Ad by cosstminn | Close This Ad Technology Russian Hackers Amass Over a Billion Internet Passwords

By NICOLE PERLROTH and DAVID GELLESAUG. 5, 2014

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.

Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.

Alex Holden of Hold Security said most of the targeted websites were still vulnerable. Credit Darren Hauck for The New York Times

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”

Mr. Holden, who is paid to consult on the security of corporate websites, decided to make details of the attack public this week to coincide with discussions at an industry conference and to let the many small sites he will not be able to contact know that they should look into the problem.

There is worry among some in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant Target by hackers in Eastern Europe.

And in October, federal prosecutors said an identity theft service in Vietnam managed to obtain as many as 200 million personal records, including Social Security numbers, credit card data and bank account information from Court Ventures, a company now owned by the data brokerage firm Experian.

But the discovery by Hold Security dwarfs those incidents, and the size of the latest discovery has prompted security experts to call for improved identity protection on the web.

“Companies that rely on user names and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at the research firm Gartner. “Until they do, criminals will just keep stockpiling people’s credentials.”

Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers.

So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.

But selling more of the records on the black market would be lucrative.

While a credit card can be easily canceled, personal credentials like an email address, Social Security number or password can be used for identity theft. Because people tend to use the same passwords for different sites, criminals test stolen credentials on websites where valuable information can be gleaned, like those of banks and brokerage firms.

Like other computer security consulting firms, Hold Security has contacts in the criminal hacking community and has been monitoring and even communicating with this particular group for some time. Continue reading the main story How to Keep Data Out of Hackers’ Hands

For people worried about identity theft and privacy, the discovery by Hold Security of a giant database of stolen data is highly personal. But there are steps everyone can take to minimize the hackers’ impact.

The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are thought to be in Russia.

“There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”

They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity. Mr. Holden surmised they partnered with another entity, whom he has not identified, that may have shared hacking techniques and tools.

Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as an SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.

“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.

By July, criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.

“Most of these sites are still vulnerable,” said Mr. Holden, emphasizing that the hackers continue to exploit the vulnerability and collect data.

Mr. Holden said his team had begun alerting victimized companies to the breaches, but had been unable to reach every website. He said his firm was also trying to come up with an online tool that would allow individuals to securely test for their information in the database.

The disclosure comes as hackers and security companies gathered in Las Vegas for the annual Black Hat security conference this week. The event, which began as a small hacker convention in 1997, now attracts thousands of security vendors peddling the latest and greatest in security technologies. At the conference, security firms often release research — to land new business, discuss with colleagues or simply for bragging rights.

Yet for all the new security mousetraps, data security breaches have only gotten larger, more frequent and more costly. The average total cost of a data breach to a company increased 15 percent this year from last year, to $3.5 million per breach, from $3.1 million, according to a joint study last May, published by the Ponemon Institute, an independent research group, and IBM.

Last February, Mr. Holden also uncovered a database of 360 million records for sale, which were collected from multiple companies.

“The ability to attack is certainly outpacing the ability to defend,” said Lillian Ablon, a security researcher at the RAND Corporation. “We’re constantly playing this cat and mouse game, but ultimately companies just patch and pray.” Nicole Perlroth reported from San Francisco and David Gelles from New York City.

4 Places Never to Swipe Your Debit Card

Now drones are being used to expose bank details and passwords

Hackers manage to access 150 phones an hour through Wi-Fi Experts in London have proved it's possible to use drones to steal data They modified an aircraft capable of tapping into a phone's Wi-Fi settings Once it had access, it was able to read and steal personal information Called Snoopy, the drone takes advantage of smartphones that actively search for networks From this it can also see networks those devices have accessed in the past During tests, hackers exposed credit card information and passwords By Sarah Griffiths News that hovering drones can now steal passwords from unsuspecting phones will do little to ease fears that the widespread use of unmanned aircraft could infringe upon our privacy. Hackers in the U.S have managed to 'steal' information, including Amazon passwords, bank details and even people’s home addresses using an aircraft. While it might sound like the crime of the century, the exercise was an experiment to show it is possible to use drones to tap into a smartphone’s Wi-Fi settings and access valuable information

Hackers have proved that it is possible to steal information, including Amazon passwords, bank details and even home addresses from smartphones that have Wi-Fi turned on, using specially adapted drones (a stock image of a quadcopter is pictured)

