
8/5/2014
07:15 PM
Sara Peters
Biggest Cache of Stolen Creds Ever Includes 1.2 Billion Unique Logins

A Russian crime ring has swiped more than a billion unique username-password combinations, plus a half-million email addresses.

A Russian crime ring has amassed a gargantuan database of pilfered login credentials, including 1.2 billion unique username-password combinations and 542 million email addresses, Hold Security of Milwaukee said today. This makes it the largest known collection of stolen credentials to date.

According to Hold Security, the attackers used a botnet to hunt for sites vulnerable to SQL injection hacks. They compromised roughly 420,000 websites and lifted 4.5 billion username-password combinations in all; after eliminating duplicates, the number drops down to a no-less-impressive 1.2 billion unique login combos. Hold Security has not released the names of the victim sites.

What's puzzling is that the criminals have not put this goliath database to great use so far. They are not selling the records. They're merely using them to operate a spammer-for-hire service. Nevertheless, the incident underlines the persistent troubles of lax website security, inadequate monitoring, and single-factor authentication.

"At this stage of the game, using passwords for security is simply table stakes," David Rockvam, vice president of product management and marketing communications for Entrust, told us. "In order to truly protect our personal and financial information, second-factor authentication is a necessity."

Some companies "are not being proactive enough about security; therefore, they are ill equipped to detect these types of breaches," said Jay Kaplan, CEO of Synack. "In fact, it's likely that most of them do not even realize how many times they've been compromised, as it's very challenging to track compromises when you do not have a continuous security cycle to test against and prevent these types of attacks."

"Today, we have learned of a huge issue where it seems like billion passwords were stolen overnight," said John Prisco, CEO of Triumfant, "but in reality... crime rings have been stealing information for years. They've just been doing it undetected, because there hasn't been a concerted effort on the part of companies entrusted with this information to protect it. Vendors haven't delivered a truly defensive product until recently. For so many years, we've relied on antivirus, which just doesn't work. Vendors are in a transition period where the most effective products are not yet widely deployed."

Hold Security's researchers do not believe the attackers are politically motivated or have any connection with the Russian government. Russian entities were among the websites compromised.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
kstaron,
User Rank: Apprentice
8/28/2014 | 3:17:15 PM
Scary if true
While some people may be skeptical because the company won't divulge how they got the information, that might be more due to the fact that if they did, someone is going to get a lot of attention from Russian criminals. However, the part where the company now offers a service to tell you if you're on the list isn't doing their reputation any favors, given what they are charging for a search of a single login on a list they already have. If true, though, it is very scary as someone who has to rely on several companies to keep my info secure.
Steve Riley,
User Rank: Author
8/15/2014 | 3:44:47 PM
Count me skeptical
A lot of people are beginning to question the veracity of this story. For example, The Lie Behind 1.2 Billion Stolen Passwords:

Let's look at the warning signs right off the bat:

  • Announces 4 billion passwords have been taken across 420,000 websites
  • Makes zero indication on how he learned this or how he obtained the output of 420,000 website's U/P data
  • Unbiased sources who have met Holden describe him as a generally acceptable individual with an aggressive approach to establishing clients. Chris Roberts, founder of Denver's One World Labs, said that Holden "[...] has gone off and done his own thing [...] he has his way of doing it — very different than mine"
  • Refuses to indicate any of the sites compromised so that users can change their passwords as "there is an ongoing investigation"
  • No law enforcement agencies (local, state, or federal) have corroborated that they are investigating
  • Explains that he knows the names and locations of these hackers but not the group they are affiliated with
  • Offers a for-pay service for individuals and companies to see if their data is being compromised which is odd because that generally doesn't happen during an investigation
  • Lied about where he went to school and graduated — the 2001 engineering degree from the University of Wisconsin-Milwaukee? That never happened as Holden never graduated.
  • Released information specifically during BlackHat for maximum attention when a very similar story was released in February by Hold Security.
  • Individuals quickly chimed in with similar-but-different ulterior motives: Chase Cunningham and Brian Krebs
  • Lacking a name for the criminal group, Holden simply references them as CyberVor — Vor meaning "thief" in Russian.
  • States that the "group" purchased large numbers of U/P lists; however, makes zero indication where the stolen content ends and the bought content begins.

Forbes: Firm That Exposed Breach Of 'Billion Passwords' Quickly Offered $120 Service To Find Out If You're Affected

The Verge: The Russian 'Hack of the Century' Doesn't Add Up

IT World: Massive Russian Hack Has Researchers Scratching Their Heads

Bruce Schneier: Over a Billion Passwords Stolen?

As expected, the hype is pretty high over this. But from the beginning, the story didn't make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn't a company that I had ever heard of before. (I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before, either.) The New York Times writes that "a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic," but we're not given any details. This felt more like a PR story from the company than anything real.

And a decent Reddit thread

Robert McDougal,
User Rank: Ninja
8/11/2014 | 11:43:22 AM
Re: Self-serving
I think Hold Security is just trying for headlines and money here.  They will not disclose how they discovered the credentials but for $120/ year they will let you know if you are on the list.  Sounds fishy to me.

http://tech.firstpost.com/news-analysis/one-billion-password-theft-firm-wants-users-to-pay-120-to-know-if-their-account-was-compromised-228573.html
Dolos.Apate,
User Rank: Apprentice
8/7/2014 | 4:17:05 PM
Re: Self-serving
They are not asking you for your password. They are asking you for a Hash of your password, which they can then use to check if someone else has your password.

http://en.wikipedia.org/wiki/Cryptographic_hash_function
briancobbler,
User Rank: Apprentice
8/6/2014 | 4:48:23 PM
Re: Self-serving
I find it more interesting that Hold is going to offer a service to allow individuals to pay (based on other reports) to determine if you were compromised. The Hold webpage indicates that they even plan to ask for your passwords for this service.

"We have developed a secure methodology for you to share with us a very strong (SHA512) cryptographic representation of your passwords for verification."

What happened to security rule #1 being "don't give out your passwords"? Now the people who are supposedly security experts are planning to ask for all of everyone's passwords as part of their service. Any respect I had for Hold just went out the window.

http://www.holdsecurity.com/news/cybervor-breach/
prospecttoreza,
User Rank: Strategist
8/6/2014 | 11:03:57 AM
Re: SQL injection attacks?
How is ASP Classic any worse than Java?

A good framework helps, but the biggest problem is dynamic SQL, concatenated in code from strings such as "select ... where col1 = '" & var1 & "' and col2 = '" and so on.

As long as you keep your SQL in stored procedures, and set up the access correctly, you should be OK.

But it takes a lot of planning and dedication to keep the database access under control. It is so much easier for a programmer to just create that select on the fly, and for the manager to turn a blind eye to it.

So SQL injection will live on.
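The comment above describes the root cause exactly: when a query is assembled by string concatenation, user input is parsed as SQL syntax rather than treated as data. The example below is added here and is not from the article or any commenter; it uses a constructed in-memory SQLite table and shows that a perfectly legitimate value containing a quote (`O'Brien`) breaks the concatenated query, while the parameterized form (which gives the same data/code separation as the stored-procedure approach the commenter recommends) handles it correctly.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def lookup_concat(conn, username):
    # Dynamic SQL built from strings, the pattern the comment warns about.
    # The value is spliced into the statement text, so any quote character in
    # it is read by the database as SQL syntax, not as part of the name.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_param(conn, username):
    # Parameterized statement: the driver passes the value separately from
    # the query text, so it can never change the shape of the statement.
    row = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def demo():
    # Run both lookups for a plain name and for a name containing a quote,
    # recording either the result or the database error each approach yields.
    conn = make_db()
    results = {}
    for name in ("alice", "O'Brien"):
        try:
            results[("concat", name)] = lookup_concat(conn, name)
        except sqlite3.OperationalError as exc:
            # The concatenated query is now malformed: proof that input
            # reached the SQL parser as code rather than as data.
            results[("concat", name)] = "SQL error: " + str(exc)
        results[("param", name)] = lookup_param(conn, name)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The syntax error on the concatenated path is the same mechanism an injection relies on; a query that can be broken by an apostrophe in a surname can also be reshaped by crafted input, which is why the parameterized or stored-procedure form is the fix rather than input filtering.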
Dr.T,
User Rank: Ninja
8/6/2014 | 10:36:39 AM
Re: SQL injection attacks?
Mainly old sites that were not re-developed with the latest frameworks. If we are still using ASP pages of course that would be a good option for black hats to try and exercise their skills.
Dr.T,
User Rank: Ninja
8/6/2014 | 10:33:21 AM
Re: a billion credentials is stolen
They may not end up with anything, but this shows there is a good amount of sites out there that are vulnerable to SQL injection.
Dr.T,
User Rank: Ninja
8/6/2014 | 10:31:26 AM
Not the number of records
The amount is huge and that makes it impressive; however, if you total up the last breaches, that will go beyond that. Most of the time it is not the number of records, it is what they end up with. Most passwords in most systems are hashed; if a good algorithm is used, it will take time for them to get the password, and it may not even be worth it after a while.