Russian Gang’s Credentials Theft Exposes Web’s Wild, Wild West Side

News that a Russian gang has stockpiled more than a billion purloined user name and password combinations has revved up the Internet’s reputation as a post-industrial Wild, Wild West.

Just how much havoc will be raised by the gang remains to be seen. The data thieves so far appear content to use their ill-gotten trove for spamming, according to Hold Security, which announced its discovery of the stolen credential cache last week. Since little is known about the quality of the data — especially its age — it may be that spamming is all it’s good for.

“If the data is very stale, it would be of less value, but it’s a safe assumption that there is some potentially harmful data in the list,” Rick Martinez, an attorney with Robins, Kaplan, Miller & Ciresi, told TechNewsWorld.

The quality and quantity of the data snatched by the gang may be less important than the gang itself and the atmosphere it operates in.

“It’s gotten to the point where it’s like 1920s Chicago,” Tom Kellermann, vice president of cyber security at Trend Micro, told TechNewsWorld.

“You have advanced criminal syndicates that are operating with impunity,” he explained.

The Comrades Agreement

In Russia and Eastern Bloc nations generally, governments turn a blind eye to guilds of thieves, as long as three basic rules are observed: Don’t hack where you live; pass anything discovered of a national security nature to the authorities; and act in the national interest when requested to do so.

“What I’m worried about is the third rule,” Kellermann said, “where the criminals leverage these footprints they’re amassing by the hundreds of millions for infrastructure destruction.”

Whenever a massive credential theft makes headlines, the use of passwords is rapped — and for good reason.

“When we use a password, we use the same thing every time,” explained Chris Webber, senior product marketing manager for Centrify, a provider of unified identity services.

“It’s like our high school locker combination,” he told TechNewsWorld. “If someone knows that combo and our locker number, they can get at our stuff any time. What’s needed is something that changes every time.”

That’s what two-factor authentication does. A new access code is issued to you — usually through your cellphone — when you try to log in to a website from an unusual IP address or with a new device.

Behavioral Fraud Protection

“A better security standard needs to be used across the entire Internet,” said Nathan Collier, a senior malware intelligence analyst with Malwarebytes.

“Username and password alone just aren’t enough anymore,” he told TechNewsWorld.

“Some companies have already adopted stronger standards, such as asking personal questions when the site is being accessed from unknown locations,” he added. “These, and other methods, need to be implemented on every website.”

Because passwords impose little friction on consumer purchasing, merchants are reluctant to abandon them, so the Russian gang’s vacuuming operations won’t end any time soon. However, other measures now in the formative stages promise to foil even the most enterprising credential thief. They include behavioral fraud protection.

Some credit card companies will ring up a customer if their systems detect a large purchase or one from outside the customer’s home country. The same principle, but in a more sophisticated way, can be applied to online behavior by systems using Big Data.

“They look at how a user behaves, such as how they type, scroll and interact with a website, so even when a user is being impersonated online, firms can tell that the user is behaving differently from normal and that a user account has been hijacked,” Christopher Bailey, CTO of NuData Security, told TechNewsWorld.
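The step-up login described above (a one-time code issued when the login comes from an unusual address or a new device) and the behavioral check Bailey describes (comparing how the session behaves with the user’s normal pattern) are two inputs to the same decision. The following is an added illustration, not code from any vendor quoted in the article: it scores a login attempt on network novelty, device novelty and typing-cadence deviation, and then mints and verifies a single-use, expiring code for the challenge path. The account profile, IP ranges and typing baseline are constructed sample values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed profile for one account (all values invented for this example).
KNOWN_DEVICES = {"dev-abc123"}
KNOWN_NETWORKS = ("203.0.113.",)       # RFC 5737 documentation range, constructed
TYPING_BASELINE_MS = (180.0, 25.0)     # (mean, std dev) of inter-key interval
CHALLENGE_TTL_S = 300                  # one-time code validity window
MAX_CODE_ATTEMPTS = 3                  # guesses allowed per issued code


@dataclass
class LoginAttempt:
    ip: str
    device_id: str
    typing_interval_ms: float


def risk_score(attempt):
    """0..3: one point each for an unknown network, a new device, and a typing
    cadence more than three standard deviations from the user's baseline."""
    score = 0
    if not attempt.ip.startswith(KNOWN_NETWORKS):
        score += 1
    if attempt.device_id not in KNOWN_DEVICES:
        score += 1
    mean, sd = TYPING_BASELINE_MS
    if abs(attempt.typing_interval_ms - mean) > 3 * sd:
        score += 1
    return score


def decide(attempt):
    """Policy: a familiar context passes on the password alone, a novel context
    triggers the second factor, and a context that is novel *and* behaviourally
    off is held for review instead of getting a code prompt."""
    score = risk_score(attempt)
    if score == 0:
        return "allow"
    if score < 3:
        return "challenge"
    return "review"


# account -> [code, expiry timestamp, attempts remaining]; in-memory for the example
_pending = {}


def issue_challenge(account, now=None):
    """Mint a fresh 6-digit code from the OS CSPRNG and store it with an expiry
    and an attempt budget. The code is returned here only so the example runs
    end to end; a real service delivers it out of band (SMS, app push)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[account] = [code, now + CHALLENGE_TTL_S, MAX_CODE_ATTEMPTS]
    return code


def verify_challenge(account, submitted, now=None):
    """Constant-time comparison, single use, bounded retries, hard expiry."""
    now = time.time() if now is None else now
    entry = _pending.get(account)
    if entry is None:
        return False
    code, expiry, attempts = entry
    if now > expiry or attempts <= 0:
        _pending.pop(account, None)
        return False
    if hmac.compare_digest(code, submitted):
        _pending.pop(account, None)      # a code is good for exactly one login
        return True
    entry[2] = attempts - 1              # wrong guess: spend one attempt
    if entry[2] == 0:
        _pending.pop(account, None)      # budget exhausted: force a new challenge
    return False


if __name__ == "__main__":
    familiar = LoginAttempt("203.0.113.7", "dev-abc123", 185.0)
    novel = LoginAttempt("198.51.100.9", "dev-new", 185.0)
    print(decide(familiar), decide(novel))
    if decide(novel) == "challenge":
        code = issue_challenge("alice")
        print("verified:", verify_challenge("alice", code))
```

The three properties that make the code path worth the friction are all in `verify_challenge`: the comparison is constant-time so a wrong guess leaks nothing about the right digits, a code is consumed on first success so a replayed SMS is worthless, and the attempt budget plus expiry keep a six-digit space from being brute-forced at leisure.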

Microsoft Scroogling?

Microsoft seems to relish needling Google about its automated scanning of users’ email to find tips to target advertising at them. Microsoft even invented a term for it: “scroogled.”

When it comes to child pornography and other objectionable content, though, it seems that Microsoft does some scroogling of its own.

“Child pornography violates the law as well as our terms of service, which makes clear that we use automated technologies to detect abusive behavior that may harm our customers or others,” Mark Lamb, senior PR manager with Microsoft’s digital crimes unit, told TechNewsWorld.

Lamb’s remarks came on the heels of news that a Texas man was arrested for possessing and distributing child pornography based on a tip from Google after it uncovered the smut in a routine scan of the man’s email.

“Sadly, all Internet companies have to deal with child sexual abuse,” Google spokesperson Matt Kallman told TechNewsWorld.

“It’s why Google actively removes illegal imagery from our services — including search and Gmail — and immediately reports abuse,” he said. Google notifies the National Center for Missing and Exploited Children.

“Each child sexual abuse image is given a unique digital fingerprint which enables our systems to identify those pictures, including in Gmail,” he explained. “It is important to remember that we only use this technology to identify child sexual abuse imagery, not other email content that could be associated with criminal activity.”

Breach Diary

  • Aug. 4. Appthority releases its summer 2014 Appthority App Reputation Report that found 78 percent of the top Android paid apps had at least one major risky behavior, and 87 percent of top iOS paid apps contained at least one of those behaviors, too.
  • Aug. 5. Cisco releases mid-year security report revealing nearly 94 percent of its customer networks have traffic going to websites that host malware.
  • Aug. 5. Synology confirms some of its Network Attached Storage products have been compromised by ransomware.
  • Aug. 5. OpenDNS releases free online data visualization engine, OpenGraphiti, which enables security analysts, researchers and data scientists to create 3D representations of cyberthreats using Big Data.
  • Aug. 5. Restaurant chain PF Chang’s releases more details about data breach it reported last month. It said 33 locations were affected over a period of eight months.
  • Aug. 5. New York Times reports Russian criminals have amassed cache of 1.2 billion user name and password combinations and more than 500 million email addresses.
  • Aug. 5. Target reports US$148 million loss due to massive data breach last year that compromised payment card and personal information of 110 million customers.
  • Aug. 6. Online Trust Alliance releases report based on analysis of 800 top consumer websites and more than 100 million email headers, finding only 8.3 percent of them supported three critical authentication protocols: SPF, DKIM and DMARC.
  • Aug. 6. FireEye and Fox-IT launch free service to decrypt files scrambled by CryptoLocker ransomware after announcing they’d recovered the private keys and reverse-engineered the engine used by the malicious app to do its dirty work.
  • Aug. 6. US Investigative Services, which performs background checks for the U.S. Department of Homeland Security, reveals its computer systems breached by what appears to be a state-sponsored attack.
  • Aug. 7. Yahoo announces end-to-end encryption for Yahoo email starting this fall. Google announced a similar initiative in June.
  • Aug. 8. Russia grants NSA whistleblower Edward Snowden three-year residency permit which allows him to move freely within the country and to travel abroad.

Upcoming Security Events

  • Aug. 16-17. B-Sides Dubai. Dubai World Trade Center. Free.
  • Aug. 23. B-Sides Minneapolis-St. Paul. Nerdery! Free with registration.
  • Sept. 6-7. B-Sides Dubai. Mövenpick Jumeirah Hotel, Dubai. Free.
  • Sept. 8-9. The Privacy Security Forum: Protecting Data Assets and Managing Risks. The Westin Hotel Waterfront, Boston. Registration: $750, health care providers and payers; $950, all others.
  • Sept. 9-10. Detroit SecureWorld. Ford Motor Conference & Event Center, 1151 Village Road, Dearborn, Mich. Registration: $695, two days; $545, one day.
  • Sept. 12. Suits and Spooks London. Blue Fin Building, Southwark, London, UK. Registration: £200.
  • Sept. 13. B-Sides Memphis. Southwest Tennessee Community College, 5983 Macon Cove, Memphis, Tenn. Free.
  • Sept. 13. B-Sides Augusta. Georgia Regents University, Science Hall, 2500 Walton Way, Augusta, Ga. Free.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 23-24. St. Louis SecureWorld. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: $695, two days; $545, one day.
  • Sept. 26. B-Sides St. John’s. Uptown Kenmount Road, St. John’s, Newfoundland and Labrador. Free.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
  • Sept. 29-Oct. 2. ASIS 2014. Georgia World Congress Center, Atlanta. Registration: exhibits only, free; before August 30, members $450-$895, non-members $595-$1,150, government $450-$895, spouse $200-$375, student $130-$250; after August 29, member $550-$995, non-member $695-$1,250, government $550-$995, spouse $200-$475, student $180-$300; a la carte, $50-$925.
  • Sept. 29-Oct. 3. Interop New York. Jacob Javits Convention Center, New York City. Expo: free. Total Access: early bird (July 1-Aug. 15) $2,899; regular rate (Aug. 16-Sept. 26), $3,099; Sept. 27-Oct. 3, $3,299.
  • Oct. 14-17. Black Hat Europe 2014. Amsterdam RAI, Amsterdam, The Netherlands. Registration: before Aug. 30, 1,095 euros; before Oct. 10, 1,295 euros; before Oct. 18, 1,495 euros.
  • Oct. 19-27. SANS Network Security 2014. Caesars Palace, Las Vegas, Nev. Courses: job-based, $3,145-$5,095; skill-based, $1,045-$3,950.
  • Dec. 2-4. Gartner Identity & Access Management Summit. Caesars Palace, Las Vegas, Nev. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
