This week’s cyber newsreel was dominated by a proclamation from a cybersecurity firm that it uncovered a massive heist of 1.2 billion usernames and passwords by a “Russian cyber gang.”
About 420,000 websites are allegedly affected by this years-long breach uncovered by Milwaukee-based Hold Security.
But what immediately struck me was that Hold Security gave the story to the New York Times as hackers and security companies gathered in Las Vegas for the Black Hat conference this week. That is nice exposure.
Then Hold Security—which claims to have in 2013 identified data breaches at Adobe Systems and “independently identified and tracked the Target breach,” and identified more than 360 million stolen credentials trafficked on the black market this year—stopped giving information. No names of hackers or victims, or how the firm cracked what was apparently a pretty darn good secret.
You can find out if you’re among the large list of stolen credentials…for a fee. Hold Security founder Alex Holden said the fee covers the firm’s expenses. Reports say he has since stopped responding to interview requests.
All of this has me confused. And I don’t feel bad about that because it looks like some cybersecurity experts and entrepreneurs are confused too. There is some doubt this is even legit, but a guy I happen to trust, security blogger Brian Krebs, has known Holden a while and says “it’s definitely for real.”
Won’t we find out soon if this is real when websites begin disclosing individual breaches? Don’t they have to in many cases? Or have they?
To me, there is a more important question because as of now, it appears these stolen credentials were used to send spam. But is this where we want to take cybersecurity? Do firms like Hold Security get to hold some information in their pockets until we empty ours?
Bruce Schneier, an internationally renowned security technologist, writes a great blog as well—especially for a guy like me still getting his cyber feet wet. Interestingly, he says this massive stockpile of passwords accumulated by the Russians (if that’s the case) is evidence of how secure the Internet is. “We’re not seeing massive fraud or theft. We’re not seeing massive account hijacking,” he writes. “A gang of Russian hackers has 1.2 billion passwords—they’ve probably had most of them for a year or more—and everything is still working normally.”
Speaking of Russia, congratulations to Edward Snowden. If you know me, you know to read the sarcasm. I contemplated writing a blog with the headline: “Snowden sentenced to 3 years…in Russia.”
I’m not giving my opinion re: Snowden because it’s really all over the map, which is probably why I could not get my thoughts together for even a semi-coherent blog. But dang that would’ve been a good headline.