Entries Tagged "theft"

Over a Billion Passwords Stolen?

I’ve been doing way too many media interviews over this weird New York Times story that a Russian criminal gang has stolen over 1.2 billion passwords.

As expected, the hype is pretty high over this. But from the beginning, the story didn’t make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn’t a company that I had ever heard of before. (I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before, either.) The New York Times writes that “a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic,” but we’re not given any details. This felt more like a PR story from the company than anything real.

Yesterday, Forbes wrote that Hold Security is charging people $120 to tell them if they’re in the stolen-password database:

“In addition to continuous monitoring, we will also check to see if your company has been a victim of the latest CyberVor breach,” says the site’s description of the service using its pet name for the most recent breach. “The service starts from as low as 120$/month and comes with a 2-week money back guarantee, unless we provide any data right away.”

Shortly after Wall Street Journal reporter Danny Yadron linked to the page on Twitter and asked questions about it, the firm replaced the description of the service with a “coming soon” message.

Holden says by email that the service will actually be $10/month and $120/year. “We are charging this symbolical fee to recover our expense to verify the domain or website ownership,” he says by email. “While we do not anticipate any fraud, we need to be cognizant of its potential. The other thing to consider, the cost that our company must undertake to proactively reach out to a company to identify the right individual(s) to inform of a breach, prove to them that we are the ‘good guys’. Believe it or not, it is a hard and often thankless task.”

This story is getting squirrelier and squirrelier. Yes, security companies love to hype the threat to sell their products and services. But this goes further: single-handedly trying to create a panic, and then profiting off that panic.

I don’t know how much of this story is true, but what I was saying to reporters over the past two days is that it’s evidence of how secure the Internet actually is. We’re not seeing massive fraud or theft. We’re not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords—they’ve probably had most of them for a year or more—and everything is still working normally. This sort of thing is pretty much universally true. You probably have a credit card in your wallet right now whose number has been stolen. There are zero-day vulnerabilities being discovered right now that can be used to hack your computer. Security is terrible everywhere, and it’s all okay. This is a weird paradox that we’re used to by now.

Oh, and if you want to change your passwords, here’s my advice.

EDITED TO ADD (8/7): Brian Krebs vouches for Hold Security. On the other hand, it had no web presence until this story hit. Despite Krebs, I’m skeptical.

EDITED TO ADD (8/7): Here’s an article about Hold Security from February with suspiciously similar numbers.

EDITED TO ADD (8/9): Another skeptical take.

Posted on August 7, 2014 at 7:45 AM

Here's How Brazilian Crooks Steal Billions

Man-in-the-middle attack against a Brazilian payment system:

Brazil has an extremely active and talented cybercrime underground, and increasingly Brazilian organized crime gangs are setting their sights on boleto users who bank online. This is typically done through malware that lies in wait until the user of the hacked PC visits their bank’s site and fills out the account information for the recipient of a boleto transaction. In this scenario, the unwitting victim submits the transfer for payment and the malware modifies the request by substituting a recipient account that the attackers control.

This is the sort of attack that bypasses any two-factor authentication system, since it occurs after all authentication has happened. A defense would be to send a confirmation notice to another device the account-owner owns, confirming the details of the transaction.
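An added example, not part of the original post or the quoted article: a Python sketch of that defense, in which the approval token from the second device is computed over the transaction details the bank actually received, so a swapped recipient is either visible to the owner or fails verification. The account identifiers, the pre-shared device key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

FIELDS = ("recipient", "amount_cents", "nonce")

def approval_token(device_key: bytes, tx: dict) -> str:
    # MAC over the transaction details in a fixed order, so the token
    # authorizes this recipient and amount only, not the whole session.
    msg = "|".join(f"{k}={tx[k]}" for k in FIELDS).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:16]

class Bank:
    def __init__(self, device_key: bytes):
        self.device_key = device_key   # assumed provisioned at enrollment
        self.pending = {}

    def submit(self, recipient: str, amount_cents: int) -> dict:
        # The request may already have been altered on the infected PC.
        tx = {"recipient": recipient, "amount_cents": amount_cents,
              "nonce": secrets.token_hex(8)}
        self.pending[tx["nonce"]] = tx
        return dict(tx)                # notice pushed to the second device

    def confirm(self, nonce: str, token: str) -> bool:
        tx = self.pending.pop(nonce, None)   # each notice is single use
        return tx is not None and hmac.compare_digest(
            token, approval_token(self.device_key, tx))

def device_approve(device_key: bytes, notice: dict, intended: tuple):
    # The second device displays what the bank received; the owner approves
    # only if it matches the payment they meant to make.
    if (notice["recipient"], notice["amount_cents"]) != intended:
        return None
    return approval_token(device_key, notice)

def demo() -> dict:
    key = bytes(range(32))                    # constructed sample key
    bank = Bank(key)
    intended = ("ACCT-PAYEE-001", 15000)      # constructed identifiers
    notice = bank.submit(*intended)           # untampered request
    honest = bank.confirm(notice["nonce"], device_approve(key, notice, intended))
    notice = bank.submit("ACCT-OTHER-999", 15000)   # recipient swapped in transit
    shown_ok = device_approve(key, notice, intended) is not None
    stale = approval_token(key, {**notice, "recipient": intended[0]})
    return {"honest": honest, "tampered_approved": shown_ok,
            "mismatched_token": bank.confirm(notice["nonce"], stale)}

if __name__ == "__main__":
    print(demo())
```

The check only helps if the second device is not under the same malware's control and the owner actually reads the displayed recipient before approving.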

Posted on July 9, 2014 at 7:30 AM

These Pickpocket Secrets Will Make You Cry

Pickpocket tricks explained by neuroscience.

So while sleight of hand helps, it’s as much about capturing all of somebody’s attention with other movements. Street pickpockets also use this effect to their advantage by manufacturing a situation that can’t help but overload your attention system. A classic trick is the ‘stall’, used by pickpocketing gangs all over the world. First, a ‘blocker’ walks in front of the victim (or ‘mark’) and suddenly stops so that the mark bumps into them. Another gang member will be close behind and will bump into both of them and then start a staged argument with the blocker. Amid the confusion one or both of them steal what they can and pass it to a third member of the gang, who quickly makes off with the loot.

I’ve seen Apollo Robbins in action. He’s very good.

Posted on July 8, 2014 at 6:22 AM

1971 Social Engineering Attack

From Betty Medsger’s book on the 1971 FBI burglary (page 22):

As burglars, they used some unusual techniques, ones Davidon enjoyed recalling years later, such as what some of them did in 1970 at a draft board office in Delaware. During their casing, they had noticed that the interior door that opened to the draft board office was always locked. There was no padlock to replace, as they had done at a draft board raid in Philadelphia a few months earlier, and no one in the group was able to pick the lock. The break-in technique they settled on at that office must be unique in the annals of burglary. Several hours before the burglary was to take place, one of them wrote a note and tacked it to the door they wanted to enter: “Please don’t lock this door tonight.” Sure enough, when the burglars arrived that night, someone had obediently left the door unlocked. The burglars entered the office with ease, stole the Selective Service records, and left. They were so pleased with themselves that one of them proposed leaving a thank-you note on the door. More cautious minds prevailed. Miss Manners be damned, they did not leave a note.

Posted on February 5, 2014 at 6:02 AM

1971 FBI Burglary

Interesting story:

…burglars took a lock pick and a crowbar and broke into a Federal Bureau of Investigation office in a suburb of Philadelphia, making off with nearly every document inside.

They were never caught, and the stolen documents that they mailed anonymously to newspaper reporters were the first trickle of what would become a flood of revelations about extensive spying and dirty-tricks operations by the F.B.I. against dissident groups.

Video article. And the book.

Interesting precursor to Edward Snowden.

Posted on January 10, 2014 at 6:45 AM

Brazen Physical Thefts

Three brazen robberies are in the news this week.

The first was a theft at a small museum of gold nuggets worth $750,000:

Police said the daring heist happened between daytime tours, during a 20-minute window. Museum employees said the thief used an ax to smash the acrylic window, and then left the ax behind.

“He just grabbed it, threw in bag and over a fence he went,” Richard Hauck said, adding that there were no surveillance cameras operating at the time.

The second was at the Four Seasons Hotel in New York:

But now, the thieves have shattered the sense of security at the hotel, following the daring smash-and-grab around 2 a.m. Saturday in the middle of the hotel’s spectacular lobby.

The three thieves walked right into the hotel, and one pulled a sledgehammer and smashed the Jacob & Co. case right next to the front desk. They made away with some very expensive jewelry.

The thieves then made a quick getaway with the stolen watches, necklace, earrings, cufflinks and pendants—with a total value reported at $2 million.

And the third was the largest—$50 million in diamonds stolen from the Brussels Airport:

Forcing their way through the airport’s perimeter fence, the thieves raced, police lights flashing, to Flight LX789, which had just been loaded with diamonds from a Brink’s armored van from Antwerp, Belgium, and was getting ready for an 8:05 p.m. departure for Zurich.

[…]

Waving guns that the Brussels prosecutors’ office described as “like Kalashnikovs,” they calmly ordered ground staff workers and the pilot, who was outside the plane making a final inspection, to back off and began unloading scores of gem-filled packets from the cargo hold. Without firing a shot, they then sped away into the night with a booty that the Antwerp Diamond Centre said was worth around $50 million but which some Belgian news media reported as worth much more.

I don’t have anywhere near enough data to call this a trend, but the similarities are striking. In all cases, the robbers barreled straight through security, relying on surprise and speed. In all cases, security based on response wasn’t fast enough to do any good. And in all cases, there’s surveillance video that—at least so far—isn’t very useful.

It’s important to remember that, even in our high-tech Internet world, sometimes smash-and-grab still works.

Related: Here’s a nice essay about diamond thefts, and the particular problems of securing diamonds. And this essay, by the same author, explains how to fence stolen diamonds.

EDITED TO ADD (3/13): A similar case from The Netherlands.

Posted on February 28, 2013 at 6:35 AM

Sidebar photo of Bruce Schneier by Joe MacInnis.