Welcome!

Web 2.0 Authors: Liz McMillan, Elizabeth White, Pat Romanski, Natalie Lerner, Dana Gardner

Blog Feed Post

August 6 – Politico: More than 1 billion passwords stolen by Russian hacker gang – Haul highlights password problems

August 6, 2014

By: Joseph Marks

With help from David Perera, Tal Kopan and Shaun Waterman

MORE THAN 1 BILLION PASSWORDS STOLEN BY RUSSIAN HACKER GANG — Last night’s New York Times scoop that a gang of criminal hackers deep in the Russian hinterlands had amassed more than 1 billion usernames and passwords linked to half-a-billion email addresses demonstrates both that the Web is increasingly dangerous for consumers and that Russia remains a safe zone for hacking networks, analysts told MC. “The untouchables of the internet have developed a robust hacker economy of scale in Russia,” Trend Micro Chief Cybersecurity Officer Tom Kellermann said.

When hackers gather information at that massive scale — this is likely the biggest haul in history — the danger isn’t just the data they have but the data they can deduce from it, CrowdStrike General Counsel Steve Chabinsky told MC. Many people ignore security experts’ advice and don’t vary their passwords, which means attackers that know the password to one account can try the same password — or variations on it — to breach other accounts. “The volume of these records allows hackers to do their own form of big data analytics, scouring passwords and using them in attacks not only against these corporate victims but against others as well,” said Chabinsky, who was previously deputy assistant director of the FBI’s cyber division.

The massive trove of data — stolen from hundreds of thousands of websites — was discovered by the Milwaukee firm Hold Security, which dubbed the gang CyberVor (cyber thief in Russian). The findings were verified by an independent security expert working on behalf of the Times. The list of compromised sites “includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites,” Hold Security said. The hacking ring does not appear to be connected with the Russian government and does not appear to have sold many of the records, the Times reported. The story: http://politi.co/1y3H3L0 The Hold Security report: http://bit.ly/1oAdnUy

SECURITY FIRM FACES “CASHING IN” QUESTIONS — Demonstrating that no good deed goes unpunished, Hold Security has faced suggestions that they are “cashing in” on their discovery by offering a low-cost ($120 per year) service to webmasters to determine if their site was among the 420,000 breached by the gang. After questions from reporters, the firm appears to have taken down the page offering the service, reports Forbes blogger Kashmir Hill. The story: http://onforb.es/1opzTuG

HACKER HAUL HIGHLIGHTS PASSWORD PROBLEMS — The massive trove of stolen account credentials highlights the way the ubiquitous password has become one of the weakest links in the online security chain. Every new online account — from the vital like banking to the trivial like pizza delivery — means another different password to remember; or another chance for cybercrooks to steal your favorite one. Easily remembered passwords can generally be easily guessed, even when encrypted — by computers that try thousands of different possibilities a minute. But an Obama administration program exploring ways to make alternatives to the password commercially viable without infringing on privacy is caught in political crossfire on Capitol Hill.

For the third year running, House appropriators voted earlier this year to gut funding for the program, targeting cash for pilot implementation projects. As Dave Perera reports this morning, “the program’s backers say it’s pure politics. The National Strategy for Trusted Identities in Cyberspace, NSTIC, is a relatively tiny line item in the budget of the government’s technology lab. It comes in at just $16.5 million — a rounding error in the $51.2 billion appropriations bill that funds Commerce, Justice and U.S. scientific agencies.” The full story on NSTIC:http://politico.pro/1lzoXuN

HAPPY WEDNESDAY and welcome to Morning Cybersecurity, where today’s anniversary of the atomic bomb dropping on Hiroshima — whatever else you think about it — is a good opportunity to read the Times’ fascinating obituary of Theodore Van Kirk, the last surviving crew member of the Enola Gay, the plane that dropped that bomb 59 years ago. Van Kirk died last Monday at 93. http://nyti.ms/1pBCeqv Whatever you’re reading today, drop us a line. Send your thoughts, tips and feedback this week to [email protected] and follow @talkopan, @joseph_marks_, @POLITICOPro and @MorningCybersec. Full team info is below.

