Educause Security Discussion mailing list archives
Re: Russian Hacker story in today's news
From: "Manjak, Martin" <mmanjak () ALBANY EDU>
Date: Fri, 8 Aug 2014 15:37:53 +0000
What is in danger of being lost in the speculation over Holden’s operations and motives is the fact that PWs really are a terrible form of authentication for reasons pointed out by Louis in his post. This is certainly not a new topic for discussion, but whether or not Holden’s claims are legit, I think most of us agree that we’d prefer to have more robust (multi-factor) methods of authentication and protecting credentials.

I teach a graduate class to business students and by the end of the term, they are nearly all using multi-factor on their public accounts because they’ve come to realize that passwords, both their synchronization and gate-keeping functions for account resets, make them more vulnerable, rather than more secure.

Marty Manjak
ISO
University at Albany

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chuck Braden
Sent: Friday, August 08, 2014 11:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Russian Hacker story in today's news

http://www.youarenotpayingattention.com/2014/08/08/the-lie-behind-1-2-billion-stolen-passwords/

something to read – much ado about nothing?

Jimmy C Braden
Information Security Officer
AgriLife Information Technology
979-862-7254
j-braden () tamu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenny Blaine
Sent: Wednesday, August 06, 2014 10:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Russian Hacker story in today's news

Greetings all,

I've been a lurker on this list because I'm not the UMN's CISO, but I appreciate the conversation. Thanks!

Jenny Blaine

On Wed, Aug 6, 2014 at 9:28 PM, Louis Aponte <louisaponte () weber edu> wrote:

Holden's reasoning or thinking and their response set aside; can this be the reuse of last year's breached accounts being retested at other sites fishing for duplicated credential hits? Regardless of security awareness programs the average user has the same password for almost everything they log into. IMHO So this list can be changed and unchanged passwords, since users tend to return to a small given set of passwords again and again if allowed.

Hold Security has a known track record with the research they provided on the Adobe and Target breaches. I don't believe they are setting up a ransomware factory. I don't think this is totally dismissible, just yet.

Louis

On Wed, Aug 6, 2014 at 1:45 PM, Tim Doty <tdoty () mst edu> wrote:

On 08/06/2014 12:22 PM, Brad Judy wrote:

Brian Krebs has posted on the topic today: http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/

Significantly, I think, Brian says that Mr. Holden didn't take most of his advice...

It is true that Mr. Holden asked me to advise him when he was setting up his business, but he hasn’t taken most of my advice. I have received and will receive no compensation for said advice.

So while Krebs puts him in a positive light in the article, this seems more like the typical "security entrepreneur" than news of a notable breach. More (scare) business as usual.

Tim Doty

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Keller, Alex
Sent: Wednesday, August 06, 2014 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Russian Hacker story in today's news

Hi Folks,

I read the NY Times article yesterday and it immediately triggered the BS meter.

Article is exceedingly light on details.

Hold Security website is rudimentary and vague: http://www.holdsecurity.com

WordPress admin interface is running over HTTP (no SSL available): http://www.holdsecurity.com/wp-admin

They list Brian Krebs (of Krebs on Security) as a “special advisor”: http://www.holdsecurity.com/about/advisory-board/

But Brian has made no note of this story on his blog: http://krebsonsecurity.com

None of this passes even the most basic sniff test.

Best,
alex

* http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html

Alex Keller
Information Technology
Stanford School of Engineering
axkeller () stanford edu
(650) 736-6421

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chuck Braden
Sent: Wednesday, August 06, 2014 6:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Russian Hacker story in today's news

As I read Hold Security’s release this seems to be more of a marketing ploy to sell services combined with a credential collection scheme of their own.

A news resource I heard this morning said they would provide an ability for users to query to see if their ID or what websites had been compromised. No word when that would be available… I'm not hearing a lot from the vendor either – other than crickets and a cash register bell ring. :-/

Jimmy C Braden
Information Security Officer
AgriLife Information Technology
979-862-7254
j-braden () tamu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Slocum, Stacy
Sent: Wednesday, August 06, 2014 7:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Russian Hacker story in today's news

Good morning,

A news story caught my attention this morning regarding the 1+ billion user accounts being collected by “Russian Hackers” over the last 18 months. The story is based on Hold Security’s news release dated yesterday (8/5/2014).

As I read Hold Security’s release this seems to be more of a marketing ploy to sell services combined with a credential collection scheme of their own. Additionally their Terms of Service must be agreed to before registering for their “trial” service of matching your credentials with those contained in the breach database and they offer to let you know if your password was also in the breached data… after you provide it to them…

Does this seem odd to anyone else?

Thanks,
Stacy

Stacy Slocum
Chief Information Officer
St. John Fisher College
3690 East Avenue
Rochester, NY 14618
(585) 385-8388

--
Jenny C. Blaine
Security Analyst
University of Minnesota - University Information Security
jenny () umn edu - 612.625.8807 (office) - 612.978.7215 (mobile)
GSEC GCIH

CONFIDENTIALITY NOTICE: This e-mail, including attachments, may include confidential information, and may be used only by the person(s) to whom it is addressed or intended. Be aware that the use of any information within may be restricted by privacy laws. If the reader of this e-mail is not the intended recipient, the reader is hereby notified that any distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.