BreachExchange mailing list archives
'Breach fatigue' could leave you vulnerable to hack
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 8 Aug 2014 13:48:06 -0600
http://www.azcentral.com/story/money/business/consumer/2014/08/07/breach-fatigue-leave-vulnerable-hack/13709217/

Retired Phoenix lawyer Jim Ryder read about Russian hackers stealing more than a billion network passwords Wednesday and didn't think twice about it. He didn't take steps to secure his computer. He didn't reset any of his financial passwords.

"The Russian thing," he said. "I haven't given it any thought."

That's unusual for Ryder, 74, who is computer savvy and usually security conscious, keeping separate passwords for each of his accounts and changing them every 90 days. But his response to the world's largest data breach is symptomatic of the "breach fatigue" experienced by more and more consumers, who in the past year have been hammered with dire warnings about cyberattacks and phishing schemes that could invade their privacy and leave them vulnerable to identity theft.

Breach fatigue

Most people know they are at risk but don't do anything to protect themselves, according to a study this year commissioned by credit-monitoring giant Experian. The study found that the majority of people surveyed were stressed over data breaches, but about half failed to take any preventive measures.

"Inaction may be a result of data-breach fatigue, as 30 percent of those surveyed received at least two data-breach notifications and 15 percent received three in the last two years while 10 percent received more than five," the study found. "Unfortunately, more than one-third of consumers ignored the data-breach notification from the company and did nothing."

Cybersecurity alerts from major retailers, restaurants, colleges and Internet providers come with urgent advisories to change passwords, monitor credit reports and scrutinize bank charges. Each alert seems to reference bigger, wider threats.

The cyberdominoes started falling in Arizona just before Thanksgiving, when Maricopa Community Colleges announced records and personal data of 2.4 million current and former students and employees had been compromised. Then came the holiday-season black eye for Target shoppers, when the retailer confirmed that credit and debit-card data from 40 million customers was stolen. At the time, it was the second-largest data theft in history.

Not too long after Target customers received their new credit and debit cards, the Heartbleed virus emerged. The warnings indicated software used by more than two-thirds of Internet servers for secure transactions was vulnerable to the bug. What's more, it had been lurking in systems for about two years before it was discovered.

Add to the list various breaches at Michaels arts-and-crafts stores, P.F. Chang's restaurants, eBay, Neiman Marcus, Bashas' supermarkets and AOL — each with its own unique circumstances and the same generic security advice: change, monitor, scrutinize.

Now come Russian hackers. According to security analysts, an organized-crime syndicate has pulled off the biggest data heist yet, amassing more than 1.2 billion user names and passwords and 500 million e-mail addresses. Officials with Hold Security in Milwaukee, which exposed the breach, said the data were snatched from more than 420,000 unnamed websites.

The threat might be lost in the sustained beat of headline-grabbing warnings. Does anyone still run to the parking lot when a car alarm starts wailing?

Protecting data

Analysts say consumers can avoid breach fatigue through routine updates. Instead of reacting to each alarm, adopt a password-change schedule of every 60-90 days, sooner in the case of major breaches.

"People are getting tired of all the data-breach headlines," said Mark Pribish, vice president & ID theft practice leader at Merchants Information Solutions Inc., a national ID-theft and background-screening provider based in Phoenix. "People at a minimum should have two passwords: one for financial information ... and one for everything else."

Pribish, who speaks to businesses about password security, said even these passwords should change every six months. The best passwords should involve eight-character combinations of letters and numerals, he said.

SplashData, a California firm specializing in password management, ranked "password" as second in its annual list of the 25 most-common passwords. The top spot went to "123456." Other passwords on the list included "iloveyou," "abc123," "trustno1," "admin," and "letmein."

Those aren't going to stop a hacker using software algorithms that can guess 1,000 passwords a minute in what is called a "brute-force attack," Pribish said. He said people often rely on the same password for years, even after they change employers, move from one city to another and change health plans, without thinking that the information they used years ago remains alive on the Internet forever.

Ryder, the retired Phoenix lawyer, said later in the conversation that he should have paid more attention to the Russian data breach. After reading past the headlines and talking to a security expert, he said he isn't going to wait to reset his passwords.

"I will be going through the process of changing everything," he said. "Even though it is a pain in the neck."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/