CyberVor Update: Hold Security RespondsFirm Posts FAQ, Defends Its Intentions
Hold Security continues to deal with the backlash prompted by its recent warning that a Russian cyber gang breached 420,000 web and FTP sites to pilfer more than 1.2 billion credentials.
See Also: 2016 State of Threat Intelligence Study
News of the mega-breach was first reported Aug. 5, when the security vendor said the cyber gang, which it dubbed CyberVor - "vor" is Russian for thief - amassed over 4.5 billion records (see: Security Firm: 1.2 Billion Credentials Hacked). Of those credentials, 1.2 billion appeared to be unique and tied to more than a half-billion e-mail addresses. "The CyberVor breach may be the largest breach identified to this date," Milwaukee-based Hold Security announced on its website.
But that warning prompted critics to ask several questions, including:
- Why Hold Security wasn't naming which sites had been breached;
- Whether it was attempting to profit on the hacks by charging $120 to allow companies to see if attackers possessed their records;
- Why a breach of this magnitude had gone undetected for so long;
- Whether the report was just a marketing exercise.
Some information security experts also questioned the firm's free service for consumers, which requires that they share their passwords to see if the attackers compromised them.
Hold Security did not immediately respond to related requests for comment.
FAQ Fields Criticism
Now, however, Hold Security is addressing some of those questions via a CyberVor Breach Frequently Asked Questions page, published Aug. 12. To be clear, the FAQ adds little information about the gang behind the attacks, except to repeat that they used botnets to scan hundreds of thousands of websites for known vulnerabilities. "Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone," the firm says. "The CyberVors used these vulnerabilities to steal data from these sites' databases."
But the FAQ does attempt to set the record straight about the company's $120 breach notification service, albeit with occasional grammatical errors. "The Breach Notification Service are NOT aimed for individual e-mail users," it says. "It is a service to help website owners and other Internet services to be notified if the hackers are attacking or already exploited their systems." The company says the service will require any subscribing sites to verify their identity, as well as pull in data from other breach notification reports and data dumps.
Free Consumer Service
The FAQ also makes clear that the company offers a free check for consumers, to see if their credentials are part of the CyberVor gang's haul. Finding out requires filling in an online registration form. Hold Security says that by October, it also plans to launch a paid "Hold Identity" service, which "will allow individuals to know if their online credentials have been compromised," the FAQ says. "Plus, we will also offer continuous monitoring of your identity online."
For the CyberVor check, to see if their credentials were stolen, people must share their e-mail address. If Hold Security finds a hit with information in its CyberVor database, then it will request passwords that have been used for accounts tied to that address. "We will check up to 15 passwords per e-mail as we understand that many of us reuse the same e-mail address on different websites, such as internet banking [and] social media," it says. The service cannot, however, be used to check e-mails related to government or military domains.
That password request, as noted, has raised some eyebrows, but Hold Security says it's essential for discerning whether attackers only obtained an e-mail address - for example via a newsletter subscription - or hacked into a more sensitive service, such as an online bank. The FAQ also promises that only a one-time hash of the passwords - which get created on the person's PC, and which cannot be reverse-engineered - will be sent to Hold Security.
Little Added Attack Context
Hold Security urges consumers not to panic if there's a hit with their e-mail addresses and passwords. "To the best of our knowledge, the CyberVor breach was associated with spamming activities during most of the time of its existence," the FAQ says. "It only occurred recently that the hackers began using the credentials for other activities." No related evidence, however, has yet been published to back up those claims.
The company also notes that attackers may no longer be actively using some of the stolen information that it recovered. "Some passwords found in the database may be outdated, could be stolen from accounts which do not have any of your private information or be just generic passwords, sent to you during a registration," Hold Security says. Accordingly, that's why the service offers to check user-supplied passwords.
Outstanding CyberVor Questions
Many security experts were quick to question the legitimacy of the CyberVor report and scant details (see: 5 Facts About CyberVor Report). Security pros also didn't miss the timing of the warning, which coincided with two major information security conferences.
"Unfortunately there's so little information in Hold Security's report that it's hard to comment in much of a meaningful way," says Oxford, England-based independent security consultant Graham Cluley.
But Hold Security CTO Alex Holden tells Forbes that logistically speaking, the company cannot notify all 420,000 sites that they were hacked, and must thus be careful about what information it discloses publicly.
Holden also defends the company's altruistic motives for the service. "We are actually losing money, and negative publicity is actually affecting our financial backers," he says. "We're not trying to do it for publicity at all from the perspective of profiting, we are not pushing our services. In fact, we're trying not to go broke."
Despite the questions, the incident could drive more website owners to finally beef up security (see: Experts Analyze Impact of CyberVor). "In the end, it is not important whether this report is legitimate or not," says attorney Francoise Gilbert, founder and managing director of the IT Law Group. "This new incident, whether it is true or is the perfect script for Hollywood, reflects the brutal reality that many, or most, websites are not adequately secure."
(Mathew Schwartz contributed to this report.)