Security VARs: 2 Million Stolen Passwords, 2 Million Reasons For Stricter Policies


Security researchers uncovered a stolen cache of millions of account credentials belonging to users of Facebook, Twitter, Google and other online services. The finding, experts tell CRN, should be a call to action for business owners to thoroughly review their security practices.

Researchers at security vendor Trustwave found the stolen account credentials on a malicious server they believe is connected to the use of the Pony Botnet controller. It was the second such find from the Trustwave researchers, who first revealed a large cache of stolen passwords in June. Pony is a toolkit that enables cybercriminals to conduct widespread malware attacks. It is associated with keyloggers that record keystrokes and other Trojans designed to steal account credentials and sensitive data.

Experts at solution providers admit that there is no immediate technology fix to address the longstanding issue of password theft. Phishing and other social engineering attacks can easily trick employees into giving up precious information, including their account credentials, said Don Gray, chief security strategist at managed security service provider Solutionary, a subsidiary of NTT Group. Gray said small and midsize businesses should review their security programs and ensure that basic security measures are being implemented.

"In a way the stakes are higher for small-business owners that are in a competitive marketplace," Gray said. "A breach can be a business-ending event for them."

Security awareness training is an essential part of a company's security program, solution providers say. Businesses in highly regulated industries tend to have stronger, more mature IT security programs, but even they get tripped up on weaknesses tied to basic security practices, said Jon Sargent, director of technology architecture at Virginia Beach, Va.-based solution provider Endurance IT Services. Compliance mandates drive the bulk of the security spending, Sargent told CRN in a recent interview. Still, many small businesses don't know their responsibilities when it comes to data protection, Sargent said.

"They need help with the assessment process and truly understanding where their most sensitive data resides," Sargent said. "You have to understand exactly what you're protecting."

The Pony botnet controller is mainly tied to financially motivated cybercriminals. The automated toolkit enables relatively unsophisticated hackers to manage an attack and track stolen data and infection statistics, Trustwave said. It took only a few days to steal hundreds of thousands of account credentials using Pony. Victims were from more than 100 different countries, including the U.S.

Some of the account credentials discovered by Trustwave were tied to account access at payroll services provider ADP. The finding could mean the attacks may have had "direct financial repercussions" for some victims, Trustwave said. Trustwave informed ADP and other businesses tied to the stolen credentials, which reset the credentials tied to affected account holders.

In addition to more than 1.5 million website login credentials, the Trustwave researchers found credentials for hundreds of thousands of email and FTP accounts as well as remote desktop and secure shell services that could be tied to a variety of businesses.

Antivirus protection and updated and properly configured security appliances can help reduce some of the risk, but an attacker would look like a valid user on a corporate network simply by using stolen credentials, said Solutionary's Gray. Log analysis, also a security best practice, can help identify activity that signals the use of stolen credentials, but many businesses find the process of collecting and analyzing logs a tedious, costly operation, Gray said.
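The point Gray makes is that a stolen password produces a successful login, so log analysis has to look at where and when an account is used rather than at whether authentication passed. The following is an added example, not code from the article or from Trustwave, that computes two such signals over a constructed set of authentication log lines: an account succeeding from two countries too close together in time, and one source address succeeding against several accounts in a short window. The log format and the country field are assumptions for the example; real logs would need a GeoIP lookup on the source IP.

```python
# Added example (not from the article or Trustwave): with a stolen password the
# attacker authenticates as a valid user, so detection must look at where and
# when the account is used. Two signals are computed from constructed log lines.
# The log format and the country field are constructed; real logs need GeoIP.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, outcome, account, source IP, country.
SAMPLE_LOG = """\
2013-12-04T08:02:11Z OK alice 203.0.113.10 US
2013-12-04T08:05:43Z OK bob 203.0.113.11 US
2013-12-04T08:09:02Z OK alice 198.51.100.7 NL
2013-12-04T08:10:30Z OK carol 198.51.100.7 NL
2013-12-04T08:10:31Z OK dave 198.51.100.7 NL
2013-12-04T08:40:00Z FAIL bob 192.0.2.5 BR
2013-12-04T09:15:00Z OK bob 203.0.113.11 US
"""

def parse(log_text):
    """Parse raw lines into time-sorted (time, outcome, user, ip, country) tuples."""
    rows = (line.split() for line in log_text.splitlines())
    return sorted((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), o, u, ip, c)
                  for ts, o, u, ip, c in rows)

def impossible_travel(events, max_gap=timedelta(hours=2)):
    """Accounts with successful logins from two different countries within max_gap."""
    last_ok = {}   # user -> (time, country) of the previous successful login
    hits = set()
    for ts, outcome, user, _ip, country in events:
        if outcome != "OK":
            continue   # failed attempts say nothing about where the account is used
        prev = last_ok.get(user)
        if prev and prev[1] != country and ts - prev[0] <= max_gap:
            hits.add(user)
        last_ok[user] = (ts, country)
    return sorted(hits)

def fan_out(events, min_accounts=3, window=timedelta(minutes=10)):
    """Source IPs that log in to min_accounts or more distinct users within window."""
    by_ip = defaultdict(list)
    for ts, outcome, user, ip, _country in events:
        if outcome == "OK":
            by_ip[ip].append((ts, user))
    hits = set()
    for ip, logins in by_ip.items():   # logins are already in time order
        for i, (start, _user) in enumerate(logins):
            if len({u for t, u in logins[i:] if t - start <= window}) >= min_accounts:
                hits.add(ip)
    return sorted(hits)
```

On the sample data, `impossible_travel` flags alice (US then NL seven minutes apart) and `fan_out` flags 198.51.100.7 (three accounts in under two minutes); bob's failed attempt from BR is ignored because it never produced a session.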

PUBLISHED DEC. 5, 2013