Russian "Hack of the Century"

moderateGOP

Active Member
Working in the information technology industry can be hectic and at times scary. Not only do you have to worry about setting up everything right in the first place and making sure nobody loses any information if their computer crashes (usernames, passwords, emails, profiles, cloud accounts and servers), you also have to worry about what goes on in the outside world.

Like when the New York Times pulled this stunt on Tuesday 8/5.
http://www.nytimes.com/2014/08/06/t...billion-stolen-internet-credentials.html?_r=0

There are many problems with this story:

1. 1.2 billion passwords seems like a lot. There are no details about which passwords and usernames were stolen, and they in fact refuse to tell anyone! So we have no real "proof" except conjecture from an unknown security firm.

2. Did they do it overnight? At first glance that's what it sounds like in the NY Times article. However, for all we know these hackers could have just been collecting and buying this information since the 1990s! There's no way to tell for sure. How scary are 1.2 billion passwords if 85% of them are useless?

3. Who and what is Hold Security? Just read this Forbes article to find out:
"Firm That Exposed Breach Of 'Billion Passwords' Quickly Offered $120 Service To Find Out If You're Affected". Classic marketing scheme right here.

4. Not many websites actually have over a billion user names to steal. So if we are led to believe that these hackers are currently going around hacking some of the biggest sites on the internet, I think those sites would know about it and fix their horrible user login systems. The fact of the matter is internet companies are usually one step ahead of hackers, especially those with two-step verification processes such as unique IDs or Captchas.

5. To put this "credential collection" (not a hack, as I'd like to call it) in the same category as the Target data breach is just laughable in the IT world.

6. It is unclear if they bought the 1.2 Billion usernames and passwords or actually hacked them. It's looking more and more like they simply either bought them, or found them floating around the internet. This is quite easy to find.

7. Their hacking methods are outdated as well. SQL injection is pretty much outdated. Basically you may be able to hack a wordpress blog with that, but not a giant well funded site like Facebook or Youtube. Any IT organization knows about SQL and how to protect against it.

8. Twitter seems to be the only large website affected. It's said the gang is using the passwords to spam Twitter accounts. Probably just using old ones to rack up Twitter followers.

The hype around this is pretty stupid to me.
 

Sgt.Tinfoil

Member
Oh hello, fellow colleague!

Not that I disagree with anything you said, and I too call bullshit on this hack, but one thing you said just caught my eye.

SQL injection is pretty much outdated. Basically you may be able to hack a wordpress blog with that, but not a giant well funded site like Facebook or Youtube. Any IT organization knows about SQL and how to protect against it.
SQL injections are not outdated; I believe it is one of the most widely used attack methods. The problem arises from PHP, a widely used language for websites, which does not properly/natively handle input from the client side. Escaping the SQL commands from the input has to be done manually by the programmer, and it has to be done _right_. The IT companies do know about SQL injection, but to actually produce good-quality code in real-life production which does not have those bugs is a whole new thing altogether. To be blunt, if you find a solution for achieving deadlines with constantly changing specs and producing quality, you will be a rich man in the IT business :)
 

Mick West

Administrator
Staff member
SQL injections are not outdated; I believe it is one of the most widely used attack methods. The problem arises from PHP, a widely used language for websites, which does not properly/natively handle input from the client side. Escaping the SQL commands from the input has to be done manually by the programmer, and it has to be done _right_. The IT companies do know about SQL injection, but to actually produce good-quality code in real-life production which does not have those bugs is a whole new thing altogether. To be blunt, if you find a solution for achieving deadlines with constantly changing specs and producing quality, you will be a rich man in the IT business :)

Indeed, SQL injection isn't something you can just avoid by being aware of it. Unfortunately there are diminishing returns to investing in security, at least diminishing immediate returns, replaced by a small risk. And while the very large companies like Facebook and Google/YouTube devote a lot of resources to it, they are not 100% immune, and there are plenty of companies a bit smaller who still have tens of thousands of your passwords.

SQL Injection is not at all outdated. Especially as a very large number of people will use the same credentials for multiple sites, making it an indirect attack on the bigger sites too.

http://www.pcworld.com/article/2457...ll-street-journal-database-led-to-breach.html
http://www.troyhunt.com/2014/02/heres-how-bell-was-hacked-sql-injection.html
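The point Sgt.Tinfoil and Mick West are making above (the escaping has to be done by the programmer on every query, and one missed call is enough) is easiest to see in running code. The block below is an added example, not code from this thread or from any of the sites it discusses; it uses Python's sqlite3 as a stand-in for the PHP/MySQL stack, and the users table, the two accounts and the attacker strings are all constructed here for illustration.

```python
# Added example, not code from the thread. The login table, the two
# accounts and the attacker inputs are constructed here for illustration;
# sqlite3 stands in for the PHP/MySQL stack the posts talk about.
import sqlite3


def make_db():
    """Build a throwaway in-memory users table (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext passwords only so the injection point stays easy to see;
    # a real system stores salted hashes, not passwords.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cr3t-admin-pw"), ("alice", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug: SQL text is assembled from user input with string formatting.
    Whatever the user types becomes part of the statement's syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_escaped(conn, username, password):
    """Manual escaping, as the post describes: doubling single quotes is the
    correct escape for an SQL string literal, but it must be applied to
    every input on every query, and one missed call re-opens the hole.
    Shown only to contrast with the parameterised version below."""
    def esc(s):
        return s.replace("'", "''")
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (esc(username), esc(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so a quote or a comment marker in the input is data, never
    syntax. This is the fix, and it needs no per-input escaping."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# Two constructed attacker inputs:
BYPASS_USER = "admin'--"  # '--' comments out the password check entirely
DUMP_USER = "x' UNION SELECT password FROM users WHERE username = 'admin'--"  # reads a column the query never meant to return


def demo():
    """Run every login variant against both inputs and return the results."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS_USER, "wrong"),
        "vulnerable_dump": login_vulnerable(conn, DUMP_USER, "wrong"),
        "escaped_bypass": login_escaped(conn, BYPASS_USER, "wrong"),
        "safe_bypass": login_safe(conn, BYPASS_USER, "wrong"),
        "safe_dump": login_safe(conn, DUMP_USER, "wrong"),
        "safe_valid": login_safe(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

With the vulnerable function, `admin'--` logs in as admin with any password and the UNION input returns the admin password as if it were a username; the escaped and parameterised versions both reject those inputs, but only the parameterised one stays correct without the programmer remembering to escape every single value.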
 

moderateGOP

Active Member
Indeed, SQL injection isn't something you can just avoid by being aware of it. Unfortunately there are diminishing returns to investing in security, at least diminishing immediate returns, replaced by a small risk. And while the very large companies like Facebook and Google/YouTube devote a lot of resources to it, they are not 100% immune, and there are plenty of companies a bit smaller who still have tens of thousands of your passwords.

SQL Injection is not at all outdated. Especially as a very large number of people will use the same credentials for multiple sites, making it an indirect attack on the bigger sites too.

http://www.pcworld.com/article/2457...ll-street-journal-database-led-to-breach.html
http://www.troyhunt.com/2014/02/heres-how-bell-was-hacked-sql-injection.html

I never said you couldn't get anything by doing SQL hacks, but it is highly unlikely. But your examples do point out that it is still a problem like you said. Some companies don't invest well in security.

Sure, but even comparing those breaches to this "collection" is a stretch. The article from NYT makes it sound like SQL is the method the gangs used to "hack" (collect) 1.2 billion passwords from the most popular websites on the internet. This is just impossible. Until they announce the full list for free and tell the companies involved how to protect themselves from this gang, I am calling BS on this entire story!
 

Mick West

Administrator
Staff member
The article from NYT makes it sound like SQL is the method the gangs used to "hack" collect 1.2 Billion Passwords from the most popular websites on the internet.

No, it says:
I'd agree there does seem to be a conflict of interest with Hold Security, but their story does not sound implausible:
http://www.holdsecurity.com/news/cybervor-breach/
 

moderateGOP

Active Member
No, it says:
I'd agree there does seem to be a conflict of interest with Hold Security, but their story does not sound implausible:
http://www.holdsecurity.com/news/cybervor-breach/

Saying that the gang hacked 1.2 billion passwords is a lot scarier than saying that over time some group has obtained 1.2 billion login credentials. I have a lot of questions about this and am not willing to pay them $120 for the info.
 

Mick West

Administrator
Staff member
Saying that the gang hacked 1.2 billion passwords is a lot scarier than saying that over time some group has obtained 1.2 billion login credentials.

Sorry, I'm not really seeing the distinction. Is it just the "over time" thing?
 

MikeC

Closed Account
Working in the information technology industry can be hectic and at times scary. Not only do you have to worry about setting up everything right in the first place and making sure nobody loses any information if their computer crashes (usernames, passwords, emails, profiles, cloud accounts and servers), you also have to worry about what goes on in the outside world.

Like when the New York Times pulled this stunt on Tuesday 8/5.
http://www.nytimes.com/2014/08/06/t...billion-stolen-internet-credentials.html?_r=0

There are many problems with this story:

1. 1.2 billion passwords seems like a lot. There are no details about which passwords and usernames were stolen, and they in fact refuse to tell anyone! So we have no real "proof" except conjecture from an unknown security firm.

Unknown?

and so what - it is a claim - the evidence is as described - "proof" is something else.

2. Did they do it overnight? At first glance that's what it sounds like in the NY Times article. However, for all we know these hackers could have just been collecting and buying this information since the 1990s! There's no way to tell for sure. How scary are 1.2 billion passwords if 85% of them are useless?

Several points here - does it matter if they did it "overnight"?

And "so what" if the passwords are "useless" - how is anyone to know which are and which are not?

3. Who and what is Hold Security? Just read this Forbes article to find out:
"Firm That Exposed Breach Of 'Billion Passwords' Quickly Offered $120 Service To Find Out If You're Affected". Classic marketing scheme right here.

Indeed - still not a debunking though.

4. Not many websites actually have over a billion user names to steal. So if we are led to believe that these hackers are currently going around hacking some of the biggest sites on the internet, I think those sites would know about it and fix their horrible user login systems. The fact of the matter is internet companies are usually one step ahead of hackers, especially those with two-step verification processes such as unique IDs or Captchas.

as Mick pointed out - your initial claim is just wrong.

5. To put this "credential collection" (not a hack, as I'd like to call it) in the same category as the Target data breach is just laughable in the IT world.

I don't particularly mind what you call it - passwords in the hands of someone not entitled to them is a problem.

6. It is unclear if they bought the 1.2 Billion usernames and passwords or actually hacked them. It's looking more and more like they simply either bought them, or found them floating around the internet. This is quite easy to find.

Irrelevant - passwords in the hands of someone not entitled to them is a problem

7. Their hacking methods are outdated as well. SQL injection is pretty much outdated. Basically you may be able to hack a wordpress blog with that, but not a giant well funded site like Facebook or Youtube. Any IT organization knows about SQL and how to protect against it.

Obsolescence or otherwise doesn't matter either - they still have the passwords.

8. Twitter seems to be the only large website affected. It's said the gang is using the passwords to spam Twitter accounts. Probably just using old ones to rack up Twitter followers.

The hype around this is pretty stupid to me.

Maybe so - but your headline is misleading - you haven't debunked anything - all you've told us is why you think it is overhyped.
 

moderateGOP

Active Member
1. and so what - it is a claim - the evidence is as described - "proof" is something else.

2. Several points here - does it matter if they did it "overnight"?

3. And "so what" if the passwords are "useless" - how is anyone to know which are and which are not?

4. as Mick pointed out - your initial claim is just wrong.

5. Obsolescence or otherwise doesn't matter either - they still have the passwords.

6. Maybe so - but your headline is misleading - you haven't debunked anything - all you've told us is why you think it is overhyped.

1. As described??? Really? The NYT failed to mention that the security firm is using the information of the "hack" to get money out of people. In law that's called exploitation. Why should I or joe public pay some unknown security firm to find out if my passwords are on some list somewhere?? It's extremely shady. I've seen this done time and time again with other marketing schemes and this detail is one thing you and Mick seem to have overlooked. Not sure why you don't care about this part but you care a lot more about some dubious claims about 1.2 Billion passwords.

2. As I said, there is no way to tell if these are passwords that they bought in the 1990s and just collected over time. Most internet companies require you to change your passwords or delete your profile after a certain amount of time or inactivity. So if these passwords are current, why isn't a security firm letting the people know? I mean, as much as I think Edward Snowden is a traitor to this country, he didn't try to scam people outright. He told everyone what he had in a media blitz for free!!!

3. You have to pay to find out! In legal terms conspiracy is usually a part of exploitation. Is the security firm actually the Russian Gang? What type of "Nondisclosure agreements" do they have with hackers if they aren't?

4. Nobody is hacking Facebook itself with SQL injections.

5. So a so-called security firm wants money from you so that you can get a list of passwords that for all we know could be ten years old. They don't want to release the list because this breaks some type of deal that they made with the unknown hackers. A group nobody before has heard of. Then they turn around and break said deal all for a measly $120?? Honestly this thing reads like a poorly worded right wing campaign letter that asks people to donate $5 to stop Obama from taking over the world.

If they really had 1.2 Billion currently active passwords from the largest internet websites they could and should be doing a lot more damage than spamming twitter. They could be making a lot more money off this deal. They shouldn't be "telling" a security firm and making deals with them...It just doesn't make any sense whatsoever.

The only defense you guys are talking about is what they said. The real question is why should we believe a bunch of hackers without some type of proof? Why should we have to pay them to get the truth?
 

moderateGOP

Active Member
This is not really a debunk, more just that you are suspicious.

Ok, I did some digging about Hold Security. Alex Holden is the man in charge. He broke a story about the Adobe hack a couple of years back. Well known in hacker circles as some type of a shady wannabe.

Source is from reddit. Real hackers are none too happy with the story and how it has been sensationalized by the media:

 

MikeC

Closed Account
Fair enough - it is still a story about overhype and not an actual debunking.

Can you pick on one claim of evidence and show that it is wrong?
 

moderateGOP

Active Member
Fair enough - it is still a story about overhype and not an actual debunking.

Can you pick on one claim of evidence and show that it is wrong?

I've read somewhere that they want your passwords if you sign up for their $120 service. So basically it is you paying them to hack you!

Here it is: http://grahamcluley.com/2014/08/cybervor-pay/

They don't have any evidence! It is a claim. To debunk a claim you have to do some digging yourself and see what is going on in the background and ask tough questions. In IT gathering lists of already publicly accessible data is not called hacking. It is not a breach of data as they said in their public release form. As I said to compare this to Target or even Adobe is laughable. Nobody has ever heard of the CyberVor gang and hardly anyone has heard of Alex Holden.

It's a PR stunt created by Holden so that he can get a free key note speaker slot at the Black Hat event in Las Vegas these next two weeks: http://www.usatoday.com/story/tech/2014/08/06/russian-crime-ring-cybersecurity/13658595/

I'm not really sure what else you need me to say about it to prove to you that this entire story is dubious. Anyway, I'm sure you can easily find the list Holden is selling accessible online. I'm not going to link those sources here because they are currently on peer-to-peer networks.
 
Last edited:

MikeC

Closed Account
A claim is evidence - it might be GOOD evidence without something more to back it up - but it is evidence.

I am quite happy with your claim that the story is dodgy - you have provided quite a lot of evidence to support that - fine and good.

But that is not the same as debunking - I see the title has changed so my objection actually doesn't exist any more :)
 

moderateGOP

Active Member
From the moment you first turn on the computer you are told NEVER under any circumstances should you give your information to anybody. Other than your IT person. (At my job this is ME :))

So I say again. I don't think Hold Security has 1.2 billion passwords. I'd put the Hold Security website in the same category as Infowars and Naturalnews. But if you want to believe them, go right ahead.

This is the same thing we do with all other conspiracy stories, so not sure why it's not debunked yet. I guess the final thing would be to find out if the list is faked. But average people not connected to the people involved can't do that. Unless you really want to give them your password??? Even then they won't give you access to the list. It's a circle, and that's why I say there is no list!

It's no different from the New Order or Illuminati Conspiracy Theories. You can't prove they don't exist, but we really know they don't.
 

Mick West

Administrator
Staff member
This is the same thing we do with all other conspiracy stories, so not sure why it's not debunked yet.

We don't debunk conspiracy stories. We debunk claims of evidence.

I think everyone agrees it's a bit fishy, but that does not make it debunked. It's possible there's a gang of Russian hackers who have been stealing passwords from vulnerable sites. It's possible a security company might hack the hackers.
 

moderateGOP

Active Member
We don't debunk conspiracy stories. We debunk claims of evidence.

I think everyone agrees it's a bit fishy, but that does not make it debunked. It's possible there's a gang of Russian hackers who have been stealing passwords from vulnerable sites. It's possible a security company might hack the hackers.

A bit fishy??? The whole thing is a scam. I need to see hard proof of this list and yet no media outlet is demanding it to see. They just question the motives of hiding it. I want to know who the unnamed people who "approved" of the list are.

No the security company isn't hacking the hackers. The "security" company is tricking (also known as Phishing) people into giving them their passwords!

What exactly would make it debunked. What else do you need? Do you actually need the list??
 

Hevach

Senior Member.
Actually? Yeah, I'd want to see the list.

This isn't the first time somebody's amassed a list of over a billion stolen credentials. If you've got some money, it's probably not even that hard. You can load up the Tor browser and if you know the onion routing information there are a handful of deepweb sites (hiddenwiki lists several of the more reliable ones) where stolen password databases are available, either for free or for bitcoins. I know of several big ones (PSN, AOL, Mt Gox, and eBay) that have even shown up on bittorrent, and with those four you can top about 250 million credentials. A billion is impressive, but without knowing what they actually have, it's impressive in the way that having a complete collection of 80's action figures or every issue of National Geographic is impressive.

The problem? They're worth dick, because passwords are saved in encrypted, salted hashes. If you know the algorithm used, you still can't reverse them but you can brute force them. If you don't know the algorithm, have fun. The eBay database is as close to uncrackable as they get, the PSN database is the least secure on the list and still hasn't been cracked. And even if you finally managed to, three of the four have issued mandatory password resets and the fourth no longer exists.
 
Last edited:
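Hevach's point above (salted hashes can't be reversed, only guessed one password at a time, and a record in a format you don't recognise can't even be guessed at) can be shown concretely. The block below is an added example, not code from this thread; the "leaked" records, the four users and the wordlist are constructed here, and PBKDF2-SHA256 with a deliberately low iteration count is used so that it runs in well under a second.

```python
# Added example, not code from the thread. It shows what the post above
# describes: per-user salted, iterated hashes can only be attacked by
# guessing password by password, and an unrecognised format cannot be
# attacked at all. The "leaked" records and the wordlist are constructed.
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 20_000  # kept low so the demo is quick; deployments use far more


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGO, iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the digest with the record's own salt and iteration count.
    Raises ValueError for a record layout or algorithm we do not recognise."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        raise ValueError("unrecognised record layout")
    if algo != ALGO:
        raise ValueError("unrecognised hash algorithm: %s" % algo)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so verification itself leaks nothing
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def build_dump():
    """Constructed stand-in for a leaked users table."""
    return {
        "alice": hash_password("hunter2"),
        "bob": hash_password("password123"),
        "carol": hash_password("Xq9#vL2!pR7mZt"),
        "dave": "md5crypt$1a2b$deadbeef",  # some format this tool does not know
    }


# Constructed wordlist standing in for the big public ones.
WORDLIST = ["123456", "password", "hunter2", "letmein", "password123", "qwerty"]


def crack(dump, wordlist):
    """Dictionary attack. Because every salt differs, each guess has to be
    hashed separately for every user: the cost is users * guesses *
    iterations and no precomputed table helps. Returns {user: password}
    for the records that fell; unknown formats are skipped."""
    found = {}
    for user, record in dump.items():
        for guess in wordlist:
            try:
                if verify_password(guess, record):
                    found[user] = guess
                    break
            except ValueError:
                break  # unknown format: nothing to brute-force against
    return found


if __name__ == "__main__":
    leaked = build_dump()
    print(crack(leaked, WORDLIST))
```

Running it recovers alice's and bob's passwords because they are in the wordlist, leaves carol's alone because no guess matches, and gives up on dave's record immediately because the format is unknown. Two users with the same password would still get different records, which is the whole point of the per-user salt.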

Mick West

Administrator
Staff member
The NYT seems to have done at least a little due diligence with this, as noted in the original story:

http://www.nytimes.com/2014/08/06/t...billion-stolen-internet-credentials.html?_r=0
Some more detail would be nice though. What does "authentic" mean here? You could create a database of "credentials" by munging together existing leaked databases (like @Hevach mentioned, above), and adding some random passwords. Did they actually try to log in with any of the credentials?

Other people are also doubtful:

http://www.theguardian.com/technolo...russian-hacking-scare-hold-security-passwords

This Forbes blogger has a similar assessment:
http://www.forbes.com/sites/josephs...cal-about-1-2-billion-passwords-being-stolen/
Internet security expert Bruce Schneier, is also suspicious:
https://www.schneier.com/blog/archives/2014/08/over_a_billion_.html
 

moderateGOP

Active Member
The NYT seems to have done at least a little due diligence with this, as noted in the original story:

http://www.nytimes.com/2014/08/06/t...billion-stolen-internet-credentials.html?_r=0
Some more detail would be nice though. What does "authentic" mean here? You could create a database of "credentials" by munging together existing leaked databases (like @Hevach mentioned, above), and adding some random passwords. Did they actually try to log in with any of the credentials?

Other people are also doubtful:

http://www.theguardian.com/technolo...russian-hacking-scare-hold-security-passwords

This Forbes blogger has a similar assessment:
http://www.forbes.com/sites/josephs...cal-about-1-2-billion-passwords-being-stolen/
Internet security expert Bruce Schneier, is also suspicious:
https://www.schneier.com/blog/archives/2014/08/over_a_billion_.html


As I suspected as more and more people research into this the more holes are discovered. I think I've asked a lot of good questions that they (media) still haven't asked. So all we can do is wait and see I guess.
 

moderateGOP

Active Member
Actually? Yeah, I'd want to see the list.


The problem? They're worth dick, because passwords are saved in encrypted, salted hashes. If you know the algorithm used, you still can't reverse them but you can brute force them. If you don't know the algorithm, have fun. The eBay database is as close to uncrackable as they get, the PSN database is the least secure on the list and still hasn't been cracked. And even if you finally managed to, three of the four have issued mandatory password resets and the fourth no longer exists.

That's the point I've been trying to get across here. If the list is 95% useless, how scary are some easy password combinations? The ones everyone knows about... So are the eBay database and PSN credentials also included in this list? What about the Target credit cards?

Have you read through the reddit link I posted above? The list appears to be available online somewhere and I haven't gone searching for it. So why is a security company charging money and asking for YOUR passwords! It's a complete scam.
 

moderateGOP

Active Member
This was taken from a press release on their website in February: http://www.holdsecurity.com/news/hold-security-llc-announces-credential-integrity-services/

Email addresses are NOT login credentials.
 

qed

Senior Member
7. Their hacking methods are outdated as well. SQL injection is pretty much outdated. Basically you may be able to hack a wordpress blog with that, but not a giant well funded site like Facebook or Youtube. Any IT organization knows about SQL and how to protect against it.

Still the good old standard. From the Mueller Report.

[attached image: upload_2019-4-29_17-33-9.png]
 