Russian Gang Amasses Over a Billion Internet Passwords

HriniakPosterChild

Member
SoSH Member
Jul 6, 2006
14,841
500 feet above Lake Sammammish
Russian Gang Amasses Over a Billion Internet Passwords
 

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.
 
The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.
 
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.
 
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”

Mr. Holden, who is paid to consult on the security of corporate websites, decided to make details of the attack public this week to coincide with discussions at an industry conference and to let the many small sites he will not be able to contact know that they should look into the problem.
 
There is worry among some in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant Target by hackers in Eastern Europe.
 
You think?
 
The login policies that worked well on a PDP-11 running a timesharing system are showing signs of their age.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,885
Alexandria, VA
If websites would at least use 1970s-era login policies there would be a whole hell of a lot fewer breaches like this and they'd do less damage. The number of websites that actually store their users' passwords (either in plain text or encrypted) is ludicrous and disheartening, and is one of the big causes of these kinds of theft.
 

PayrodsFirstClutchHit

Bob Kraft's Season Ticket Robin Hoodie
SoSH Member
Jun 29, 2006
8,319
Winterport, ME
Let's get the SPAM emails cued up for "Click here to see if the Russians got your password".
 
The Hold Security site is currently offline.  Nice job preparing for the traffic increase. 
 
And nice job to the media/Hold on the zero details reporting.  Some sites have some passwords stolen by some Russians.  Very helpful. 
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
SumnerH said:
If websites would at least use 1970s-era login policies there would be a whole hell of a lot fewer breaches like this and they'd do less damage. The number of websites that actually store their users' passwords (either in plain text or encrypted) is ludicrous and disheartening, and is one of the big causes of these kinds of theft.
No kidding. Password incompetency and SQL injection by people who should know better are the two biggest problems facing software development today. The other being off-by-one errors.
 

Sox and Rocks

Member
SoSH Member
Apr 16, 2013
5,826
Northern Colorado
Mugsys Jock said:
Can I blame all the stupid posts placed here under my name on Russian cyber terrorists?
This was my first thought, too.  Not my bank accounts or emails, etc.  I don't want any Russians screwing with my SOSH posts. 
 

NortheasternPJ

Member
SoSH Member
Nov 16, 2004
19,271
IpswichSox said:
Perhaps it's time for me to re-read the "Password Management Software" thread from earlier this year and take the plunge...
 
Imagine if LastPass or OnePassword or the like are in this. Anyone who uses online password tools is insane in my opinion. They are target #1. 
 
I'd rather use PasswordSafe or similar tool locally with a strong password, have 2 complex passwords I can remember for things I need on mobile in a pinch (Debit decline etc.) and not be able to check them remotely. 
 
There was an article a few weeks ago where a research group attempted to gain information from them and had success. 
 
Edit: http://www.net-security.org/secworld.php?id=17111
 
That's what I was looking at.
 
I love that Hold Security is offering a 30 day free subscription to their database and then pay for afterwards. If they discovered this months ago and have said nothing, disclosed nothing to the organizations involved, it'll be interesting to see what happens. On one hand by not disclosing it they "are digging deeper" on the other hand is "they knew about it and did nothing". It's probably somewhere in between. 
 

Drocca

darrell foster wallace
SoSH Member
Jul 21, 2005
17,585
Raleigh, NC
When do we get to move beyond passwords and what is in the works or most likely to circumvent their usage? I thought we would be further along with biometrics by now.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
Non-invasive biometrics aren't reliable. Invasive ones are slow. Also invasive.

The real answer is two-factor authentication, which works on most reputable sites with important information (except Bank of America, because fuck you, customer) and avoiding password reuse.
 

Scott Cooper's Grand Slam

Member
SoSH Member
Jul 12, 2008
4,263
New England
Blacken said:
Non-invasive biometrics aren't reliable. Invasive ones are slow. Also invasive.

The real answer is two-factor authentication, which works on most reputable sites with important information (except Bank of America, because fuck you, customer) and avoiding password reuse.
 
This is the double-edged sword of a password manager, isn't it? The easiest way to avoid password re-use (besides developing some personal mnemonic system) is to use a random-password generator. But then you've still got a critical failure point of your Master Password. As far as non-invasive biometrics, how about voice? Leaving aside the (in)adequacy of speech recognition, couldn't a voiceprint be sufficiently unique, convenient, and secure (for those with the ability and infrastructure to transfer voice, of course)? 
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,885
Alexandria, VA
Scott Cooper's Grand Slam said:
 
This is the double-edged sword of a password manager, isn't it? The easiest way to avoid password re-use (besides developing some personal mnemonic system) is to use a random-password generator. But then you've still got a critical failure point of your Master Password. As far as non-invasive biometrics, how about voice? Leaving aside the (in)adequacy of speech recognition, couldn't a voiceprint be sufficiently unique, convenient, and secure (for those with the ability and infrastructure to transfer voice, of course)? 
I'm often in places where I can't or don't want to speak to log into something.  Checking email during a meeting, on a late-night flight, whatever.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
Password managers are fine unless you do stupid shit with them. Unique master password, don't write it down, don't use cloud sharing unless it's encrypted again with a different key, locally, before it's uploaded.

Unless you get keylogged or shoulder surfed and have your phone stolen by a knowledgeable thief, you'll be fine. Both are easy to avoid.
 

HriniakPosterChild

Member
SoSH Member
Jul 6, 2006
14,841
500 feet above Lake Sammammish
Blacken said:
The real answer is two-factor authentication, which works on most reputable sites with important information (except Bank of America, because fuck you, customer) and avoiding password reuse.
 
Researcher says PayPal's two-factor authentication is easily beaten
 
 
Joshua Rogers, a 17-year-old based in Melbourne, found a way to get access to a PayPal account that has enabled two-factor authentication. He published details of the attack on his blog on Monday after he said PayPal failed to fix the flaw despite being notified on June 5.
 
By going public with the information, Rogers will forfeit a reward usually paid by PayPal to security researchers that requires confidentiality until a software vulnerability is fixed. Rogers estimated the reward might be around $3000, although PayPal didn’t give him a figure.
 

HriniakPosterChild

Member
SoSH Member
Jul 6, 2006
14,841
500 feet above Lake Sammammish
SumnerH said:
If websites would at least use 1970s-era login policies there would be a whole hell of a lot fewer breaches like this and they'd do less damage. The number of websites that actually store their users' passwords (either in plain text or encrypted) is ludicrous and disheartening, and is one of the big causes of these kinds of theft.
 
I don't know the number, but lots of sites are storing hashes. They're just not using salt, so common passwords are vulnerable to dictionary attack and rainbow tables.
 
Edit: my father in law thought "golf" was a nice password to use everywhere. (Used to think, I should add.)
 

Time to Mo Vaughn

RIP Dernell
SoSH Member
Mar 24, 2008
7,202
Blacken said:
Non-invasive biometrics aren't reliable. Invasive ones are slow. Also invasive.

The real answer is two-factor authentication, which works on most reputable sites with important information (except Bank of America, because fuck you, customer) and avoiding password reuse.
BoA allows two factor.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
Huh, so it does. I've never seen it mentioned once before, I had to go digging into their help stuff to find it.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,885
Alexandria, VA
HriniakPosterChild said:
I don't know the number, but lots of sites are storing hashes. They're just not using salt, so common passwords are vulnerable to dictionary attack and rainbow tables.
Even that is a massive step forward for most sites. You would be shocked how many store passwords in plain-text or in reversible encrypted formats; just eliminating that would be a huge improvement for internet security.

Obviously bad passwords suck as well, but until sites are using basic 1978-era technology nothing else matters. Any site that stores actual or encrypted passwords should face massive liability; they are beyond negligent, but because nobody presses them on it it continues unabated.
 

HriniakPosterChild

Member
SoSH Member
Jul 6, 2006
14,841
500 feet above Lake Sammammish
SumnerH said:
Even that is a massive step forward for most sites. You would be shocked how many store passwords in plain-text or in reversible encrypted formats; just eliminating that would be a huge improvement for internet security.

Obviously bad passwords suck as well, but until sites are using basic 1978-era technology nothing else matters. Any site that stores actual or encrypted passwords should face massive liability; they are beyond negligent, but because nobody presses them on it it continues unabated.
Proving that a specific site is to blame for some guy's losing a chunk of money is really hard if he used the same password on multiple sites. So bad websites have a pretty good defense 80% of the time.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,885
Alexandria, VA
HriniakPosterChild said:
Proving that a specific site is to blame for some guy's losing a chunk of money is really hard if he used the same password on multiple sites. So bad websites have a pretty good defense 80% of the time.
 
Thankfully you have the answer in your post.  
 
Don't use the same password at multiple sites; that's as dumb as having the same lock at work, school, and home, giving them all a key, and then being surprised when you can't figure out if the person who broke into your house was a family member, coworker, or student in your class.  And it's entirely (and trivially) within your control.  And biometrics absolutely won't help it: if you're sharing the same thumb print with 3 places, they can use it to hack the others, just as they can with passwords.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
SumnerH said:
Even that is a massive step forward for most sites.
It really isn't. A G2 instance on Amazon can blow through millions of trivially hashed passwords (MD5, SHA-1, etc.) for twenty bucks.

If you aren't using scrypt, bcrypt, or PBKDF2, you are wrong.
 
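The unsalted-hash problem HriniakPosterChild raises and the slow-KDF point Blacken makes above, as an added example that is not from any poster in this thread: the same constructed user table is stored once with plain MD5 and once with salted PBKDF2-HMAC-SHA256 from Python's standard library, and a small constructed wordlist shows why the first scheme falls to a single precomputed lookup while the second costs one full KDF run per user per guess. The usernames, passwords, wordlist and iteration count are all constructed for illustration.

```python
"""Added example: unsalted fast hash vs. salted slow KDF for password storage."""
import hashlib
import hmac
import os

# Constructed sample users; two of them picked the same weak password.
USERS = {"alice": "golf", "bob": "golf", "carol": "correct horse battery staple"}

# Constructed tiny wordlist, standing in for a real dictionary or rainbow table.
WORDLIST = ["password", "123456", "golf", "baseball", "letmein"]

# Assumed cost parameter; real deployments should tune this upward over time.
PBKDF2_ITERATIONS = 100_000


def store_unsalted_md5(password):
    """The 'trivially hashed' scheme criticised in the thread: MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(table, wordlist):
    """Hash each candidate word once, then look every user up in that table.
    Returns (cracked users, number of hash computations performed)."""
    lookup = {store_unsalted_md5(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in table.items() if h in lookup}
    return cracked, len(wordlist)


def store_pbkdf2(password, salt=None):
    """Salted, iterated hash stored as 'salthex$dkhex'; fresh 16-byte salt per user."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, dk_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(table, wordlist):
    """With per-user salts there is nothing to precompute: every (user, word)
    pair costs a full KDF run.  Returns (cracked users, number of KDF runs)."""
    cracked, runs = {}, 0
    for user, stored in table.items():
        for word in wordlist:
            runs += 1
            if verify_pbkdf2(word, stored):
                cracked[user] = word
                break
    return cracked, runs


# The same users stored under each scheme.
UNSALTED_TABLE = {u: store_unsalted_md5(p) for u, p in USERS.items()}
SALTED_TABLE = {u: store_pbkdf2(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("unsalted:", crack_unsalted(UNSALTED_TABLE, WORDLIST))
    print("salted:  ", crack_salted(SALTED_TABLE, WORDLIST))
```

Note that alice and bob share one MD5 digest, so a single lookup exposes both, whereas their PBKDF2 records differ and each must be attacked separately at the full iteration cost.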

smastroyin

simpering whimperer
Lifetime Member
SoSH Member
Jul 31, 2002
20,684
The problem is that you have one of three choices:
 
1)  Use a system like lastpass.
2)  Have a really good mnemonic system that isn't easy to crack 
3)  Have a photographic memory
 
I have over 50 passwords.  Some of these (say, my Marriott rewards account) are less important than others (my primary bank) but still, even if I used sloppier security standards for the less important ones, I'd still have about a dozen [bank, e*trade, mortgages, 401(k), credit cards, work, at least one google account, my home wifi] to remember, which to make each unique and not vulnerable to dictionary attack is just not possible.
 
So what can I do besides lastpass, really?
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,885
Alexandria, VA
Blacken said:
It really isn't. A G2 instance on Amazon can blow through millions of trivially hashed passwords (MD5, SHA-1, etc.) for twenty bucks.

If you aren't using scrypt, bcrypt, or PBKDF2, you are wrong.
 
It's a huge step forward because it allows people who care to have password security.  If I pick a random password with enough entropy, it won't be revealed when the shadow file is stolen and will be extremely difficult to do a hash search for.  That's a big difference from storing in plain text.
 

NortheasternPJ

Member
SoSH Member
Nov 16, 2004
19,271
The number of sites we test where their password reset functionality is to email you your password is awful.
 

Spelunker

Member
SoSH Member
Jul 17, 2005
11,858
NortheasternPJ said:
The number of sites we test where their password reset functionality is to email you your password is awful.
This.

That's basically the easiest way to say 'no, I will never do business with you because you suck'.
 

NortheasternPJ

Member
SoSH Member
Nov 16, 2004
19,271
There are security manufacturers who do this, and not unknown ones either. I was horrified when this happened on my partner account.
 

Yaz4Ever

MemBer
Lifetime Member
SoSH Member
Jul 10, 2004
11,256
MA-CA-RI-AZ-NC
Ok, if one wanted to truly become safe in what they do online - not worried about NSA spying on them for the most part (I'm completely against this invasion of privacy, but they would honestly be bored if they spied on me), more worried about hackers stealing personal information and sabotaging my credit - which of the following is truly necessary, highly advised, or a waste of time?
 
1.  Encryption of email
2.  Hiding digital footprints (browsing anonymously)
3.  Using a password manager (LastPass, OnePass, something else)
4.  Using a VPN (possibly the same as number 2, I guess - worst thing I do online might be torrenting files from time to time if I can't find something I want to watch on Netflix, Hulu, etc or I'm looking for obscure educational things like tutorials)
5.  2-Factor Authentication (honestly know very little about this other than it adds an extra step, thereby making hacking tougher)
6.  Antivirus/Malware for my Mac (does something even exist that would be worth using?)
7.  HTTPS Everywhere (I'm using this now but don't know if I really need to)
 
I use a Macbook Air for most of my online stuff.  I use my iPhone when on the road, but mostly just for checking email, social networks, and playing games.  Don't think I've ever purchased anything via my iPhone (other than iTunes stuff), although I use the Amazon app to check reviews for things I'm on the fence about buying.
 
After the last big scare a couple of months ago, I changed the passwords for all of my banks, stocks/IRAs, credit cards, etc.  Then the dirty Ruskies came in and did this.  How does one keep up and stay safe?  I love the idea of a password manager, but I'm scared that if they get hacked ALL of my accounts become vulnerable as opposed to just one or two cards/accounts being hacked.
 

cgori

Member
SoSH Member
Oct 2, 2004
3,999
SF, CA
As far as your question:
 
I would strongly look into a password manager, one that doesn't store things on-line.  KeePass is probably the one I would look at for Windows (+iPhone), there may be something better that is Mac-centric but wait for someone else to come along and comment.  You'll need to find a safe place to put the master password, and make sure it's strong.
 
If you ever put your credit card into a web site form to buy something, it should be via HTTPS.  For random things like SoSH or online newspapers, it's not such a big deal.
 
Email encryption is almost certainly overkill for what you are worried about, as is 2-factor auth.  Never email your credit card (or any personal) info though.  If some particular aspect of your online identity is valuable in and of itself (probably doesn't apply to you, in all honesty), then 2-factor might make sense to prevent someone from say, hijacking your twitter account because it's an interesting name.  But in general this doesn't matter.
 
Anonymous browsing is to protect you from your wife :) - it won't help you otherwise.
 
VPN is not needed for what you are worried about at all.
 
I don't use a Mac, so I don't know about anti-virus for that platform - I wouldn't even speculate there.  Let someone else comment.
 
My other thoughts:
 
Try really hard not to give anyone online any more information than they need (i.e. don't use your social security number when you have another option for an account name).  Don't share the passwords (I do share the truly throw-away ones).  I generally don't save my credit card numbers at any sites, which makes buying stuff semi-annoying, but means that they don't have your info to lose.
 
Don't be afraid to link your cell phone number to an online account.  That's a weak form of 2-factor and generally is helpful.  You'll probably get a few more junk texts as a result, but so far I haven't seen google or amazon do this, and they are the main users of this stuff.
 
I would make sure you have 2 email addresses: one that you give to real live human beings, the other that you give to websites so that their marketing/spam/whatever goes there.  
 

derekson

Member
SoSH Member
Jun 26, 2010
6,224
cgori said:
As far as your question:
 
I would strongly look into a password manager, one that doesn't store things on-line.  KeePass is probably the one I would look at for Windows (+iPhone), there may be something better that is Mac-centric but wait for someone else to come along and comment.  You'll need to find a safe place to put the master password, and make sure it's strong.
 
If you ever put your credit card into a web site form to buy something, it should be via HTTPS.  For random things like SoSH or online newspapers, it's not such a big deal.
 
Email encryption is almost certainly overkill for what you are worried about, as is 2-factor auth.  Never email your credit card (or any personal) info though.  If some particular aspect of your online identity is valuable in and of itself (probably doesn't apply to you, in all honesty), then 2-factor might make sense to prevent someone from say, hijacking your twitter account because it's an interesting name.  But in general this doesn't matter.
 
Anonymous browsing is to protect you from your wife :) - it won't help you otherwise.
 
VPN is not needed for what you are worried about at all.
 
I don't use a Mac, so I don't know about anti-virus for that platform - I wouldn't even speculate there.  Let someone else comment.
 
My other thoughts:
 
Try really hard not to give anyone online any more information than they need (i.e. don't use your social security number when you have another option for an account name).  Don't share the passwords (I do share the truly throw-away ones).  I generally don't save my credit card numbers at any sites, which makes buying stuff semi-annoying, but means that they don't have your info to lose.
 
Don't be afraid to link your cell phone number to an online account.  That's a weak form of 2-factor and generally is helpful.  You'll probably get a few more junk texts as a result, but so far I haven't seen google or amazon do this, and they are the main users of this stuff.
 
I would make sure you have 2 email addresses: one that you give to real live human beings, the other that you give to websites so that their marketing/spam/whatever goes there.  
 
There's really no need for AV on a Mac unless you are stupid enough to actively seek out infections by doing things like downloading applications from random public torrents. If you have 2 active brain cells it's pretty tough to infect your Mac.