So, I’m trying to get my head around the whole “Russian hackers steal 1.2 billion passwords from 400,000 web sites” thing this morning. Certainly I know how botnets and SQL injection work, and for the most part the media is getting it right for once. Yes, what they are describing is plausible. I’ve been a security officer before … actually by default, when I was tasked with getting my former employer their Level 1 PCI certification. The methods described are two of the most basic tactics for hacking these days … mainly because guessing that someone’s password is the word “password” will probably never go away. Now, normally I love a good conspiracy theory, and I’m forever waiting for one to actually pan out … just so it can egg on new ones for the next decade. This might actually be the first one.
Let’s take a look at this so called “Largest Security Breach Ever” …
- The news is incredibly well timed in that it is released to the press at the Black Hat Security conference in Las Vegas, where tons of companies go to get the shit scared out of them so they will spend millions on new security software and devices. Really, there’s a convention center full of people selling security software right now while the press is completely freaking out about security.
- Thus far, details seem to be completely nonexistent on exactly which sites were hit and who is affected. Well, okay, we get wonderful sound bites like “everyone can expect they had an account on at least one of the sites compromised.” But nothing to go on. If someone got hold of my password on Antwon.com from ten years ago, I probably won’t freak out, but I would certainly look forward to a call from Twon telling me his server got hacked and I should change my password. Wait … I haven’t gotten calls or emails from anybody. In fact, I don’t know anybody who has been asked to change any password specifically because of this “Largest Security Breach Ever.” Shouldn’t at least ONE company have released a press statement saying they were hacked, here’s what was stolen, and here’s what they’re doing about it? I think there are SEC laws that say they HAVE to, in fact.
- How exactly do they know the number of people and web sites that were hit? They’re pretty consistent with their numbers (400,000 / 1.2 billion). How did these get calculated? Who were the companies involved? Can you give us the top ten or so names? Even a common platform or operating system that we can go on? Now that I mention it, how did somebody uncover this, trace it back to the source (Russia) and then reverse engineer the scheme to figure out who was hit? You don’t need to give up trade secrets, but a general explanation of the tactics employed would be helpful in establishing the credibility and accuracy of your findings. You expect me to believe that every one of these 400,000 companies is completely unaware that they’ve been breached and that this is an evil only YOU can see? Isn’t this just a bit “Dr. Bennell” of you?
- SQL injection in its simplest form is essentially just tricking a machine into executing some piece of input from the screen as program code. (In this case it sounds like they turned a password into “Give me a copy of the database.”) It was a really popular hack back in the early days of the web, but most sites built in THIS century are wise to it. Trust me, you could probably break into my web site (Indy In-Tune) with a SQL injection attack — simply because I don’t have any data worth taking the time to harden the site. You’ll NEVER get into a bank, Google, Yahoo, or any merchant that processes credit cards with that trick though. So, how many even vaguely important sites could be in that 400,000? Oh, God, did they get my MySpace password?!
- In addition to hardening sites against SQL injection, administrators generally encrypt passwords inside the database to prevent employees and vendors from stealing customer passwords. Think of it as scrambling the contents of one column in an Excel spreadsheet so that only the computer can read it. Therefore, simply copying the spreadsheet (or the database) would be of little use, since the contents would still be unreadable without the key to unlock those cells.
- The experienced firm of experts that supposedly discovered this breach — otherwise unnoticed by long-established, top-notch security firms and government agencies — is a company called “Hold Security.” They have a lovely web site. If you pull it up in Waybackmachine.org, however, you’ll see that the site didn’t even exist until a year ago, and was pretty much a single page until last week, when suddenly it had all kinds of company data that references media articles, press releases, and testimonials covering the past 18 months — which, like the site, seem to have miraculously appeared last week.
- Finally, isn’t it neat how the company that discovered every person on the planet was probably affected by this hack has already couched it with a great offer of identity theft protection for a mere $120 per person? Insert your own assessment of the quality and nature of this protection because, like their company, their website, and their methods, it also seems to be rather hollow.
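The two points above about SQL injection and scrambled password columns, shown in working code. This is an added example, not code from the original post or from any site it mentions; it assumes a constructed two-user SQLite table and uses salted password hashing (PBKDF2) as the scrambling step, which is what a well-run site does for a password column.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # work factor; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the digest with the stored salt; constant-time compare."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db():
    """Constructed sample table: two users, hashed passwords only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", hash_password("correct horse")),
        ("bob", hash_password("password")),
    ])
    return conn


def lookup_vulnerable(conn, name):
    """'Before': user input glued into the SQL text, so input can become code."""
    sql = "SELECT name, pw FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """'After': parameterised query; the input is only ever treated as data."""
    return conn.execute("SELECT name, pw FROM users WHERE name = ?", (name,)).fetchall()


def login(conn, name, password):
    """Hardened login: safe lookup plus hash verification."""
    rows = lookup_safe(conn, name)
    return bool(rows) and verify_password(password, rows[0][1])
```

Even when `lookup_vulnerable` hands back the whole table, the `pw` column holds salted hashes rather than anything a thief could log in with.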
I’m always thrilled to see the media taking an interest in technology stories, and amused at their oversimplifications and misrepresentations of things — “Most-damaging attack ever!” … “Everything we think we know about security of our information is wrong!” … “This is the end of privacy on the Internet!” In this instance, however, it’s looking more and more like they’ve been the street team for a snake-oil salesman — and I’m betting we’ll see all that start to get downplayed over the next couple of days. How long until the Y3K bucks start rolling in?