INTEL OFFICIALS PREPARE TO GO AFTER SECOND SNOWDEN — Intelligence officials are considering asking the Justice Department to open a criminal investigation into the leak of documents related to the government’s terrorist watchlist to Glenn Greenwald’s The Intercept, Reuters reported late yesterday. The documents were dated August 2013, two months after Edward Snowden bolted the NSA and passed a trove of documents to Greenwald and other journalists. The investigation threat would seem to confirm the intelligence community has a second leaker on its hands, but the community would not confirm that fact to Reuters. The story:http://reut.rs/1stSKuR

And some background: There have been rumors rumbling since early July that a second intelligence community source was feeding leaks to reports. That’s when German broadcaster ARD published an unsourced story about XKeyscore targeting users who visit anonymizing sites such as Tor. “I do not believe that this came from the Snowden documents … I think there’s a second leaker out there,” security researcher Bruce Schneier wrote at the time (http://bit.ly/1jO8F08) Greenwald responded by tweeting, “seems clear at this point.” (http://bit.ly/1v7YAWa).

But, even if The Intercept’s August 2013 documents are genuinely from a different source, that doesn’t mean a second leaker on the unprecedented scale of Snowden, a senior law enforcement official cautioned MC. “The unfortunate reality is some people leak information or provide information to those not entitled to receive it, but that’s not anything new,” the source said. “It’s certainly something we take seriously, but I don’t think anybody’s at the point where they think there’s another Edward Snowden.” Background from CNN, which broke the second leaker story: http://cnn.it/1y2AjwU and The Intercept report: http://bit.ly/1qVpsXQ

IN OTHER SURVEILLANCE NEWS, TOR — The Defense Department did not receive personal data about Tor users through a government-funded project to detect vulnerabilities, a DOD spokeswoman told Reuters yesterday. The project was conducted by researchers at Carnegie-Mellon University’s Software Engineering Institute with funding from DOD. The researchers had planned to describe their work at the Black Hat security conference in Las Vegas this week but the university canceled the talk amid the controversy, Reuters reported. In a note on Tor’s website last week, project leader Roger Dingledine said the service had identified computers on its network that had been quietly altering Tor traffic for five months in an attempt to unmask users connecting to “hidden services,” which include drug bazaars and whistleblower sites. Details from Reuters: http://reut.rs/V0viYM

FEDS FAIL EMAIL HYGIENE TEST — Most organizations are not doing enough to prevent their email domains from being forged by hackers and federal agency websites are especially failing — so much so that the government ought to mandate they put their house in order, a new report recommends. Just 4 percent of top federal sites qualified for the nonprofit Online Trust Alliance’s email honor roll, well below the 8.3 percent average for websites generally. Social media sites topped the list with 28 percent qualifying. Major financial institutions were next at 17 percent. To make the honor roll, organizations had to implement best practices for authenticating email that help prevent spearphishing and other malware attacks. Tal has the story http://politico.pro/1kmk6Ss

POSSIBLE IRANIAN CONNECTION IN ISRAELI DDOS ATTACKS — Security firm Arbor Networks spotted sharp upticks in DDoS attacks against Israel starting days after the Hamas-attributed deaths of three Israeli teenagers sparked the latest round of fighting. Attacks went from an average of 30 per day in June to an average of 150 per day in July, peaking at 429 attacks on July 21st, the firm said in a blog post. The attack pattern “bears a striking resemblance” to the “Itsoknoproblembro” botnet attacks launched against U.S. financial firms in 2013, Arbor adds. The Qassam Cyber Fighters, an Islamist hacking group with possible official Iranian ties, took responsibility for the financial industry attacks. Arbor says they don’t know who controls the “Brobot” botnet today, but it’s “being used to attack Israeli civilian governmental agencies, military agencies, financial services and Israel’s cc TLD DNS infrastructure.” The blog post: http://bit.ly/1kDe14s

OPERATION ARACHNAPHOBIA STILL GOING STRONG IN PAKISTAN: A Pakistani APT group has remained active even after it was outed by ThreatConnect’s Intelligence Research Team in August, 2013, launching malware attacks aimed at Indian military and government targets, according to a joint report from ThreatConnect and FireEye released yesterday. Since the first report, the group dubbed Operation Arachnophobia has embedded Bitterbug malware in phony news articles about the arrest of an Indian diplomat and about the disappearance of Malaysia Airlines flight 370 which the “lure” article casts as a Pakistani attack. Details:http://bit.ly/1ssTrDL

REPORT WATCH:

– Sixty percent of companies plan to spend their IT funds on improving cybersecurity over the next two years, and 88 percent said IT investments overall will be important or critical, according to a PwC survey of more than 200 private company leaders in the second quarter of this year: http://pwc.to/1ooEc9R

QUICK BYTES

– Former NSA Chief Keith Alexander is defending the profits of his new cybersecurity firm again — this time to the Associated Press. AP: http://bit.ly/1ATkuwQ

– Smart building technology could open up a new breed of cyberattacks. TechCrunch:http://bit.ly/XBcUYy

– Boston University researchers have been awarded a $10 million grant from the National Science Foundation to test a new cloud-based modular cybersecurity system. GCN:http://bit.ly/1y3Wdjp

– The Veterans Affairs Department launched a new campaign yesterday to educate veterans about identity theft prevention. VA: http://1.usa.gov/1kFwMUV

– Blackphone and Signal have different business philosophies but hit the same post-Snowden privacy concerns. Reuters: http://reut.rs/1sdaLLV

That’s all for today. Have a great Wednesday!

