Wednesday, August 6, 2014

Russian Hackers Amass Over 1 Billion Passwords

Many of you may have seen the recent announcement about a Russian hacking group amassing over a billion internet passwords from internet-facing applications.  If you haven't, here's a link to the recent New York Times article.

This hasn't generated a tsunami of chatter just yet, but I am certain that many of you will have or face questions.  Based upon what little we know right now, here are some random thoughts and opinions.

  • When In Doubt, Change Your Passwords.  Seems simple enough, but many people still do not do this with regularity.  Worse, many people use the same weak password for multiple accounts.  Changing your password to a strong, complex password that you haven't used elsewhere will eliminate the threat from any of your passwords that were compromised in this dump.  Corporately, enforcement of password policies regarding complexity and periodicity of change will have the same positive impact.
  • The Announcement Timing Is Suspect.  Hold Security (the company that announced this finding) may be doing this for publicity.  Less than scrupulous security firms have often kickstarted their initiatives with a huge announcement like this as an entry into gaining traction in the market.  Add to that the fact that the Black Hat and DEF CON security conferences are currently underway, and my suspicions only grow.  Indeed, Forbes announced this morning that Hold is now offering a service "for as low as $120" to help you determine whether your password is on the list.
  • We Don't Know The Important Stuff.  Yet.  Until we have more data (who/what/when/where/why) about this announcement, there's little anyone can do corporately or organizationally to protect themselves beyond changing passwords.  Indeed, as currently crafted, this is little more than a "the sky is falling" announcement.  What would be more interesting is an understanding of which servers in which corporate entities were compromised to get this data.  If Hold Security chooses to release that information (and early indications are that they will not), then the impacted organizations will come under increased scrutiny, which may trigger a need for security professionals to reassess their overall protection profiles.

Bottom line for this one -- for now -- is password management.  Only time will tell if we need to take a deeper look at the potential ramifications of this revelation.

My two cents...
