Alleged Massive Account and Password Seizure By Russian Group
New submitter Rigodi (1000552) writes "The New York Times reported on August 5th that a massive collection of stolen email passwords and website accounts has been accumulated by an alleged Russian 'crime ring'.
Over 1.2 billion accounts were compromised ... the attack scheme is essentially the old and well-known SQL injection tactic using a botnet. The information has been made public to coincide with the Black Hat conference to cause a debate about the classic account and password system weaknesses, urging the industry to find new ways to perform authentication. What do Black Hat security conference participants have to say about that in Vegas?"
Hold on a second.. (Score:5, Interesting)
Re:big whoop (Score:5, Interesting)
a) Because hacking isn't just a case of having access to everything or nothing. What if you can only hack the password database, but you can't hack the system that those logins are used for?
b) Because, lazy as people are, you now have some very likely candidate email/password combinations to try on all the systems you can't hack into.
Re:Hold on a second.. (Score:4, Interesting)
That, and the loose use of numbers to make it look "skeery". Cracklib has a few million entries (add up all of the languages), and for years people have been accumulating pre-made hashes in numerous formats. I can hash "password" in CRYPT, MD5, SSHA, SSHA2, etc., and now my 1 word has become at least 4 entries. The top 25 used passwords have now become "hundreds" of passwords. Surely that is an exaggeration, but it's not exactly a lie.
I block way more brute force attacks out of China and the Middle East than I do Russia, but in all cases it is the same tools and methods.
To claim that this is all the work of some mastermind criminal group in Russia is simply laughable propaganda, and ignores the fact that hackers have become global enterprises. It's easy for them to share data and tools, and they _do_ share data and tools. It's not like drug cartels that have to produce a commodity that requires land and manufacturing equipment (and people). There is more benefit for two hacking groups to share data than there is for two drug cartels to share turf. I'll guess that there are still some turf wars, but not nearly the same as with drug cartels.
The only part I can agree with in TFA is that people don't know how to make strong passwords, and often lack the incentive to change their passwords frequently enough to stay ahead of the hackers. That's not a problem with Russia, but I'm sure this can result in yet another round of sanctions.
Re:What's one gotta do with the other? (Score:4, Interesting)
With an SQL injection you possibly can fetch the password out of the DB.
You would be surprised how many databases for a certain business have a table called USERS with fields like uname, real_name, email, password ...
By simply putting "something ; select password from USERS where uname = 'user'" you can enhance every input field of a website with the stuff behind the semicolon. Even if somehow you cause an error on the server, it is possible that the HTML returned contains the password you are seeking.
Or you add behind the semicolon " ; select * from Users sort by email first 1000" (don't remember how paging works in SQL). Replace the 'first 1000' with the appropriate statement.
So instead of a list of items you are looking for on eBay, you have an additional bunch of text at the bottom of the list holding an extract of the USERS table.
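The injection path sketched in the comment above, as an added example written for this page (it is not the commenter's code and describes no real site). The USERS layout (uname, real_name, email, password) follows the comment; the ITEMS table, the listing search function and all rows are constructed for the demo. Two details a practitioner would want: the "something ; select ..." form needs a driver that executes stacked statements, and Python's sqlite3 refuses it, so the variant that actually smuggles the table into the bottom of the listing is a UNION with a matching column count. The parameterized version of the same search is shown beside it.

```python
import sqlite3

# Constructed demo data. The USERS layout (uname, real_name, email, password)
# follows the comment; the ITEMS table and the listing page are assumed.
SEED_USERS = [
    ("alice", "Alice Adams", "alice@example.com", "hunter2"),
    ("bob", "Bob Brown", "bob@example.com", "letmein"),
]
SEED_ITEMS = [("vintage lamp", 25), ("lamp shade", 8), ("desk chair", 60)]


def make_db():
    """Build an in-memory SQLite database holding the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (uname TEXT, real_name TEXT, email TEXT, password TEXT)")
    conn.execute("CREATE TABLE ITEMS (title TEXT, price INTEGER)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?, ?, ?)", SEED_USERS)
    conn.executemany("INSERT INTO ITEMS VALUES (?, ?)", SEED_ITEMS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Listing search as the comment describes it: the input is pasted into the SQL text."""
    sql = "SELECT title, price FROM ITEMS WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Same search with the term bound as a parameter, so it can only ever be data."""
    sql = "SELECT title, price FROM ITEMS WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Closes the quoted LIKE pattern, appends a second SELECT with the same column
# count, and comments out the trailing "%'" that the application adds.
UNION_PAYLOAD = "lamp%' UNION ALL SELECT uname || ':' || password, 0 FROM USERS -- "

# The "something ; select password from USERS ..." form from the comment.
STACKED_PAYLOAD = "x'; SELECT password FROM USERS WHERE uname = 'alice"


def stacked_query_rejected(conn):
    """True if the driver refuses the semicolon-chained form (Python's sqlite3 does)."""
    try:
        search_vulnerable(conn, STACKED_PAYLOAD)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


def leaked_credentials(rows):
    """Pull the 'uname:password' rows the UNION appended to the item listing."""
    return [title for title, price in rows if ":" in title and price == 0]


if __name__ == "__main__":
    db = make_db()
    rows = search_vulnerable(db, UNION_PAYLOAD)
    print("vulnerable search returned:", rows)
    print("credentials at the bottom of the list:", leaked_credentials(rows))
    print("stacked form rejected by this driver:", stacked_query_rejected(db))
    print("parameterized search, same payload:", search_parameterized(db, UNION_PAYLOAD))
```

Run it and the vulnerable search returns the two lamp listings followed by `alice:hunter2` and `bob:letmein`, which is exactly the "extract of the USERS table at the bottom of the list" the comment describes; the parameterized search returns nothing for the same input because the quote, UNION and comment marker are all just characters inside a LIKE pattern.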
Re:Stored in cleartext? (Score:4, Interesting)
How was this even possible? Passwords should NEVER be something you can steal since they shouldn't actually be stored as clear text (or even encrypted, for that matter).
Hasn't it been common practice, for at least a decade, to store the passwords as a salted hash (using a unique salt for each user)?
You shouldn't be able to steal a password since the site shouldn't have it.
It probably is hashes and not passwords. If they were the actual passwords, they'd be using them themselves instead of trying to sell them.
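The storage scheme the comment above calls common practice, as an added example written for this page (not the commenter's code): a per-user random salt with an iterated PBKDF2-HMAC-SHA256 digest, a constant-time verifier, and, beside it, the unsalted single-hash scheme that the precomputed hash tables mentioned earlier in the thread defeat. The iteration count and record format are constructed choices for the demo.

```python
import hashlib
import hmac
import os

# Work factor is a constructed choice for the demo; real deployments tune it upward.
ITERATIONS = 100_000


def unsalted_hash(password):
    """The weak scheme: one fixed digest per password, so a precomputed table breaks it
    and every user with the same password shows the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated record in the form 'pbkdf2_sha256$iters$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def compare_schemes(password):
    """Two users who picked the same password: do their stored values collide?
    Returns (unsalted_collide, salted_collide)."""
    unsalted_same = unsalted_hash(password) == unsalted_hash(password)
    salted_same = hash_password(password) == hash_password(password)
    return unsalted_same, salted_same


if __name__ == "__main__":
    record = hash_password("hunter2")  # constructed sample password
    print("stored record:", record)
    print("correct password verifies:", verify_password("hunter2", record))
    print("wrong password verifies:", verify_password("hunter3", record))
    print("(unsalted collide, salted collide):", compare_schemes("password"))
```

The point of `compare_schemes` is the thread's own: with an unsalted digest, one table lookup of "password" cracks every account that used it, while with a unique salt each record has to be attacked on its own and the precomputed tables are useless. Note that what is stored still lets an attacker who steals the table guess offline, which is why the iteration count matters.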