Crying ‘Wolf!’ seems to work for security

Breaches that weren’t have gotten a lot of attention — and that’s not such a bad thing

In the last few weeks, we’ve seen a lot of supposed mega hacks garner big media attention. And why not? We’re talking about more than 1 billion people at risk — if these breaches had been real and current. But that’s not the case.

The strange thing is that I’m not really upset about this. Normally, I get incensed when I see the media get security stories wrong. But the greater good in the security business counts for something, and it just may be that these overhyped breach stories led a lot of people to take the simple steps they need to follow to increase the security of their accounts.

The latest mega hack story that was misrepresented was the compromise of 117 million LinkedIn accounts. You can find stories about it on just about every major news site. Stories were posted on Facebook accounts. Clearly this must have been a significant hack that people needed to know about.

But the hack actually occurred four years ago. What is supposedly news is that a hacker is offering the 117 million account credentials garnered in that old breach for sale in criminal forums on the dark web. In theory, all of those passwords should have been changed long ago. In reality, a lot of them weren’t, so some accounts are still at risk — just not anywhere near 117 million of them.

Earlier this month, we had a report that 272 million accounts had been hacked, and a Russian hacker was selling all of the credentials for less than $1, primarily for the notoriety. The credentials were for accounts at almost all the major Internet sites, including Yahoo, Gmail and Hotmail. All the major news venues reported on the hack and issued urgent warnings for people to change their passwords. That was actually awesome from a security perspective.

But the hack was described as hype within two days. One website stated that 99.9% of the compromised credentials were invalid.

The largest mega hack that wasn’t in the last month was of Pwnedlist. In this incident, 866 million accounts were supposedly compromised. Pwnedlist is a site that was maintained by InfoArmor as a public service designed to help companies track public password breaches that may create security problems for their users.

In this case, a valid user of the site performed parameter tampering and was able to search for any domains or accounts listed on the site. A breach involving 866 million credentials certainly sounds awful. But all of the credentials available in Pwnedlist are there precisely because they have already been flagged as compromised. How do you compromise compromised credentials? There really was no increased risk for the accounts in question. It would have been better if the vulnerability had not existed, but that is a very different story from 866 million accounts being freshly compromised.

And so we had a string of stories that consistently missed the point. And yet I am grateful for the invaluable public service they performed by making security matters big news and quite possibly prompting thousands, if not millions, of people to change and strengthen their passwords.

On the other hand, I am dismayed when real incidents go unnoted. For example, how much attention was paid to reports that card skimmers were operating in Walmart? Stories about that would have been a great opportunity to highlight the importance of using chipped cards or, even better, Apple Pay or Google Pay, for transactions whenever possible. There were also dozens of data breaches in the healthcare field. As always, there was no dearth of real incidents.

As long as I am pondering the failures of the media when it comes to security matters, let me go back a moment to the coverage of the Heartbleed vulnerability. Heartbleed was, and sadly remains, a major problem. It was widely covered, but the mainstream media focused on the idea that the foundation of the Internet was at risk. What they didn’t do effectively was spread the word about what people can do to protect themselves, simply by changing their passwords. When that was mentioned, it tended to be an afterthought.

But I’ll take what I can get. The cries of “Wolf!” about breaches that weren’t really breaches seem to be effectively garnering mainstream attention for good security practices. As a security professional, I guess I should feel some satisfaction that users are being told to regularly change their passwords.

Nonetheless, I have the nagging thought that it would be even better to recommend that users implement multifactor authentication on their Internet accounts. At least I now know how to get the word out about that: Just make up a news story that every password in the world is at serious risk of compromise and the only thing that can stop it from happening is if people implement the free multifactor authentication that is available. Basically, it’s the truth.

Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. He can be contacted through his Web site, securementem.com.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleFacebookGoogleHotmailYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ira Winkler

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place