Russian crime ring steals 1.2 billion user name and password combinations, 500 million email addresses

“A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say,” Nicole Perlroth and David Gelles report for The New York Times.

“The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites,” Perlroth and Gelles report. “Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.”

“Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable,” Perlroth and Gelles report. “Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.”

“So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work. But selling more of the records on the black market would be lucrative,” Perlroth and Gelles report. “While a credit card can be easily canceled, personal credentials like an email address, Social Security number or password can be used for identity theft. Because people tend to use the same passwords for different sites, criminals test stolen credentials on websites where valuable information can be gleaned, like those of banks and brokerage firms.”

Read more in the full article here.

MacDailyNews Take: The problem was, and still is, that many people use one password for everything they do online. When one site is compromised, every other account that shares that password becomes accessible to criminals, which is exactly why stolen credentials get replayed against banks and brokerages.

Always use a unique password for every site, and let Apple’s Keychain Access and iCloud Keychain generate and manage them so you never have to remember or reuse one. Used properly, it works like a dream.
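The reporters describe criminals testing stolen credentials against other sites, and the Take above explains why password reuse makes that work. On the defender's side that replay is visible in authentication logs as one source trying many different usernames with mostly failures. The detector below is an added example, not code from the article or from Hold Security; the log format, the thresholds and the sample lines are constructed for illustration.

```python
# Added example (not from the article): flag credential-stuffing sources in
# authentication logs. A stolen credential dump replayed against a site shows
# up as one source trying many distinct usernames, mostly failing, with the
# occasional success where a reused password matched.
# The log format, thresholds and sample lines are constructed for illustration;
# adapt LOG_RE to your own auth logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (no real users or addresses). 203.0.113.7 walks a
# credential list; 198.51.100.9 is one user retyping their own password;
# 192.0.2.5 tries too few accounts to clear the threshold.
SAMPLE_LOG = """\
2014-08-05T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2014-08-05T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2014-08-05T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2014-08-05T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2014-08-05T10:00:05Z src=203.0.113.7 user=erin result=OK
2014-08-05T10:00:06Z src=203.0.113.7 user=frank result=FAIL
2014-08-05T10:00:07Z src=203.0.113.7 user=grace result=FAIL
2014-08-05T10:01:00Z src=198.51.100.9 user=alice result=FAIL
2014-08-05T10:01:10Z src=198.51.100.9 user=alice result=FAIL
2014-08-05T10:01:20Z src=198.51.100.9 user=alice result=OK
2014-08-05T10:02:00Z src=192.0.2.5 user=heidi result=FAIL
2014-08-05T10:02:05Z src=192.0.2.5 user=ivan result=FAIL
2014-08-05T10:02:10Z src=192.0.2.5 user=judy result=OK
"""


def parse_events(lines):
    """Yield (timestamp, source, username, success) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["user"], m["result"] == "OK"


def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.8):
    """Return {source: summary} for every source whose events in some sliding
    window cover at least min_users distinct usernames with at least
    min_fail_ratio failures. The summary lists the accounts that did log in
    from a flagged source: those are the reused passwords to reset."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse_events(lines):
        by_src[src].append((ts, user, ok))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span is at most `window` long.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                alerts[src] = {
                    "distinct_users": len({u for _, u, _ in events}),
                    "attempts": len(events),
                    "failures": sum(1 for _, _, ok in events if not ok),
                    "compromised": sorted({u for _, u, ok in events if ok}),
                }
                break  # one hit is enough; report the source once
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info}")
```

Only 203.0.113.7 is flagged; the single user retrying their own password and the source that touched only three accounts stay below the thresholds. The "compromised" list (here just erin) is the actionable output: those logins succeeded because a password leaked elsewhere was reused, so they need a forced reset and a notification, not just a block on the source address.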

17 Comments

  1. As derss points out above, this report is fishy specifically because it is being used as a publicity stunt. It was perfectly timed. And if you read the source report, you find yourself being victimized by incessant marketing to buy the services of the reporting company. I’ve never seen such an ingenuous security report ever.

    The source of the security breaches, according to the report, is the very old and commonly known problem of SQL code injection. SQL (a database platform common on the web) has been known to have inherent security flaws for over a decade. It literally is of no surprise to any SQL literate user that this is a problem that requires careful coding to avoid.

    There has already been some thrashing of the data provided by the reporting source. [Note how I avoid advertising their name]. But a lot more scrutiny will be forthcoming along with an eventual public list of the websites that have been breached. For now, there are ongoing attempts to contact the administrators of these websites in order to let them patch up the problems and contact their users.

    One huge enabling factor in the record setting breach of website security has been the vast proliferation of botted/zombied/PWNed computers across the Internet. In the past, Macs have been implicated in a couple botnets. But the overwhelming majority of botted computers are running, you guessed it, WINDOWS. And that’s not because there are a lot more Windows boxes to bot. It’s because Windows has far more security holes as demonstrated by there being over 1000x more malware for Windows on a per-user basis. (So please don’t pull any ‘security through obscurity’ nonsense around here please. We’ll roast you alive).

    As for SQL: Find a safer alternative folks. Its security inherently sucks bad.

  2. As derss points out above, this report is fishy specifically because it is being used as a publicity stunt. It was perfectly timed for a major security convention. And if you read the source report, you’ll find yourself being victimized by incessant marketing to buy protection services from the reporting company. I’ve never seen such an ingenuous security report ever.

    There has already been some thrashing of the data provided by the reporting source. [Note how I avoid using their name as I have zero interest in promoting their business]. But a lot more scrutiny will be forthcoming along with an eventual public list of the websites that have been breached. For now, there are ongoing attempts to contact the administrators of these websites in order to let them patch up the problems and contact their users.

    (More about the situation in a further post…)

    1. The source of the security breaches, according to the source report, is the very old and commonly known problem of SQL code injection. SQL (a database platform common on the web) has been known to have inherent security flaws for over a decade. It literally is of no surprise to any SQL literate user that this is a problem that requires careful coding to avoid.

      One huge enabling factor in the record setting breach of website security has been the vast proliferation of botted, zombied, PWNed computers across the Internet. In the past, Macs have been implicated in a couple botnets (all since shut down and the malware eliminated). But the overwhelming majority of currently botted computers are running, you guessed it, WINDOWS. And that’s not because there are a lot more Windows boxes to bot. It’s because Windows has far more security holes as demonstrated by there being over 1000x more malware for Windows on a per-user basis. (So please don’t pull any ‘security through obscurity’ nonsense around here please. Thank you).

      As for SQL: Find a safer alternative folks.

    2. … For reasons unknown, my further notes about this security breach report are being auto-censored by WordPress: “Your comment is awaiting moderation,” which means it was flung into a black hole. So here’s the abbreviated version:

      All of the accounts were stolen by way of bad SQL database coding on the hacked websites. Nearly all of the insecure websites were identified through the use of a vast botnet of, you guessed it, PWNed Windows boxes.

        1. Eventually the list of ~400,000 (reportedly) breached websites will be made public. We have to wait while hopefully these sites are contacted and clean up their code.

          BTW: I’m going to guess that the bad code in these cases comes from readily available and popular object SQL code. Like the all too common buffer overruns in C object code, this is one of the big drawbacks of object oriented programming. One, ahem, not-so-good coder writes up something super useful that everyone enjoys using, except oops, it’s insecure and nobody bothered to go back and vet the object code for problems. Despite all the wonderful hype, this remains a common problem within the open source community: You can see the code! But nobody bothers to thrash through it for problems. Bleh.
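Both commenters above name SQL injection as the way the credentials were harvested. The flaw is not in SQL itself but in building a statement by pasting user input into it; the defense is a parameterized query, where the statement's grammar is fixed before any input arrives. The following is an added example written for this page, not code from the comments or from any breached site, using an in-memory SQLite table with constructed rows and placeholder hashes. It shows the vulnerable lookup beside its fix, plus the two payloads an attacker would typically use: a tautology to dump every row, and a UNION to read the schema first.

```python
# Added example (not from the comments or any breached site): a login lookup
# that concatenates user input into SQL, beside the parameterized fix.
# In-memory SQLite with constructed rows; the hashes are placeholder strings.
import sqlite3


def make_db():
    """Constructed sample table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, email) VALUES (?, ?, ?)",
        [
            ("alice", "$2b$12$placeholder-hash-for-alice", "alice@example.com"),
            ("bob", "$2b$12$placeholder-hash-for-bob", "bob@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation, so the input is parsed
    as part of the SQL and can change what the query does."""
    sql = ("SELECT username, email, password_hash FROM users "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Binds the value as a parameter; the statement is parsed first and the
    input is only ever compared as data, never interpreted as SQL."""
    return conn.execute(
        "SELECT username, email, password_hash FROM users WHERE username = ?",
        (username,),
    ).fetchall()


# Tautology payload: closes the quoted literal and appends a condition that is
# always true, so the WHERE clause matches every row and the table is dumped.
DUMP_PAYLOAD = "nobody' OR '1'='1"

# Schema-discovery payload: the UNION pulls table names and CREATE statements
# from sqlite_master; the trailing -- comments out the template's closing quote.
SCHEMA_PAYLOAD = "nobody' UNION SELECT name, sql, '' FROM sqlite_master --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, dump payload:", lookup_vulnerable(db, DUMP_PAYLOAD))
    print("vulnerable, schema payload:", lookup_vulnerable(db, SCHEMA_PAYLOAD))
    print("safe, dump payload:", lookup_safe(db, DUMP_PAYLOAD))
    print("safe, real user:", lookup_safe(db, "alice"))
```

Against the vulnerable function the dump payload returns every username, email and hash, which is the kind of haul the article describes, and the schema payload reveals the table layout that makes targeting the right columns easy. The parameterized version returns nothing for either payload, because the whole string is compared against the username column as a value. Note that the fix is the query construction, not the choice of database; and a site that stores passwords in plaintext rather than hashed leaks usable credentials the moment any such query is exploited.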
