Eesh. Check this out: hackers have made off with nearly two million credential sets for over 93,000 websites. Here’s the breakdown from CNN:
- 318,000 Facebook (FB, Fortune 500) accounts
- 70,000 Gmail, Google+ and YouTube accounts
- 60,000 Yahoo (YHOO, Fortune 500) accounts
- 22,000 Twitter (TWTR) accounts
- 9,000 Odnoklassniki accounts (a Russian social network)
- 8,000 ADP (ADP, Fortune 500) accounts (ADP says it counted 2,400)
- 8,000 LinkedIn (LNKD)accounts
…. Among the compromised data are 41,000 credentials used to connect to File Transfer Protocol (FTP, the standard network used when transferring big files) and 6,000 remote log-ins.
The attack appears to have been collecting passwords since October 21 and may still be ongoing. At this point it remains unclear which machines are infected and how the attack was able to penetrate so many computers. My guess is that phishing is involved, but obviously there are a number of other ways to deliver malware:
- email or instant messaging attachments
- file sharing and downloading pirated software (same category but not the same things)
- browsers delivering malicious code from compromised websites
- inaudible sound (Eek!)
- and many more …
There are a number of ways to protect your users from these attacks, including some affordable, powerful, and — let’s face it — sexy, Barracuda security products. But we have to be honest about this; no device can fully compensate for users who aren’t trained in user-end security, don’t pay attention to what they’re doing, or simply don’t care about the rules. Security Week recently reported,
In a survey of 3,200 mobile device owners between the ages of 21 to 32 working full-time, Fortinet discovered that 51 percent stated they would contravene any policy in place banning the use of personal devices at work or for work purposes. The survey also found that 14 percent of the respondents would not tell an employer if a personal device they used for work became compromised
Thirty-six percent of respondents using their own personal cloud storage like DropBox accounts for work purposes said they would break any rules brought in to stop them – something with problematic implications potentially because 33 percent of those that use cloud storage services store customer data there, while 22 percent store critical private documents like contracts and business plans.
A few months ago Network World reported that about 30% of the users in this study were willing to open email even if they knew it contained a virus.
Even. If. They. Knew.
How do you protect the network from that? Good training, good policies, good enforcement, good equipment. Now that there are another two million credential sets out in the open, it may be a good time to review all of those things. And of course, we’d be glad to give you a hand.
Barracuda provides award-winning security and storage solutions. Check out our full line of products here.