There is a story out that Russian cyber gangs stole 1.2 billion passwords. I think the story is FAKE. You’ll notice the story lacks any details about who and how this happened. They say it was from 400,000 web sites. Running what? How could they know that? I think it’s bull.
You noticed that too, huh? My miff stems from the only link to the claim on my regulars being the NYT paywall site. For a whole day! — Even the HN at Y Combinator link went to the NYT this morning….
“”With hundreds of thousands sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.
http://holdsecurity.com/news/cybervor-breach/
I guess they didn’t have to say ‘Yahoo!’, … , gaysexymidget, …
“”Do not panic! Try to strategize.”” — I note that these guys are offering three subscription services to nag you in the future to pay them to protect you from this kind of thing…
——————————————–
But, being full of pi, I feel this is another *ruse*. Perhaps somebody is remastering a record of misplaced names/numbers and they want everybody checking everything now to correlate several categories of known/unknowns??
Yea, that is it. There is this bitch running for water commissioner district #5 that we would like to blackmail. We have her password for El3vator.com but forgot what she looks like — and they are all sluts there.
We’re mostly interested in old/abandoned accounts somebody may have set up from a library or something…. Also, we think you might have Ebola and we’re gonna break out of our benevolent guidance to go ahead and let you know.
“”Running what? How could they know that?
That part is relatively straightforward… unless you think it reprehensible to port scan — it will tell you what is running on those ports; find the application vulnerable to the SQL injection and then wonder why my neighbor hasn’t already done that to me…
http://nmap.org/
If you think it’s bull then perhaps this lil’ bit o lernin’ will help:
http://youtube.com/watch?v=yoMOAIzBSpY
http://youtube.com/watch?v=wo19Y4tw0l8
Now that you have watched, you too now know that stealing passwords is total Hollywood crap! But stealing personal information like that which might be contained in an address book or database is a completely different matter — and still, passwords aren’t saved like that.
So it seems to me that another so-called unbiased (plagiarizing) junior journalist has struck with some more bogus facts. It’s probably in some kind of twisted attempt to once again vilify Russia, since the first step in any war is to vilify one’s own enemy (usually by de-humanizing them as criminals and then as low-brow, unintelligent animals). That’s not to say that there isn’t a story to be told here — and we still haven’t got all the details. But if you thought anyone in the news “business” (like a reporter) had his/her facts straight, think again!
CBS does seem poised to become the next FOX or CNN when they allow crap like this to happen. So perhaps the bigger story here might be who allowed it to go to press.
“”Now that you have watched, you too now know that stealing passwords is total Hollywood crap!
Ouch! I’d have thought you’d have heard of *rainbow tables*, being a flamer and all…
http://en.wikipedia.org/wiki/Rainbow_table
stealing passwords is total Hollywood crap!
wait until you hear our child safety seat ones…
Let me clear something up:
… stealing actual passwords is total Hollywood crap! But stealing information which might be contained in an address book or a database ( which MIGHT even have a password written down in said database ) is a completely different matter — and still, passwords aren’t usually saved like that. NOT by competent professional entities, that is.
Very simply, (ASCII) passwords are NOT kept in a database as most of YOU and even certain CBS journalists seem to believe. HASHES (which require mathematical computations to reconstruct) ARE! But then, you’d know that if you watched the video which explains it.
Thanks for clearing that up.
“”Rainbow tables are not always needed, for there are simpler methods of hash reversal available. Brute-force attacks and dictionary attacks are the simplest methods available
http://en.wikipedia.org/wiki/Rainbow_table#Background
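The two comments above (passwords are stored as hashes, and those hashes fall to dictionary or brute-force attacks when the scheme is weak) can be shown concretely. The following is an added example written for this page, not code from any poster or from Hold Security. Everything in it is constructed: the wordlist, the “leaked” user table, and the iteration count are placeholders, and the function names are mine. It contrasts an unsalted MD5 store, which one precomputed lookup table reverses for every user at once, with per-user salted PBKDF2, where no shared table helps and every guess costs a full key-derivation run.

```python
"""Added example: why an unsalted hash store cracks in bulk and a salted,
slow-KDF store does not. All data below is constructed for illustration."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a real password dictionary.
WORDLIST: List[str] = ["123456", "password", "letmein", "idontcare", "qwerty", "dragon"]

# Constructed "leaked" table using the weak scheme: unsalted MD5 hexdigests.
LEAKED_MD5: Dict[str, str] = {
    "alice": hashlib.md5(b"letmein").hexdigest(),
    "bob": hashlib.md5(b"idontcare").hexdigest(),
    "carol": hashlib.md5(b"Tr0ub4dor&3!x").hexdigest(),  # not in the wordlist
}


def build_lookup(words: List[str]) -> Dict[str, str]:
    """Precompute digest -> word once. With no salt, the same digest appears for
    the same password on every user and every site that used plain MD5, so this
    one table (the idea behind a rainbow table, minus the chain compression)
    reverses all of them without recomputing anything per user."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def crack_unsalted(leaked: Dict[str, str], words: List[str]) -> Dict[str, Optional[str]]:
    """Dictionary attack against unsalted hashes: one table lookup per user."""
    table = build_lookup(words)
    return {user: table.get(digest) for user, digest in leaked.items()}


# --- the hardened scheme: per-user random salt plus a slow KDF ---------------
ITERATIONS = 100_000  # assumption: placeholder; tune upward for real deployments


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Store salt, iteration count and PBKDF2-HMAC-SHA256 digest; never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": ITERATIONS}


def verify(record: Dict[str, object], attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["digest"])


def crack_salted(records: Dict[str, Dict[str, object]], words: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack against salted records: no shared table is possible, so
    every (user, word) pair costs a full KDF run. Returns what was recovered and
    how many KDF calls were spent, to make the cost difference visible."""
    found: Dict[str, str] = {}
    kdf_calls = 0
    for user, rec in records.items():
        for w in words:
            kdf_calls += 1
            if verify(rec, w):
                found[user] = w
                break
    return found, kdf_calls


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted(LEAKED_MD5, WORDLIST))
    recs = {"alice": make_record("letmein"), "bob": make_record("idontcare")}
    print("salted PBKDF2:", crack_salted(recs, WORDLIST))
```

Note that salting does not save a weak password: “letmein” still falls in this run. What it removes is the bulk discount, since the attacker pays the KDF cost per user instead of once for the whole dump, and two users with the same password no longer share a digest.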
hehehehe…. Hey, Beavis; he said “hash”.
Still suffering from a RAT… I BELIEVE whatever this OP is about.
I do believe it is one password stolen 1.2 billion times.
I’m not a math guy, but I think the equation works.
Looks like I “may” have gotten the Trojan ADH2, and Comcast’s free Norton Anti-Virus may have cleaned it out. I don’t know….. magic is like that.
This story is simply a way to encourage many to change their passwords so that the latest gathering techniques can gather.
I think you are correct, sir. And, since this is an American firm, I’d give as much credence to their analysis toward ‘secure’ as I would their avid disavowal of their love of fish heads.
Still working on my Trojan, I read the short article at the link.
I believe it. No reason not to.
I suspect that most of the passwords are irrelevant ones to recipe forums, ZaptoIt tv Listings, Facedbook, and what not.
NOT, the basis of our growing economy: the encrypted transaction cash for goods and services accounts?
……… although from what I’ve been looking at the last few days, I don’t see how the key-logging Trojans wouldn’t be causing a meltdown RIGHT NOW! Spidey tells me the “banks” can tell when the cash transfer request comes from the “real” computer versus a Trojaned computer; otherwise our entire financial system would be gray goo right now.
What am I missing?
I think it’s fake too. Why aren’t NA posted here anymore? 🙁
Probably since we’re a bunch of asstards kibitzing about bullshit instead of commenting on the show.
Adam and John do such a good job, there is no need to… However, some may wander here to this necro-chamber and get the wrong idea.
Me, the most common password I use is “idontcare”. Do I REALLY care that I have to have a user ID and password to submit comments to the local paper? Hell no! Now, if it’s something I care about, like my bank, I use a simple scheme that I was taught a long time ago. Think of a song, then add something else, like the first name of the girl you lost your, ahem, virginity to.
So, the ants go two by two and Cindy turns into
TAgm2x2TAgm2x2C1ndy – figure that one, Putin!
“”like the first name of the girl you lost your, ahem, virginity to
fuck. me. running. Is there an ASCII for {null string}??
I think that the story is more real than not. Forbes security writer Kashmir Hill found out last night that Hold Security was charging a person $120 to see if they’ve been hacked. The company has since taken down the page. Here’s her story with a screenshot of this page:
http://forbes.com/sites/kashmirhill/2014/08/05/huge-password-breach-shady-antics/?&_suid=140736849300307749188891611993
The New York Times article that broke the story states a very plausible method – Use of giant botnets that direct the infected computers to execute an SQL injection against a website upon login from the infected botnet computer.
Question: Couldn’t this be prevented if the passwords were stored in encrypted form?
Yes! Thank you for something a little more credible than some idiot with CBS saying the sky is falling.
“[quote]… passwords stolen.” Kiss my ass! It was INFORMATION that was stolen. Even more interesting is how it was done — or allowed to happen.
The fact that any database is so easily accessed is the real story here. It’s a bit like a 7-11 using a part of the check out counter for storage of money instead of putting it in a cash register or any other kind of drawer and then being shocked that some/all of it was stolen.
The fact that actual passwords and not password hashes are even kept is another issue. The very thought of storing user passwords along with user credentials in the same company database should have people up in arms. And not just stored in one old database but one that is either unencrypted or encrypted with a very crackable password itself! (Psssst! the password is “password” Mister Ludden.)
Sure, you might want to mention the criminals. But it’s really a wonder that with such rampant pompous stupidity in the IT circles that everyone in every developed country isn’t a victim of ID theft by now.
“”rampant pompous stupidity in the IT circles
You’re pretty good at hula hoops, are you not?
Krebs says it’s real
http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/
A pretty nifty ‘splainer.
From a reader comment
— Hold Security already reported this 2 months ago. At that time with zero details. Now a bit more, but it is also introducing its new paid service to see if you are hacked.
Now don’t get me wrong, it is fine to earn money on work like this, but it feels in this case like recycling an old discovery for PR purposes … —
———————–
SQL? where have I heard this before??
School: …Did you really name your son Robert’); DROP TABLE Students;–?
http://bobby-tables.com/
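Several posts above turn on the same mechanism: the NYT account of bots firing SQL injection at login forms, the question of whether stored passwords would have helped, the complaint that the database held real passwords rather than hashes, and the Bobby Tables joke. The block below is an added example for this page, not code from the NYT, Hold Security or any commenter. It builds a constructed in-memory SQLite table with three made-up users and plaintext passwords (the weak practice the thread complains about), shows a login query built by string concatenation being bypassed and then used to pull every username:password pair out through the login response, and shows the parameterized version refusing both. The function names and the sample rows are mine.

```python
"""Added example: SQL injection against a string-built login query, and the
parameterized fix. The user table is constructed for illustration only."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample table. Passwords are stored in the clear, which is the
    practice criticized above; with salted hashes the UNION pull below would
    yield digests, not passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "hunter2"), ("alice", "letmein"), ("bob", "idontcare")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Builds the statement with f-string interpolation, so the quotes, the
    comment marker (--) and the UNION keyword in user input become SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Parameterized: the driver passes input as data, never as SQL text."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?", (username, password)
    )
    return [row[0] for row in rows]


# Payloads an injecting bot might send in the username field of a login form.
BYPASS = "admin'--"                                   # closes the string, comments out the password check
DUMP = "' UNION SELECT username || ':' || password FROM users--"  # appends every credential to the result
STACKED = "x'; DROP TABLE users;--"                   # the Bobby Tables form


def stacked_statement_blocked(conn: sqlite3.Connection) -> bool:
    """Caveat: Python's sqlite3.execute() refuses a second statement in one call,
    so the DROP TABLE payload fails here even though the query is injectable.
    That is a property of this driver, not a defense; executescript() and some
    other database clients would run it. Returns True if the table survived."""
    try:
        vulnerable_login(conn, STACKED, "y")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        pass
    return conn.execute("SELECT count(*) FROM users").fetchone()[0] == 3


if __name__ == "__main__":
    db = make_db()
    print("bypass:", vulnerable_login(db, BYPASS, "anything"))
    print("dump:  ", vulnerable_login(db, DUMP, "x"))
    print("safe:  ", safe_login(db, BYPASS, "anything"), safe_login(db, DUMP, "x"))
    print("stacked blocked by driver:", stacked_statement_blocked(db))
```

The DUMP payload is the part that matters for the story as reported: a site that returns any row content on login hands back its whole credential table through the same form, one request per site, which is exactly the kind of task a botnet can repeat across hundreds of thousands of hosts.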
Krebs would be more convincing if he weren’t on Hold Security’s board and hawking his own book on the subject in his article. . .
I’ll admit that it’s probably the first time I’ve visited the site… I’ve always just taken the excerpts as ‘pretty credible’… I guess I still think that as his writing ‘rings true’ to an uninitiate as myself.
Deer in headlights?? Having to explain that his wife is having a rather heavy period and wouldn’t want to bleed all over the seats??
I feel his pain.
Story gets more detailed: here is a short article implying most of the info is probably garbage of little worth:
http://computerworld.com/s/article/9250212/Massive_Russian_hack_has_researchers_scratching_their_heads?source=rss_latest_content&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29
Given I’m still sensitive to these types of issues, I’ll be going through this info closely:
http://howtogeek.com/98601/easily-monitor-your-computers-internet-connection-activity/
Knowledge is Power===>to the stars, and beyond!!!!!
Just another attempt at FUD. Fear, Uncertainty, and Doubt.