Hackers Steal Passwords... again!
Regular Dakkanaut





Welp this sucks again.
http://finance.yahoo.com/news/russian-gang-amasses-over-billion-201533714.html

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses, security researchers say.





The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.

Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”

There is worry among some in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant Target by hackers in Eastern Europe.

And in October, federal prosecutors said an identity theft service in Vietnam managed to obtain as many as 200 million personal records, including Social Security numbers, credit card data and bank account information from Court Ventures, a company now owned by the data brokerage firm Experian.

But the discovery by Hold Security dwarfs those incidents, and the size of the latest discovery has prompted security experts to call for improved identity protection on the web.

“Companies that rely on usernames and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at Gartner, the research firm. “Until they do, criminals will just keep stockpiling people’s credentials.”

Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers.

So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.

But selling more of the records on the black market would be lucrative.

While a credit card can be easily canceled, personal credentials like an email address, Social Security number or password can be used for identity theft. Because people tend to use the same passwords for different sites, criminals test stolen credentials on websites where valuable information can be gleaned, like those of banks and brokerage firms.

Like other computer security consulting firms, Hold Security has contacts in the criminal hacking community and has been monitoring and even communicating with this particular group for some time.

The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are believed to be in Russia.

“There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”

They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity. Mr. Holden surmised they partnered with another entity, whom he has not identified, that may have shared hacking techniques and tools.

Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as a SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.

“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.

By July, criminals were able to collect 4.5 billion records — each a username and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.

“Most of these sites are still vulnerable,” said Mr. Holden, emphasizing that the hackers continue to exploit the vulnerability and collect data.

Mr. Holden said his team had begun alerting victimized companies to the breaches, but had been unable to reach every website. He said his firm was also trying to come up with an online tool that would allow individuals to securely test for their information in the database.

The disclosure comes as hackers and security companies gathered in Las Vegas for the annual Black Hat security conference this week. The event, which began as a small hacker convention in 1997, now attracts thousands of security vendors peddling the latest and greatest in security technologies. At the conference, security firms often release new research — to land new business, discuss with colleagues or simply for bragging rights.

Yet for all the new security mousetraps, data security breaches have only gotten larger, more frequent and more costly. The average total cost of a data breach jumped 15 percent this year from last year, to $3.5 million per breach, from $3.1 million, according to a joint study last May, published by the Ponemon Institute, an independent research group, and IBM.

Last February, Mr. Holden also uncovered a database of 360 million records for sale, which were collected from multiple companies.

“The ability to attack is certainly outpacing the ability to defend,” said Lillian Ablon, a security researcher at the RAND Corporation. “We’re constantly playing this cat and mouse game, but ultimately companies just patch and pray.”

Nicole Perlroth reported from San Francisco and David Gelles from New York City

   
Decrepit Dakkanaut






Jebus..they're going to buy a small island in the Pacific.

Proud Member of the Infidels of OIF/OEF
No longer defending the US Military or US Gov't. Just going to ""**feed into your fears**"" with Duffel Blog
Did not fight my way up on top the food chain to become a Vegan...
Warning: Stupid Allergy
Once you pull the pin, Mr. Grenade is no longer your friend
DE 6700
Harlequin 2500
RIP Muhammad Ali.

Jihadin, Scorched Earth 791. Leader of the Pork Eating Crusader. Alpha


 
   
Kid_Kyoto






Probably work

So people have been doing the same thing they've been doing for about 15 years to rip off passwords? Stop the presses.

Seriously though, the most noteworthy thing here is that SQL injection is still even a problem. We have pretty easy ways of fixing that. I can't help but wonder what lowest bidders they're getting to write this stuff such that "SELECT * FROM table WHERE customer_name = " + thisIsAReallyBadIdea is even a thing anymore.

This message was edited 1 time. Last update was at 2014/08/06 06:06:53


Assume all my mathhammer comes from here: https://github.com/daed/mathhammer 
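The concatenation pattern daedalus complains about, next to the parameterized form that fixes it, as an added Python example that is not part of the thread; the in-memory customer table and its rows are constructed for the illustration:

```python
import sqlite3

# Constructed sample data (not from the article): a tiny customer table.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (customer_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, customer_name: str) -> list:
    """The pattern criticised in the post: the user-supplied value is glued
    into the SQL text, so the database parses whatever was typed as query
    syntax rather than as data."""
    query = (
        "SELECT customer_name, email FROM customer WHERE customer_name = '"
        + customer_name
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, customer_name: str) -> list:
    """Hardened form: the value is bound as a parameter, so the query text is
    fixed and the input can only ever be compared as a string."""
    query = "SELECT customer_name, email FROM customer WHERE customer_name = ?"
    return conn.execute(query, (customer_name,)).fetchall()


def compare(customer_name: str) -> tuple:
    """Return (rows from concatenated query, rows from parameterized query)
    for the same input, so the difference in behaviour is visible."""
    conn = make_db()
    return (
        len(lookup_concatenated(conn, customer_name)),
        len(lookup_parameterized(conn, customer_name)),
    )


if __name__ == "__main__":
    # A benign name behaves the same either way; the classic quote-and-OR
    # input makes the concatenated query match every row.
    print(compare("alice"))
    print(compare("x' OR '1'='1"))
```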
   
Hallowed Canoness





The Void

http://map.ipviking.com/

Sounds like people need to start doing something more in the way of proactive defense. I bet good money would be paid for such things.

I beg of you sarge let me lead the charge when the battle lines are drawn
Lemme at least leave a good hoof beat they'll remember loud and long


SoB, IG, SM, SW, Nec, Cus, Tau, FoW Germans, Team Yankee Marines, Battletech Clan Wolf, Mercs
DR:90-SG+M+B+I+Pw40k12+ID+++A+++/are/WD-R+++T(S)DM+ 
   
Kid_Kyoto






Probably work

Also, the article doesn't do a good job of explaining whether the password is actually the password, or if it's a salted hash of the password.

The first one is bad. The second one? Well, it still SOUNDS scary, to someone... I guess. Not nearly as useful. You'd be cracking a SHA-512 hash on 1.2 billion passwords until the end of days.

   
[DCM]
Moustache-twirling Princeps





Gone-to-ground in the craters of Coventry

 daedalus wrote:
Also, the article doesn't do a good job of explaining whether the password is actually the password, or if it's a salted hash of the password.

The first one is bad. The second one? Well, it still SOUNDS scary, to someone... I guess. Not nearly as useful. You'd be cracking a SHA-512 hash on 1.2 billion passwords until the end of days.
That's what botnets are for.
Amongst other things.

[Edit]

This message was edited 1 time. Last update was at 2014/08/06 15:07:16


6000 pts - Harlies: 1000 pts - 4000 pts - 1000 pts - 1000 pts DS:70+S+G++MB+IPw40k86/f+D++A++/cWD64R+T(T)DM+
IG/AM force nearly-finished pieces: http://www.dakkadakka.com/gallery/images-38888-41159_Armies%20-%20Imperial%20Guard.html
"We don't stop playing because we grow old; we grow old because we stop playing." - George Bernard Shaw (probably)
Clubs around Coventry, UK https://discord.gg/6Gk7Xyh5Bf 
   
Kid_Kyoto






Probably work

How do you presume they use the botnets for cracking hashed passwords? I mean, yeah, you might be able to make that work as some sort of distributed computing project if you knew what your target result looked like, but if you knew that, you wouldn't be trying crypto anyway, you'd just use the password. As it stands, the only thing you can really do with a properly hashed password is basically nothing.

Seriously, programmers who don't at least cover these basics on anything mission critical/financial related should be found criminally negligent.

   
Fixture of Dakka






The issue is adobe's framework had its source code stolen. So the hackers can see the uncompiled code and identify all the exploits. Adobe has no idea what these exploits are in their own code until someone identifies them. The framework is flawed, not the developer's code.

Adobe Coldfusion is garbage and due to holes in the code, you can access direct file system and OS APIs simply by having unpatched CF (and possibly patched because the exploits are unknown)

A year ago, a hot vulnerability was in the wild for 7 weeks before adobe patched it, and most adobe customers don't patch. I could basically go to any adobe CF site on the internet, and regardless of your code, upload a trojan page which roots your entire server via a nice easy gui. 70k US government sites were exploited.

The issue is these hackers, who have the source code have *MORE* exploits like this which they are keeping under wraps so adobe can't fix them. They are using those exploits to mine resources and have companies 'PAY' them to confirm if you were exploited and tell you how to fix your app. They figure people will pay the extortion money.

Adobe has no intention of fixing or supporting coldfusion. All you can do is simply refuse to use any site running either on Adobe CF or adobe CMS platforms.


Automatically Appended Next Post:
 daedalus wrote:
Also, the article doesn't do a good job of explaining whether the password is actually the password, or if it's a salted hash of the password.

The first one is bad. The second one? Well, it still SOUNDS scary, to someone... I guess. Not nearly as useful. You'd be cracking a SHA-512 hash on 1.2 billion passwords until the end of days.


You assume people using gak adobe products for web hosting are the types of people who are encrypting PII in their DBs... that's funny. You are funny.

Besides, even if you did have them encrypted, that is simply at rest. Having to be unhashed at runtime or via the datasource means the root kit used in this exploit can usually enumerate and unhash the datasources. So I would assume that they have everything in regards to this particular adobe exploit.

This message was edited 2 times. Last update was at 2014/08/06 18:39:45


My Models: Ork Army: Waaagh 'Az-ard - Chibi Dungeon RPG Models! - My Workblog!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
RULE OF COOL: When converting models, there is only one rule: "The better your model looks, the less people will complain about it."
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
MODELING FOR ADVANTAGE TEST: rigeld2: "Easy test - are you willing to play the model as a stock one? No? MFA." 
   
Battlefield Tourist




MN (Currently in WY)

So, this internet thing may just be a fad after all when you combine insecurity issues and Net Neutrality issues. Well, at least the internet as we know it.

Support Blood and Spectacles Publishing:
https://www.patreon.com/Bloodandspectaclespublishing 
   
Kid_Kyoto






Probably work

Generally the way I've seen it done is a 1-way hash that usually has some particular salt thrown in so that there's no consistent single hash algorithm. Theoretically the user's actual password has been completely destroyed. The salt is recorded, as is the hash, and then every time a user types in their password, it applies the salt to the passphrase the user actually typed, and then compares that with the hash. If they're equal, it's the user typing the correct password. Not even a sysadmin can know the user's password this way, and if it gets stolen, there's no way it can be recovered without actually knowing it to begin with.

The whole thing is kinda similar to public key crypto, but with your salt being your public key, your password being your private key, and then the hash being the message that needs to actually make it into the website for you to be authenticated.

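The scheme daedalus describes (store a random salt and a one-way hash, re-apply the salt to what the user types at login, compare the result), as an added Python example that is not from the thread. It assumes PBKDF2-HMAC-SHA512 with a 16-byte salt as the one-way function, and includes an unsalted MD5 digest so the weakness of the older approach is visible side by side:

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example (not from the post): PBKDF2-HMAC-SHA512,
# a 16-byte random salt, and a fixed iteration count to slow down guessing.
ITERATIONS = 200_000
SALT_BYTES = 16


def create_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the stored credential: the salt and the hash. The plaintext
    password is never stored; it is 'destroyed' once hashed, as the post says."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(record: dict, typed: str) -> bool:
    """Login check: re-apply the stored salt to the typed passphrase and
    compare with the stored hash. compare_digest avoids leaking how many
    leading bytes matched through timing differences."""
    candidate = hashlib.pbkdf2_hmac(
        "sha512", typed.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def unsalted_md5(password: str) -> str:
    """The older scheme the thread contrasts with salting: no salt, so every
    user with the same password ends up with the same digest, and a single
    precomputed lookup table answers for the whole stolen database."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def same_password_differs_when_salted(password: str) -> bool:
    """Two users choosing the same password get different salted hashes but
    identical unsalted MD5 digests. Returns True when that holds."""
    a = create_record(password)
    b = create_record(password)
    salted_differ = a["hash"] != b["hash"]
    md5_same = unsalted_md5(password) == unsalted_md5(password)
    return salted_differ and md5_same


if __name__ == "__main__":
    rec = create_record("correct horse battery")
    print(verify(rec, "correct horse battery"))   # True
    print(verify(rec, "correct horse batteri"))   # False
    print(same_password_differs_when_salted("same-password"))  # True
```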
   
5th God of Chaos! (Ho-hum)





Curb stomping in the Eye of Terror!

 Easy E wrote:
So, this internet thing may just be a fad after all when you combine insecurity issues and Net Neutrality issues. Well, at least the internet as we know it.

Wat?



Automatically Appended Next Post:
 daedalus wrote:
Generally the way I've seen it done is a 1-way hash that usually has some particular salt thrown in so that there's no consistent single hash algorithm. Theoretically the user's actual password has been completely destroyed. The salt is recorded, as is the hash, and then every time a user types in their password, it applies the salt to the passphrase the user actually typed, and then compares that with the hash. If they're equal, it's the user typing the correct password. Not even a sysadmin can know the user's password this way, and if it gets stolen, there's no way it can be recovered without actually knowing it to begin with.

The whole thing is kinda similar to public key crypto, but with your salt being your public key, your password being your private key, and then the hash being the message that needs to actually make it into the website for you to be authenticated.

Man... it's been ages... but, I remember a time when I had to hack MS SQL 2005's SA password when my vendor didn't want to rebuild our db.

That was... fun. (back channel black hat sites... o.O )

This message was edited 1 time. Last update was at 2014/08/06 18:50:51


Live Ork, Be Ork. or D'Ork!


 
   
Fixture of Dakka






 daedalus wrote:
Generally the way I've seen it done is a 1-way hash that usually has some particular salt thrown in so that there's no consistent single hash algorithm. Theoretically the user's actual password has been completely destroyed. The salt is recorded, as is the hash, and then every time a user types in their password, it applies the salt to the passphrase the user actually typed, and then compares that with the hash. If they're equal, it's the user typing the correct password. Not even a sysadmin can know the user's password this way, and if it gets stolen, there's no way it can be recovered without actually knowing it to begin with.

The whole thing is kinda similar to public key crypto, but with your salt being your public key, your password being your private key, and then the hash being the message that needs to actually make it into the website for you to be authenticated.


I am going to say anyone using Coldfusion is probably not doing any of this... Especially the 70k government sites which were hacked Jan 2013 during that 7 week window when they got all adobe's source code.

   
Battlefield Tourist




MN (Currently in WY)

 whembly wrote:
 Easy E wrote:
So, this internet thing may just be a fad after all when you combine insecurity issues and Net Neutrality issues. Well, at least the internet as we know it.

Wat?




What I'm trying to say is, as the internet becomes less secure, coupled with big business trying to co-opt it at every turn, is there a time coming when people choose to use some alternative to the World Wide Web?

For example, Amazon is pretty popular right now as a way to buy stuff in the retail space, and big-box retail is slowly dying. Is there a time when internet shopping is so insecure/inconvenient/costly that people will actually prefer to go to a brick-and-mortar store?

Another way to think about it is to look at radio. When radio was first invented and growing in popularity, Tom, Dick, and Harry could start a station and start broadcasting. 20 years later it was monopolized by big corporate entities, and regulated by the FCC. Is the same thing going to happen to the world-wide internet?

   
5th God of Chaos! (Ho-hum)





Curb stomping in the Eye of Terror!

 Easy E wrote:
 whembly wrote:
 Easy E wrote:
So, this internet thing may just be a fad after all when you combine insecurity issues and Net Neutrality issues. Well, at least the internet as we know it.

Wat?




What I'm trying to say is as the internet becomes less secure,

I don't believe it's less secured... only that it's a constant one-upmanship between the black & white hats in the IT security industry.

Kids, if you're not sure what industry to get into... IT security is hot & will be hot for some time.
coupled with big business trying to co-opt it at every turn, is there a time coming when people choose to use some alternative to the World Wide Web?

Nah... I don't see that happening for awhile.

For example, Amazon is pretty popular right now as a way to buy stuff in the retail space, and big-box retail is slowly dying. Is there a time when internet shopping is so insecure/inconvenient/costly that people will actually prefer to go to a brick-and-mortar store?

Wholesale change back to brick-and-mortar? I doubt it... but, I do believe that there's still a huge market for brick-and-mortar.

Another way to think about it is to look at radio. When radio was first invented and growing in popularity, Tom, Dick, and Harry could start a station and start broadcasting. 20 years later it was monopolized by big corporate entities, and regulated by the FCC. Is the same thing going to happen to the world-wide internet?

Depends...

One of the great things about the internet is that it has a low barrier to enter the market... if that ever changes... look out!

This message was edited 1 time. Last update was at 2014/08/06 20:23:57




 
   
Decrepit Dakkanaut






New Orleans, LA

The joke's on them. My passwords are all 1 - 2 - 3 - 4 - 5.

DA:70S+G+M+B++I++Pw40k08+D++A++/fWD-R+T(M)DM+
 
   
Kid_Kyoto






Probably work

And here come the skeptics:

http://www.itworld.com/data-protection/430486/massive-russian-hack-has-researchers-scratching-their-heads


Don't worry, you're not the only one with more questions than answers about the 1.2 billion user credentials amassed by Russian hackers.

Some security researchers on Wednesday said it's still unclear just how serious the discovery is, and they faulted the company that uncovered the database, Hold Security, for not providing more details about what it discovered.

"The only way we can know if this is a big deal is if we know what the information is and where it came from," said Chester Wisniewski, a senior security advisor at Sophos. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify."

Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at US$120 per year. Individual consumers can find out through its identity protection service, which Hold Security says will be free for the first 30 days.

Hold Security didn't respond to email and telephone requests for comment Wednesday, though it may have been inundated with inquiries.

To recap, Hold Security said Tuesday it had obtained a massive database of stolen credentials amassed by a gang of Russian hackers. The database contains 1.2 billion unique "credential pairs" -- made up of a user ID (mostly email addresses) and an associated password. Looking at email addresses alone, there are "over half a billion," the company said, since some email addresses correspond to multiple passwords.

To assess how serious the discovery is, researchers want to know how old the credentials collected by the Russian gang are, where they came from, and how well-protected the passwords are by "hashing," which scrambles the passwords but can be vulnerable to brute force attack.

The age is important because the older they are, the more likely they are to be disused and less valuable, said Gary Davis, chief consumer security evangelist at McAfee.

Hold Security acknowledged in its announcement that "not all" the credentials are "valid or current," with some associated with fake email addresses, closed accounts or even passwords a decade old.

It's also unclear how many of the login and password credentials were culled online recently by the hacker group, and how many were acquired on the black market from previous hacks.

Hold Security said the hackers began by buying credentials from previously attacked accounts, and then did some hacking work of their own. But it's unclear how many of the 1.2 billion credentials came from previous hacking incidents, and which incidents those were.

"If you take Sony, LinkedIn, eBay and Adobe," said Wisniewski, naming four of the biggest recent password breaches, "that's already 500 million accounts."

Experts said the passwords were likely hashed, a process used by most websites these days. But there are several methods of doing that, and the older "MD5" method, for example, is more vulnerable than a more modern method called "salting," said Wisniewski.

For now, researchers are left guessing and reading between the lines because Hold Security has not released more information.

"It will be interesting to see if public opinion pressures them," said Wisniewski.


Emphasis mine.


Automatically Appended Next Post:
It's not unusual for security companies to name and shame websites that have been breached publicly and for free. It's a feather in the cap for the company that breaks the news, and doesn't compete with most business models.

That they're withholding this information makes me skeptical. I'm not in the netsec biz, but I have enough passing interest in security and crypto to know most of the big names in security. Hold is not one that even shows up on my radar. Sophos is though.


Automatically Appended Next Post:

Experts said the passwords were likely hashed, a process used by most websites these days. But there are several methods of doing that, and the older "MD5" method, for example, is more vulnerable than a more modern method called "salting," said Wisniewski.


Also, *cough*.

This message was edited 2 times. Last update was at 2014/08/07 14:45:09


   
 