08.06.14

Computer security stupefaction

Posted in Culture of Lickspittle, Cyberterrorism at 9:00 am by George Smith

I stopped writing about most incident and general computer security issues because there’s no longer any point to it. The stories of large breaches and new vulnerabilities come, often in multiples, every day.

News of it is of no practical use to the average person. It’s an endless river of excrement and a fact of life signifying nothing except the always-on insecurity of the systems we are compelled to use every day.

So this is a bit of an exception. Hypocrisy? Yes, certainly. Guilty!

From the New York Times, a headline yesterday, of a small company that has determined Russian hackers have stolen passwords to 1.5 billion accounts:

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks …


[Mr. Alex Holden, the founder and chief information security officer of Hold Security], who is paid to consult on the security of corporate websites, decided to make details of the attack public this week to coincide with discussions at an industry conference and to let the many small sites he will not be able to contact know that they should look into the problem.

There is no reason to doubt it. But what is to be done with such a number? One and a half billion accounts, 500 million e-mail addresses.

It’s stupefying.

So is the expectation of a fix. It’s beyond that. There’s no way to deal with 1.5 billion potential compromised accounts. To think so is to believe you can change the weather.

Go to a computer security vendor conference and interest the Times in getting the word out and that will do it? Seriously? I bet Hold Security doesn’t even believe that.

So what do you do if you’re on the computer security news beat or a system host and you read this? Write yet another piece advising people of the great gravity of the problem/revelation and that they should change their passwords? Speak for the millionth time about closing vulnerabilities? Should you automate another script or widget to badger or force your clients and users with mostly inconsequential accounts into changing their passwords? Again?

It’s so obvious that works.
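For the system host in the paragraph above, the alternative to badgering every user is to find out which of your own accounts a dump actually touches. The script below is an added example, not code from this post or from Hold Security: it takes a constructed sample of leaked e-mail/password pairs and a constructed local user table of salted PBKDF2 hashes (the storage scheme, the example.com addresses and the passwords are all assumptions for the demonstration), and reports only the accounts whose current password matches the leaked one. Everyone else is left alone.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample of a credential dump: (email, plaintext password).
# Not real data; in practice this would be streamed from a large file.
LEAKED_CREDENTIALS: List[Tuple[str, str]] = [
    ("Alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
    ("carol@example.org", "Summer2014!"),
    ("dave@example.com", "letmein"),
    ("alice@example.com", "correct horse battery staple"),  # duplicate entry
]

PBKDF2_ITERATIONS = 50_000  # assumption: whatever the site's own policy is


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the assumed on-disk password format."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_record(password: str) -> Dict[str, bytes]:
    """Create a stored record with a fresh random salt (constructed test data)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed local user table keyed by lower-cased e-mail.
# alice reuses the leaked password; bob appears in the dump but with a
# password he does not use here; erin is not in the dump at all.
LOCAL_USERS: Dict[str, Dict[str, bytes]] = {
    "alice@example.com": make_user_record("correct horse battery staple"),
    "bob@example.com": make_user_record("a different password entirely"),
    "erin@example.com": make_user_record("erin-only-password"),
}


def affected_accounts(
    local_users: Dict[str, Dict[str, bytes]],
    leaked: List[Tuple[str, str]],
) -> List[str]:
    """Return the local accounts whose current password equals the leaked one.

    Only these accounts need a forced reset; a user who merely appears in
    the dump with some other site's password is not compromised here.
    """
    hits = set()
    for email, leaked_pw in leaked:
        key = email.strip().lower()
        record = local_users.get(key)
        if record is None:
            continue  # not one of our users, nothing to do
        candidate = hash_password(leaked_pw, record["salt"])
        # constant-time comparison, same as a login check would use
        if hmac.compare_digest(candidate, record["hash"]):
            hits.add(key)
    return sorted(hits)


def reset_plan(local_users: Dict[str, Dict[str, bytes]],
               leaked: List[Tuple[str, str]]) -> Dict[str, int]:
    """Summarise the outcome: how many accounts get a forced reset vs. none."""
    hits = affected_accounts(local_users, leaked)
    return {"force_reset": len(hits), "leave_alone": len(local_users) - len(hits)}


if __name__ == "__main__":
    print("accounts to reset:", affected_accounts(LOCAL_USERS, LEAKED_CREDENTIALS))
    print(reset_plan(LOCAL_USERS, LEAKED_CREDENTIALS))
```

The check hashes each leaked password under the stored salt and compares it to the stored hash, so it costs one PBKDF2 computation per dump entry that matches a local e-mail address; entries for addresses you do not host are skipped before any hashing. Here only alice gets a reset notice, which is the narrow, defensible action the dump supports.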


From the Big Book of Cynical and Supercilious Jokes:

How do we fix a billion and a half accounts with stolen credentials?

Easy, pay Keith Alexander a billion and a half dollars.

7 Comments

  1. Frank said,

    August 7, 2014 at 11:06 am

    It wouldn’t surprise me if the reports are true, given the propensity of many to run naked through the internet. For what it’s worth, Bruce Schneier is skeptical.

    https://www.schneier.com/blog/archives/2014/08/over_a_billion_.html

  2. George Smith said,

    August 7, 2014 at 11:38 am

    I didn’t mention it but he points out what I’ve thought for a long time. It’s not even humanly possible to take advantage of that many potential compromises. What do you do with files and files containing over a billion credentials? Sell them in bulk, I suppose, to others who won’t be able to handle them, either. Who, in turn, sell them…

    The sale of effectively almost worthless shite. The other side remains true. It’s like, so what? Who thinks badgering millions of average trivial users to change their passwords through their smartphones is something to do or even recommend?

    With a landing at the NY Times before a security convention, it was obviously also a publicity opp. More hype. Who wouldn’t think so? Not a new observation, another reason why I stopped doing comsec writing regularly. I wasn’t suited for it & came to generally despise the people and the process. And it shows.

    Reporting comsec vulnerabilities from the small business is publicity and, therefore, money. The computer security beat is dead.

  3. George Smith said,

    August 7, 2014 at 1:46 pm

    Here’s an example of the point I was making, how computer security reporting is, fundamentally, a load of crap and advice, while it may be right, just no longer makes much of a difference at all to the millions.

    The reporter, Molly Wood, means well but this is just like everything else for the last five years or more. Badger the users and clients with what they need to do at the point level, wash, rinse, repeat:


    “It bears repeating: Be smarter about passwords. Make sure they’re not easily guessed, and don’t reuse passwords across any sites that contain important information. That way, if one is compromised (and it almost certainly will be at some point), it can’t take down your entire digital identity.

    “Set up multifactor authentication — that is, multiple steps like a password and a text sent to your smartphone — where it’s available. It’s worth the effort. Be careful about what data you give out online: Use fake birth dates and make up your mother’s maiden name, if need be.

    “Assume it’s the Wild West out there. And be happily surprised when it is not.”

    Question, rhetorical: How long has it been the Wild West out there?

    http://bits.blogs.nytimes.com/2014/08/07/in-fight-with-hackers-we-are-on-our-own/

  4. Christoph Hechl said,

    August 9, 2014 at 6:27 am

    There is a fundamental error in assuming that passwords may be guessed.
    Under normal circumstances your credentials will not be stolen individually. Hackers will primarily attempt to compromise servers where they get entire databases or infect popular software to get credentials from scores of people in short time.
    Most likely the hacker will only be interested in selling said data and not use it him(her)self.
    The most important rule for hacking attempts: Attack where the developer didn’t expect it.

  5. George Smith said,

    August 9, 2014 at 11:26 am

    That would seem to be a neglected point in the NYT link I stuck in the comment.

  6. Ted Jr said,

    August 11, 2014 at 10:13 pm

    http://www.youarenotpayingattention.com/2014/08/08/the-lie-behind-1-2-billion-stolen-passwords/

    I think it’s just as likely the person in question is a shameless self promoting shill and this whole event just conveniently fits in with the ‘Vlad is Evil’ / ‘Rooshuns are evil’ meme which masquerades as current foreign policy.

    If this story is exposed as untrue, the next lie will already be told and no one will call them on that one either, after a couple of days have elapsed.

    ———-

    http://www.theregister.co.uk/2014/08/07/bgp_bitcoin_mining_heist/

    It appears Empty Gox has some followers still active.

  7. George Smith said,

    August 12, 2014 at 2:47 pm

    But if Hold can’t gather revenue to cover its costly and time-consuming research, “how are we to stay in business?” Holden asked.

    Still, some didn’t like the combination of the big security scare and the offer to sell services.

    Oh, perish forbid. It’s not like the guy’s covering rarely trod ground. I’m no fan, but he’s numbingly typical.

    Brian Krebs has been a journalist in the mainstream for awhile. Some will take the story. The NYT has a better track record on publicizing in this manner. And, of course, it was timed for Black Hat. One assumes the researcher who put an open wifi network scanner on his cat’s collar wished he could have received a little better publicity.