The test was conducted in London and the group will share their findings at the Black Hat Asia cybersecurity conference in Singapore next week, CNN reported. The drone, known as Snoopy, seeks out smartphones that have Wi-Fi turned on. It then makes use of built-in technology which can see what networks the phones have accessed in the past. In theory, almost any drone could be adapted to do this. HOW CAN A DRONE STEAL SOMEONE'S IDENTITY? The drone, known as Snoopy, seeks out smartphones that have Wi-Fi turned on. It then makes use of built-in technology which can see what networks the phones have accessed in the past. In theory, almost any drone could be adapted to do this. Phones 'noisily' reach out to networks, according to the experts. Snoopy looks for this activity and when hovering nearby it emits a signal masquerading as another network. The phone ‘trusts’ that it is accessing a trusted Wi-Fi network but instead connects to the quadcopter's network. Snoopy can then intercept everything a smartphone sends and receives and allows skilled hackers to see passwords, bank details and the phone's location. . London-based Sensepost security researcher Glenn Wilkinson, said: ‘Their phone will very noisily be shouting out the name of every network its ever connected to. 'They'll be shouting out, “Starbucks, are you there?...McDonald's Free Wi-Fi, are you there?”’ When this happens, Snoopy hovers nearby and emits a signal masquerading as another network and the phone ‘thinks’ it is accessing a trusted Wi-Fi network. However, when it connects to the quadcopter’s network, Snoopy will intercept everything a smartphone sends and receives using a complicated method described by the company. Wilkinson said: ‘Your phone connects to me and then I can see all of your traffic.’ He is able to see the websites a person visits, any credit card information entered or saved, their location, usernames and passwords. In the wrong hands, this could potentially leave a mystified smartphone user out of pocket. The hackers managed to gain access by looking at a unique identification number known as a Media Access Control (MAC) address. This number matches web traffic to a specific device. To demonstrate the effectiveness of the technology, Wilkinson spent an hour with CNN showing them how he could obtain network names and GPS coordinates for 150 smartphones used by Londoners. While collecting metadata and network names is not strictly illegal, intercepting passwords and credit card details with the intent of using them is. The ethical hackers said they're demonstrating the technology to highlight how vulnerable smartphone users can be. The drones might seem even more threatening to people than remote hackers because the aircraft can hover close to potential ‘victims’ are incredibly mobile. There is a prospect that the technology could be put to good use for law enforcement purposes, however, such as identifying looters in a riot. While it is not thought that anyone is currently using this snooping technique in the real world, smartphone users can protect themselves by shutting off their Wi-Fi when they are not using it, or only access secure networks.

The Dangers of Using Wi-Fi on Smart Phones

The Dangers of Using Wi-Fi on Smart Phones by Phillip Richards The next time you use your smart phone’s Wi-Fi to access the internet be careful that you are not also exposing yourself to hackers who can actually access information on your phone and login passwords as well. There is a growing threat with the broad use of internet hotspots for hackers to steal information that they gather with fake Wi-Fi gateways. And once these crooks get you to use their Wi-Fi connection they can decrypt the information on your phone and then sell it to 3rd parties or use it themselves to steal your identity. It has been estimated that there are over 100 million smart phone users in the United States alone. And this number continues to grow as smart phones overtake the use of feature phones and the ordinary cell phones that once dominated the market. One of the most useful features of these phones is the ability to access the internet via Wi-Fi. But since this wireless connection to the internet requires no identification, all mobile browsers see is a name of a Wi-Fi hotspot. And even with the best identity theft protection with services like Lifelock and Trusted ID, you are still at risk of identity theft if you access public Wi-Fi hotspots with your smart phone. To make the problem even worse, many smart phones will connect to an available hotspot automatically without the cell phone user doing anything about it. So even if your smart phone is just powered on and just sitting there a crook with the right software and hardware can hack into your personal life when your phone connects to the Wi-Fi connection he has setup. Companies are working on making Wi-Fi more secure, but it is increasingly difficult with more public places making free internet access available. All a hacker has to do is visit a high-traffic public coffee shop or park and setup his own fake Wi-Fi gateway. Then, while a user is surfing the internet and entering usernames and passwords, this information is automatically being picked up with the hacker’s software. Identity thieves are using the information picked up from fake Wi-Fi hotspots to access email accounts, bank accounts, and Facebook accounts and all of this information can be used to steal an identity while the hacker remains completely anonymous. So what can smart phone users do to prevent this? First of all, instead of using a public Wi-Fi hotspot you should just use your phones service provider to access personal accounts. So if you want to check your email, login to Facebook, or check your bank account, just use your phone’s 3g or 4g service. You can still use public Wi-Fi hotspots but only use it for generic internet surfing. Any internet usage that will not give away any personal data should be fine. However, if you know the internet connect is secure you should be ok to use it on your smart phone. If your cell phone has the ability to automatically connect to hotspots whenever they become available you should turn this feature off. Or you can just turn the Wi-Fi off until you know you are going to use it. Having it on just drains your battery anyway, so you really have no reason to leave it on.

Here's a great free resource

Hi Everyone ,
Here's another great place that will help you out greatly .Learn from how stuff works

Identity Theft

It's Tax Time Again

Hi Everyone,
I hope all of you are keeping safe out there. When money is being exchanged the crooks are extra busy and at tax time with so much money and information floating around it pays to be safe. Here's an interesting twist i just heard about.

