Slashdot Mirror


Alleged Massive Account and Password Seizure By Russian Group

New submitter Rigodi (1000552) writes "The New York Times reported on August 5th that a massive collection of stolen email passwords and website accounts has been accumulated by an alleged Russian "crime ring". Over 1.2 billion accounts were compromised ... the attack scheme is essentially the old and well-known SQL injection tactic using a botnet. The information has been made public to coincide with the Black Hat conference to prompt a debate about the weaknesses of the classic account-and-password security system, urging the industry to find new ways to perform authentication. What do Black Hat security conference participants have to say about that in Vegas?"

126 comments

  1. because writing propet software by Anonymous Coward · · Score: 0

    Is just too hard....

    1. Re:because writing propet software by AaronLS · · Score: 4, Funny

      Apparently writing itself is hard, much less writing propet software.

    2. Re:because writing propet software by Anonymous Coward · · Score: 1

      Writing proper sentances is also hard.

    3. Re:because writing propet software by AlCapwn · · Score: 2

      Or propet sentences, even.

    4. Re:because writing propet software by RabidReindeer · · Score: 5, Funny

      The wisdom of the propets is written on the subway walls.

      And tenement halls.

    5. Re:because writing propet software by kris2112 · · Score: 1

      Ooooh...

      A Rash reference.

    6. Re:because writing propet software by necro81 · · Score: 1

      I misread "propet" like you did, then wondered what "prophet software" was supposed to be. Maybe Windows ME was supposed to be Windows Messiah? Instead it turned out to be Windows Anti-Christ.

    7. Re:because writing propet software by Anonymous Coward · · Score: 0

      Did you know that Paul Simon originally wrote "and bathroom stalls" instead of "and tenement halls"? True story.

    8. Re:because writing propet software by gweihir · · Score: 2

      Actually, why bother if nothing happens to those "losing" this data? Far cheaper not putting any protection in place.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:because writing propet software by ganjadude · · Score: 1

      apparently writing PROPER words is difficult as well

      --
      have you seen my sig? there are many others like it but none that are the same
    10. Re:because writing propet software by Minwee · · Score: 1

      This is Babel, Sensurround now. This place is death with stalls

    11. Re:because writing propet software by Anonymous Coward · · Score: 0

      Interesting, for a long time I thought the lyrics were "subway stalls", maybe some sort of psychic temporal resonance interference.

    12. Re:because writing propet software by Anonymous Coward · · Score: 1

      Here I thought it was Simon and Garfunkel.

    13. Re:because writing propet software by OhSoLaMeow · · Score: 1

      [citation needed]

      --
      They can take my LifeAlert pendant when they pry it from my cold dead fingers.
    14. Re:because writing propet software by Existential+Wombat · · Score: 2

      Writing proper sentances is also hard.

      So is spelling, apparently.

    15. Re:because writing propet software by arglebargle_xiv · · Score: 1

      I misread "propet" like you did, then wondered what "prophet software" was supposed to be. Maybe Windows ME was supposed to be Windows Messiah? Instead it turned out to be Windows Anti-Christ.

      No, that's Windows Vista. And then there's Windows Cthulhu, a.k.a. Metro/Win8.

  2. big whoop by Anonymous Coward · · Score: 1

    what is the use of accumulating a billion passwords if you already can successfully hack into the systems to steal them?

    1. Re:big whoop by timrod · · Score: 4, Informative

      The use is that you now have a database of 1.2 billion passwords that can be fed into a brute force cracker and used to make "educated guesses" to crack passwords.

    2. Re:big whoop by wonkey_monkey · · Score: 4, Interesting

      a) Because hacking isn't just a case of having access to everything or nothing. What if you can only hack the password database, but you can't hack the system that those logins are used for?

      b) Because, lazy as people are, you now have some very likely candidate email/password combinations to try on all the systems you can't hack into.

      --
      systemd is Roko's Basilisk.
    3. Re:big whoop by Jason+Levine · · Score: 2

      Because if you can hack into a system and get a billion passwords, you can sell those to "interested parties" for a penny each and retire.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    4. Re:big whoop by TWX · · Score: 1

      With proper credentials on this scale, you can make subtle changes that don't set off any red-flags to create your profit, and it may take years for the scale and scope of your meddling to really be determined.

      --
      Do not look into laser with remaining eye.
    5. Re:big whoop by Anonymous Coward · · Score: 0

      It's just the internet, who cares. The internet is not for serious stuff.

    6. Re:big whoop by budgenator · · Score: 1

      User name: poiuyt, password: qwerty; back in the day, circa 2001, I was involved in a failed get-rich scheme called poiuyt.com and we would be hammered with email confirmations for people signing up at other sites using the above credentials and @poiuyt.com for an email address. There would be everything from free tech sites to for-pay porn; I always managed to resist destroying the online reputations of these fools, but just barely. If that is the quality of the creds the Russians have filched then it's probably not that big of a deal; if it is that big of a deal then I'd worry about being an accessory before and after the fact if I was Hold Security.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  3. Is this me? by chinton · · Score: 3, Funny

    Or is the hacker that stole my /. credentials writing this post?

    1. Re:Is this me? by cdrudge · · Score: 1, Insightful

      How do we know they are mutually exclusive of each other?

    2. Re:Is this me? by LordLimecat · · Score: 3, Informative

      Courts have ruled that it is not possible to steal something from yourself, so they are mutually exclusive.

    3. Re:Is this me? by cdrudge · · Score: 1

      Are the credentials to a website property of the website? Or of the user?

      Or, if you steal the complete password file/database/whatever of a site, and your password is one of the many you obtained, is that considered a stolen password still?

    4. Re:Is this me? by Lotana · · Score: 1

      What if I suffer from Multiple Personality Disorder and that other fucker stole my wallet and hid it where only he knows where it is? Are you saying I can't sue the bastard?

    5. Re:Is this me? by rpstrong · · Score: 1

      You wouldn't believe the amount of time that I've stolen from myself . . .

  4. SQL Injection? by the+eric+conspiracy · · Score: 2

    Come on man

    1. Re:SQL Injection? by Nimey · · Score: 1

      In before all the hipsters posting that xkcd comic.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    2. Re: SQL Injection? by Anonymous Coward · · Score: 0

      Hipster doofuses.

    3. Re:SQL Injection? by Anonymous Coward · · Score: 0

      In before all the hipsters posting that xkcd comic.

      You misspelled hippies.

      And yeah, it is that old.

  5. Are the /. accounts affected ? by Anonymous Coward · · Score: 0

    Posting as AC since I do not know if my /. account has been affected or not ...

    1. Re:Are the /. accounts affected ? by Buchenskjoll · · Score: 5, Funny

      I think the Anonymous Coward account is compromised. Look over his posts, it's mostly complete crap.

      --
      -- Make America hate again!
    2. Re:Are the /. accounts affected ? by Anonymous Coward · · Score: 1

      Ha ha ha ha! Just try getting the account back or resetting its password. It's mine, Mine, MINE!

      And something about some act your mother and I once performed.

    3. Re:Are the /. accounts affected ? by gweihir · · Score: 1

      Nice one!

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Hold on a second.. by jbmartin6 · · Score: 5, Interesting

    Of course, the company which reveals this offers a $120/month breach notification service so they have a strong incentive to exaggerate. I'm not saying we should immediately discount these claims but let's make sure our grain of salt is in there.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Hold on a second.. by s.petry · · Score: 3, Interesting

      That, and the loose use of numbers to make it look "skeery". Cracklib has a few million entries (add up all of the languages), and for years people have been accumulating pre-made hashes in numerous formats. I can hash "password" in CRYPT, MD5, SSHA, SSHA2, etc., and now my 1 word has become at least 4 entries. The top 25 used passwords have now become "hundreds" of passwords. Surely that is an exaggeration, but it's not exactly a lie.

      I block way more brute force attacks out of China and the Middle East than I do Russia, but in all cases it is the same tools and methods.

      To claim that this is all the work of some mastermind criminal group in Russia is simply laughable propaganda, and ignores the fact that hackers have become global enterprises. It's easy for them to share data and tools, and they _do_ share data and tools. It's not like drug cartels that have to produce a commodity that requires land and manufacturing equipment (and people). There is more benefit for two hacking groups to share data than there is for two drug cartels to share turf. I'll guess that there are still some turf wars, but not nearly the same as with drug cartels.

      The only part I can agree with in TFA is that people don't know how to make strong passwords, and often lack the incentive to change their passwords frequently enough to stay ahead of the hackers. That's not a problem with Russia, but I'm sure this can result in yet another round of sanctions.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    2. Re:Hold on a second.. by Sqr(twg) · · Score: 2

      You mean:

      #1 Set up a website with 1.2 billion accounts.
      #2 Have Russian hackers crack your website.
      #3 Proclaim: "We have a list of 1.2 billion accounts that were compromised by Russian hackers. Pay us $120 if you want to know if you're affected."
      #4 Profit!

    3. Re:Hold on a second.. by Shadowhawk · · Score: 2

      From the TFA:
          At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.

      --
      My mind works like lightning. One brilliant flash and it is gone.
    4. Re:Hold on a second.. by mlts · · Score: 1

      I would place the blame less on intruders in general, the same way that I don't blame the bears (no comparison intended) at a park for getting tame and getting garbage due to tourists feeding them.

      I point the finger at the generally sorry state of computer security since the early 2000s where a number of companies could get by with "security has no ROI" as a mantra... and so far, there has been little to no long term consequences long term (other than to the end users with ID theft issues) for this behavior. So, it doesn't really matter where the blackhats are... they are just taking advantage of the fact that a lot of companies don't bother with adequate security measures.

      Adequate measures do not have to be expensive. Google Authenticator is standard, decently secure, and can be added quite easily. Using this as backup with SSH RSA keys as a primary is not a tough job for even a novice sysadmin.

      For websites, the best solution would be client certificates, other than dealing with a CA... but there is always adding a custom intermediate.

      Finally, there are basic sanity checks to put on a host level. If two machines are set up to communicate with each other, and don't need anything else, they get tunneled, or I set up entry/exit rules to disallow anything else to contact them. For machines that only are used at certain times of the day, it might be a good idea (although it would have to be a definite part of any troubleshooting process) to turn ports off when not in use.

      For media, this too is also a solved problem. TrueCrypt, LUKS, BitLocker, and FileVault can mitigate the loss of a USB flash drive, an external hard disk, a laptop, or even drives out of a remote server (such as a RODC serving a branch office.)

      Security is an issue, but right now, there is so much in the way of low-hanging fruit that doing basic precautions can go a long way for a lot of businesses.

    5. Re:Hold on a second.. by s.petry · · Score: 2

      You don't need something like Google Authenticator to be secure. A strong 8 character password changed every 60 days would suffice. A hacker can know your account, but statistically speaking they would not be able to crack your password by the time you had a new password. Longer passwords are better, obviously, but should still be changed periodically to prevent a brute force attack from succeeding over time. It should go without saying that a Government would have additional processing power and could break it faster, but at the same time the majority of servers today rate throttle auth connections to reduce brute force attacks. The supercomputers help with a known hash, not necessarily when cracking into your bank account.

      Where strong passwords tend to break down is in key loggers, phishing, and broken protocols.

      For media, this too is also a solved problem. TrueCrypt, LUKS, BitLocker, and FileVault can mitigate the loss of a USB flash drive, an external hard disk, a laptop, or even drives out of a remote server (such as a RODC serving a branch office.)

      A company called Intermedia has a "SecuriSync" product that uses both at-rest and in-transit encryption. So I agree the problem is solved, some much better than others, and even with "Cloud" storage. Cost is the obvious blocking factor in most cases.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    6. Re:Hold on a second.. by Phusion · · Score: 1

      Yeah, I hadn't read the source article until today. I chuckled a bit when they mentioned the services they offer that could help mitigate this threat.

      I'm sure several companies that have monitoring, pen-testing and other paid services are spooging their pants right about now. I'm sure that the story is legitimate, they may not be exaggerating, just letting their readers know that for a price, they're here to help :)

      --
      640k ought to be enough for anyone.
    7. Re:Hold on a second.. by Algae_94 · · Score: 1

      You don't need something like Google Authenticator to be secure. A strong 8 character password changed every 60 days would suffice. A hacker can know your account, but statistically speaking they would not be able to crack your password by the time you had a new password.

      Statistically speaking this would work, but it is possible that of all the brute force attempts the cracker tries in that 60 day window, one of them is your password. One correct guess and they have the account. Plus this is a pain in the ass to change passwords every 2 months. Use at least 10 characters.

    8. Re:Hold on a second.. by s.petry · · Score: 2

      I agree, and pointed out that it's a statistics issue. No system is perfect, but to have several "strong" passwords is more secure in my opinion than having all your eggs in a single (Google Auth) basket.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    9. Re:Hold on a second.. by mlts · · Score: 1

      I will agree on that count: If I had an AIX machine that was configured to lock out an account until it gets manually reset (i.e. permanently if there are no people on site or can log in) after 3-5 wrong accesses, an eight character password changed every two months would be good enough.

      However, locking down in this manner will bring up issues, be it denial of service attacks (an ex-employee does this to lock all staff out on a Friday, or a salesperson before his big presentation.) Other ways may not help either. Fail2Ban is a must have for SSH, but the good attackers brute force by doing three guesses from one IP, three guesses from another, etc. Sounds like a lot of IPs are needed, but with tens of millions of botnet clients, the bad guys can throw a lot of bad guesses from a lot of ranges.

      Storing passwords, even in a suitable bcrypted hash format is still having a database that someone, somewhere, with a lot of compute power, might be able to brute force, and then the info can be very useful to an attacker. However, not many sites are that secure. I'm willing to guess at best, there are a lot of sites there that will grab a password, hash it with MD5, drop all but 8 characters, and stash that in a field. Easy rainbow table material.

      One way I have helped fortify the password database, is a dedicated device (pretty much a separate database server) that takes username/password tuples, and gives yes, no, or locked out due to too many unsuccessful attempts in too short a time. That way, if the Web service gets hacked, all the authentication is still on a physically separate device.

      However, passwords need a clean chain to work effectively. Both endpoints must be secure, and the communication channel must be solid. Any of these break, and passwords become virtually useless. A lot of users don't know or don't care how clean their home computer is because they know that having it "fixed" [1] takes a lot of time and expense (to them.)

      Because of this, it isn't bad to have some type of two factor authentication. One example might be borrowing from the IBM ZTIC, having an app on a phone that confirms banking transactions done on the computer. Not 100%, but it means an attacker has to compromise two separate channels, and in general, smartphones tend to be more difficult to completely compromise than a desktop.

      Inside a company (for AD access), a password can be good enough, especially when coupled with other security methods. However, externally, either 2FA or going to a public key/cert model is a proper precaution, as well as limiting the IP space that items connect to. If a company isn't doing business in Elbonia, maybe not exposing the shopping cart mechanism to that IP address range would be prudent.

      [1]: "fixed" in quotes. Yes, one can spend a good long while de-lousing a machine, but it often is a lot faster to save off, erase, and reinstall.

    10. Re:Hold on a second.. by s.petry · · Score: 2

      Wait. Why would you need an AIX box or even permanent lockout? Answer: You don't need any such thing.

      Native Unix LDAP supports time duration locking, it does not have to be permanent, and works with all NSS_LDAP libraries. I have run Servers of all types and Linux clients of all flavors (AIX, Solaris, HP-UX, RHEL, Ubuntu, etc..) and never had to permanently ban accounts for well over a dozen years (Early implementations were not as good as later, but still worked very well).

      The majority of server side services (E.G. sshd) can idle for N seconds between auth attempts.

      Assuming your servers are running like they should, permanent lockout is never really needed. On LDAP Servers I generally configure the policy to lockout an account for 30 minutes, not permanently.

      You are never going to prevent all brute force attacks, and attempting to do so is idiocy. You want to deter them, which can be done in numerous ways. Stacking deterrence methods becomes extremely effective.

      Do you really think a hacker is going to try for a 4th attempt, see that the account is locked, and keep trying after that? The answer to that is Hell no, the hacker will move to the next target and hope it's easier. He may come back tomorrow and try again, but after seeing account locks they will quickly move on to easier prey. Easier prey is everywhere...

      Obviously deterrence won't fix everything, but there is no solution that is perfect. I can spoof biometric data as easy as brute force cracking passwords. I have found IPs trickling brute force attacks at extremely low rates, 1 every 4 hours for example. Your Auth subsystem does not find or fix these as much as having a good set of tools and admins that are monitoring what is happening in your environment.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
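The time-limited lockout and the low-rate "trickle" s.petry describes, as an added example that is not code from the thread: a small policy replayed over constructed sshd-style log lines (host names, user names and the 203.0.113.0/24 and 198.51.100.0/24 addresses are made up), locking an account for 30 minutes after three failures and separately flagging sources whose guesses are spaced too far apart for that window to ever catch.

```python
# Added example, not from the Slashdot thread. Replays constructed sshd log
# lines through (a) a per-account lockout that expires after 30 minutes, as
# s.petry describes, and (b) a detector for low-rate brute force (one guess
# every few hours) that no lockout window will trip and monitoring must find.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)
YEAR = 2014  # syslog lines carry no year; the constructed lines are from Aug 2014

# Constructed sample: alice is hammered from one host, bob is probed once every
# four hours from another, carol mistypes once and then logs in.
SAMPLE_LOG = """\
Aug  5 10:00:01 web1 sshd[100]: Failed password for alice from 203.0.113.5 port 4000 ssh2
Aug  5 10:00:02 web1 sshd[101]: Failed password for alice from 203.0.113.5 port 4001 ssh2
Aug  5 10:00:03 web1 sshd[102]: Failed password for alice from 203.0.113.5 port 4002 ssh2
Aug  5 10:00:04 web1 sshd[103]: Failed password for alice from 203.0.113.5 port 4003 ssh2
Aug  5 10:20:00 web1 sshd[104]: Accepted password for alice from 198.51.100.7 port 5000 ssh2
Aug  5 10:45:00 web1 sshd[105]: Accepted password for alice from 198.51.100.7 port 5001 ssh2
Aug  5 00:10:00 web1 sshd[106]: Failed password for bob from 203.0.113.9 port 6000 ssh2
Aug  5 04:10:00 web1 sshd[107]: Failed password for bob from 203.0.113.9 port 6001 ssh2
Aug  5 08:10:00 web1 sshd[108]: Failed password for bob from 203.0.113.9 port 6002 ssh2
Aug  5 12:10:00 web1 sshd[109]: Failed password for bob from 203.0.113.9 port 6003 ssh2
Aug  5 16:10:00 web1 sshd[110]: Failed password for bob from 203.0.113.9 port 6004 ssh2
Aug  5 09:00:00 web1 sshd[111]: Failed password for carol from 198.51.100.8 port 7000 ssh2
Aug  5 09:00:30 web1 sshd[112]: Accepted password for carol from 198.51.100.8 port 7001 ssh2
"""


def parse_log(text):
    """Return (timestamp, success, user, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines this parser does not understand are skipped
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"] == "Accepted", m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def apply_lockout(events, max_failures=3, window=timedelta(minutes=30),
                  lockout=timedelta(minutes=30)):
    """Lock an account for `lockout` once it has `max_failures` failures inside
    `window`. While locked, every attempt is refused before the password is
    even checked, which is why the legitimate login at 10:20 is refused too.
    Returns (decision per event, {user: [(lock_start, lock_end), ...]})."""
    recent = defaultdict(list)   # user -> timestamps of failures still inside the window
    locked_until = {}            # user -> datetime the lock expires
    locks = defaultdict(list)
    decisions = []
    for ts, success, user, _ip in events:
        if user in locked_until and ts < locked_until[user]:
            decisions.append("rejected-locked")
            continue
        if success:
            decisions.append("ok")
            recent[user].clear()
            continue
        decisions.append("fail")
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= max_failures:
            locked_until[user] = ts + lockout
            locks[user].append((ts, ts + lockout))
            recent[user].clear()
    return decisions, dict(locks)


def low_and_slow_sources(events, min_failures=4, min_gap=timedelta(hours=1)):
    """Source IPs with at least `min_failures` failures whose every gap is at
    least `min_gap`: the trickle pattern a lockout window never accumulates."""
    fails = defaultdict(list)
    for ts, success, _user, ip in events:
        if not success:
            fails[ip].append(ts)
    flagged = {}
    for ip, times in fails.items():
        if len(times) < min_failures:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if min(gaps) >= min_gap:
            flagged[ip] = (len(times), min(gaps))
    return flagged


def analyze(text=SAMPLE_LOG):
    events = parse_log(text)
    decisions, locks = apply_lockout(events)
    return {
        "events": len(events),
        "rejected_while_locked": decisions.count("rejected-locked"),
        "locked_accounts": sorted(locks),
        "lock_minutes": [int((e - s).total_seconds() // 60) for s, e in locks.get("alice", [])],
        "trickle_sources": sorted(low_and_slow_sources(events)),
    }


if __name__ == "__main__":
    print(analyze())
```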

    11. Re:Hold on a second.. by Algae_94 · · Score: 0

      Oh I absolutely agree on the importance of several passwords. I really don't like these centralized authentication systems or password keepers. It may be the height of paranoia, but if I'm going to the trouble of making up all these multiple strong passwords, why would I then put them all in one location? That's one system to compromise to get the keys to all my accounts.

      Really the issue is the inability to remember multiple passwords for the average person (or the inability to want to remember them). I like the idea of using a custom, human operable hash function to generate passwords. Take this site as an example, the input would be slashdot (the domain), you take that as the seed and apply some sort of algorithm/hashing function in your head to create the password. It needs to be complex enough to not just be "add '123' to the end", but simple enough to do while sitting at a keyboard. If you can still recognize the domain in the output it's a failure. The beauty of it is that you never need to remember your passwords, just the algorithm. If you want to log in to a site, you look at the domain and apply your hashing algo to 'remember' your password. If you want to change the passwords, change your algorithm. This is of course far beyond the level of the average user, but it avoids putting all your keys in one box.

    12. Re:Hold on a second.. by Marxist+Hacker+42 · · Score: 1

      Yeah, the paper that broke the story claims that they had "a security expert not affiliated with Hold Security", whom they refuse to name, verify that the database exists.

      Sounds to me like Hold Security paid the New York Times to plant a story that is really an advertisement, who in turn paid a fake security expert to come up with a predetermined conclusion.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    13. Re:Hold on a second.. by s.petry · · Score: 1

      Really the issue is the inability to remember multiple passwords for the average person (or the inability to want to remember them).

      Well, there is another statistics issue to consider then. Let's say you use math as your password, like "N=6*24/tan(lb)". Nice strong 14 character password, right? If you changed N to I, you have changed your password enough to defeat a brute force attack and only changed 1 character of your password. It's not like a computer can brute force the last characters, or the first characters. The brute force crack needs to break the "whole" password.

      Extend the same statistics problem, and if you use "lb" for banking but replace that for "pp" for email you have 2 strong passwords that are similar enough for you to remember yet strong enough that brute force won't catch up.

      Every couple years, you scrap that math problem and create a new one. Change the position of your bank/email markers, and you are staying pretty damn secure.

      Sure, 1 lucky shot is all a hacker needs but a 14 character strong password has a 1 in 3.4e+38 chance of guessing.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  7. Bears repeating by MikeRT · · Score: 1, Insightful

    For those inclined to make moral equivocations between the NSA and the Russian government, both do what the NSA got caught doing. The difference is that the US Government would have the FBI kicking in this gang's door with a SWAT raid if they were Americans, whereas Putin is probably chuckling right now if he's reading about this.

    1. Re:Bears repeating by Anonymous Coward · · Score: 0

      ... The difference is that the US Government would have the FBI kicking in this gang's door with a SWAT raid if they were Americans, whereas Putin is probably chuckling right now if he's reading about this.

      (apologies for the AC)

      Yes, the US would have the FBI (etc) kicking in the door with a SWAT raid, so they could get the database for themselves to monitor and potentially use against YOU! (while Putin merely chuckles).

    2. Re:Bears repeating by Carcass666 · · Score: 1

      Not sure I get what you are saying... Is it that Putin is sitting in his easy chair, munching caviar, laughing about "those crazy kids", and that he is above instructing his former colleagues at the FSB to check things out? What are we supposed to base Putin's indifference (or altruism) about this purloined user data? The lack of a Russian Snowden? Absence of evidence is not evidence of absence.

    3. Re:Bears repeating by Anonymous Coward · · Score: 0

      (while Putin merely chuckles). because he has the DB already

      Fixed that up for ya...

    4. Re:Bears repeating by Opportunist · · Score: 2

      If the NSA now wanted to apologize their domestic spying with "but the others do it too", we should get off the high horse of "we're the shining beacon of freedom in this world", too.

      Have your cake or eat it. Either you're entitled to doing what the crooked states do, or you are entitled to look down your nose at them. Choose. You can't have both.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Bears repeating by disposable60 · · Score: 1

      Putin's in his Dacha, kickin' back with a vodka and some roe, laughing as the kickback payments accumulate in one account and the kneebreakers make lists of delinquents to visit in another.

      --
      You're looking for quotes? See my journal.
    6. Re:Bears repeating by idontgno · · Score: 1

      I think "Superpower" status includes the ability to have both. Because hypocrisy doesn't matter if you're big enough that you don't have to care what other people think.

      I'm pretty sure the U.S. passed that moral event horizon a long time ago.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    7. Re:Bears repeating by Opportunist · · Score: 1

      Hypocrisy does matter. Unless you don't care that some people, usually from other countries, consider you a big enough asshole that they think it's all right to blow up a part of you.

      Because that's what an attitude of "I can be as much an asshole as I please 'cause nobody can do anything against it" entails: Someone finds a way to do something about it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Call a spade a spade by Anonymous Coward · · Score: 1

    Not a single mention of Windows in the article, only the term botnets which we all know is 99% Windows. The average joe needs to be educated that using Windows is dangerous, period. If they happy click in other OSs it's not impossible to get "infected", but it's certainly much more difficult. Period.

    However, on the exploitation side, it's not really a Microsoft issue. It's hipsters writing crappy code in all languages who don't have the raw programming acumen to avoid things as basic as sql injections.

    Is it because of a dearth of talent in the labor pool? Possibly. It's sad to see companies having to hire hipster kids who are a whiz at using fb and twitter, but their only programming experience is completing a one month crash course in Rails. Until this changes and stakeholders realize that professional code can only be written by professionals, we'll be reading these types of stories for many years to come.

    Just keepin it real.

    1. Re:Call a spade a spade by Opportunist · · Score: 1

      The average Joe needs to be educated (by technology or the legal system) that his computer is his responsibility. You think people would stop clicking away any and all kinds of warning to see dancing bunnies if they had to use Linux or MacOS? If the latter had the 90% market share Windows enjoys today, we'd now have the same discussion with you complaining about how all those hipster Apple zealots are to blame for botnets.

      A system's security is the minimum of the capability of the system and the capability of its admin. Not the average. The MINIMUM thereof.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Call a spade a spade by Anonymous Coward · · Score: 0

      Most ppl run Windows.... Also there is no evidence that 99% of the bots are Windows.
      Windows is dangerous, and has a lot of flaws.... But other OSes can be just as dangerous.....
      It's just a target due to its large user base.

    3. Re:Call a spade a spade by Anonymous Coward · · Score: 0

      Right and using Windows made Synology's NAS easy to be hacked.

      Much more difficult my ass. Linux servers get pwned a lot too.

      Unless you know how to configure apparmor[1] or SELinux, Linux really isn't much more secure than Windows.

      [1] Do check the distro's defaults before assuming their defaults are secure enough for you.

  9. Stored in cleartext? by MoonlessNights · · Score: 5, Insightful

    How was this even possible? Passwords should NEVER be something you can steal since they shouldn't actually be stored as clear text (or even encrypted, for that matter).

    Hasn't it been common practice, for at least a decade, to store the passwords as a salted hash (using a unique salt for each user)?

    You shouldn't be able to steal a password since the site shouldn't have it.

    1. Re:Stored in cleartext? by Anonymous Coward · · Score: 0

      Unless one also knows / manages to acquire the salting algorithm. Salting is simply additional security "through obscurity" attempting to make existing rainbow tables useless.

    2. Re:Stored in cleartext? by Charliemopps · · Score: 1

      Not if you trick the end user into installing a key logger.
      I don't know if you work on PCs at all... I do. MOST people's computers are so heavily infected with malware that I don't even fix anything anymore. You bring your computer to me, I delete partitions, write 1's to every sector, then reinstall your OS. I've even started seeing boot sector viruses.

    3. Re:Stored in cleartext? by Anonymous Coward · · Score: 1

      Not a damn thing wrong with username password authentication.
      And you don't need two-factor authentication either (aka: govt and corps tracking your ass by your phone number for life).
      Although TOTP is ok for that where desired.

      The problem is with ADMINS who can't admin securely, and USERS who can't keep their box secure.
      And the sorry part about it is that keeping systems secure from crackers isn't that hard.
      I've been on the net for over 20 years and the only time any of my hundreds of systems were
      cracked is when I got lazy and let expendable-by-design systems in a DMZ get bent over
      from time to time mostly for the laughs.

      PS: You're a LOT more secure if you ditch that stupid Windows and run Unix.

    4. Re:Stored in cleartext? by MoonlessNights · · Score: 2

      Yes, that is exactly what it does. That isn't a problem and calling it "through obscurity" isn't correct since you don't need to hide the algorithm for this to work.

      Knowing the salting algorithm does not defeat this, at all (as you _can_ steal the salt). The point is that you would need to generate a rainbow table for each user since they each have unique salt. If you are going to do that, you might as well just try brute forcing them all as it would probably be faster.

    5. Re:Stored in cleartext? by MoonlessNights · · Score: 1

      So, you think that the problem is that they compromised the site in order to phish the user into installing a keylogger? That would actually explain how they could get the passwords, no matter how they are stored on the server, so it is an interesting interpretation of the article.

      I still think that it is a harder sell since it requires tricking millions of users into installing an exploit and hoping that they all use the site. If you were able to pull this off, stealing their password for the target site would be the least valuable thing you would have stolen.

      Of course, if you could get that much control over the actual site, you could probably mess with the login page to the point where you could effectively keylog in the JS, which would impact everyone who tried to log in.

      The details are too sparse to really tell which approach was used, if the article is actually legitimate.

    6. Re:Stored in cleartext? by SethJohnson · · Score: 2

      Keyloggers are certainly a popular way for collecting passwords on a malware-infected computer. Undoubtedly, some portion of this claimed collection would have been built off keylogging.

      The extortionists describing this password trove are claiming it was built by using compromised client computers to launch SQL injection attacks against servers where the computer's owner had an account. Such a strategy would allow the attackers access to injection vulnerabilities that are inaccessible to an unauthenticated visitor. Additionally, and perhaps more concerning, this type of attack would succeed against corporate intranets via employee computers connected via VPN.

      Using keyloggers alone might yield a few million passwords (depending on the size of the botnet), but to achieve a collection of a billion, the compromised machines would have to gather passwords not belonging to their owners.

    7. Re:Stored in cleartext? by Anonymous+Psychopath · · Score: 3, Interesting

      How was this even possible? Passwords should NEVER be something you can steal since they shouldn't actually be stored as clear text (or even encrypted, for that matter).

      Hasn't it been common practice, for at least a decade, to store the passwords as a salted hash (using a unique salt for each user)?

      You shouldn't be able to steal a password since the site shouldn't have it.

      It probably is hashes and not passwords. If they were the actual passwords, they'd be using them themselves instead of trying to sell them.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    8. Re:Stored in cleartext? by Anonymous Coward · · Score: 0

      Okay, so you're leaving ALL security to the discretion and diligence of admins? If there's a technology that mitigates the level of vulnerability associated with inferior security scheme + unavoidable human frailty (hint: two factor auth is such a technology), why not use it when it's available? It's called progress. At this rate, might as well stop using mobile phones and go back to land lines... or telegraph.

      Makes me wonder how much you actually know what you're talking about.

    9. Re:Stored in cleartext? by david_thornley · · Score: 1

      Thing is, AFAIK the hash is pretty useless by itself, so I wouldn't think the hashes would be salable. Besides, there are places that are run by people who don't know what they're doing who will store passwords in the clear. I suspect this every time I run into a length restriction on passwords (usually on financial sites, unfortunately).

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    10. Re:Stored in cleartext? by Rich0 · · Score: 1

      I still think that it is a harder sell since it requires tricking millions of users into installing an exploit and hoping that they all use the site. If you were able to pull this off, stealing their password for the target site would be the least valuable thing you would have stolen.

      No, you get people to install a keylogger period. You might have to hack into some site to do it, or maybe you hack directly into their computers, or maybe you send them an email with an exploit, or maybe you purchase a banner ad and embed an exploit.

      If you install a "keylogger" (more likely a rootkit that captures everything in every form submission with URLs as well as keyboard input and probably a whole lot more) on somebody's computer, you get their usernames and passwords for every site that they use. You don't have to touch the target site at all. Infect them with a keylogger from some random unsecure blog, and you can log into their highly-secured bank website.

    11. Re:Stored in cleartext? by budgenator · · Score: 1

      How was this even possible? Passwords should NEVER be something you can steal since they shouldn't actually be stored as clear text (or even encrypted, for that matter).

      Hasn't it been common practice, for at least a decade, to store the passwords as a salted hash (using a unique salt for each user)?

      You shouldn't be able to steal a password since the site shouldn't have it.

      The site doesn't have to have the creds for them to be stolen; it only needs to acknowledge that the creds are correct and you're logged in.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    12. Re:Stored in cleartext? by budgenator · · Score: 1

      It's not that there is really a length restriction in the database; it's just how the JavaScript they cut and pasted to verify the user input is set up. You really can't expect free JavaScript from Russian-hackers.ru not to have a few limitations.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  10. The fate of the Internet by blackbeak · · Score: 2

    Because of the ever increasing amounts of internet insecurity, shills paid to push corporate/government agendas and rebuke/dismiss detractors, "sock puppet" and AI posters, overzealous copyright take-down operations, pay-only access to verified (ie: useful) information, spamming, spoofing, bandwidth throttling, spying, tracking, personal information gathering, legal constraints and considerations, over-suspicion of anyone not 100% politically "correct" or aligned with power, agenda based "news", "echo effect" search results, and probably some other stuff I can't think of right now, the internet is quickly losing its ability to be much other than a channel for light entertainment.

    Has the internet hit its nadir? It's probably only a matter of time before e-commerce fails in a major way due to these security leaks. And it may also be way too late to be useful in organizing any type of real grassroots socio-political change. Let's just go watch cute kittens on YouTube.

    --
    Everything and its opposite is true. Get used to it.
    1. Re:The fate of the Internet by blackbeak · · Score: 2

      Gee, I just realized: How do I know that in 10 or 15 years cute kitten watching won't be linked to a mental disorder or something? Then, if my internet activity is ever reviewed, I'll be the worse for it! Damn! Even watching kitten videos isn't safe!

      --
      Everything and its opposite is true. Get used to it.
    2. Re:The fate of the Internet by sasparillascott · · Score: 1

      Far from its nadir at this point, but your post makes excellent points. It definitely seems to be getting worse at an accelerating rate.

      At what point of security breakdown do online roles/uses become unusable? My guess is that the credit card folks have seen a significant falloff in use (and collection of fees) due to the constant capture of people's credit card numbers, as an example - at some point that will become more pronounced.

      What is the point where enough people start clamoring for a "secure" (by the state of course) system to replace the "internet"? It's an interesting question, hopefully we don't get to see the answer to that - but the trajectory for online security is not heading in the right direction.

    3. Re:The fate of the Internet by Opportunist · · Score: 1

      The laws concerning internet security are in place, where we fail is executing them. As long as fines are petty change, security will be handled by accounting, not risk management.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:The fate of the Internet by idontgno · · Score: 1

      If watching cute adorable kitten videos is crazy, I don't want to be sane.

      Because, cute adorable kittens.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    5. Re:The fate of the Internet by Rich0 · · Score: 1

      The laws concerning internet security are in place, where we fail is executing them. As long as fines are petty change, security will be handled by accounting, not risk management.

      Writing secure software is hard though. Sure, projects like Chrome do a much better job of it than your typical corporate process automation application does. But, even Chrome has a steady stream of discovered vulnerabilities.

      I think the password is the real weakness here. We really need to get away from having them at all. You should have a two-factor module that itself demands a password and does all the authentication. The thing is we can't have every website out there provide their own, because I don't want to carry around 387 dongles. We really need an authentication standard so that people can buy a smartcard that has their credentials on it, and use it for everything. Then you have to figure out what to do with authentication between computer systems, such as having Gmail access your ISP mail via POP3 using regular polling.

      Security is hard. We could do better, but it is still only as strong as its weakest link.

  11. Good time to adopt a new protection technique by Anonymous Coward · · Score: 0

    A good reminder that organizations should consider adopting a storage technique that can protect against this.

    For dedicated servers, we've used a hardware dongle to store a key used to encrypt password databases. It can be a PITA to move the dongle when a server crashes, but mostly works well.

    For cloud services, you can leverage crypto techniques (PolyPasswordHasher) for protection. Migrating our existing password db over only took a few minutes and there doesn't seem to be any usability or performance downside.

    What's the excuse for widespread issues? Are pointy-haired bosses emphasizing TPS reports and making password database protection low priority?

    1. Re:Good time to adopt a new protection technique by Anonymous Coward · · Score: 0

      Yeah. Every sensitive task should be handled by hardware operating at a low level of abstraction. Systems will become less compact, for sure, but that's the only solution I can think of to make computing more secure [and private].

    2. Re:Good time to adopt a new protection technique by Anonymous Coward · · Score: 0

      Are pointy-haired bosses emphasizing TPS reports and making password database protection low priority?

      Yes. Many times over, yes.
      (Had to AC, sorry)

  12. proof? by Anonymous Coward · · Score: 1

    Just because something is written in the NYT does not mean it is true; I have seen no evidence to substantiate that claim.

  13. Now's a Good Time by Dave+Whiteside · · Score: 2

    to change all your passwords
    use something like KeePass or LastPass

    YMMV

    --
    who where what when now?
    1. Re:Now's a Good Time by sasparillascott · · Score: 1

      The article noted that many of the sites are still vulnerable to attack (and probably still being harvested of UserID/pword data).

      The KeePass (password manager) recommendation is probably the best - i.e. unique password for each website going forward.

  14. How could this be SQL Injection? by Anonymous Coward · · Score: 1

    I'm confused. If the hack is SQL injection, that would mean that the passwords were stored in clear text in the DB. Who the hell does that anymore?

    1. Re:How could this be SQL Injection? by Opportunist · · Score: 1

      You'd be surprised...

      But right afterwards is badly or not salted hashes, begging for a replay elsewhere. And that's still quite common.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:How could this be SQL Injection? by Anonymous Coward · · Score: 0

      Nah. They just need to use the same hashing algorithm SQL uses. The SQL implementation will then compare the newly minted hashed password to the hash of the original password in the DB and if they match then billy-bob is your uncle and you're in like flynn.

  15. Tech News Lag by Garisimo · · Score: 1

    Why is it I am hearing about this on Slashdot two days later than other news sites? I used to be able to count on breaking tech news to show up here first.

    -g-

    1. Re:Tech News Lag by Opportunist · · Score: 1

      Because /. is an aggregator. It's Reader's Digest, if you will. You come here for the news that is not so important to you, yet not unimportant enough that you'd want to miss it.

      If ITSEC is especially interesting to you, I think you might read some pages focusing on IT security. Of course, you won't hear about the latest events in IT court there, or hear about some new SoC toys.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. What the participants have to say in Vegas... by erikscott · · Score: 1

    ...stays in Vegas.

  17. Story without any information by Anonymous Coward · · Score: 2, Insightful

    This story seems to have no actual meat to it. They say that a lot of sites have been hacked, some big names, we knew this. Many sites are still vulnerable, we knew this. By not disclosing the sites you're making more people vulnerable, and it's bad for everyone. It's going to take something bad happening to someone to learn the importance of password security for themselves. Some people will never learn certain concepts unless they experience them for themselves.

    1. Re:Story without any information by Anonymous Coward · · Score: 0

      That is the age old debate. Which does more harm, alerting the general public (and other attackers in that public which would then target those sites) or alerting the companies and giving them time to plug the hole.

      There are valid arguments on both sides of the equation.

    2. Re:Story without any information by Anonymous Coward · · Score: 0

      How dare you call that story "no actual meat to it"?! There's the word "Russian" in it!

  18. OpenPGP + HTTPS (Enigform and Jiffy) by Anonymous Coward · · Score: 0

    Check out http://wiki.buanzo.org/index.php?n=Main.Wp-enigform-authentication

    WordPress Plugin for Enigform Authentication - Definitive Guide

    They also made an instant messenger called jiffie

  19. Where's the list? by Anonymous Coward · · Score: 0

    Where's the list of breached sites?

    1. Re:Where's the list? by Marxist+Hacker+42 · · Score: 1

      Doesn't exist, is my guess. This whole thing is extremely phishy "Send us your e-mail and password and we'll charge you $120/year to keep checking it against our database". At which point your e-mail and password gets added to the database.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  20. Is it an unfair generalisation to say that by easyTree · · Score: 1

    Within the phrase 'Russian crime ring', the last two words are redundant?

  21. What's one gotta do with the other? by Opportunist · · Score: 1

    What does an SQL injection have to do with the alleged weakness of username/password authentication?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:What's one gotta do with the other? by angel'o'sphere · · Score: 3, Interesting

      With an SQL injection you possibly can fetch the password out of the DB.

      You would be surprised how many databases for a certain business have a table called USERS with fields like uname, real_name, email, password ...

      By simply putting "something ; select password from USERS where uname = 'user'" you can enhance every input field of a website with the stuff behind the semicolon. Even if somehow you cause an error on the server it is possible that the html returned contains the password you are seeking.

      Or you add behind the semicolon " ; select * from Users sort by email first 1000" don't remember how 'paging works in SQL'. Replace the 'first 1000' with the appropriate statement.

      So instead of a list of items you are looking for on ebay, you have an additional bunch of text at the bottom of the list holding an extract of the USERS table.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    2. Re:What's one gotta do with the other? by Jason+Levine · · Score: 1

      If you are using mySQL, it would be "Select * from Users limit 1000". If you are using Microsoft SQL Server, it would be "Select top 1000 * from Users".

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    3. Re:What's one gotta do with the other? by MoonlessNights · · Score: 2

      Yeah, it is an odd article.

      It seems like they are talking about 2 real problems:
      1) SQL injection (which could be solved by only using prepared statements)
      2) storing cleartext passwords on the server (which could be solved by storing as hash with per-user salt)
      Both of these techniques have been old hat for around a decade so the real news is that so many sites could apparently be compromised this way (of course, the entire article sounds invented, so who knows if that is even true).

      The "alleged weakness of username/password authentication" seems to be just a "conclusion" they invented for click-bait purposes.

      I completely agree with you that their derivation makes no sense. These problems are independent of each other and neither directly implies the conclusion they want to state.
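      The two fixes MoonlessNights lists (prepared statements, per-user salted hashes), together with the salt/rainbow-table point made earlier in the "Stored in cleartext?" thread and the "a hacker can not log in using a hash code" point below, written out as an added example that is not code from this thread. It assumes PBKDF2-HMAC-SHA256 with a 16-byte random salt, an in-memory SQLite database, and a USERS table with the uname/password column names a poster mentioned; the iteration count is a constructed choice.

```python
"""Per-user salted password hashing behind parameterised SQL.

Added example (not code from the Slashdot thread). Assumptions: PBKDF2-HMAC-SHA256
with a 16-byte random salt, an in-memory SQLite database, and a USERS table with
the uname/password column names a poster mentioned. The iteration count is a
constructed choice; tune it to your own hardware.
"""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # constructed value, see module docstring


def hash_password(password, salt=None):
    """Return 'algo$iterations$salt_hex$digest_hex' for storage.

    Each call draws a fresh random salt, so two users with the same password
    get different records, and a precomputed (rainbow) table built for one
    user is useless against any other.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def create_db():
    """In-memory USERS table; the password column holds only hash records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (uname TEXT PRIMARY KEY, password TEXT NOT NULL)")
    return conn


def add_user(conn, uname, password):
    # Placeholders: uname and the hash record travel as bound data, not SQL text.
    conn.execute(
        "INSERT INTO USERS (uname, password) VALUES (?, ?)",
        (uname, hash_password(password)),
    )
    conn.commit()


def login(conn, uname, password):
    """Prepared-statement lookup, then salted-hash verification."""
    row = conn.execute("SELECT password FROM USERS WHERE uname = ?", (uname,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


def demo():
    """Exercise the points from the thread and report the outcomes."""
    conn = create_db()
    add_user(conn, "alice", "correct horse")  # constructed sample users
    add_user(conn, "bob", "correct horse")    # same password as alice
    alice_rec = conn.execute(
        "SELECT password FROM USERS WHERE uname = ?", ("alice",)
    ).fetchone()[0]
    bob_rec = conn.execute(
        "SELECT password FROM USERS WHERE uname = ?", ("bob",)
    ).fetchone()[0]
    # A uname containing SQL metacharacters is just an unknown username here,
    # because the query text never changes; only the bound value does.
    quoted_uname = "alice'; select password from USERS where uname = 'alice"
    return {
        # per-user salt: identical passwords, different stored records
        "same_password_distinct_records": alice_rec != bob_rec,
        "alice_ok": login(conn, "alice", "correct horse"),
        "alice_wrong": login(conn, "alice", "wrong horse"),
        # a stolen hash record is not the password and does not log in
        "hash_as_password": login(conn, "alice", alice_rec),
        "quoted_uname": login(conn, quoted_uname, "correct horse"),
        "row_count": conn.execute("SELECT COUNT(*) FROM USERS").fetchone()[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```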

    4. Re:What's one gotta do with the other? by Opportunist · · Score: 1

      And that only works with passwords but not with any other form of authentication?

      Actually, it's more likely that a well organized password database is more resilient against a replay attack than some half-baked solution that didn't get through a few decades of auditing.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:What's one gotta do with the other? by angel'o'sphere · · Score: 1

      Well, retrieving data you should not be able to retrieve, that is done via SQL injection.
      Ofc there are plenty of auth methods where SQL injections won't help, except if you get write access to the DB.
      E.g. the server could send a one time pin code to your mobile phone. But if I can change the phone number, it would send it to me. Given a short enough time frame, I could even change it back to the old number and you won't notice easily.
      Right now SQL injections are mainly used to retrieve data.
      But consider I can inject SQL to change an order from an online retailer. Suddenly he not only sends me a book and a CD but also a boat, a fridge and a plasma screen ...

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  22. well, duh ... by Anonymous Coward · · Score: 0

    > What do Black Hat security conference participants
    > have to say about that in Vegas

    Obviously, all passwords should be stored in Vegas.
    Because what happens in Vegas stays in Vegas.

    Security. That's how it works.

  23. I Wonder... by avgjoe62 · · Score: 1

    How many of those 1.2 billion passwords are "password"?

    --

    How come Slashdot never gets Slashdotted?

  24. Once again proven by Anonymous Coward · · Score: 0

    Once again proven that the IT community is not the bunch of geniuses that you guys like to paint yourselves up to be.

    1. Re:Once again proven by Anonymous Coward · · Score: 0

      The IT community gave up their claim to anything as soon as they allowed for-profit corporations to gain control of the landscape with their proprietary garbage.
      Stop supporting proprietary software. Once the landscape is open source, criminals will have a much harder time finding and using security flaws (gov't and corps are criminals too).

      You are a troll if you bring up heartbeat as a counterargument :P

  25. What web sites were compromised? by Anonymous Coward · · Score: 0

    So what exactly was compromised? This is so vague I can't figure out what actually happened.

    1. Re:What web sites were compromised? by Algae_94 · · Score: 1

      My guess is that thousands of crappy WordPress sites or something on that level were compromised. Nothing of any extreme value.

  26. Hash code != passwords by Anonymous Coward · · Score: 0

    Normal log in mechanisms do not store passwords, but instead store hash codes.
    A hacker can not log in using a hash code.
    A hacker can only log in using text that converts to a matching hash code.
    Good luck trying to figure that out.

  27. Probably Not A Result Of Offshoring But... by theshowmecanuck · · Score: 1

    I worked on a project at a telco a little under 10 years ago and much of the provisioning code was written in Moscow. I couldn't help but think even back then what would happen if Putin really got out of control. It was already apparent that he had overwhelming nostalgia for the CCCP. Sooner or later we'd be in some sort of conflict with him; was it really a good idea to allow this kind of software to go to a potential belligerent? Never mind code for financial and payment systems. Same with China. It probably isn't the case here, but maybe we should think about these things more.

    --
    -- I ignore anonymous replies to my comments and postings.
    1. Re:Probably Not A Result Of Offshoring But... by Anonymous Coward · · Score: 0

      It could be even worse:
      if the software had been written in the U S of - I fucking don't care about your privacy - A.

  28. Re:Now's a Good to monitor access by Technician · · Score: 1

    Most people with Gmail accounts are not familiar with the "Last Activity" on the lower right. Clicking "Details" will bring up a list of the recent IP addresses that accessed the account. Unless someone logs in and changes your password, you can monitor for unauthorised account access by checking the location and address of recent logins. I monitor my account. Some people would have no clue someone is regularly logging in to capture info. It even shows when two are logged in at the same time. Try it. Log in at work, and lock the screen. Go home and log in again. It will show the two as logged in.

    --
    The truth shall set you free!
  29. The delusion of security by omnix · · Score: 1

    This may be a hoax; but it is certainly not impossible for this sort of thing to happen.

    What governments and businesses need to know/do is:
    1) Understand that there is no such thing as ABSOLUTE security - every castle, system, etc. can (arguably will) be compromised. The dilemma is whether the cost/effort needed to compromise the system is worth the reward/gain.
    2) They should only keep the essential information - don't keep what you don't need. Besides, what they don't store can't be stolen - in the long-run it's cheaper for them and better for the user/customer. Legally speaking, businesses/agencies that store personal/private information are assuming a fiduciary duty to the customer/user - particularly in protecting their data.
    3) They should keep the data as atomic/discrete (i.e. separated) as possible. Instead of housing everything in one mega-database, user information should be kept separate from credentials (passwords), which should be kept separate from banking data, and that should be kept separate from transaction data.
    4) All data access should require credentials (certificates and/or passwords) - preferably, the credentials should only provide limited and/or one-time access to the data.
    5) Particularly sensitive information should be encrypted within the database, and all access should be logged on a separate system.
    6) Credentials and certificates should NEVER be stored on the same system they access.
    7) They should use randomly generated unique IDs for each segment of the data - preferably, these IDs should be changed on a regular basis (like passwords).
    8) Government issued ID numbers should only be used by the government agency that issued the ID, just like bank account or credit card numbers should only be used by the bank that issued them. Employers should NEVER use the employee's SSN, driver's license, bank info, etc as an employee ID.
    9) They should ONLY aggregate the data as needed (at transaction time) - if possible, they should even avoid having more than one segment within the same code.
    10) They should make an effort (i.e. spend time & money) to protect user/customer information data - like it was their own.
    A) They should have their entire system audited by certified external analysts - I wouldn't be opposed to (random) government audits of corporate data.
    B) They should spend more time and money resolving the issues/findings, and then have their systems audited again.
    C) They should also regularly update the system. Over time, the cost/effort to overcome any security system decreases while, in most cases, the value (i.e. gain) increases.
    11) If they aren't willing or able to spend the time/money to protect the data, then they should NOT be allowed to store personal data on their systems.
    12) If they do store a user's/customer's information, the user/customer should be able to request certified proof that the system was audited - to verify that their information is safe.
    13) All parties should utilize up to date encryption, virus/malware, and security technology to secure their and/or the customer's information.
    14) No matter how much effort/money is spent, there is no such thing as ABSOLUTE security.

    Personally, I believe that what most businesses are doing with customer's data is reprehensible - and should be outlawed. A person's private information is just that, PRIVATE. Outside of storing financial transactions, user's/customer's information shouldn't be kept to do market research/analysis. They certainly should not be able to profit off of the data - that's a violation of their fiduciary duty. If you think of every worker as a little private enterprise and their employer is effectively "the customer", imagine how much information each of us could collect from every "customer" we've had. Then imagine if every worker started analyzing and selling/sharing "trends" with other "private enterprises", or using that information for their personal benefit. How

  30. Even big companies are stupid by bradley13 · · Score: 1

    We recently changed our Internet service with Swisscom (details unimportant, but it involved installing a different router). I received a letter in the mail confirming the user name and password in plain text. The password hadn't changed - it is the same one that I chose years ago when we originally selected Swisscom as our ISP. Which, of course, means that they have not hashed the password, but have stored it in a retrievable fashion.

    Now, this is fairly minor, because the password isn't good for much beyond logging the router into the ISP. However, so many people use the same password for multiple things that it is still lousy security practice. When I challenged Swisscom about this, their explanation was that it enables them to provide better technical support. Meaning, I suppose, that lots of people forget their password, and this way they can be told what it is, rather than having to reset it.

    It's still lousy security practice, and pretty shocking from a major company.

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Even big companies are stupid by Anonymous Coward · · Score: 0

      When I challenged Swisscom about this, their explanation was that it enables them to provide better technical support.

      Nah it's so that others (e.g. The Authorities) can use those passwords assuming the passwords are reused on other sites.

      FWIW my ISP forces the use of a specific password for logging on to the ISP - e.g. account number + X. Don't think you can even change it.

      Which is why I never paid for the VOIP stuff ;).

  31. So who got hacked? by Anonymous Coward · · Score: 0

    As far as I am concerned, either post the list of sites that have been compromised, or STFU!

  32. In other words... by DiEx-15 · · Score: 1

    ...because Verizon can!

  33. Collected email addresses used for spam by rlh100 · · Score: 1

    Looks like they have started selling email addresses. I just got email from multiple spam runs for my email addresses from:
        netfirms.com
        joker.com
        sys-con.com
        mixonline.com
        livedesignonline.com

    Spam does not bother me so much. But the first two email addresses do. They are my domain registrars. So they have my account information and could change my domain registration. Time to change some passwords.

    RLH