SECURITY

Password Hacks (Part 2) - Criminal activity

8/11/2012 11:07:53 AM

Criminal activity

So who is behind all this? Well, passwords are usually obtained by criminals, although there have been attempts to link such activities with political groups too. The hacking group Anonymous, for example, has been involved in a number of denial-of-service attacks on high-profile companies including Mastercard and Visa, in response to both firms withdrawing support for WikiLeaks, which had begun publishing 250,000 leaked diplomatic cables.


The hacking group Anonymous


However, Anonymous has always claimed not to be financially motivated. Indeed, the group was linked to the Sony hack, although it denied suggestions, made by Sony in a letter to American Congress officials, that it was involved. The group released a statement distancing itself from the breach, saying: “Anonymous has never been known to have engaged in credit card theft.” The group added, “Public support is not gained by stealing credit card info and personal identities, we are trying to fight criminal activities by corporations and governments, not steal credit cards.”

Stories of hacking make the national news such is the impact it can have on people

According to Jonathan Krause, who has 12 years' experience in IT security and runs Forensic Control, the motivations for theft vary wildly depending on how widespread and deep the breach actually is. He said personal data and passwords are highly sought after by spammers, blackmailers, whistle-blowers, corporate espionage players, suspicious partners looking for evidence of infidelity, fraudsters, unscrupulous journalists and private investigators, and they can get it via a variety of methods.

There is, it seems, a lot of value to be had in acquiring those passwords with the financial rewards good enough to make it enticing for criminal gangs.

“Email addresses and passwords are of value because the bad guys know people use those same usernames, email addresses and passwords on multiple websites,” said Dave Whitelegg, who runs the website ITSecurityExpert.co.uk. “So the amount of data they can potentially grab is huge and if they can gain access to webmail accounts like Hotmail or Google Mail, they can perform password resets on other sites and access them, blocking out the original user.”

The theft of LinkedIn and eHarmony passwords could have far-reaching consequences. Since a lot of personal information is posted on these sites, people with access will be able to quickly build up a profile of millions of individuals. “A lot of data can be used in identity theft for fraud or to assist with general fraud,” said Whitelegg. “This kind of breach tends to be done individually rather than en masse, but that's not to say it doesn't happen. If you consider the typical password reset questions too, they are mostly based on personal information, as well as mother's maiden name, date of birth; I've even seen profiles which include a person's pet name. There's a lot of information floating about that can be of great use to a criminal.”


Whitelegg said there are no borders with cybercrime. He also claims that there are divisions of labor within this globalized, sophisticated community. "Generally speaking, Russians tend to write the malware and you can pay them to write malicious code," he said. "Eastern Europeans tend to launder the stolen money and the Far East tends to control botnets, hiring them out to deliver mass attacks. Hackers who steal these types of information rarely go on to commit the fraud; they tend to sell it on. Where they have lots of records, they break them down into small pieces, just like a jewelry thief would do."

In the case of LinkedIn and eHarmony, it appears that the passwords were taken via a data breach by Russian hackers. They were posted on a Russian hackers' website so that other people could help crack them, so those behind it were certainly out to do some damage. Some pundits suggested that the numbers mentioned were just the tip of the iceberg and that more passwords had been breached. The theory was that the hackers were only posting the encrypted files of trickier passwords online because they'd already worked out the easier ones. Throughout all of this, there was uncertainty over how the password file ended up on a public forum and exactly which site the passwords originated from, but signs indicated that hackers had breached the servers of eHarmony and LinkedIn.


The dating website eHarmony fell prey to password thieves

It led to accusations that the passwords weren't properly protected. Imperva, an American security firm, said LinkedIn, in particular, did not salt its passwords. “Salting, in layman's terms,” said a spokesman, “complicates the process of a hacker cracking a password. Not only do you encrypt the password, but you append it with a random string of characters so even if those passwords are revealed, they look like gobbledygook.”
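Salting as described above, shown as an added example that is not from the article or from any of the sites it names: a bare fast hash gives identical passwords identical stored values, while a per-user random salt fed through a slow key-derivation function does not. The account names, passwords, function names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example

# Constructed sample accounts: two users happen to share a password.
ACCOUNTS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "correct horse"}

def unsalted_hash(password):
    """Weak scheme: one fast digest, no salt. Same password, same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    """Hardened scheme: 16 random bytes per user plus a slow KDF (PBKDF2)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)

def accounts_sharing_a_hash(stored):
    """Number of accounts whose stored value also appears on another account.
    Each such group falls to a single guess or precomputed-table lookup."""
    counts = Counter(stored.values())
    return sum(n for n in counts.values() if n > 1)

def demo():
    weak = {user: unsalted_hash(pw) for user, pw in ACCOUNTS.items()}
    strong = {user: salted_hash(pw)[1] for user, pw in ACCOUNTS.items()}
    return accounts_sharing_a_hash(weak), accounts_sharing_a_hash(strong)

if __name__ == "__main__":
    weak_dupes, strong_dupes = demo()
    print("unsalted: accounts sharing a stored hash =", weak_dupes)
    print("salted:   accounts sharing a stored hash =", strong_dupes)
```

The salt is stored next to the digest; it is not a secret, and its job is to make every stored value unique so that work spent on one account cannot be reused on another.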

All of this seems to put the onus on the user. Claus Villumsen, CTO at BullGuard, said internet users need to look after their own interests rather than relying solely on the security measures of a third party. “We'd all like to believe that our personal details and sensitive data are being kept safe from prying eyes when signing up to a service from reputable companies such as those affected,” he said. “The reality today, unfortunately, is that this is not the case. Hackers are renowned for moving quickly to find ways around modern security measures, and consumers should be vigilant to these concerns and always assume that the first step towards keeping sensitive data safe lies with them.”

“More than three billion malware attacks are reported annually with, on average, 260,000 identities exposed per data breach”

Close to home

With these sorts of breaches, there's little that the individual can do other than ensure they change their passwords regularly enough to keep one step ahead. With so many different accounts held by individuals, though, that's no easy task and it takes a considerable amount of time to keep on top of them all.
