Russian "Hack of the Century"

moderateGOP

Working in the Information technology industry can be hectic and at times scary. Not only do you have to worry about setting up everything right in the first place and to make sure nobody loses any information if their computer crashes: usernames, passwords, emails, profiles, cloud accounts and servers. You also have to worry about what goes on in the outside world.

Like when the New York Times pulled this stunt on Tuesday 8/5.
http://www.nytimes.com/2014/08/06/t...billion-stolen-internet-credentials.html?_r=0

There are many problems with this story:

1. 1.2 Billion Passwords seems like a lot. There are no details about which passwords and usernames were stolen and they in fact refuse to tell anyone! So we have no real "proof" except conjecture from an unknown security firm.

2. Did they do it overnight? At first glance that's what it sounds like in the NY Times article. However, for all we know these hackers could have just been collecting and buying this information since the 1990s! There's no way to tell for sure. How scary is 1.2 Billion passwords if 85% of them are useless?

3. Who and what is Hold Security? Just read this Forbes article to find out:
"Firm That Exposed Breach Of 'Billion Passwords' Quickly Offered $120 Service To Find Out If You're Affected"
Classic marketing scheme right over here :cool:

4. Not many websites actually have over a Billion user names to steal. So if we are led to believe that these hackers are currently going around and hacking some of the biggest sites on the internet, I think they would know about it and fix their horrible user login systems. The fact of the matter is internet companies are usually one step ahead of hackers, especially those with two-step verification processes such as unique IDs or Captchas.
1.2 billion accounts, covering 500 million unique email addresses over 420,000 websites.
Content from External Source
5. To put this "credential collection" (not a hack, as I'd like to call it) in the same category as the Target Data Breach is just laughable in the IT world.

6. It is unclear if they bought the 1.2 Billion usernames and passwords or actually hacked them. It's looking more and more like they simply either bought them, or found them floating around the internet. This is quite easy to find.

7. Their hacking methods are outdated as well. SQL injection is pretty much outdated. Basically you may be able to hack a wordpress blog with that, but not a giant well funded site like Facebook or Youtube. Any IT organization knows about SQL and how to protect against it.

8. Twitter seems to be the only large website affected. It's said the gang is using the passwords to spam twitter accounts. Probably just using old ones to rank up twitter followers.

The hype around this is pretty stupid to me.
 
Oh hello fellow colleague!

Not that I disagree anything which you said and I too call bullshit for this hack, but one thing which you said just caught in my eye.

SQL injection is pretty much outdated. Basically you may be able to hack a wordpress blog with that, but not a giant well funded site like Facebook or Youtube. Any IT organization knows about SQL and how to protect against it.
SQL injections are not outdated; I believe that is one of the widely used attack methods. The problem arises from PHP, which is a widely used language in websites and does not properly/natively handle input from the client side. Escaping the SQL commands from the input has to be done manually by the programmer, and it has to be done _right_. The IT companies do know about SQL injection, but actually producing good quality code in real-life production which does not have those bugs is a whole new thing altogether. To be blunt, if you find a solution for achieving deadlines with constantly changing specs and producing quality, you will be a rich man in the IT business :)
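The point above that escaping has to be done by the programmer and has to be done right, as an added example that is not code from this thread: a constructed in-memory SQLite table queried two ways in Python, by string concatenation (the pattern being criticized) and with driver placeholders, so the same input can be seen handled both ways. The table contents and user names are made up.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table standing in for a site's login backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("o'brien", "hash-of-obrien-pw")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Builds the statement by concatenation: quote characters in the input
    # become part of the SQL grammar, so the input can rewrite the query.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Placeholders ship the value separately from the statement; the driver
    # never parses the input as SQL, so no hand-written escaping is needed.
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


def demo():
    conn = make_db()
    results = {}

    # A legitimate name containing an apostrophe: the concatenated query is
    # syntactically broken, the parameterized one simply matches the row.
    try:
        lookup_vulnerable(conn, "o'brien")
        results["vuln_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vuln_apostrophe"] = "syntax error"
    results["param_apostrophe"] = lookup_parameterized(conn, "o'brien")

    # The textbook tautology input: the concatenated query now matches every
    # row, while the parameterized query looks for that literal string and
    # returns nothing.
    payload = "x' OR '1'='1"
    results["vuln_tautology"] = sorted(lookup_vulnerable(conn, payload))
    results["param_tautology"] = lookup_parameterized(conn, payload)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```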
 
Indeed, SQL injection isn't something you can just avoid by being aware of. Unfortunately there are diminishing returns to investing in security - at least diminishing immediate returns, replaced by a small risk. And while the very large companies like Facebook and Google/Youtube devote a lot of resources to it, they are not 100% immune, and there are plenty of companies a bit smaller, who still have tens of thousands of your passwords.

SQL Injection is not at all outdated. Especially as a very large number of people will use the same credentials for multiple sites, making it an indirect attack on the bigger sites too.

http://www.pcworld.com/article/2457...ll-street-journal-database-led-to-breach.html
Jul 23, 2014
A vulnerability in a web-based graphics system led to a breach of The Wall Street Journal’s network by a hacker, the newspaper acknowledged late Tuesday.

The hacker gained entry into the network via a SQL injection vulnerability
Content from External Source
http://www.troyhunt.com/2014/02/heres-how-bell-was-hacked-sql-injection.html
February 4, 2014
In the leak of over 40,000 records from Bell in Canada. It was pretty self-evident from the original info leaked by the attackers that SQL injection had played a prominent role in the breach, but now we have some pretty conclusive evidence of it as well:
Content from External Source
 
I never said you couldn't get anything by doing SQL hacks, but it is highly unlikely. But your examples do point out that it is still a problem like you said. Some companies don't invest well in security.

Sure, but even comparing those breaches to this "collection" is a stretch. The article from NYT makes it sound like SQL is the method the gangs used to "hack" collect 1.2 Billion Passwords from the most popular websites on the internet. This is just impossible. Until they announce the full list for free and tell the companies involved how to protect themselves from this gang, I am calling BS on this entire story!
 
The article from NYT makes it sound like SQL is the method the gangs used to "hack" collect 1.2 Billion Passwords from the most popular websites on the internet.

No, it says:
420,000 websites, including household names, and small Internet sites.
Content from External Source
I'd agree there does seem to be a conflict of interest with Hold Security, but their story does not sound implausible:
http://www.holdsecurity.com/news/cybervor-breach/

How did this occur?

Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks (a large group of virus-infected computers controlled by one criminal system). These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited. The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. The CyberVors used these vulnerabilities to steal data from these sites’ databases. To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords.

Who is affected?
The CyberVors did not differentiate between small or large sites. They didn’t just target large companies; instead, they targeted every site that their victims visited. With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.
Content from External Source
 
Saying that the gang hacked 1.2 Billion passwords is a lot scarier than saying over time some group has obtained 1.2 Billion login credentials. I have a lot of questions about this and am not willing to pay them $120 for the info.
 
Saying that the gang hacked 1.2 Billion passwords is a lot scarier than saying over time some group has obtained 1.2 Billion login credentials.

Sorry, I'm not really seeing the distinction. Is it just the "over time" thing?
 
Working in the Information technology industry can be hectic and at times scary. Not only do you have to worry about setting up everything right in the first place and to make sure nobody loses any information if their computer crashes: usernames, passwords, emails, profiles, cloud accounts and servers. You also have to worry about what goes on in the outside world.

Like when the New York Times pulled this stunt on Tuesday 8/5.
http://www.nytimes.com/2014/08/06/t...billion-stolen-internet-credentials.html?_r=0

There are many problems with this story:

1. 1.2 Billion Passwords seems like a lot. There are no details about which passwords and usernames were stolen and they in fact refuse to tell anyone! So we have no real "proof" except conjecture from an unknown security firm.

Unknown?

and so what - it is a claim - the evidence is as described - "proof" is something else.

2. Did they do it overnight? At first glance that's what it sounds like in the NY Times article. However, for all we know these hackers could have just been collecting and buying this information since the 1990s! There's no way to tell for sure. How scary is 1.2 Billion passwords if 85% of them are useless?

Several points here - does it matter if they did it "overnight"?

And "so what" if the passwords are "useless" - how is anyone to know which are and which are not?

3. Who and what is Hold Security? Just read this Forbes article to find out:
"Firm That Exposed Breach Of 'Billion Passwords' Quickly Offered $120 Service To Find Out If You're Affected"
Classic marketing scheme right over here :cool:

Indeed - still not a debunking tho.....

4. Not many websites actually have over a Billion user names to steal. So if we are led to believe that these hackers are currently going around and hacking some of the biggest sites on the internet, I think they would know about it and fix their horrible user login systems. The fact of the matter is internet companies are usually one step ahead of hackers, especially those with two-step verification processes such as unique IDs or Captchas.
1.2 billion accounts, covering 500 million unique email addresses over 420,000 websites.
Content from External Source

as Mick pointed out - your initial claim is just wrong.

5. To put this "credential collection" (not a hack, as I'd like to call it) in the same category as the Target Data Breach is just laughable in the IT world.

I don't particularly mind what you call it - passwords in the hands of someone not entitled to them is a problem.

6. It is unclear if they bought the 1.2 Billion usernames and passwords or actually hacked them. It's looking more and more like they simply either bought them, or found them floating around the internet. This is quite easy to find.

Irrelevant - passwords in the hands of someone not entitled to them is a problem.

7. Their hacking methods are outdated as well. SQL injection is pretty much outdated. Basically you may be able to hack a wordpress blog with that, but not a giant well funded site like Facebook or Youtube. Any IT organization knows about SQL and how to protect against it.

Obsolescence or otherwise doesn't matter either - they still have the passwords.

8. Twitter seems to be the only large website affected. It's said the gang is using the passwords to spam twitter accounts. Probably just using old ones to rank up twitter followers.

The hype around this is pretty stupid to me.

Maybe so - but your headline is misleading - you haven't debunked anything - all you've told us is why you think it is overhyped.
 
1. and so what - it is a claim - the evidence is as described - "proof" is something else.

2. Several points here - does it matter if they did it "overnight"?

3. And "so what" if the passwords are "useless" - how is anyone to know which are and which are not?

4. as Mick pointed out - your initial claim is just wrong.

5. Obsolescence or otherwise doesn't matter either - they still have the passwords.

6. Maybe so - but your headline is misleading - you haven't debunked anything - all you've told us is why you think it is overhyped.

1. As described??? Really? The NYT failed to mention that the security firm is using the information of the "hack" to get money out of people. In law that's called exploitation. Why should I or joe public pay some unknown security firm to find out if my passwords are on some list somewhere?? It's extremely shady. I've seen this done time and time again with other marketing schemes and this detail is one thing you and Mick seem to have overlooked. Not sure why you don't care about this part but you care a lot more about some dubious claims about 1.2 Billion passwords.

2. As I said there is no way to tell if these are passwords that they bought in the 1990s and just collected over time. Most internet companies require you to change your passwords or delete your profile after a certain amount of time or inactivity time. So if these passwords are current why isn't a Security firm letting the people know? I mean as much as I think Edward Snowden is a traitor to this country, he didn't try to scam people outright. He told everyone what he had in a media blitz for free!!!

3. You have to pay to find out! In legal terms conspiracy is usually a part of exploitation. Is the security firm actually the Russian Gang? What type of "Nondisclosure agreements" do they have with hackers if they aren't?

4. Nobody is hacking Facebook itself with SQL injections.

5. So a so-called security firm wants money from you so that you can get a list of passwords that for all we know could be ten years old. They don't want to release the list because this breaks some type of deal that they made with the unknown hackers. A group nobody before has heard of. Then they turn around and break said deal all for a measly $120?? Honestly this thing reads like a poorly worded right wing campaign letter that asks people to donate $5 to stop Obama from taking over the world.

If they really had 1.2 Billion currently active passwords from the largest internet websites they could and should be doing a lot more damage than spamming twitter. They could be making a lot more money off this deal. They shouldn't be "telling" a security firm and making deals with them...It just doesn't make any sense whatsoever.

The only defense you guys are talking about is what they said. The real question is why should we believe a bunch of hackers without some type of proof? Why should we have to pay them to get the truth?
 
This is not really a debunk, more just that you are suspicious.

Ok I did some digging about Hold Security. Alex Holden is the man in charge. He broke a story about the Adobe Hack a couple of years back. Well known in hacker circles as some type of a shady wannabe.

Source is from reddit. Real hackers are none too happy with the story and how it has been sensationalized by the media:

It doesn't sound like there are any "other people" at his firm. Hold Security is just Alex Holden.

Some pointers:

Content from External Source
 
Fair enough - it is still a story about overhype and not an actual debunking.

Can you pick on one claim of evidence and show that it is wrong?
 
I've read somewhere that they want your passwords if you sign up for their $120 service. So basically it is you paying them to hack you!

Here it is: http://grahamcluley.com/2014/08/cybervor-pay/


You see, Hold Security is asking users to sign up for what it calls the “Consumer Hold Identity Protection Service” (CHIPS). Hold Security says that CHIPS is a subscription service, but if you sign up right now you’ll get 30 days protection for free.

But hold your horses, because wait until you hear how it is supposed to work.

Hold Security wants you to give them your email address – and if they find it in their database of stolen credentials, they will then ask you (are you ready?) to “provide an encrypted versions of your passwords to compare it to the ones in our database, so that we can let you know exactly which of your passwords have been compromised”.
Content from External Source
They don't have any evidence! It is a claim. To debunk a claim you have to do some digging yourself and see what is going on in the background and ask tough questions. In IT gathering lists of already publicly accessible data is not called hacking. It is not a breach of data as they said in their public release form. As I said to compare this to Target or even Adobe is laughable. Nobody has ever heard of the CyberVor gang and hardly anyone has heard of Alex Holden.

It's a PR stunt created by Holden so that he can get a free key note speaker slot at the Black Hat event in Las Vegas these next two weeks: http://www.usatoday.com/story/tech/2014/08/06/russian-crime-ring-cybersecurity/13658595/

I'm not really sure what else you need me to say about it to prove to you that this entire story is dubious. Anyway, I'm sure you can easily find the list Holden is selling accessible online. I'm not going to link those sources here because they are currently on peer to peer networks.
 
A claim is evidence - it might be GOOD evidence without something more to back it up - but it is evidence.

I am quite happy with your claim that the story is dodgy - you have provided quite a lot of evidence to support that - fine and good.

But that is not the same as debunking - I see the title has changed so my objection actually doesn't exist any more :)
 
From the moment you first turn on the computer you are told NEVER under any circumstances should you give your information to anybody. Other than your IT person. (At my job this is ME :))

So I say again. I don't think Hold Security has 1.2 Billion passwords. I'd put the Hold Security Website in the same category as Infowars and Naturalnews. But if you want to believe them, go right ahead.

This is the same thing we do with all other conspiracy stories, so not sure why it's not debunked yet. I guess the final thing would be to find out if the list is faked. But average people not connected to the people involved can't do that. Unless you really want to give them your password???:confused::eek:o_O Even then they won't give you access to the list. It's a circle and that's why I say there is no list!

It's no different from the New Order or Illuminati Conspiracy Theories. You can't prove they don't exist, but we really know they don't.
 
This is the same thing we do with all other conspiracy stories, so not sure why it's not debunked yet.

We don't debunk conspiracy stories. We debunk claims of evidence.

I think everyone agrees it's a bit fishy, but that does not make it debunked. It's possible there's a gang of Russian hackers who have been stealing passwords from vulnerable sites. It's possible a security company might hack the hackers.
 
A bit fishy??? The whole thing is a scam. I need to see hard proof of this list and yet no media outlet is demanding it to see. They just question the motives of hiding it. I want to know who the unnamed people who "approved" of the list are.

No the security company isn't hacking the hackers. The "security" company is tricking (also known as Phishing) people into giving them their passwords!

What exactly would make it debunked. What else do you need? Do you actually need the list??
 
Actually? Yeah, I'd want to see the list.

This isn't the first time somebody's amassed a list of over a billion stolen credentials. If you've got some money, it's probably not even that hard. You can load up the Tor browser and if you know the onion routing information there are a handful of deepweb sites (hiddenwiki lists several of the more reliable ones) where stolen password databases are available, either for free or for bitcoins. I know of several big ones (PSN, AOL, Mt Gox, and eBay) that have even shown up on bittorrent, and with those four you can top about 250 million credentials. A billion is impressive, but without knowing what they actually have, it's impressive in the way that having a complete collection of 80's action figures or every issue of National Geographic is impressive.

The problem? They're worth dick, because passwords are saved in encrypted, salted hashes. If you know the algorithm used, you still can't reverse them but you can brute force them. If you don't know the algorithm, have fun. The eBay database is as close to uncrackable as they get, the PSN database is the least secure on the list and still hasn't been cracked. And even if you finally managed to, three of the four have issued mandatory password resets and the fourth no longer exists.
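Hevach's point that a dump of salted hashes has to be attacked one record at a time, as an added example that is not code from this thread: a constructed five-account dump (two accounts reuse the same weak password) is hashed once without salts and once with a random per-account salt, and the number of hash operations needed to recover passwords from a tiny constructed word list is counted for each. All account names, passwords and the word list are made up.

```python
import hashlib
import secrets

# Constructed accounts: u1 and u3 reuse the same weak password, u4's is not
# in the word list at all.
PLAINTEXTS = {"u1": "letmein", "u2": "123456", "u3": "letmein",
              "u4": "correct horse", "u5": "qwerty"}
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou"]


def hash_unsalted(pw):
    # Same password always yields the same digest, for every site and user.
    return hashlib.sha256(pw.encode()).hexdigest()


def hash_salted(pw, salt):
    # Per-account salt: identical passwords yield different digests, and a
    # digest computed for one account is useless against any other.
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def build_dumps():
    """Return (unsalted_dump, salted_dump) for the constructed accounts."""
    unsalted = {u: hash_unsalted(p) for u, p in PLAINTEXTS.items()}
    salted = {}
    for u, p in PLAINTEXTS.items():
        salt = secrets.token_bytes(16)          # fresh random salt per account
        salted[u] = (salt, hash_salted(p, salt))
    return unsalted, salted


def recover_unsalted(dump, wordlist):
    """Return (recovered, hash_operations) for an unsalted dump."""
    # One digest per candidate word, regardless of how many accounts there
    # are: a single precomputed table serves every record at once.
    table = {hash_unsalted(w): w for w in wordlist}
    recovered = {u: table[h] for u, h in dump.items() if h in table}
    return recovered, len(wordlist)


def recover_salted(dump, wordlist):
    """Return (recovered, hash_operations) for a salted dump."""
    # Every candidate word must be re-hashed under each record's own salt,
    # so the work grows with the number of accounts, not just the word list.
    recovered, work = {}, 0
    for u, (salt, h) in dump.items():
        for w in wordlist:
            work += 1
            if hash_salted(w, salt) == h:
                recovered[u] = w
                break
    return recovered, work


if __name__ == "__main__":
    unsalted, salted = build_dumps()
    for name, fn, dump in (("unsalted", recover_unsalted, unsalted),
                           ("salted", recover_salted, salted)):
        found, ops = fn(dump, WORDLIST)
        print(f"{name}: {len(found)} of {len(dump)} recovered "
              f"with {ops} hash operations")
```

A slow, memory-hard password hash (scrypt, bcrypt, Argon2) in place of plain SHA-256 multiplies the per-guess cost on top of the per-account multiplier the salt already imposes.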
 
The NYT seems to have done at least a little due diligence with this, as noted in the original story:

http://www.nytimes.com/2014/08/06/t...billion-stolen-internet-credentials.html?_r=0
At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.
Content from External Source
Some more detail would be nice though. What does "authentic" mean here? You could create a database of "credentials" by munging together existing leaked databases (like @Hevach mentioned, above), and adding some random passwords. Did they actually try to log in with any of the credentials?

Other people are also doubtful:

http://www.theguardian.com/technolo...russian-hacking-scare-hold-security-passwords


Cybersecurity experts are concerned that Hold Security has not yet made the data public or available for confirmation by users. “We’ve had very little concrete information released,” said David Emm, senior researcher with security firm Kaspersky, talking to the Guardian.

“I’m inclined to take it with a pinch of salt for now.”

...

“Nothing has been released by an established security company – I personally haven’t come across Hold Security before – and we’ve had no information on the companies affected, or whether they’re still vulnerable,” said Emm. “There’s just what seems to me to be a pretty vague claim of the largest security breach to date.

‘Plausible but we need more data’
“There hasn’t been very much data released yet on exactly what these guys found,” explained Dr Brad Karp, a reader in computer systems and networks at the computer science department at University College London who researches internet and systems security.

Hold Security allowed an unnamed independent security expert to verify the database of stolen user details at the request of the New York Times.

“It’s plausible that they have found this many credentials, but whether they actually have or not we would need to see more data,” said Karp. “We’ve been told independent experts have verified it, but we haven’t seen what they’ve verified and we don’t know who they are.”

Candid Wueest, principal threat researcher with security firm Symantec agreed.

“Without having actual fact, it’s hard to say whether it happened like they explained or not,” said Wueest. “It is possible, but at the moment it’s speculation by one source and we haven’t seen any secondary proof, so at the moment we have to unfortunately wait and see how it evolves.”
Content from External Source
This Forbes blogger has a similar assessment:
http://www.forbes.com/sites/josephs...cal-about-1-2-billion-passwords-being-stolen/

The aforementioned points do not mean that passwords were not stolen. They certainly may have been. They do not mean that Hold Security and the New York Times are wrong; both may be 100% correct. They also do not mean that there are not serious vulnerabilities on many websites. There are. That’s the world we live in.

So, what to do now? Don’t panic, and go on with your life. Until more information comes out I would not suggest resetting passwords – they may be on systems that can be re-breached – or sending anyone encrypted copies of your passwords.

As far as claims that what was recently announced was the worst information-security breach ever: I am highly skeptical. I eagerly await more information. So far, this whole episode seems, to put it bluntly, quite strange.
Content from External Source
Internet security expert Bruce Schneier is also suspicious:
https://www.schneier.com/blog/archives/2014/08/over_a_billion_.html
As expected, the hype is pretty high over this. But from the beginning, the story didn't make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn't a company that I had ever heard of before. (I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before, either.) The New York Times writes that "a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic," but we're not given any details. This felt more like a PR story from the company than anything real.

...

This story is getting squirrelier and squirrelier. Yes, security companies love to hype the threat to sell their products and services. But this goes further: single-handedly trying to create a panic, and then profiting off that panic.

I don't know how much of this story is true, but what I was saying to reporters over the past two days is that it's evidence of how secure the Internet actually is. We're not seeing massive fraud or theft. We're not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords -- they've probably had most of them for a year or more -- and everything is still working normally. This sort of thing is pretty much universally true. You probably have a credit card in your wallet right now whose number has been stolen. There are zero-day vulnerabilities being discovered right now that can be used to hack your computer. Security is terrible everywhere, and it's all okay. This is a weird paradox that we're used to by now.
Content from External Source
 

As far as claims that what was recently announced was the worst information-security breach ever: I am highly skeptical. I eagerly await more information. So far, this whole episode seems, to put it bluntly, quite strange.
Content from External Source
Internet security expert Bruce Schneier is also suspicious:
https://www.schneier.com/blog/archives/2014/08/over_a_billion_.html
As expected, the hype is pretty high over this. But from the beginning, the story didn't make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn't a company that I had ever heard of before. (I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before, either.) The New York Times writes that "a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic," but we're not given any details. This felt more like a PR story from the company than anything real.

...

This story is getting squirrelier and squirrelier. Yes, security companies love to hype the threat to sell their products and services. But this goes further: single-handedly trying to create a panic, and then profiting off that panic.

I don't know how much of this story is true, but what I was saying to reporters over the past two days is that it's evidence of how secure the Internet actually is. We're not seeing massive fraud or theft. We're not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords -- they've probably had most of them for a year or more -- and everything is still working normally. This sort of thing is pretty much universally true. You probably have a credit card in your wallet right now whose number has been stolen. There are zero-day vulnerabilities being discovered right now that can be used to hack your computer. Security is terrible everywhere, and it's all okay. This is a weird paradox that we're used to by now.
Content from External Source


As I suspected, the more people research this, the more holes are discovered. I think I've asked a lot of good questions that they (the media) still haven't asked. So all we can do is wait and see, I guess.
 
Actually? Yeah, I'd want to see the list.


The problem? They're worth dick, because passwords are saved as encrypted, salted hashes. If you know the algorithm used, you still can't reverse them, but you can brute-force them. If you don't know the algorithm, have fun. The eBay database is as close to uncrackable as they get; the PSN database is the least secure on the list and still hasn't been cracked. And even if you finally managed to, three of the four have issued mandatory password resets and the fourth no longer exists.

That's the point I've been trying to get across here. If the list is 95% useless, how scary are some easy password combinations? The ones everyone knows about... So are the eBay database and PSN credentials also included in this list? What about the Target credit cards?

Have you read through the reddit link I posted above? The list appears to be available online somewhere, and I haven't gone searching for it. So why is a security company charging money and asking for YOUR passwords? It's a complete scam.
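The post above argues that a dump of salted hashes is far less useful than plaintext because each entry has to be guessed separately. The following is an added example, not code from the thread or from any of the sites discussed; it contrasts a bare SHA-1 digest (identical for every user who picked the same password) with a salted PBKDF2 digest, and shows what an offline wordlist attack against one salted record actually costs. The wordlist, passwords and iteration counts are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Added example (not from the thread). Iteration count is a tunable cost factor;
# 100k is illustrative, not a recommendation for any particular site.
DEFAULT_ITERATIONS = 100_000


def unsalted_digest(password: str) -> str:
    """Legacy scheme: bare SHA-1, no salt. Two users with the same password
    produce the same digest, so one cracked hash unlocks every matching row."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    Returns (salt, digest); the salt is stored alongside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_with_wordlist(salt: bytes, digest: bytes, wordlist: List[str],
                        iterations: int = DEFAULT_ITERATIONS) -> Tuple[Optional[str], int]:
    """Offline guessing against ONE leaked (salt, digest) pair.
    Every guess costs `iterations` PBKDF2 rounds, and because the salt is
    per-user the work cannot be shared across rows.
    Returns (recovered_password_or_None, guesses_tried)."""
    for attempts, guess in enumerate(wordlist, start=1):
        if verify_password(guess, salt, digest, iterations):
            return guess, attempts
    return None, len(wordlist)


def shared_digests(passwords: List[str]) -> Tuple[int, int]:
    """How many distinct stored values a list of passwords yields under each
    scheme: (distinct unsalted digests, distinct salted digests).
    Repeated passwords collapse to one unsalted digest but stay distinct when salted."""
    unsalted = {unsalted_digest(p) for p in passwords}
    salted = {hash_password(p, iterations=1_000)[1] for p in passwords}
    return len(unsalted), len(salted)


if __name__ == "__main__":
    # Constructed demo: a small "leaked" table and a small wordlist.
    salt, digest = hash_password("correct horse", iterations=20_000)
    wordlist = ["123456", "password", "qwerty", "correct horse", "letmein"]
    print("salted crack:", crack_with_wordlist(salt, digest, wordlist, iterations=20_000))
    print("unsalted vs salted distinct digests:", shared_digests(["password", "password", "letmein"]))
```

The point the numbers make: with a bare hash, a table of a million rows where 10% of users chose "password" is cracked for all of them with one computation; with per-user salts every row is its own search, and the iteration count multiplies the cost of each guess.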
 
This was taken from a press release on their website in February: http://www.holdsecurity.com/news/hold-security-llc-announces-credential-integrity-services/

To help our customers we tracked over 300 million abused credentials that were not disclosed publicly (that is over 450 million credentials if you count our Adobe find). But this month, we exceeded all expectations! In the first three weeks of February, we identified nearly 360 million stolen and abused credentials and 1.25 billion records containing only email addresses.
Content from External Source
Email addresses are NOT login credentials.
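Two questions raised above go together: what "authentic" could mean for a database that may be munged from older leaks, and how much of a "credential" dump is really just email addresses. The following is an added example, not the thread's or Hold Security's code, of the kind of triage you would run over such a dump before believing any headline count: deduplicate exact repeats, count unique emails separately from records, and split entries into plaintext passwords, hashes, and email-only lines. The sample dump and the common-password list are constructed for illustration; real dumps use many separators and hash formats beyond the colon and the three hex lengths assumed here.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Added example (not from the thread). Constructed sample dump, one
# "email:secret" record per line; not data from any real breach.
SAMPLE_DUMP = """\
alice@example.com:hunter2
alice@example.com:hunter2
bob@example.com:5f4dcc3b5aa765d89ef3d3e6e9fa7f0f
carol@example.com:$2b$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
dave@example.com
eve@example.com:
alice@example.com:123456
this line is not a credential
FRANK@Example.com:letmein
"""

# Constructed stand-in for a top-N common password list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "letmein"}

EMAIL_RE = re.compile(r"^[^\s:@]+@[^\s:@]+\.[^\s:@]+$")
# Assumption: unsalted md5 / sha1 / sha256 hex digests; "$..." covers
# modular-crypt formats such as bcrypt. Anything else is treated as plaintext.
HEX_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def classify_secret(secret: str) -> str:
    """Label the part after the separator: email_only, hash, or plaintext."""
    if not secret:
        return "email_only"
    if secret.startswith("$") or HEX_HASH_RE.match(secret):
        return "hash"
    return "plaintext"


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'email:secret' (colon assumed as separator) into a normalised
    (email, secret) pair, or None for blank/malformed lines."""
    line = line.strip()
    if not line:
        return None
    email, _, secret = line.partition(":")
    email = email.lower()
    if not EMAIL_RE.match(email):
        return None
    return email, secret


def triage(dump_text: str) -> Dict[str, object]:
    """Summarise a dump: how much of it is unique, how much carries a usable
    secret, and how many plaintext passwords are trivially common."""
    records = set()
    non_empty = 0
    malformed = 0
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        non_empty += 1
        parsed = parse_line(line)
        if parsed is None:
            malformed += 1
            continue
        records.add(parsed)  # exact duplicates collapse here

    by_kind = Counter(classify_secret(secret) for _, secret in records)
    plaintext = [secret for _, secret in records if classify_secret(secret) == "plaintext"]
    common_hits = sum(1 for secret in plaintext if secret.lower() in COMMON_PASSWORDS)

    return {
        "non_empty_lines": non_empty,
        "malformed": malformed,
        "unique_records": len(records),
        "unique_emails": len({email for email, _ in records}),
        "by_kind": dict(by_kind),
        "common_password_hits": common_hits,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Run on the sample, nine lines shrink to seven unique records for six addresses, only three of which carry a plaintext password, and two of those are on the common list. That gap between "lines in the file" and "working logins" is exactly what the headline number hides, and why "did anyone try to log in with them?" is the right question.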
 
7. Their hacking methods are outdated as well. SQL injection is pretty much outdated. Basically, you may be able to hack a WordPress blog with that, but not a giant, well-funded site like Facebook or YouTube. Any IT organization knows about SQL and how to protect against it.

Still the good old standard. From the Mueller Report.

[Attached image: upload_2019-4-29_17-33-9.png]
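Since SQL injection is the attack method under debate above, here is an added example (not code from the thread, from Hold Security, or from any site named in it) of what the vulnerable pattern looks like next to its fix. The table, seed rows and payloads are constructed; the database is an in-memory SQLite instance via Python's standard sqlite3 module.

```python
import sqlite3
from typing import List, Tuple

# Added example (not from the thread). Constructed seed data; the "hashes"
# are placeholder strings, not real digests.
SEED_USERS = [
    ("alice@example.com", "hash-for-alice"),
    ("bob@example.com", "hash-for-bob"),
    ("carol@example.com", "hash-for-carol"),
]

# Two classic payloads. The first makes the WHERE clause always true and
# dumps every row; the second appends a UNION to read the schema table.
TAUTOLOGY = "' OR '1'='1"
SCHEMA_UNION = "' UNION SELECT name, sql FROM sqlite_master --"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, pw_hash TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (email, pw_hash) VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """VULNERABLE: the caller's string is pasted straight into the SQL text,
    so a quote in the input ends the literal and the rest becomes SQL."""
    sql = "SELECT email, pw_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """FIXED: a bound parameter is sent as data, never parsed as SQL, so the
    same payloads are just unusual email strings that match nothing."""
    return conn.execute(
        "SELECT email, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, tautology :", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable, schema    :", lookup_vulnerable(db, SCHEMA_UNION))
    print("safe, tautology       :", lookup_safe(db, TAUTOLOGY))
    print("safe, real address    :", lookup_safe(db, "alice@example.com"))
```

With the concatenated query, the tautology payload returns the whole users table (the password-hash harvest the thread is about), and the UNION payload returns the CREATE TABLE statement from sqlite_master, which is how an attacker learns the column names to ask for next. The parameterised version returns nothing for either payload. The fix is a one-line change, which is the real reason the technique is "outdated" on any site whose developers apply it everywhere, and why it still works on the ones that do not.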
 