I’ve been chased all day by the media, wanting to get my view on the New York Times story claiming that a Russian gang has been found sitting on a mountain of over one billion stolen usernames and passwords.
To give them credit, Hold Security did well to secure such a high profile piece in the NYT, perfectly timed with the security conferences going on in Las Vegas right now, and I am sure owner Alex Holden was pleased by the first round of follow-up coverage from mainstream media like the BBC.
But, frankly, I didn’t want to initially talk about the story.
The reason for my uncharacteristic reticence to mouth off about a security breach? Well, there was an alarming lack of information supplied by Hold Security in its official statement about the discovery and something just didn’t “feel right”.
And although I did end up reporting on the story myself on the We Live Security blog, something kept nagging in the back of my mind…
At first, Hold Security said that it could not name sites that had been breached because of non-disclosure agreements.
However, it transpired that Hold Security was blatantly using its discovery of a mountain of stolen credentials as a brazen sales pitch for its new breach notification service. For as little as “$120/year with a two-week money back guarantee” you can be alerted if your site is discovered to have suffered an attack.
And that’s before you even consider the bizarre approach that Hold Security is taking towards consumers whose details may have been included in the stash of stolen credentials.
You see, Hold Security is asking users to sign up for what it calls the “Consumer Hold Identity Protection Service” (CHIPS). Hold Security says that CHIPS is a subscription service, but if you sign up right now you’ll get 30 days protection for free.
But hold your horses, because wait until you hear how it is supposed to work.
Hold Security wants you to give them your email address – and if they find it in their database of stolen credentials, they will then ask you (are you ready?) to “provide an encrypted versions of your passwords to compare it to the ones in our database, so that we can let you know exactly which of your passwords have been compromised”.
When I did a little digging around the Hold Security website, I found the form where you are supposed to do this:
It seems to me to be an utterly idiotic approach.
For one thing, what if the computer the user is typing on has keylogging malware in the background – isn’t it going to be trivial for malicious hackers to scoop up the victim’s most sensitive passwords as they are entered on this web form?
Or what about the possibility of bad guys creating phoney versions of this webpage, specifically with the intention of nabbing users’ passwords?
But most fundamentally, you should never encourage users to enter passwords for website X into an entirely different website, even if the intention is not to transmit them unencrypted to a third-party site. Isn’t this the firm that just warned the world about a huge number of stolen credentials? And here it is coaxing users to behave in a way which is clearly unsafe.
Services like Troy Hunt’s terrific haveibeenpwned.com give you an easy way to tell if your credentials might have been grabbed by identity thieves after high profile hacks and he never asks you for a single password. Furthermore, his service is entirely free with no subscription fees (although, to be honest, I think he could consider charging).
It’s worth bearing in mind that even if you find Hold Security’s handling of the announcement either tasteless, cack-handed or conceived by somebody with no marketing common-sense, it doesn’t mean that its findings are not for real.
For instance, security blogger Brian Krebs, a highly respected member of the infosecurity community, was moved to post a blog which appears to support the notion that the stolen data accessed by Hold Security is genuine.
Krebs is also listed on Hold Security’s website as a trusted advisor to the company.
The key thing, as I explain in my We Live Security blog post on the topic, is to ensure that whoever is building and maintaining your website is aware of threats like SQL injection, and is coding to protect against that and other commonly-found vulnerabilities.
And for users it’s clear that the most important thing they can do is to break out of the dangerous habit of reusing the same passwords. You can’t necessarily stop a website from being hacked and online criminals accessing your password, but you can limit how much damage they can do to you by ensuring that you are not using the same password anywhere else on the web.
If you find passwords a burden – simply use password management software like Bitwarden, 1Password, and KeePass to make them both safer and easier to remember.
18 comments on “Security firm that revealed “billion password” breach demands $120 before it will say if you’re a victim”
The page in the screenshot is riddled with typos and spelling mistakes. Fishy as heck.
Or you could use Google. If I think that a username/password pair has been compromised, I google it. Usually, google finds a few hits of the pair.
There's a *huge* number of username/password pairs floating around. Several years ago, I downloaded a file of them, and it was pretty big. I don't remember where I got it, but I think I found it using google. Or maybe altavista. Anyway. Google "username/password list" and you'll see what I mean. One list claims 50 billion hashes. I haven't downloaded that.
https://xato.net/passwords/more-top-worst-passwords/ says that 1% of users are using one of the top 1000 passwords.
Very true. And I refer to the lists. Somewhat like dictionary files. I seem to remember specific google queries that help find this type of thing but I might be creating that from my own derangement … that is hard to know, but the first part isn't: it is very true and your point is excellent.
Something's definitely fishy with these guys. Back in February the same "Hold Security" researchers supposedly found thousands of FTP sites infected with all kinds of malware, and that turned out to be largely BS. They're doing nothing other than creating media hype to try and build their company.
Well, obvious phishing. But there are plenty of people who will trust it and I don't get it how it's possible. There is a simple and short article which can help them to recognize if it's phishing email or not: http://blogen.stickypassword.com/3-phishy-things-to-watch-out-for/ .
You don't get how it is possible? One word and it is the single biggest problem in security (computer, network and non technical as well!): trust.
It is given far too easily and it is far too easy to influence others to trust you (even when they would normally not, e.g., like an experienced social engineer might manage to do). Good examples: telco employees and other utility employees (or supposed employees). Or having inside information at the right time which allows it to look very convincing. Of course those are more advanced but the point is the same: people believe and trust things too easily (and when you bring in money people react too quickly due to the fear and so they are not in a thinking state. In general the more susceptible you are to emotions the more careful you need to be. Somewhat like sleep deprivation and your thinking state, I might add).
So they clearly have a database of hashed, but not salted, passwords sitting online now…?
Short answer: of course that is common. Some even have passwords stored in plaintext … As for salt versus not, consider this:
Even salted passwords are easy to crack if you know how the salt is determined ("brute force" or more correctly "brute force by dictionary attack"). Yes, salted is better but dictionary attacks are ancient and very efficient. They were two decades ago and computers are far more powerful now. And with more disk space, and the size of dictionary files, well…
Put another way: salted or not, having the hash is – as long as they know how the salt is determined [that's the key if you'll excuse the pun] – having the password (assume the worst). And here's the problem with suggesting they don't have a way to find out what the salt is: how do you think the authentication system/software/whatever authenticates? It does it this way (and yes I know this because I am a programmer for a server that does involve authentication and yes it includes salted passwords): take the password given, encrypt it as it should be done, and compare the hash on file and the hash just generated. So if you can see the authentication source code, then you have the information you need. Even then, depending on the hash, the possibility to determine the algorithm exists. But consider this: they don't have either of those. If they compromised the server, though, do you think they cannot find out more (see above)? Never assume that these things cannot be done. Hope that it isn't but never assume it is all fine and secure. This is exactly why security is a layered thing (and passwords are among the weakest layers …).
I should also point something else out: the salt might be determined from the hash itself. For instance, the following for glibc2 in the Linux kernel for the man (manual) page of the crypt library call:
If salt is a character string starting with the characters "$id$" followed by a string terminated by "$":
(crypt is only really useful for passwords but that's what this is all about.) The algorithms supported are:
blowfish (in some)
Those are the additional algorithms. DES is far easier to brute force.
So depending on how it is stored it is even easier…. But even then if you have the source code of the authentication software (or the part of the software that authenticates users) then there's a large risk.
Good critical thinking of yours, Graham, standing in the good tradition of which I've come to know you a bit.
Some additional thoughts:
1) Sure, when entering those passwords on that "so greatly SSL-protected" site [*cough*], those passwords are subsequently encrypted. WTF?! They hold both the public and private key to that encryption process. In other words: some way Hold would be able to decrypt the bloody stuff. As a matter of fact, I am sure they do: in order to be able to make the check against their database. Giving away my credentials? No way!
2) If (now .. IF….) you would like to put in your -probably most vulnerable- passwords – would a maximum of 15 suffice? I don't think so. I am one of those people who is NOT re-using passwords. Actually, I do not even know my passwords anymore. I got hundreds of those. Instead, I am using a password manager.
3) I'm sure the NSA will be listening in on the site, and -for once- you almost couldn't blame them for doing so :-) What a treasure to them! Or… might Hold actually be part of a great NSA scheme? (Freaking the heck out of each and every common computer user, doing so by pushing the story all over the news networks, worldwide, then to collect some great info?). Hm. This sounds far fetched, I know.
But I need not even contemplate on point 3. The first point I mentioned is already enough for me, to not go ahead with the great Hold site.
The page describes the process. The passwords are hashed (not encrypted) on the client (in the browser) not the server. If you doubt this you can check because all the code is on your computer and executed on your computer and you can easily check what's leaving your computer and being sent to Hold.
In other words your password doesn't leave your computer, the process of hashing takes place on your computer and then you send a hash to Hold Security. The hash is sent over HTTPS so it can't be picked up on-the-wire. The hash can't be decrypted by Hold, it can only be compared to other hashes they have.
Technically this is a very similar process to the one used by Facebook when they froze the accounts of users found to be using passwords exposed by the Adobe breach, something for which they were rightly praised. They were able to identify compromised accounts without ever storing raw text passwords.
The only difference is that Hold want to charge – and that is what stinks.
There is plenty to find distasteful in the way Hold are dealing with this situation and the page is all the things Graham said it is; contradictory and easy to forge, but the technical process does not work the way you describe.
I'd like to call and raise that.
Although Hold will only have SHA-512 hashes, these hashes will go into a hash table and be linked to the submitted email addresses, even if they do not know the passwords themselves, and even if they are not found in the existing database.
If they come across these same hashes in future, they will have email addresses to sales pitch with FUD.
The only restriction to this is that it only applies to passwords that they find in SHA-512 in the future.
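The two mechanisms the comments above describe, a digest computed on the user's side and compared against a breach corpus on the server, and a salted hash used for a site's own logins, as an added Python example that is not Hold Security's code nor any commenter's; the breach corpus, wordlist and email address are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample corpus standing in for the breach database: unsalted
# SHA-512 digests of a few weak passwords (not real leaked data).
BREACH_HASHES = {hashlib.sha512(p.encode()).hexdigest()
                 for p in ("password1", "letmein", "hunter2")}

def client_side_hash(password: str) -> str:
    """The in-browser step the comment describes: an unsalted SHA-512 digest
    is all that leaves the user's machine."""
    return hashlib.sha512(password.encode()).hexdigest()

def server_check(email: str, digest: str, seen: dict) -> bool:
    """Server-side comparison against the corpus. It also records the
    (email, digest) pair, which is the linkage Stewart's comment warns about:
    the service keeps the digest whether or not it matches today."""
    seen.setdefault(email, set()).add(digest)
    return digest in BREACH_HASHES

def dictionary_match(digest: str, wordlist) -> Optional[str]:
    """Why 'they only have the hash' is little comfort for a common password:
    an unsalted digest can be tested against a wordlist by whoever holds it."""
    for word in wordlist:
        if hmac.compare_digest(hashlib.sha512(word.encode()).hexdigest(), digest):
            return word
    return None

# Storage for a site's own authentication, the salted scheme from the earlier
# comment: random per-user salt, slow derivation, and a constant-time compare.
def make_record(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 100_000)

def verify_password(record: tuple, candidate: str) -> bool:
    salt, stored = record
    derived = hashlib.pbkdf2_hmac("sha512", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(derived, stored)

if __name__ == "__main__":
    seen = {}
    digest = client_side_hash("hunter2")
    print("found in breach corpus:", server_check("user@example.com", digest, seen))
    print("recovered by wordlist:", dictionary_match(digest, ["123456", "hunter2"]))
    rec = make_record("correct horse battery staple")
    print("salted verify:", verify_password(rec, "correct horse battery staple"))
```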
@Stewart: they wouldn't be THAT stupid, would they? ;-)
"Hold Security wants you to give them your email address – and if they find it in their database of stolen credentials, they will then ask you (are you ready?) to “provide an encrypted versions of your passwords to compare it to the ones in our database, so that we can let you know exactly which of your passwords have been compromised."
In other words, they want you to tell them that yes, you are a victim. Then, since they have the hash they essentially have your password. Using that (and even without it) they can get more information about you. Since they have your email address, and since they now confirmed the hash is for your password (one of), then let's see, you are now a victim of _another_ attack ("another" more like it). I suggest phishing is far too nice of a word for it because they are also asking for money upfront (or so it seems). Then they can do whatever else once they confirmed they have your password.
This whole thing is a scam. Holder Security puts out a news release, 1.2 billion user names and passwords hacked. Throw in Russia to make it sound plausible. Then Hold charges $120 to see if you were hacked. BS, there was never a hack, Hold said there was a hack and then makes money to tell you if you were hacked. Hacked or not hacked don't matter because no one was hacked. Very clever.
It will be interesting to see if the Krebs/Holden relationship continues. Brian has used him for years. Alex has been his window into the Russian and Ukrainian language carding forums. I'd like to know more about Hold Security and how large of a company it is.
I read Krebs' article too. I got the feeling that Hold was playing off Krebs' name, as he says that Hold never really used any advice he offered, and they are not that close. His name being on Hold's site as an advisor only lends respectability to Hold.
Now my BS meter is pegged on the excuses this guy offers up on just about all aspects of how this is being played. This is not the end, I fully expect many more experts are going to start crying foul. This very well may be a career ender in the making. Dead man walking.