Russian Gang Amasses Over a Billion Internet Passwords

Discussion in 'privacy problems' started by ronjor, Aug 5, 2014.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I wonder how many of these username/password and email/password pairs come from websites, such as news outlets and social sites, where there's really not much to protect. The danger is that people may use the same authentication pairs for banking etc. In a sense, all those non-critical uses increase the attack surface for the critical uses. Maybe non-critical websites should set maximum-complexity rules for passwords, vs minimum-complexity rules for passwords for critical websites. But that's too complicated, I know.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    http://www.theverge.com/2014/8/6/5973729/the-problem-with-the-new-york-times-biggest-hack-ever
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,085
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    It's hard to tell the bad guys from the good guys :(

    Maybe Hold Security is just fronting for the hackers ;)
     
  7. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Not likely given Krebs' take on him and his character. Now is this about drumming up business? Perhaps that is a factor on the way the information has been released and the lack of details on sites hacked and on the research methodology + data. The fact remains however that this is a good kick in the rear for everyone to get serious about their password maintenance...
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    That is true. But the data is tainted, and profiting from it is dishonorable, as I see it.
     
  9. Tipsy

    Tipsy Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    207
    There is a kick in the rear every 2 months. What will be necessary to finally change behaviours?
     
  10. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Last edited: Aug 8, 2014
  11. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    @SweX You're welcome.

    Actually what I find annoying is the amount of articles out all without information on which websites have been affected.
     
  12. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Yep I haven't found any either, and I will of course not throw away $120 to find out.
     
  13. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,076
    So how would changing passwords help if the Websites are still vulnerable to SQL injection?
     
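The question above is the right one: a user-side password change does nothing against a site that still splices input into its SQL. The fix is on the server, and the difference between the broken and the corrected lookup is small. The following is an added example (not code from any poster or from the thread's sources); the table, the user name and the stored "hash-placeholder" value are constructed for the demo, and the concatenated query is shown only so that the contrast with the bound-parameter version is visible. A quote character in an ordinary user name is enough to show that the first form treats data as SQL text while the second does not.

```python
import sqlite3

# Constructed in-memory database for the demo. A real site would store a
# salted password hash in pw_hash; the placeholder string stands in for it.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", "hash-placeholder"))
    return conn

def lookup_concat(conn, username):
    # Defective pattern: the user-supplied value becomes part of the SQL text,
    # so the apostrophe in o'brien ends the string literal early and the rest
    # of the name is parsed as SQL. sqlite3 raises OperationalError here.
    sql = "SELECT pw_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()

def lookup_param(conn, username):
    # Corrected pattern: the query text is fixed and the value is bound by the
    # driver, so the apostrophe is just a character inside the data.
    sql = "SELECT pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()

def demo(username="o'brien"):
    """Run both lookups on the same input and return what each produced."""
    conn = make_db()
    results = {}
    try:
        results["concat"] = lookup_concat(conn, username)
    except sqlite3.OperationalError as exc:
        results["concat"] = "error: " + str(exc)
    results["param"] = lookup_param(conn, username)
    conn.close()
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The parameterized lookup returns the stored row; the concatenated one fails on a perfectly legitimate name, which is the same parsing behaviour an attacker relies on. Binding parameters closes that door regardless of what users do with their passwords; hashing what is stored limits the damage if the door is opened anyway.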
  14. WeAreAllHacked

    WeAreAllHacked Registered Member

    Joined:
    May 22, 2014
    Posts:
    28
    If someone is worried, just change your password on those sites you care about (it will take a few minutes maybe), but paying these guys will take just as much time (and then you still haven't gained the benefit of changing the password).
     
  15. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    If Brian Krebs says it's true (and I had serious doubts), then I must accept it. But as others have said, I do not like the "method" that Hold Security is employing to "help" us determine if any of us has suffered a breach. I'm going to wait for more info to come from this before I do much...
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Maybe it's just me, but I get bad vibes from him, and his attitude.

    In contrast to Bruce Schneier, for example.
     
  17. Tipsy

    Tipsy Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    207
    Not so easy to do every time another revelation.
    : (
    I can either use the internet or spend all the time changing passwords.
     
  18. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    The real trick is to set up a routine where you change your passwords. IOWs, don't wait for a breach announcement, just change them regularly on YOUR schedule.
     
  19. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Umm, yeah:

    http://grahamcluley.com/2014/08/cybervor-pay/

    Suffice to say I am profoundly skeptical, and do not think I should consider Krebs trustworthy any more. As for Hold Security: yeah, I'm really going to give them my password hashes. Like hell.

    Edit: to be clear I've never heard of this Cluley fellow before, but the password submission part of the site? That's real:

    https://identity.holdsecurity.com/Submit/

    Also clicking on the link to it makes you implicitly agree to some license terms. Hmm. Really clean-looking, huh?
     
  20. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    FYI, Mr Cluley worked for Sophos before he became an "Independent Security Analyst". He also writes for WeLiveSecurity sometimes. When he worked at Sophos he wrote regularly on Sophos' "Naked Security" blog.

    http://www.welivesecurity.com/author/gcluley/#more
     
  21. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    http://www.cnet.com/news/why-you-shouldnt-be-scared-by-the-largest-data-breach/
     
  22. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    Interesting reading. I don't think it's the "freakiest security story since Heartbleed Tuesday". When I first read about this, before I found this very interesting thread, I was skeptical. We seem to have a lot of gloom and doom stories these days. What a terrible headline: "Russian gang has amassed over a billion passwords." Sounds a lot like McDonald's "one billion served". ;) I'm not one to panic over these things. I'm certainly not going out and changing all of my passwords; I have a lot of them. Maybe later if more pertinent information is released. Right now I have no idea who was compromised, if I am affected, or what really was amassed by this Russian gang.

    Now we have this company who discovers this terrible security breach charging folks who want to know if they are affected. I wonder how many will bite. I am sure some will; will that company then in turn inform their users they have been compromised?
     
  23. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    https://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/

    I don't really have any issues with Krebs.

    If anything, I think Holds is profiting from using Kreb's name.
     
    Last edited: Aug 9, 2014
  24. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    So it seems that Alex is associated with Brian's criminal connections ;)
     