Two Million Passwords Compromised By Keylogger Virus 174
Ocean Consulting writes "CNN is reporting that over two million passwords from web service companies such as Google, Facebook, Twitter and Yahoo have been captured via a key logging virus. The story is based on information released by security firm Trustwave. The report critiques how bad people are at making secure passwords, but does mention the use of Pony Botnet Controller."
I have some bad news and some good news (Score:5, Funny)
The bad news is that 2 million passwords have been compromised.
The good news is that they're all "123456".
Re: (Score:3)
The worse news is that the information they protect is all about Tim's lunch and Kristy's horrible new shoes.
Re: (Score:3)
You like my posts about lunch.... DONT YOU!!!!
Re:I have some bad news and some good news (Score:5, Funny)
Re: I have some bad news and some good news (Score:2)
Re: (Score:2)
Re: (Score:2)
Besides, his last "trip" involved taking four tabs of acid
Nothing strange about that - people going to be out of the local reality set that damned long should definitely pack for the journey. I recommend an original era Steve Ditko Doctor Strange comic, and an autograph book just in case they see Leonard Nimoy or John Nobel.
Re:I have some bad news and some good news (Score:5, Insightful)
It's a bit ironic that the summary mentions having strong passwords when it was a keylogger to blame. It wouldn't matter how strong the passwords are in that case.
Re: (Score:2)
Use a password like "pass123word", first type "password", then place the cursor between the fourth and fifth character, then type "123". They'll need something a bit more sophisticated than a simple keylogger to catch those.
I remember many years ago some old version of Mac OS X refused to let you move the cursor in between already typed password characters, I filed a bug report and got "behaves as intended", but fortunately they came to their senses some time afterwards.
Re: (Score:2)
Many keyloggers log mouse clicks too. Your technique would stifle an automated scrape, but likely human eyes are going to be looking at keylogged data at some point anyway, otherwise it's just noise. There's no algorithm for "separate out the password typing from all this other typing." So at best they have to order the characters you've helpfully provided. That means the number of possible permutations is just 9: k (length) of "password" (8) + 1, in case you positioned the cursor before the first lette
Re: (Score:2)
That's amazing. I've got the same combination on my luggage!
Re: (Score:3)
You say that in jest, but according to Good Morning America the majority of them actually were 123456!
For the record (Score:5, Funny)
I'm not bad at making up secure passwords, I'm just bad at remembering them.
I'm not bad at guessing other people's passwords!! (Score:4, Funny)
I just have trouble finding the people whom they belong to.
Re: (Score:2)
Sir, had I the points, I would mod you up as Interesting, Funny, AND Informative.
I still want a sad-but-true mod. I know someone else who has the same problem.
Our password policy is so bad that. . . (Score:2)
12345? (Score:2)
Re: (Score:2)
Re: (Score:2)
Wrong problem? (Score:5, Insightful)
The data says that the 10th password in the list was used by 1000 users out of two million. The top ten, combined, accounts for 36,000 (eyeballed) of the two million passwords. That doesn't seem like an epidemic to me. A bit less than 2% - that is actually, IMO, quite good. Two percent of internet users are bad at understanding security? Wow.
The keylogger is a bigger problem - so long as I type in my passwords, the keylogger can always find out what I am doing! I could have a 20 character really secure password, to no effect. Hell, things in real life are much worse. My pin is 4 digits long, banks identify me by the last four digits of my SSN (which, quite helpfully, they send out in the mail they send me). Maybe it is time to stop bashing people for choosing insecure passwords, and try to fix the systemic problems?
Re:Wrong problem? (Score:5, Insightful)
Like running insecure Operating systems?
Re: (Score:2)
So what's that secure operating system again? I used to argue that SE Linux was the only OS that could reasonably called secure, but given the recent NSA revelations I think we're back to nothing. Or are you still complaining about Windows 98?
Re: (Score:2)
So what's that secure operating system again? I used to argue that SE Linux was the only OS that could reasonably called secure, but given the recent NSA revelations I think we're back to nothing. Or are you still complaining about Windows 98?
SE Linux is secure. It's designed so that the NSA can spy on you but no one else can.
Re: (Score:2)
Well, I love the model used by SE Linux - make security program-oriented instead of user-oriented. It really ramps up the security of a trusted distro, by thwarting a malicious patch.
