MASSIVE Russian hacking

[BruceS]

Please read up about the recently announced Russian Hack of over a Billion usernames and passwords.
It's advised that everyone change their passwords as soon as possible and to try not to use the same password for each and every 'account'.
Applies to passwords for EVERYTHING!!
Forums, Facebook, Twitter, Banking, Ebay, Paypal etc etc

Article = http://au.pcmag.com/news/23160/close-kn ... -billion-i
Part of one article....

A "close-knit" gang of Russian hackers described as one-time "bottom feeders" has collected some 1.2 billion usernames, passwords, and other pieces of identifying information, according to information security firm Hold Security.

The gang operates out of a single Russian city, Hold Security founder Alex Holden told PCMag on Tuesday, confirming many of the details first reported by The New York Times.

Holden declined to name the city, in the event that law enforcement might want to act on his Milwaukee-based company's findings.

The gang numbers less than a dozen individuals who are "very social with each other," Holden said. The security contractor and researcher said cybercriminal gangs like the one his firm discovered have been "kind of dying out" of late in favor of loosely affiliated individuals working together semi-anonymously. The group which Hold Security has been tracking appears to be a throwback of sorts.

"They are much closer knit than other groups we see, possibly they have less conflicts over money because they know each other," he said.

Holden believes the gang has amassed "confidential material gathered from 420,000 websites, ranging from household names to small Internet sites," the Times reported. The newspaper added validity to Hold Security's claims by having another security expert look at the company's database of stolen credentials—that expert "confirmed it was authentic," according to the Times.

The massive database of stolen online identification data purportedly owned by the Russian gang was not attained in a single attack, and in fact, most of the credentials it now possesses were likely purchased over time from other people, Holden said.

The Times speculated that credentials acquired by the gang might have come from both high-profile, corporate security breaches like the Target hack from late last year to simple, opportunistic penetrations of small online operations.

"The gang started by just buying the databases that were available over the Internet. They used to be bottom feeders, buying at fire sales. Over time, they started buying better quality databases. It's kind of like graduating from stealing bicycles to stealing expensive cars," he said.

But the gang has recently begun running, or perhaps renting, a botnet of its own to perform SQL injections on websites to gain user information, Holden said, adding that this was how his company spotted the group. Hold Security is still trying to piece together exactly how such a massive database of online credentials was assembled.

"We recently got the full scope of their misdeeds and we were just as shocked as many who are now reading this news," Holden said, describing how his company managed to get a "peek into their dark world" by establishing online relationships with some of the hackers.

"Looking at some of the data they've stolen, I've even seen some my own passwords. Nothing significant, but shocking nonetheless," he said.

[bagmaker]

Funny how criminals are often so easily identified but nothing is done to stop them.
Its a good example of why the current push for data retention from our own spy associations would never protect its citizens, only restrict them.
In a society that fines, restricts and harrasses its people for exceeding a speed limit by 3km/h yet cannot stop a convicted crim from stabbing his own son in a public place, I would hesitate to use the words "intelligence" and "government" in the same sentence.

Rant over

I am struggling with passwords having recently bought my parents into the digital world.
They have an understandable inability to differentuate (jeepers, 3 big words !!) between a mailbox, a website, a secured webpage and an app.
They come from an age where the department store was a short walk from the post office, just up the road from the bank.
Its unbelievable that the whole world is actually available in a "calculator on steroids" and the potential that their savings could be accessed by a theif if they got a password wrong is fear invoking.

Here is what I tell them to do, (secret ssshhhh, keep it to yourselves)

1- pick any password you will remember and have some capitals and numbers in it (for example, MHome555)
2- when you first are asked for a new password, associate the site with a word that comes to mind immediately and repeatably (so for ozrvnews, I think "ozrvnews", for google gmail I might think just "gmail")
3- add the two together, that is your password (so now here, you have "MH555ozrvnews")

This means you only have to remember 1 password for everything but it is still different for each site.

Cheers!

[Liz Bailey]

Great idea, Bagmaker!

[shonky]

Hi, all.

There are SQL tutorials on the net dating back to 2010, believe it or not.