I have to admit, it has been rather quiet on the security front the past month or two—and for everyone who uses a computer, that is a good thing. But as we wind down to the end of the year, the bad guys have aimed for (at least) one last hurrah of 2013 in the form of the Pony botnet.
You may not be familiar with the name Pony botnet itself, but you probably heard about the results—two million stolen passwords to popular accounts like Google and Facebook. As PC Magazine explained:
Trustwave’s SpiderLabs dug into source code from the Pony botnet, which was recently made public, and made some startling discoveries. The botnet managed to steal credentials for: 1.58 million websites; 320,000 email accounts; 41,000 FTP accounts; 3,000 remote desktops; and 3,000 secure shell accounts.
This is the type of security news that goes mainstream, where my friends will post to Facebook or in other forums with warnings about the breach and “change your passwords now!” exhortations. Of course, what my friends don’t usually add is “make sure it is a strong password!” because Trustwave said many of the passwords stolen were such hard-to-crack codes as “12345,” “password” and “admin.”
However, several security experts have warned me that we shouldn’t get hung up on the theft of the passwords alone. The problem goes much deeper than that, as Tom Cross, director of security research at Lancope, told me:
Although many of the accounts stolen in this case are for popular social networking sites such as Facebook, Twitter, and LinkedIn, other credentials in the attacker’s collection may be the ultimate objective. Attackers usually seek to compromise social network accounts because they provide a mechanism for further spreading their malware. An attacker who controls your social networking profile can send messages to your contacts with malicious embedded links that will infect their computers. In this way, attackers can spread their botnets from victim to victim through the social network.
Cross added that the attackers appear to have collected some login information that has a direct financial value to a criminal. For instance, logins for payroll service provider ADP could provide attackers with access to sensitive personal information that could be used to commit fraud, while the logins for FTP, RDP and SSH services provide the attacker with control over servers on the Internet, which may also contain sensitive information.
As Matthew Standart, director of threat intelligence at HBGary, said to me, the real problem being overlooked here is the ability of today’s sophisticated malware threats to slip past sensors and and the fact that they aren’t being detected with regularity. He went on to add:
For remediation to work, the first and most important step is to identify whether the system is compromised with malware. If so, the malware needs to be removed before the passwords (which should be done periodically as standard personal security hygiene) can be reset. Resetting the passwords first is like putting the cart before the horse because the new passwords will be compromised over and over again.
So it’s a good idea to encourage your staff to change passwords and educate them on how to make sure they use strong passwords. But before doing that, ensure the network and the computers are totally clean and free of malware. Otherwise, even good passwords provide no protection.