Krebs on security 8/14
Q&A on the Reported Theft of 1.2B Email Accounts
My phone and email have been flooded with questions and interview requests from various media outlets since security consultancy Hold Security dropped the news that a Russian gang has stolen more than a billion email account credentials. Rather than respond to each of these requests in turn, allow me to add a bit of perspective here in the most direct way possible: The Q&A.
Q: Who the heck is Alex Holden?

A: I’ve known Hold Security’s Founder Alex Holden for nearly seven years. Coincidentally, I initially met him in Las Vegas at the Black Hat security convention (where I am now). Alex is a talented and tireless researcher, as well as a forthright and honest guy. He is originally from Ukraine, and speaks/reads Russian and Ukrainian fluently. His research has been central to several of my big scoops over the past year, including the breach at Adobe that exposed tens of millions of customer records.
Q: Is this for real?

A: Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real. Without spilling his secrets or methods, it is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors.
Q: Ok, but more than a billion credentials? That seems like a lot.

A: For those unfamiliar with the operations of large-scale organized crime syndicates, yes, it does. Unfortunately, there are more than a few successful cybercrooks who are quite good at what they do, and do it full-time. These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.

One micro example of this: Last year, I wrote about a botnet that enslaved thousands of hacked computers which disguised itself as a legitimate add-on for Mozilla Firefox and forced infected PCs to scour Web sites for SQL vulnerabilities.
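The answer above describes SQL injection only in one parenthetical. As an added illustration that is not part of the original post, the following Python snippet (using the standard-library sqlite3 module and a made-up in-memory users table) shows the defect the crooks look for, a query assembled by string concatenation, next to the parameterised form that closes it. Function and table names are my own choices for the demo.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory table with made-up sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT NOT NULL, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice@example.com", "Alice"),
            ("bob@example.com", "Bob"),
            ("carol@example.com", "Carol"),
        ],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, email):
    """The weak pattern: user input is spliced into the SQL text.

    Anything the caller supplies is parsed as part of the statement, so a
    value containing a quote can rewrite the WHERE clause and make the site
    return rows it should never have exposed.
    """
    sql = "SELECT email FROM users WHERE email = '" + email + "' ORDER BY email"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, email):
    """The hardened pattern: the value travels as a bound parameter.

    The driver never interprets the parameter as SQL, so the same input is
    compared literally against the column and simply matches nothing.
    """
    rows = conn.execute(
        "SELECT email FROM users WHERE email = ? ORDER BY email", (email,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = build_demo_db()
    # A lookup value that contains a quote character, as an attacker-controlled
    # form field might. The hardened lookup treats it as an ordinary string.
    odd_input = "nobody@example.com' OR '1'='1"
    print("concatenated query returned:", find_user_vulnerable(conn, odd_input))
    print("parameterised query returned:", find_user_safe(conn, odd_input))
```

The concatenated version returns every row in the table for the odd input, which is exactly the "force the site to cough up user data" behaviour the answer refers to; the parameterised version returns an empty list for it and still finds a real address when given one. The fix is not input filtering but never letting data become part of the statement text.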
Q: What would a crime network even do with a billion credentials?

A: Spam, spam and... oh, spam. Junk email is primarily sent in bulk using large botnets — collections of hacked PCs. A core component of the malware that powers these crime machines is the theft of passwords that users store on their computers and the interception of credentials submitted by victims in the process of browsing the Web. It is quite common for major spammers to rely on lists of billions of email addresses for distributing their malware and whatever junk products they are getting paid to promote.

Another major method of spamming (called “Webspam”) involves the use of stolen email account credentials — such as Gmail, Yahoo and Outlook — to send spam from victim accounts, particularly to all of the addresses in the contacts list of the compromised accounts.
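The "Webspam" pattern just described, a hijacked account suddenly mailing its whole contact list, leaves a recognisable trace in a mail provider's outbound logs. As an added example that is not from the original post, this Python snippet runs a simple burst detector over a constructed outbound-mail log: it flags any sender that reaches an unusually large number of distinct recipients inside a short sliding window. The log format, the account names and the thresholds are all assumptions made up for the demo.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> sender=<addr> rcpt=<addr>" (constructed).
LINE_RE = re.compile(r"^(\S+) sender=(\S+) rcpt=(\S+)$")


def make_sample_log():
    """Constructed log: light normal traffic, then one account mails 25 contacts in 75 s."""
    lines = []
    morning = datetime(2014, 8, 5, 9, 0, 0)
    for i, rcpt in enumerate(["bob", "carol", "dan"]):
        ts = morning + timedelta(minutes=40 * i)
        lines.append(f"{ts.isoformat()} sender=alice@example.com rcpt={rcpt}@example.com")
    for i, rcpt in enumerate(["erin", "frank"]):
        ts = morning + timedelta(minutes=15 + 50 * i)
        lines.append(f"{ts.isoformat()} sender=dave@example.com rcpt={rcpt}@example.com")
    burst = datetime(2014, 8, 5, 13, 0, 0)
    for i in range(25):
        ts = burst + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} sender=alice@example.com rcpt=contact{i:02d}@example.org")
    return "\n".join(lines)


def parse_log(text):
    """Return (timestamp, sender, recipient) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_bursts(events, window=timedelta(minutes=5), threshold=20):
    """Flag senders that hit `threshold` distinct recipients within `window`.

    Uses a two-pointer sliding window per sender over time-sorted events and a
    Counter of recipients currently inside the window, so distinct-recipient
    counts stay exact as old events drop out. Returns one alert per sender:
    (sender, ISO start of the offending window, distinct recipients seen).
    """
    by_sender = defaultdict(list)
    for ts, sender, rcpt in events:
        by_sender[sender].append((ts, rcpt))

    alerts = []
    for sender, evs in by_sender.items():
        evs.sort()
        in_window = Counter()
        left = 0
        for ts, rcpt in evs:
            in_window[rcpt] += 1
            # Drop events that fell out of the window from the left.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts.append((sender, evs[left][0].isoformat(), len(in_window)))
                break  # one alert per sender is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(parse_log(make_sample_log())):
        print("possible compromised account:", alert)
```

In production the threshold would be set per account from its own history rather than as a fixed number, and an alert would feed a forced password reset and session revocation rather than just a print statement; the sliding-window logic itself is the same.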
Spam is such a core and fundamental component of any large-scale cybercrime operation that I spent the last four years writing an entire book about it, describing how these networks are created, the crooks that run them, and the cybercrime kingpins who make it worth their while. More information about this book and ways to pre-order it before its release in November is available here.
Q: Should I be concerned about this?

A: That depends. If you are the type of person who re-uses passwords at multiple sites — including email accounts — then the answer is yes. If you re-use your email password at another site and that other site gets hacked, there is an excellent chance that cyber crooks are plundering your inbox and using it to spam your friends and family to spread malware and to perpetuate the cybercrime food chain.

For a primer that attempts to explain the many other reasons that crooks might want to hack your inbox, your inbox’s relative market value, and what you can do to secure it, please see The Value of a Hacked Email Account and Tools for a Safer PC.
Got more questions? Sound off in the comments section and I’ll try to address them when time permits.

Update: As several readers have pointed out, I am listed as a special advisor to Hold Security on the company’s Web site. Mr. Holden asked me to advise him when he was setting up his company, and asked if he could list me on his site. However, I have and will not receive any compensation in any form for said advice (most of which, for better or worse, so far has been ignored).