Slashdot Mirror


Massive Russian Hack Has Researchers Scratching Their Heads

itwbennett writes Some security researchers on Wednesday said it's still unclear just how serious Hold Security's discovery of a massive database of stolen credentials really is. "The only way we can know if this is a big deal is if we know what the information is and where it came from," said Chester Wisniewski, a senior security advisor at Sophos. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at $120 per year.


  1. Objection! by alphatel · · Score: 4, Interesting

    "They decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at US$120 per year.

    A Billion dollar security firm won't sign up for a $120 per year service to see the data behind the breach? It must be highway robbery unlike most AV products which charge the same $$$ per year for little in return.
    In addition it seems the above quote neglected this portion of the article:

    Individual consumers can find out through its identity protection service, which Hold Security says will be free for the first 30 days.

    It's free and they still can't afford it? Sophos can't use a fraction of its 100,000 honeypot email accounts to sign up and see if it's legit?

    Much like Hold Security, Sophos has displayed nothing but news-unworthy jabber.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    1. Re:Objection! by MightyMartian · · Score: 5, Insightful

      I'm getting pretty dubious of the entire claim. Some company wants to sell its security monitoring service, declares "we've got a huge database of stolen credentials, but we're not going to let you see it without paying up first, or at least signing up for a service that will bill you after 30 days."

      I call BS.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Objection! by Anonymous Coward · · Score: 5, Informative

      "They decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at US$120 per year.

      A Billion dollar security firm won't sign up for a $120 per year service to see the data behind the breach? It must be highway robbery unlike most AV products which charge the same $$$ per year for little in return.

      Hey dimwit, it's $120 per year per site company not for disclosure of the entire data set. This is a protection racket.

    3. Re:Objection! by Andor666 · · Score: 5, Insightful

      It sounds quite fishy because they ask for a 120$ subscription, not to let you access the data, but for a service that lets you know if you are affected by it or not.

      - Here, my 120$, what's going on with this?
      - You're not affected, goodbye.
      - But, hey!
      - You're not affected, goodbye.

    4. Re:Objection! by Anonymous Coward · · Score: 3, Interesting

      I agree. I spent several years in the IT security arena before leaving for other IT pursuits. I started off as an investigator, then firewall engineer, then pen tester. Generally, most AV and security companies sell FUD to make their billions. I always tell my friends who continue to run Windows and Macs to create and use non-administrator accounts and surf the Web as a mortal user. This alone stops 90% of the crap out there, although some new stuff will install directly in the users' directory. Since Chrome can be installed w/o admin rights on most boxes, this has been problematic. More and more malware now installs with no goal of infecting the system, but rather wreaking havoc within a user directory. Some of the ransomware does this very thing.

      Fact is, there should be a bounty on the heads of those people who author malware. If you are caught, you are executed. Full stop. Enough already. A fine and a couple of years in prison are not a deterrent. Let's start taking a page from China and Singapore's book, shall we? Or even some of the ME countries.

    5. Re:Objection! by CaptainDork · · Score: 2

      I'm with you on this. For individuals, the free version expires after 30 days AND they state that, because of the size of the data, it will take a while.

      My guess is a little more than 30 days.

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re:Objection! by myth24601 · · Score: 2

      If these people have knowledge of a crime, aren't they legally obligated to report it to law enforcement?

      Normally, one could claim no knowledge of a crime but in this case, they have announced that they have knowledge of crimes.

      --
      No matter where you go, there you are.
    7. Re:Objection! by Anonymous Coward · · Score: 3, Funny

      - But, hey, I have 649 passwords! Which one, what service?!?

      I got 99 passwords, but AC ain't one.

    8. Re:Objection! by multimediavt · · Score: 2

      If these people have knowledge of a crime, aren't they legally obligated to report it to law enforcement?

      Normally, one could claim no knowledge of a crime but in this case, they have announced that they have knowledge of crimes.

      Depends on the laws in their HQ location, but in most civilized nations this is called extortion by Hold Security. They are most likely in the cross hairs of law enforcement as I type this. If this turns out to be a bogus or inflated claim (like it smells) they could face some serious criminal and civil charges, regardless of what country they are in.

  2. Assume your credentials are in that database ... by Kardos · · Score: 5, Informative

    ... and change all of your passwords today. This is the best way to devalue the 'massive database'. Then sanitize your SQL queries!

  3. Not implausible by IamTheRealMike · · Score: 5, Informative

    More than 1B credentials does not sound implausible to me, though it's on the high end. You may be wondering why my opinion on this is more relevant than anyone else's, so let me explain.

    Although I left the company in January, for about 7.5 years I worked at Google and for ~3 of those years I worked on security and anti-spam related matters. Starting around April 2010 we started to see absolutely enormous numbers of compromised accounts sending spam to their contacts. This was not a problem that grew slowly. It went from zero to one gang compromising on the order of 100,000 accounts per day and that happened in the space of, it seemed, a few weeks. We learned about this problem through user complaints and by watching the flow of spam mails being reported to us via the "Report spam" button. We quickly realised this wasn't a Gmail specific problem but was simultaneously impacting Hotmail and Yahoo. Further investigation revealed that although this gang was capable of compromising ~100,000 accounts per day (more than one per second) this was the result of a 10-15% success rate for more like a million attempts per day: most account/password pairs they tried did not work. The reason was they were reversing password hashes stolen from third party websites using GPUs, and it turns out that people who use the same password everywhere make up (surprisingly) only about 10-15% of the user population. People suck less at security than you might imagine.

    When this problem first started we believed that such an enormous supply of credentials must surely be some kind of freak one off, the result of compromising an unusually large site. I mean; one million credentials every fucking day was an unimaginably vast pool of stolen passwords. But as the user complaints of being hacked failed to dry up we came to accept the horrible truth - this was not some freak one off but the result of some kind of production line of passwords. Most likely a combination of automated web crawls to discover vulnerable sites, semi-automated popping of those sites, farms of GPUs reversing the passwords and the resulting packages being sold on the black market to spammers who then abused them for bypassing spam filters (mail from contacts is whitelisted by any good spam filter). We only got occasional snapshots of this market, for example we were able to find adverts on Russian blackhat forums by people advertising lists of "washed" vs "unwashed" account/password lists for hotmail, gmail etc, but mostly it was opaque.

    Anyway, long story short, we formed a team that built a full blown risk analysis system for every single login (Google has a bajillion logins per second thanks to mail clients that poll Gmail and have to log in each time) and after several years of work managed to block logins with bulk-stolen passwords so successfully that they went away. But the underlying supply of passwords is still out there, and should those defences fall the problem would come back.

    I gave a talk about this and various other webmail abuse related topics at the RIPE 64 conference in Ljubljana (video link) in case anyone is interested in this. The slides are also available though lots of info from the talk is missing from them.
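
The pattern the post describes (one operator replaying a huge list of account/password pairs, with only 10-15% of them working) has a distinctive shape in login logs: a single source touching many different accounts with a low success rate, unlike a mail client re-authenticating to one mailbox or a person mistyping their own password. The following is an added example that scores sources for that shape; it is not Google's risk system or any code from the post, the thresholds are illustrative, and every log line is constructed for the example.

```python
"""Score login sources for the bulk stolen-credential replay pattern.

Added example. Looks for one source trying many distinct accounts with a low
success rate; all log lines below are constructed, IPs come from the RFC 5737
documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    accounts: Set[str] = field(default_factory=set)


def build_sample_log() -> str:
    """Constructed log, one "<ts> <src_ip> <account> <OK|FAIL>" line per login."""
    lines: List[str] = []
    # 198.51.100.9: 40 attempts against 40 different accounts, 5 succeed (12.5%),
    # the replay-and-see-what-sticks shape the post describes.
    for i in range(40):
        result = "OK" if i % 8 == 0 else "FAIL"
        lines.append(f"2014-08-06T10:{i:02d}:00 198.51.100.9 user{i:03d}@example.org {result}")
    # 192.0.2.10: a mail client polling one mailbox, 30 logins, all OK.
    for i in range(30):
        lines.append(f"2014-08-06T10:{i:02d}:30 192.0.2.10 bob@example.org OK")
    # 192.0.2.11: one person mistyping their password four times, then getting it right.
    lines += [f"2014-08-06T11:00:{s:02d} 192.0.2.11 carol@example.org FAIL" for s in range(4)]
    lines.append("2014-08-06T11:00:04 192.0.2.11 carol@example.org OK")
    return "\n".join(lines)


def parse_log(text: str) -> Dict[str, SourceStats]:
    """Aggregate attempts, successes and distinct accounts per source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, account, result = line.split()
        s = stats[src]
        s.attempts += 1
        s.accounts.add(account)
        if result == "OK":
            s.successes += 1
    return stats


def is_bulk_replay(s: SourceStats, min_attempts: int = 20,
                   min_distinct_ratio: float = 0.8,
                   max_success_rate: float = 0.3) -> bool:
    """True when a source spreads its attempts over many accounts and mostly fails.
    Thresholds are illustrative assumptions; tune them on real traffic."""
    if s.attempts < min_attempts:
        return False
    distinct_ratio = len(s.accounts) / s.attempts
    success_rate = s.successes / s.attempts
    return distinct_ratio >= min_distinct_ratio and success_rate <= max_success_rate


def flag_sources(text: str) -> List[str]:
    """Sorted list of source IPs whose login behaviour matches the replay shape."""
    return sorted(src for src, s in parse_log(text).items() if is_bulk_replay(s))


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, s in parse_log(SAMPLE_LOG).items():
        print(src, s.attempts, len(s.accounts), f"{s.successes / s.attempts:.0%}",
              "BULK-REPLAY" if is_bulk_replay(s) else "ok")
```

Only the attacker source is flagged: the polling mail client has 30 attempts against one account, and the mistyping user never reaches the attempt floor. The distinct-accounts-per-source ratio is one signal, not a system; an operator spreading a million attempts across many addresses forces aggregation over more dimensions than the source IP, which is what the per-login risk analysis the post describes had to do.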

    1. Re:Not implausible by s.petry · · Score: 2, Interesting

      Good write up, but you make a false claim.

      Anyway, long story short, we formed a team that built a full blown risk analysis system for every single login (Google has a bajillion logins per second thanks to mail clients that poll Gmail and have to log in each time) and after several years of work managed to block logins with bulk-stolen passwords so successfully that they went away.

      Um, no you/they didn't. I work at an ISP, smaller than Google, and am constantly blocking various attacks. Every time one method gets blocked, we find new ones. Yes, this is for IMAP/POP over SSL just like Google (and I block numerous other attacks because we provide numerous services).

      You may have stopped many of the attacks, or even most of the attacks, but not _all_ attacks. The most difficult to block are the attacks by Governments, and you can tell they are Governments by the complexity of attacks and amount of resources used in these attacks.

      Script kiddies are easy to block, but real hackers are changing tactics as often as we find them and block them. If the real hackers find a method that works, the method will eventually get migrated to the Script Kiddie toolkit.

      --
      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    2. Re:Not implausible by IamTheRealMike · · Score: 4, Informative

      I didn't make a false claim. You quoted me saying we stopped bulk stolen password based attacks like the ones I described, and then proceeded to argue with a statement I never made (that we stopped all attacks).

      To clarify, the attacks I'm talking about are ones where the attacker has a large list of passwords (in the order of hundreds of thousands of passwords or more) and try the password to see if it matches. If it does they log in, if it doesn't they give up and try the next one. Government sponsored attacks tend to care an awful lot about a small set of targets which is the exact opposite.

      Google was able to stop these attacks so effectively the people behind them gave up, and there was a large but not infinite number of people who were carrying out such attacks, so eventually they became no longer a real issue for the userbase. Note that our competitors (with the notable exception of Facebook) were NOT able to do this, so if a small ISP struggles to do it too, that would not be very surprising.

    3. Re:Not implausible by Anonymous Coward · · Score: 2, Insightful

      Trivial to prevent:

      a) delay 401 responses to incorrect logins for 15 seconds
      b) immediate 409 error if another thread tries to login while inside the 15 second window (see 'a' above), whether the password is correct or not.
      c) deactivate accounts after XX unsuccessful logins (pick any value of XX)
      d) make user validate themselves to unlock an account, or auto-unlock after YY minutes (pick any value for YY).

      I don't know why people think their website should aid-and-abet a bot swarm by allowing umpteen-million failed login attempts (brute forcing) in minutes. The point is to stall the bot-swarm so that it effectively makes no progress on their password brute forcing attempts.
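
Rules (a) through (d) above describe a small state machine per account. The following is an added example that implements them; it is not code from the comment. Time is passed in as `now` (seconds) so the 15-second window can be exercised without sleeping, the 423 (Locked) status for a deactivated account is this example's choice (the comment names only 401 and 409), and `MAX_FAILURES` and `UNLOCK_AFTER` stand in for the XX and YY the commenter leaves open.

```python
"""Per-account login throttle implementing rules (a)-(d) from the comment above.

Added example. `now` is injected so the delay window is testable without
sleeping; 423 for a deactivated account is an assumption of this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

FAIL_DELAY = 15.0        # (a) seconds a failed login's 401 is held back
MAX_FAILURES = 5         # (c) "XX": consecutive failures before deactivation (assumed value)
UNLOCK_AFTER = 10 * 60   # (d) "YY": seconds until automatic unlock (assumed value)


@dataclass
class AccountState:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    busy_until: float = 0.0            # end of the running (a) window; (b) refuses attempts inside it
    locked_at: Optional[float] = None  # set when (c) deactivates the account


class LoginGuard:
    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = AccountState(salt, self._hash(password, salt))

    def unlock(self, name: str) -> None:
        """(d) manual path: the user has validated themselves out of band."""
        acct = self.accounts[name]
        acct.locked_at = None
        acct.failures = 0

    def attempt(self, name: str, password: str, now: float) -> int:
        """HTTP status the login endpoint answers with at time `now`.
        A 401 is released at acct.busy_until rather than immediately (rule a)."""
        acct = self.accounts.get(name)
        if acct is None:
            return 401                            # unknown account answered like a wrong password
        if acct.locked_at is not None and now - acct.locked_at >= UNLOCK_AFTER:
            self.unlock(name)                     # (d) automatic unlock after YY
        if acct.locked_at is not None:
            return 423                            # (c) still deactivated
        if now < acct.busy_until:
            return 409                            # (b) refused inside the window, right password or not
        if hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return 200
        acct.failures += 1
        acct.busy_until = now + FAIL_DELAY        # (a) stall this 401 for 15 seconds
        if acct.failures >= MAX_FAILURES:
            acct.locked_at = now                  # (c) deactivate after XX failures
            return 423
        return 401


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "correct horse battery staple")   # constructed credentials
    t = 0.0
    for pw in ["wrong", "correct horse battery staple", "correct horse battery staple"]:
        print(f"t={t:5.1f} {pw!r:34} -> {guard.attempt('alice', pw, t)}")
        t += 7.5
```

Walking it through: a wrong password at t=0 earns a stalled 401 and opens the window, the correct password at t=7.5 is refused with 409 because it arrived inside that window, and the same correct password at t=15 succeeds. Two caveats a practitioner should keep in mind: per-account stalling gives anyone who knows a username a lever to keep its owner out (rule d's unlock path is what bounds that), and it does nothing against the cross-account pattern from the earlier post, where each account sees one attempt, so it belongs beside per-source limits rather than in place of them.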

    4. Re:Not implausible by s.petry · · Score: 2

      block logins with bulk-stolen passwords so successfully that they went away.

      Maybe English is not your first language, but I doubt that to be true. That statement at least implies that Google no longer suffers from brute force attacks.

      You then reinforce that same false claim in the post I'm commenting to now.

      Google was able to stop these attacks so effectively the people behind them gave up

      No, they didn't. You may have deterred a lot of them, but I'd bet a year's salary that Google still experiences a measurable number of attacks every day.

      Look, I freely admit that huge leaps can be made with security. I have worked in IT Security for a quarter century. Neither you nor Google can do what nobody else in the market can do and make hackers simply go away. The amount of attacks, even with exceptional security, will always be proportional to the size of your internet footprint, so Google is attacked a whole lot.

      I'm not trying to knock you, or the progress Google made. I'm simply pointing out that the verbiage used is making a false claim. Reducing attacks by 99% is reasonable, reducing 100% is impossible. The only way to get 100% threat reduction is to isolate the host away from outside connectivity.

      --
      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  4. Alternatively... by jd · · Score: 2

    Assume they cracked the NSA backdoor default password and can now access everything on every computer not running a hardened operating system. In other words, everything, whether you change your passwords or not. Further, assume they have remote access via UEFI to every motherboard built in the past year.

    You might as well, that level of access has been built into modern technology, if this group hasn't figured it out, someone will. Or maybe already has.

    We live in an age where technology is insecure by design. You can either abandon all hope (my preferred option) or you can adjust your approach to not depend on external security.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Alternatively... by jones_supa · · Score: 3, Informative

      That is possible, but for now, never has a "universal backdoor for the government" been provably found in an OS or a firmware. NSA has probably snuck a lot of trojan hardware and software into individually targeted devices, though.

    2. Re:Alternatively... by Aighearach · · Score: 2

      never has a "universal backdoor for the government" been provably found in an OS or a firmware

      That's because nobody will admit to the hardware backdoors that have been found, not because none have been found. Take out the words "for the government" and it instantly stops being true.

  5. Cui bono by s.petry · · Score: 4, Interesting

    Looking at who benefits is always a worthwhile pursuit. A company benefits, selling what appears to be FUD. US Government benefits because they have recently been blaming everything on Russia.

    What is not happening? Nobody is going to jail over computer espionage act (or any other law allegedly violated). In fact there is no criminal investigation at all mentioned. No facts available to verify the alleged "stolen credentials", and the only way to even glimpse said data is to provide your information to some company that is an unknown in the security community.

    I'll have to dig later, but I'm curious who the owner of this company is and who they are tied to. Surely a coincidence, but this comes out right after former NSA Director claims he's worth a million a month in consulting, working on over a dozen "IT Security" patents, all for his brand new private business. That may not be a rat, but sure has that "rodent" like smell to it.

    At best, this is a company trying to profit off other people's pain. No thanks, I'm not buying anything they are selling.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  6. Wouldn't give them a dime by forgottenusername · · Score: 4, Insightful

    Either they're in on the theft somehow, or they're a totally unethical company trying to extort people. No trustworthy security vendor would withhold information about sites that are compromised from the site operators.

    I think it's just a marketing ploy personally. "You may have already won! Contact us for details ($1.99 a minute)".

    Regardless, they're on my list of companies to never do business with in any way. I