Massive Russian Hack Has Researchers Scratching Their Heads

itwbennett writes Some security researchers on Wednesday said it's still unclear just how serious Hold Security's discovery of a massive database of stolen credentials really is. "The only way we can know if this is a big deal is if we know what the information is and where it came from," said Chester Wisniewski, a senior security advisor at Sophos. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at $120 per year.

Objection!

[alphatel]

"They decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at US$120 per year.

A Billion dollar security firm won't sign up for a $120 per year service to see the data behind the breach? It must be highway robbery unlike most AV products which charge the same $$$ per year for little in return.
In addition it seems the above quote neglected this portion of the article:

Individual consumers can find out through its identity protection service, which Hold Security says will be free for the first 30 days.

It's free and they still can't afford it? Sophos can't use a fraction of its 100,000 honeypot email accounts to sign up and see if it's legit?

Much like Hold Security, Sophos has displayed nothing but news-unworthy jabber.

Re:Objection!

I agree. I spent several years in the IT security arena before leaving for other IT pursuits. I started off as an investigator, then firewall engineer, then pen tester. Generally, most AV and security companies sell FUD to make their billions. I always tell my friends who continue to run Windows and Macs to create and use non-administrator accounts and surf the Web as a mortal user. This alone stops 90% of the crap out there, although some new stuff will install directly in the users' directory. Since Chrome can be installed w/o admin rights on most boxes, this has been problematic. More and more malware now installs with no goal of infecting the system, but rather wreaking havov within a user directory. Some of the ransomeware does this very thing.

Fact is, there should be a bounty on the heads of those people who author malware. If you are caught, you are executed. Full stop. Enough already. A fine and a couple of years in prison are not a deterrant. Let's start taking a page from China and Singapore's book, shall we. Or even some of the ME countries.

Cui bono

[s.petry]

Looking at who benefits is always a worthwhile pursuit. A company benefits, selling what appears to be FUD. US Government benefits because they have recently been blaming everything on Russia.

What is not happening? Nobody is going to jail over computer espionage act (or any other law allegedly violated). In fact there is no criminal investigation at all mentioned. No facts available to verify the alleged "stolen credentials", and the only way to even glimpse said data is to provide your information to some company that is an unknown in the security community.

I'll have to dig later, but I'm curious who the owner of this company is and who they are tied to. Surely a coincidence, but this comes out right after former NSA Director claims he's worth a million a month in consulting, working on over a dozen "IT Security" patents, all for his brand new private business. That may not be a rat, but sure has that "rodent" like smell to it.

At best, this is a company trying to profit off other people's pain. No thanks, I'm not buying anything they are selling.