Extortion Virus Fools Victims Into Thinking They Must Buy Anti-Virus Software

What's Old Is New Again

Hi Everyone,
By now you've all heard about the gang of Soviet spies we had here in the states. One of the suspect went old school dumpster diving and graveyard hunting to create a new identity. It was discovered by the deceased's brother.

Soviet Spies

The Dangers of Using a Debit Card

Well summer is here and there will be lots of travel and the thieves wil be hard at work for your vaction dollars so please be aware.

Consumers need to be particularly careful during vacation season because identity thieves come out in droves. That makes it pivotal that consumers keep their debit cards on ice, said Beth Givens, director of the Privacy Rights Clearing House and one of the nation's foremost experts on keeping your private information private

Cebit Card Dangers

A Picture Is Worth A Thousand Words

Hello,
For all of you who like to learn by other than reading I've put together a couple of million words together all about identity theft and online scams. They are in the form of Identity Theft Videos

Please Don't Lose Your Mind

Hi Again,
In today's world of everyone trying to get in on the social craze some of us go overboard and overshare . This can leave us open to a wide variety of crime including credit card fraud and identity theft among others. To see what I mean check out

Please Rob Me

Microsoft Scores One For The Little Guy

Hi Everyone,

In the never ending battle against hackers it seems Microsoft is taking an aggresive approach to hinder the attacks leading to credit card fraud and identity theft this includes spam an malware

Stop Identity Theft

Latest Podcast

A Never Ending Battle

Identity theft and credit card fraud is constantly growing but hackers are being caught. here's a who's who of been causing all the chaos.

Convicted: Nine Notorious Hackers of Our Time

Experts Gather For Hackers' Convention

Every year in Arlington, Va., thousands of computer security experts, hackers and FBI agents attend BlackHat in hopes of learning how to stop the next big cyber threat. Events include hacking competitions and training, as well as lectures on computer security

Hackers Convention

Fighting Cybercrime

Welcome back,
It's now 2010 and things are really cranking up due to the recession and the rapid advancements in technology. I came across this story which will give you a great overall picture of things the way they are.

Fighting Cybercrime-One digital thug at a time

The Anonymous Net

Article for 'Wired' Magazine- ''the Anonymous Net' PDF

How To Avoid Identity Theft Audio

How To Stop Identity Theft

Man Spends 35 Years Trying To Clear His name

Hi Everyone,
I've been saying for years that becoming a victim of identity theft is like falling into a black hole. Many think it's just all hype but here is a real life example.

Read 35 yr.Identity Theft Story here

Major Data Breach Puts Millions At Risk

If the market meltdown, housing and bank crises weren't enough, U.S. consumers can now add the potential of massive credit and debit card fraud to the list financial concerns. A major processor of credit card transactions just disclosed its system had been hacked, putting millions of consumers at risk.

--------------------------------------------------------------------------------

The cyber-thieves went straight to the heart of one of the biggest and most respected credit and debit card processing companies in the country, Heartland Payment Systems of Princeton, N.J.

"It could be the largest breach ever," said cyber law attorney Andrew DeVore. "It would dwarf the largest prior breach."

Sources tell CBS News that hackers cracked Heartland's computers as far back as May of last year. But it wasn't until last week, after being alerted to suspicious activity by Visa and MasterCard, that the company uncovered malicious software in its system.

Heartland, which acts as a middle man between retailers and banks, processes 100 million transactions per month at an estimated 200,000 merchants nationwide - mainly gas stations, bars and restaurants.

The company says about it has alerted about 150,000 of them, but CBS News found several that didn't learn about the breach until we told them.

"I'm disappointed from that point of view that they wouldn't be up front and proactive. Because customers trust us to protect their records and they are the keeper of the record,'' said bar owner Peter O'Connell.

I think the release of information was a bit manipulative in the timing.

Security analyst Avivah Litan of Gartner GroupNow there are concerns the public company has downplayed the danger to untold millions of consumers.

"I think the release of information was a bit manipulative in the timing," said security analyst Avivah Litan of Gartner Group. "It was released on inauguration day, but the incident was known about for days before that."

The president of Heartland originally agreed to an interview with CBS News before canceling. We wanted to ask why the company's inauguration day in which it didn't even mention that millions of credit card numbers and expiration dates - the only information needed for fraud - were stolen.

Only today did Heartland say it doesn't know how many card numbers were compromised. It's only advice was for consumers to check their own statements to make sure they're not the latest victims of financial fraud.

Credit Card Theft

Yesterday's announcement of an unprecedented identity theft bust exposed just how difficult it is to protect commerce in the digital age.

The Justice Department charged 11 people with stealing more than 40 million credit card and debit card numbers.



This link leads to a series of reports on how difficult it's becoming to protect your personal info. As the holiday season approaches it's pays to be vigilant.

Notebook