Security experts baffled by the extent of Russian hack

Security
Millions are at risk without knowing.

We've been inundated with comments from security experts in the UK and abroad as more details emerged on what appears to be the biggest hack of all times. The harvesting of tens of millions of emails from thousands of websites by Russian hackers is mind boggling and could well spell the start of a new era in security, permanent insecurity. We've collated the 10 of the best comments and published them below. Feel free to add your own thoughts in the commenting section at the end of the article.

Geoff Webb, senior director, solution strategy, NetIQ

"This again signals we are reaching the end of the usable lifespan of the username/password combination to security. The approach of making users create their own passwords simply forces this last, critical step in security into the hands of the people least qualified and least interested in making it secure: the end user. People don't want to deal with complex passwords they use only once, and as we keep forcing users to be responsible for this security it's unsurprising we keep seeing the same results - weak passwords, reuse of passwords and breaches that cascade to many sites."

TK Keanini, CTO, Lancope

"There is a glutton of credentials always floating around the black market and because of this fact, security professionals need more than just traditional detection signatures looking for exploits and attacks because the adversary is just going to login to your network normally. In particular, defenders need anomaly detection methods as it is the only way to discovery this abuse in its early stages. "

Mark Bower, VP, Voltage Security

"This sounds all too familiar: weakly secured sites, preventable vulnerabilities that aren't patched, and automated botnets to exploit them yielding massive troves of identity data suitable for a ruthless secondary online system attacks at tremendous scale. Yet more evidence the bad guys are winning big at consumers' expense who will foot the bill for this in the end like a hidden tax. Clearly it's time to change the game in data-security and neutralize data-breach risks instead of paying the heavy price when sensitive data falls into the wrong hands all too easily."

Michael Sutton, VP of security research at Zscaler

"With 420,000 sites infected, it will be impossible to work with all of the impacted companies and ensure that the vulnerabilities that led to the breaches are ultimately patched. Many will remain vulnerable for some time, if not indefinitely. The attackers crowd sourced the hacking, leveraging botnet infected computers to do the heavy lifting for them and identify sites vulnerable to SQL injection attacks. This is yet another warning of the dangers of using the same credentials on multiple sites. Consumers should assume that sites they trust will be breached at some point. If they use different credentials on all sites, at least they can limit the damage. Fortunately, there are many tools/services available so that users don't have to remember dozens of different passwords."

Eve Maler - vice president of innovation and emerging technology, Forgerock

"The digital identities of millions of UK consumers are at risk from this latest digital heist. Cyber criminals are more relentless than ever in their pursuit of personal and financial data, and identities have long been their target. We know by now that users are often reluctant to use unique passwords and identifiers for online accounts, so it is logical to think that breaches of this magnitude will shift the way businesses engage with end customers in today's digital age. This is why it is so important for organizations to leverage contextual and relational intelligence to measure risk. By doing so, security teams can apply a multi-layered approach to protect data on any external or internal application, device, or thing and can mitigate risk that may result from this type of breach."

Mark James, security specialist at ESET

"The only real way of targeting this problem is to not use email addresses as logins. Websites should give you the opportunity to use a login name that you have full control over, rather than just using the same email address across multiple sites. Of course the usual password rules apply, do not re use the same password anywhere, make small simple changes that can be easily remembered by yourself and don't use dictionary words in your password. Even adding one or two random characters into a dictionary word can throw a brute force word search off course."

Desire Athow
Managing Editor, TechRadar Pro

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website builders and web hosting when DHTML and frames were in vogue and started narrating about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium.