Fear and Loathing in Las Vegas, Cyber EditionDune Lawrence, Michael Riley
The 17th iteration of the Black Hat security conference enticed more than 9,000 attendees to Las Vegas last week, with a schedule of more than 100 briefings. Want to hear about hacks into cars? You got it. Home alarms? Yes. How to save cyberspace from data breaches and mass surveillance? This way to room South Seas E.
The largely male crowds flowed between briefings and the Business Hall, snagging plastic Viking helmets from Norse or sunglasses rimmed with flashing green lights courtesy of AlienVault to spice up their shorts-and-T-shirt ensembles.
Still, amid the swag and late-night parties was plenty of sniping. The talks get worse every year, some said. And the gathering has lost its technical, geek flavor: “Black Hat is just like RSA now,” was the refrain, a reference to another business conference where companies push their products and services. Not surprisingly, Black Hat also held a touch of green—envy for those security practitioners that have hit the big time, such as FireEye, which went public last year.
Black Hat has become the moment of the big reveal for anyone with some security news to sell, ideally timed to maximize attention and boost the brand—and business. So it was on Aug. 5, when an outfit called Hold Security, based in Milwaukee, released a bombshell: a Russian cyber gang had amassed more than 1.2 billion stolen credentials—usernames and passwords. The New York Times ran with the exclusive, including a splash on the front page of its print edition the next day: “Russian Hackers Steal Passwords of Billion.”
Months of tracking a Russian crew, dubbed CyberVor, has revealed the cache of a billion-plus credentials pilfered from more than 420,000 sites, Hold said in a post on its website titled “YOU HAVE BEEN HACKED!”
A billion: That’s an incredible, frightening number to a civilian. At Black Hat, skepticism mounted quickly. E-mails ricocheted among the attendees. How big a deal was this? Should companies take urgent and potentially costly measures, such as requiring blanket password changes for corporate accounts?
It didn’t help that Hold was providing little information to other security companies to help them validate the claim and protect customers. Or that the company used the announcement to push a product. Companies that want to check whether any of their information is in the cache have to sign up for Hold’s breach-notification service, which starts as low as $120 a year, according to the company’s website.
Some well-respected companies suggested the release was overly hyped. Deloitte & Touche, which has a major cybersecurity practice, sent an analysis to clients on Wednesday informing them that it had “low confidence” that the Russian hackers and their data stockpile presented a risk.
Deloitte had analyzed an early cache of 360 million stolen credentials that Hold Security revealed in February and found that most were duplicates. Only 29.1 percent of the username and password combinations and only about one in five of the stolen e-mails were unique.
“Our field requires vetting and trust,” said Lance James, head of intelligence for the Cyber Risk Services practice at Deloitte. “You can’t go around scaring people and telling them to change every password without providing more information and context. Otherwise, it can end up seeming like raw self-promotion.”
James said it was strange that Hold wasn’t providing sample sets to other researchers or sharing more information, including whether the cache combines multiple sets of data.
“All we have are questions, and we need some answers,” he said.
Other researchers said the massive cache had been known to security experts for as long as two years. They were tracking the gang and watching to see if the credentials were being sold or used in damaging schemes rather than turning them into a marketing tool.
Brian Krebs, a prominent security blogger, wrote his own take on the discovery, essentially vouching for the research. He called Hold Security’s founder and chief information security officer, Alex Holden, “a talented and tireless researcher, as well as a forthright and honest guy.”
Holden’s research, Krebs explained, was central to some of the blogger’s big scoops, such as a hack of Adobe Systems that exposed tens of millions of customer records. The comments section of Krebs’s post exploded.
One commenter, “Bob,” was particularly pointed: “What gives holt [sic] security the right to profit off selling this data. Isn’t someone offering to sell data stolen about me, back to me technically blackmail?”
“Skeptical” wrote: “I’m at blackhat too. Every discussion I’ve heard includes eye rolling that Alex is charging a fee to find out which provider is impacted. He’s not making many friends.”
Holden says he will get back to companies who want to know if they’ve been hacked, even if they don’t sign up for the paid service, though they may get a faster response by signing up for the fee, because the service automates the process.
“We never had any intention of taking any money from people we consider to be victims,” Holden said in a telephone interview. “We have not gained a dollar yet from any of this.”
As far as technical indicators, they provided what they know—including the method of attack, SQL injection, Holden said. (“SQL injection” is a relatively simple technique of injecting code into username and password fields to access customer data through company websites.) Hold Security is giving what information it has about the CyberVor gang to law enforcement, he added.
Holden is equally unable to answer the key questions of why the criminals accumulated all the information and what they’re going to do with it.
“We don’t really know what’s in their minds, so guessing why they’re doing this would be pure speculation on my side,” Holden said. ”What they are doing with it, who knows?”
As Dan Geer, chief information security officer at the cyber-focused venture firm In-Q-Tel, put it in his keynote at Black Hat: “Every speaker, every writer, every practitioner in the field of cyber security who has wished that its topic, and us with it, were taken seriously has gotten their wish. Cyber security is being taken seriously, which, as you well know is not the same as being taken usefully, coherently, or lastingly.”
(Update: Adds revised attendance figure for the conference released Monday.)