, probing for vulnerabilities to SQL injection attacks.

Vulnerable sites were then plundered for any data they could be tricked into leaking, which was added to the gang’s epic cache. This amounted to 4.5 billion records, including the 1.2 billion unique login pairs and over half a billion unique email addresses. The data has apparently been verified as genuine by an independent expert at the behest of the New York Times.

SQL injection attacks are one of the most common ways of compromising web-facing systems.

Databases are used by websites to store all sorts of information, including sensitive data like passwords and credit card details.

Because of their sensitivity, these databases are not publicly accessible and are only visible to the website that uses them. But if that website is not coded with security in mind, attackers can use the website as a go-between that gives them indirect access to the database.

Although this haul is staggeringly large, the infrastructure and techniques required to perform the attack are nothing new, according to SophosLabs’ Senior Threat Researcher James Wyke.

A large proportion of all the malware families that we see form some sort of botnet. In fact there are relatively few categories of malware that don’t.

Even those that don’t are often spread through botnets – CryptoLocker was spread via the Gameover Zeus botnet for example.

Botnets themselves can be extremely large. We estimated that the ZeroAccess botnet managed to infect over 9 million machines and the number of Gameover infections was also in the millions.

Website users

There is currently no way to tell if you have been affected by any of this. The owners of the affected sites are being informed and hopefully they will tell their users in turn.

Because the sites that were successfully attacked were compromised by easily avoided vulnerabilities, it’s prudent to assume those sites didn’t secure the data in their databases properly either. Even strong passwords are at risk if they aren’t stored correctly.

That means a large, random selection of people have had their personal data compromised and the only reasonable security precaution is to assume you’re one of them. We recommend that you:

  • Change your website passwords.
  • Use a unique password for each website.
  • Use two-factor authentication wherever you can.
  • Check bank and social media accounts for suspicious behavior.

Website owners

This data haul may yet turn out to be a ‘Heartbleed’ moment for website owners who assume their sites are too small to be of interest to hackers.

The gang that amassed this giant data haul didn’t discriminate between popular or unpopular, large or small. All that mattered was vulnerability.

Fortunately, SQL injection attacks are easily defeated by simple coding practices.
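The go-between problem and its fix, as an added example (not code from the original alert): a lookup built by string concatenation beside the same lookup with a bound parameter, run against an in-memory SQLite table. The table layout, function names and sample inputs are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample rows; the table layout is an assumption for this example.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com"),
                ("carol", "carol@example.com"), ("o'brien", "obrien@example.com")]
# Constructed input whose quote characters rewrite the WHERE clause.
CRAFTED = "nobody' OR '1'='1"

def make_db():
    """Build an in-memory users table holding the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db

def lookup_vulnerable(db, username):
    # BAD: visitor input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    # GOOD: the query text is fixed; the driver binds the value separately,
    # so it is only ever compared as data, never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def outcome(lookup, db, username):
    """Rows returned by a lookup, or 'sql-error' if the statement broke."""
    try:
        return len(lookup(db, username))
    except sqlite3.Error:
        return "sql-error"

def compare(db):
    """Run both lookups over a normal, an apostrophe and a crafted input."""
    inputs = ["alice", "o'brien", CRAFTED]
    return {name: (outcome(lookup_vulnerable, db, name),
                   outcome(lookup_parameterized, db, name))
            for name in inputs}

if __name__ == "__main__":
    for value, (bad, good) in compare(make_db()).items():
        print(f"{value!r:22} concatenated={bad!r:12} parameterized={good!r}")
```

The concatenated lookup returns every row for the crafted input and breaks on a legitimate name containing an apostrophe; the parameterized lookup treats both as plain data.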

If you run a website, we recommend that you:

  • Perform an application scan or full application penetration test.

by John Hawes on August 6, 2014

Cork That App or Face Attack

Despite all the news about hackers infiltrating major corporations, most businesses continue to leave themselves woefully unprotected. Some surveys estimate more than 70% of businesses perform vulnerability tests on less than 10% of their cloud, mobile and web applications. A majority also confess they have been hacked at least once in the last two years.

While most large businesses have begun application vulnerability testing, there is still a long way to go. After all, you are only as strong as your weakest link; hackers will undoubtedly find and attack any application without sufficient defenses.

Although testing and creating protection for high-value and mission-critical applications is better than not doing anything at all, leaving low-priority applications unprotected is still a major risk. If hackers can exploit just one application, that means they can then access the rest of your infrastructure. They’ll eventually figure out a way to also attack your high-value applications.

Major Challenges When Protecting Applications

So why, in spite of all the risks, are organizations not identifying all the vulnerabilities in their cloud, mobile and web applications? Security professionals typically point to several reasons that hold them back:

  • Limited Budget: Businesses simply don’t allocate enough money to test all applications. Whether additional headcount or technology is required, testing costs money, and most organizations do not set aside sufficient funds.
  • Lack of Expertise: Application security is still not a mature science. Even companies with the budget to hire expertise find it difficult to recruit security experts who really understand application security.
  • Compliance Focus: Most organizations are driven first by compliance requirements rather than security. So the focus is only on applications that help achieve compliance while other applications are ignored. Applications assessed for security are tested in many cases only to get a checkbox for compliance—not necessarily for sufficient security.
  • External Focus Only: One misconception when it comes to application security is that companies shouldn’t worry about testing internal applications with no external interface. But think of insider threats. What if you have an internal human resources application with access to confidential employee information? If a less-than-ethical employee exploits a privilege, they can gain access to sensitive records, and your company becomes non-compliant with various standards.

Recommendations for Protecting Your Business

Despite these challenges, there are practical ways to protect your business. Here are a few recommendations to identify application vulnerabilities:

  • Respect the Impact of Hacking: According to research by Forrester and the Ponemon Institute, the average cost per record in the case of a breach is at least $300. Most companies have thousands of records. And more than 75% of attacks occur through web applications.
  • Outsource: You don’t have to do everything yourself. Consider a managed service or a cloud service to help you secure your cloud, mobile and web applications quickly and affordably.
  • Create a Process: You can cut your costs by creating a pyramid according to the value of all your apps. First identify and then test all your applications. Based on what you find, you can prioritize applications that need deeper penetration testing. This way, you’ll cover all your applications without spending a fortune and taking too long. Automated solutions and a good process can help you get there quickly.
  • Manage Your Risk: You will find hundreds of vulnerabilities within your applications, but you won’t have time to fix them all. Take a risk management approach and prioritize these vulnerabilities based on a quantitative score. The ones with the highest score (i.e. most likely to be exploited) are the most sensitive and should be addressed right away. All others should be blocked with a web application firewall or other methodologies.

Raise Your Castle Walls to Thwart Attacks

Any breach can have a severely adverse impact on your bottom line. Cloud, mobile and web application vulnerabilities are low-hanging fruit for hackers—they would rather pick these than go after the hard stuff.

Hacking, unfortunately for the rest of us, has become a lucrative profession, and intruders will continue to attack to earn their living. Whether their motive is financial gain, espionage, hacktivism or perhaps something even more pernicious, hackers will continue to fire shots until they penetrate.

Although you can’t fire back at the enemy and can’t be 100% secure, you can certainly raise the walls of your castle. This puts you in a much better position to thwart their attempts.

Michelle Drolet is founder of the data security services provider Towerwall.
Special to Innovation Insights