Read the full article at: http://www.politico.com/morningcybersecurity/0814/morningcybersecurity14903.html

The post August 6 – Politico: More than 1 billion passwords stolen by Russian hacker gang – Haul highlights password problems appeared first on ThreatConnect - Threat Intelligence.

Read the original blog entry...

More Stories By Adam Vincent

Adam is an internationally renowned information security expert and is currently the CEO and a founder at Cyber Squared Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and a detailed expertise in information security. The culmination of this knowledge has led to the company’s creation of ThreatConnect™, the first-of-its-kind threat intelligence platform. He currently serves as an advisor to multiple security-focused organizations and has provided consultation to numerous businesses ranging from start-ups to governments, Fortune 500 organizations, and top financial institutions. Adam holds an MS in computer science with graduate certifications in computer security and information assurance from George Washington University. Vincent lives in Arlington, VA with his wife, two children, and dog.

@ThingsExpo Stories
Connected devices and the Internet of Things are getting significant momentum in 2014. In his session at Internet of @ThingsExpo, Jim Hunter, Chief Scientist & Technology Evangelist at Greenwave Systems, examined three key elements that together will drive mass adoption of the IoT before the end of 2015. The first element is the recent advent of robust open source protocols (like AllJoyn and WebRTC) that facilitate M2M communication. The second is broad availability of flexible, cost-effective storage designed to handle the massive surge in back-end data in a world where timely analytics is e...
How do APIs and IoT relate? The answer is not as simple as merely adding an API on top of a dumb device, but rather about understanding the architectural patterns for implementing an IoT fabric. There are typically two or three trends: Exposing the device to a management framework Exposing that management framework to a business centric logic Exposing that business layer and data to end users. This last trend is the IoT stack, which involves a new shift in the separation of what stuff happens, where data lives and where the interface lies. For instance, it's a mix of architectural styles ...
The Internet of Things will put IT to its ultimate test by creating infinite new opportunities to digitize products and services, generate and analyze new data to improve customer satisfaction, and discover new ways to gain a competitive advantage across nearly every industry. In order to help corporate business units to capitalize on the rapidly evolving IoT opportunities, IT must stand up to a new set of challenges. In his session at @ThingsExpo, Jeff Kaplan, Managing Director of THINKstrategies, will examine why IT must finally fulfill its role in support of its SBUs or face a new round of...
We are reaching the end of the beginning with WebRTC, and real systems using this technology have begun to appear. One challenge that faces every WebRTC deployment (in some form or another) is identity management. For example, if you have an existing service – possibly built on a variety of different PaaS/SaaS offerings – and you want to add real-time communications you are faced with a challenge relating to user management, authentication, authorization, and validation. Service providers will want to use their existing identities, but these will have credentials already that are (hopefully) i...
Cultural, regulatory, environmental, political and economic (CREPE) conditions over the past decade are creating cross-industry solution spaces that require processes and technologies from both the Internet of Things (IoT), and Data Management and Analytics (DMA). These solution spaces are evolving into Sensor Analytics Ecosystems (SAE) that represent significant new opportunities for organizations of all types. Public Utilities throughout the world, providing electricity, natural gas and water, are pursuing SmartGrid initiatives that represent one of the more mature examples of SAE. We have s...
"Matrix is an ambitious open standard and implementation that's set up to break down the fragmentation problems that exist in IP messaging and VoIP communication," explained John Woolf, Technical Evangelist at Matrix, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
The Internet of Things will greatly expand the opportunities for data collection and new business models driven off of that data. In her session at @ThingsExpo, Esmeralda Swartz, CMO of MetraTech, discussed how for this to be effective you not only need to have infrastructure and operational models capable of utilizing this new phenomenon, but increasingly service providers will need to convince a skeptical public to participate. Get ready to show them the money!
One of the biggest challenges when developing connected devices is identifying user value and delivering it through successful user experiences. In his session at Internet of @ThingsExpo, Mike Kuniavsky, Principal Scientist, Innovation Services at PARC, described an IoT-specific approach to user experience design that combines approaches from interaction design, industrial design and service design to create experiences that go beyond simple connected gadgets to create lasting, multi-device experiences grounded in people's real needs and desires.
