Fear This

Just days before this issue, which contains our security cover story, went to press, we got some interesting news: 1.2 billion unique usernames and passwords and 542 million email addresses were reportedly stolen from 420,000 websites, according to The New York Times. The websites ranged from Fortune 500 companies down to small online retailers.

With these kinds of numbers, you probably won’t be surprised to hear the perpetrators are professionals. That kind of a haul takes time, effort, servers, connectivity and other tools. It also takes patience, training and investment. After all, it’s business.

“There is a division of labor within the gang,” said Alex Holden of Hold Security, as quoted by the Times. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.” Holden also said the group likely had partnered with another group, which may account for an uptick in the group’s activity.

According to Google, Hold Security offers deep web monitoring, and indexes and correlates public and private sources to identify cyber-threats. Hold Security’s website was oddly unavailable for additional details as I wrote this, offering a “503 service unavailable” error, which means the company’s web server is in maintenance or overloaded. I could only wonder if Hold Security had made itself a target of a denial-of-service attack after speaking with the media.

So I’m especially grateful to the many insurers who agreed to speak with me for the cover story this month, and especially to the ones who agreed to go on the record. While they obviously didn’t offer me the keys to the kingdom, they described their environments, the evolution of security threats, and their constantly evolving responses to the professionalization and commercialization of cyber-threats.

Each of the insurers, in their own way, said the same thing: You have to have the right security technology, but it’s not about the technology. The real threat is people, and not just criminals. The real threats are users, those who use weak passwords, give away credentials, click on bad links or otherwise exercise questionable judgment. To appropriate from Edmund Burke, the 18th-century Irish politician, “All that is necessary for the triumph of evil is that good men don’t change their passwords.”
