Application Security //

Database Security

8/5/2014
07:15 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Biggest Cache of Stolen Creds Ever Includes 1.2 Billion Unique Logins

A Russian crime ring has swiped more than a billion unique username-password combinations, plus a half-million email addresses.

A Russian crime ring has amassed a gargantuan database of pilfered login credentials, including 1.2 billion unique username-password combinations and 542 million email addresses, Hold Security of Milwaukee said today. This makes it the largest known collection of stolen credentials to date.

According to Hold Security, the attackers used a botnet to hunt for sites vulnerable to SQL injection hacks. They compromised roughly 420,000 websites and lifted 4.5 billion username-password combinations in all; after eliminating duplicates, the number drops down to a no-less-impressive 1.2 billion unique login combos. Hold Security has not released the names of the victim sites.

What's puzzling is that the criminals have not put this goliath database to great use so far. They are not selling the records. They're merely using them to operate a spammer-for-hire service. Nevertheless, the incident underlines the persistent troubles of lax website security, inadequate monitoring, and single-factor authentication.

"At this stage of the game, using passwords for security is simply table stakes," David Rockvam, vice president of product management and marketing communications for Entrust, told us. "In order to truly protect our personal and financial information, second-factor authentication is a necessity."

Some companies "are not being proactive enough about security; therefore, they are ill equipped to detect these types of breaches," said Jay Kaplan, CEO of Synack. "In fact, it's likely that most of them do not even realize how many times they've been compromised, as it's very challenging to track compromises when you do not have a continuous security cycle to test against and prevent these types of attacks."

"Today, we have learned of a huge issue where it seems like billion passwords were stolen overnight," said John Prisco, CEO of Triumfant, "but in reality... crime rings have been stealing information for years. They've just been doing it undetected, because there hasn't been a concerted effort on the part of companies entrusted with this information to protect it. Vendors haven't delivered a truly defensive product until recently. For so many years, we've relied on antivirus, which just doesn"t work. Vendors are in a transition period where the most effective products are not yet widely deployed."

Hold Security's researchers do not believe the attackers are politically motivated or have any connection with the Russian government. Russian entities were among the websites compromised.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
kstaron
50%
50%
kstaron,
User Rank: Apprentice
8/28/2014 | 3:17:15 PM
Scary if true
While some people may be skeptical becasue the company won't divulge how they got the information that might be more due to the fact if they did someone is going to get a lot of attention from Russian criminals. However the part where the company now offers a service to tell you if you're on the list isn't doing their reputation any favors given what they are charging for a search of a single login on a list they already have. If true though, very scary as someone who has to rely on several companies to keep my info secure.
Steve Riley
50%
50%
Steve Riley,
User Rank: Author
8/15/2014 | 3:44:47 PM
Count me skeptical
A lot of people are beginning to question the veracity of this story. For example, The Lie Behind 1.2 Billion Stolen Passwords:

Let's look at the warning signs right off the bat:

  • Announces 4 billion passwords have been taken across 420,000 websites
  • Makes zero indication on how he learned this or how he obtained the output of 420,000 website's U/P data
  • Unbiased sources who have met Holden describe him as a generally acceptable individual with an aggressive approach to establishing clients. Chris Roberts, founder of Denver's One World Labs, said that Holden "[...] has gone off and done his own thing [...] he has his way of doing it — very different than mine"
  • Refuses to indicate any of the sites compromised so that users can change their passwords as "there is an ongoing investigation"
  • No law enforcement agencies (local, state, or federal) have corroborated that they are investigating
  • Explains that he knows the names and locations of these hackers but not the group they are affiliated with
  • Offers a for-pay service for individuals and companies to see if their data is being compromised which is odd because that generally doesn't happen during an investigation
  • Lied about where he went to school and graduated — the 2001 engineering degree from the University of Wisconsin-Milwaukee? That never happened as Holden never graduated.
  • Released information specifically during BlackHat for maximum attention when a very similar story was released in February by Hold Security.
  • Individuals quickly chimed in with similar-but-different ulterior motives: Chase Cunningham and Brian Krebs
  • Lacking a name for the criminal group, Holden simply references them as CyberVor — Vor meaning "thief" in Russian.
  • States that the "group" purchased large numbers of U/P lists; however, makes zero indication where the stolen content ends and the bought content begins.