P2P RTC will impact the landscape of communications, shifting from traditional telephony style communications models to OTT (Over-The-Top) cloud assisted & PaaS (Platform as a Service) communication services. The P2P shift will impact many areas of our lives, from mobile communication, human interactive web services, RTC and telephony infrastructure, user federation, security and privacy implications, business costs, and scalability. In his session at @ThingsExpo, Robin Raymond, Chief Architect at Hookflash, will walk through the shifting landscape of traditional telephone and voice services ...
Scott Jenson leads a project called The Physical Web within the Chrome team at Google. Project members are working to take the scalability and openness of the web and use it to talk to the exponentially exploding range of smart devices. Nearly every company today working on the IoT comes up with the same basic solution: use my server and you'll be fine. But if we really believe there will be trillions of these devices, that just can't scale. We need a system that is open a scalable and by using the URL as a basic building block, we open this up and get the same resilience that the web enjoys.
The Internet of Things is tied together with a thin strand that is known as time. Coincidentally, at the core of nearly all data analytics is a timestamp. When working with time series data there are a few core principles that everyone should consider, especially across datasets where time is the common boundary. In his session at Internet of @ThingsExpo, Jim Scott, Director of Enterprise Strategy & Architecture at MapR Technologies, discussed single-value, geo-spatial, and log time series data. By focusing on enterprise applications and the data center, he will use OpenTSDB as an example t...
The Domain Name Service (DNS) is one of the most important components in networking infrastructure, enabling users and services to access applications by translating URLs (names) into IP addresses (numbers). Because every icon and URL and all embedded content on a website requires a DNS lookup loading complex sites necessitates hundreds of DNS queries. In addition, as more internet-enabled ‘Things' get connected, people will rely on DNS to name and find their fridges, toasters and toilets. According to a recent IDG Research Services Survey this rate of traffic will only grow. What's driving t...
Enthusiasm for the Internet of Things has reached an all-time high. In 2013 alone, venture capitalists spent more than $1 billion dollars investing in the IoT space. With "smart" appliances and devices, IoT covers wearable smart devices, cloud services to hardware companies. Nest, a Google company, detects temperatures inside homes and automatically adjusts it by tracking its user's habit. These technologies are quickly developing and with it come challenges such as bridging infrastructure gaps, abiding by privacy concerns and making the concept a reality. These challenges can't be addressed w...
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at Internet of @ThingsExpo, James Kirkland, Chief Architect for the Internet of Things and Intelligent Systems at Red Hat, described how to revolutioniz...
Bit6 today issued a challenge to the technology community implementing Web Real Time Communication (WebRTC). To leap beyond WebRTC’s significant limitations and fully leverage its underlying value to accelerate innovation, application developers need to consider the entire communications ecosystem.
The definition of IoT is not new, in fact it’s been around for over a decade. What has changed is the public's awareness that the technology we use on a daily basis has caught up on the vision of an always on, always connected world. If you look into the details of what comprises the IoT, you’ll see that it includes everything from cloud computing, Big Data analytics, “Things,” Web communication, applications, network, storage, etc. It is essentially including everything connected online from hardware to software, or as we like to say, it’s an Internet of many different things. The difference ...
Cloud Expo 2014 TV commercials will feature @ThingsExpo, which was launched in June, 2014 at New York City's Javits Center as the largest 'Internet of Things' event in the world.
SYS-CON Events announced today that Windstream, a leading provider of advanced network and cloud communications, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Windstream (Nasdaq: WIN), a FORTUNE 500 and S&P 500 company, is a leading provider of advanced network communications, including cloud computing and managed services, to businesses nationwide. The company also offers broadband, phone and digital TV services to consumers primarily in rural areas.
"There is a natural synchronization between the business models, the IoT is there to support ,” explained Brendan O'Brien, Co-founder and Chief Architect of Aria Systems, in this SYS-CON.tv interview at the 15th International Cloud Expo®, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
The major cloud platforms defy a simple, side-by-side analysis. Each of the major IaaS public-cloud platforms offers their own unique strengths and functionality. Options for on-site private cloud are diverse as well, and must be designed and deployed while taking existing legacy architecture and infrastructure into account. Then the reality is that most enterprises are embarking on a hybrid cloud strategy and programs. In this Power Panel at 15th Cloud Expo (http://www.CloudComputingExpo.com), moderated by Ashar Baig, Research Director, Cloud, at Gigaom Research, Nate Gordon, Director of T...