Massive Russian Hack Has Researchers Scratching Their Heads
itwbennett writes Some security researchers on Wednesday said it's still unclear just how serious Hold Security's discovery of a massive database of stolen credentials really is. "The only way we can know if this is a big deal is if we know what the information is and where it came from," said Chester Wisniewski, a senior security advisor at Sophos. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at $120 per year.
Re:Objection! (Score:5, Insightful)
I'm getting pretty dubious of the entire claim. Some company wants to sell its security monitoring service, declares "we've got a huge database of stolen credentials, but we're not going to let you see it without paying up first, or at least signing up for a service that will bill you after 30 days."
I call BS.
Re:Objection! (Score:5, Insightful)
It sounds quite fishy because they ask for a $120 subscription, not to let you access the data, but for a service that lets you know whether you are affected by it or not.
- Here's my $120, what's going on with this?
- You're not affected, goodbye.
- But, hey!
- You're not affected, goodbye.
Re:Not implausible (Score:2, Insightful)
Trivial to prevent:
a) delay 401 responses to incorrect logins for 15 seconds
b) immediate 409 error if another thread tries to log in while inside the 15-second window (see 'a' above), whether the password is correct or not.
c) deactivate accounts after XX unsuccessful logins (pick any value for XX)
d) make user validate themselves to unlock an account, or auto-unlock after YY minutes (pick any value for YY).
I don't know why people think their website should aid and abet a bot swarm by allowing umpteen million failed login attempts (brute forcing) in minutes. The point is to stall the bot swarm so that it effectively makes no progress on its password brute-forcing attempts.
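The four rules above as a small per-account throttle, written here as an added example (not the commenter's code or any real site's). It assumes the application supplies a `check_password` callable, picks XX=5 failures and YY=30 minutes as placeholder values, and takes an injectable clock so the timing can be exercised without sleeping.

```python
import time
from dataclasses import dataclass

DELAY_SECONDS = 15        # a) how long a failed login's 401 is held before it is sent
MAX_FAILURES = 5          # c) XX: lock the account after this many failures (placeholder value)
UNLOCK_MINUTES = 30       # d) YY: auto-unlock this long after locking (placeholder value)

@dataclass
class AccountState:
    failures: int = 0
    penalty_until: float = 0.0   # end of the hold window started by the last failure
    locked_until: float = 0.0    # 0.0 means the account is not locked

class LoginThrottle:
    """Tracks failed logins per account and decides how each attempt is answered."""

    def __init__(self, check_password, now=time.time):
        self._check = check_password   # hypothetical callable(user, password) -> bool from the app
        self._now = now                # injectable clock so the logic can be tested without sleeping
        self._state = {}

    def attempt(self, user, password):
        """Return (status, hold_seconds): the HTTP status to send and how long to delay sending it."""
        st = self._state.setdefault(user, AccountState())
        now = self._now()
        if st.locked_until and now < st.locked_until:
            return 423, 0              # c) locked out: the password is not even checked
        if st.locked_until:            # d) lock has expired: auto-unlock and reset the counter
            st.locked_until = 0.0
            st.failures = 0
        if now < st.penalty_until:
            return 409, 0              # b) another attempt inside the hold window is refused at once
        if self._check(user, password):
            st.failures = 0
            return 200, 0
        st.failures += 1
        st.penalty_until = now + DELAY_SECONDS
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + UNLOCK_MINUTES * 60
            return 423, 0
        return 401, DELAY_SECONDS      # a) wrong password: hold the 401 for the whole window

    def unlock(self, user):
        """d) manual unlock once the user has re-validated out of band."""
        self._state.pop(user, None)
```

Because the 409 path refuses a correct password inside the window, a bot that interleaves guesses gains nothing, while a real user only pays the 15-second wait after their own typo.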
Wouldn't give them a dime (Score:5, Insightful)
Either they're in on the theft somehow, or they're a totally unethical company trying to extort people. No trustworthy security vendor would withhold information about sites that are compromised from the site operators.
I think it's just a marketing ploy personally. "You may have already won! Contact us for details ($1.99 a minute)".
Regardless, they're on my list of companies to never do business with in any way. I