A number of articles today note that a company, Hold Security [ http://www.holdsecurity.com/news/cybervor-breach/ ], says it was tracking some other stolen credentials when it came upon this much larger haul, stolen mostly by SQL injection against around 420,000 sites. Yes, I know there are trillions of websites, but you still have to work at finding that many vulnerable to SQL injection, a class of attack that has been around forever. These guys used a botnet to scan websites for the vulnerability and then pulled the data out of the ones that were exposed.
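As an added illustration (not from the original post and not from Hold Security's report), here is the pattern such a scanning botnet looks for, in Python against an in-memory SQLite table of constructed sample users: a lookup that splices user input straight into the SQL, the same lookup with a bound parameter, and a small tautology probe of the kind an administrator could point at their own query code. The table layout, function names and probe string are my assumptions.

```python
import sqlite3

# Constructed sample data for the demonstration; nothing here comes from
# the breach described in the post.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "s3cret-alice"),
    ("bob", "bob@example.com", "s3cret-bob"),
    ("carol", "carol@example.com", "s3cret-carol"),
]

# Classic tautology payload: closes the quoted literal and appends an
# always-true condition so the WHERE clause matches every row.
INJECTION = "x' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The injectable pattern: user input concatenated into the SQL text.

    Whatever the caller supplies becomes part of the statement, so a quote
    in the input rewrites the query instead of being matched as data.
    """
    sql = "SELECT name, email, password FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The same query with a bound parameter.

    The SQL text is fixed; the driver passes the value separately, so the
    input can only ever be compared against the name column.
    """
    sql = "SELECT name, email, password FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_injectable(conn, lookup):
    """Minimal tautology probe an administrator can run against a lookup.

    A name nobody has should return no rows.  If appending OR '1'='1 to that
    same name suddenly makes rows appear, the query is built unsafely.
    """
    unknown = "nobody-with-this-name"
    baseline = lookup(conn, unknown)
    probed = lookup(conn, unknown + "' OR '1'='1")
    return len(probed) > len(baseline)


def demo():
    """Return (rows dumped by the vulnerable lookup, rows from the safe one)."""
    conn = make_db()
    dumped = lookup_vulnerable(conn, INJECTION)  # every user, password included
    safe = lookup_safe(conn, INJECTION)          # nobody is literally named that
    return len(dumped), len(safe)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable lookup injectable:", is_injectable(conn, lookup_vulnerable))
    print("parameterized lookup injectable:", is_injectable(conn, lookup_safe))
    print("rows returned (vulnerable, safe):", demo())
```

The probe only exercises the one string-literal context shown here; real scanners also try numeric contexts, comment terminators and time-based payloads, but the fix is the same in every case: never build the statement from the input, bind it.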
The total number of accounts they got off with is around 4.5 billion, 1.2 billion of which are unique. Most of us use the same e-mail for these external site registrations, so they have a lot of duplicates.
The answer from most of the affected sites is for users to change their passwords. This is absolutely unbelievable. I don't know about you, but I don't even have a list of all those sites that require "registration" so they can send out ads and sell mailing lists. We have no way of knowing who they sold those lists to. Yes, I can change them again (the last time was when Heartbleed was on the rampage), but that puts all the responsibility on users, who aren't the ones at fault here.
The obvious answer is to get the administrators of those websites to take something like the SANS Top Twenty [ http://www.sans.org/critical-security-controls ] and actually run checks for those vulnerabilities, and not just for SQL injection.
And while they are at it, how about all those other patches and updates that keep coming out and get ignored? Maybe someone needs to start naming the places that don't have enough sense to secure our data to basic industry standards.