Massive Russian Hack Has Researchers Scratching Their Heads

itwbennett writes: Some security researchers on Wednesday said it's still unclear just how serious Hold Security's discovery of a massive database of stolen credentials really is. "The only way we can know if this is a big deal is if we know what the information is and where it came from," said Chester Wisniewski, a senior security advisor at Sophos. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at $120 per year.

  • Re:Objection! (Score:5, Informative)

    by Anonymous Coward on Thursday August 07, 2014 @09:35AM (#47622057)

    "They decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at US$120 per year.

    A billion-dollar security firm won't sign up for a $120 per year service to see the data behind the breach? It must be highway robbery, unlike most AV products which charge the same $$$ per year for little in return.

    Hey dimwit, it's $120 per year per site company not for disclosure of the entire data set. This is a protection racket.

  • by Kardos ( 1348077 ) on Thursday August 07, 2014 @09:36AM (#47622065)

    ... and change all of your passwords today. This is the best way to devalue the 'massive database'. Then sanitize your SQL queries!

  • Not implausible (Score:5, Informative)

    by IamTheRealMike ( 537420 ) on Thursday August 07, 2014 @09:45AM (#47622131)

    More than 1B credentials does not sound implausible to me, though it's on the high end. You may be wondering why my opinion on this is more relevant than anyone else's, so let me explain.

    Although I left the company in January, for about 7.5 years I worked at Google, and for ~3 of those years I worked on security and anti-spam related matters. Starting around April 2010 we started to see absolutely enormous numbers of compromised accounts sending spam to their contacts. This was not a problem that grew slowly. It went from zero to one gang compromising on the order of 100,000 accounts per day, and that happened in the space of, it seemed, a few weeks. We learned about this problem through user complaints and by watching the flow of spam mails being reported to us via the "Report spam" button. We quickly realised this wasn't a Gmail-specific problem but was simultaneously impacting Hotmail and Yahoo. Further investigation revealed that although this gang was capable of compromising ~100,000 accounts per day (more than one per second), this was the result of a 10-15% success rate for more like a million attempts per day: most account/password pairs they tried did not work. The reason was they were reversing password hashes stolen from third party websites using GPUs, and it turns out that people who use the same password everywhere make up (surprisingly) only about 10-15% of the user population. People suck less at security than you might imagine.

    When this problem first started we believed that such an enormous supply of credentials must surely be some kind of freak one-off, the result of compromising an unusually large site. I mean, one million credentials every fucking day was an unimaginably vast pool of stolen passwords. But as the user complaints of being hacked failed to dry up we came to accept the horrible truth: this was not some freak one-off but the result of some kind of production line of passwords. Most likely a combination of automated web crawls to discover vulnerable sites, semi-automated popping of those sites, farms of GPUs reversing the passwords and the resulting packages being sold on the black market to spammers who then abused them for bypassing spam filters (mail from contacts is whitelisted by any good spam filter). We only got occasional snapshots of this market; for example, we were able to find adverts on Russian blackhat forums by people advertising lists of "washed" vs "unwashed" account/password lists for hotmail, gmail etc, but mostly it was opaque.

    Anyway, long story short, we formed a team that built a full-blown risk analysis system for every single login (Google has a bajillion logins per second thanks to mail clients that poll Gmail and have to log in each time), and after several years of work managed to block logins with bulk-stolen passwords so successfully that they went away. But the underlying supply of passwords is still out there, and should those defences fall the problem would come back.

    I gave a talk about this and various other webmail abuse related topics at the RIPE 64 conference in Ljubljana (video link) [ripe.net] in case anyone is interested in this. The slides [ripe.net] are also available though lots of info from the talk is missing from them.

  • Re:Alternatively... (Score:4, Informative)

    by jones_supa ( 887896 ) on Thursday August 07, 2014 @10:19AM (#47622317)

    That is possible, but for now, never has a "universal backdoor for the government" been provably found in an OS or a firmware. NSA has probably snuck a lot of trojan hardware and software into individually targeted devices, though.

  • Re:Not implausible (Score:5, Informative)

    by IamTheRealMike ( 537420 ) on Thursday August 07, 2014 @10:45AM (#47622519)

    I didn't make a false claim. You quoted me saying we stopped bulk stolen password based attacks like the ones I described, and then proceeded to argue with a statement I never made (that we stopped all attacks).

    To clarify, the attacks I'm talking about are ones where the attacker has a large list of passwords (in the order of hundreds of thousands of passwords or more) and tries each password to see if it matches. If it does they log in; if it doesn't they give up and try the next one. Government sponsored attacks tend to care an awful lot about a small set of targets, which is the exact opposite.

    Google was able to stop these attacks so effectively the people behind them gave up, and there was a large but not infinite number of people who were carrying out such attacks, so eventually they became no longer a real issue for the userbase. Note that our competitors (with the notable exception of Facebook) were NOT able to do this, so if a small ISP struggles to do it too, that would not be very surprising.
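As an added illustration (not code from any poster or from Google), here is a minimal version of the per-source login signal that IamTheRealMike's two comments describe: a bulk-stolen-password gang tries each (account, password) pair once, so a single source shows many distinct accounts with a low success rate (the poster cites 10-15%), whereas a targeted attacker or an ordinary user touches few accounts. The log format, IP addresses and thresholds are constructed assumptions.

```python
"""Classify login sources as bulk credential-stuffing, targeted or normal.

Heuristic from the thread above: stuffing = many distinct accounts per
source, each tried roughly once, with a low success rate. Thresholds are
assumptions chosen for the constructed sample, not tuned production values.
"""
from collections import defaultdict

MIN_ATTEMPTS = 20         # assumed: ignore sources with too little volume
MIN_DISTINCT_RATIO = 0.8  # assumed: distinct accounts / attempts
MAX_SUCCESS_RATE = 0.25   # assumed: the page reports 10-15% for stuffing


def parse_line(line):
    """Constructed format: '<source-ip> <account> OK|FAIL'."""
    ip, account, result = line.split()
    return ip, account, result == "OK"


def source_stats(lines):
    """Aggregate attempts, distinct accounts and successes per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "accounts": set(), "ok": 0})
    for line in lines:
        if not line.strip():
            continue
        ip, account, ok = parse_line(line)
        stats[ip]["attempts"] += 1
        stats[ip]["accounts"].add(account)
        stats[ip]["ok"] += int(ok)
    return stats


def classify(s):
    if s["attempts"] < MIN_ATTEMPTS:
        return "low-volume"
    distinct = len(s["accounts"]) / s["attempts"]
    rate = s["ok"] / s["attempts"]
    if distinct >= MIN_DISTINCT_RATIO and rate <= MAX_SUCCESS_RATE:
        return "bulk-stuffing"   # wide, shallow, mostly failing: stolen list
    if distinct < 0.2:
        return "targeted"        # narrow and deep: the opposite pattern
    return "normal"


def flag_sources(lines):
    return {ip: classify(s) for ip, s in source_stats(lines).items()}


# Constructed sample (documentation addresses, not real traffic): one source
# tries 40 accounts once each and 5 succeed (12.5%); a second hammers one
# account 40 times; a third is a user who mistypes twice and then logs in.
SAMPLE_LOG = (
    [f"203.0.113.7 user{i}@example.test {'OK' if i % 8 == 0 else 'FAIL'}"
     for i in range(40)]
    + ["198.51.100.9 ceo@example.test FAIL"] * 40
    + ["192.0.2.5 carol@example.test FAIL"] * 2
    + ["192.0.2.5 carol@example.test OK"]
)

if __name__ == "__main__":
    for ip, verdict in flag_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

A real system would add signals such as geography, device history and password-list overlap; the point here is that volume alone does not separate the stuffing source from the targeted one, but account breadth plus success rate does.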
