Industry voices: Security experts baffled by the extent of Russian hack


sincity


We've been inundated with comments from security experts in the UK and abroad as more details emerged on what appears to be the biggest hack of all time. The harvesting of tens of millions of email addresses from thousands of websites by Russian hackers is mind boggling and could well spell the start of a new era in security: permanent insecurity. We've collated 10 of the best comments and published them below. Feel free to add your own thoughts in the commenting section at the end of the article.

Geoff Webb, senior director, solution strategy, NetIQ

"This again signals we are reaching the end of the usable lifespan of the username/password combination to security. The approach of making users create their own passwords simply forces this last, critical step in security into the hands of the people least qualified and least interested in making it secure: the end user. People don't want to deal with complex passwords they use only once, and as we keep forcing users to be responsible for this security it's unsurprising we keep seeing the same results - weak passwords, reuse of passwords and breaches that cascade to many sites."

TK Keanini, CTO, Lancope

"There is a glut of credentials always floating around the black market and because of this fact, security professionals need more than just traditional detection signatures looking for exploits and attacks because the adversary is just going to log in to your network normally. In particular, defenders need anomaly detection methods as it is the only way to discover this abuse in its early stages."

Mark Bower, VP, Voltage Security

"This sounds all too familiar: weakly secured sites, preventable vulnerabilities that aren't patched, and automated botnets to exploit them yielding massive troves of identity data suitable for ruthless secondary online system attacks at tremendous scale. Yet more evidence the bad guys are winning big at consumers' expense, who will foot the bill for this in the end like a hidden tax. Clearly it's time to change the game in data security and neutralise data-breach risks instead of paying the heavy price when sensitive data falls into the wrong hands all too easily."

Michael Sutton, VP of security research at Zscaler

"With 420,000 sites infected, it will be impossible to work with all of the impacted companies and ensure that the vulnerabilities that led to the breaches are ultimately patched. Many will remain vulnerable for some time, if not indefinitely. The attackers crowdsourced the hacking, leveraging botnet-infected computers to do the heavy lifting for them and identify sites vulnerable to SQL injection attacks. This is yet another warning of the dangers of using the same credentials on multiple sites. Consumers should assume that sites they trust will be breached at some point. If they use different credentials on all sites, at least they can limit the damage. Fortunately, there are many tools/services available so that users don't have to remember dozens of different passwords."

Eve Maler, vice president of innovation and emerging technology, ForgeRock

"The digital identities of millions of UK consumers are at risk from this latest digital heist. Cyber criminals are more relentless than ever in their pursuit of personal and financial data, and identities have long been their target. We know by now that users are often reluctant to use unique passwords and identifiers for online accounts, so it is logical to think that breaches of this magnitude will shift the way businesses engage with end customers in today's digital age. This is why it is so important for organizations to leverage contextual and relational intelligence to measure risk. By doing so, security teams can apply a multi-layered approach to protect data on any external or internal application, device, or thing and can mitigate risk that may result from this type of breach."

Mark James, security specialist at ESET

"The only real way of targeting this problem is to not use email addresses as logins. Websites should give you the opportunity to use a login name that you have full control over, rather than just using the same email address across multiple sites. Of course the usual password rules apply: do not reuse the same password anywhere, make small simple changes that can be easily remembered by yourself and don't use dictionary words in your password. Even adding one or two random characters into a dictionary word can throw a brute force word search off course."

Simon Eappariello, SVP EMEA, iboss

"The 'Attack of the CyberVors' can be likened to something out of a science fiction film. The scale is unprecedented, equivalent to the size of the EU population in email traffic being hacked. The era of companies being held to ransom by a cyber cartel needs to end. Add to this, we need to change how we protect networks and confidential data at the very core. The shift in security of our most trusted brands and websites needs to happen on a large scale if we are going to see a shift in the protection of the Internet."

Tom Burton, director in KPMG's cyber security practice

"Accessing more than a billion passwords takes a significant level of organisation and sophistication, but if ever there was an argument that size doesn't matter, this is it. Each year the number of password hacks seems to be climbing, but such a large amount in one go begs a question about what the attackers are going to do with the information they now possess. One possibility is that the plan is to package the information, price it and sell it according to its usefulness."

Andrey Dulkin, senior director of cyber innovation at CyberArk

"The extent of data compromised is the core concern following this latest data breach revelation. It will result in three main threats: first, personal and sensitive information has been put at risk and can be used by criminals, second, the lost credentials could result in identity theft, third, and potentially the most significant for businesses, attackers can impersonate legitimate users to gain access to organisational assets and confidential information. All of which are made even more severe by the fact that numerous individuals often reuse their credentials across many accounts – personal and professional."

Peter Armstrong, Director of cyber security, Thales UK

"The news that a single group has been able to hack 1.2 billion usernames and passwords across more than 420,000 websites shows not just the sheer scale on which these cybercrime groups now operate, but also the borderless nature of the threat. Security threats present themselves in numerous forms and these increase by the day – if not hour, minute or second. This new method of targeting every site that their victims visit, rather than specific large companies, has been devised for maximum results: these large numbers of compromised users can then be deployed by different botmasters as they seek to create new types of DDoS attacks to monetise their criminal activities. It can lead to the dark web equivalent of buying and selling mailing lists, except with these, you're not receiving junk mail through the door!"
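As an added illustration of the anomaly-detection point raised by the Lancope and CyberArk comments above (example code written for this page, not from the article or any vendor quoted): stolen credentials produce logins that look "normal" to signature-based tooling, so the function below builds a per-account baseline of login sources from constructed log lines, then flags successful logins from a source the account never used and any single source touching an unusual number of accounts. Log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real data): timestamp, account, source IP, outcome.
AUTH_LOG = """\
2014-08-05T08:01:10 login user=alice src=203.0.113.10 result=success
2014-08-05T08:03:42 login user=bob src=198.51.100.7 result=success
2014-08-05T09:15:00 login user=alice src=203.0.113.10 result=success
2014-08-06T02:10:01 login user=alice src=192.0.2.44 result=success
2014-08-06T02:10:02 login user=bob src=192.0.2.44 result=failure
2014-08-06T02:10:03 login user=carol src=192.0.2.44 result=failure
2014-08-06T02:10:04 login user=dave src=192.0.2.44 result=success
2014-08-06T02:10:05 login user=erin src=192.0.2.44 result=failure
2014-08-06T02:10:06 login user=frank src=192.0.2.44 result=failure
2014-08-06T10:00:00 login user=bob src=198.51.100.7 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Turn raw lines into dicts; lines that do not match the assumed shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def detect_anomalies(events, baseline_days, max_accounts_per_src=3):
    """Learn each account's usual sources on baseline_days, then flag
    (a) successful logins from a source the account never used before
        (accounts with no baseline at all also trigger this; tune as needed), and
    (b) one source hitting more accounts than max_accounts_per_src, the
        pattern a replayed credential dump leaves in the logs."""
    known = defaultdict(set)           # account -> sources seen in baseline
    accounts_by_src = defaultdict(set)  # source -> accounts it tried after baseline
    alerts = []
    for e in events:
        if e["ts"][:10] in baseline_days:
            known[e["user"]].add(e["src"])
            continue
        accounts_by_src[e["src"]].add(e["user"])
        if e["result"] == "success" and e["src"] not in known[e["user"]]:
            alerts.append(("new_source_login", e["user"], e["src"]))
    for src, users in accounts_by_src.items():
        if len(users) > max_accounts_per_src:
            alerts.append(("many_accounts_one_source", src, len(users)))
    return alerts
```

A real deployment would add context such as geolocation, device fingerprint and time of day to the baseline; the structure of the check stays the same.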
