ADOTAS — In response to Today’s Burning Question about reports of the latest major cyberattack, Bill Evans, Sr. Director of Product Marketing at Dell Software, offered the following reaction.
- The attack was perpetrated with a start date of October 21 – a bit over a month ago. Whoever did this did it in about 6 weeks. That’s 333,333 accounts per week, more than 47,000 accounts per day, about 2,000 accounts per hour or about 33 accounts per minute. That’s an account every 2 seconds.
- No one is sure if the perpetrators will be caught. Because of the way these accounts were collected, tracing the owner of the information will be challenging to say the least.
- The account types that were collected include Facebook, Yahoo, Google and ADP. While certainly disconcerting, a compromised Facebook account is probably not all that bad…unless. Unless you also happen to use your Facebook credentials for other sites like retail sites where you might buy clothes. Now these guys can access perhaps stored credit card data. The other site that was targeted was ADP. ADP is where many employees go to view their pay stubs when they are paid by direct deposit. From what I understand, all of these vendors have already taken steps to address this issue, which is to be applauded.
- And perhaps most disconcerting is how this act was executed. Essentially, a bit of malicious code (malware) was placed on the target computers. It sat there waiting for the user to type in their credentials (user id and password) and it basically made a copy and sent it to the perpetrator of this attack.
Here’s the real problem, though: You oftentimes hear security organizations speak about “strong passwords.” Based on this type of attack, even having a strong password would not be sufficient. The malware was just making a copy of the password as it was being typed and sending it along. This type of attack would have been as successful with a password of “12345” as it would with a password of “Q67hfb%oo98G^5” (and no, that’s not my password).
So, what’s a user to do? There are several steps everyone must take to avoid this and many other security attacks.
- Strong passwords: Okay, I said it. It wouldn’t help here, but they do help.
- Unique passwords: Don’t use the same password for every account. Attackers know people do this, so once they have one password, they will visit other sites and just try the same or a variation of the known password. I know you reuse passwords. You shouldn’t.
- Consider unique accounts: Many sites give you the option of creating an account using your “social media” credentials, which is easy, or creating a unique account for their site. Do the latter. It might be a hassle, but it’s easier than dealing with the fallout of a compromised account.
- Consider vendors that offer multi-factor authentication (and this goes for site owners as well): We already discussed that you shouldn’t use the same password for Facebook as you do for your bank account. Beyond that, however, ask your bank or do your banking with a company that can offer you “multi-factor authentication.” This might be a keyfob that gives you a second password (or PIN) that must be entered in addition to your password. In this authentication scenario, even if the bad guy has your password, he still can’t access your account because he doesn’t have your second “one time password.”
- Keep your virus protection installed, operational and up to date. It’s unclear whether the infected computers had virus protection, but better safe than sorry.
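Added example (not part of the ADOTAS piece or Dell's code): a toy login service in Python that replays exactly what a keylogger would have copied, showing that a static password, however strong, is reusable while an RFC 6238 one-time password of the kind a key fob produces is not. The shared secret, password and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6

def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class LoginService:
    """Constructed toy service: password-only login and password+OTP login."""
    def __init__(self, password: str, secret: bytes):
        self._password = password
        self._secret = secret
        self._used_steps = set()  # one successful use per time step blocks in-window replay

    def login_password_only(self, password: str) -> bool:
        return hmac.compare_digest(password, self._password)

    def login_with_otp(self, password: str, otp: str, now: int) -> bool:
        if not hmac.compare_digest(password, self._password):
            return False
        # Accept only the current step; production code usually tolerates +/-1 for clock skew.
        if not hmac.compare_digest(otp, totp(self._secret, now)):
            return False
        step = now // STEP
        if step in self._used_steps:  # same code presented again inside its window
            return False
        self._used_steps.add(step)
        return True

def demo() -> dict:
    secret = b"constructed-demo-seed"         # constructed shared secret (the key fob's seed)
    svc = LoginService("Q67hfb%oo98G^5", secret)
    t0 = 1_385_000_000                        # constructed time of the victim's real login
    captured_pw, captured_otp = "Q67hfb%oo98G^5", totp(secret, t0)  # what the malware copies
    svc.login_with_otp(captured_pw, captured_otp, t0)               # the legitimate login
    return {
        "password_replay": svc.login_password_only(captured_pw),                         # True
        "otp_replay_same_window": svc.login_with_otp(captured_pw, captured_otp, t0 + 5),  # False
        "otp_replay_later": svc.login_with_otp(captured_pw, captured_otp, t0 + 120),      # False
    }
```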