
Two Million Passwords Compromised By Keylogger Virus

Posted by samzenpus
from the protect-ya-neck dept.
Ocean Consulting writes "CNN is reporting that over two million passwords from web service companies such as Google, Facebook, Twitter and Yahoo have been captured via a key logging virus. The story is based on information released by security firm Trustwave. The report critiques how bad people are at making secure passwords, but does mention the use of Pony Botnet Controller."

  • The bad news is that 2 million passwords have been compromised.

    The good news is that they're all "123456".

    • The worse news is that the information they protect is all about Tim's lunch and Kristy's horrible new shoes.

    • by HairyNevus (992803) <hairynevusNO@SPAMgmail.com> on Wednesday December 04, 2013 @08:14PM (#45603325)
      At least it wasn't 00000000...
    • Crazy! I have the same code on my luggage.
      • Crazy! I have the same code on my luggage.

        NSA: Thanks, Mr. Nevus, we were having a hard time opening up your 'lost' luggage from your last trip.

    • by dreamchaser (49529) on Wednesday December 04, 2013 @10:31PM (#45604291) Homepage Journal

      It's a bit ironic that the summary mentions having strong passwords when it was a keylogger to blame. It wouldn't matter how strong the passwords are in that case.

      • Use a password like "pass123word", first type "password", then place the cursor between the fourth and fifth character, then type "123". They'll need something a bit more sophisticated than a simple keylogger to catch those.

        I remember many years ago some old version of Mac OS X refused to let you move the cursor in between already typed password characters, I filed a bug report and got "behaves as intended", but fortunately they came to their senses some time afterwards.

        • by StikyPad (445176)

          Many keyloggers log mouse clicks too. Your technique would stifle an automated scrape, but likely human eyes are going to be looking at keylogged data at some point anyway, otherwise it's just noise. There's no algorithm for "separate out the password typing from all this other typing." So at best they have to order the characters you've helpfully provided. That means the number of possible permutations is just 9: k (length) of "password" (8) + 1, in case you positioned the cursor before the first lette

    • by Thanshin (1188877)

      That's amazing. I've got the same combination on my luggage!

    • by mcgrew (92797) *

      You say that in jest, but according to Good Morning America the majority of them actually were 123456!

  • by koan (80826) on Wednesday December 04, 2013 @08:08PM (#45603265)

    I'm not bad at making up secure passwords, I'm just bad at remembering them.

  • That's the sort of thing some idiot would put on his luggage!
  • Wrong problem? (Score:5, Insightful)

    by Kwyj1b0 (2757125) on Wednesday December 04, 2013 @08:16PM (#45603333)

    The data says that the 10th password in the list was used by 1000 users out of two million. The top ten, combined, accounts for 36,000 (eyeballed) of the two million passwords. That doesn't seem like an epidemic to me. A bit less than 2% - that is actually, IMO, quite good. Two percent of internet users are bad at understanding security? Wow.

    The keylogger is a bigger problem - so long as I type in my passwords, the keylogger can always find out what I am doing! I could have a 20 character really secure password, to no effect. Hell, things in real life are much worse. My pin is 4 digits long, banks identify me by the last four digits of my SSN (which, quite helpfully, they send out in the mail they send me). Maybe it is time to stop bashing people for choosing insecure passwords, and try to fix the systemic problems?

    • Re:Wrong problem? (Score:5, Insightful)

      by Lumpy (12016) on Wednesday December 04, 2013 @08:19PM (#45603371) Homepage

      Like running insecure Operating systems?

      • by lgw (121541)

        So what's that secure operating system again? I used to argue that SE Linux was the only OS that could reasonably be called secure, but given the recent NSA revelations I think we're back to nothing. Or are you still complaining about Windows 98?

        • by jd2112 (1535857)

          So what's that secure operating system again? I used to argue that SE Linux was the only OS that could reasonably be called secure, but given the recent NSA revelations I think we're back to nothing. Or are you still complaining about Windows 98?

          SE Linux is secure. It's designed so that the NSA can spy on you but no one else can.

          • by lgw (121541)

            Well, I love the model used by SE Linux - make security program-oriented instead of user-oriented. It really ramps up the security of a trusted distro, by thwarting a malicious patch.

    • Re:Wrong problem? (Score:4, Insightful)

      by Anonymous Coward on Wednesday December 04, 2013 @09:00PM (#45603697)

      Someone's going to post "use Firefox and noscript, flashblock, ..." but that solution doesn't really work anymore as there are just too many sites and too many scripts to look at before getting any useful work done. I bet many others like me just make a quick judgement on whether the main site is legit, click "allow all this page" and hope to God or whatever that they are careful about where they pull data from. Security is valuable but so is my time and I have no choice if I need to get things quickly done. All the other custom crap like DNS blackholes, firewalling, etc... are even less manageable and more prone to errors. I suppose the best thing would be to browse in a VM and always browse a protected site in a unique session, resetting the VM after each instance but that's a massive headache too for casual browsing even for an experienced IT professional.

    • by BillX (307153)

      +1 to this. The spread of good/bad/awful passwords (according to the authors' somewhat ad-hoc classification) is not too surprising on its own, but this data also has a strong selection bias toward users with lax security practices in general: this dataset consists exclusively of users with an active malware infestation.

    • by plover (150551)

      2% is still a big problem. When you are trying to hack in, you don't care much which account lets you in the door. Get in first, then escalate your privileges.

      2% means if I try these top ten bad passwords on about 50 accounts, I'll probably get a strike. If an account is locked out after three tries, then I can try the top three out on about 200 accounts, and might still have success.

    • by drinkypoo (153816)

      The data says that the 10th password in the list was used by 1000 users out of two million. The top ten, combined, accounts for 36,000 (eyeballed) of the two million passwords. That doesn't seem like an epidemic to me. A bit less than 2% - that is actually, IMO, quite good. Two percent of internet users are bad at understanding security? Wow.

      You're bad at understanding reality. This only shows that at least two percent of internet users are bad at understanding security. There's lots of ways your password can be bad which don't involve it being the same as someone else's.

    • by CastrTroy (595695)
      What I see from this is that the sample is flawed. We can't infer from this data that internet users create bad passwords. What we can infer, if the passwords show a trend of being poor passwords, is that internet users who have a keylogger installed create bad passwords. If you already have a keylogger on your system, you are probably quite lax about security.
    • Maybe it is time to stop bashing people for choosing insecure passwords, and try to fix the systemic problems?

      Good idea! For example:

      • The X server does not allow any method of secure password entry. Some people actually still believe that grabbing the keyboard prevents keyloggers from reading their password. They should look up the totally insecure XQueryKeymap call.
      • The X server allows invisible windows to take screenshots of your desktop at any time.
      • The SECURITY extension isn't secure because it does not pro
    • More importantly, the key logger can also just download your CC # data from the first online transaction you make while it's active and no longer need your passwords.

  • by angel'o'sphere (80593) on Wednesday December 04, 2013 @08:17PM (#45603335) Homepage Journal

    ... Chinese and Taiwan Keyboards have a logger built in, in hardware, storing all key presses in a kind of flash. And they simply collect old keyboards on the way to the garbage deposits.

    • ... Chinese and Taiwan Keyboards have a logger built in, in hardware, storing all key presses in a kind of flash. And they simply collect old keyboards on the way to the garbage deposits.

      Hmmm. No comment on the Chinese/Taiwan aspect, but that one *would* be an interesting type of penetration technique. Convince some target (maybe a bank) to participate in a "beta test" of some new super ergonomic keyboard that your "company" has developed. Have a keylogger built into each of them. Have them rigged to "fail" randomly after 30-60 days of use. Apologise profusely, take the "failed" keyboards, and dump the logs.

      Of course, it'd be even easier to just build some sort of wireless system into the

    • If keyboards did store text "in a kind of flash" it should be trivial to retrieve the contents. The chip or even die (black blob seen on pcbs) needs access to the outside world somehow. It would need a bus of some sort like SPI, JTAG, or even 1Wire. I guess you could get creative and do something with RFID or near field but again any good lab should find that in no time.

      • The chip or even die (black blob seen on pcbs) needs access to the outside world somehow. It would need a bus of some sort...

        Every keyboard has such a bus -- the keystrokes have to get to the computer, after all! Just build the keylogger into the USB control chip itself.

        • by gl4ss (559668)

          the extra circuitry for that could/would be found.

          and it would make it more expensive. and destroy your keyboard chip business.

          now some kb's, let's say 30 out of all sold in the world, might have had chips changed for logging. but all? unlikely.

          • the extra circuitry for that could/would be found.

            How? It would be built directly into the IC; you'd need an electron microscope to notice it (and who's going to bother looking?).

      • by plover (150551) on Thursday December 05, 2013 @01:18AM (#45605169) Homepage Journal

        And how many ordinary companies making a routine purchase of seemingly ordinary keyboards test them in labs for key loggers?

        Commercial keyloggers (including devices like black market skimmers) can use GPRS cards, they can scout for open WiFi access points and transmit their payload once a day at 2:00 AM, or they can sit on a whole file waiting for a harvester to show up and retrieve the data via Bluetooth, 900 MHz, or some other wireless technology. The retrieval patterns are designed to evade detection.

        The only people investigating this stuff today are forensic investigators hired by people who are already victims, and independent security firms with nothing better to do.

      • You have a very different definition of 'trivial,' my friend. Physically disassembling hardware and figuring out how to read from a hidden chip...

    • by Sockatume (732728)

      Sounds like the offspring of an old urban legend involving images stolen from Daniel Rutter's review of an actual keyboard logger.

      http://www.snopes.com/computer/internet/dellbug.asp [snopes.com]
      http://www.dansdata.com/keyghost.htm [dansdata.com]

  • by BringsApples (3418089) on Wednesday December 04, 2013 @08:18PM (#45603351)
    As far as we know, this thing happens all the time, and more than likely, these PCs that are infected are infected by more than one key-logger. "Update your antivirus" is a moot point, because unless the 'virus' is known, the antivirus folks cannot do anything about it anyway. By the time these things are found out, it's far too late anyway. There is no advice that can be given here, except "Don't get a virus", which is silly to tell someone.
  • by jader3rd (2222716) on Wednesday December 04, 2013 @08:24PM (#45603411)
    What security hole is the virus making use of? Is there something an end user should look out for? etc, etc?
    • by AHuxley (892839)
      In the past you would get the OS or vendor name and hints at a fix.
      Now it's some "virus got onto so many personal computers". Was it a push down from the web 2.0 sites on the PC? Or some random PC virus that spread and got a lot of web 2.0 sites' details?
      • by Burz (138833)

        It seems to be Windows, if you follow the links. I think the details are almost unimportant though; Desktops need an integrated hypervisor to be reliably secure. This greatly reduces the attack surface, though none are as good as Qubes OS at this point.

    • by Burz (138833)

      User should look out for... Windows. That's what this thing runs on according to a description of this malware's predecessor/sister (linked in article). /. stories suck when they don't mention the host OS.

  • not me (Score:5, Funny)

    by jafac (1449) on Wednesday December 04, 2013 @08:25PM (#45603413) Homepage

    Good thing I almost never key-in my passwords.

    I copy them straight off of strongpasswordgenerator.com, and paste them into my password fields.

  • Desktop attack (Score:5, Insightful)

    by gmuslera (3436) on Wednesday December 04, 2013 @08:30PM (#45603469) Homepage Journal

    Adobe password breach was about 40-100 million passwords, a lot reused in other services. But the method was different: instead of hacking into a single server with a very bad password policy, this went right to the desktops of people in that botnet. So no matter how safe you were using your password or picking a complex one, if your desktop security is not good enough (and there are a lot of cases of widespread malware avoiding antivirus detection for years) your carefully built password policy could be defeated at the moment of using them.

    About common passwords used, it is almost predictable to find them when having millions of passwords, but the strength of the password is not the problem here.

  • Little hint please? (Score:5, Informative)

    by Zakabog (603757) <john@@@jmaug...com> on Wednesday December 04, 2013 @08:32PM (#45603479)

    I'm looking for more technical information on this virus. Is there a collection of different key logging software all sending the passwords to the same proxy server? How does someone get infected by this virus? How about the IP addresses of the proxy servers so people can at least look for traffic from their firewalls?

    This article seems kind of useless other than to scare people into purchasing some protection, which conveniently the company writing the article sells!

    • by Teun (17872)
      It (still) takes a Windows computer to get infected but don't hold your breath...

      If the proxy's IP was known it would be shut down, you are looking at an after the facts solution.
      Oh yeah, you could read the linked articles, they give reasonable data.

  • by mythosaz (572040) on Wednesday December 04, 2013 @08:41PM (#45603553)

    Since they haven't published the impacted usernames yet, if one of you has access to the database, could you see if my password is in it?

    D0uble!!8R3view

    T.I.A.

    • by Anonymous Coward on Wednesday December 04, 2013 @08:54PM (#45603651)

      Since they haven't published the impacted usernames yet, if one of you has access to the database, could you see if my password is in it?

      D0uble!!8R3view

      T.I.A.

      Actually they should publish a list of the hashed passwords. I am eagerly awaiting this to find out if I have been hacked! For example, if they published a list of the passwords hashed with SHA256, then average joe slashdot could do a lookup on the list of 2 million to see if their password was compromised, without having to reveal the actual password in plaintext. I just checked, the SHA256 hash of your password is: "497835d7e73195527ab79857ec051bf2c13ad51c02f48a2af252fa2805a866cb" So in my proposed scheme, you could download software to check SHA256 hash, type in your password, and then paste the resulting hash into a search query on the list of compromised passwords.
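The lookup proposed in the comment above, as an added example that is not part of the original thread: the password is hashed locally and only the digest is compared with a published list. The file format (one hex SHA-256 digest per line), the function names and the sample data are assumptions made for illustration.

```python
import hashlib
import io

HEX = set("0123456789abcdef")


def sha256_hex(password: str) -> str:
    """Hash the password locally; only the digest is compared with the list."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def load_published_digests(lines) -> set:
    """Parse a published list with one hex SHA-256 digest per line.

    Case and surrounding whitespace are normalised; comment lines and
    anything that is not exactly 64 hex characters are skipped.
    """
    digests = set()
    for raw in lines:
        entry = raw.strip().lower()
        if len(entry) == 64 and set(entry) <= HEX:
            digests.add(entry)
    return digests


def is_compromised(password: str, digests: set) -> bool:
    """True if the locally computed digest appears in the published list."""
    return sha256_hex(password) in digests


def recoverable_entries(digests: set, wordlist) -> list:
    """Entries of the published list that a short list of common passwords
    already reveals: unsalted, fast hashes do not hide weak passwords."""
    return sorted(w for w in wordlist if sha256_hex(w) in digests)


# Constructed sample data (not from the Trustwave dataset).
SAMPLE_LEAKED = ["123456", "password", "kJ8#vq!2Lm0x"]
PUBLISHED_LIST = (
    "# constructed sample list\n"
    + sha256_hex(SAMPLE_LEAKED[0]).upper() + "\n"      # upper-case entry
    + "  " + sha256_hex(SAMPLE_LEAKED[1]) + "  \n"     # stray whitespace
    + sha256_hex(SAMPLE_LEAKED[2]) + "\n"
    + "not-a-digest\n"
)
COMMON = ["123456", "password", "12345", "00000000"]

if __name__ == "__main__":
    published = load_published_digests(io.StringIO(PUBLISHED_LIST))
    for candidate in ("123456", "an-unlisted-passphrase"):
        print(candidate, "->", is_compromised(candidate, published))
    print("revealed by common-password list:", recoverable_entries(published, COMMON))
```

A hit means the password should be changed everywhere it is used. `recoverable_entries` shows the cost of the scheme: publishing unsalted digests also exposes every weak password on the list to anyone who hashes a list of common ones.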

    • Re: (Score:3, Funny)

      by Anonymous Coward

      I think I've got you beat on entropy:

      qbJSK08jPHl3t4u7

      They can't crack 95-bit random passwords yet, so I should be totally safe, right?

      -Posting as AC because I can't login to my /. account right now. I think must be a temporary glitch.

  • by rueger (210566) on Wednesday December 04, 2013 @09:58PM (#45604063) Homepage
    Of late my bank has been on a new drive to irritate all customers under the guise of protecting our security. On top of the ever so secure four number PIN, and the usual login password, and the three digit CVV number (which I assume anyone stealing credit card info will also collect).

    They now have two very secure additions to their arsenal:

    1) Once you have logged in, and you wish to add another company to the list of those to whom you can send money - bill payments - you must also type in a five digit security code. A code that is different from your PIN, or any other log-in.

    Of course because you only use this about once a year you will have forgotten it, so you need to generate a new one. While still logged in. With no further authentication.

    Yes, adding a payee to the list requires you to enter a number that you created five seconds previously. Wow. I feel so safe.

    2) Authentication Questions: the ever popular list of ten questions about things that you did thirty-five years ago, or where there could be multiple possible answers. Where did you meet your spouse? (Which one?) What was the name of your childhood pet? (Again, which one?) What was your favourite TV show at age 13? (Damned if I know.) What was the Zip Code of your Grade Three elementary school?

    In other words, my money is secured through the use of a list of questions that any of my Facebook followers could find in about five minutes. Assuming that I ever put anything truthful on Facebook.

    The basic problem is that the whole password concept stopped being an effective protection years ago, and no-one has come up with a really good way to replace it. So instead we get corporations forcing people to jump through meaningless hoops in the hopes that we won't notice.

    Or worse, encouraging us to use one corporation's log-in across multiple platforms - thus ensuring that one security breach will open many doors to your on-line affairs. Seriously, does anyone think that using Facebook to log in elsewhere is a good idea?
    • What's worse is that the mother's maiden name question doesn't work:

      1) If your mother divorced your father and took her maiden name.
      2) If you're relatively young and your mother lives in Quebec, where women are now required to keep their maiden names.

    • On your comment about "assuming I ever put anything truthful on Facebook..."

      Yes, if anyone asks for stuff that isn't their business, give them misinformation. If there's a lot of misinformation out there about you, it'll make it harder for an identity thief to have an accurate file.

      What the Government should do is create a whole SLEW of false identities, make them "available", watch them, trace who is trying to use them, and arrest and prosecute them. If a good fraction of identities that people are able

    • by whoever57 (658626) on Wednesday December 04, 2013 @11:52PM (#45604797) Journal

      Of late my bank has been on a new drive to irritate all customers under the guise of protecting our security.

      UK banks have introduced personal card readers. When prompted you insert your card into your own card reader, enter your PIN and then enter a number that the website gives you. You then enter into the web form the resulting number that your card reader provides. In this way, you have proven that you have physical access to your bank card.

    • 2) Authentication Questions: the ever popular list of ten questions about things that you did thirty-five years ago, or where there could be multiple possible answers. Where did you meet your spouse? (Which one?) What was the name of your childhood pet? (Again, which one?) What was your favourite TV show at age 13? (Damned if I know.) What was the Zip Code of your Grade Three elementary school?
      In other words, my money is secured through the use of a list of questions that any of my Facebook followers could find in about five minutes. Assuming that I ever put anything truthful on Facebook.

      Never use a truthful answer for those questions. Just use an extra password as the answer. Of course that doesn't solve the problem of 99% of people actually typing correct answers to those questions, getting hacked, and possibly compromising your information via information they have about you.

      Really, these security questions ought to be outlawed rather than required.

    • by MrL0G1C (867445)

      When a site asks me for things like mother's maiden name I generate another random string, give them that, store it in my encrypted password database and occasionally email that db to my email addresses in case I need one of those passwords in an emergency.

    • by istartedi (132515)

      True story--in order to get my California driver's license I needed a birth cert. A copy would not do. I had to go back to my place of birth and get a copy with a raised seal on it. This was not easy to do directly or quickly. An expediting service was the most reasonable way to do it. The expediting service used security questions to assure that it was really me. There were several questions. Most of them were easy. Then I came to... "which one of these is a phone number you used in the past 10 yea

  • How many were: password, wordpass, password123, 12345 or 00000000?

  • If passwords are stolen via key loggers and break-ins into online sites anyway, why should people even bother picking secure passwords?
