Weak passwords still plague online accounts
Not long ago, professional social site LinkedIn reported thousands of its user accounts were compromised when hackers got hold of login credentials and released them on the web. It was not the first attack of its kind this year alone, and the online community might have expected providers and consumers alike to step up their game, with stricter credential handling on the server side and less predictable passwords on the user side, but that clearly hasn't been the case. In the most recent incident, Yahoo announced that some 450,000 of its users had their passwords compromised.
As companies struggle to fill the gaps, there's no way for them to plan for every breach. Some businesses have found that being proactive isn't enough and are showing their resilience by taking additional steps after the fact to limit the damage and maintain data security.
A recurring problem
As in the LinkedIn fiasco, hackers gained access to Yahoo's servers, this time through a targeted SQL injection attack: a web application passed user input straight into its database queries, so a crafted request made the database hand over a cache of personal data. The perpetrators then took the information public, splashing news of their achievement across message boards and posting the 453,492 unique passwords and their associated account credentials for all to see. According to Ars Technica, the hackers claimed in an open letter to Yahoo's IT and management teams that they had carried out the attack not to steal information but to point out the security gaps in the website.
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," the message attached to the leaked data stated.
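The mechanics of the attack described above, as an added example that is not part of the original article and does not use Yahoo's real schema: a search function that splices user input into its SQL text, the UNION-based payload that turns it into a dump of another table, and the parameterised version that defuses the same input. The table and row contents are constructed for the demonstration.

```python
import sqlite3


def setup_db():
    """Build an in-memory database with constructed sample rows (not Yahoo's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Welcome', 'First post');
        INSERT INTO articles VALUES (2, 'Recipes', 'Second post');
        INSERT INTO users VALUES (1, 'alice@example.com', 'password');
        INSERT INTO users VALUES (2, 'bob@example.com', '123456');
    """)
    return conn


def search_vulnerable(conn, term):
    """Vulnerable: the search term is spliced into the SQL text, so SQL syntax in it is executed."""
    sql = "SELECT title, body FROM articles WHERE title = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Fixed: the term is bound as a parameter and can never change the query's structure."""
    sql = "SELECT title, body FROM articles WHERE title = ?"
    return conn.execute(sql, (term,)).fetchall()


# A classic UNION-based payload: it closes the quoted string, appends a second
# SELECT with the same number of columns against the users table, and comments
# out the trailing quote the application adds.
PAYLOAD = "x' UNION SELECT email, password FROM users --"


def demo():
    """Run both versions against the same payload and a normal search term."""
    conn = setup_db()
    leaked = search_vulnerable(conn, PAYLOAD)   # returns the users table
    safe = search_safe(conn, PAYLOAD)           # returns nothing: no such title
    normal = search_safe(conn, "Welcome")       # ordinary query still works
    return {"leaked": sorted(leaked), "safe": safe, "normal": normal}


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The only difference between the two functions is whether the input is text the database parses or a bound value; a firewall in front of the web server sees an ordinary HTTP request either way.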
No lesson learned
There's been little progress in password security despite large-scale thefts and warnings from the online community. Consumers continue to use easily guessed passwords, while companies keep applying the same weak protection practices on their servers and domains: injection flaws go unpatched, and in Yahoo's case the passwords were stored in plaintext rather than as salted hashes, so a single successful query handed the attackers everything. A firewall does nothing against such a request, because it looks like ordinary web traffic.
A CNET review of the leaked passwords from the Yahoo attack revealed that most of the victims were using weak and predictable passwords. The most common pattern was a run of sequential digits, sometimes with a few letters tacked on at the end, but the majority were purely numeric progressions of some kind. Another popular choice was the word "password" itself, with no alteration whatsoever.
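The kind of analysis CNET ran over the dump, as an added example that is not part of the original article: parse "email:password" lines, bucket each password into the weak patterns named above (sequential digits, repeated digits, digits with a few letters, the literal word "password"), and report the most common values. The sample dump and the category names are constructed for the example, not taken from the real leak.

```python
import re
from collections import Counter

# Constructed sample in the "email:password" form the leaked dump used; these are
# not real accounts or real leaked records.
SAMPLE_LEAK = """\
alice@example.com:123456
bob@example.com:password
carol@example.com:12345678
dave@example.com:123456
erin@example.com:abc123
frank@example.com:Tr0ub4dor&3
grace@example.com:111111
heidi@example.com:12345abc
"""


def parse_leak(text):
    """Split 'email:password' lines; split only on the first ':' since passwords may contain one."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        email, _, pw = line.partition(":")
        creds.append((email, pw))
    return creds


def classify(pw):
    """Bucket a password into the weak patterns reported for the leak, or 'mixed' if it avoids them."""
    if pw.lower() == "password":
        return "literal 'password'"
    if pw.isdigit():
        digits = [int(c) for c in pw]
        steps = {b - a for a, b in zip(digits, digits[1:])}
        if steps == {0}:
            return "repeated digit"           # 111111
        if len(steps) == 1:
            return "sequential digits"        # constant step: 123456, 2468, 9876
        return "digits only"
    if re.fullmatch(r"[A-Za-z]+\d+|\d+[A-Za-z]+", pw):
        return "letters plus digits"          # abc123, 12345abc
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    if len(pw) >= 10 and all(classes):
        return "mixed"
    return "other"


def audit(text, top=3):
    """Summarise a dump: category counts, most reused passwords, share that fall in a weak bucket."""
    creds = parse_leak(text)
    by_category = Counter(classify(pw) for _, pw in creds)
    most_common = Counter(pw for _, pw in creds).most_common(top)
    weak = sum(n for cat, n in by_category.items() if cat != "mixed")
    return {
        "total": len(creds),
        "by_category": dict(by_category),
        "most_common": most_common,
        "weak_fraction": weak / len(creds) if creds else 0.0,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LEAK).items():
        print(key, value)
```

On the constructed sample, seven of the eight passwords land in a weak bucket and "123456" is the most reused value, which mirrors what the real review found; on a real dump the same code reads the file instead of the embedded string.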
How to fix it
There's no quick and easy way to remove the threat of hacking from public-facing sites. InformationWeek pointed out that there's no such thing as a "breach-proof" website, even when advanced encryption is thrown into the mix. The best way to handle these incidents is through monitoring, management and constantly updating server security practices, keeping attackers guessing and fixing issues as soon as they're caught.
When social media network Formspring realized that more than 400,000 of its 28 million users could have been compromised, the company didn't hesitate. Rather than relying on warning emails or a public announcement alone, it immediately reset every user's password to a random value, according to the San Francisco Chronicle. This may seem like a heavy-handed technique, but considering that the entire system was as good as compromised at that point, Formspring judged it the best option to safeguard its clients' data while it repaired any other damage.
Companies can also purchase password management software to help safeguard data in the future. These suites assist with creating strong randomized passwords, cataloguing user credentials and storing them for safe keeping. Browser integration and cross-device syncing also mean users no longer need to type passwords or other codes to access accounts from trusted machines, reducing exposure to keyloggers and similar credential-stealing malware.
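The two server-side measures the last two paragraphs describe, as an added example that is not Formspring's code or any vendor's product: passwords stored only as a salted, slow hash (so a dump does not yield plaintext), a Formspring-style mass reset that overwrites every stored hash with the hash of a random secret nobody knows, and a generator for the strong random passwords a manager would create. The user records and the iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import string

# Assumed work factor; PBKDF2-HMAC-SHA256 in the hundreds of thousands of
# iterations is the order of magnitude recommended today.
PBKDF2_ITERATIONS = 600_000
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Store a random per-user salt and a slow hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def generate_password(length=20):
    """Strong random password from the OS CSPRNG, the kind a manager creates and stores."""
    if length < 12:
        raise ValueError("refuse to generate short passwords")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def reset_all_passwords(users):
    """Mass reset: replace every stored hash with the hash of a random secret nobody
    knows, so no existing (possibly leaked) password verifies any more, and flag the
    account so the next login must go through the reset flow."""
    for record in users.values():
        record["password"] = hash_password(secrets.token_urlsafe(32))
        record["must_reset"] = True
    return len(users)


def build_users():
    """Constructed sample accounts whose passwords match the weak ones seen in the leak."""
    return {
        "alice": {"password": hash_password("123456"), "must_reset": False},
        "bob": {"password": hash_password("password"), "must_reset": False},
    }


if __name__ == "__main__":
    users = build_users()
    print("before reset:", verify_password(users["alice"]["password"], "123456"))
    reset_all_passwords(users)
    print("after reset:", verify_password(users["alice"]["password"], "123456"))
    print("new password:", generate_password())
```

After the reset no user can log in with an old password, leaked or not, which is exactly the property Formspring wanted while it investigated; the hashing means that even a second dump of the same table would give an attacker only salts and digests to crack, not credentials to replay.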
Comments
Strong passwords are NO solution to this problem. Strong passwords are passwords that are not easily remembered. They are NOT "something you know". They are something you write down on paper or on your device.
A good factor has several characteristics – you know if it’s gone (lost or stolen), it’s hard to replicate, it has a secure reset process, etc.
Strong passwords are an oxymoron – the stronger you make them, the weaker your security.
Comment by Ken on August 31, 2012 at 9:26 am
[...] breach was "123456" – which was also found to be the most common password in the Yahoo data security breach earlier this year. The second and third most common don't fare much better, [...]
Pingback by Researcher uncovers IEEE data breach, reveals poor security practices | Simply Security on September 28, 2012 at 7:36 pm