
Alleged Massive Account and Password Seizure By Russian Group

Unknown Lamer posted about 4 months ago | from the security-through-well-everyone-else-is-compromised-too dept.

Botnet 126

New submitter Rigodi (1000552) writes "The New York Times reported on August 5th that a massive collection of stolen email passwords and website accounts has been accumulated by an alleged Russian "crime ring". Over 1.2 billion accounts were compromised ... the attack scheme is essentially the old and well known SQL injection tactic using a botnet. The information has been made public to coincide with the Blackhat conference to cause a debate about the classic security account and password system weaknesses, urging the industry to find new ways to perform authentication. What do Black Hat security conference participants have to say about that in Vegas?"


because writing propet software (0)

Anonymous Coward | about 4 months ago | (#47613711)

Is just too hard....

Re:because writing propet software (4, Funny)

AaronLS (1804210) | about 4 months ago | (#47613761)

Apparently writing itself is hard, much less writing propet software.

Re:because writing propet software (2)

AlCapwn (1536173) | about 4 months ago | (#47613801)

Or propet sentences, even.

Re:because writing propet software (5, Funny)

RabidReindeer (2625839) | about 4 months ago | (#47613947)

The wisdom of the propets is written on the subway walls.

And tenement halls.

Re:because writing propet software (1)

kris2112 (136712) | about 4 months ago | (#47613983)

Ooooh...

A Rash reference.

Re:because writing propet software (1)

Anonymous Coward | about 4 months ago | (#47615411)

Here I thought it was Simon and Garfunkel.

Re:because writing propet software (1)

necro81 (917438) | about 4 months ago | (#47614029)

I misread "propet" like you did, then wondered what "prophet software" was supposed to be. Maybe Windows ME was supposed to be Windows Messiah? Instead it turned out to be Windows Anti-Christ.

Re:because writing propet software (0)

Anonymous Coward | about 4 months ago | (#47614281)

Did you know that Paul Simon originally wrote "and bathroom stalls" instead of "and tenement halls"? True story.

Re:because writing propet software (1)

Minwee (522556) | about 4 months ago | (#47614585)

This is Babel, Sensurround now. This place is death with stalls

Re:because writing propet software (0)

Anonymous Coward | about 4 months ago | (#47615319)

Interesting, for a long time I thought the lyrics were "subway stalls", maybe some sort of psychic temporal resonance interference.

Re:because writing propet software (1)

OhSoLaMeow (2536022) | about 4 months ago | (#47615539)

[citation needed]

Re:because writing propet software (1)

Anonymous Coward | about 4 months ago | (#47613799)

Writing proper sentances is also hard.

Re:because writing propet software (2)

Existential Wombat (1701124) | about 4 months ago | (#47616607)

Writing proper sentances is also hard.

So is spelling, apparently.

Re:because writing propet software (2)

gweihir (88907) | about 4 months ago | (#47614329)

Actually, why bother if nothing happens to those "losing" this data? Far cheaper not putting any protection in place.

Re:because writing propet software (1)

ganjadude (952775) | about 4 months ago | (#47614519)

apparently writing PROPER words is difficult as well

big whoop (1)

Anonymous Coward | about 4 months ago | (#47613777)

what is the use of accumulating a billion passwords if you already can successfully hack into the systems to steal them?

Re:big whoop (4, Informative)

Joe Gillian (3683399) | about 4 months ago | (#47613819)

The use is that you now have a database of 1.2 billion passwords that can be fed into a brute force cracker and used to make "educated guesses" to crack passwords.

Re:big whoop (4, Interesting)

wonkey_monkey (2592601) | about 4 months ago | (#47614071)

a) Because hacking isn't just a case of having access to everything or nothing. What if you can only hack the password database, but you can't hack the system that those logins are used for?

b) Because, lazy as people are, you now have some very likely candidate email/password combinations to try on all the systems you can't hack into.

Re:big whoop (2)

Jason Levine (196982) | about 4 months ago | (#47614707)

Because if you can hack into a system and get a billion passwords, you can sell those to "interested parties" for a penny each and retire.

Re:big whoop (1)

TWX (665546) | about 4 months ago | (#47616763)

With proper credentials on this scale, you can make subtle changes that don't set off any red-flags to create your profit, and it may take years for the scale and scope of your meddling to really be determined.

Re:big whoop (0)

Anonymous Coward | about 4 months ago | (#47616957)

It's just the internet, who cares. The internet is not for serious stuff.

Is Your Antivirus Tracking You? You'd Be Surprised (-1)

Anonymous Coward | about 4 months ago | (#47613789)

Is Your Antivirus Tracking You? You'd Be Surprised At What It Sends

by Chris Hoffman, 28th May, 2014, MakeUseOf.com

#

PLEASE READ THE PDF. THE QUOTE FROM THIS ARTICLE DRAWS REFERENCE TO WEB URLs BUT IN ORDER TO PROPERLY COMPREHEND THE MAGNITUDE OF DATA COLLECTION, YOU NEED TO READ THE PDF. PREPARE TO BE FLOORED.

DOWNLOAD THE PDF. STORE IT. CONVERT IT TO OTHER FORMATS. SHARE IT. MAKE SURE IT IS ALWAYS AVAILABLE SOMEWHERE ON-LINE OTHER THAN THE SOURCE BELOW. DON'T BLINDLY TRUST ARCHIVE.ORG OR SITES LIKE IT TO KEEP IT FOR YOU.

EVERYONE NEEDS TO READ THIS PDF BEFORE CONTINUING TO USE ANTI-VIRUS PROGRAMS.

#

        "Your antivirus software is watching you. A recent study shows that popular antivirus applications like Avast assign your computer a unique identifier and send a list of all web addresses you visit to the manufacturer. If the antivirus finds a suspicious document, it will send the document to the antivirus company. Yes, your antivirus company might have a list of web pages you've visited along with your sensitive personal documents!

        AV-Comparatives' Data Transmission Report

        We're getting this information from AV-Comparative's Data transmission in Internet security products report, released on May 8, 2014. AV-Comparatives is an antivirus testing and comparison organization.

        The study was performed by analyzing antivirus products running in a virtual machine to see what they sent to the antivirus company, reading each antivirus product's end user license agreement (EULA), and sending a detailed questionnaire to each antivirus company so they could explain what their products do...."

#

Rest of article and comments here:
http://www.makeuseof.com/tag/a... [makeuseof.com]

.PDF - The Study, dated May 20, 2014:
http://www.av-comparatives.org... [av-comparatives.org]

.PDF-To-Images Free On-Line Viewer:
http://view.samurajdata.se/ [samurajdata.se]

Is this me? (3, Funny)

chinton (151403) | about 4 months ago | (#47613813)

Or is the hacker that stole my /. credentials writing this post?

Re:Is this me? (1, Insightful)

cdrudge (68377) | about 4 months ago | (#47614213)

How do we know they are mutually exclusive of each other?

Re:Is this me? (3, Informative)

LordLimecat (1103839) | about 4 months ago | (#47615257)

Courts have ruled that it is not possible to steal something from yourself, so they are mutually exclusive.

Re:Is this me? (1)

cdrudge (68377) | about 4 months ago | (#47616235)

Are the credentials to a website property of the website? Or of the user?

Or, if you steal the complete password file/database/whatever of a site, and your password is one of the many you obtained, is that considered a stolen password still?

SQL Injection? (2)

the eric conspiracy (20178) | about 4 months ago | (#47613817)

Come on man

Re:SQL Injection? (1)

Nimey (114278) | about 4 months ago | (#47614763)

In before all the hipsters posting that xkcd comic.

Re: SQL Injection? (0)

Anonymous Coward | about 4 months ago | (#47615711)

Hipster doofases.

Re:SQL Injection? (0)

Anonymous Coward | about 4 months ago | (#47616251)

In before all the hipsters posting that xkcd comic.

You misspelled hippies.

And yeah, it is that old.

Are the /. accounts affected ? (0)

Anonymous Coward | about 4 months ago | (#47613835)

Posting as AC since I do not know if my /. account has been affected or not ...

Re:Are the /. accounts affected ? (5, Funny)

Buchenskjoll (762354) | about 4 months ago | (#47614015)

I think the Anonymous Coward account is compromised. Look over his posts, it's mostly complete crap.

Re:Are the /. accounts affected ? (1)

Anonymous Coward | about 4 months ago | (#47614313)

Ha ha ha ha! Just try getting the account back or resetting its password. It's mine, Mine, MINE!

And something about some act your mother and I once performed.

Re:Are the /. accounts affected ? (1)

gweihir (88907) | about 4 months ago | (#47614393)

Nice one!

Hold on a second.. (5, Interesting)

jbmartin6 (1232050) | about 4 months ago | (#47613861)

Of course, the company which reveals this offers a $120/month breach notification service [holdsecurity.com] so they have a strong incentive to exaggerate. I'm not saying we should immediately discount these claims but let's make sure our grain of salt is in there.

Re:Hold on a second.. (3, Interesting)

s.petry (762400) | about 4 months ago | (#47614477)

That, and the loose use of numbers to make it look "skeery". Cracklib has a few million entries (add up all of the languages), and for years people have been accumulating pre-made hashes in numerous formats. I can hash "password" in CRYPT, MD5, SSHA, SSHA2, etc.. and now my 1 word has become at least 4 entries. The top 25 used passwords has now become "hundreds" of passwords. Surely that is an exaggeration, but it's not exactly a lie.

I block way more brute force attacks out of China and the Middle East than I do Russia, but in all cases it is the same tools and methods.

To claim that this is all the work of some mastermind criminal group in Russia is simply laughable propaganda, and ignores the fact that hackers have become global enterprises. It's easy for them to share data and tools, and they _do_ share data and tools. It's not like drug cartels that have to produce a commodity that requires land and manufacturing equipment (and people). There is more benefit for two hacking groups to share data than there is for two drug cartels to share turf. I'll guess that there are still some turf wars, but not nearly the same as with drug cartels.

The only part I can agree with in TFA is that people don't know how to make strong passwords, and often lack the incentive to change their passwords frequently enough to stay ahead of the hackers. That's not a problem with Russia, but I'm sure this can result in yet another round of sanctions.

Re:Hold on a second.. (1)

mlts (1038732) | about 4 months ago | (#47614825)

I would place the blame less on intruders in general, the same way that I don't blame the bears (no comparison intended) at a park for getting tame and getting garbage due to tourists feeding them.

I point the finger at the generally sorry state of computer security since the early 2000s where a number of companies could get by with "security has no ROI" as a mantra... and so far, there have been little to no long term consequences (other than to the end users with ID theft issues) for this behavior. So, it doesn't really matter where the blackhats are... they are just taking advantage of the fact that a lot of companies don't bother with adequate security measures.

Adequate measures do not have to be expensive. Google Authenticator is standard, decently secure, and can be added quite easily. Using this as backup with SSH RSA keys as a primary is not a tough job for even a novice sysadmin.

For websites, the best solution would be client certificates, other than dealing with a CA... but there is always adding a custom intermediate.

Finally, there are basic sanity checks to put on a host level. If two machines are set up to communicate with each other, and don't need anything else, they get tunneled, or I set up entry/exit rules to disallow anything else to contact them. For machines that only are used at certain times of the day, it might be a good idea (although it would have to be a definite part of any troubleshooting process) to turn ports off when not in use.

For media, this too is also a solved problem. TrueCrypt, LUKS, BitLocker, and FileVault can mitigate the loss of a USB flash drive, an external hard disk, a laptop, or even drives out of a remote server (such as a RODC serving a branch office.)

Security is an issue, but right now, there is so much in the way of low-hanging fruit that doing basic precautions can go a long way for a lot of businesses.

Re:Hold on a second.. (2)

s.petry (762400) | about 4 months ago | (#47615841)

You don't need something like Google Authenticator to be secure. A strong 8 character password changed every 60 days would suffice. A hacker can know your account, but statistically speaking they would not be able to crack your password by the time you had a new password. Longer passwords are better, obviously, but should still be changed periodically to prevent a brute force attack from succeeding over time. It should go without saying that a Government would have additional processing power and could break it faster, but at the same time the majority of servers today rate throttle auth connections to reduce brute force attacks. The supercomputers help with a known hash, not necessarily when cracking into your bank account.

Where strong passwords tend to break down is in key loggers, phishing, and broken protocols.

For media, this too is also a solved problem. TrueCrypt, LUKS, BitLocker, and FileVault can mitigate the loss of a USB flash drive, an external hard disk, a laptop, or even drives out of a remote server (such as a RODC serving a branch office.)

A company called Intemedia has a "Securisync" product that uses both at rest and in transit encryption. So I agree the problem is solved, some much better than others, and even with "Cloud" storage. Cost is the obvious blocking factor in most cases.

Re:Hold on a second.. (1)

Algae_94 (2017070) | about 4 months ago | (#47616423)

You don't need something like Google Authenticator to be secure. A strong 8 character password changed every 60 days would suffice. A hacker can know your account, but statistically speaking they would not be able to crack your password by the time you had a new password.

Statistically speaking this would work, but it is possible that of all the brute force attempts the cracker tries in that 60 day window, one of them is your password. One correct guess and they have the account. Plus this is a pain in the ass to change passwords every 2 months. Use at least 10 characters.
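The exchange above (s.petry's "statistically speaking they would not be able to crack your password by the time you had a new password" and Algae_94's reply that one lucky guess is all it takes) is really a back-of-the-envelope calculation, so here it is worked through as an added example, not code from either poster. It computes the keyspace for a given length, the expected time to exhaust half of it, and the probability that an attacker guessing at a fixed rate hits one specific password inside a 60-day rotation window. The guess rates (a throttled online login, a GPU rig against a fast unsalted hash, and a deliberately slow hash such as PBKDF2 or bcrypt) are assumed round figures, and the model assumes a uniformly random password; real users pick from a far smaller space, so these are upper bounds on attacker cost.

```python
PRINTABLE_ASCII = 95  # assumption: passwords drawn uniformly from printable ASCII
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Guesses per second per account; all assumed, order-of-magnitude figures.
SCENARIOS = {
    "online, rate-limited login (10 guesses/s)": 10,
    "offline, fast unsalted hash on a GPU rig (1e10 guesses/s)": 1e10,
    "offline, slow password hash such as PBKDF2/bcrypt (1e5 guesses/s)": 1e5,
}


def keyspace(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def expected_seconds(length: int, guesses_per_second: float, alphabet: int = PRINTABLE_ASCII) -> float:
    """Expected time to find a uniformly random password: on average half the
    keyspace has to be tried."""
    return keyspace(length, alphabet) / 2 / guesses_per_second


def success_probability(length: int, guesses_per_second: float, seconds: float,
                        alphabet: int = PRINTABLE_ASCII) -> float:
    """Probability that `seconds` of guessing at the given rate hits one specific
    uniformly random password (capped at 1 once the keyspace is exhausted).
    Rotating the password every `seconds` resets this clock, which is the
    'statistics' argument in the thread."""
    return min(1.0, guesses_per_second * seconds / keyspace(length, alphabet))


def describe(seconds: float) -> str:
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


def report(length: int, rotation_days: int = 60) -> list:
    """(scenario, expected time to crack, P(hit within one rotation period))."""
    window = rotation_days * SECONDS_PER_DAY
    return [(name, describe(expected_seconds(length, rate)), success_probability(length, rate, window))
            for name, rate in SCENARIOS.items()]


if __name__ == "__main__":
    for length in (8, 10):
        print(f"{length}-character passwords, keyspace {keyspace(length):.2e}")
        for name, eta, p in report(length):
            print(f"  {name}: expected {eta}; P(hit within 60 days) = {p:.2e}")
```

Running it shows why both posters are right about different threat models: against a throttled online login an 8-character random password is safe for far longer than 60 days, while against a leaked fast hash the same password is expected to fall in a few days, and only the slow hash or the two extra characters push the offline case back into decades.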

Re:Hold on a second.. (2)

s.petry (762400) | about 4 months ago | (#47616537)

I agree, and pointed out that it's a statistics issue. No system is perfect, but to have several "strong" passwords is more secure in my opinion than having all your eggs in a single (Google Auth) basket.

Re:Hold on a second.. (2)

Sqr(twg) (2126054) | about 4 months ago | (#47614587)

You mean:

#1 Set up a website with 1.2 billion accounts.
#2 Have Russian hackers crack your website.
#3 Proclaim: "We have a list of 1.2 billion accounts that were compromised by Russian hackers. Pay us $120 if you want to know if you're affected."
#4 Profit!

Re:Hold on a second.. (2)

Shadowhawk (30195) | about 4 months ago | (#47614813)

From the TFA:
    At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.

Re:Hold on a second.. (1)

Phusion (58405) | about 4 months ago | (#47615985)

Yeah, I hadn't read the source article until today. I chuckled a bit when they mentioned the services they offer that could help mitigate this threat.

I'm sure several companies that have monitoring, pen-testing and other paid services are spooging their pants right about now. I'm sure that the story is legitimate, they may not be exaggerating, just letting their readers know that for a price, they're here to help :)

like the kettle calling the pot hackass? (-1)

Anonymous Coward | about 4 months ago | (#47614009)

j. public not alarmed enough 'story'. crown royal zionic nazi WMD on credit weapons manufacturers are not terrorists? spirit of creation remains undefeated by greed fear ego based MANic viagrant last gaspers.... some still calling this 'weather'?? https://www.youtube.com/results?search_query=wmd+weather+media+phosphorus+bombs

Bears repeating (1, Insightful)

MikeRT (947531) | about 4 months ago | (#47614021)

For those inclined to make moral equivocations between the NSA and the Russian government, both do what the NSA got caught doing. The difference is that the US Government would have the FBI kicking in this gang's door with a SWAT raid if they were Americans, whereas Putin is probably chuckling right now if he's reading about this.

Re:Bears repeating (0)

Anonymous Coward | about 4 months ago | (#47614241)

... The difference is that the US Government would have the FBI kicking in this gang's door with a SWAT raid if they were Americans, whereas Putin is probably chuckling right now if he's reading about this.

(apologies for the AC)

Yes, the US would have the FBI (etc) kicking in the door with a SWAT raid, so they could get the database for themselves to monitor and potentially use against YOU! (while Putin merely chuckles).

Re:Bears repeating (0)

Anonymous Coward | about 4 months ago | (#47614541)

(while Putin merely chuckles). because he has the DB already

Fixed that up for ya...

Re:Bears repeating (1)

Carcass666 (539381) | about 4 months ago | (#47614521)

Not sure I get what you are saying... Is it that Putin is sitting in his easy chair, munching caviar, laughing about "those crazy kids", and that he is above instructing his former colleagues at the FSB to check things out? What are we supposed to base Putin's indifference (or altruism) about this purloined user data? The lack of a Russian Snowden? Absence of evidence is not evidence of absence.

Re:Bears repeating (1)

disposable60 (735022) | about 4 months ago | (#47615521)

Putin's in his Dacha, kickin' back with a vodka and some roe, laughing as the kickback payments accumulate in one account and the kneebreakers make lists of delinquents to visit in another.

Re:Bears repeating (2)

Opportunist (166417) | about 4 months ago | (#47614779)

If the NSA now wanted to apologize their domestic spying with "but the others do it too", we should get off the high horse of "we're the shining beacon of freedom in this world", too.

Have your cake or eat it. Either you're entitled to doing what the crooked states do, or you are entitled to look down your nose at them. Choose. You can't have both.

Re:Bears repeating (1)

idontgno (624372) | about 4 months ago | (#47615615)

I think "Superpower" status includes the ability to have both. Because hypocrisy doesn't matter if you're big enough that you don't have to care what other people think.

I'm pretty sure the U.S. passed that moral event horizon a long time ago.

I'm sure Snowden had nothing to do with this. (-1)

Anonymous Coward | about 4 months ago | (#47614101)

Putin, and Rand Paul's hero, Soulkilll's Idol was man enough to take on the challenge of stealing these passwords, but hey, he's got a higher purpose.

And Rand Paul's got such a pro-education thing going too:

"The video's description identifies the pair as Erika Andiola and Cesar Vargas. In the video, Andiola approaches King and Sen. Rand Paul (R-Ky.), telling them she's a Dreamer who's originally from Mexico but was raised in the United States and is a graduate of Arizona State University. (Paul quickly got up and left.)"

http://www.huffingtonpost.com/2014/08/05/steve-king-dreamer-video_n_5650469.html

It's a wonder he's not part of the 4% of Americans (coincidentally the percent of his supporters) who like Putin.

http://www.washingtonpost.com/blogs/worldviews/wp/2014/07/09/putins-antics-have-left-much-of-the-world-against-him-but-he-still-has-some-surprising-support/

Rand Paul, Snowden and Putin should lead the charge to defend whitey...

http://www.washingtonpost.com/blogs/post-partisan/wp/2014/08/04/rep-mo-brooks-talks-war-on-whites-as-the-gop-loses-the-battle-for-votes/

And steal as many passwords as possible.

Call a spade a spade (1)

Anonymous Coward | about 4 months ago | (#47614123)

Not a single mention of Windows in the article, only the term botnets which we all know is 99% Windows. The average joe needs to be educated that using Windows is dangerous, period. If they happy click in other OSs it's not impossible to get "infected", but it's certainly much more difficult. Period.

However, on the exploitation side, it's not really a Microsoft issue. It's hipsters writing crappy code in all languages who don't have the raw programming acumen to avoid things as basic as sql injections.

Is it because of a dearth of talent in the labor pool? Possibly. It's sad to see companies having to hire hipster kids who are a whiz at using fb and twitter, but their only programming experience is completing a one month crash course in Rails. Until this changes and stakeholders realize that professional code can only be written by professionals, we'll be reading these types of stories for many years to come.

Just keepin it real.

Re:Call a spade a spade (1)

Opportunist (166417) | about 4 months ago | (#47614747)

The average Joe needs to be educated (by technology or the legal system) that his computer is his responsibility. You think people would stop clicking away any and all kinds of warning to see dancing bunnies if they had to use Linux or MacOS? If the latter had the 90% market share Windows enjoys today, we'd now have the same discussion with you complaining about how all those hipster Apple zealots are to blame for botnets.

A system's security is the minimum of the capability of the system and the capability of its admin. Not the average. The MINIMUM thereof.

Re:Call a spade a spade (0)

Anonymous Coward | about 4 months ago | (#47616213)

Most people run Windows.... Also there is no evidence that 99% of the bots are Windows.
Windows is dangerous, and has a lot of flaws.... But other OSes can be just as dangerous.....
It's just a target due to its large user base.

Stored in cleartext? (5, Insightful)

MoonlessNights (3526789) | about 4 months ago | (#47614131)

How was this even possible? Passwords should NEVER be something you can steal since they shouldn't actually be stored as clear text (or even encrypted, for that matter).

Hasn't it been common practice, for at least a decade, to store the passwords as a salted hash (using a unique salt for each user)?

You shouldn't be able to steal a password since the site shouldn't have it.

Re:Stored in cleartext? (0)

Anonymous Coward | about 4 months ago | (#47614741)

Unless one also knows / manages to acquire the salting algorithm. Salting is simply additional security "through obscurity" attempting to make existing rainbow tables useless.

Re:Stored in cleartext? (2)

MoonlessNights (3526789) | about 4 months ago | (#47614783)

Yes, that is exactly what it does. That isn't a problem and calling it "through obscurity" isn't correct since you don't need to hide the algorithm for this to work.

Knowing the salting algorithm does not defeat this, at all (as you _can_ steal the salt). The point is that you would need to generate a rainbow table for each user since they each have unique salt. If you are going to do that, you might as well just try brute forcing them all as it would probably be faster.
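An added example (not code from either commenter) of the point MoonlessNights makes above, and of Opportunist's later remark that badly or unsalted hashes are "begging for a replay elsewhere": with one bare hash, every user on every site who picked the same password stores the same digest, so a single precomputed table cracks all of them at once. With a random per-user salt and an iterated KDF, the same password yields a different record on every account, the table finds nothing, and knowing the algorithm and the salt buys the attacker only the right to brute-force that one account. The iteration count and the tiny candidate list are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: tune the work factor to your own hardware


def hash_unsalted(password: str) -> str:
    """The weak scheme: a bare SHA-256 of the password. Identical for every
    user, on every site, who chose the same password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus PBKDF2, stored as a self-describing record
    so the algorithm and parameters need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_lookup_table(candidates) -> dict:
    """hash -> password, computed once. A stand-in for a rainbow table: it only
    pays off because unsalted hashes are the same everywhere."""
    return {hash_unsalted(p): p for p in candidates}


def lookup(stored_hash: str, table: dict):
    return table.get(stored_hash)


def compare_schemes(password: str, candidates) -> dict:
    """Hash one password for two accounts ('site A' and 'site B') under both
    schemes and try the same precomputed table against each."""
    table = build_lookup_table(candidates)
    a_unsalted, b_unsalted = hash_unsalted(password), hash_unsalted(password)
    a_salted, b_salted = hash_password(password), hash_password(password)
    return {
        "unsalted_identical_across_sites": a_unsalted == b_unsalted,
        "unsalted_recovered_by_table": lookup(a_unsalted, table),
        "salted_identical_across_sites": a_salted == b_salted,
        "salted_recovered_by_table": lookup(a_salted.split("$")[3], table),
        "salted_verifies": verify_password(password, a_salted),
    }


if __name__ == "__main__":
    # Constructed candidate list standing in for a cracking dictionary.
    for key, value in compare_schemes("password", ["123456", "password", "qwerty"]).items():
        print(f"{key}: {value}")
```

The record format also answers the "salt is security through obscurity" objection: the salt sits in plain view next to the digest, and the scheme still holds, because its job is not to be secret but to make every account a separate problem.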

Re:Stored in cleartext? (1)

Charliemopps (1157495) | about 4 months ago | (#47614745)

Not if you trick the end user into installing a key logger.
I don't know if you work on PC's at all... I do. MOST people's computers are so heavily infected with malware that I don't even fix anything anymore. You bring your computer to me, I delete partitions, write 1's to every sector, then reinstall your OS. I've even started seeing boot sector viruses.

Re:Stored in cleartext? (1)

MoonlessNights (3526789) | about 4 months ago | (#47614853)

So, you think that the problem is that they compromised the site in order to phish the user into installing a keylogger? That would actually explain how they could get the passwords, no matter how they are stored on the server, so it is an interesting interpretation of the article.

I still think that it is a harder sell since it requires tricking millions of users into installing an exploit and hoping that they all use the site. If you were able to pull this off, stealing their password for the target site would be the least valuable thing you would have stolen.

Of course, if you could get that much control over the actual site, you could probably mess with the login page to the point where you could effectively keylog in the JS, which would impact everyone who tried to log in.

The details are too sparse to really tell which approach was used, if the article is actually legitimate.

Re:Stored in cleartext? (2)

SethJohnson (112166) | about 4 months ago | (#47614897)

Keyloggers are certainly a popular way for collecting passwords on a malware-infected computer. Undoubtedly, some portion of this claimed collection would have been built off keylogging.

The extortionists describing this password trove are claiming it was built by using compromised client computers to launch SQL injection attacks against servers where the computer's owner had an account. Such a strategy would allow the attackers access to injection vulnerabilities that are inaccessible to an unauthenticated visitor. Additionally, and perhaps more concerning should be that this type of attack would succeed against corporate intranets via employee computers connected via VPN.

Using keyloggers alone might yield a few million passwords (depending on the size of the botnet), but to achieve a collection of a billion, the compromised machines would have to gather passwords not belonging to their owners.
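SethJohnson's point that an injection point behind a login still exposes every other account's data is easy to see in a small, self-contained example. What follows is added here and is not code from the thread or from any product: an authenticated "find my message" lookup where the owner id comes from the trusted server-side session and only the subject comes from the request. The string-spliced version lets request input rewrite the WHERE clause and step past the owner check; the parameterized version sends the subject as data. The table and rows are constructed for the demo (sqlite3 in memory), and the injected input is the textbook always-true clause.

```python
import sqlite3

# Constructed sample rows: messages owned by three different accounts.
SAMPLE_MESSAGES = [
    (1, "alice", "alice travel itinerary"),
    (2, "bob", "bob payroll export"),
    (3, "carol", "carol password reset link"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (owner_id INTEGER, owner TEXT, subject TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    return conn


def find_message_vulnerable(conn: sqlite3.Connection, session_owner_id: int, subject: str) -> list:
    """Authenticated lookup with the subject spliced into the SQL text.
    `session_owner_id` is trusted (it comes from the login session); the
    subject is attacker-controlled and becomes part of the query's structure,
    so the owner_id restriction can be bypassed from inside a valid session."""
    sql = (f"SELECT owner, subject FROM messages "
           f"WHERE owner_id = {session_owner_id} AND subject = '{subject}'")
    return conn.execute(sql).fetchall()


def find_message_parameterized(conn: sqlite3.Connection, session_owner_id: int, subject: str) -> list:
    """Same lookup with bound parameters: the driver passes the subject as a
    value, never as SQL, so quotes and keywords in it have no structural effect."""
    sql = "SELECT owner, subject FROM messages WHERE owner_id = ? AND subject = ?"
    return conn.execute(sql, (session_owner_id, subject)).fetchall()


def demo() -> dict:
    """Row counts seen by a logged-in user (owner 1) for an honest subject and
    for input that closes the string literal and appends an always-true clause."""
    conn = make_db()
    honest = "alice travel itinerary"
    tautology = "x' OR 'a'='a"
    return {
        "vulnerable/honest": len(find_message_vulnerable(conn, 1, honest)),
        "vulnerable/tautology": len(find_message_vulnerable(conn, 1, tautology)),
        "parameterized/honest": len(find_message_parameterized(conn, 1, honest)),
        "parameterized/tautology": len(find_message_parameterized(conn, 1, tautology)),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows} row(s)")
```

The vulnerable query returns all three users' rows to account 1 because `AND` binds tighter than `OR`, so the owner check applies only to the left-hand branch; the parameterized query returns nothing for the same input, because there is no subject literally equal to that string. Being logged in changes who can reach the endpoint, not whether the query is safe, which is why the fix is parameterization (or an ORM that does it) rather than better session handling.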

Re:Stored in cleartext? (1)

Anonymous Coward | about 4 months ago | (#47614775)

Not a damn thing wrong with username password authentication.
And you don't need two-factor authentication either (aka: govt and corps tracking your ass by your phone number for life).
Although TOTP is ok for that where desired.

The problem is with ADMINS who can't admin securely, and USERS who can't keep their box secure.
And the sorry part about it is that keeping systems secure from crackers isn't that hard.
I've been on the net for over 20 years and the only time any of my hundreds of systems were
cracked is when I got lazy and let expendable-by-design systems in a DMZ get bent over
from time to time mostly for the laughs.

PS: You're a LOT more secure if you ditch that stupid Windows and run Unix.

Once again proven (0)

Anonymous Coward | about 4 months ago | (#47614793)

Once again proven that the IT community is not the bunch of geniuses that you guys like to paint yourselves up to be.

Re:Once again proven (0)

Anonymous Coward | about 4 months ago | (#47616501)

IT community gave up their claim to anything, as soon as they allowed For-profit corporations to gain control of the landscape with their proprietary garbage.
Stop supporting proprietary software. Once the landscape is opensource, criminals will have a much harder time finding and using security flaws (gov't and corps are criminals too).

You are a troll if u bring up heartbeat as a counterargument :P

Re:Stored in cleartext? (3, Interesting)

Anonymous Psychopath (18031) | about 4 months ago | (#47615493)

How was this even possible? Passwords should NEVER be something you can steal since they shouldn't actually be stored as clear text (or even encrypted, for that matter).

Hasn't it been common practice, for at least a decade, to store the passwords as a salted hash (using a unique salt for each user)?

You shouldn't be able to steal a password since the site shouldn't have it.

It probably is hashes and not passwords. If they were the actual passwords, they'd be using them themselves instead of trying to sell them.

The fate of the Internet (2)

blackbeak (1227080) | about 4 months ago | (#47614137)

Because of the ever increasing amounts of internet insecurity, shills paid to push corporate/government agendas and rebuke/dismiss detractors, "sock puppet" and AI posters, overzealous copyright take-down operations, pay-only access to verified (ie: useful) information, spamming, spoofing, bandwidth throttling, spying, tracking, personal information gathering, legal constraints and considerations, over-suspicion of anyone not 100% politically "correct" or aligned with power, agenda based "news", "echo effect" search results, and probably some other stuff I can't think of right now, the internet is quickly losing its ability to be much other than a channel for light entertainment.

Has the internet hit its nadir? It's probably only a matter of time before e-commerce fails in a major way due to these security leaks. And it may also be way too late to be useful in organizing any type of real grassroots socio-political change. Let's just go watch cute kittens on YouTube.

Re:The fate of the Internet (2)

blackbeak (1227080) | about 4 months ago | (#47614209)

Gee, I just realized: How do I know that in 10 or 15 years cute kitten watching won't be linked to a mental disorder or something? Then, if my internet activity is ever reviewed, I'll be the worse for it! Damn! Even watching kitten videos isn't safe!

Re:The fate of the Internet (1)

idontgno (624372) | about 4 months ago | (#47615723)

If watching cute adorable kitten videos is crazy, I don't want to be sane.

Because, cute adorable kittens.

Re:The fate of the Internet (1)

sasparillascott (1267058) | about 4 months ago | (#47614345)

Far from its nadir at this point, but your post makes excellent points. It definitely seems to be getting worse at an accelerating rate.

At what point of security breakdown do online roles/uses become unusable...my guess is that the credit card folks have seen a significant falloff in use (and collection of fees) due to the constant capture of people's credit card numbers as an example - at some point that will become more pronounced.

What is the point where enough people start clamoring for a "secure" (by the state of course) system to replace the "internet"? It's an interesting question, hopefully we don't get to see the answer to that - but the trajectory for online security is not heading in the right direction.

Re:The fate of the Internet (1)

Opportunist (166417) | about 4 months ago | (#47614731)

The laws concerning internet security are in place, where we fail is executing them. As long as fines are petty change, security will be handled by accounting, not risk management.

Good time to adopt a new protection technique (0)

Anonymous Coward | about 4 months ago | (#47614157)

A good reminder that organizations should consider adopting a storage technique that can protect against this.

For dedicated servers, we've used a hardware dongle to store a key used to encrypt password databases. It can be a PITA to move the dongle when a server crashes, but mostly works well.

For cloud services, you can leverage crypto techniques (PolyPasswordHasher) for protection. Migrating our existing password db over only took a few minutes and there doesn't seem to be any usability or performance downside.

What's the excuse for widespread issues? Are pointy-haired bosses emphasizing TPS reports and making password database protection low priority?

Re:Good time to adopt a new protection technique (0)

Anonymous Coward | about 4 months ago | (#47614445)

Yeah. Every sensitive task should be handled by hardware operating at a low level of abstraction. Systems will become less compact, for sure, but that's the only solution I can think of to make computing more secure [and private].

Re:Good time to adopt a new protection technique (0)

Anonymous Coward | about 4 months ago | (#47615017)

Are pointy-haired bosses emphasizing TPS reports and making password database protection low priority?

Yes. Many times over, yes.
(Had to AC, sorry)

proof? (1)

Anonymous Coward | about 4 months ago | (#47614171)

Just because something is written in the NYT does not mean it is true. I have seen no evidence to substantiate that claim.

Now's a Good Time (2)

Dave Whiteside (2055370) | about 4 months ago | (#47614187)

to change all your passwords
use something like KeePass or LastPass

YMMV

Re:Now's a Good Time (1)

sasparillascott (1267058) | about 4 months ago | (#47614249)

The article noted that many of the sites are still vulnerable to attack (and probably still being harvested of UserID/pword data).

The KeePass (password manager) recommendation is probably the best - i.e. a unique password for each website going forward.

How could this be SQL Injection? (1)

Anonymous Coward | about 4 months ago | (#47614191)

I'm confused. If the hack is SQL injection, that would mean that the passwords were stored in clear text in the DB. Who the hell does that anymore?

Re:How could this be SQL Injection? (1)

Opportunist (166417) | about 4 months ago | (#47614567)

You'd be surprised...

But right afterwards is badly or not salted hashes, begging for a replay elsewhere. And that's still quite common.

Re:How could this be SQL Injection? (0)

Anonymous Coward | about 4 months ago | (#47614657)

Nah. They just need to use the same hashing algorithm SQL uses. The SQL implementation will then compare the newly minted hashed password to the hash of the original password in the DB and if they match then billy-bob is your uncle and you're in like flynn.

Tech News Lag (1)

Garisimo (689294) | about 4 months ago | (#47614201)

Why is it I am hearing about this on Slashdot two days later than other news sites? I used to be able to count on breaking tech news to show up here first.

-g-

Re:Tech News Lag (1)

Opportunist (166417) | about 4 months ago | (#47614583)

Because /. is an aggregator. It's Reader's Digest, if you will. You come here for the news that is not so important to you, yet not unimportant enough that you'd want to miss it.

If ITSEC is especially interesting to you, I think you might read some pages focusing on IT security. Of course, you won't hear about the latest events in IT court there, or hear about some new SoC toys.

What the participants have to say in Vegas... (1)

erikscott (1360245) | about 4 months ago | (#47614273)

...stays in Vegas.

Story without any information (2, Insightful)

Anonymous Coward | about 4 months ago | (#47614283)

This story seems to have no actual meat to it. They say that a lot of sites have been hacked, some big names, we knew this. Many sites are still vulnerable, we knew this. By not disclosing the sites you're making more people vulnerable, and it's bad for everyone. It's going to take something bad happening to someone to learn the importance of password security for themselves. Some people will never learn certain concepts unless they experience them for themselves.

Re:Story without any information (0)

Anonymous Coward | about 4 months ago | (#47614605)

That is the age old debate. Which does more harm, alerting the general public (and other attackers in that public which would then target those sites) or alerting the companies and giving them time to plug the hole.

There are valid arguments on both sides of the equation.

Re:Story without any information (0)

Anonymous Coward | about 4 months ago | (#47615333)

How dare you call that story "no actual meat to it"?! There's the word "Russian" in it!

OpenPGP + HTTPS (Enigform and Jiffy) (0)

Anonymous Coward | about 4 months ago | (#47614351)

Check out http://wiki.buanzo.org/index.php?n=Main.Wp-enigform-authentication

Wordpress Plugin for Enigform Authentication - Definitive Guide

They also made an instant messenger called jiffie

Where's the list? (0)

Anonymous Coward | about 4 months ago | (#47614429)

Where's the list of breached sites?

Is it an unfair generalisation to say that (1)

easyTree (1042254) | about 4 months ago | (#47614535)

Within the phrase 'Russian crime ring', the last two words are redundant?

What's one gotta do with the other? (1)

Opportunist (166417) | about 4 months ago | (#47614555)

What does an SQL injection have to do with the alleged weakness of username/password authentication?

Re:What's one gotta do with the other? (3, Interesting)

angel'o'sphere (80593) | about 4 months ago | (#47614665)

With an SQL injection you possibly can fetch the password out of the DB.

You would be surprised how many databases for a certain business have a table called USERS with fields like uname, real_name, email, password ...

By simply putting "something ; select password from USERS where uname = 'user'" you can enhance every input field of a website with the stuff behind the semicolon. Even if somehow you cause an error on the server, it is possible that the HTML returned contains the password you are seeking.

Or you add behind the semicolon " ; select * from Users sort by email first 1000" (don't remember how 'paging works in SQL'). Replace the 'first 1000' with the appropriate statement.

So instead of a list of items you are looking for on eBay, you have an additional bunch of text at the bottom of the list holding an extract of the USERS table.

Re:What's one gotta do with the other? (1)

Jason Levine (196982) | about 4 months ago | (#47614737)

If you are using mySQL, it would be "Select * from Users limit 1000". If you are using Microsoft SQL Server, it would be "Select top 1000 * from Users".

Re:What's one gotta do with the other? (1)

Opportunist (166417) | about 4 months ago | (#47614799)

And that only works with passwords but not with any other form of authentication?

Actually, it's more likely that a well organized password database is more resilient against a replay attack than some half-baked solution that didn't get through a few decades of auditing.

Re:What's one gotta do with the other? (1)

angel'o'sphere (80593) | about 4 months ago | (#47614919)

Well, retrieving data you should not be able to retrieve, that is done via SQL injection.
Ofc there are plenty of auth methods where SQL injections won't help, except if you get write access to the DB.
E.g. the server could send a one-time PIN code to your mobile phone. But if I can change the phone number, it would send it to me. With a short enough time frame, I could even change it back to the old number and you won't notice easily.
Right now SQL injections are mainly used to retrieve data.
But consider I can inject SQL to change an order from an online retailer. Suddenly he does not only send me a book and a CD but also a boat, a fridge and a plasma screen ...

Re:What's one gotta do with the other? (2)

MoonlessNights (3526789) | about 4 months ago | (#47614757)

Yeah, it is an odd article.

It seems like they are talking about 2 real problems:
1) SQL injection (which could be solved by only using prepared statements)
2) storing cleartext passwords on the server (which could be solved by storing as hash with per-user salt)
Both of these techniques have been old hat for around a decade so the real news is that so many sites could apparently be compromised this way (of course, the entire article sounds invented, so who knows if that is even true).

The "alleged weakness of username/password authentication" seems to be just a "conclusion" they invented for click-bait purposes.

I completely agree with you that their derivation makes no sense. These problems are independent of each other and neither directly implies the conclusion they want to state.
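The two fixes named in the post above (prepared statements against SQL injection, per-user salted hashes instead of cleartext), applied to the USERS table layout described earlier in the thread. This is an added example, not code from the thread or from any site involved; it uses an in-memory sqlite table and constructed sample data, and PBKDF2-HMAC-SHA256 stands in for whichever password hash a real site would pick.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory USERS table with the columns the thread describes.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE USERS (uname TEXT PRIMARY KEY, real_name TEXT, "
    "email TEXT, password TEXT)"
)


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt>$<digest>'; a fresh 16-byte salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2_sha256$200000${salt.hex()}${digest.hex()}"


def add_user(uname, real_name, email, password):
    # Only the salted hash is written to the password column, never the cleartext.
    conn.execute(
        "INSERT INTO USERS VALUES (?, ?, ?, ?)",
        (uname, real_name, email, hash_password(password)),
    )


def lookup_hash(uname):
    # The '?' placeholder binds uname as a value, so an input such as
    # "something ; select password from USERS where uname = 'user'" is matched
    # literally as a username and can never append a second statement.
    row = conn.execute("SELECT password FROM USERS WHERE uname = ?", (uname,)).fetchone()
    return row[0] if row else None


def verify_login(uname, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    stored = lookup_hash(uname)
    if stored is None:
        return False
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed sample account used by the checks below.
add_user("alice", "Alice Example", "alice@example.invalid", "hunter2")
```

Even if the table leaks through some other injection, what leaks is a per-user salted hash rather than something that can be replayed against other sites as-is.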

well, duh ... (0)

Anonymous Coward | about 4 months ago | (#47614565)

> What do Black Hat security conference participants
> have to say about that in Vegas

Obviously, all passwords should be stored in Vegas.
Because what happens in Vegas stays in Vegas.

Security. That's how it works.

I Wonder... (1)

avgjoe62 (558860) | about 4 months ago | (#47614589)

How many of those 1.2 billion passwords are "password"?

What web sites were compromised? (0)

Anonymous Coward | about 4 months ago | (#47614841)

So what exactly was compromised? This is so vague I can't figure out what actually happened.

Re:What web sites were compromised? (1)

Algae_94 (2017070) | about 4 months ago | (#47616611)

My guess is that thousands of crappy WordPress sites or something on that level were compromised. Nothing of any extreme value.

Hash code != passwords (0)

Anonymous Coward | about 4 months ago | (#47614951)

Normal log in mechanisms do not store passwords, but instead store hash codes.
A hacker can not log in using a hash code.
A hacker can only log in using text that converts to a matching hash code.
Good luck trying to figure that out.

Probably Not A Result Of Offshoring But... (1)

theshowmecanuck (703852) | about 4 months ago | (#47615623)

I worked on a project at a telco a little under 10 years ago and much of the provisioning code was written in Moscow. I couldn't help but think even back then what would happen if Putin really got out of control. It was already apparent that he had overwhelming nostalgia for the CCCP. Sooner or later we'd be in some sort of conflict with him; was it really a good idea to allow this kind of software to go to a potential belligerent? Never mind code for financial and payment systems. Same with China. It probably isn't the case here, but maybe we should think about these things more.