Following the recent breaches at LinkedIn and Myspace, a hacker is now selling a massive cache of 51 million user credentials purporting to be from the now-defunct iMesh – once the third-largest peer-to-peer filesharing website in the US. Listed on a dark web-based marketplace called The Real Deal, the hacker, under the pseudonym Peace, is attempting to shift the dataset containing 51,310,759 records for 0.5 bitcoin, which is the equivalent of £245 ($350).
@DFMag has obtained several comments from security experts:
David Gibson, VP of strategy and market development at Varonis:
“John Oliver from Last Week Tonight bought $15M USD worth of bad debt for $60,000 and forgave it during his show. It is unfortunate that John Oliver cannot spend $350 and make these 51M records disappear – these large-scale data dumps continue to chip away at our privacy. While specifics like account data, passwords and user preferences may have comparatively low value in the short term, over a longer time horizon data dumps will continue to make it easier for hackers to aggregate and establish a clear identity of their victims, especially as the sophistication of the aggregated data dumps advance.
Our observations suggest that businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organisations need to address – external and internal. The number of reported breaches will no doubt continue to increase. More companies are keeping more information from consumers and business partners, which increases the value of a potential breach. In order to be productive, company networks can’t be 100% isolated, and no matter how much time and money you spend on security tools, nothing is fool-proof, especially when the weakest links in the chain are the people who need access to data in order to do their jobs. Spear phishing attacks that provide hackers with valid credentials are increasing in frequency and sophistication, so administrators and security practitioners should assume that if their networks aren’t already breached, there’s a good chance they may be some day.
When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time securing what you truly need to protect: data. Make sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organisations identify attackers on their network and hopefully mitigate any damage.
Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly.”
Lisa Baergen, director at NuData Security:
“Once again, more news of a big breach hits the wire. We all have to start accepting that breaches are happening and our personal records are being shared on the dark web – sometimes years after the breach occurs. This one, in particular, is hitting hard for a lot of professionals – and senior-level professionals that tend to avoid social media outlets, except for LinkedIn or at times Twitter for business. If you, like me, use these outlets for professional usage, do you use the same password across this as you do at work? If yes. Stop. Think. These hackers want to gain access to big corporations, and sometimes it can be as simple as one executive password gaining entrance to a backdoor into your organisation.
While it’s good practice to change your usernames and passwords often, victims of a breach need to understand that every single piece of identifiable information exposed is important. Credentials from various breaches are sold in packages on the dark web and used to build a “Fullz”, or full online identity profile. These full profiles are sold for higher value than just pieces, because the more complete the information, the more fraud can (and likely will) take place.
For example, if I’m a hacker and gain access to geographical data on John Smith from breach one e.g. LinkedIn, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. OR more frighteningly, gain access to your work credentials, where the damage could be colossal.
Where credit card fraud was all the rage a couple of years ago, it is this kind of account takeover and new account fraud that is on the painful and dramatic rise. We saw in our own database of nearing 81 billion behavioural events annually, a 10% month-over-month increase in new account fraud.
Fortunately, there are methods that online providers can take to help keep us consumers safe, while giving true insight into who sits behind the device – and trust it is not the hacker using our identity information online.
User behaviour analytics can provide victims of this and other breaches with an extra layer of protection even after the hack has occurred. We need to put a stop to these fraudsters in a completely passive and non–intrusive way to us, the consumers. This is accomplished by learning over time how a legitimate user truly behaves in contrast to a potential fraudster using our legitimate information ripped from all these breaches. Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring. The only way to achieve this is by truly being able to identify the identity of the user behind the device.
So, hackers like “Peace” can keep trying to get “pieces” of our data, but we are going to make it irrelevant because they can’t steal our behaviours!”
Mark Bower, global director at HPE Security – Data Security:
“Even though this breach appears to have happened in 2013, the message still resonates in 2016: enterprises need to follow best practices of encrypting all sensitive personal data as it enters a system. Encryption stays with the data whether at rest, in motion or in use, so if an attacker accesses the data, they get nothing of value. The ability to neutralise a breach by rendering data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure. Credentials that never need to be recovered in clear form should be strongly protected with state-of-the-art methods, for example, strong standards-based keyed hashing.
Hackers will steal anything of value and this story is no exception. Data has high value to attackers, and even though the information for sale on the black market is several years old, it can still be used for social engineering attacks for spear phishing to attempt to gain access to deeper systems with even more lucrative data that can be monetised directly if stolen.
We have a saying in security, it’s not a matter of if a breach will happen, but when. Beyond the threat to sensitive data, companies need to be concerned with the impact a data breach can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the industry-accepted cornerstone needed to allow companies to mitigate the risk and impact of cyber attacks and other attempts to get this sensitive information.”
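The keyed, standards-based hashing that Bower recommends for credentials which never need to be recovered in clear form can be illustrated with a small worked example. This is added code, not HPE's or the article's: it folds a server-side secret (a "pepper", assumed here to live outside the database, e.g. in a secret store or HSM) into the password with HMAC-SHA-256, then stretches the result with PBKDF2-HMAC-SHA-256 over a random per-user salt and stores only the parameters, salt and derived key. The pepper value, iteration count and record format below are all constructed assumptions; a production system would tune the cost factor and manage the pepper as a real key.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: the pepper is a server-side key kept out of the credential store,
# so a dumped password table alone cannot be verified or cracked offline.
# Constructed value for illustration only.
PEPPER = b"constructed-example-pepper-not-for-production"
ITERATIONS = 600_000          # constructed cost factor; tune for the target hardware
SALT_BYTES = 16
ALGO = "pbkdf2-hmac-sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _derive(password: str, salt: bytes, iterations: int, pepper: bytes) -> bytes:
    """Keyed pre-hash with the pepper, then PBKDF2 stretching over the per-user salt."""
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None,
                  pepper: bytes = PEPPER, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$derived_key (base64 fields)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = _derive(password, salt, iterations, pepper)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = _derive(password, salt, int(iters), pepper)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                        # nothing recoverable from this string
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password", record))                # False
    # Same record, different pepper: a stolen table without the key verifies nothing.
    print(verify_password("correct horse battery staple", record, pepper=b"other"))  # False
```

The stored record carries its own algorithm tag and iteration count, so the cost factor can be raised later and old records re-hashed on the user's next successful login; the `compare_digest` call avoids leaking a timing difference between near-miss and far-miss guesses.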
Javvad Malik, Security Advocate at AlienVault:
Why is such a huge amount of data being sold for only £245?
“I assume there are several contributing factors to this. Primarily it would be down to the fact that iMesh is now defunct, so the value is only in seeing if users have reused the passwords elsewhere. The other factors would boil down to market pressures. There are other big breaches out there so in order to sell, it needs to be priced competitively.”
“At the risk of sounding like a broken record (corrupted MP3?), for users, the only advice is to avoid reusing passwords across different sites. If in doubt, use something trustworthy like https://haveibeenpwned.com to see if your details are out in the wild anywhere.
For companies, the message could not be clearer. They need to not only implement strong measures to secure the password database of their users; but put in place effective threat detection and monitoring controls so that they are aware of when an attack is attempted. The current controls most companies have in place are inadequate as most are only made aware of a breach once the details appear for sale.”
Brian Spector, CEO of MIRACL:
“There has been a flurry of these mass data breaches recently, with MySpace, LinkedIn and now iMesh falling victim. Each announcement demonstrates that data theft and identity fraud is a multi-billion dollar business on the dark web, and so consumers must be vigilant.
The sad truth is that passwords are a relic from a bygone age, and they simply don’t provide adequate protection for the volume of information we all store and access online today. They don’t scale for users, they don’t protect the service being used and they are vulnerable to a myriad of attacks.
Customers are rightly demanding to be protected when they submit their valuable personal information on the web, and online services need to respond appropriately by replacing the password with more rigorous authentication technologies. For now, anyone affected should change their password, not only for this account but also for any other website where they may have used the same password. But unfortunately, the truth is that most of us probably already have some sort of private information floating around on the dark web and as long as we use this outdated username and password system, we will be reading a lot more of these headlines.”
Lamar Bailey, Sr. Director, Security R&D at Tripwire:
“Many people reuse passwords so a breach that publishes credentials can be an issue if they have been reused. Users should create strong unique passwords for each site they visit and that is harder than it sounds given the sheer number of sites people visit every day. The best way to accomplish this is to use a password generator and vault to keep track of your passwords. Many of the products have very minimal costs and they will remind you to change passwords and alert you of breaches to sites you access.”
Mark James, Security Specialist at ESET:
“With so much data being available on the internet it’s getting more and more common for caches of this information to be sold for small manageable sums. When data is originally harvested its value is based on the ability to reuse the information for financial gain; after a while this gets less and less until its value is almost worthless for its intended use. At this point its value is moved from a unique status with the intention of gaining access to other resources to just being part of a larger database and a “spam” type worth. Also, as time goes on, databases are able to be cracked and the data extracted.
As in all these cases just relying on passwords is not sufficient; you need to consider using, where possible, two-factor or two-step verification processes to protect your logins along with a good internet security product that updates regularly. Keeping your operating system and applications on the latest versions and patched will also help to keep your data safe. There is no single solution for doing this, you have to use multi-layered protection these days if you want to stay safe.”
Itsik Mantin, Director of Security Research at Imperva:
“In this case it is likely that the seller wasn’t responsible for the actual breaches, but only gathered the stolen credentials from various sources. Data from breaches is hot merchandise on both sides of the legitimacy fence, the security marketplace on one side and the dark market on the other.
The ease of acquiring stolen credentials, combined with the fact that users continue to reuse passwords, makes brute force attacks more effective than ever and therefore encourages application providers to take proper measures to protect their users.
To prevent brute force attacks security officers should not only rely on password policies, but should also take specific detection measures like rate limiting login attempts, detecting login attempts from automated browsers, being cautious about logins from unexpected countries and anonymous sources and comparing login data to popular passwords and stolen credentials.”
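The detection measures Mantin lists can be shown as a small triage pass over authentication logs. The code below is an added example, not Imperva's or the article's: it runs rate limiting of failed attempts per source IP over a sliding window, flags successful logins from a country the account does not usually use, flags clients whose user agent marks them as automation, and checks a submitted password against a denylist of known-breached password hashes. The log format, the sample events, the per-user country baseline, the automation markers and the denylist are all constructed for the example; a real deployment would feed it from its own auth logs and a breached-password corpus.

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample authentication log: ts|user|src_ip|country|user_agent|result.
# 198.51.100.7 sprays six accounts in ten seconds from a scripted client (credential stuffing);
# bob's later success comes from a country he never logs in from.
SAMPLE_LOG = """\
2016-06-14T10:00:01|alice|203.0.113.5|GB|Mozilla/5.0 (Windows NT 10.0) Firefox/47.0|OK
2016-06-14T10:00:05|bob|198.51.100.7|US|python-requests/2.10.0|FAIL
2016-06-14T10:00:06|carol|198.51.100.7|US|python-requests/2.10.0|FAIL
2016-06-14T10:00:07|dave|198.51.100.7|US|python-requests/2.10.0|FAIL
2016-06-14T10:00:08|erin|198.51.100.7|US|python-requests/2.10.0|FAIL
2016-06-14T10:00:09|frank|198.51.100.7|US|python-requests/2.10.0|FAIL
2016-06-14T10:00:10|grace|198.51.100.7|US|python-requests/2.10.0|FAIL
2016-06-14T10:02:00|bob|192.0.2.44|RU|Mozilla/5.0 (Windows NT 6.1) Chrome/51.0|OK
2016-06-14T10:03:00|alice|203.0.113.5|GB|Mozilla/5.0 (Windows NT 10.0) Firefox/47.0|FAIL
"""

# Constructed baseline of each user's usual login country (in practice learned from history).
USUAL_COUNTRY = {"alice": "GB", "bob": "US"}

# Constructed markers of scripted or headless clients; a real list would be broader.
AUTOMATION_MARKERS = ("python-requests", "curl/", "HeadlessChrome")

# Constructed denylist: SHA-1 of a few popular passwords, as a breached-password corpus would supply.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("123456", "password", "qwerty")}


def parse_log(text: str) -> List[dict]:
    """Parse the pipe-delimited constructed format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, ua, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "country": country, "ua": ua, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def failed_attempts_over_limit(events, limit=5, window=timedelta(minutes=1)) -> Set[str]:
    """Rate limiting: source IPs with more than `limit` failures inside a sliding window."""
    flagged, recent = set(), defaultdict(deque)
    for e in events:
        if e["result"] != "FAIL":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) > limit:
            flagged.add(e["ip"])
    return flagged


def unexpected_country_logins(events, usual: Dict[str, str]) -> List[Tuple[str, str]]:
    """Successful logins from a country that differs from the user's known baseline."""
    return [(e["user"], e["country"]) for e in events
            if e["result"] == "OK" and e["user"] in usual and usual[e["user"]] != e["country"]]


def automated_client_logins(events) -> Set[str]:
    """Source IPs whose user agent identifies a scripted or headless client."""
    return {e["ip"] for e in events if any(m in e["ua"] for m in AUTOMATION_MARKERS)}


def password_is_known_breached(password: str, denylist: Set[str] = BREACHED_SHA1) -> bool:
    """Reject a password at login or set-time if it appears in the breached corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in denylist


def triage(text: str, usual: Dict[str, str] = USUAL_COUNTRY) -> dict:
    events = parse_log(text)
    return {"rate_limited_ips": failed_attempts_over_limit(events),
            "unexpected_country": unexpected_country_logins(events, usual),
            "automated_ips": automated_client_logins(events)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(password_is_known_breached("123456"))   # True: block or step-up
```

The per-IP window is deliberately keyed on the source rather than the account, because a stuffing run like the one in the sample touches each account only once and would never trip a per-account lockout; the denylist lookup uses SHA-1 only as an index into the corpus, not as password storage.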