The announcement last week that a Russian crime organization had stolen the credentials of 1.2 billion Internet users has shaken the technology world.
“If the number is accurate, it’s astounding,” says Roy Nutter, computer science and electrical engineering professor at West Virginia University. “That could be nearly half of the world’s estimated 3 billion Internet users.”
This latest data breach adds to the list of high-profile cybercrimes. Last year, Target saw credit and debit card information from 40 million customers and additional information (names, addresses, emails and phone numbers) from 70 million customers stolen from its databases, the largest breach for an American company.
“The common belief used to be that hackers were relatively harmless teenagers in their parents’ basements,” says Nutter. “The reality is that those kids have grown up and are now working for international crime syndicates operating on a global scale.”
These groups are highly organized and relentless. Hackers are hired for one purpose – to exploit flaws in computer software that will allow them to steal money. Crime rings infiltrate databases of companies to gather user information that they can use for financial gain.
As these cyberattacks grow in size, Nutter believes that companies will spend more time analyzing the associated risks. For law enforcement, the challenges can be far reaching. The perpetrators of these crimes are often located overseas, outside the jurisdiction of the countries they are hacking. “It is an immense challenge,” he says. “There is no such thing as completely secure software. There will always be vulnerabilities, which makes it easier for criminals to stay one step ahead of companies’ information-security departments and the authorities.”
Nutter compares the situation to a ship taking on water. “Just like the water, criminals only need to find one way in. On the flip side, a company is like the ship’s crew who has to find every possible hole and patch it in order to prevent disaster.”
He believes that the heightened awareness of these incidents will lead to increased focus on cybersecurity by business, law enforcement and private citizens. Nutter says that he and other researchers in WVU’s Lane Department of Computer Science and Electrical Engineering in the Statler College of Engineering and Mineral Resources are developing tools to assist law enforcement in bringing cybercriminals to justice.
He says that WVU’s academic programs are educating students to build stronger software systems, to know how to detect and prevent attacks on computer systems and to help track the perpetrators of these crimes. WVU is designated as a Center for Excellence in Information Assurance Education and in Research by the National Security Agency and the Department of Homeland Security, which certifies the quality of the academic programming.
Nutter also says that there are common practices that help keep user information protected. “Most people know they should change their passwords immediately when a breach like this occurs,” he says. “There is no easy way to find out if your information has been stolen. With hacks this large everyone should assume that their credentials have been compromised.”
“Changing your password is the easiest and most effective way to thwart cyberattacks. As soon as your password is changed, the stolen one becomes obsolete.”
But Nutter suggests going a few steps further. He recommends changing passwords frequently, especially for websites that contain sensitive records such as medical, banking or credit card information, and stresses that using a unique password for every content-sensitive website is a must. “Hackers are hoping that people use the same password across multiple sites,” he says. “Don’t make it easy for them.”
Strong passwords will also increase security. With modern computing power, password-cracking software can run through hundreds of millions of password combinations in under an hour. “The longer the password, the better,” Nutter said. “I recommend at least a 12-character password – more than the 8-character general rule – because it is less vulnerable.”
Passwords should use a mix of letters (lower- and upper-case), numbers, and symbols. The availability of more characters means an increase in permutations and combinations, making it more difficult, more time consuming and more expensive for password-cracking programs to “guess” a user’s credentials. Dictionary words and logical sets of letters or numbers should also be avoided. Anagrams of songs or phrases mixed with numbers and symbols are easy ways to create strong passwords.
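The effect of length and character set on the size of the search space can be worked through directly. The following example is added here and is not code from the article or from WVU; it computes the number of candidates (charset size raised to the password length), the corresponding entropy in bits, and the worst-case time to try every candidate at two assumed guessing rates. The rates are assumptions for illustration: one approximates the article's "hundreds of millions per hour", the other is a placeholder for a much faster offline attack against a weakly hashed password database.

```python
import math

# Character-class sizes for common password alphabets (exact for printable
# ASCII: 26 lower, 26 upper, 10 digits, 32 symbols).
CHARSETS = {
    "lowercase only": 26,
    "lower + upper": 52,
    "lower + upper + digits": 62,
    "lower + upper + digits + symbols": 94,
}

# Assumed guessing rates (constructed for this example, not figures from the
# article). The first roughly matches "hundreds of millions per hour"; the
# second is an assumed offline rate against a fast, unsalted hash.
GUESS_RATES = {
    "~3e8 per hour (article's figure)": 3e8 / 3600,
    "1e10 per second (assumed offline)": 1e10,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits (e.g. '1.5 minutes')."""
    units = [("year", 365 * 86400), ("day", 86400), ("hour", 3600),
             ("minute", 60), ("second", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}s"
    return f"{seconds:.3f} seconds"


def build_table(lengths=(8, 12)):
    """One row per (charset, length) with entropy and exhaustion times."""
    rows = []
    for cs_name, cs_size in CHARSETS.items():
        for length in lengths:
            row = {"charset": cs_name, "length": length,
                   "bits": entropy_bits(cs_size, length)}
            for rate_name, rate in GUESS_RATES.items():
                row[rate_name] = seconds_to_exhaust(cs_size, length, rate)
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in build_table():
        print(f"{row['charset']:<34} len={row['length']:>2} "
              f"{row['bits']:6.1f} bits", end="")
        for rate_name in GUESS_RATES:
            print(f" | {rate_name}: {human_time(row[rate_name])}", end="")
        print()
```

The table makes the article's two recommendations concrete: going from 8 to 12 characters multiplies the search space by the charset size to the fourth power, and adding character classes raises the base of that exponent. Note that these figures assume a password chosen uniformly at random; a dictionary word or a predictable pattern is searched far sooner than the worst case.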
“Unfortunately,” Nutter says, “users are usually their own worst enemies.” Internet users must be cautious of unknown links in emails and web advertisements. Changing account names or user names (where possible), keeping anti-virus software up to date and enabling multistep verification will also reduce vulnerability.
Nutter is available for media interviews, and can be reached at Roy.Nutter@mail.wvu.edu or 304.293.9131.