TOPICS > Nation > technology

After criminals steal 1.2 billion web credentials, how to protect personal info from data breaches

August 6, 2014 at 6:08 PM EST
The New York Times and a Midwest security firm are reporting a massive breach of online privacy that includes the collection of more than a billion username and password combinations and more than 500 million email addresses. Gwen Ifill talks to Dmitri Alperovitch of CrowdStrike about the method and urgency of the hack and who might be behind it.
LISTEN SEE PODCASTS

TRANSCRIPT

GWEN IFILL: Computer hacking and the breaches of privacy that come with them are becoming a regular and unwelcome feature of our wired world.

Now The New York Times and a security firm based in the Midwest are reporting a massive one that includes the collection of more than a billion username and password combinations and more than 500 million e-mail addresses. What’s more, the perpetrators appear to be a shadowy Russian crime ring.

Details, including the names of the victims, are hard to come by. But the news has raised eyebrows around the world. So, how serious is it?

For that, we turn to Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, a Web security firm.

Mr. Alperovitch, tell us just in context of all these other breaches we have had in the past year, say, how — relative to those, how big is this?

DMITRI ALPEROVITCH, CrowdStrike: Well, the number is certainly striking; 1.2 billion credentials is a lot. In the past, we have seen some big breaches that numbered in the hundreds of millions.

But this is certainly the biggest one that I — that I can remember.

GWEN IFILL: Are we talking about a targeted attack in which they are trying to take down either individuals or corporations? Or was this a sweep?

DMITRI ALPEROVITCH: Not all the details are known yet, but what we do know is that these criminals did aggregate a lot of already stolen data from other cyber-criminals, and that probably amplified some of these numbers.

They were also able to hack into a number of Web sites and steal credentials that people were using to log into those sites.

GWEN IFILL: And when we say shadowy Russian crime ring, who are these hackers?

DMITRI ALPEROVITCH: They have not been publicly identified.

The firm that released this information called them cyber-thieves, CyberVor. In Russian, vor means thief. But we don’t yet know a whole lot about them, but we do know that there’s a wide range of cyber-criminals operating out of Russia that have formed these organized criminal syndicates.

They have really been trading in this type of stolen information, credentials, banking details, credit card numbers. And it’s a really booming business over there.

GWEN IFILL: Let’s talk about Hold Security, the firm that uncovered this and provided this information to The New York Times, which The New York Times said it authenticated through a third party.

Its head is a guy named Alex Holden. And there have been some questions raised among — especially among tech reports today whether the timing of this was suspicious, happening just as tech people are meeting in Las Vegas for this big conference, which you are there attending actually.

DMITRI ALPEROVITCH: I am, indeed.

This is not unusual, though, that security firms have released reports at these big conferences, like the Black Hat conference that is here in Vegas right now. That usually is done to get more publicity around this time and it is not something that is all that unusual.

GWEN IFILL: OK. At the root of this, I am told, I read, is something called a botnet. What is a botnet?

DMITRI ALPEROVITCH: A botnet is essentially a network of compromised machines.

So, when you get a suspicious e-mail, and you decide to click on it and your e-mail is infected by a cyber-criminal, your machine will connect to a server that they control. And when you aggregate this to millions of machines that get compromised every single day around the world, you essentially create these network of machines that the cyber-criminals have complete control over.

They can steal any type of file from that system or they can monitor that system on an ongoing basis. And any time you visit a site like your banking Web site do your online banking, for example, they can steal your username and password and surreptitiously send it to the cyber-criminal.

GWEN IFILL: Do we know that that happened in this case?

DMITRI ALPEROVITCH: That’s what the firm is reporting, that some of the credentials were in fact harvested from botnets, which is a common thing that we see regularly from cyber-criminals. That alone is not going to get you 1.2 billion credentials.

For them to get to those types of numbers, they clearly have to go to the source of that data, which is Web sites that would aggregate this information. So we have heard of incidents in the past. Adobe was compromised about a year ago, “Forbes” magazine earlier this year, where the criminals were able to get into the Web sites of these companies and steal all the credentials, all the usernames and hashes of the passwords that were used for logins in to those sites.

GWEN IFILL: And actually cause those companies or those individuals damage? Do we know that money was drained from bank accounts? Do we know whether there is — this is a lucrative thing to amass all of this information, which is basically what it sounds like these hackers were doing?

DMITRI ALPEROVITCH: So, typically, these credentials are not directly to the banking sites.

Most banking sites are actually very secure, and it’s very hard to retrieve the usernames and passwords directly to those banking sites, unless you’re collecting it from the botnet, as I mentioned before.

But what is a common problem these days is that people reuse passwords. So the same username and passwords that you may use to sign up for a magazine subscription, someone may use to log in into their banking sites. And is a real problem, because when those credentials gets reused, if one of those sites gets compromised, you are vulnerable everything else you use those credentials.

GWEN IFILL: This is supposed to be a billion different user-passwords combinations. Are we talking about from all kinds of different Web sites or from one big breach, for instance, only a few companies that would have that many users, like Facebook or Google or Microsoft?

DMITRI ALPEROVITCH: Well, reportedly, it does include data from over 400,000 sites. But there are probably some very big breaches in there that amplify those numbers.

GWEN IFILL: OK.

So, now here’s the real question for those of us who now are rushing to our desks to change our passwords again. Is this the risk of living in a wired world? Is this something that we have to get used to, build into our psyche, that once a month, we are going to hear about another big hack?

DMITRI ALPEROVITCH: Unfortunately, it is.

And once a month, we would be lucky if we heard at that frequency. Unfortunately, it’s almost a daily occurrence. And what I recommend to everyone is to make sure that you use a different password on every site that you do anything with, whether it’s a banking site, or even an innocuous site like a magazine subscription.

And use a password management program to track all these sites. Obviously, no one can remember a hundred different passwords. So, create long and random passwords, store them in a secure program. And then you can easily access that password when you need to log in to that site.

And when there’s a compromise, that compromise will be isolated just to the site that was hacked.

GWEN IFILL: In your experience, do people take that advice?

DMITRI ALPEROVITCH: Most don’t, unfortunately.

But it’s really not that hard. And it takes just a little bit of effort, and you will be a lot more secure as a result.

GWEN IFILL: Dmitri Alperovitch, thank you so much.

DMITRI ALPEROVITCH: Thank you.