Hold Security have announced that the CyberVor gang (dubbed by Hold Security with “vor” meaning “thief” in Russian) has amassed over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites.
In 2009 OpenID announced that there were over 1 billion OpenID enabled accounts. That number has certainly increased since, even if some providers have migrated to OpenID Connect (e.g. Google). OpenID and OpenID Connect can be used by Identity Providers to provide trusted identities to other websites and services, the relying parties. The same is true of SAML based Identity Providers.
If, as is likely, the CyberVor hack includes data from trusted identity providers, then a certain proportion of the half a billion email addresses and credentials will grant access to a number of relying party sites. What to do? For individuals, Hold Security are offering a Consumer Hold Identity Protection Service which will allow individuals to know if their online credentials have been compromised.
For website owners Hold Security are recommending that all sites including auxiliary sites are validated as not being susceptible to the SQL injection mechanism used by CyberVor. This should be done as part of your penetration testing approach.
What though should be the strategy where your site does not maintain any identity data and instead trusts federated identity providers? The risk depends on the security weaknesses of the identity provider and on how much trust the relying party places in that provider. The second guiding principle of the US National Strategy for Identities in Cyberspace (NSTIC) is “Identity solutions will be secure and resilient.” Trusted federated identity rests on the “one strong door” theory: the relying party (service provider) depends on the strong door security of the single identity provider it has selected. Web penetration testing of trusted identity providers is sufficient to root out the SQL injection mechanism used by CyberVor. It does not, however, prevent user credentials from having been obtained through other mechanisms. The Identity Management Institute on their IMI blog are correct to state that “Businesses must counter the personal data breach threat with an effective identity theft prevention program”.
The impact of the risk depends on the services being offered. For example, banks do not normally externalise identity management, even with mobile solutions such as PAYM. eGovernment though is moving towards trusted external identity providers, as can be seen with the UK eGovernment Identity Assurance solution, which mitigates the risk by requiring the user to go through higher levels of authorisation and by enforcing security policies on the identity provider. It is always worth considering risk-based authentication mechanisms and step-up authentication factors when trusting externalised identities.
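As an added illustration of the step-up approach just described (example code, not from Hold Security or any named project), the relying-party policy below decides whether an identity provider's assertion is enough for the sensitivity of the requested operation. The provider URLs, trust tiers, client id and the OpenID Connect claim values are constructed for the example; a password-only login from a provider whose credential store may have been breached is never allowed to unlock a sensitive tier on its own.

```python
from datetime import datetime, timedelta, timezone

RP_CLIENT_ID = "rp-example-client"          # assumed: this relying party's client_id

# Constructed trust registry: the highest service tier (1 = low, 3 = most
# sensitive) that an assertion from each identity provider may unlock at all.
IDP_TRUST = {
    "https://idp.example-gov.test": 3,      # assumed high-assurance provider
    "https://login.example-social.test": 1, # assumed social login provider
}

# OpenID Connect `amr` values this relying party counts as a second factor.
STRONG_AMR = {"otp", "hwk", "mfa"}

MAX_AUTH_AGE = timedelta(minutes=10)        # freshness required for tier-3 actions

def decide(claims: dict, tier: int, now: datetime) -> str:
    """Classify an ID token's claims against the sensitivity tier of the
    requested operation: 'allow', 'step-up' (re-authenticate with a second
    factor) or 'deny'."""
    if claims.get("aud") != RP_CLIENT_ID or claims.get("exp", 0) <= now.timestamp():
        return "deny"                           # not issued to us, or expired
    limit = IDP_TRUST.get(claims.get("iss"))
    if limit is None or tier > limit:
        return "deny"                           # unknown door, or one too weak for this tier
    # A stolen password alone must never unlock tiers 2 and 3: a breach of the
    # identity provider's credential store is exactly the risk being mitigated.
    if tier >= 2 and not set(claims.get("amr", [])) & STRONG_AMR:
        return "step-up"
    auth_time = datetime.fromtimestamp(claims.get("auth_time", 0), tz=timezone.utc)
    if tier == 3 and now - auth_time > MAX_AUTH_AGE:
        return "step-up"                        # second factor present but session is stale
    return "allow"

def sample_claims(issuer: str, amr: list, auth_age_s: int, now: datetime) -> dict:
    """Build a constructed ID token claim set for demonstration; signature
    validation is assumed to have succeeded before decide() is called."""
    return {
        "iss": issuer, "aud": RP_CLIENT_ID, "amr": amr,
        "auth_time": int(now.timestamp()) - auth_age_s,
        "exp": int(now.timestamp()) + 300,
    }

NOW = datetime(2014, 8, 6, 12, 0, tzinfo=timezone.utc)   # constructed clock

if __name__ == "__main__":
    gov = "https://idp.example-gov.test"
    print(decide(sample_claims(gov, ["pwd"], 30, NOW), 2, NOW))          # step-up
    print(decide(sample_claims(gov, ["pwd", "otp"], 30, NOW), 3, NOW))   # allow
```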