BreachExchange mailing list archives

'Breach fatigue' could leave you vulnerable to hack
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 8 Aug 2014 13:48:06 -0600

http://www.azcentral.com/story/money/business/consumer/2014/08/07/breach-fatigue-leave-vulnerable-hack/13709217/

Retired Phoenix lawyer Jim Ryder read about Russian hackers stealing more
than a billion network passwords Wednesday and didn't think twice about it.
He didn't take steps to secure his computer. He didn't reset any of his
financial passwords.

"The Russian thing," he said. "I haven't given it any thought."

That's unusual for Ryder, 74, who is computer savvy and usually security
conscious, keeping separate passwords for each of his accounts and changing
them every 90 days.

But his response to the world's largest data breach is symptomatic of the
"breach fatigue" experienced by more and more consumers, who in the past
year have been hammered with dire warnings about cyberattacks and phishing
schemes that could invade their privacy and leave them vulnerable to
identity theft.

Breach fatigue

Most people know they are at risk but don't do anything to protect
themselves, according to a study this year commissioned by
credit-monitoring giant Experian.

The study found that the majority of people surveyed were stressed over
data breaches, but about half failed to take any preventive measures.

"Inaction may be a result of data-breach fatigue, as 30 percent of those
surveyed received at least two data-breach notifications and 15 percent
received three in the last two years while 10 percent received more than
five," the study found. "Unfortunately, more than one-third of consumers
ignored the data-breach notification from the company and did nothing."

Cybersecurity alerts from major retailers, restaurants, colleges and
Internet providers come with urgent advisories to change passwords, monitor
credit reports and scrutinize bank charges.

Each alert seems to reference bigger, wider threats.

The cyberdominoes started falling in Arizona just before Thanksgiving, when
Maricopa Community Colleges announced records and personal data of 2.4
million current and former students and employees had been compromised.

Then came the holiday-season black eye for Target shoppers, when the
retailer confirmed that credit and debit-card data from 40 million
customers was stolen. At the time, it was the second-largest data theft in
history.

Not too long after Target customers received their new credit and debit
cards, the Heartbleed virus emerged.

The warnings indicated that software used by more than two-thirds of Internet
servers for secure transactions was vulnerable to the bug. What's more, it
had been lurking in systems for about two years before it was discovered.

Add to the list various breaches at Michaels arts-and-crafts stores, P.F.
Chang's restaurants, eBay, Neiman Marcus, Bashas' supermarkets and AOL —
each with their own unique circumstances and the same generic security
advice: change, monitor, scrutinize.

Now come Russian hackers. According to security analysts, an
organized-crime syndicate has pulled off the biggest data heist yet,
amassing more than 1.2 billion user names and passwords and 500 million
e-mail addresses. Officials with Hold Security in Milwaukee, which exposed
the breach, said the data were snatched from more than 420,000 unnamed
websites.

The threat might be lost in the sustained beat of headline-grabbing
warnings. Does anyone still run to the parking lot when a car alarm starts
wailing?

Protecting data

Analysts say consumers can avoid breach fatigue through routine updates.
Instead of reacting to each alarm, adopt a password-change schedule of every
60 to 90 days, and change sooner in the case of a major breach.

"People are getting tired of all the data-breach headlines," said Mark
Pribish, vice president & ID theft practice leader at Merchants Information
Solutions Inc., a national ID-theft and background-screening provider based
in Phoenix. "People at a minimum should have two passwords: one for
financial information ... and one for everything else."

Pribish, who speaks to businesses about password security, said even these
passwords should change every six months.

The best passwords should involve eight-character combinations of letters
and numerals, he said.

SplashData, a California firm specializing in password management, ranked
"password" as second in its annual list of the 25 most-common passwords.
The top spot went to "123456."

Other passwords on the list included "iloveyou," "abc123," "trustno1,"
"admin," and "letmein."

Those aren't going to stop a hacker using software algorithms that can
guess 1,000 passwords a minute in what is called a "brute-force attack,"
Pribish said.
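The two points Pribish makes here, that list-topping passwords fall instantly and that an eight-character mix of letters and digits is the floor, can be turned into a small defender-side check. The following is an added example, not code from the article or from any company it quotes: it rejects the common passwords the article names (that short list is constructed from the page, not the full SplashData top 25), requires the stated eight-character minimum, and reports how long exhausting the keyspace would take at the 1,000-guesses-per-minute rate quoted in the article. The rate is taken from the page as an assumption and is a parameter, so the estimate scales linearly if a faster rate is substituted; the function and variable names are the example's own.

```python
import string

# Passwords the article quotes from SplashData's most-common list
# (constructed from the page; the real list has 25 entries).
COMMON_PASSWORDS = frozenset({
    "123456", "password", "iloveyou", "abc123", "trustno1", "admin", "letmein",
})

# Guess rate quoted in the article (assumption taken from the page).
ARTICLE_GUESS_RATE_PER_MINUTE = 1000

# Minimum length the article recommends.
MIN_LENGTH = 8

MINUTES_PER_YEAR = 60 * 24 * 365


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over an alphabet."""
    return alphabet_size ** length


def worst_case_minutes(alphabet_size: int, length: int,
                       guesses_per_minute: int = ARTICLE_GUESS_RATE_PER_MINUTE) -> float:
    """Minutes to try every password in the keyspace at the given guess rate."""
    return keyspace_size(alphabet_size, length) / guesses_per_minute


def worst_case_years(alphabet_size: int, length: int,
                     guesses_per_minute: int = ARTICLE_GUESS_RATE_PER_MINUTE) -> float:
    """Same bound expressed in years, for readability."""
    return worst_case_minutes(alphabet_size, length, guesses_per_minute) / MINUTES_PER_YEAR


def classify_alphabet(password: str) -> int:
    """Estimate the alphabet an attacker must search from the character classes present.

    Lower-case letters contribute 26, upper-case 26, digits 10, punctuation the
    size of string.punctuation. A password using only one class gets a small alphabet.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def assess_password(password: str) -> dict:
    """Apply the article's advice in order: not on the common list, at least
    eight characters, and a mix of letters and digits. Returns a verdict plus
    the worst-case exhaustive-search time at the article's guess rate."""
    if password.lower() in COMMON_PASSWORDS:
        # A list lookup is instant; no keyspace argument applies.
        return {"ok": False, "reason": "on the common-password list",
                "worst_case_years": 0.0}
    if len(password) < MIN_LENGTH:
        return {"ok": False, "reason": f"shorter than {MIN_LENGTH} characters",
                "worst_case_years": worst_case_years(classify_alphabet(password), len(password))}
    alphabet = classify_alphabet(password)
    # Letters (26) plus digits (10) is the article's minimum mix.
    if alphabet < 36:
        return {"ok": False, "reason": "uses only one character class",
                "worst_case_years": worst_case_years(alphabet, len(password))}
    return {"ok": True, "reason": "meets the article's minimum",
            "worst_case_years": worst_case_years(alphabet, len(password))}


if __name__ == "__main__":
    for candidate in ["password", "letmein", "abc123", "abcdefgh", "Xk7Qp2mZ"]:
        print(candidate, assess_password(candidate))
```

The bound the code reports is an upper limit on exhaustive search, not a prediction of how long a real attacker needs: dictionary and pattern-based guessing, which the article's common-password list illustrates, finish far sooner on any password that follows a predictable pattern, and the guess rate is the article's figure rather than a property of any particular cracking setup.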

He said people often rely on the same password for years, even after they
change employers, move from one city to another and change health plans
without thinking that the information they used years ago remains alive on
the Internet forever.

Ryder, the retired Phoenix lawyer, said later in the conversation that he
should have paid more attention to the Russian data breach. After reading
past the headlines and talking to a security expert, he said he isn't going
to wait to reset his passwords.

"I will be going through the process of changing everything," he said.
"Even though it is a pain in the neck."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
