Russian Hack Attack

Aug 21, 2014 by

Hacking news has become so common that we hardly pay attention anymore. A million credit card accounts compromised? Yawn. Social Security numbers accessed illegally through a bank’s internal systems? Oh well. We’ve all been victimized by credit card or some other sort of fraud—that just seems to be an unavoidable part of modern life.

But recent headlines seemed to break new ground. Russian hackers have stolen more than a billion unique username / password combinations and more than 500 million email addresses, grabbed from thousands of websites. Wow.

Web Security

Let’s face facts folks: World Wide Web security is a joke. Hackers seem able to crack open any website they might choose to target. In this case, the security of thousands of websites was compromised. My layperson’s observation is that there is no such thing as an un-hackable website or impenetrable Internet security. I think we’d all be prudent to assume foolproof online security is impossible.

What Should You Do About the Russian Hack Attack?

I’d like to think—but I’m not quite that naive—that if the managers of a website that stored my username / password suspected the site may have been hacked, they would contact me and recommend that I change my password. But I don’t have confidence that would happen (I haven’t received any such suggestions—have you?), so I’ve changed my password at all of the financial websites where I do business.

I recommend you don’t blow off this latest hack news like we all normally do with these sorts of stories. The username / password combination is the key to the castle. If a crook has your username / password combo, there’s nothing stopping him or her from doing anything you could do at the subject website. Those “challenge questions” might be an impediment if attempted access originated from, say, St. Petersburg, Russia instead of your computer. (“What was your first pet’s name?”) But I wouldn’t assume a challenge question would be anything more than a speed bump for an accomplished hacker and crook.

The other scary thing is that the names of the hacked sites haven’t been made public, that I’ve been able to find. So the safe course is to assume sites where you do business were hacked. In fact, I’d assume a site’s been hacked even if the site’s managers told me explicitly that their site had not been hacked. I’m not sure they’d even know until some poop begins hitting the fan. And I don’t want to be hit by the spray!

Here’s what Maneesha Mithal, director of the FTC’s Division of Privacy and Identity Protection, recommends:

FTC Russian Hack Recommendations

The links don’t operate in the screenshot above, but here’s a link to the entire FTC article if you want to drill down.

Passwords Suck

The security community recognizes that passwords are so 20th century. The web needs a new approach to security. Some ideas being debated right now include:

  • Biometrics: fingerprints, iris scans, facial recognition. A challenge with all of these is that if they are compromised, you’ll find it tough to change them to restore your personal online security. Also every Internet access device on the planet would need the appropriate hardware built in.
  • Gizmos: Before E*Trade kicked me out, it sent me a fob to use in conjunction with my username and password when I logged in to its site. The fob generates a new, random, 6-digit number every 30 seconds. When I logged in to E*Trade, I had to enter the number currently shown on the fob’s display. Evidently a geek at E*Trade has the same fob, and if the number I entered matched his, he let me in. This seems like pretty good security to me, but what do I know.
  • Passphrases: Tougher than a pass-word for hackers to “guess” using password cracking technology, but who cares since passphrases would be equally vulnerable to outright theft of the sort in the news now?
  • Cognitive fingerprints: The Defense Advanced Research Projects Agency is developing technology that will identify you based on the way you use the mouse and the keyboard—how you interact with the PC.

If this topic interests you, check out the FIDO (Fast IDentity Online) Alliance. This nonprofit group aims “to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services.”

Been Hacked Lately?

Have you been victimized by a hacker? Are you sure you’d know if you were? How do you manage all of your passwords and usernames?

Copyright secured by Digiprove © 2014 Kurt Fischer