Hold and catch fire: Debating ethical data breach notification policy

News roundup: When a breach occurs, it's common practice to share the information with victims -- both the users and the companies involved. However, Hold Security's billion-password hack disclosure hasn't followed standard procedure.

The security industry is no stranger to password hacks and breaches, and the past few months alone prove that. Yet, as details emerge about the repository containing more than a billion stolen credentials, the industry and scared Web users alike are left with unanswered questions.

Milwaukee-based Hold Security LLC announced Tuesday that, following seven months of research, it has identified that a Russian cyber gang dubbed CyberVor pilfered as many as 1.2 billion unique credentials from more than 420,000 websites and FTP sites. The hackers reportedly started by using databases acquired from the black market to send out spam and phishing attacks, and eventually began using information from botnets that identified SQL injection vulnerabilities in websites. Using this data, CyberVor pulled off what many are calling the largest hack in the history of cybercrime.

While the story has made headlines around the world, many in the security industry have been taken aback by the lack of information offered up by Hold Security. The company has not yet released the names of the victims (citing non-disclosure agreements), nor has it published the names of the vulnerable websites.

Company founder and CISO Alex Holden has only stated that hackers "did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these are still vulnerable."

Regarding the news, security expert Bruce Schneier commented that the story makes no sense to him and independent consultant Graham Cluley wrote that "something just [doesn't] feel right."

Could it be because Hold Security is seemingly using this breach -- which, by the way, has been confirmed as authentic by two outside authorities, one of whom said that some of the stolen records were part of previous breach investigations -- as a marketing ploy?

It seems uncanny that The New York Times broke the news of the hack at the same time that Hold Security's commercial monitoring services became available.

The company is also offering its Consumer Hold Identity Protection Service for free for 30 days. All a customer has to do is give Hold Security his or her name and email; if the company finds the info on its list of compromised names, it will check a list of the customer's encrypted passwords and determine which ones have been compromised -- in 60 days.

Sound sketchy? Don't worry, according to the company, "The passwords will be encrypted on your end using a very secure algorithm, so there would be no way for us or anybody else to read them in plain text." However, on his site, Cluley has a screenshot of Hold Security's submission form for the service, stating it "will never ask you for your passwords," but then promptly asks users to enter passwords.
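The service described above promises to match a customer's passwords against a compromised list without ever reading them in plain text. The page does not say how Hold Security implements that, so the following is an added example, not the company's code: it models one widely used design in which the client hashes each password locally and sends the server only the first five hex characters of the hash, and the server answers with every stored hash suffix sharing that prefix (the "range query" scheme Have I Been Pwned's Pwned Passwords API uses). The breach list, the SHA-1 choice and the five-character prefix length are assumptions made for the example; both sides of the exchange run in one process here.

```python
import hashlib

# Constructed sample of "compromised" passwords for this example only.
# A real service stores only the hashes, never the plaintexts.
COMPROMISED_PLAINTEXTS = ["password", "123456", "letmein", "qwerty"]


def sha1_hex(password: str) -> str:
    """Hex SHA-1 digest, upper-cased; SHA-1 is an assumption for the example."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# ---------------- server side ----------------
COMPROMISED_HASHES = {sha1_hex(p) for p in COMPROMISED_PLAINTEXTS}
PREFIX_LEN = 5  # assumed; a shorter prefix widens the anonymity set

# Everything the server ever learns about a client query lands here,
# so it can be inspected after the exchange.
SERVER_RECEIVED: list[str] = []


def server_lookup(prefix: str) -> list[str]:
    """Return every stored hash suffix whose hash starts with `prefix`.

    The server sees only the prefix, never the full hash or the password.
    """
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly %d upper-case hex characters" % PREFIX_LEN)
    SERVER_RECEIVED.append(prefix)
    return sorted(h[PREFIX_LEN:] for h in COMPROMISED_HASHES if h.startswith(prefix))


# ---------------- client side ----------------
def client_check(password: str, lookup=server_lookup) -> bool:
    """True if `password` is on the compromised list.

    Hashing and the final comparison both happen on the client; only the
    prefix leaves the machine, so the answer is computed without the server
    learning which candidate (if any) the client actually holds.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = lookup(prefix)
    return suffix in candidates


def what_server_saw(password: str) -> str:
    """The only value transmitted for `password`: its hash prefix."""
    return sha1_hex(password)[:PREFIX_LEN]


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r}: compromised={client_check(pw)}, server saw prefix {what_server_saw(pw)!r}")
```

Two caveats worth keeping in mind when reading a claim like "encrypted on your end." First, sending a full unsalted hash would let the receiving party (or anyone who intercepts it) recover weak passwords by guessing, since the hash of "password" is the same everywhere; the prefix-only query above is what keeps the server from learning the candidate. Second, the scheme only tells a user that a password is on a list; it says nothing about which site it was taken from, which is exactly the information the article's critics say has not been shared.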

Little is known about Hold Security, besides that it also offers services including pen testing, security auditing, code review and vulnerability research along with its credentials services. According to Schneier, Hold Security didn't even have a Web presence until the news broke.

Potential business-booster aside, many believe there's still something amiss with the whole situation. In a Wall Street Journal article, Irvine, California-based CrowdStrike Inc. CTO Dmitri Alperovitch said, "Typically when these leaks occur you do notifications of the victim parties and don't charge for it."

U.K.-based SophosLabs' Principal Virus Researcher Vanja Svajcer stated that this is an "unusual approach to remediating an alleged major credentials compromise," adding that "for a long time the security industry has freely shared information on breaches within its own community" and "researchers discovering credentials breaches usually help end users … so everybody can check that none of their email addresses have been compromised."

LastPass CEO Joe Siegrist stated, "It's just not how most people with breaches would react. If you have this kind of data, you want to help people and not capitalize on them. It's definitely a little suspicious."

While well-known security reporter and consultant Brian Krebs has vouched for Holden, many others are doubtful, wondering what happened to camaraderie in the security industry, the unspoken oath to help thy neighbor -- especially when it comes to maintaining an ethical data breach notification policy.

In other news:

  • Google announced yesterday that it is lowering the ranks of websites in its search engine that do not use encryption. Therefore, if a website uses HTTPS, it is likely to rank higher than a site that does not. Google is hopeful this change will spur a website security revolution and urge Web users to favor websites that provide better protection against malicious actors. In its blog, Google wrote, "For now it's only a very lightweight signal -- affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content -- while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we'd like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the Web."
  • Researchers at Kaspersky Labs announced on Thursday they discovered "Epic Turla," a cyberespionage operation that has infected hundreds of computers in more than 45 countries, including those of government institutions, military, education and research companies. A prequel to the previously discovered Turla malware, Epic is believed to be the first stage of a multistage attack using spear phishing, social engineering and watering hole attacks to infect victims. Attackers then steal credentials and use sophisticated backdoors to deploy rootkits and steal sensitive data. Kaspersky notes that the attacks are ongoing and actively targeting users in Europe and the Middle East. Attacks have also successfully infiltrated two spy agencies since the beginning of the year.
  • Offensive Security has released details about a privilege-escalation zero-day vulnerability in Symantec Endpoint Protection 12.1 and 11.0 as well as SEP Endpoint Protection 12.1 Small Business Edition, SEP Cloud and Symantec Network Access Control. US-CERT has released an advisory on the issue. The vulnerability affects the products' Application and Device Control component; if exploited, it could result in a crash or denial of service, or even enable hackers to achieve admin privileges and control the computers. Symantec Corp. has since released a patch and also offered workarounds on its website.
