Massive Russian Hack Has Researchers Scratching Their Heads

timothy posted about 3 months ago | from the schroedinger's-breach dept.

Security 102

itwbennett writes: Some security researchers on Wednesday said it's still unclear just how serious Hold Security's discovery of a massive database of stolen credentials really is. "The only way we can know if this is a big deal is if we know what the information is and where it came from," said Chester Wisniewski, a senior security advisor at Sophos. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at $120 per year.

Objection! (4, Interesting)

alphatel (1450715) | about 3 months ago | (#47622021)

"They decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at US$120 per year.

A billion-dollar security firm won't sign up for a $120 per year service to see the data behind the breach? It must be highway robbery, unlike most AV products which charge the same $$$ per year for little in return.
In addition, it seems the above quote neglected this portion of the article:

Individual consumers can find out through its identity protection service, which Hold Security says will be free for the first 30 days.

It's free and they still can't afford it? Sophos can't use a fraction of its 100,000 honeypot email accounts to sign up and see if it's legit?

Much like Hold Security, Sophos has displayed nothing but news-unworthy jabber.

Re:Objection! (5, Insightful)

MightyMartian (840721) | about 3 months ago | (#47622037)

I'm getting pretty dubious of the entire claim. Some company wants to sell its security monitoring service, declares "we've got a huge database of stolen credentials, but we're not going to let you see it without paying up first, or at least signing up for a service that will bill you after 30 days."

I call BS.

Re:Objection! (3, Interesting)

Anonymous Coward | about 3 months ago | (#47622107)

I agree. I spent several years in the IT security arena before leaving for other IT pursuits. I started off as an investigator, then firewall engineer, then pen tester. Generally, most AV and security companies sell FUD to make their billions. I always tell my friends who continue to run Windows and Macs to create and use non-administrator accounts and surf the Web as a mortal user. This alone stops 90% of the crap out there, although some new stuff will install directly in the users' directory. Since Chrome can be installed w/o admin rights on most boxes, this has been problematic. More and more malware now installs with no goal of infecting the system, but rather wreaking havoc within a user directory. Some of the ransomware does this very thing.

Fact is, there should be a bounty on the heads of those people who author malware. If you are caught, you are executed. Full stop. Enough already. A fine and a couple of years in prison are not a deterrent. Let's start taking a page from China and Singapore's book, shall we? Or even some of the ME countries.

Re:Objection! (0)

Anonymous Coward | about 3 months ago | (#47622155)

I agree. I spent several years in the IT security arena before leaving for other IT pursuits. I started off as an investigator, then firewall engineer, then pen tester. Generally, most AV and security companies sell FUD to make their billions. I always tell my friends who continue to run Windows and Macs to create and use non-administrator accounts and surf the Web as a mortal user. This alone stops 90% of the crap out there, although some new stuff will install directly in the users' directory. Since Chrome can be installed w/o admin rights on most boxes, this has been problematic. More and more malware now installs with no goal of infecting the system, but rather wreaking havoc within a user directory. Some of the ransomware does this very thing.

Fact is, there should be a bounty on the heads of those people who author malware. If you are caught, you are executed. Full stop. Enough already. A fine and a couple of years in prison are not a deterrent. Let's start taking a page from China and Singapore's book, shall we? Or even some of the ME countries.

B--b-b-but that will just encourage MORE malware writers! /sarcasm

Re:Objection! (1)

Anonymous Coward | about 3 months ago | (#47623167)

I wouldn't go that far. It is too easy to plant evidence. All it takes is a botnet client that sticks a piece of code on a drive or E-mail account, and that's a conviction. Plus, the real perps are likely in countries with no agreements for extradition to their victim nations.

Let's be real here. There will always be bad guys and, unlike bank robbers, catching them is next to impossible. Even if we find who it is, they will be sitting in a country that will actually give them the state's blessing for their nefarious deeds (sort of like Nigeria and the "chop your dollar" approbation/condoning of 419 scamming.)

Instead, we need to stop giving them low-hanging fruit and start pulling access to stuff that shouldn't be on the Internet in the first place. We also need to start thinking from a separation of privileges perspective.

Take the user account. Malware doesn't need root/Administrator these days to encrypt files, connect to sites, run a botnet, upload documents, and other business. There have been steps taken to separate programs running in a user context, but it still has to go further [1], perhaps with containers, security profiles, or some other mechanism so that the Web browser can't access files other than its own, and the word processor can access files imported into it, but can't just grab anything it pleases willy-nilly.

Of course, Internet access for user accounts is important as well. 2FA should be the norm, even if the second factor is "where you are from" [3], where access is limited to a small subset of the Internet. This isn't doable in a lot of cases (a public facing web server for example), but limiting IP space should be something considered for everything, and put in not just on the router/firewall level, but on individual hosts.

Another issue is relying on the network appliances to watch for bad things going on. With VMs becoming almost the norm rather than the exception, it might be wise to put a HIPS on the hypervisor level, perhaps occasionally snapshotting a VM (drives and RAM) for a heuristic analysis, or even a real-time monitor that would stop a VM, save the snapshot aside for forensic work, then roll back to a known good state when done. I know VMware offers a solution that does this, but this form of protection should be more common, since a rootkit can hide from a lot, but it will have great difficulties hiding from a hypervisor that can stop the entire VM and scan the memory space.

Finally, there is the issue of social engineering. However, this is a solved problem, and this is what MBA schools are meant to teach -- how to deal with threats on the HUMINT level, and not electronic.

All in all, IT has come a long way... but it has not kept up in the backup arena, and in security. This can be addressed, which would go far in making it tougher for all but state-sponsored groups (that can get "boots on the ground" for physical attacks) to get a foothold.

[1]: Of course, the "Dancing Pigs" security hole will always be with us, but it affects some platforms far more than others. For example, I never read about AIX or Solaris users getting gibbed by a Trojan downloaded from a website. I also have not seen Linux or FreeBSD users nailed (since it takes some effort to chmod 755 and execute the file.) Mac users tend to be not as affected. Of course Windows [2] is where I almost always see Trojan horses (be it ".pdf .exe" files, .scr files, or just a plain executable) run and malware get a good start.

[2]: MS isn't really to blame here. Metro is a good way of stopping it, but the behavior is still there to download a file and run it since there historically has been no trusted repository or store for the OS, so downloading and running is a part of life in the Windows ecosystem, while on other platforms, executing programs from anyplace but a store or repository is a very cautious exception, never the rule.

[3]: Usually authentication consists of something like what you know (passwords), who you are (biometrics), what you possess (app or hardware token), and even who knows you (shared-secrets). However, where you come from isn't an authentication means by itself generally, but can help.

Re:Objection! (1)

ShanghaiBill (739463) | about 2 months ago | (#47623945)

there should be a bounty on the heads of those people who author malware. If you are caught, you are executed.

It would make more sense to get to the root of the problem, and execute authors of browsers and email clients that don't implement proper sandboxing.

Re:Objection! (1)

MatthiasF (1853064) | about 2 months ago | (#47624741)

Since Chrome can be installed w/o admin rights on most boxes, this has been problematic.

Why is the installation of Chrome without admin rights a problem?

Not meaning to contradict, just interested in the reasoning.

Re: Objection! (1)

Anonymous Coward | about 2 months ago | (#47625563)

This is an individual who just proclaimed that if you steal you should be sentenced to death. Why are you even bothering to ask for further opinions from a clear asshat?

Re:Objection! (0)

Anonymous Coward | about 2 months ago | (#47628601)

Since Chrome can be installed w/o admin rights on most boxes, this has been problematic.

Why is the installation of Chrome without admin rights a problem?

Not meaning to contradict, just interested in the reasoning.

You forgot his security guy credentials very quickly. He's fully aware that you can't "trust" the installation of BROWSERS that are not "protected" by group policy (Firefox wasn't till scant months ago) and safeguarded/monitored by antivirus extensions (Chrome, at least for my McAfee-using overlords).

Were he to secure a Finance department, for instance, forced to give them access to a browser for some in-house app (regardless of the risks, many out there will not fully block Human Resources or money guys), he'd be afraid of the users that make IE a gateway to a more customizable browser. Other browsers cannot be locked down as tightly. Some things I've seen done via GP are extremely unfair, but useful*. I've seen restricting a homepage and compressing window titles down to a single initial to protect from onlookers. You can also white-list or restrict domains by "security zones" and determine various runability parameters for LAN and scripts.

Controlling what pages someone visits without some proxy or firewall-level matching isn't as "easy" to do for Firefox or Chrome out of the box, and won't be included in your boilerplate IT training-du-jour courses, or YouTube videos and mainstream IT training materials... as a lead you'll need to train your fellow co-workers on this esoteric stuff if you want helpful hands to help with maintenance.

In other words, IE is the go-to browser. When suddenly users know a few tricks (or just want dubious extensions they use at home but can't inject into IE) and want to sidestep your carefully plan[nt]ed walled garden, they might just install Chrome so some of your rules won't apply to them. In some cases they'll get away with it if you plan very poorly -- security-by-assuming-your-guys-follow-rules. I'm not saying IE is better, but IT tend to leave many holes in place, and it is a shame that some viruses settle for owning just the local account silently at times.

It is annoying how Windows and Macs bother you when you double-click a freshly downloaded and perfectly legit EXE, while exploits routinely p0wn your OS into running stuff from your temp folder. No need to click on "This file is safe, pretty please let it run". It's not always Java and Flash that deliver the exploits. I hate that plugins are allowed to run batch files that download larger EXEs that then sell out your entire security sand castle, while legit usage is chastised by ever-tightening defaults.

* like removing the Start button's functions except for "Shut down"

Re:Objection! (1)

david_thornley (598059) | about 2 months ago | (#47630501)

Two reasons it can be a problem:

First, malware can do a lot of harm without any sort of admin rights. All files on the account are vulnerable to whatever it might do. If you've got files in your account you can't afford to lose, and no good backups (yes, this is a disaster waiting to happen, but many people do it), you're vulnerable to ransomware. It'd be more effective if it could jump across accounts, but it doesn't need to. Or, if the machine is in some sort of trusted network, it may be able to infect other machines.

Second, once there's malware on your account it can look for exploits to get more privileges.

Re:Objection! (1)

MatthiasF (1853064) | about 2 months ago | (#47638891)

So, you're saying Chrome is malware?

Re:Objection! (0)

Type44Q (1233630) | about 2 months ago | (#47625005)

Let's start taking a page from China and Singapore's book, shall we.

Yes! Let's start by you offing yourself. Seriously.

Ignorant, brainwashed asshole.

Re: Objection! (0)

Anonymous Coward | about 2 months ago | (#47625547)

Right! Cause stealing things should = death.

Sounds like someone needs a crash course in basic morality.

Re:Objection! (2)

CaptainDork (3678879) | about 3 months ago | (#47622109)

I'm with you on this. For individuals, the free version expires after 30 days AND they state that, because of the size of the data, it will take a while.

My guess is a little more than 30 days.

Re:Objection! (0)

Anonymous Coward | about 3 months ago | (#47622119)

I want to ask the more interesting question: how did they get their hands on the data? I don't really see a legal way of doing it.

Re:Objection! (1)

fuzzyfuzzyfungus (1223518) | about 3 months ago | (#47622635)

What happens in Vegas stays in Vegas, and who hacks in Russia stays in Russia, seems to be the general rule.

I certainly can't think of any possibilities that wouldn't be 145,345 counts of CFAA violation if you did them to somebody the feds actually cared about even slightly; but team prosecutor has shown very, very little interest in pursuing even the most blatant counter-intrusions (and it isn't too surprising, the victims are always unsympathetic and vanishingly unlikely to want to raise the issue or even enter US jurisdiction, while the law enforcement side doesn't exactly have the necessary expertise to take over the job); which makes pulling them off operationally more or less legal.

Re:Objection! (0)

Anonymous Coward | about 3 months ago | (#47622381)

Time for someone else to hack them and find out.

Unproven, but plausible. Our reputation was plenty (1)

raymorris (2726007) | about 3 months ago | (#47622425)

We used to provide a similar service to web sites. We had many millions of compromised accounts. We didn't offer any services to consumers. The companies who were our customers knew we had a very solid reputation for providing excellent security solutions, and on forums other webmasters they know would report that our service worked well for them. That was sufficient that most customers would add that service or not based on what I recommended for their particular site. In general, on a site making over $5,000 / month it might make sense to spend $5 / month on the extra security. For sites making less than $1,000 / month, I'd suggest they put their limited resources elsewhere and check back in a year. In between, it depends on the type of site. Some are attacked more than others, and a compromise is likely to be more costly on some than on others.

Cui bono (4, Interesting)

s.petry (762400) | about 3 months ago | (#47622539)

Looking at who benefits is always a worthwhile pursuit. A company benefits, selling what appears to be FUD. US Government benefits because they have recently been blaming everything on Russia.

What is not happening? Nobody is going to jail over the computer espionage act (or any other law allegedly violated). In fact there is no criminal investigation at all mentioned. No facts available to verify the alleged "stolen credentials", and the only way to even glimpse said data is to provide your information to some company that is an unknown in the security community.

I'll have to dig later, but I'm curious who the owner of this company is and who they are tied to. Surely a coincidence, but this comes out right after former NSA Director claims he's worth a million a month in consulting, working on over a dozen "IT Security" patents, all for his brand new private business. That may not be a rat, but sure has that "rodent" like smell to it.

At best, this is a company trying to profit off other people's pain. No thanks, I'm not buying anything they are selling.

Re:Objection! (1)

fuzzyfuzzyfungus (1223518) | about 3 months ago | (#47622547)

It's not even clear that anyone gets to see the list itself (short of buying out the company or aggregating data from enough individual buyers of 'monitoring services'). 30 days to evaluate the actual data and $120/year for continued access would be quite generous indeed for a collection even markedly less interesting than the hype makes it sound. $120/year for 'we'll bother to tell you if your name pops up on the scary secret list.' is less compelling in absence of a more convincing demonstration of the value of the dataset, their desire and ability to continue expanding and updating it, and so on.

Re:Objection! (1)

Charliemopps (1157495) | about 3 months ago | (#47622561)

What's more likely is they went to one of the many "hacker" websites where they sell this sort of stuff and bought a large chunk of nearly worthless data from old GeoCities websites and such.

Re:Objection! (0)

Anonymous Coward | about 3 months ago | (#47623069)

This. Plus TPTB and MSM are grasping at straws lately in a losing effort to make Russia look bad.

Re:Objection! (1)

ark1 (873448) | about 2 months ago | (#47626613)

When personal information is compromised, I feel most companies DO NOT want to know that they were hacked because then they have to notify the users + take steps, or at least make it look like they do, to be more secure and reputation takes a hit. If only the hackers have this information and abuse it without revealing where they got it, the company could not care less as this does not affect their business.
Sure the hack may become public down the road but at least there is a chance it may never be.

Re:Objection! (5, Informative)

Anonymous Coward | about 3 months ago | (#47622057)

"They decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at US$120 per year.

A billion-dollar security firm won't sign up for a $120 per year service to see the data behind the breach? It must be highway robbery, unlike most AV products which charge the same $$$ per year for little in return.

Hey dimwit, it's $120 per year per site company not for disclosure of the entire data set. This is a protection racket.

Re:Objection! (1)

Anonymous Coward | about 3 months ago | (#47622085)

Hold Security probably orchestrated the website account credentials theft. I am always wary of security researchers and companies making these claims.

Re:Objection! (1)

Anonymous Coward | about 3 months ago | (#47623447)

Hey dimwit, it's $120 per year per site company not for disclosure of the entire data set. This is a protection racket.

Ahhh! So it is government work?

Re:Objection! (5, Insightful)

Andor666 (659649) | about 3 months ago | (#47622097)

It sounds quite fishy because they ask for a $120 subscription, not to let you access the data, but for a service that lets you know if you are affected by it or not.

- Here, my $120, what's going on with this?
- You're not affected, goodbye.
- But, hey!
- You're not affected, goodbye.

Re:Objection! (0)

Anonymous Coward | about 3 months ago | (#47622271)

Could be worse:

- Here, my $120, what's going on with this?
- You're affected. Change your password, goodbye.
- But, hey, I have 649 passwords! Which one, what service?!?
- Yes, you're affected, goodbye.

PROTIP: Assume you're affected. Change your most important passwords regularly. Spend the $120 on something nice for yourself.

Re:Objection! (3, Funny)

Anonymous Coward | about 3 months ago | (#47622299)

- But, hey, I have 649 passwords! Which one, what service?!?

I got 99 passwords, but AC ain't one.

Re:Objection! (1)

arth1 (260657) | about 3 months ago | (#47622583)

Could be worse:

- Here, my $120, what's going on with this?
- You're affected. Change your password, goodbye.
- But, hey, my web site doesn't have any passwords, how can it be affected?
- Yes, you're affected, goodbye.

Until they pony up some evidence, this sounds like a scam, much like the cold callers who tell you you have a virus.

Re:Objection! (1)

quantaman (517394) | about 3 months ago | (#47622819)

It sounds quite fishy because they ask for a $120 subscription, not to let you access the data, but for a service that lets you know if you are affected by it or not.

- Here, my $120, what's going on with this?
- You're not affected, goodbye.
- But, hey!
- You're not affected, goodbye.

Then again they could just be trying to make money.

I'm definitely in favour of open disclosure and would like to think they'd do better businesswise releasing the info and getting good PR. But if you're looking to make money off the info that is the way to do it.

Of course it could also be a scam, if they're planning on this business strategy they should have someone respectable under an NDA to at least vouch that the information is legit.

Re:Objection! (2)

myth24601 (893486) | about 3 months ago | (#47622247)

If these people have knowledge of a crime, aren't they legally obligated to report it to law enforcement?

Normally, one could claim no knowledge of a crime but in this case, they have announced that they have knowledge of crimes.

Re:Objection! (1)

thieh (3654731) | about 3 months ago | (#47622333)

Whether the law enforcement agencies are capable of producing evidence to link it to the wrongdoing of some particular group in the jurisdiction the group is operating in is an entirely different matter.

I would guess Russia would start protecting these guys if it pisses off the US enough for the US to charge them with something, just like Edward Snowden.

Re:Objection! (1)

Aighearach (97333) | about 2 months ago | (#47625741)

It does not matter where the perps are believed to be. They've claimed some of the companies are US companies, presumably with servers in the US. So it is a federal felony in the US, and yes, they should have reported it to law enforcement if they believe it is ongoing. Generally in the US that is not required. But...

If they're profiting off of it without reporting it, they're actually accomplices and I hope they get arrested for it. And if they committed any crimes in Russia to acquire the data, it should be at least considered by the State Department to try to trade extraditing them for something.

Re:Objection! (2)

multimediavt (965608) | about 3 months ago | (#47623125)

If these people have knowledge of a crime, aren't they legally obligated to report it to law enforcement?

Normally, one could claim no knowledge of a crime but in this case, they have announced that they have knowledge of crimes.

Depends on the laws in their HQ location, but in most civilized nations this is called extortion by Hold Security. They are most likely in the crosshairs of law enforcement as I type this. If this turns out to be a bogus or inflated claim (like it smells) they could face some serious criminal and civil charges, regardless of what country they are in.

we offered a similar service, it costs to operate (1, Interesting)

raymorris (2726007) | about 3 months ago | (#47622351)

A billion-dollar security firm won't sign up for a $120 per year service to see the data behind the breach? It must be highway robbery, unlike most AV products which charge the same $$$ per year for little in return.

Indeed, we used to operate a similar service, and many companies were excited to sign up at just $49 / year. Often, the bad guys get the entire password database, so being alerted to that right away is valuable. I designed our system many years ago and it was somewhat expensive to operate. Crackers compromise new sites every day, so you have to be constantly finding and processing newly compromised accounts. Over time, it became more costly to cover a smaller percentage of compromised accounts, so we advised more and more sites not to buy it, until at some point we just stopped offering the service pending a redesign.

Using different types of resources that are available now, it's possible to run such a system more efficiently. I have a design in mind, but I haven't implemented it yet. If I do, it will likely be priced pretty close to $120 / year. We won't make crazy profits at that price point because it'll cost us $2,800 / year to operate. We'll need about 25 sites to sign up just to break even, and that doesn't include the time spent developing the new system. For a site with $300,000 / year in revenue, $120 will be a great value. For a site with $3,000 / year in revenue, it wouldn't make sense for them to get it.

Re:we offered a similar service, it costs to opera (1)

arth1 (260657) | about 3 months ago | (#47622629)

A billion-dollar security firm won't sign up for a $120 per year service to see the data behind the breach?

A billion dollar security firm won't sign up for a $120 per year service per site to not see the data behind the breach, but to be given an unsubstantiated statement of whether they allegedly are affected or not.

Why would they? That would just be opening up for all kinds of protection rackets.

the same as any service - reputation, etc. (1)

raymorris (2726007) | about 2 months ago | (#47623947)

You ask "why would they" sign up for a notification service that costs $120 / year. I suppose it's like just about any other online purchase - it comes down to the reputation of the seller. Why would you buy a computer on Dell.com, when you can't see the product before you buy it? You'd make that decision based on Dell's reputation, and any previous dealings you had with the company.

The companies who were our customers knew we had a very solid reputation for providing excellent security solutions, and on forums other professionals they know would report that our service worked well for them. When we identify a compromised account, we tell the owner of the sites which account(s) are known to be compromised and where we found the compromised account information if it's being publicly traded on a cracker board. Also we provide tools they can use to analyze activity on the account and see for themselves that people in Russia and China are trying to use the account or whatever.

A customer uses this service and tools and it works well for them. Six months later, someone in a Slashdot post asks "how can I tell if my site's password database has been compromised?" Other Slashdot users reply "the tools 'raymorris' supplies worked well for me". So pretty much like any other online purchase.

Re:the same as any service - reputation, etc. (1)

Aighearach (97333) | about 2 months ago | (#47625755)

Thanks ray, but you answered the wrong question, and with a data dump.

Re:the same as any service - reputation, etc. (1)

david_thornley (598059) | about 2 months ago | (#47630725)

Right. I've bought Dell computers before, and they've been quite serviceable machines that did what was advertised. That sort of thing gives Dell a good reputation, and is why I continue to buy from their website.

Hold Security doesn't have a reputation. The website is about a year old, and apparently was blank until quite recently. Looking at Bruce Schneier's blog [schneier.com] , it looks like the only thing in its favor is Brian Krebs saying it's legit.

The question is not "Why would I pay 'raymorris' or Dell?". It's "Why would I pay Hold Security?".

Re:Objection! (1)

mwvdlee (775178) | about 3 months ago | (#47622437)

What guarantee does anybody have these credentials are real and actually belong to ANY site?

They could just as well fabricate some large list of random credentials if their "disclosure" method doesn't actually require disclosing whose data it was.

All you would be paying for is a $120 "Thanks for the money, the credentials aren't from your site" notice.

Re:Objection! (1)

Aighearach (97333) | about 2 months ago | (#47625793)

What guarantee does anybody have these credentials are real and actually belong to ANY site?

They could just as well fabricate some large list of random credentials if their "disclosure" method doesn't actually require disclosing whose data it was.

All you would be paying for is a $120 "Thanks for the money, the credentials aren't from your site" notice.

I have a large database of real logins and passwords. They really do belong to a site. Of course, it went out of business and the user accounts were transferred to a competing service with different login system... 10 years ago. But they are real logins, from a real site.

And YOUR login could be affected! Just send me $extortion_amount1 and I'll tell you if you're in the list. And for $extortion_amount2 I'll even tell you the name of the site.

Re:Objection! (1)

fuzzyfuzzyfungus (1223518) | about 3 months ago | (#47622503)

Sophos may well still be blowing smoke; but my understanding of the service is that it's $120/year to know if your site is on 'the list', not $120/year for access to the list itself (which is probably something you can buy, if you write a check large enough; but the price will look distinctly different.)

With that pricing structure it is markedly less practical for any sort of 'peer review' process to go on, or any accurate survey of "Site X was added to the database after being compromised by Y, how large was Y's contribution to the total pool of hacked credentials?" or similar questions. The offer appears to be 'We have a giant scary database of people that bad things are going to happen to. For $120/year, we'll tell you if your name shows up on it at some point during your subscription.'

Re:Objection! (1)

MightyMartian (840721) | about 3 months ago | (#47622749)

It strikes me that the entire purpose of their pricing structure IS to avoid peer review. They're not letting anyone in the community see the data, or even some statistically useful amount of the data to actually judge what they have.

It's a scam, pure and simple.

Re:Objection! (1)

fuzzyfuzzyfungus (1223518) | about 3 months ago | (#47623087)

It isn't a pricing structure logically incompatible with also telling the truth about what you are selling; but it certainly is a pricing structure that rather neatly matches the one you would use if you were exercising a little creative license in describing the magnitude of your findings. According to TFA they haven't even clarified how fresh the various accounts that make up the 1.2 billion are. That's the sort of thing that is quite valuable in estimating how useful the collection is; but also wouldn't compromise its commercial value (unless it suggested that the product was junk; but it wouldn't be a direct substitute for the product in any case).

Even if they've avoided making directly false statements for legal reasons, they've left a fair amount of room for the quality of the data to...vary...without directly contradicting the claims made.

Re:Objection! (1)

Zontar_Thing_From_Ve (949321) | about 3 months ago | (#47622695)

Individual consumers can find out through its identity protection service, which Hold Security says will be free for the first 30 days.

It's free and they still can't afford it? Sophos can't use a fraction of its 100,000 honeypot email accounts to sign up and see if it's legit?

If I had to guess, "free" service users will have to provide a credit card and then hope that if they try to cancel that the cancellation is actually honored rather than getting into a common situation where they keep getting billed for months for a service that is almost impossible to actually cancel.

Re:Objection! (1)

davester666 (731373) | about 2 months ago | (#47624059)

it sounds like the service the firm is selling is notification if your specific company has been breached [as in data from your company is in the 'hacked data']. They won't let anybody else see the hacked data directly/independently.

Re:Objection! (0)

Anonymous Coward | about 2 months ago | (#47625317)

I don't think you understand how the service works

for $120/yr, after proving you own the website, they'll tell you if your website was the source of any leaked data

You don't get access to all of the data.

Assume your credentials are in that database ... (5, Informative)

Kardos (1348077) | about 3 months ago | (#47622065)

... and change all of your passwords today. This is the best way to devalue the 'massive database'. Then sanitize your SQL queries!

Alternatively... (2)

jd (1658) | about 3 months ago | (#47622161)

Assume they cracked the NSA backdoor default password and can now access everything on every computer not running a hardened operating system. In other words, everything, whether you change your passwords or not. Further, assume they have remote access via UEFI to every motherboard built in the past year.

You might as well; that level of access has been built into modern technology, and if this group hasn't figured it out, someone will. Or maybe already has.

We live in an age where technology is insecure by design. You can either abandon all hope (my preferred option) or you can adjust your approach to not depend on external security.

Re:Alternatively... (3, Informative)

jones_supa (887896) | about 3 months ago | (#47622317)

That is possible, but for now, never has a "universal backdoor for the government" been provably found in an OS or a firmware. NSA has probably snuck a lot of trojan hardware and software into individually targeted devices, though.

Re:Alternatively... (1)

Kardos (1348077) | about 3 months ago | (#47622903)

That would be because any (competent) backdoor will be encrypted and cryptographically signed with key(s) known only to the TLA. Consider a router -- it passes all packets normally unless it finds one that is properly signed, then it extracts and executes the payload, fully opening up the device to the whims of the TLA. Short of someone leaking or determining the key, it would be extremely hard to identify such a backdoor.

Re:Alternatively... (1)

arth1 (260657) | about 3 months ago | (#47623133)

It's basically looking for a needle in a haystack, but for a router, the haystack is a lot smaller than on a full OS.
Any code affecting normal operation speeds would also be easier to spot - additional packet inspection can incur a noticeable hit on a device that prides itself on passing packets as quickly as possible and allowing as many simultaneous connections as possible.

Re:Alternatively... (1)

vux984 (928602) | about 2 months ago | (#47626043)

Consider a router

1) It has a firmware that's pretty small, and finding something like an inspection routine that cryptographically evaluates every packet really would kind of stick out to anybody looking.

2) Many people run all sorts of traffic logging etc, promiscuous mode in front of the router etc. Unless you theorize that all network hardware and software is in on it, the command and control traffic would be visible; and someone would have seen it by now. As in ... why is my router sending traffic to X, when it's just a dedicated point to point VPN to Y.

Re:Alternatively... (2)

Aighearach (97333) | about 2 months ago | (#47625829)

never has an "universal backdoor for the government" been provably found in an OS or a firmware

That's because nobody will admit to the hardware backdoors that have been found, not because none have been found. Take out the words "for the government" and it instantly stops being true.

Re:Assume your credentials are in that database .. (1)

tlhIngan (30335) | about 3 months ago | (#47622871)

... and change all of your passwords today. This is the best way to devalue the 'massive database'. Then sanitize your SQL queries!

Only if you're an idiot and used the same password on EVERYTHING.

Really - what likely happened is they breached some major sites, but those sites contained little of value. I mean, if you breach the New York Times database, what do you have? Just a bunch of emails and passwords of people who probably registered to read some article and which are completely worthless to anyone on the market. Oh yay, they can use my NYT password to compromise my some-blog.com account where I registered to post a comment.

Now, it does mean to change your important passwords though - eBay, Paypal, Amazon, your bank, Google, iTunes, etc., where there IS valuable information in it.

It's why all password guidelines are bullshit - I've had to deal with sites that force me to use "strong" passwords and change it monthly. Just to download some program because they offered it to me for free. Enforcing that really didn't benefit me (the account wasn't that valuable to me anyhow), and it was just a major annoyance.

Hell, break into my Facebook account so you can what... spam my 8 friends? Or my twitter where you can spam my 0 followers (I signed up for those things that required a twitter account, so all my tweets are of the form "blah blah blah you could buy X and win").

Re:Assume your credentials are in that database .. (1)

mlts (1038732) | about 2 months ago | (#47625637)

Even better, add IP blocks, client certs, SSH RSA keys, and some type of two factor authentication.

For example, everyone knows the default root password for iOS is "alpine"... but knowing that does not help much to develop a new jailbreak or to get access to a device from remote.

special offer for /. readers (1)

Anonymous Coward | about 3 months ago | (#47622103)

For $799, you can get one year's service for protection from the Russian hackers plus a single-user license for Linux IP from The SCO Group.

Not implausible (5, Informative)

IamTheRealMike (537420) | about 3 months ago | (#47622131)

More than 1B credentials does not sound implausible to me, though it's on the high end. You may be wondering why my opinion on this is more relevant than anyone else's, so let me explain.

Although I left the company in January, for about 7.5 years I worked at Google and for ~3 of those years I worked on security and anti-spam related matters. Starting around April 2010 we started to see absolutely enormous numbers of compromised accounts sending spam to their contacts. This was not a problem that grew slowly. It went from zero to one gang compromising on the order of 100,000 accounts per day and that happened in the space of, it seemed, a few weeks. We learned about this problem through user complaints and by watching the flow of spam mails being reported to us via the "Report spam" button. We quickly realised this wasn't a Gmail specific problem but was simultaneously impacting Hotmail and Yahoo. Further investigation revealed that although this gang was capable of compromising ~100,000 accounts per day (more than one per second) this was the result of a 10-15% success rate for more like a million attempts per day: most account/password pairs they tried did not work. The reason was they were reversing password hashes stolen from third party websites using GPUs, and it turns out that people who use the same password everywhere make up (surprisingly) only about 10-15% of the user population. People suck less at security than you might imagine.

When this problem first started we believed that such an enormous supply of credentials must surely be some kind of freak one off, the result of compromising an unusually large site. I mean; one million credentials every fucking day was an unimaginably vast pool of stolen passwords. But as the user complaints of being hacked failed to dry up we came to accept the horrible truth - this was not some freak one off but the result of some kind of production line of passwords. Most likely a combination of automated web crawls to discover vulnerable sites, semi-automated popping of those sites, farms of GPUs reversing the passwords and the resulting packages being sold on the black market to spammers who then abused them for bypassing spam filters (mail from contacts is whitelisted by any good spam filter). We only got occasional snapshots of this market, for example we were able to find adverts on Russian blackhat forums by people advertising lists of "washed" vs "unwashed" account/password lists for hotmail, gmail etc, but mostly it was opaque.

Anyway, long story short, we formed a team that built a full blown risk analysis system for every single login (Google has a bajillion logins per second thanks to mail clients that poll Gmail and have to log in each time) and after several years of work managed to block logins with bulk-stolen passwords so successfully that they went away. But the underlying supply of passwords is still out there, and should those defences fall the problem would come back.

I gave a talk about this and various other webmail abuse related topics at the RIPE 64 conference in Ljubljana (video link) [ripe.net] in case anyone is interested in this. The slides [ripe.net] are also available though lots of info from the talk is missing from them.
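
The pattern described in this post (one source working through a stolen list, most attempts failing, a 10-15% hit rate where passwords were reused) has a recognisable shape in an authentication log. The following is an added example by the editor, not code from the post or from Google; the log format (`unix_ts src_ip account result`), the sample lines and the thresholds are all constructed for illustration.

```python
"""Spot credential-stuffing sources in an authentication log.

Added example, not code from the original post or from Google. It assumes a
constructed log format: `unix_ts src_ip account result`, where result is
`ok` or `fail`. The signature described in the post is a source that works
through many distinct accounts with only a small fraction succeeding.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines: 203.0.113.7 replays a stolen list (10 accounts,
# 2 hits), 198.51.100.4 is one user mistyping their own password, and
# 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
1407268800 203.0.113.7 alice fail
1407268801 203.0.113.7 bob fail
1407268801 203.0.113.7 carol ok
1407268802 203.0.113.7 dave fail
1407268802 203.0.113.7 erin fail
1407268803 203.0.113.7 frank fail
1407268803 203.0.113.7 grace fail
1407268804 203.0.113.7 heidi fail
1407268804 203.0.113.7 ivan ok
1407268805 203.0.113.7 judy fail
1407268810 198.51.100.4 alice fail
1407268815 198.51.100.4 alice fail
1407268820 198.51.100.4 alice ok
1407268830 192.0.2.9 mallory ok
"""


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    accounts: set = field(default_factory=set)  # every account this source tried
    hits: set = field(default_factory=set)      # accounts it actually got into


def parse_line(line):
    ts, src, account, result = line.split()
    return int(ts), src, account, result == "ok"


def summarize(log_text):
    """Aggregate attempts, successes and distinct accounts per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, account, ok = parse_line(line)
        s = stats[src]
        s.attempts += 1
        s.accounts.add(account)
        if ok:
            s.successes += 1
            s.hits.add(account)
    return stats


def stuffing_sources(log_text, min_accounts=5, max_success_rate=0.5):
    """Return {src: (distinct_accounts, success_rate)} for sources that look
    like bulk replay of stolen credentials: many distinct accounts, low hit
    rate. The thresholds are assumptions (the post saw roughly 10-15% of
    attempts succeed). A single user fumbling one account is excluded by
    min_accounts; a busy NAT gateway whose logins mostly succeed is excluded
    by max_success_rate."""
    flagged = {}
    for src, s in summarize(log_text).items():
        n = len(s.accounts)
        rate = s.successes / s.attempts
        if n >= min_accounts and rate <= max_success_rate:
            flagged[src] = (n, rate)
    return flagged


def accounts_to_reset(log_text, **thresholds):
    """Accounts successfully logged in to from a flagged source. Their
    passwords were evidently in the stolen list, so they need a forced
    reset, not just rate limiting."""
    stats = summarize(log_text)
    hit = set()
    for src in stuffing_sources(log_text, **thresholds):
        hit |= stats[src].hits
    return hit


if __name__ == "__main__":
    print(stuffing_sources(SAMPLE_LOG))
    print(sorted(accounts_to_reset(SAMPLE_LOG)))
```

On the sample above only 203.0.113.7 is flagged (10 accounts, 20% success), and carol and ivan come out as the accounts whose reused passwords were in the list. In practice the per-source view is the weak one, since the gangs the post describes spread attempts over many IPs; the same aggregation keyed by user-agent, ASN or a tuple of those is the usual next step.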

Re:Not implausible (1)

smooth wombat (796938) | about 3 months ago | (#47622165)

You know, with such informative writing, you really shouldn't be posting on here. You brought cold, hard facts to this thread, something completely unknown to most users on here.

Re:Not implausible (0)

Anonymous Coward | about 3 months ago | (#47622219)

yeah save it for defcon and blackhat...
lols jk

Re:Not implausible (2, Interesting)

s.petry (762400) | about 3 months ago | (#47622385)

Good write up, but you make a false claim.

Anyway, long story short, we formed a team that built a full blown risk analysis system for every single login (Google has a bajillion logins per second thanks to mail clients that poll Gmail and have to log in each time) and after several years of work managed to block logins with bulk-stolen passwords so successfully that they went away.

Um, no you/they didn't. I work at an ISP, smaller than Google, and am constantly blocking various attacks. Every time one method gets blocked, we find new ones. Yes, this is for IMAP/POP over SSL just like Google (and I block numerous other attacks because we provide numerous services).

You may have stopped many of the attacks, or even most of the attacks, but not _all_ attacks. The most difficult to block are the attacks by Governments, and you can tell they are Governments by the complexity of attacks and amount of resources used in these attacks.

Script kiddies are easy to block, but real hackers are changing tactics as often as we find them and block them. If the real hackers find a method that works, the method will eventually get migrated to the Script Kiddie toolkit.

Re:Not implausible (1)

geekoid (135745) | about 3 months ago | (#47622509)

For less than 1000 dollars, I can get 10,000 machines to attack your site, coordinated from several places from around the globe.

Your reasoning for assuming it's a government is flawed.

Re:Not implausible (-1)

cyborg_monkey (150790) | about 3 months ago | (#47622563)

Re-read what was posted and then contemplate the fact that you're a fuckwit.

Re:Not implausible (-1)

Anonymous Coward | about 2 months ago | (#47624697)

It's geekoid. Introspection, in his case, is tantamount to autofellatio. It's simply beyond his ken to contemplate the fact he's a fuckwit, because he's such a fuckwit.

Re:Not implausible (4, Informative)

IamTheRealMike (537420) | about 3 months ago | (#47622519)

I didn't make a false claim. You quoted me saying we stopped bulk stolen password based attacks like the ones I described, and then proceeded to argue with a statement I never made (that we stopped all attacks).

To clarify, the attacks I'm talking about are ones where the attacker has a large list of passwords (in the order of hundreds of thousands of passwords or more) and try the password to see if it matches. If it does they log in, if it doesn't they give up and try the next one. Government sponsored attacks tend to care an awful lot about a small set of targets which is the exact opposite.

Google was able to stop these attacks so effectively the people behind them gave up, and there was a large but not infinite number of people who were carrying out such attacks, so eventually they became no longer a real issue for the userbase. Note that our competitors (with the notable exception of Facebook) were NOT able to do this, so if a small ISP struggles to do it too, that would not be very surprising.

Re:Not implausible (2, Insightful)

Anonymous Coward | about 3 months ago | (#47623079)

Trivial to prevent:

        a) delay 401 responses to incorrect logins for 15 seconds
        b) immediate 409 error if another thread tries to login while inside the 15 second window (see 'a' above), whether the password is correct or not.
        c) deactivate accounts after XX unsuccessful logins (pick any value of XX)
        d) make user validate themselves to unlock an account, or auto-unlock after YY minutes (pick any value for YY).

I don't know why people think their website should aid-and-abet a bot swarm by allowing umpteen-million failed login attempts (brute forcing) in minutes. The point is to stall the bot-swarm so that it effectively makes no progress on their password brute forcing attempts.
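
A worked version of the throttling idea above, added by the editor and not code from the poster. It departs from the list in two places a practitioner would want to see: the hard lock applies to the (account, source) pair and the source, not to the account alone, because a per-account lock lets anyone lock a victim out by sending wrong passwords; and a stuffing run tries each account once from many sources, so the per-account counter triggers a step-up check (CAPTCHA or a second factor) rather than a lock. Class and method names, thresholds and the injectable clock are assumptions for the example.

```python
"""Throttle and lock decisions for a login endpoint (added example, not the
poster's code). Call check() before verifying the password, record() after,
and sleep for response_delay() before answering a failure.

Three counters, each with a different consequence:
  * per (account, source) failures  -> hard lock of that pair, auto-unlock
  * per source failures in a window -> source throttled (stuffing one IP)
  * per account failures, any source -> step-up required, never a hard lock,
    so an attacker cannot deny the real owner service by spamming failures
"""
import time
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, pair_failures=5, pair_lock_seconds=900,
                 source_failures=20, source_window=60,
                 account_failures=10, clock=time.time):
        self.pair_failures = pair_failures
        self.pair_lock_seconds = pair_lock_seconds
        self.source_failures = source_failures
        self.source_window = source_window
        self.account_failures = account_failures
        self.clock = clock                       # injectable for testing
        self._pair_fail = defaultdict(int)       # (account, src) -> consecutive failures
        self._pair_lock = {}                     # (account, src) -> unlock timestamp
        self._source_fail = defaultdict(deque)   # src -> timestamps of recent failures
        self._account_fail = defaultdict(int)    # account -> failures since last success

    def _recent_source_failures(self, src, now):
        q = self._source_fail[src]
        while q and now - q[0] >= self.source_window:   # drop entries outside window
            q.popleft()
        return len(q)

    def check(self, account, src):
        """None if the attempt may proceed, otherwise the reason to refuse it."""
        now = self.clock()
        unlock = self._pair_lock.get((account, src))
        if unlock is not None:
            if now < unlock:
                return "pair-locked"
            del self._pair_lock[(account, src)]           # auto-unlock after window
        if self._recent_source_failures(src, now) >= self.source_failures:
            return "source-throttled"
        if self._account_fail[account] >= self.account_failures:
            return "step-up"                              # demand CAPTCHA/OTP, not a lock
        return None

    def record(self, account, src, success):
        now = self.clock()
        if success:
            self._pair_fail.pop((account, src), None)
            self._account_fail.pop(account, None)
            return
        self._source_fail[src].append(now)
        self._account_fail[account] += 1
        self._pair_fail[(account, src)] += 1
        if self._pair_fail[(account, src)] >= self.pair_failures:
            self._pair_lock[(account, src)] = now + self.pair_lock_seconds
            self._pair_fail.pop((account, src), None)

    def response_delay(self, account, src):
        """Seconds to wait before answering a failure: doubles with each
        consecutive failure of this pair, capped so a legitimate user who
        forgot a password is never stalled for minutes."""
        n = self._pair_fail.get((account, src), 0)
        return 0 if n == 0 else min(2 ** (n - 1), 16)
```

Note that the delay must be applied before the response, never by sleeping inside the request handler of a threaded server with a small pool, or the delay itself becomes the denial of service; a queue or a token bucket in front of the handler is the usual way to do this.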

Re:Not implausible (2)

s.petry (762400) | about 3 months ago | (#47623251)

block logins with bulk-stolen passwords so successfully that they went away.

Maybe English is not your first language, but I doubt that to be true. That statement at least implies that Google no longer suffers from brute force attacks.

You then reinforce that same false claim in the post I'm commenting to now.

Google was able to stop these attacks so effectively the people behind them gave up

No, they didn't. You may have deterred a lot of them, but I'd bet a year's salary that Google still experiences a measurable number of attacks every day.

Look, I freely admit that huge leaps can be made with security. I have worked in IT Security for a quarter century. Neither you nor Google can do what nobody else in the market can do and make hackers simply go away. The amount of attacks, even with exceptional security, will always be proportional to the size of your internet footprint, so Google is attacked a whole lot.

I'm not trying to knock you, or the progress Google made. I'm simply pointing out that the verbiage used is making a false claim. Reducing attacks by 99% is reasonable, reducing 100% is impossible. The only way to get 100% threat reduction is to isolate the host away from outside connectivity.

Re:Not implausible (1)

Anonymous Coward | about 3 months ago | (#47623461)

I think you're being pedantic here.

It is clear to me that he was referring to the specific group of actors who were compromising 100k accounts a day.

He never said the smaller fish didn't go away.

Re:Not implausible (1)

s.petry (762400) | about 3 months ago | (#47623863)

Am I being pedantic? Perhaps a bit, but not entirely. That specific group still does not go away, they are there every day trying again from a new set of IPs (if not sooner). Google's ability to notice and react to the attacks is not the same thing as making them "go away" as GP stated.

I have no problem with people talking about their accomplishments, hell even a bit of embellishment every now and then is fine. False claims are in a different category in my opinion.

Re:Not implausible (1)

slyborg (524607) | about 3 months ago | (#47623495)

>Maybe English is not your first language
>I'm not trying to knock you

Yes you are.

>is making a false claim

No. He made a statement that they stopped a particular class of attacks. You then incorrectly stated that the claim was that Google no longer suffered attacks (which is of course absurd) and proceeded to debunk THAT. So you are really arguing with yourself, which is kind of amusing but not very informative.

Re:Not implausible (1)

s.petry (762400) | about 3 months ago | (#47623797)

Claiming someone is incorrect is knocking them? Good job dude, glad to see that political correctness class in school did some work.

Re:Not implausible (1)

Rich0 (548339) | about 2 months ago | (#47624379)

This whole thread is basically somebody from Google saying that they did foo and attackers stopped doing bar. Then somebody else who has no affiliation with Google says that attackers didn't stop doing bar. There is no way for anybody outside of Google to know whether the original claim is correct or not.

By all means be skeptical, but it is a bit much to just say he's wrong.

Re:Not implausible (1)

s.petry (762400) | about 2 months ago | (#47624657)

So now you claim that the only way to have any knowledge is by working for a specific company, almost as good as your previous point. A person that understands math can look at a person claiming "I made 1+3=5" and say they are wrong. It does not take specific corporate knowledge to know that someone made an impossible claim, it takes knowledge of the subject matter.

Bravo, again!

Re:Not implausible (1)

Aighearach (97333) | about 2 months ago | (#47625935)

No, he's saying that to claim a data set you don't have access to says one thing or another is clearly false. You clearly don't know in what way the attacks changed over time. That data exists, and the other person had access to it and was explaining it from his understanding. You, however, haven't had access and so can't make authoritative statements. However, regardless of the fact you haven't seen the data, you make wild, absolutist claims about what it contains.

Normally I'd think somebody like yourself with a high user ID must be an ignorant whippersnapper. But in your case I'm going with early onset dementia. Now get off the lawn!

Re:Not implausible (1)

s.petry (762400) | about 2 months ago | (#47624675)

And I say "your" because you at least appear to be shilling for someone and not actually individuals. I fully admit that is a speculation, but a fair one given that not a single person who defended the GP has been willing to debate my points.

Re:Not implausible (0)

Anonymous Coward | about 2 months ago | (#47625071)

You seem to have a lot of time on your hands and little on your mind. Not trying to knock you.

Re:Not implausible (1)

IamTheRealMike (537420) | about 2 months ago | (#47626069)

There is no way for anybody outside of Google to know whether the original claim is correct or not.

That's not quite true actually. VirusBulletin is a third party spam filtering company that made a blog post stating that based on their own measurements, Gmail was indeed dramatically better at stopping hijackings than other providers [virusbtn.com] .

Re:Not implausible (1)

Aighearach (97333) | about 2 months ago | (#47625905)

Maybe English is not your first language, but I doubt that to be true.

Don't be a tool, his English is fine. Yours isn't very good, you make all sorts of contradictory statements, like the absurdity that you're "not trying to knock [him]." Perhaps you simply misunderstood his point, because of your low English comprehension level, and then presumed that he must have said it wrong.

And... you'd bet "a year of salary" that... [something different than he claimed.] I'm guessing that you don't make a salary. Maybe you're self employed and only make profit, or work hourly. I'm presuming you got both sides of that one wrong. But assuming you do make a salary, would you also be willing to wager a year's worth against what he actually said?

Re:Not implausible (0)

Anonymous Coward | about 3 months ago | (#47622889)

reading comprehension fail

do you know rotsky?

Re:Not implausible (1)

ShaunC (203807) | about 3 months ago | (#47622969)

Um, no you/they didn't. I work at an ISP, smaller than Google, and am constantly blocking various attacks.

It was pretty heavily implied that he was speaking about blocking these attacks on GMail. Thankfully, Google hasn't quite achieved the ubiquity needed to interfere with other ISPs' traffic.

Re:Not implausible (1)

s.petry (762400) | about 3 months ago | (#47623259)

My point was that even with Gmail they could not have reduced 100% of the attacks.

Re:Not implausible (1)

Aighearach (97333) | about 2 months ago | (#47625985)

They could easily have stopped 100% of the attacks. But you're the only one who thinks that means they would have stopped all attacks. Your tag line is scary, I'd hate to think you have to read manuals and operate servers based on what you thought you read. I'm not trying to knock you, I'm just sharing my feelings.

All blargs are blorgs. No blargs have been observed in Fooville since the policy of Bazification was implemented. There are no longer blorgs in Fooville. T/F

Given the lack of a discovered exploit... (0)

Anonymous Coward | about 2 months ago | (#47624323)

and the timeframe and success rate for it...

That totally sounds like it could have been the heartbleed exploit.

If you consider the length of time, the success rate, and consider how much time would have to be spent polling servers, that would coincide nicely with the prerequisites for making heartbleed give up passwords.

Unhashed passwords (0)

Anonymous Coward | about 3 months ago | (#47622205)

One interesting question is if the company really has found a data set of 1.2 billion account names and their plain text passwords.
I cannot believe this. It would require enormous stupidity to not store the passwords as salted hashes.
If all the concerned web sites had been using normal security measures, changing passwords right now would not be such an urgent need.
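
The difference the post above is pointing at, shown in code: an unsalted fast hash is reversed for every user at once with one lookup table (the GPU work described earlier in the thread is this, at scale), whereas a per-user salt plus a deliberately slow KDF makes each guess cost the full iteration count against each user separately. Added example by the editor, not from the post; the wordlist and passwords are constructed. PBKDF2-HMAC-SHA256 is used because it is in the standard library; scrypt or Argon2 would be the better choice where available.

```python
"""Unsalted fast hash vs. salted slow KDF (added example, not the poster's code)."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the attacker's dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2"]


def md5_hex(password):
    """What a 'plain MD5 in the users table' site stores."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(leaked_hashes, wordlist=WORDLIST):
    """With no salt, hash(word) is computed once per word and then reverses
    every user sharing that word by dictionary lookup. Returns {hash: word}."""
    table = {md5_hex(w): w for w in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


ITERATIONS = 200_000   # tune so one verification costs on the order of 100 ms


def hash_password(password, salt=None, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per user. The stored
    string carries algorithm, iteration count and salt so it can be verified
    later and re-hashed with a higher cost when hardware gets faster."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and cost; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = [md5_hex("hunter2"), md5_hex("letmein"),
              md5_hex("correct horse battery staple")]
    print(crack_unsalted(leaked))            # two of three reversed instantly
    stored = hash_password("hunter2")
    print(stored)
    print(verify_password("hunter2", stored), verify_password("hunter3", stored))
```

The practical caveat the post leaves implicit: salting and stretching protect users whose passwords are not in the attacker's dictionary in the first place; "hunter2" still falls, it just costs ITERATIONS hash operations per user instead of one table lookup for all of them.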

VISA and MC (-1)

Anonymous Coward | about 3 months ago | (#47622239)

There is not enough competition in the CC business. The government should step in and rip apart these companies. It's the same shit everywhere. Companies get too big and the customers get fucked in the ass. There is something seriously wrong with capitalism in this regard. In theory it's nice but in reality, companies strive not to compete but to eliminate competition in order to provide worse service (ie less costly for them). This needs to be fixed. If there were other CC companies that demanded higher security, people would switch. But there isn't because it's not possible because of VISA and MC.

Re:VISA and MC (1)

Sigmon (323109) | about 3 months ago | (#47622461)

I agree there is not enough competition. What causes conservative-thinking people like myself to tear our hair out is when we read "The government should step in". What you seem to fail to realize is things are the way they are because government HAS stepped in. How else do you think these unimaginably large banking organizations got so big in the first place? How do you think they squash their competition? There is absolutely nothing wrong with capitalism at all... what we have here is something called crony-capitalism. Asking government to do something about it only invites more of it! We need less government involvement - not more (not none either). Don't mean to turn the thread into a political battle... as it's off-topic. Sometimes I just can't let these "the government should do something" comments stand.

Re:VISA and MC (0)

Anonymous Coward | about 3 months ago | (#47622615)

Let me start off with I agree it's off topic. But I need to vent sometimes ;)

I also agree with what you are saying about how gov intervention is what got us to the mess we have now. However, you are making a bad assumption with capitalism. That someone will not game the system. This is typically called collusion. They can even do it at arms length and not really talk to each other. Like many monetary theories it assumes there are no douchebags. Like communism assumes that everyone will work hard. Most capitalism theories assume that someone will not try to screw someone else.

Re:VISA and MC (0)

Anonymous Coward | about 2 months ago | (#47624445)

Well, if the government is not sending people to jail for things like this, someone else has to. Someone should start kidnapping people in power and put them in very small boxes for life.

Nuke Russia from orbit... (0)

Anonymous Coward | about 3 months ago | (#47622255)

It's the only way to be sure...

I have an idea (1)

Applehu Akbar (2968043) | about 3 months ago | (#47622715)

Do we even know at what business(es) or bureau(s) the breach occurred? Every database of logons should contain some intentionally faked entries that can be used to fingerprint the database, just like those imaginary towns that are put on maps to expose copyright dodgers.
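
The "imaginary towns" idea above in code, added by the editor and not from the poster. Canary identities are derived with an HMAC from a secret key and the database name, so they are unguessable without the key and need no separate storage: given a leaked list you regenerate them and count matches per database. The key, database names, naming pattern and sample leak are constructed. Two practical caveats: the canaries should follow the site's own username format (the `user_<hex>@example.com` shape here is a placeholder) or a careful thief filters them, and a canary only attributes leaks that kept the identity field; a list of bare password hashes carries none of this signal.

```python
"""Canary credentials for attributing a leaked user list (added example)."""
import hashlib
import hmac

# Constructed secret; in deployment this comes from a KMS, not source code.
KEY = b"replace-with-a-secret-from-your-KMS"
DATABASES = ["shopdb", "forumdb"]   # constructed database names


def canary_identities(db_name, key, n=5):
    """Deterministically derive n fake account identities for one database.
    HMAC over (db_name, index) makes them unguessable without the key and
    regenerable from the key alone."""
    out = []
    for i in range(n):
        tag = hmac.new(key, f"{db_name}:{i}".encode(), hashlib.sha256).hexdigest()[:10]
        out.append(f"user_{tag}@example.com")   # match the site's real naming pattern
    return out


def attribute_leak(leaked_identities, db_names, key, n=5):
    """Map each database to the number of its canaries present in the leak.
    A database absent from the result contributed no identifiable rows."""
    leaked = {i.strip().lower() for i in leaked_identities}
    hits = {}
    for db in db_names:
        matched = [c for c in canary_identities(db, key, n) if c in leaked]
        if matched:
            hits[db] = len(matched)
    return hits


def is_canary(identity, db_names, key, n=5):
    """True for any canary of any database. A login attempt against a canary
    is a high-fidelity alert: no legitimate user ever has these credentials."""
    identity = identity.strip().lower()
    return any(identity in canary_identities(db, key, n) for db in db_names)


# Constructed leak: three unrelated addresses plus two of shopdb's canaries.
SAMPLE_LEAK = (["alice@example.org", "bob@example.net"]
               + canary_identities("shopdb", KEY)[:2]
               + ["carol@example.com"])


if __name__ == "__main__":
    print(attribute_leak(SAMPLE_LEAK, DATABASES, KEY))   # {'shopdb': 2}
```

Wiring `is_canary` into the login path turns the same planted rows into a detector for stolen lists being replayed, which answers the thread's other question (is this list real and is it being used) without buying anything.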

So (0)

Anonymous Coward | about 3 months ago | (#47622801)

Lets make an even bigger database of stolen information. What's the worst that could happen?

Credentials... from what web sites(s)? (0)

Anonymous Coward | about 3 months ago | (#47623153)

Why don't we know what web sites these credentials are from? This story makes no sense. If 1b users were compromised on Gmail or something, there would be no way to keep that a secret. So what web site(s) are these credentials from? This doesn't pass the smell test.

Wouldn't give them a dime (4, Insightful)

forgottenusername (1495209) | about 3 months ago | (#47623345)

Either they're in on the theft somehow, or they're a totally unethical company trying to extort people. No trustworthy security vendor would withhold information about sites that are compromised from the site operators.

I think it's just a marketing ploy personally. "You may have already won! Contact us for details ($1.99 a minute)".

Regardless, they're on my list of companies to never do business with in any way. I

Re:Wouldn't give them a dime (1)

Aighearach (97333) | about 2 months ago | (#47626007)

Either they're in on the theft somehow, or they're a totally unethical company trying to extort people.

I would say that if they're extorting people with stolen data, regardless of how they acquired it, they're "in on the theft." They're materially benefiting from it, knowingly, intentionally, and are full accomplices even if they never met the original thief. It is the rare case where they're an accomplice, but not (known to be) a conspirator.

A scam (0)

Anonymous Coward | about 3 months ago | (#47623525)

This is a pure and simple scam to extract $$ from people who are nervous about this stuff. I consider it an advanced form of phishing attack.

Got a Hold on US Extorting America (0)

Anonymous Coward | about 3 months ago | (#47623527)

The United States Government needs to immediately AS IN NOW Commandeer that company's database. I watch this Russian speaking through tv cameras and I can't believe he is serious to be charging for the knowledge if you have a website that has been compromised.. That is fucking good. What will they do next?

Kaspersky Labs & McAfee (1)

globaljustin (574257) | about 3 months ago | (#47623701)

how do we know Kaspersky Labs is legit?

they've got to have the means to do this...

same with McAfee

Scam (0)

Anonymous Coward | about 2 months ago | (#47624063)

Looks like a scam to me!

any in Soviet Russia jokes? (1)

k6mfw (1182893) | about 2 months ago | (#47624369)

I can't think of any but what a reputation this country has: Hackers, Russian dash cam car crashes, a leader with Tsar ambitions. And yet they have best competition ballroom dancers (and many moved here to US).