Do Russian Hackers Have Your Password?
The New York Times recently reported that Russian hackers had stolen a billion internet passwords. The professional security industry soon questioned this, since no details or proof were submitted to the industry or to independent analysts. While details are still emerging, it appears that the actual compromise was much smaller in scale and took place over a much longer period of time. Still, the theft of user credentials, even at a greatly reduced estimate, is concerning.
How does this happen (the short explanation)?
Some websites still allow users to log on without a secure (encrypted) connection. User names and passwords sent this way can be stolen by anyone who can see (sniff) that traffic. Many web services and web sites are not properly patched or are deployed in an insecure manner, allowing user data to be collected. Because of the sheer number of computers, sites and supporting infrastructure, it has become a near impossible task to track all of a company's assets. As a result, a network often has many vulnerable points that would allow attackers to infiltrate it and extract users' information.
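To make the first point concrete, the following is an added example (not part of the original UNC advisory) of what an eavesdropper on a shared network recovers from a login sent over plain HTTP. The two captured requests are constructed for this example; the host name, path and form field names are assumptions, not a real site. Both a form-based login and HTTP Basic authentication (whose header is only base64, not encryption) give up the credentials directly; the same request inside a TLS connection would show the eavesdropper only encrypted records.

```python
"""Added example: what a sniffer sees in a plaintext HTTP login.
The captures below are constructed; host, path and field names are assumptions."""
import base64
from urllib.parse import parse_qs

# Constructed capture of a form login over plain HTTP (not a real site).
FORM_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.edu\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"username=jsmith&password=Winter2014%21"
)

# Constructed capture using HTTP Basic authentication; the header value is
# base64("jsmith:Winter2014!"), which is encoding, not encryption.
BASIC_LOGIN = (
    b"GET /portal/ HTTP/1.1\r\n"
    b"Host: www.example.edu\r\n"
    b"Authorization: Basic anNtaXRoOldpbnRlcjIwMTQh\r\n"
    b"\r\n"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def extract_credentials(raw: bytes) -> dict:
    """Return whatever login secrets are readable in a plaintext request."""
    req = parse_http_request(raw)
    found = {}
    # HTTP Basic auth: "Basic <base64(user:password)>", trivially reversible.
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, pwd = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
        found["basic_auth"] = (user, pwd)
    # Form login: the body is just URL-encoded key=value pairs.
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(req["body"].decode("utf-8"))
        for name in ("username", "user", "email", "password", "passwd", "pass"):
            if name in fields:
                found[name] = fields[name][0]
    return found


if __name__ == "__main__":
    for label, capture in (("form login", FORM_LOGIN), ("basic auth", BASIC_LOGIN)):
        print(label, "->", extract_credentials(capture))
```

Anyone positioned between the user and the site (the operator of a "free" wireless access point, for instance) can run exactly this over the packets they forward. That is the reason the advice below insists on a secure (https) connection for anything involving a login.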
How does this impact you?
UNC has no evidence that any of our users' accounts or passwords have been stolen as part of this investigation. The security company that reported this incident refuses to name names, so we cannot know who has been compromised or how. It was claimed that this information has been turned over to law enforcement to investigate, but at this time we at UNC IM&T have not seen any updates. This means it is possible that some other sites you have used have been compromised, but we may never get a list of affected sites or accounts.
What can you do about it?
Because of the vague nature of the current information, UNC IT Security Operations can only offer general advice:
- Change your password for all accounts, not just work accounts, frequently (at least every 90 days) and immediately if you learn that a site you use has been breached
- Use a two-factor authentication method if it is offered
- Use a strong password (at least 12 characters, the more the better, with upper and lower case letters a-z, A-Z as well as numbers and special characters)
- Never share your user name or password with anyone
- Use unique passwords for every account
- Do not set up a "universal" user name or password that works on more than one computer system
- If you are responsible for configuring or installing new equipment make sure you understand the security implications of how you are implementing it
- Take time to have a solid understanding of technology you are using, including your smart phone
- Do not use unknown wireless access points. Free wireless seems great, but whoever actually operates the access point can read any traffic that crosses it unencrypted
- Be wary of any "free" software you use or download. Free software is often either collecting your data (hopefully not your user name or password), which opens the door to interception, or is not maintained as rigorously and may have security flaws
- Do not export sensitive data to any outside source unless you have verified that source
- Do not send sensitive data unencrypted
- Use a secure (https) connection to websites you visit, especially when logging on
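The password rules above (at least 12 characters with upper and lower case letters, numbers and special characters, and a unique password per account) are mechanical enough to check and to satisfy automatically, which is what a password manager does for you. The following is an added example, not UNC code or policy, that checks a password against those rules, generates passwords that meet them using the operating system's cryptographic random source, and flags accounts that share a password. It goes slightly beyond the list above by also rejecting a few well-known common passwords; that short list and all function names are this example's own choices.

```python
"""Added example: check, generate and de-duplicate passwords under the policy
above. The rule set, names and the common-password list are this example's
own choices, not a UNC standard."""
import secrets
import string

MIN_LENGTH = 12
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
# Constructed, illustrative subset of passwords that appear in every breach list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def check_password(password: str) -> list:
    """Return the list of policy rules the password fails (empty means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    chars = set(password)
    for name, members in CLASSES.items():
        if not chars & members:
            failures.append(f"no {name} character")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("common password")
    return failures


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies check_password.

    Uses the secrets module (CSPRNG), never random.choice, and resamples
    until every character class is present so the result always passes."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(sorted(set().union(*CLASSES.values())))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


def reused_passwords(vault: dict) -> list:
    """Given {account: password}, return groups of accounts sharing one password.

    Only the account names are returned, so the result can be shown or logged
    without exposing the passwords themselves."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    for pw in ("Winter2014!", "correcthorsebatterystaple", "Tr0ub4dor&3xtraLength"):
        print(repr(pw), "->", check_password(pw) or "ok")
    print("generated:", generate_password(20))
    # Constructed sample vault: two accounts share a password.
    print("reused across:", reused_passwords({"bank": "Tr0ub4dor&3xtraLength",
                                               "work": "Other#Passw0rd!",
                                               "shop": "Tr0ub4dor&3xtraLength"}))
```

The generator resamples rather than forcing one character from each class into fixed positions, so every position stays uniformly random; with a 94-character alphabet and 16 or more characters it almost never needs a second draw. The reuse check is the part no human does well by hand, which is the practical argument for letting a password manager hold one distinct generated password per site.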