The Perfect Hacker Storm: CyberVor Was Lightning; Here Comes Thunder


A Russian “hacker gang” they’ve dubbed CyberVor accumulated more than 1.2 unique user credentials from more than 420,000 Web services, ranging from smaller sites to major household names.

For scale – if the CyberVor hack were a box office return, it would be the total global gross of the final Harry Potter as compared to the recent Target breach which would be opening week for Big Daddy.

Ever heard of Big Daddy?

No, of course not.

There is no doubt this is a shockingly massive breach—and CyberVor’s amassed collection of user identifies is surely the largest publicly disclosed trove to date—what this hacker gang has actually created is far larger and more dangerous. CyberVor has created billions of opportunities for hackers to attack, whether by access to individuals’ bank accounts or through infiltrating a news publication’s infrastructure. The fraudsters don’t even need the stolen credentials. CyberVor’s attacks of the 400,000-plus sites show that the sites were vulnerable to SQL injections, meaning that hackers can successfully target almost any site out on the Web. We have yet to realize the true ramifications of this massive and unique breach.

The CyberVor attack is the flash of light before the deafening crack because the breach creates the perfect storm for hackers. Hold Security decided to go public with their findings of the attack, and now the increasing number of large-scale breaches is part of conversations at Defcon and Black Hat Security conferences recently. But without disclosing pertinent details like which services were hacked, or even which sites are still vulnerable, the general public is left in the dark not knowing which services (they’re likely using) have stolen credentials floating around the black market.

With the announcement and coverage of this breach—but without the specifics to fully arm ourselves against these attackers—the fear and ambiguity have created opportunities for other bad actors bent on social engineering.

If I were so inclined to take advantage of this situation, here’s what I’d do. My first step is to determine my targets. Perhaps I’d start with a handful of major financial institutions, some cloud storage providers, a couple of e-mail platforms, and an assortment of major corporate remote-access gateways. After I’ve decided which firms to target, I’d write a very convincing e-mail using the appropriate logos informing the individual user:

“In light of recent news regarding the attack on 1.2 billion identities, we strongly encourage you to change your password to prevent any malicious action against your account. Please feel free to log in normally through our website, or find a link below for your convenience.”

I can only imagine how large a percentage of users would mistakenly click on the link and then be routed to a website—actually an equally convincing phishing site—which then installs malware on the user’s computer. This would compromise any multifactor authentication solution that relies on generating a one-time passcode.

The crash of thunder is not the fact that so many credentials were compromised; it’s the ability to access corporate networks, bank accounts, and sensitive documents in order to gain access to accounts and networks to sell the stolen information.

While the ability to change your prize-winning apple-pie recipe on a crafts web site is tempting, the real prize here is to create a a seemingly endless pipeline of stolen credentials in order to determine the five-year expansion strategy for a major E&P company, or the designs for the next major smartphone, or access to satellite feeds. While hackers themselves may care little about the details contained within the vast cyber folders of information they tap, they have buyers willing to pay top dollar for that information.

The sheer size of the CyberVor attack now catapults the responsibility of cyber-security off of the desk of the CISO and onto those of the CEO and company board members. CEOs should be hyper-aware that despite the great work of most CIOs and CISOs, they’re one attack away from missing financial estimates next quarter. And if the CEO is not having this conversation with their lead security officer, then his or her board should make that a priority. Remember, it took a matter of hours for CodeSpaces to effectively disappear as a company. (In June, the company’s cloud-based server was taken down at the hands of one unauthorized intruder who gained access to CodeSpaces’s Amazon Web Services (AWS) control panel.

Still, some organizations believe that their current security provisions are enough or that they just don’t have the capacity to explore or implement new security because they’re cleaning up a breach of their own. Many executives believe adding additional security measures would create too much friction for their users.

They would be wrong.

So, how can we best prepare for the coming storm?

Passwords. Despite what is written and said (ad nauseam), passwords need not die, but they cannot be exclusively relied upon as the only form of authentication. We need to supplement passwords with multifactor authentication that both actually secures services against the attacks levied against it and simultaneously does not affect the user’s experience.

Using better multifactor authentication throughout the ecosystem, both internally and externally for an enterprise, makes it much more difficult for hackers to take advantage of the banquet table set before them. Let’s face it; passwords are not enough and haven’t been for a long time.

Providing multifactor authentication for users that does not affect their user experience will actually enable users to use the security and create stickier relationships for enterprises. Not to be too self-serving but we at Toopher provide a multifactor authentication solution that uses the location awareness of a user’s mobile device to automate the authentication response based on a user’s normal behaviors. Toopher will only alert the user when something out of the ordinary occurs, and then, the user could deny a would-be fraudster with the push of a button. Users don’t face the friction of having to enter additional codes or pull out their phone for every single login because the Toopher app does the work for them in the background, creating an invisible user experience.

CyberVor presented the first lightening strike of a frighteningly large and fast moving storm. While there may not be much we can do to change the weather, we can sure as hell use better multifactor authentication to get off the flood plain.

Josh is CEO of Toopher in Austin. Follow @@toopherjosh

Trending on Xconomy