Re:Wrong problem? (Score:4, Insightful)
Someone's going to post "use Firefox and noscript, flashblock, ..." but that solution doesn't really work anymore as there are just too many sites and too many scripts to look at before getting any useful work done. I bet many others like me just make a quick judgement on whether the main site is legit, click "allow all this page" and hope to God or whatever that they are careful about where they pull data from. Security is valuable but so is my time and I have no choice if I need to get things quickly done. All the other custom crap like DNS blackholes, firewalling, etc... are even less manageable and more prone to errors. I suppose the best thing would be to browse in a VM and always browse a protected site in a unique session, resetting the VM after each instance but that's a massive headache too for casual browsing even for an experienced IT professional.
Re: (Score:2)
+1 to this. The spread of good/bad/awful passwords (according to the authors' somewhat ad-hoc classification) is not too surprising on its own, but this data also has a strong selection bias toward users with lax security practices in general: this dataset consists exclusively of users with an active malware infestation.
Re: (Score:2)
2% is still a big problem. When you are trying to hack in, you don't care much which account lets you in the door. Get in first, then escalate your privileges.
2% means if I try these top ten bad passwords on about 50 accounts, I'll probably get a strike. If an account is locked out after three tries, then i can try the top three out on about 200 accounts, and might still have success.
Re: (Score:2)
The data says that the 10th password in the list was used by 1000 users out of two million. The top ten, combined, accounts for 36,000 (eyeballed) of the two million passwords. That doesn't seem like an epidemic to me. A bit less than 2% - that is actually, IMO, quite good. Two percent of internet users are bad at understanding security? Wow.
You're bad at understanding reality. This only shows that at least two percent of internet users are bad at understanding security. There's lots of ways your password can be bad which don't involve it being the same as someone else's.
Re: (Score:2)
Systemic problems (Score:2)
Good idea! For example:
Re: (Score:2)
More importantly, the key logger can also just download your CC # data from the first online transaction you make while its active and no longer need your passwords.
Rumors say ... (Score:3)
... Chinese and Taiwan Keyboards have a logger build in in hardware, storing all key presses in a kind of flash. And they simply collect old keyboards on the way to the garbage deposits.
Re: (Score:2)
... Chinese and Taiwan Keyboards have a logger build in in hardware, storing all key presses in a kind of flash. And they simply collect old keyboards on the way to the garbage deposits.
Hmmm. No comment on the CHinese/Taiwan aspect, but that one *would* be an interesting type of penetration technique. Convince some target (maybe a bank) to participate in a "beta test" of some new super ergonomic keyboard that your "company" has developed. Have a keylogger built into each them. Have them rigged to "fail" randomly after 30-60 days of use. Aplogise profusely, take the "failed" keyboards, and dump the logs.
Of course, it'd be even easier to just build some sort of wireless system into the
More conspiracy bullshit (Score:2)
If keyboards did store text "in a kind of flash" it should be trivial to retrieve the contents. The chip or even die (black blob seen on pcbs) needs access to the outside world somehow. It would need a bus of some sort like SPI, JTAG, or even 1Wire. I guess you could get creative and do something with RFID or near field but again any good lab should find that in no time.
Re: (Score:2)
Every keyboard has such a bus -- the keystrokes have to get to the computer, after all! Just build the keylogger into the USB control chip itself.
Re: (Score:2)
the extra circuitry for that could/would be found.
and it would make it more expensive. and destroy your keyboard chip business.
now some kb's, let's say 30 out of all sold in the world, might have had chips changed for logging. but all? unlikely.
Re: (Score:2)
How? It would be built directly into the IC; you'd need an electron microscope to notice it (and who's going to bother looking?).
Re:More conspiracy bullshit (Score:5, Interesting)
And how many ordinary companies making a routine purchase of seemingly ordinary keyboards test them in labs for key loggers?
Commercial keyloggers (including devices like black market skimmers) can use GPRS cards, they can scout for open WiFi access points and transmit their payload once a day at 2:00 AM, or they can sit on a whole file waiting for a harvester to show up and retrieve the data via Bluetooth, 900 mHz, or some other wireless technology. The retrieval patterns are designed to evade detection.
The only people investigating this stuff today are forensic investigators hired by people who are already victims, and independent security firms with nothing better to do.
Re: (Score:3)
Actually, a few hundred PIN pads with built-in skimmers and GPRS modules were distributed around Europe a few years ago.
Re: (Score:2)
You have a very different definition of 'trivial,' my friend. Physically disassembling hardware and figuring out how to read from a hidden chip...
