Guru3D.com Forums

Another Mass website hack
(#1) tsunami231, Ancient Guru - 08-08-2014, 18:12 | posts: 3,497 | Location: USA

http://www.nytimes.com/2014/08/06/te...ials.html?_r=0

I am surprised no one posted this yet.
   
(#2) RavenMaster, Master Guru - 08-08-2014, 18:43 | posts: 527 | Location: UK

Reminds me of this

https://www.youtube.com/watch?v=m-konSUS_TA
   
(#3) Clouseau, Master Guru - 08-08-2014, 20:01 | posts: 448

This is nothing more than a fluff piece to get their corp's name out there. Welcome to the new age of advertising. Why is it a fluff piece? Even in the article it states that nothing has been done with the information that was "hacked/stolen". If the article was about this is what happened and this is how it is prevented, then it would have had substance.

The article also gives rise to a question of, if they are in contact with this group credited with the hack, are they funding them to drum up business? Adept use of fear is a very persuasive tool.

Last edited by Clouseau; 08-08-2014 at 20:06.
   
(#4) Veeshush, Maha Guru - 08-08-2014, 21:43 | posts: 915

Krebs covered it:

Quote:
Ok, but more than a billion credentials? That seems like a lot.

A: For those unfamiliar with the operations of large-scale organized crime syndicates, yes, it does. Unfortunately, there are more than a few successful cybercrooks who are quite good at what they do, and do it full-time. These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.

One micro example of this: Last year, I wrote about a botnet that enslaved thousands of hacked computers which disguised itself as a legitimate add-on for Mozilla Firefox and forced infected PCs to scour Web sites for SQL vulnerabilities.

Q: What would a crime network even do with a billion credentials?

A: Spam, spam and….oh, spam. Junk email is primarily sent in bulk using large botnets — collections of hacked PCs. A core component of the malware that powers these crime machines is the theft of passwords that users store on their computers and the interception of credentials submitted by victims in the process of browsing the Web. It is quite common for major spammers to rely on lists of billions of email addresses for distributing their malware and whatever junk products they are getting paid to promote.

Another major method of spamming (called “Webspam”) involves the use of stolen email account credentials — such as Gmail, Yahoo and Outlook — to send spam from victim accounts, particularly to all of the addresses in the contacts list of the compromised accounts.

Spam is such a core and fundamental component of any large-scale cybercrime operation that I spent the last four years writing an entire book about it, describing how these networks are created, the crooks that run them, and the cybercrime kingpins who make it worth their while. More information about this book and ways to pre-order it before its release in November is available here.

Q: Should I be concerned about this?

A: That depends. If you are the type of person who re-uses passwords at multiple sites — including email accounts — then the answer is yes. If you re-use your email password at another site and that other site gets hacked, there is an excellent chance that cyber crooks are plundering your inbox and using it to spam your friends and family to spread malware and to perpetuate the cybercrime food chain.

For a primer that attempts to explain the many other reasons that crooks might want to hack your inbox, your inbox’s relative market value, and what you can do to secure it, please see The Value of a Hacked Email Account and Tools for a Safer PC.
https://krebsonsecurity.com/2014/08/...mail-accounts/
   
(#5) Clouseau, Master Guru - 08-08-2014, 22:02 | posts: 448

"... I spent the last four years writing an entire book about it, describing how these networks are created, the crooks that run them, and the cybercrime kingpins who make it worth their while. More information about this book and ways to pre-order it before its release in November is available here..."


It's all about lending credence to and advertising the book he spent the last four years on.
   
(#6) Corrupt^, Ancient Guru - 08-08-2014, 22:53 | posts: 5,463 | Location: Belgium

Quote:
Originally Posted by Clouseau
"... I spent the last four years writing an entire book about it, describing how these networks are created, the crooks that run them, and the cybercrime kingpins who make it worth their while. More information about this book and ways to pre-order it before its release in November is available here..."


It's all about lending credence to and advertising the book he spent the last four years on.
I usually take this with a grain of salt. Stuff like this is often true but also often blown way out of proportion for all sorts of reasons... such as promoting a book.
   
(#7) tsunami231, Ancient Guru - 08-09-2014, 18:58 | posts: 3,497 | Location: USA

Everything on the web is blown out of proportion. The fact remains, if someone got access to 400k+ websites and their user/pass, people should be worried and change passes nonetheless.
   
(#8) Veeshush, Maha Guru - 08-09-2014, 19:03 | posts: 915

Quote:
Over a Billion Passwords Stolen?

I've been doing way too many media interviews over this weird New York Times story that a Russian criminal gang has stolen over 1.2 billion passwords.

As expected, the hype is pretty high over this. But from the beginning, the story didn't make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn't a company that I had ever heard of before. (I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before either.) The New York Times writes that "a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic," but we're not given any details. This felt more like a PR story from the company than anything real.

Yesterday, Forbes wrote that Hold Security is charging people $120 to tell them if they're in the stolen-password database:

"In addition to continuous monitoring, we will also check to see if your company has been a victim of the latest CyberVor breach," says the site's description of the service using its pet name for the most recent breach. "The service starts from as low as 120$/month and comes with a 2-week money back guarantee, unless we provide any data right away."

Shortly after Wall Street Journal reporter Danny Yadron linked to the page on Twitter and asked questions about it, the firm replaced the description of the service with a "coming soon" message.

Holden says by email that the service will actually be $10/month and $120/year. "We are charging this symbolical fee to recover our expense to verify the domain or website ownership," he says by email. "While we do not anticipate any fraud, we need to be cognizant of its potential. The other thing to consider, the cost that our company must undertake to proactively reach out to a company to identify the right individual(s) to inform of a breach, prove to them that we are the 'good guys'. Believe it or not, it is a hard and often thankless task."

