It has been reported by just about every major media outlet that the largest heist of user data ever, carried out by a group of Russian hackers, took place recently: 1.2 billion passwords and 500 million email addresses. Over 420,000 websites are apparently involved.
Kashmir Hill from Forbes had the most interesting take on the story out of all the sites I read on the topic. Hill delved into how Hold Security, the security firm that uncovered the hack, was offering a service to tell people whether they were vulnerable.
From the article:
The New York Times dropped the freakiest security story since Heartbleed Tuesday, warning people that a “Russian gang has amassed over a billion passwords.” The story provides few details beyond hyperbolic numbers: “1.2 billion username and password combinations” and “more than 500 million email addresses” are in the hands of a group of 20-something hackers in Russia, according to the report. No specifics about the state of those passwords: whether they’re in clear-text — the worst case scenario — or in encrypted form. The Internet predictably panicked as the story of yet another massive password breach went viral.
We don’t know whose email addresses are included or which sites are affected, which helps fuel insecurity hysteria. The only use of the passwords the story mentioned was the hackers using them to break into Twitter accounts to send out spammy messages. The NYT says it found out about the hack from Alex Holden, of Milwaukee-based Hold Security, a security firm that looks for big hacks. He said the hackers got the passwords using a botnet and SQL injections — a popular hacking technique — but Holden “would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable,” reported the Times, which asked a third-party security expert to confirm that Hold Security’s database of stolen credentials was “authentic.” Holden wasn’t giving out details but he was willing to pump up the danger of the breach, telling the Times: “Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable.”
Read the full article here
Hill goes on to say that Hold Security offered people the ability to pay Hold Security “as low as $120” monthly to find out whether their site is affected by the breach. Hold Security put a page up on its site about its new breach notification service around the same time the New York Times story went up.
After others jumped on that story, with one reporter asking questions about the service, Alex Holden said the cost was $10 a month or $120 for the year.
It remains to be seen what info will come out and when sites and users will know they are no longer vulnerable.
This takes me to another story out on The Verge entitled “The internet doesn’t care about security.” Russell Brandom covered a story that I read earlier on PC World and blogged about on MorganLinton.com: a 17-year-old Australian teen was able to bypass two-factor authentication when using PayPal.
Joshua Rogers told PayPal on June 5, and they did nothing for two months. Rogers published his findings on his blog, Internot.info. At a time when people like to get on all young people for wanting everything fast and caring only about the money, Rogers shatters that stereotype. By going public he forfeited probably close to $3,000, which PayPal usually pays security researchers who uncover bugs. One of the requirements is that it is done confidentially and they don’t go public. Rogers said he did not care about the money, that money was not everything.
Russell Brandom goes on in his article to point out some things that really are disheartening when dealing with businesses. Most notably, “Companies rarely care about security.” If the choice is usability or security, usability will win out every time.
From the article:
PayPal’s bug is a great example. PayPal wanted to make it easy for eBay users to link their accounts, so the company set up a special cookie that identified anyone coming in from eBay. As it turned out, that cookie also let Rogers bypass PayPal’s two-factor protections. Fixing it should be simple, just disable the cookie and make eBay users log in the old-fashioned way. But if PayPal did that, fewer users would link the accounts and it would cost the company money — more money than they’re likely to lose as a result of this bug. Given the choice between security and usability, companies will take usability every time.
This is the central problem of every vulnerability report: researchers want to fix it and companies don’t. I’m usually more sympathetic to the security side, but the companies have a point too. It’s hard to make software with no vulnerabilities, just like it’s hard to make a door that can’t be broken into. As security ramps up, diminishing returns set in fast. You could put a three-inch steel door on your house, but it would be ugly and heavy and you don’t want to. Instead, you trust that no one will want to kick in your door. Aside from once-in-a-generation bugs like Heartbleed, most security failures don’t have much fallout, particularly for the companies that spawn them. Six months later, it’s hard to argue that Goto-Fail had much effect on Apple’s bottom line.
Instead, the bad effects show up at an ecosystem level. We’re left with a relatively unprotected web where nothing is perfect and (as Quinn Norton put it) everything is broken. Heavy-hitters like the NSA and China’s Unit 61398 can buy up vulnerabilities and break into most systems, while anyone without a corporate security budget is left to fend for themselves. PayPal isn’t the worst case — no one will die or go to jail over this bug — but it’s one more example of why the world of security can seem so bleak. The problem isn’t that we can’t protect ourselves, but that we don’t want to.
Read the full article here
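To make the bug class in the quoted passage concrete, here is an added, hypothetical model of a login flow (not PayPal's code, and not from the article): a partner-referral cookie that, in the flawed version, lets the server skip the second-factor step, beside a hardened version where the second factor is always verified server-side and the cookie only changes what the user sees afterwards. The cookie name, the user record, the fixed OTP code and the password hashing are all constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical cookie a partner site sets so the account-linking page is shown
# after login. It is client-controlled, so it must never decide authorization.
PARTNER_COOKIE = "linked_from_partner"
_SALT = b"demo-salt"  # constructed; a real system uses a per-user random salt


def _hash_password(pw: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000).hex()


# Constructed demo user. A real deployment would use TOTP rather than a fixed
# code; a static code keeps this example deterministic and offline.
USERS = {
    "alice": {"pw_hash": _hash_password("correct horse"), "otp": "482913"},
}


@dataclass
class Session:
    user: str
    password_ok: bool = False
    second_factor_ok: bool = False  # only the server may set this, after OTP check
    partner_linking: bool = False   # cosmetic: drives the "link accounts" page


def is_fully_authenticated(s: Session) -> bool:
    return s.password_ok and s.second_factor_ok


def _check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["pw_hash"], _hash_password(password))


def _check_otp(user: str, otp) -> bool:
    rec = USERS.get(user)
    return rec is not None and otp is not None and hmac.compare_digest(rec["otp"], otp)


def login_vulnerable(user: str, password: str, cookies: dict, otp=None) -> Session:
    """Flawed: a client-presented cookie decides whether the second factor is required."""
    s = Session(user)
    if not _check_password(user, password):
        return s
    s.password_ok = True
    if cookies.get(PARTNER_COOKIE) == "1":
        # Partner-referred users are waved through without a second factor.
        s.second_factor_ok = True
        s.partner_linking = True
        return s
    s.second_factor_ok = _check_otp(user, otp)
    return s


def login_hardened(user: str, password: str, cookies: dict, otp=None) -> Session:
    """Hardened: the second factor is always verified; the cookie affects only
    what the user sees after login, never what they are allowed to do."""
    s = Session(user)
    if not _check_password(user, password):
        return s
    s.password_ok = True
    s.second_factor_ok = _check_otp(user, otp)
    s.partner_linking = cookies.get(PARTNER_COOKIE) == "1"
    return s


if __name__ == "__main__":
    cookies = {PARTNER_COOKIE: "1"}
    print("vulnerable, cookie, no OTP:",
          is_fully_authenticated(login_vulnerable("alice", "correct horse", cookies)))
    print("hardened,   cookie, no OTP:",
          is_fully_authenticated(login_hardened("alice", "correct horse", cookies)))
    print("hardened,   cookie, OTP:   ",
          is_fully_authenticated(login_hardened("alice", "correct horse", cookies, otp="482913")))
```

The design point is that anything the client can present (a cookie, a referrer, a hidden form field) may influence presentation, but the server must track completion of each authentication step itself; a reviewer looking for this class of bug checks every code path that sets the "second factor done" flag and asks what input reached it.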
Personally, I don’t know when people are going to wake up; the comments on The Verge story were also filled with some salient points. The biggest point is that the user in most cases does not care about their own security. For some, they are lazy; for some, they are overwhelmed with possibly 8 passwords required at work, all with different requirements. Either way this has to change, and possibly companies are going to need to be regulated into being more secure. As more of our lives move online, I find this to be akin to a meat company selling meat with E. coli or a drug company not doing proper R&D on a new drug.