Schneier skeptical of NYT's 'over a billion passwords stolen' hack story


One important detail (that, as best I can tell, is currently not available to the outside observer) is the age distribution of these credential pairs.

Accounts get abandoned, passwords get changed, companies go under or change authentication mechanisms, so freshly compromised accounts are much more likely to actually be usable than your antediluvian Yahoo account. How many of these are newly exploited? How many aggregated or purchased from earlier exploits? How many kicked around long past their sell-by date and likely valueless? Depending on age, the same billion-odd passwords could be fairly dramatic news or an interesting bit of back catalog, or some of both.

Brian Krebs appears to be less skeptical than does Chairman Bruce:

http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/

Apparently Krebs is on the board of Hold Security, which is worth at least one grain of salt…

6 Likes

Toldja so.

Which is a shame, as I hate the thought of watching his credibility evaporate. He seems like a really good guy, but this looks like it may get ugly for him really quick-like.

This reminds me of that SSH exploit that caused everybody to change their passwords all at once… and it makes me want to ask again: I wonder what kinds of exploits are possible if you can convince a significant percentage of users across a broad number of websites to go and change their passwords all within a short period of time?

Perhaps the goal here is actually to get people to change their passwords, because that’s what their real exploit requires?

All these NSA revelations make me all tin foil hat.

5 Likes

This reminds me of that SSH exploit that caused everybody to change their passwords all at once…

That would be the “heartbleed” SSL vulnerability, correct? SSH is a whole other animal.

1 Like

Yeah, I was talking about Heartbleed. But these massive “OMG everybody change your password RIGHT NOW!” scares are becoming increasingly common. It could just be a coincidence caused by the media glomming on to it combined with increased paranoia/awareness about security.

But seriously… if massive password changes can be exploited somehow, here are some ample opportunities.

I wonder if it is a means to an attack?

This topic was automatically closed after 5 days. New replies are no longer allowed.