Massive Russian Hack Has Researchers Scratching Their Heads

itwbennett writes: Some security researchers on Wednesday said it's still unclear just how serious Hold Security's discovery of a massive database of stolen credentials really is. "The only way we can know if this is a big deal is if we know what the information is and where it came from," said Chester Wisniewski, a senior security advisor at Sophos. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify." Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at $120 per year.
  • Re:Objection! (Score:5, Insightful)

    by MightyMartian ( 840721 ) on Thursday August 07, 2014 @09:31AM (#47622037) Journal

    I'm getting pretty dubious of the entire claim. Some company wants to sell its security monitoring service, declares "we've got a huge database of stolen credentials, but we're not going to let you see it without paying up first, or at least signing up for a service that will bill you after 30 days."

    I call BS.

  • Re:Objection! (Score:5, Insightful)

    by Andor666 ( 659649 ) <andor.pierdelacabeza@com> on Thursday August 07, 2014 @09:40AM (#47622097) Homepage Journal

    It sounds quite fishy because they ask for a $120 subscription, not to let you access the data, but for a service that lets you know if you are affected by it or not.

    - Here, my 120$, what's going on with this?
    - You're not affected, goodbye.
    - But, hey!
    - You're not affected, goodbye.

  • Re:Not implausible (Score:2, Insightful)

    by Anonymous Coward on Thursday August 07, 2014 @11:43AM (#47623079)

    Trivial to prevent:

    a) delay 401 responses to incorrect logins for 15 seconds
    b) immediate 409 error if another thread tries to login while inside the 15 second window (see 'a' above), whether the password is correct or not.
    c) deactivate accounts after XX unsuccessful logins (pick any value for XX)
    d) make user validate themselves to unlock an account, or auto-unlock after YY minutes (pick any value for YY).

    I don't know why people think their website should aid-and-abet a bot swarm by allowing umpteen-million failed login attempts (brute forcing) in minutes. The point is to stall the bot-swarm so that it effectively makes no progress on their password brute forcing attempts.
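The four rules in the comment above, as an added Python example that is not from the commenter or from Slashdot: a per-account login throttle with an injected clock so the timing can be exercised without sleeping. The thresholds XX and YY are assumptions (5 failures, 10 minutes), and answering a deactivated account with 423 is also this example's choice, since the comment does not name a status for that case.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# The commenter's rules as constants. XX and YY are left open in the comment;
# 5 failures and a 10-minute unlock are values chosen for this example.
STALL_SECONDS = 15           # (a) how long a 401 is held back
LOCK_THRESHOLD = 5           # (c) "XX" unsuccessful logins
UNLOCK_AFTER_SECONDS = 600   # (d) "YY" minutes, expressed in seconds

@dataclass
class AccountState:
    failures: int = 0
    stall_until: float = 0.0               # end of the current 15 s window
    locked_until: Optional[float] = None   # None means not deactivated

class LoginThrottle:
    """Decides the HTTP status for a login attempt. Password checking is
    delegated to `verify`; the throttle only enforces rules (a)-(d)."""
    def __init__(self, verify: Callable[[str, str], bool]):
        self.verify = verify
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> Tuple[int, float]:
        """Returns (status, send_at): the response code and the earliest time
        the caller may transmit it. `now` is injected so the logic is testable."""
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return 423, now            # still deactivated (423 is this example's choice)
            st.locked_until = None         # (d) timed auto-unlock
            st.failures = 0
        # (b) any attempt inside the stall window is refused before the password
        # is even looked at, so a correct guess gains nothing while stalled
        if now < st.stall_until:
            return 409, now
        if self.verify(user, password):
            st.failures = 0
            return 200, now
        # (a) wrong password: open the window and hold the 401 until it closes
        st.failures += 1
        st.stall_until = now + STALL_SECONDS
        if st.failures >= LOCK_THRESHOLD:  # (c) deactivate the account
            st.locked_until = now + UNLOCK_AFTER_SECONDS
            return 423, now
        return 401, st.stall_until

    def manual_unlock(self, user: str) -> None:
        """(d) the account owner validated themselves out of band."""
        st = self.accounts.setdefault(user, AccountState())
        st.locked_until, st.failures, st.stall_until = None, 0, 0.0
```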

  • by forgottenusername ( 1495209 ) on Thursday August 07, 2014 @12:17PM (#47623345)

    Either they're in on the theft somehow, or they're a totally unethical company trying to extort people. No trustworthy security vendor would withhold information about sites that are compromised from the site operators.

    I think it's just a marketing ploy personally. "You may have already won! Contact us for details ($1.99 a minute)".

    Regardless, they're on my list of companies to never do business with in any way. I
