A fourth estate fail
For the vast majority of us, the breach report has to be accepted on its face, but do some digging and you'd be hard-pressed to find any news outlet that verified Hold's claims through a third party. In fact, most used the original New York Times story as the sole foundation for their pieces and went on to describe other such tragic breaches, usually Target's, which was also broken by the intrepid digital detectives at Hold.
Sure, it's a nice story, but dang, it's a tad anemic on verification. We could pay Hold its $120 to figure out whether we're one of the unlucky billion, but maybe we should pause and consider: How do we know this honking heist even took place?
I gave Hold's official statement a read, and it describes the company's tracking of CyberVor. According to Hold, the villains acquired stolen credentials from other black-market hackers, used those credentials to spam and redirect their initial victims, deployed botnets to identify SQL vulnerabilities in those 400,000-odd websites, then swiped the aforementioned 1.2 billion unique emails and passwords through those security holes. But that's it: No link to numbers or audit results or proof of any kind. Hold couldn't even name the affected websites "due to nondisclosure agreements."
Again, I'm not saying the report is full of the brown stuff that comes out of cows hopped up on hay and norovirus, but I am pointing out that most of us have no way of knowing for sure. Furthermore, the statement immediately links panicked companies and individuals to Hold services that can let them know if they've been affected and keep them informed of any future digital nastiness for a full year, but "we just need your credit card number."
That's fantastic marketing. It comes complete with lucky timing that exposes the theft at the same time the big black-hat security convention is going on in Vegas. Awesome!
Granted, I'm old, and maybe life has dealt me one too many kicks to the jewels, dropping me into a downward spiral of paranoia. The report is probably true given the state of Internet security today. But, gee, I wish we had a way to be certain.
This much is true
Then again, maybe the truth is irrelevant. Even if Hold's report is a fable, your credentials have doubtless been stolen by somebody: reprobate Russians, nefarious Nigerians, or any number of gleeful government spooks.
At least, rest assured in this one piece of complex advice (and save yourself $120): Don't ask "if." Assume you've been Web-mugged and change your passwords -- often.
This article, "On sale: False sense of Internet security, for the low, low price of $120," was originally published at InfoWorld.com in Robert X. Cringely's Notes from the Field blog.