Security Company Who Discovered Russian Hack Trying To Profit From It
Yesterday I posted a story on the discovery of a cybergang that allegedly stole 1.2 billion passwords from a variety of websites. Today it has come to light that the group that discovered the hack, Hold Security, will only tell website operators whether they were affected if they sign up for its breach notification service, which starts at $120 per year. Here’s what IT World had to say:
Some security researchers on Wednesday said it’s still unclear just how serious the discovery is, and they faulted the company that uncovered the database, Hold Security, for not providing more details about what it discovered.
“The only way we can know if this is a big deal is if we know what the information is and where it came from,” said Chester Wisniewski, a senior security advisor at Sophos. “But I can’t answer that because the people who disclosed this decided they want to make money off of this. There’s no way for others to verify.”
Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at US$120 per year. Individual consumers can find out through its identity protection service, which Hold Security says will be free for the first 30 days.
I’m a big believer that if you discover a flaw like this, you have a responsibility to disclose everything that you know as quickly as possible. If the party at the center of this doesn’t take the disclosure seriously, then you need to go public. To try and profit off of this is wrong. If there is a threat here, it is incumbent on Hold Security to get it out there as quickly as possible, as the implications are huge if they don’t. I am of course assuming that this is real. The absence of any facts on the table casts a shadow on their claim. That’s another reason why Hold Security should say what they know now.
This entry was posted on August 7, 2014 at 12:47 pm and is filed under Commentary with tags hack, Russia, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.