Security

Two Million Passwords Compromised By Keylogger Virus

Ocean Consulting writes "CNN is reporting that over two million passwords from web service companies such as Google, Facebook, Twitter and Yahoo have been captured via a key logging virus. The story is based on information released by security firm Trustwave. The report critiques how bad people are at making secure passwords, but does mention the use of Pony Botnet Controller."
  • Wrong problem? (Score:5, Insightful)

    by Kwyj1b0 ( 2757125 ) on Wednesday December 04, 2013 @08:16PM (#45603333)

    The data says that the 10th password in the list was used by 1000 users out of two million. The top ten, combined, accounts for 36,000 (eyeballed) of the two million passwords. That doesn't seem like an epidemic to me. A bit less than 2% - that is actually, IMO, quite good. Two percent of internet users are bad at understanding security? Wow.

    The keylogger is a bigger problem - so long as I type in my passwords, the keylogger can always find out what I am doing! I could have a 20 character really secure password, to no effect. Hell, things in real life are much worse. My PIN is 4 digits long, banks identify me by the last four digits of my SSN (which, quite helpfully, they send out in the mail they send me). Maybe it is time to stop bashing people for choosing insecure passwords, and try to fix the systemic problems?

  • Re:Wrong problem? (Score:5, Insightful)

    by Lumpy ( 12016 ) on Wednesday December 04, 2013 @08:19PM (#45603371) Homepage

    Like running insecure Operating systems?

  • Desktop attack (Score:5, Insightful)

    by gmuslera ( 3436 ) on Wednesday December 04, 2013 @08:30PM (#45603469) Homepage Journal

    Adobe password breach was about 40-100 million passwords, a lot reused in other services. But the method was different, instead of hacking into a single server with a very bad password policy, this went right to the desktops of people in that botnet. So no matter how safe you were using your password or picking a complex one, if your desktop security is not good enough (and there are a lot of cases of widespread malware avoiding antivirus detection for years) your carefully built password policy could be defeated at the moment of using them.

    About common passwords used, it is almost predictable to find them when you have millions of passwords, but the strength of the password is not the problem here.

  • by decsnake ( 6658 ) on Wednesday December 04, 2013 @08:37PM (#45603519)

    A "secure" password does nothing to mitigate keyloggers. The only thing that does is two factor.

    I think the comments regarding the password strength were general, and basically the usual Slashdot topic drift.

    IMO it's way past time for two factor everywhere. Federating logins makes that much more feasible.

  • by Anonymous Coward on Wednesday December 04, 2013 @08:54PM (#45603651)

    Since they haven't published the impacted usernames yet, if one of you has access to the database, could you see if my password is in it?

    D0uble!!8R3view

    T.I.A.

    Actually they should publish a list of the hashed passwords. I am eagerly awaiting this to find out if I have been hacked! For example, if they published a list of the passwords hashed with SHA256, then average joe slashdot could do a lookup on the list of 2 million to see if their password was compromised, without having to reveal the actual password in plaintext. I just checked, the SHA256 hash of your password is: "497835d7e73195527ab79857ec051bf2c13ad51c02f48a2af252fa2805a866cb" So in my proposed scheme, you could download software to check SHA256 hash, type in your password, and then paste the resulting hash into a search query on the list of compromised passwords.
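
The lookup scheme proposed above, written out as an added example (not code from the thread): the publisher hashes each compromised password with SHA-256 and releases only the digests; a user hashes their own password locally and checks for membership, so the plaintext never leaves their machine. The list of "compromised" passwords below is constructed for the example. The caveat a practitioner would add: an unsalted, fast hash of a password list is reversible for any password weak enough to be guessed, so publishing the digests effectively publishes the weak entries; that is why real breach-lookup services avoid releasing raw per-password digests.

```python
import hashlib

# Constructed stand-in for the captured password list; a real publisher would
# never release these plaintexts, only the digests produced by build_hash_list().
SAMPLE_COMPROMISED = ["123456", "password", "admin", "123456789", "letmein"]


def sha256_hex(password: str) -> str:
    """Hex SHA-256 digest of a password, the value the scheme proposes publishing."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_hash_list(passwords):
    """Publisher side: a sorted, de-duplicated list of digests, one per line."""
    return sorted({sha256_hex(p) for p in passwords})


def load_hash_set(lines):
    """Client side: parse a published list (one hex digest per line, '#' comments allowed)
    into a set for constant-time membership tests, rejecting malformed lines."""
    hashes = set()
    for raw in lines:
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if len(line) != 64 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError(f"malformed digest line: {raw!r}")
        hashes.add(line)
    return hashes


def is_compromised(password: str, published: set) -> bool:
    """Hash locally and look up; only the digest is ever compared against the list."""
    return sha256_hex(password) in published


if __name__ == "__main__":
    published = load_hash_set(build_hash_list(SAMPLE_COMPROMISED))
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "->", "COMPROMISED" if is_compromised(candidate, published) else "not in list")
```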

  • Re:Wrong problem? (Score:4, Insightful)

    by Anonymous Coward on Wednesday December 04, 2013 @09:00PM (#45603697)

    Someone's going to post "use Firefox and noscript, flashblock, ..." but that solution doesn't really work anymore as there are just too many sites and too many scripts to look at before getting any useful work done. I bet many others like me just make a quick judgement on whether the main site is legit, click "allow all this page" and hope to God or whatever that they are careful about where they pull data from. Security is valuable but so is my time and I have no choice if I need to get things quickly done. All the other custom crap like DNS blackholes, firewalling, etc... are even less manageable and more prone to errors. I suppose the best thing would be to browse in a VM and always browse a protected site in a unique session, resetting the VM after each instance but that's a massive headache too for casual browsing even for an experienced IT professional.

  • by lgw ( 121541 ) on Wednesday December 04, 2013 @09:03PM (#45603719) Journal

    Good luck with that plan. I mean sure, if you're RMS and "browse the web" by wgetting the page and emailing to yourself to read in EMACS then sure, you're probably safe from drive-by attacks. But if you need JS enabled to browse then you're vulnerable.

  • by rueger ( 210566 ) on Wednesday December 04, 2013 @09:58PM (#45604063) Homepage
    Of late my bank has been on a new drive to irritate all customers under the guise of protecting our security. On top of the ever-so-secure four-number PIN, and the usual login password, and the three-digit CVV number (which I assume anyone stealing credit card info will also collect).

    They now have two very secure additions to their arsenal:

    1) Once you have logged in, and you wish to add another company to the list of those to whom you can send money - bill payments - you must also type in a five digit security code. A code that is different from your PIN, or any other log-in.

    Of course because you only use this about once a year you will have forgotten it, so you need to generate a new one. While still logged in. With no further authentication.

    Yes, adding a payee to the list requires you to enter a number that you created five seconds previously. Wow. I feel so safe.

    2) Authentication Questions: the ever popular list of ten questions about things that you did thirty-five years ago, or where there could be multiple possible answers. Where did you meet your spouse? (Which one?) What was the name of your childhood pet? (Again, which one?) What was your favourite TV show at age 13? (Damned if I know.) What was the Zip Code of your Grade Three elementary school?

    In other words, my money is secured through the use of a list of questions that any of my Facebook followers could find in about five minutes. Assuming that I ever put anything truthful on Facebook.

    The basic problem is that the whole password concept stopped being an effective protection years ago, and no-one has come up with a really good way to replace it. So instead we get corporations forcing people to jump through meaningless hoops in the hopes that we won't notice.

    Or worse, encouraging us to use one corporation's log-in across multiple platforms - thus ensuring that one security breach will open many doors to your on-line affairs. Seriously, does anyone think that using Facebook to log in elsewhere is a good idea?

  • by dreamchaser ( 49529 ) on Wednesday December 04, 2013 @10:31PM (#45604291) Homepage Journal

    It's a bit ironic that the summary mentions having strong passwords when it was a keylogger to blame. It wouldn't matter how strong the passwords are in that case.

  • by arth1 ( 260657 ) on Wednesday December 04, 2013 @10:58PM (#45604465) Homepage Journal

    Google and Facebook offer simple two-factor that works with any cellphone capable of SMS. Facebook also has a keygen built into their smartphone app. I wish everyone did this.

    I don't. Most of all because not everyone has a mobile phone with SMS subscription. But also because coverage is rather spotty. I work in a building that's shielded. No cell phone service at all. And large areas outside the cities and suburbs have truly bad-to-non-existing coverage.
    Even if the majority of people can use it, it would cut off a lot of people who can't.

  • by Anonymous Coward on Thursday December 05, 2013 @01:18AM (#45605171)

    So - just one email account password to crack - right? Discard to the right of the + symbol in the user portion of your address, and we're done. Brilliant solution you've got there... I hope the world adopts it. I'm rather tired of earning legitimate income - I'd like to use yours.