Re: (Score:2)
Sounds like the offspring of an old urban legend involving images stolen from Daniel Rutter's review of an actual keyboard logger.
http://www.snopes.com/computer/internet/dellbug.asp [snopes.com]
http://www.dansdata.com/keyghost.htm [dansdata.com]
Re: (Score:2)
This is a key-logger issue (Score:4, Informative)
Re: (Score:2)
Re:This is a key-logger issue (Score:5, Insightful)
Good luck with that plan. I mean sure, if you're RMS and "browse the web" by wgetting the page and emailing to yourself to read in EMACS then sure, you're probably safe from drive-by attacks. But if you need JS enabled to browse then you're vulnerable.
Re: (Score:3)
Or you can use this [qubes-os.org] ...which I am typing in at this moment.
Tell us more about the virus! (Score:4, Interesting)
Re: (Score:2)
Now its some " virus got onto so many personal computers" Was it a push down from the web 2.0 sites on the PC? Or some random PC virus that spread and got a lot of web 2.0 sites details?
Re: (Score:3)
It seems to be Windows, if you follow the links. I think the details are almost unimportant though; Desktops need an integrated hypervisor to be reliably secure. This greatly reduces the attack surface, though none are as good as Qubes OS at this point.
Re: (Score:2)
User should look out for... Windows. That's what this thing runs on according to a description of this malware's predecessor/sister (linked in article). /. stories suck when they don't mention the host OS.
not me (Score:5, Funny)
Good thing I almost never key-in my passwords.
I copy them straight off of strongpasswordgenerator.com, and paste them into my password fields.
Re: (Score:3)
Seems like a fun challenge for any (serious) keylogger author out there. Probably will add a couple of hours of the more fun kind of coding to his 'job'.
I'm not saying it's a bad idea, but it will only help out against the very basic keyloggers. Then again, it WILL protect against hardware keyloggers that sit between the keyboard and the computer as those have no access to the clipboard. But in that situation simple auto-typing or simple copy-pasting would be sufficient.
Desktop attack (Score:5, Insightful)
Adobe password breach was about 40-100 millon passwords,a lot reused in other services. But the method was different, instead of hacking into a single server with a very bad password policy, this went right to the desktops of people in that botnet. So no matter how safe you were using your password or picking a complex one, if your desktop security is not good enough (and there are a lot of cases of widespread malware avoiding antivirus detection for years) your carefully built password policy could be defeated at the moment of using them.
About common passwords used, is almost predictable to find them having millons of passwords, but the strenght of the password is not the problem here.
Little hint please? (Score:5, Informative)
I'm looking for more technical information on this virus. Is there a collection of different key logging software all sending the passwords to the same proxy server? How does someone get infected by this virus? How about the IP addresses of the proxy servers so people can at least look for traffic from their firewalls?
This article seems kind of useless other than to scare people into purchasing some protection, which conveniently the company writing the article sells!
Re: (Score:2)
If the proxy's IP was known it would be shut down, you are looking at an after the facts solution.
Oh yeah, you could read the linked articles, they give reasonable data.
Hey, if you get a minute. (Score:5, Funny)
Since they haven't published the impacted usernames yet, if one of you has access to the database, could you see if my password is in it?
D0uble!!8R3view
T.I.A.
Re:Hey, if you get a minute. (Score:5, Insightful)
Since they haven't published the impacted usernames yet, if one of you has access to the database, could you see if my password is in it?
D0uble!!8R3view
T.I.A.
Actually they should publish a list of the hashed passwords. I am eagerly awaiting this to find out if I have been hacked! For example, if they published a list of the passwords hashed with SHA256, then average joe slashdot could do a lookup on the list of 2 million to see if their password was compromised, without having to reveal the actual password in plaintext. I just checked, the SHA256 hash of your password is: "497835d7e73195527ab79857ec051bf2c13ad51c02f48a2af252fa2805a866cb" So in my proposed scheme, you could download software to check SHA256 hash, type in your password, and then paste the resulting hash into a search query on the list of compromised passwords.
Re:Hey, if you get a minute. (Score:5, Funny)
I'll offer that as a web service.
Just type your most commonly used username/password pairs into my website, and I'll instantly tell you if they're compromised.
Re: (Score:3, Funny)
I think I've got you beat on entropy:
qbJSK08jPHl3t4u7
They can't crack 95-bit random passwords yet, so I should be totally safe, right?