Forbes: Firm That Exposed Breach Of 'Billion Passwords' Quickly Offered $120 Service To Find Out If You're Affected

The Verge: The Russian 'Hack of the Century' Doesn't Add Up

IT World: Massive Russian Hack Has Researchers Scratching Their Heads

Bruce Schneier: Over a Billion Passwords Stolen?

As expected, the hype is pretty high over this. But from the beginning, the story didn't make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn't a company that I had ever heard of before. (I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before, either.) The New York Times writes that "a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic," but we're not given any details. This felt more like a PR story from the company than anything real.

And a decent Reddit thread

Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
8/11/2014 | 11:43:22 AM
Re: Self-serving
I think Hold Security is just trying for headlines and money here.  They will not disclose how they discovered the credentials but for $120/ year they will let you know if you are on the list.  Sounds fishy to me.

http://tech.firstpost.com/news-analysis/one-billion-password-theft-firm-wants-users-to-pay-120-to-know-if-their-account-was-compromised-228573.html
Dolos.Apate
50%
50%
Dolos.Apate,
User Rank: Apprentice
8/7/2014 | 4:17:05 PM
Re: Self-serving
They are not asking you for your password. They are asking you for a Hash of your password, which they can then use to check if someone else has your password.

http://en.wikipedia.org/wiki/Cryptographic_hash_function
briancobbler
100%
0%
briancobbler,
User Rank: Apprentice
8/6/2014 | 4:48:23 PM
Re: Self-serving
I find it more interesting that Hold is going to offer a service to allow individuals to pay (based on other reports) to determine if you were compromised. The Hold webpage indicates that they even plan to ask for your passwords for this service.

"We have developed a secure methodology for you to share with us a very strong (SHA512) cryptographic representation of your passwords for verification."

What happened to security rule #1 being "don't give out your passwords" and now the people who are supposedly security exports are planning to ask for all of everyones passwords as part of their service. Any respect I had for Hold, just went out the window.

http://www.holdsecurity.com/news/cybervor-breach/
marklfeller
0%
100%
marklfeller,
User Rank: Apprentice
8/6/2014 | 3:58:22 PM
asada
My last pay check was $9500 working 12 hours a week online. My sisters friend has been averaging 15k for months now and she works about 20 hours a week. I can't believe how easy it was once I tried it out. This is what I do,

 

 

=======================

WWW.JOBS606.COM

======================= 
prospecttoreza
50%
50%
prospecttoreza,
User Rank: Strategist
8/6/2014 | 11:03:57 AM
Re: SQL injection attacks?
how's asp classic is any worse than java?

a good framework helps, but the biggest problem is the dynamic sql - concatenated in code from strings such as "select ... where col1 = '" & var1 & "' and col2 = '" and so on.

as long as you keep your sql in stored procedures, and set up the access correctly, you should be ok.

but it takes a lot of planning and dedication to keep the database access under control. it is so much easier for a programmer to just create that select on the fly, and for the manager to keep a blind eye to it.

so sql injection will live on.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/6/2014 | 10:36:39 AM
Re: SQL injection attacks?
Mainly old sites that were not re-developed with the latest frameworks. If we are still using ASP pages of course that would be a good option for black hats to try and exercise their skills.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/6/2014 | 10:33:21 AM
Re: a billion credentials is stolen
They may not end up with anything but this shows there are good amount of sites out there that are vulnerable to SQL injections.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/6/2014 | 10:31:26 AM
Not the number of records
 

The amount is huge and that make is impressive, however if you total last the breaches that will go beyond that, most of the time it is not the number of record it is what they end up with. Most passwords in most system are hashed, if a good algorithm is used it will take time for them to get the password and it may not even be worth after a while.
Page 1 / 2   >   >>
3 Ways to Retain Security Operations Staff
Oliver Rochford, Vice President of Security Evangelism at DFLabs,  11/20/2017
A Call for Greater Regulation of Digital Currencies
Kelly Sheridan, Associate Editor, Dark Reading,  11/21/2017
New OWASP Top 10 List Includes Three New Web Vulns
Jai Vijayan, Freelance writer,  11/21/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.