A Russian crime ring has amassed the largest known collection of stolen Internet
credentials, including 1.2 billion user name and password combinations and more
than 500 million email addresses, security researchers say.
Hold Security would not name the victims, citing nondisclosure agreements and a
reluctance to name companies whose sites remained vulnerable. At the request of
The New York Times, a security expert not affiliated with Hold Security analyzed
the database of stolen credentials and confirmed it was authentic. Another
computer crime expert who had reviewed the data, but was not allowed to discuss it
publicly, said some big companies were aware that their records were among the
stolen information.
“Hackers did not just target U.S. companies, they targeted any website they could
get, ranging from Fortune 500 companies to very small websites,” said Alex
Holden, the founder and chief information security officer of Hold Security. “And
most of these sites are still vulnerable.”
Mr. Holden, who is paid to consult on the security of corporate websites, decided to
make details of the attack public this week to coincide with discussions at an
industry conference and to let the many small sites he will not be able to contact
know that they should look into the problem.
There is worry among some in the security community that keeping personal
information out of the hands of thieves is increasingly a losing battle. In December,
40 million credit card numbers and 70 million addresses, phone numbers and
additional pieces of personal information were stolen from the retail giant
Target by hackers in Eastern Europe.
Image: Alex Holden of Hold Security said most of the targeted websites were still vulnerable. Credit: Darren Hauck for The New York Times
But the discovery by Hold Security dwarfs those incidents, and the size of the latest
discovery has prompted security experts to call for improved identity protection on
the web.
“Companies that rely on user names and passwords have to develop a sense of
urgency about changing this,” said Avivah Litan, a security analyst at the research
firm Gartner. “Until they do, criminals will just keep stockpiling people’s
credentials.”
Websites inside Russia had been hacked, too, and Mr. Holden said he saw no
connection between the hackers and the Russian government. He said he planned
to alert law enforcement after making the research public, though the Russian
government has not historically pursued accused hackers.
So far, the criminals have not sold many of the records online. Instead, they appear
to be using the stolen information to send spam on social networks like Twitter at
the behest of other groups, collecting fees for their work.
But selling more of the records on the black market would be lucrative.
While a credit card can be easily canceled, personal credentials like an email
address, Social Security number or password can be used for identity theft. Because
people tend to use the same passwords for different sites, criminals test stolen
credentials on websites where valuable information can be gleaned, like those of
banks and brokerage firms.
Like other computer security consulting firms, Hold Security has contacts in the
criminal hacking community and has been monitoring and even communicating
with this particular group for some time.
The hacking ring is based in a small city in south central Russia, the region flanked
by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their
20s who know one another personally — not just virtually. Their computer servers
are thought to be in Russia.
“There is a division of labor within the gang,” Mr. Holden said. “Some are writing
the programming, some are stealing the data. It’s like you would imagine a small
company; everyone is trying to make a living.”
They began as amateur spammers in 2011, buying stolen databases of personal
information on the black market. But in April, the group accelerated its activity.
Mr. Holden surmised they partnered with another entity, whom he has not
identified, that may have shared hacking techniques and tools.
Since then, the Russian hackers have been able to capture credentials on a mass
scale using botnets — networks of zombie computers that have been infected with a
computer virus — to do their bidding. Any time an infected user visits a website,
criminals command the botnet to test that website to see if it is vulnerable to a well-
known hacking technique known as an SQL injection, in which a hacker enters
commands that cause a database to produce its contents. If the website proves
vulnerable, criminals flag the site and return later to extract the full contents of the
database.
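The injection the article describes, shown as an added illustration that is not part of the original report: a lookup that splices user input into its SQL dumps the whole table when fed a quote-and-always-true probe, while the same lookup with a bound parameter treats that probe as an ordinary (nonexistent) user name. The user table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for a website's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# The textbook probe: closes the open string literal, then adds an always-true clause.
PROBE = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Concatenates the input into the statement, so the database parses it as SQL.

    With PROBE the statement becomes
      SELECT ... WHERE username = '' OR '1'='1'
    and every row comes back: the 'database produces its contents' the article describes.
    """
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Binds the input as a parameter; the SQL text is fixed and the input is only data.

    PROBE is compared literally against the username column and matches nothing.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, probe   ->", lookup_vulnerable(db, PROBE))
    print("parameterized, probe ->", lookup_parameterized(db, PROBE))
```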
“They audited the Internet,” Mr. Holden said. It was not clear, however, how
computers were infected with the botnet in the first place.
By July, criminals were able to collect 4.5 billion records — each a user name and
password — though many overlapped. After sorting through the data, Hold
Security found that 1.2 billion of those records were unique. Because people tend to
use multiple emails, they filtered further and found that the criminals’ database
included about 542 million unique email addresses.
“Most of these sites are still vulnerable,” said Mr. Holden, emphasizing that the
hackers continue to exploit the vulnerability and collect data.
Mr. Holden said his team had begun alerting victimized companies to the breaches,
but had been unable to reach every website. He said his firm was also trying to
come up with an online tool that would allow individuals to securely test for their
information in the database.
The disclosure comes as hackers and security companies gathered in Las Vegas for
the annual Black Hat security conference this week. The event, which began as a
small hacker convention in 1997, now attracts thousands of security vendors
peddling the latest and greatest in security technologies. At the conference, security
firms often release research — to land new business, discuss with colleagues or
simply for bragging rights.
Yet for all the new security mousetraps, data security breaches have only gotten
larger, more frequent and more costly. The average total cost of a data breach to a
company increased 15 percent this year from last year, to $3.5 million per breach,
from $3.1 million, according to a joint study last May, published by the Ponemon
Institute, an independent research group, and IBM.
Last February, Mr. Holden also uncovered a database of 360 million records for
sale, which were collected from multiple companies.
“The ability to attack is certainly outpacing the ability to defend,” said Lillian
Ablon, a security researcher at the RAND Corporation. “We’re constantly playing
this cat and mouse game, but ultimately companies just patch and pray.”
Nicole Perlroth reported from San Francisco and David Gelles from New York City.
Russian Hackers Amass Over a Billion Internet Passwords
By Nicole Perlroth and David Gelles
August 5, 2014
The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites. Hold Security has a history of major discoveries, including the theft last year of tens of millions of records from Adobe Systems.