I’ve been chased all day by the media, wanting to get my view on the New York Times story claiming that a Russian gang has been found sitting on a mountain of over one billion stolen usernames and passwords.
To give them credit, Hold Security did well to secure such a high profile piece in the NYT, perfectly timed with the security conferences going on in Las Vegas right now, and I am sure owner Alex Holden was pleased by the first round of follow-up coverage from mainstream media like the BBC.
But, frankly, I didn’t want to initially talk about the story.
The reason for my uncharacteristic reticence to mouth off about a security breach? Well, there was an alarming lack of information supplied by Hold Security in its official statement about the discovery and something just didn’t “feel right”.
And although I did end up reporting on the story myself on the We Live Security blog, something kept nagging in the back of my mind…
At first, Hold Security said that it could not name sites that had been breached because of non-disclosure agreements.
However, it transpired that Hold Security was blatantly using its discovery of a mountain of stolen credentials as a brazen sales pitch for its new breach notification service. For as little as “$120/year with a two-week money back guarantee” you can be alerted if your site is discovered to have suffered an attack.
And that’s before you even consider the bizarre approach that Hold Security is taking towards consumers whose details may have been included in the stash of stolen credentials.
You see, Hold Security is asking users to sign up for what it calls the “Consumer Hold Identity Protection Service” (CHIPS). Hold Security says that CHIPS is a subscription service, but if you sign up right now you’ll get 30 days protection for free.
But hold your horses, because wait until you hear how it is supposed to work.
Hold Security wants you to give them your email address – and if they find it in their database of stolen credentials, they will then ask you (are you ready?) to “provide an encrypted versions of your passwords to compare it to the ones in our database, so that we can let you know exactly which of your passwords have been compromised”.
When I did a little digging around the Hold Security website, I found the form where you are supposed to do this:
It seems to me to be an utterly idiotic approach.
For one thing, what if the computer the user is typing on has keylogging malware in the background – isn’t it going to be trivial for malicious hackers to scoop up the victim’s most sensitive passwords as they are entered on this web form?
Or what about the possibility of bad guys creating phoney versions of this webpage, specifically with the intention of nabbing users’ passwords?
But most fundamentally, you should never encourage users to enter passwords for website X into an entirely different website, even if the intention is not to transmit them unencrypted to a third-party site. Isn’t this the firm that just warned the world about a huge number of stolen credentials? And here it is coaxing users to behave in a way which is clearly unsafe.
Services like Troy Hunt’s terrific haveibeenpwned.com give you an easy way to tell if your credentials might have been grabbed by identity thieves after high profile hacks and he never asks you for a single password. Furthermore, his service is entirely free with no subscription fees (although, to be honest, I think he could consider charging).
It’s worth bearing in mind that even if you find Hold Security’s handling of the announcement either tasteless, cack-handed or conceived by somebody with no marketing common-sense, it doesn’t mean that its findings are not for real.
For instance, security blogger Brian Krebs, a highly respected member of the infosecurity community, was moved to post a blog which appears to support the notion that the stolen data accessed by Hold Security is genuine.
Krebs is also listed on Hold Security’s website as a trusted advisor to the company.
The key thing, as I explain in my We Live Security blog post on the topic, is to ensure that whoever is building and maintaining your website is aware of threats like SQL injection, and is coding to protect against that and other commonly-found vulnerabilities.
And for users it’s clear that the most important thing they can do is to break out of the dangerous habit of reusing the same passwords. You can’t necessarily stop a website from being hacked and online criminals accessing your password, but you can limit how much damage they can do to you by ensuring that you are not using the same password anywhere else on the web.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.