-Posting as AC because I can't login to my /. account right now. I think must be a temporary glitch.
My Bank Has The Solution: Mother's Maiden Name (Score:5, Insightful)
They now have two very secure additions to their arsenal:
1) Once you have logged in, and you wish to add another company to the list of those to whom you can send money - bill payments - you must also type in a five digit security code. A code that different from your PIN, or any other log-in.
Of course because you only use this about once a year you will have forgotten it, so you need to generate new one. While still logged in. With no further authentication.
Yes, adding a payee to the list requires you to enter a number that you created five seconds previously. Wow. I feel so safe.
2) Authentication Questions: the ever popular list of ten questions about things that you did thirty-five years ago, or where there could be multiple possible answers. Where did you meet your spouse? (Which one?) What was the name of your childhood pet? (Again, which one?) What was your favourite TV show at age 13? (Damned if I know.) What was the Zip Code of your Grade Three elementary school?
In other words, my money is secured through the use of a list of questions that any of my Facebook followers could find in about five minutes. Assuming that I ever put anything truthful on Facebook.
The basic problem is that the whole password concept stopped being an effective protection years ago, and no-one has come up with a really good way to replace it. So instead we get corporations forcing people to jump through meaningless hoops in the hopes that we won't notice.
Or worse, encouraging us to use one corporation's log-in across multiple platforms - thus ensuring that one security breach will open many doors to your on-line affairs. Seriously, does anyone think that using Facebook to log in elsewhere is a good idea?
Re: (Score:2)
What's worse is that the mother's maiden name question doesn't work:
1) If your mother divorced your father and took her maiden name.
2) If you're relatively young and your mother lives in Quebec, where women are now required to keep their maiden names.
Poison the well..... (Score:2)
On your comment about "assuming I ever put anything truthful on Facebook..."
Yes, if anyone asks for stuff that isn't their business, give them misinformation. If there's a lot of misinformation out there about you, it'll make it harder for an identity thief to have an accurate file.
What the Government should do is create a whole SLEW of false identities, make them "available", watch them, trace who is trying to use them, and arrest and prosecute them. If a good fraction of identities that people are able
Re:My Bank Has The Solution: Mother's Maiden Name (Score:5, Informative)
UK banks have introduced personal card readers. When prompted you insert your card into your own card reader, enter your PIN and then enter a number that the website gives you. You then enter into the web form the resulting number that your card reader provides. In this way, you have proven that you have physical access to your bank card.
Re: (Score:2)
2) Authentication Questions: the ever popular list of ten questions about things that you did thirty-five years ago, or where there could be multiple possible answers. Where did you meet your spouse? (Which one?) What was the name of your childhood pet? (Again, which one?) What was your favourite TV show at age 13? (Damned if I know.) What was the Zip Code of your Grade Three elementary school?
In other words, my money is secured through the use of a list of questions that any of my Facebook followers could find in about five minutes. Assuming that I ever put anything truthful on Facebook.
Never use a truthful answer for those questions. Just use an extra password as the answer. Of course that doesn't solve the problem of 99% of people actually typing correct answers to those questions, getting hacked, and possibly compromising your information via information they have about you.
Really, these security questions ought to be outlawed rather than required.
Re: (Score:2)
When a site asks me for things like mothers maidens name I generate another random string, give them that, store it in my encrypted password database and occasionally email that db to my email addresses in case I need one of those passwords in an emergency.
Re: (Score:3)
True story--in order to get my California driver's license I needed a birth cert. A copy would not do. I had to go back to my place of birth and get a copy with a raised seal on it. This was not easy to do directly or quickly. An expediting service was the most reasonable way to do it. The expediting service used security questions to assure that it was really me. There were several questions. Most of them were easy. Then I came to... "which one of these is a phone number you used in the past 10 yea
how many DISTINCT passwords? (Score:2)
How many were: password, wordpass, password123, 12345 or 00000000?
what's the point? (Score:2)
If passwords are stolen via key loggers and break-ins into online sites anyway, why should people even bother picking secure passwords?
Re: (Score:2)
Re: Secure password vs keylogger. (Score:5, Insightful)
A "secure" password does nothing to mitigate keyloggers. The only thing that does is two factor.
I think the comments regarding the password strength were general, and basically the usual Slashdot topic drift.
IMO it's way past time for two factor everywhere. Federating logins makes that much more feasible.
