Techies under fire for holding 1.2bn passwords to ransom
The biggest ever haul of stolen email addresses, usernames and passwords has turned on the techies who detected it, to the likely amusement of the Russian hackers who masterminded it.
Hold Security, whose staff found 1.2 billion log-in details in 4.5 billion stolen web files, is charging people to tell them if their website is among the 420,000 sites it knows to be compromised.
“From as low as $120/year and… with a 2-week money back guarantee, unless we provide any data right away,” the security firm says, pitching its new Breach Notification Service.
A similar fee-charging scheme, albeit with 30 days “free” if you sign up “now”, is also being touted by the firm to consumers whose details may be contained in the haul of stolen data.
Both of the firm’s offerings are being condemned as ‘get-rich-quick’ schemes reliant, it seems, on the fear factor, but it is the consumer version which is being denounced the most.
Security expert Graham Cluley points out that, to use it, people give Hold their email address and, if it’s on their list of stolen details, then type encrypted versions of their passwords into an online form.
“It seems to me to be an utterly idiotic approach. For one thing, what if the computer the user is typing on has keylogging malware in the background?” he asked on his blog.
“Or what about the possibility of bad guys creating phoney versions of this webpage, specifically with the intention of nabbing users’ passwords?”
Hold says that assuming a match is found, the firm will let the customer know which of their passwords (up to 15 can be entered in the form) it is, so the person can choose a replacement.
But Cluley says users should never be encouraged to enter passwords for one website into an entirely different website, even if not transmitting them unencrypted to a third-party site.
Using a different password for each site is, and always has been, the key, security researchers at Zscaler are advising consumers, since it limits the damage any one breach can do.
Issuing the advice this week, Zscaler’s Michael Sutton cited the many password management tools designed to arm users with passwords that are easier to remember and safer.
The task facing website operators isn’t as easy, however. Reflecting on how not even a dozen hackers reportedly used Russia-based servers to swipe 1.2bn user details, he told admins:
“The attackers crowd-sourced the hacking, leveraging botnet infected computers to do the ‘heavy lifting’ for them and identify sites vulnerable to SQL injection attacks.
“With 420,000 sites infected, it will be impossible to work with all of the impacted companies and ensure that the vulnerabilities that led to the breaches are ultimately patched. Many will remain vulnerable for some time, if not indefinitely.”
Addressing concerned companies, Cluley recommended: “Ensure that whoever is building and maintaining your website is aware of threats like SQL injection, and is coding to protect against that and other commonly-found vulnerabilities.”
Tim Keanini, CTO of Lancope, preferred: “Security professionals need more than just traditional detection signatures looking for exploits and attacks because the adversary is just going to login to your network normally.”
He added: “Defenders need anomaly detection methods as it is the only way to discover this abuse in its early stages.”
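Keanini's point is that a login made with a stolen but valid password produces no exploit signature, so the only thing left to detect is that the login does not look like the account's usual behaviour. The block below is an added example, not Lancope's product or the article's, of the simplest form of that idea: build a per-user baseline of source networks and login hours from a constructed batch of successful-login log lines, then flag later logins that come from a network the user has never used, at an hour they never log in, or from two different networks within a few minutes of each other. The log format, the /24 grouping, the one-hour tolerance and the 600-second window are all assumptions chosen for the illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: ISO timestamp, result, user, source IP.
# The baseline batch is what the account owners normally do.
BASELINE_LOG = """\
2014-08-01T09:02:11 LOGIN_OK alice 203.0.113.10
2014-08-01T09:15:40 LOGIN_OK bob 198.51.100.22
2014-08-02T08:58:03 LOGIN_OK alice 203.0.113.12
2014-08-02T17:30:19 LOGIN_OK bob 198.51.100.22
2014-08-03T10:05:55 LOGIN_OK alice 203.0.113.10
2014-08-03T16:45:02 LOGIN_OK bob 198.51.100.30
"""

# The later batch (also constructed) mixes normal logins with two that
# would come from someone using a valid password from somewhere else.
NEW_LOG = """\
2014-08-04T03:12:44 LOGIN_OK alice 192.0.2.77
2014-08-04T09:10:00 LOGIN_OK alice 203.0.113.11
2014-08-04T18:00:00 LOGIN_OK bob 198.51.100.22
2014-08-04T18:00:30 LOGIN_OK bob 192.0.2.78
"""


def parse(log):
    """Turn log text into (timestamp, result, user, ip) tuples."""
    events = []
    for line in log.splitlines():
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user,
                       ipaddress.ip_address(ip)))
    return events


def network_of(ip):
    # Group addresses by /24 so a user moving between nearby addresses on
    # the same network is not flagged (assumed granularity).
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def build_baseline(events):
    """Per user: the set of /24 networks and the hours of day seen in
    successful logins during the baseline period."""
    baseline = defaultdict(lambda: {"nets": set(), "hours": set()})
    for ts, result, user, ip in events:
        if result != "LOGIN_OK":
            continue
        baseline[user]["nets"].add(network_of(ip))
        baseline[user]["hours"].add(ts.hour)
    return baseline


def score_events(baseline, events, travel_window_s=600):
    """Return (user, timestamp, reasons) for each successful login that
    deviates from the user's baseline. Events must be in time order."""
    findings = []
    last_seen = {}  # user -> (timestamp, network) of previous login in batch
    for ts, result, user, ip in events:
        if result != "LOGIN_OK":
            continue
        reasons = []
        net = network_of(ip)
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if net not in profile["nets"]:
                reasons.append(f"new source network {net}")
            # Allow one hour either side of any hour seen in the baseline.
            if not any(abs(ts.hour - h) <= 1 for h in profile["hours"]):
                reasons.append(f"unusual hour {ts.hour:02d}")
        prev = last_seen.get(user)
        if prev and prev[1] != net and (ts - prev[0]).total_seconds() < travel_window_s:
            reasons.append("two networks within travel window")
        last_seen[user] = (ts, net)
        if reasons:
            findings.append((user, ts.isoformat(), reasons))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for user, when, why in score_events(base, parse(NEW_LOG)):
        print(user, when, "; ".join(why))
```

Run as-is it flags alice's 03:12 login from an unfamiliar network and bob's second login 30 seconds after the first from a different network, while the two ordinary logins pass. A real deployment would learn the baseline over weeks, weight the signals rather than treating each as binary, and feed the findings to an analyst rather than blocking outright, but the structure is the same: a profile of normal per account, and a score for how far each new login sits from it.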