Tuesday, August 26, 2014

Ad by cosstminn | Close This Ad Technology Russian Hackers Amass Over a Billion Internet Passwords


A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.

Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.

Alex Holden of Hold Security said most of the targeted websites were still vulnerable. Credit Darren Hauck for The New York Times

Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”

Mr. Holden, who is paid to consult on the security of corporate websites, decided to make details of the attack public this week to coincide with discussions at an industry conference and to let the many small sites he will not be able to contact know that they should look into the problem.

There is worry among some in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant Target by hackers in Eastern Europe.

And in October, federal prosecutors said an identity theft service in Vietnam managed to obtain as many as 200 million personal records, including Social Security numbers, credit card data and bank account information from Court Ventures, a company now owned by the data brokerage firm Experian.

But the discovery by Hold Security dwarfs those incidents, and the size of the latest discovery has prompted security experts to call for improved identity protection on the web.

“Companies that rely on user names and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at the research firm Gartner. “Until they do, criminals will just keep stockpiling people’s credentials.”

Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers.

So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.

But selling more of the records on the black market would be lucrative.

While a credit card can be easily canceled, personal credentials like an email address, Social Security number or password can be used for identity theft. Because people tend to use the same passwords for different sites, criminals test stolen credentials on websites where valuable information can be gleaned, like those of banks and brokerage firms.

Like other computer security consulting firms, Hold Security has contacts in the criminal hacking community and has been monitoring and even communicating with this particular group for some time. Continue reading the main story How to Keep Data Out of Hackers’ Hands

For people worried about identity theft and privacy, the discovery by Hold Security of a giant database of stolen data is highly personal. But there are steps everyone can take to minimize the hackers’ impact.

The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are thought to be in Russia.

“There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”

They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity. Mr. Holden surmised they partnered with another entity, whom he has not identified, that may have shared hacking techniques and tools.

Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as an SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.

“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.

By July, criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.

“Most of these sites are still vulnerable,” said Mr. Holden, emphasizing that the hackers continue to exploit the vulnerability and collect data.

Mr. Holden said his team had begun alerting victimized companies to the breaches, but had been unable to reach every website. He said his firm was also trying to come up with an online tool that would allow individuals to securely test for their information in the database.

The disclosure comes as hackers and security companies gathered in Las Vegas for the annual Black Hat security conference this week. The event, which began as a small hacker convention in 1997, now attracts thousands of security vendors peddling the latest and greatest in security technologies. At the conference, security firms often release research — to land new business, discuss with colleagues or simply for bragging rights.

Yet for all the new security mousetraps, data security breaches have only gotten larger, more frequent and more costly. The average total cost of a data breach to a company increased 15 percent this year from last year, to $3.5 million per breach, from $3.1 million, according to a joint study last May, published by the Ponemon Institute, an independent research group, and IBM.

Last February, Mr. Holden also uncovered a database of 360 million records for sale, which were collected from multiple companies.

“The ability to attack is certainly outpacing the ability to defend,” said Lillian Ablon, a security researcher at the RAND Corporation. “We’re constantly playing this cat and mouse game, but ultimately companies just patch and pray.” Nicole Perlroth reported from San Francisco and David Gelles from New York City.

Friday, June 13, 2014

Your Secrets Aren't Safe

Data thieves are after your most private info—when you use Wi-Fi and shop online, and even when you store files in the cloud

Monday, April 07, 2014

Now drones are being used to expose bank details and passwords

Hackers manage to access 150 phones an hour through Wi-Fi Experts in London have proved it's possible to use drones to steal data They modified an aircraft capable of tapping into a phone's Wi-Fi settings Once it had access, it was able to read and steal personal information Called Snoopy, the drone takes advantage of smartphones that actively search for networks From this it can also see networks those devices have accessed in the past During tests, hackers exposed credit card information and passwords By Sarah Griffiths News that hovering drones can now steal passwords from unsuspecting phones will do little to ease fears that the widespread use of unmanned aircraft could infringe upon our privacy. Hackers in the U.S have managed to 'steal' information, including Amazon passwords, bank details and even people’s home addresses using an aircraft. While it might sound like the crime of the century, the exercise was an experiment to show it is possible to use drones to tap into a smartphone’s Wi-Fi settings and access valuable information

Hackers have proved that it is possible to steal information, including Amazon passwords, bank details and even home addresses from smartphones that have Wi-Fi turned on, using specially adapted drones (a stock image of a quadcopter is pictured)

The test was conducted in London and the group will share their findings at the Black Hat Asia cybersecurity conference in Singapore next week, CNN reported. The drone, known as Snoopy, seeks out smartphones that have Wi-Fi turned on. It then makes use of built-in technology which can see what networks the phones have accessed in the past. In theory, almost any drone could be adapted to do this. HOW CAN A DRONE STEAL SOMEONE'S IDENTITY? The drone, known as Snoopy, seeks out smartphones that have Wi-Fi turned on. It then makes use of built-in technology which can see what networks the phones have accessed in the past. In theory, almost any drone could be adapted to do this. Phones 'noisily' reach out to networks, according to the experts. Snoopy looks for this activity and when hovering nearby it emits a signal masquerading as another network. The phone ‘trusts’ that it is accessing a trusted Wi-Fi network but instead connects to the quadcopter's network. Snoopy can then intercept everything a smartphone sends and receives and allows skilled hackers to see passwords, bank details and the phone's location. . London-based Sensepost security researcher Glenn Wilkinson, said: ‘Their phone will very noisily be shouting out the name of every network its ever connected to. 'They'll be shouting out, “Starbucks, are you there?...McDonald's Free Wi-Fi, are you there?”’ When this happens, Snoopy hovers nearby and emits a signal masquerading as another network and the phone ‘thinks’ it is accessing a trusted Wi-Fi network. However, when it connects to the quadcopter’s network, Snoopy will intercept everything a smartphone sends and receives using a complicated method described by the company. Wilkinson said: ‘Your phone connects to me and then I can see all of your traffic.’ He is able to see the websites a person visits, any credit card information entered or saved, their location, usernames and passwords. In the wrong hands, this could potentially leave a mystified smartphone user out of pocket. The hackers managed to gain access by looking at a unique identification number known as a Media Access Control (MAC) address. This number matches web traffic to a specific device. To demonstrate the effectiveness of the technology, Wilkinson spent an hour with CNN showing them how he could obtain network names and GPS coordinates for 150 smartphones used by Londoners. While collecting metadata and network names is not strictly illegal, intercepting passwords and credit card details with the intent of using them is. The ethical hackers said they're demonstrating the technology to highlight how vulnerable smartphone users can be. The drones might seem even more threatening to people than remote hackers because the aircraft can hover close to potential ‘victims’ are incredibly mobile. There is a prospect that the technology could be put to good use for law enforcement purposes, however, such as identifying looters in a riot. While it is not thought that anyone is currently using this snooping technique in the real world, smartphone users can protect themselves by shutting off their Wi-Fi when they are not using it, or only access secure networks.