The Hacks Get Hacked and Their Passwords Get Dumped

Categories: Fraud Intelligence

By Liz Robinson, Principal Product Marketing Manager, RSA Identity and Data Protection

On January 30, the New York Times acknowledged that it had been a victim of a security breach. The Times claims this was the result of a long, targeted attack allegedly committed by attackers located in China to gain access to corporate email and data. It is now also coming out that the Wall Street Journal and Washington Post were compromised in similar attacks for similar reasons.

According to the Times’ article, one major vector the attackers employed at the New York Times was to dump the hashed passwords of every employee, crack those hashes to recover the plaintext passwords, and use them to navigate internally. The market has seen other large password breaches recently as well (LinkedIn, for example), but typically these kinds of bulk password attacks have been aimed at consumer passwords, and for fraud. The breach at the New York Times shows enterprise passwords being targeted, not for fraud, but for streamlined entry to corporate accounts and records.

As has been shown over and over again, password servers and domain controllers can easily fall victim to server-side attacks, and once the hash store is in an attacker’s hands, hashing and salting simply don’t protect these credentials any longer. Innovative technologies like RSA Distributed Credential Protection can provide extra layers of defense to prevent these types of attacks from succeeding.

I applaud all three news organizations for speaking out and bringing these security breaches to the public. Many organizations would have kept this internal, but we at RSA certainly believe in being honest and revealing the truth so others can learn from these sorts of things.

But, the question remains: how many times do these password attacks have to happen before the market really learns and applies better protections?

Liz Robinson is on the product marketing team at RSA and is focused on the data protection portfolio, including encryption, tokenization and key management. You can follow her on twitter @lizrobinson117.
