Slashdot Mirror


Alleged Massive Account and Password Seizure By Russian Group

New submitter Rigodi (1000552) writes "The New York Times reported on August 5th that a massive collection of stolen email passwords and website accounts has been accumulated by an alleged Russian "crime ring". Over 1.2 billion accounts were compromised ... the attack scheme is essentially the old and well known SQL injection tactic using a botnet. The information has been made public to coincide with the Black Hat conference to cause a debate about the classic security account and password system weaknesses, urging the industry to find new ways to perform authentication. What do Black Hat security conference participants have to say about that in Vegas?"

30 of 126 comments

  1. Re:because writing propet software by AaronLS · · Score: 4, Funny

    Apparently writing itself is hard, much less writing propet software.

  2. Re:because writing propet software by AlCapwn · · Score: 2

    Or propet sentences, even.

  3. Is this me? by chinton · · Score: 3, Funny

    Or is the hacker that stole my /. credentials writing this post?

    1. Re:Is this me? by LordLimecat · · Score: 3, Informative

      Courts have ruled that it is not possible to steal something from yourself, so they are mutually exclusive.

  4. SQL Injection? by the+eric+conspiracy · · Score: 2

    Come on man

  5. Re:big whoop by timrod · · Score: 4, Informative

    The use is that you now have a database of 1.2 billion passwords that can be fed into a brute force cracker and used to make "educated guesses" to crack passwords.

  6. Hold on a second.. by jbmartin6 · · Score: 5, Interesting

    Of course, the company which reveals this offers a $120/month breach notification service so they have a strong incentive to exaggerate. I'm not saying we should immediately discount these claims but let's make sure our grain of salt is in there.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.

    1. Re:Hold on a second.. by s.petry · · Score: 3, Interesting

      That, and the loose use of numbers to make it look "skeery". Cracklib has a few million entries (add up all of the languages), and for years people have been accumulating pre-made hashes in numerous formats. I can hash "password" in CRYPT, MD5, SSHA, SSHA2, etc.. and now my 1 word has become at least 4 entries. The top 25 used passwords have now become "hundreds" of passwords. Surely that is an exaggeration, but it's not exactly a lie.

      I block way more brute force attacks out of China and the Middle East than I do Russia, but in all cases it is the same tools and methods.

      To claim that this is all the work of some mastermind criminal group in Russia is simply laughable propaganda, and ignores the fact that hackers have become global enterprises. It's easy for them to share data and tools, and they _do_ share data and tools. It's not like drug cartels that have to produce a commodity that requires land and manufacturing equipment (and people). There is more benefit for two hacking groups to share data than there is for two drug cartels to share turf. I'll guess that there are still some turf wars, but not nearly the same as with drug cartels.

      The only part I can agree with in TFA is that people don't know how to make strong passwords, and often lack the incentive to change their passwords frequently enough to stay ahead of the hackers. That's not a problem with Russia, but I'm sure this can result in yet another round of sanctions.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    2. Re:Hold on a second.. by Sqr(twg) · · Score: 2

      You mean:

      #1 Set up a website with 1.2 billion accounts.
      #2 Have Russian hackers crack your website.
      #3 Proclaim: "We have a list of 1.2 billion accounts that were compromised by Russian hackers. Pay us $120 if you want to know if you're affected."
      #4 Profit!

    3. Re:Hold on a second.. by Shadowhawk · · Score: 2

      From the TFA:
          At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.

      --
      My mind works like lightning. One brilliant flash and it is gone.

    4. Re:Hold on a second.. by s.petry · · Score: 2

      You don't need something like Google Authenticator to be secure. A strong 8 character password changed every 60 days would suffice. A hacker can know your account, but statistically speaking they would not be able to crack your password by the time you had a new password. Longer passwords are better, obviously, but should still be changed periodically to prevent a brute force attack from succeeding over time. It should go without saying that a Government would have additional processing power and could break it faster, but at the same time the majority of servers today rate throttle auth connections to reduce brute force attacks. The supercomputers help with a known hash, not necessarily when cracking into your bank account.

      Where strong passwords tend to break down is in key loggers, phishing, and broken protocols.

      For media, this too is also a solved problem. TrueCrypt, LUKS, BitLocker, and FileVault can mitigate the loss of a USB flash drive, an external hard disk, a laptop, or even drives out of a remote server (such as a RODC serving a branch office.)

      A company called Intemedia has a "Securisync" product that uses both at rest and in transit encryption. So I agree the problem is solved, some much better than others, and even with "Cloud" storage. Cost is the obvious blocking factor in most cases.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    5. Re:Hold on a second.. by s.petry · · Score: 2

      I agree, and pointed out that it's a statistics issue. No system is perfect, but to have several "strong" passwords is more secure in my opinion than having all your eggs in a single (Google Auth) basket.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    6. Re:Hold on a second.. by s.petry · · Score: 2

      Wait. Why would you need an AIX box or even permanent lockout? Answer: You don't need any such thing.

      Native Unix LDAP supports time duration locking, it does not have to be permanent, and works with all NSS_LDAP libraries. I have run Servers of all types and Linux clients of all flavors (AIX, Solaris, HP-UX, RHEL, Ubuntu, etc..) and never had to permanently ban accounts for well over a dozen years (Early implementations were not as good as later, but still worked very well).

      The majority of server side services (E.G. sshd) can idle for N seconds between auth attempts.

      Assuming your servers are running like they should, permanent lockout is never really needed. On LDAP Servers I generally configure the policy to lockout an account for 30 minutes, not permanently.

      You are never going to prevent all brute force attacks, and attempting to do so is idiocy. You want to deter them, which can be done in numerous ways. Stacking deterrence methods becomes extremely effective.

      Do you really think a hacker is going to try for a 4th attempt, see that the account is locked, and keep trying after that? The answer to that is Hell no, the hacker will move to the next target and hope it's easier. He may come back tomorrow and try again, but after seeing account locks they will quickly move on to easier prey. Easier prey is everywhere...

      Obviously deterrence won't fix everything, but there is no solution that is perfect. I can spoof biometric data as easily as brute force cracking passwords. I have found IPs trickling brute force attacks at extremely low rates, 1 every 4 hours for example. Your Auth subsystem does not find or fix these as much as having a good set of tools and admins that are monitoring what is happening in your environment.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
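
The time-limited lockout and the low-and-slow brute force that post 6 above describes, as an added example that is not code from the thread or from any product it mentions. It replays constructed sshd-style log lines through a per-account lockout that releases itself after 30 minutes (the post's LDAP policy), then looks for sources that fail too slowly to ever trip that lock. The threshold of 3 failures, the one-hour counting interval, the log line format and every log line are assumptions made here.

```python
# Added example, not code from the thread: self-expiring per-account lockout
# replayed over constructed sshd-style log lines, plus a check for sources that
# fail slowly enough to stay under the lockout threshold.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LOG_YEAR = 2014  # syslog lines carry no year; assumed so timestamps can be parsed

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: one source trickles one attempt every four hours, one
# hammers a single account within seconds, one legitimate login.
SAMPLE_LOG = [
    "Aug  5 00:10:03 gw sshd[9001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "Aug  5 04:10:19 gw sshd[9002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2",
    "Aug  5 08:09:51 gw sshd[9003]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2",
    "Aug  5 12:10:44 gw sshd[9004]: Failed password for invalid user admin from 198.51.100.7 port 40004 ssh2",
    "Aug  5 16:10:02 gw sshd[9005]: Failed password for invalid user admin from 198.51.100.7 port 40005 ssh2",
    "Aug  5 20:10:37 gw sshd[9006]: Failed password for invalid user admin from 198.51.100.7 port 40006 ssh2",
    "Aug  6 02:14:01 gw sshd[9100]: Failed password for root from 203.0.113.9 port 51001 ssh2",
    "Aug  6 02:14:09 gw sshd[9101]: Failed password for root from 203.0.113.9 port 51002 ssh2",
    "Aug  6 02:14:20 gw sshd[9102]: Failed password for root from 203.0.113.9 port 51003 ssh2",
    "Aug  6 02:14:40 gw sshd[9103]: Failed password for root from 203.0.113.9 port 51004 ssh2",
    "Aug  6 02:50:00 gw sshd[9104]: Failed password for root from 203.0.113.9 port 51005 ssh2",
    "Aug  6 09:00:12 gw sshd[9200]: Accepted password for alice from 192.0.2.5 port 50022 ssh2",
]


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Returns (time, "Failed"/"Accepted", account, source ip), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


class TemporaryLockout:
    """Lock an account after `threshold` failures inside `count_interval`; the
    lock expires by itself after `duration`, so no admin has to unlock anything."""

    def __init__(self, threshold: int = 3, duration: timedelta = timedelta(minutes=30),
                 count_interval: timedelta = timedelta(hours=1)) -> None:
        self.threshold, self.duration, self.count_interval = threshold, duration, count_interval
        self.recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.locked_until: Dict[str, datetime] = {}

    def is_locked(self, account: str, now: datetime) -> bool:
        until = self.locked_until.get(account)
        return until is not None and now < until

    def attempt(self, account: str, success: bool, now: datetime) -> str:
        """Outcome of one attempt: "locked" (rejected unchecked), "ok" or "failed"."""
        if self.is_locked(account, now):
            return "locked"
        window = self.recent_failures[account]
        if success:
            window.clear()
            return "ok"
        window.append(now)
        while window and now - window[0] > self.count_interval:
            window.popleft()  # failures older than the counting interval no longer count
        if len(window) >= self.threshold:
            self.locked_until[account] = now + self.duration
            window.clear()
        return "failed"


def replay(lines: List[str], policy: TemporaryLockout) -> List[Tuple[str, str, str]]:
    """Feed log lines through the policy; returns (account, source ip, outcome) per line."""
    outcomes = []
    for line in lines:
        event = parse_line(line)
        if event is not None:
            ts, result, account, ip = event
            outcomes.append((account, ip, policy.attempt(account, result == "Accepted", ts)))
    return outcomes


def find_trickle_sources(lines: List[str], min_failures: int = 5,
                         window: timedelta = timedelta(hours=48), max_per_hour: int = 1) -> List[str]:
    """Sources with at least `min_failures` failures inside `window` that never exceed
    `max_per_hour` in any one-hour span: invisible to the lockout, visible in aggregate."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is not None and event[1] == "Failed":
            by_ip[event[3]].append(event[0])
    flagged = []
    for ip, times in sorted(by_ip.items()):
        times.sort()
        if len(times) < min_failures or times[-1] - times[0] > window:
            continue
        peak = max(sum(1 for t in times if timedelta(0) <= t - start < timedelta(hours=1))
                   for start in times)
        if peak <= max_per_hour:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    for account, ip, outcome in replay(SAMPLE_LOG, TemporaryLockout()):
        print(f"{ip:>14} {account:<6} {outcome}")
    print("low-and-slow sources:", find_trickle_sources(SAMPLE_LOG))  # ['198.51.100.7']
```

The burst against `root` is rejected as "locked" on its fourth try and can try again only after the lock has expired, while the source failing once every four hours is never locked at all and only shows up in `find_trickle_sources`, which is the point the post makes about monitoring tools versus the auth subsystem alone.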

  7. Re:because writing propet software by RabidReindeer · · Score: 5, Funny

    The wisdom of the propets is written on the subway walls.

    And tenement halls.

  8. Re:Are the /. accounts affected ? by Buchenskjoll · · Score: 5, Funny

    I think the Anonymous Coward account is compromised. Look over his posts, it's mostly complete crap.

    --
    -- Make America hate again!

  9. Re:big whoop by wonkey_monkey · · Score: 4, Interesting

    a) Because hacking isn't just a case of having access to everything or nothing. What if you can only hack the password database, but you can't hack the system that those logins are used for?

    b) Because, lazy as people are, you now have some very likely candidate email/password combinations to try on all the systems you can't hack into.

    --
    systemd is Roko's Basilisk.

  10. Stored in cleartext? by MoonlessNights · · Score: 5, Insightful

    How was this even possible? Passwords should NEVER be something you can steal since they shouldn't actually be stored as clear text (or even encrypted, for that matter).

    Hasn't it been common practice, for at least a decade, to store the passwords as a salted hash (using a unique salt for each user)?

    You shouldn't be able to steal a password since the site shouldn't have it.

    1. Re:Stored in cleartext? by MoonlessNights · · Score: 2

      Yes, that is exactly what it does. That isn't a problem and calling it "through obscurity" isn't correct since you don't need to hide the algorithm for this to work.

      Knowing the salting algorithm does not defeat this, at all (as you _can_ steal the salt). The point is that you would need to generate a rainbow table for each user since they each have unique salt. If you are going to do that, you might as well just try brute forcing them all as it would probably be faster.

    2. Re:Stored in cleartext? by SethJohnson · · Score: 2

      Keyloggers are certainly a popular way for collecting passwords on a malware-infected computer. Undoubtedly, some portion of this claimed collection would have been built off keylogging.

      The extortionists describing this password trove are claiming it was built by using compromised client computers to launch SQL injection attacks against servers where the computer's owner had an account. Such a strategy would allow the attackers access to injection vulnerabilities that are inaccessible to an unauthenticated visitor. Additionally, and perhaps more concerning should be that this type of attack would succeed against corporate intranets via employee computers connected via VPN.

      Using keyloggers alone might yield a few million passwords (depending on the size of the botnet), but to achieve a collection of a billion, the compromised machines would have to gather passwords not belonging to their owners.

    3. Re:Stored in cleartext? by Anonymous+Psychopath · · Score: 3, Interesting

          How was this even possible? Passwords should NEVER be something you can steal since they shouldn't actually be stored as clear text (or even encrypted, for that matter).

          Hasn't it been common practice, for at least a decade, to store the passwords as a salted hash (using a unique salt for each user)?

          You shouldn't be able to steal a password since the site shouldn't have it.

      It probably is hashes and not passwords. If they were the actual passwords, they'd be using them themselves instead of trying to sell them.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

  11. The fate of the Internet by blackbeak · · Score: 2

    Because of the ever increasing amounts of internet insecurity, shills paid to push corporate/government agendas and rebuke/dismiss detractors, "sock puppet" and AI posters, overzealous copyright take-down operations, pay-only access to verified (ie: useful) information, spamming, spoofing, bandwidth throttling, spying, tracking, personal information gathering, legal constraints and considerations, over-suspicion of anyone not 100% politically "correct" or aligned with power, agenda based "news", "echo effect" search results, and probably some other stuff I can't think of right now, the internet is quickly losing its ability to be much other than a channel for light entertainment.

    Has the internet hit its nadir? It's probably only a matter of time before e-commerce fails in a major way due to these security leaks. And it may also be way too late to be useful in organizing any type of real grassroots socio-political change. Let's just go watch cute kittens on YouTube.

    --
    Everything and its opposite is true. Get used to it.

    1. Re:The fate of the Internet by blackbeak · · Score: 2

      Gee, I just realized: How do I know that in 10 or 15 years cute kitten watching won't be linked to a mental disorder or something? Then, if my internet activity is ever reviewed, I'll be the worse for it! Damn! Even watching kitten videos isn't safe!

      --
      Everything and its opposite is true. Get used to it.

  12. Now's a Good Time by Dave+Whiteside · · Score: 2

    to change all your passwords
    use something like KeePass or LastPass

    YMMV

    --
    who where what when now?

  13. Story without any information by Anonymous Coward · · Score: 2, Insightful

    This story seems to have no actual meat to it. They say that a lot of sites have been hacked, some big names, we knew this. Many sites are still vulnerable, we knew this. By not disclosing the sites you're making more people vulnerable, and it's bad for everyone. It's going to take something bad happening to someone to learn the importance of password security for themselves. Some people will never learn certain concepts unless they experience them for themselves.

  14. Re:because writing propet software by gweihir · · Score: 2

    Actually, why bother if nothing happens to those "losing" this data? Far cheaper not putting any protection in place.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  15. Re:What's one gotta do with the other? by angel'o'sphere · · Score: 3, Interesting

    With an SQL injection you possibly can fetch the password out of the DB.

    You would be surprised how many databases for a certain business have a table called USERS with fields like uname, real_name, email, password ...

    By simply putting "something ; select password from USERS where uname = 'user'" you can enhance every input field of a website with the stuff behind the semicolon. Even if somehow you cause an error on the server it is possible that the html returned contains the password you are seeking.

    Or you add behind the semicolon " ; select * from Users sort by email first 1000" don't remember how 'paging works in SQL'. Replace the 'first 1000' with the appropriate statement.

    So instead of a list of items you are looking for on ebay, you have an additional bunch of text at the bottom of the list holding an extract of the USERS table.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.

  16. Re:big whoop by Jason+Levine · · Score: 2

    Because if you can hack into a system and get a billion passwords, you can sell those to "interested parties" for a penny each and retire.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.

  17. Re:What's one gotta do with the other? by MoonlessNights · · Score: 2

    Yeah, it is an odd article.

    It seems like they are talking about 2 real problems:
    1) SQL injection (which could be solved by only using prepared statements)
    2) storing cleartext passwords on the server (which could be solved by storing as hash with per-user salt)
    Both of these techniques have been old hat for around a decade so the real news is that so many sites could apparently be compromised this way (of course, the entire article sounds invented, so who knows if that is even true).

    The "alleged weakness of username/password authentication" seems to be just a "conclusion" they invented for click-bait purposes.

    I completely agree with you that their derivation makes no sense. These problems are independent of each other and neither directly implies the conclusion they want to state.
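
The injection that post 15 walks through and the prepared-statement fix that post 17 names, side by side, as an added example that is not code from the thread. It runs an item search two ways against an in-memory SQLite database: once with the user's text pasted into the SQL, once with it bound as a parameter. The USERS table reuses the column names post 15 mentions, and the input tested is the exact string post 15 proposes typing into a field; the items table, its rows and the function names are constructed here.

```python
# Added example (not from the thread): the same search built by string
# concatenation and as a prepared statement, against an in-memory SQLite database.
import sqlite3
from typing import List

# The exact text post 15 suggests entering into an input field.
POST_PAYLOAD = "something ; select password from USERS where uname = 'user'"


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: a USERS table as post 15 describes and a few items."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE USERS(uname TEXT, real_name TEXT, email TEXT, password TEXT);
        INSERT INTO USERS VALUES ('user', 'Some User', 'user@example.com', 'plaintext-oops');
        CREATE TABLE items(name TEXT, price REAL);
        INSERT INTO items VALUES ('desk lamp', 19.99);
        INSERT INTO items VALUES ('O''Reilly Nutshell Handbook', 34.50);
    """)
    return conn


def search_items_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """Pastes the user's text into the statement, so the SQL parser sees whatever
    the user typed as SQL. This is the defect, kept here only for comparison."""
    sql = "SELECT name FROM items WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_items_safe(conn: sqlite3.Connection, term: str) -> List[str]:
    """Prepared statement: the SQL text is fixed and the term travels separately
    as a bound value, so it can only be compared against, never parsed."""
    sql = "SELECT name FROM items WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def input_reaches_sql_parser(conn: sqlite3.Connection, term: str) -> bool:
    """True when the concatenating version lets the input break the statement;
    the resulting server error is the symptom post 15 describes."""
    try:
        search_items_vulnerable(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = setup_db()
    print(search_items_safe(conn, "lamp"))               # ['desk lamp']
    print(search_items_safe(conn, "O'Reilly"))           # ["O'Reilly Nutshell Handbook"]
    print(search_items_safe(conn, POST_PAYLOAD))         # []  (just a literal search term)
    print(input_reaches_sql_parser(conn, "O'Reilly"))    # True
    print(input_reaches_sql_parser(conn, POST_PAYLOAD))  # True
```

Note that an ordinary name containing an apostrophe already breaks the concatenated query, which is why such errors in the application log are a good early warning that a site is building SQL this way; with the bound parameter both the apostrophe and the post's payload are simply text that matches nothing.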

  18. Re:Bears repeating by Opportunist · · Score: 2

    If the NSA now wanted to apologize their domestic spying with "but the others do it too", we should get off the high horse of "we're the shining beacon of freedom in this world", too.

    Have your cake or eat it. Either you're entitled to doing what the crooked states do, or you are entitled to look down your nose at them. Choose. You can't have both.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  19. Re:because writing propet software by Existential+Wombat · · Score: 2

    Writing proper sentances is also hard.

    So is spelling, apparently.