This story is getting squirrelier and squirrelier. Yes, security companies love to hype the threat to sell their products and services. But this goes further: single-handedly trying to create a panic, and then profiting off that panic.

I don't know how much of this story is true, but what I was saying to reporters over the past two days is that it's evidence of how secure the Internet actually is. We're not seeing massive fraud or theft. We're not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords -- they've probably had most of them for a year or more -- and everything is still working normally. This sort of thing is pretty much universally true. You probably have a credit card in your wallet right now whose number has been stolen. There are zero-day vulnerabilities being discovered right now that can be used to hack your computer. Security is terrible everywhere, and it's all okay. This is a weird paradox that we're used to by now.

Oh, and if you want to change your passwords, here's my advice.

EDITED TO ADD (8/7): Brian Krebs vouches for Hold Security. On the other hand, they had no web presence until this story hit. Despite Krebs, I'm skeptical.

EDITED TO ADD (8/7): Here's an article about Hold Security from February with suspiciously similar numbers.
https://www.schneier.com/blog/archiv..._billion_.html

edit
Quote:
Originally Posted by Corrupt^
I usually take this with a grain of salt. Stuff like this is often true but also often blown way out of proportion for all sorts of reasons... such as promoting a book
Nah, I don't see Krebs engaging in fear mongering for book profit or whatnot - I think his readers really did pester his email asking him to cover the topic and give his thoughts on it (it happens a lot).



Quote:
Update: As several readers have pointed out, I am listed as a special advisor to Hold Security on the company’s Web site. Mr. Holden asked me to advise him when he was setting up his company, and asked if he could list me on his site. However, I have and will not receive any compensation in any form for said advice (most of which, for better or worse, so far has been ignored).
https://krebsonsecurity.com/2014/08/...mail-accounts/

Last edited by Veeshush; 08-09-2014 at 19:27.
   
(#9) Clouseau, Master Guru - 08-10-2014, 01:38 | posts: 448

Anyone who ran this story is running the fear campaign whether they thought they were duped or not. This guy is trying to sell his book and promote his company. Krebs still ran the story regardless of what he says afterwards. Yes, he is profiting off this story. He is profiting from the web traffic to his site in the form of how much a company is willing to pay for advertising space on his site. So to say he is not getting compensated; he would need to qualify that statement by saying not directly. Krebs is trying to run damage control.

Last edited by Clouseau; 08-10-2014 at 01:41.
   
(#10) Veeshush, Maha Guru - 08-10-2014, 02:11 | posts: 915

Right, Krebs doesn't run a site solely funded by donations. I don't think he and Alex Holden conspired together to run a story in hopes of making a killing in profit though.

Holden screwed himself on his own.
   
(#11) Veeshush, Maha Guru - 09-02-2014, 23:31 | posts: 915

bump

Someone just posted this over at Wilders. Good run down.
Quote:
The Lie Behind 1.2 Billion Stolen Passwords

Or: How Alex Holden Spends Most of the Day Chillaxing on TOR and Lurking Russian Hack Boards

Preface: I’d like to personally thank Rick Romell and Bill Glauber of the Milwaukee-Wisconsin Journal Sentinel for absolutely nailing this story out of the park with regard to localized research on Holden. That the number of credentials went from 4 billion, then to 1.2 billion, and then (as per Mother Jones) to ~500 million is absolutely absurd and warranted investigation. Both of you are absolutely awesome.

This will be short and sweet because Alex Holden does not need any further publicity for his actions. You have likely read the accusations that, earlier this week, Alex Holden of Hold Security announced to the NYT that he had discovered Russian hackers had stolen over 4 billion usernames and passwords. After running a duplication check, that narrowed to 1.2 billion and, while not often reported, that list was further whittled down to around 500 million individual users via unique email addresses.

Let’s look at the warning signs right off the bat:

Announces 4 billion passwords have been taken across 420,000 websites
Makes zero indication on how he learned this or how he obtained the output of 420,000 websites’ U/P data
Unbiased sources who have met Holden describe him as a generally acceptable individual with an aggressive approach to establishing clients. Chris Roberts, founder of Denver’s One World Labs, said that Holden “[...] has gone off and done his own thing [...] he has his way of doing it — very different than mine”
Refuses to indicate any of the sites compromised so that users can change their passwords as “there is an ongoing investigation”
No law enforcement agencies (local, state, or federal) have corroborated that they are investigating
Explains that he knows the names and locations of these hackers but not the group they are affiliated with
Offers a for-pay service for individuals and companies to see if their data is being compromised which is odd because that generally doesn’t happen during an investigation
Lied about where he went to school and graduated — the 2001 engineering degree from the University of Wisconsin-Milwaukee? That never happened as Holden never graduated.
Released information specifically during BlackHat for maximum attention when a very similar story was released in February by Hold Security.
Individuals quickly chimed in with similar-but-different ulterior motives: Chase Cunningham and Brian Krebs
Lacking a name for the criminal group, Holden simply references them as CyberVor — Vor meaning “thief” in Russian.
States that the “group” purchased large numbers of U/P lists; however, makes zero indication where the stolen content ends and the bought content begins.
http://www.youarenotpayingattention....len-passwords/
   
(#12) sykozis, Ancient Guru - 09-03-2014, 01:03 | posts: 16,587 | Location: US East Coast

Things like this get blown out of proportion because these so called "security experts" know that inciting fear is the easiest way to sell a product/service. Most of these "security experts" couldn't stop a "hacker" if their lives depended on it.


   