Slashdot Mirror


Massive Russian Hack Has Researchers Scratching Their Heads

itwbennett writes Some security researchers on Wednesday said it's still unclear just how serious Hold Security's discovery of a massive database of stolen credentials really is. "The only way we can know if this is a big deal is if we know what the information is and where it came from," said Chester Wisniewski, a senior security advisor at Sophos. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at $120 per year.

5 of 102 comments

  1. Objection! by alphatel · · Score: 4, Interesting

    "They decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at US$120 per year.

    A billion-dollar security firm won't sign up for a $120 per year service to see the data behind the breach? It must be highway robbery, unlike most AV products which charge the same $$$ per year for little in return.
    In addition, it seems the above quote neglected this portion of the article:

    Individual consumers can find out through its identity protection service, which Hold Security says will be free for the first 30 days.

    It's free and they still can't afford it? Sophos can't use a fraction of its 100,000 honeypot email accounts to sign up and see if it's legit?

    Much like Hold Security, Sophos has displayed nothing but news-unworthy jabber.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    1. Re:Objection! by Anonymous Coward · · Score: 3, Interesting

      I agree. I spent several years in the IT security arena before leaving for other IT pursuits. I started off as an investigator, then firewall engineer, then pen tester. Generally, most AV and security companies sell FUD to make their billions. I always tell my friends who continue to run Windows and Macs to create and use non-administrator accounts and surf the Web as a mortal user. This alone stops 90% of the crap out there, although some new stuff will install directly in the user's directory. Since Chrome can be installed w/o admin rights on most boxes, this has been problematic. More and more malware now installs with no goal of infecting the system, but rather wreaking havoc within a user directory. Some of the ransomware does this very thing.

      Fact is, there should be a bounty on the heads of those people who author malware. If you are caught, you are executed. Full stop. Enough already. A fine and a couple of years in prison are not a deterrent. Let's start taking a page from China and Singapore's book, shall we? Or even some of the ME countries.

  2. we offered a similar service, it costs to operate by raymorris · · Score: 1, Interesting

    A billion-dollar security firm won't sign up for a $120 per year service to see the data behind the breach? It must be highway robbery, unlike most AV products which charge the same $$$ per year for little in return.

    Indeed, we used to operate a similar service, and many companies were excited to sign up at just $49 / year. Often, the bad guys get the entire password database, so being alerted to that right away is valuable. I designed our system many years ago and it was somewhat expensive to operate. Crackers compromise new sites every day, so you have to be constantly finding and processing newly compromised accounts. Over time, it became more costly to cover a smaller percentage of compromised accounts, so we advised more and more sites not to buy it, until at some point we just stopped offering the service pending a redesign.

    Using different types of resources that are available now, it's possible to run such a system more efficiently. I have a design in mind, but I haven't implemented it yet. If I do, it will likely be priced pretty close to $120 / year. We won't make crazy profits at that price point because it'll cost us $2,800 / year to operate. We'll need about 25 sites to sign up just to break even, and that doesn't include the time spent developing the new system. For a site with $300,000 / year in revenue, $120 will be a great value. For a site with $3,000 / year in revenue, it wouldn't make sense for them to get it.

  3. Re:Not implausible by s.petry · · Score: 2, Interesting

    Good write-up, but you make a false claim.

    Anyway, long story short, we formed a team that built a full blown risk analysis system for every single login (Google has a bajillion logins per second thanks to mail clients that poll Gmail and have to log in each time) and after several years of work managed to block logins with bulk-stolen passwords so successfully that they went away.

    Um, no you/they didn't. I work at an ISP, smaller than Google, and am constantly blocking various attacks. Every time one method gets blocked, we find new ones. Yes, this is for IMAP/POP over SSL just like Google (and I block numerous other attacks because we provide numerous services).

    You may have stopped many of the attacks, or even most of the attacks, but not _all_ attacks. The most difficult to block are the attacks by Governments, and you can tell they are Governments by the complexity of attacks and amount of resources used in these attacks.

    Script kiddies are easy to block, but real hackers are changing tactics as often as we find them and block them. If the real hackers find a method that works, the method will eventually get migrated to the Script Kiddie toolkit.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
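The kind of per-source-address login screening the two comments above argue about, as an added example (not code from any commenter or from Google or the ISP mentioned): it parses constructed Dovecot-style imap-login lines and separates a bulk-stolen-password replay (many different accounts, one try each, from one address) from a single-account brute force. The log format, the sample data and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed Dovecot-style imap-login lines (sample data, not taken from the page).
SAMPLE_LOG = """\
Aug 06 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=203.0.113.10
Aug 06 10:00:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=203.0.113.10
Aug 06 10:00:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<carol>, rip=203.0.113.10
Aug 06 10:00:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<dave>, rip=203.0.113.10
Aug 06 10:00:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<erin>, rip=203.0.113.10
Aug 06 10:00:06 mail dovecot: imap-login: Disconnected (auth failed, 5 attempts): user=<frank>, rip=198.51.100.7
Aug 06 10:00:07 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=192.0.2.5
Aug 06 10:00:08 mail dovecot: imap-login: Login: user=<alice>, rip=192.0.2.5
"""

# Assumed line shape: a successful "Login:" or a "Disconnected (auth failed, N attempts)".
LINE_RE = re.compile(
    r"imap-login: (?:Login|Disconnected \(auth failed, (?P<n>\d+) attempts\)): "
    r"user=<(?P<user>[^>]*)>, rip=(?P<ip>[\d.]+)"
)

def parse_log(text):
    """Per source IP: total failed attempts and the set of usernames that failed."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("n") is None:   # unparsable, or a successful login
            continue
        rec = stats[m.group("ip")]
        rec["failures"] += int(m.group("n"))
        rec["users"].add(m.group("user"))
    return stats

def classify(stats, min_failures=5):
    """'stuffing': failures spread over many accounts (a stolen list being replayed);
    'bruteforce': failures concentrated on few accounts; 'ok': below the threshold."""
    labels = {}
    for ip, rec in stats.items():
        failures, distinct = rec["failures"], len(rec["users"])
        if failures < min_failures:
            labels[ip] = "ok"
        elif distinct / failures >= 0.5:   # assumed ratio: most failures hit a new account
            labels[ip] = "stuffing"
        else:
            labels[ip] = "bruteforce"
    return labels

def suspicious_ips(text, min_failures=5):
    """Only the addresses that crossed the threshold, with their label."""
    return {ip: lab for ip, lab in classify(parse_log(text), min_failures).items() if lab != "ok"}
```

A legitimate user who mistypes once and then logs in (192.0.2.5 above) stays below the threshold, which is the false-positive case any such rule has to tolerate.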

  4. Cui bono by s.petry · · Score: 4, Interesting

    Looking at who benefits is always a worthwhile pursuit. A company benefits, selling what appears to be FUD. US Government benefits because they have recently been blaming everything on Russia.

    What is not happening? Nobody is going to jail over computer espionage act (or any other law allegedly violated). In fact there is no criminal investigation at all mentioned. No facts available to verify the alleged "stolen credentials", and the only way to even glimpse said data is to provide your information to some company that is an unknown in the security community.

    I'll have to dig later, but I'm curious who the owner of this company is and who they are tied to. Surely a coincidence, but this comes out right after the former NSA Director claims he's worth a million a month in consulting, working on over a dozen "IT Security" patents, all for his brand new private business. That may not be a rat, but it sure has that "rodent" like smell to it.

    At best, this is a company trying to profit off other people's pain. No thanks, I'm not buying anything they are selling.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.