Re: Secure password vs keylogger. (Score:4, Informative)
Google and Facebook offer simple two-factor that works with any cellphone capable of SMS. Facebook also has a keygen built into their smartphone app. I wish everyone did this.
Re: (Score:2, Insightful)
Google and Facebook offer simple two-factor that works with any cellphone capable of SMS. Facebook also has a keygen built into their smartphone app. I wish everyone did this.
I don't. Most of all because not everyone has a mobile phone with SMS subscription. But also because coverage is rather spotty. I work in a building that's shielded. No cell phone service at all. And large areas outside the cities and suburbs have truly bad-to-non-existing coverage.
Even if the majority of people can use it, it would cut off a lot of people who can't.
Re: Secure password vs keylogger. (Score:5, Informative)
The keygen would still work, plus Google will let you print out one-time use codes that you can keep in your wallet. I have had to use those before. Google will also let you set up a phone number that it will ring with the code - and naturally your desk phone at work sounds like a pretty good candidate.
Re: (Score:2)
Re: (Score:2)
Log on, get your key texted to you, then walk outside to get the message :P. Not really any different than when google asks you to reauthenticate and your phone is downstairs or in the car or not charged.
Way different. Because Google has never asked me to reauthenticate. Google doesn't know my phone number, or even whether I have a phone. If you have given that information to Google, that's your problem, not mine.
Re: (Score:2)
Google and Facebook offer simple two-factor that works with any cellphone capable of SMS. Facebook also has a keygen built into their smartphone app. I wish everyone did this.
My 2FA from Google stopped working a few months ago, so I had to turn it off. I don't know why, but I no longer got SMS messages when I asked them to authorize something. Annoying.
Re: (Score:2)
And you could turn it off without using 2FA?! Seriously?!
Re: (Score:2)
now if I just had any social life or was someone interesting enough to be spied upon, this would all be justified and useful.
Re: (Score:2)
Like hell I want to give facebook my phone number.
Re: (Score:2)
Or vagina--er, I mean, Google.
Re: (Score:2)
And what's more likely: a hacker gains access to my email and bank account, or a hacker bypasses the bank's "security" entirely and has access to EVERYONE'S bank account?
Well, based on the torrents of spam that I get from friends and relatives hijacked accounts, I'd say pretty darned likely.
Re: (Score:2)
I am just wishing for all access to my accounts from eastern Europe to be blocked. If Netflix can do it, why can't my bank?
Re: (Score:2)
Re:OMG Pony BotNet! (Score:4, Interesting)
Got to be a whole freaking lot better than the 8 characters stuff even with various cases, numbers and symbols.
I love how people with a clue suggest people use different passwords everywhere and then more or less every single page in the universe require you to have a freaking login and often don't use any central stuff for doing so (somewhat better now with facebook and Google then again do I really want to connect my accounts that way?)
Guess a certificate / private key and password isn't all that much better but it's way more convenient.
Re:Yeah, they all require an email address (Score:5, Informative)
With your own domain and software like KeePassX, it's surprisingly easy. You never even have to type passwords or usernames. Once you get it set up it's actually even easier than using the same password everywhere, and vastly more safe.
Re: (Score:2)
If you *never* have to enter passwords (not even a master password to unlock the store?), I would be very suspicious of this tool's security.
Re:Yeah, they all require an email address (Score:5, Informative)
> should we setup a separate email address at google for each vendor account we create?
You don't already use an alias? username+vendor@gmail.com
Surprising how many scripts tell you that this is not a valid email address.
Re: (Score:2)
that's why you using username-vendor@yourowndomain.com. works everywhere.
Re: (Score:2, Insightful)
So - just one email account password to crack - right? Discard to the right of the + symbol in the user portion of your address, and we're done. Brilliant solution you've got there..I hope the world adopts it. I'm rather tired of earning legitimate income - I'd like to use yours'.
Re: (Score:2)
I guess the point is that by using some unified login platform you don't give any password at all to the service providers you're using, just a token. so no, you don't need to create a new email account for every service unless you're worried about spam they might send in which case use an email alias(though probably half of the services that want to spam you are going to filter the +alias on gmail anyways soon enough... hotmail allows normal alias creation up to a certain number).
besides though, can you si
Re: (Score:2)
I do ... obviously. Its a great trick, and it helps track spam sources too.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The "at" makes that sentence unambiguous, you know.
Re: (Score:2)
I can't be bothered to diagram the sentence for you, but I promise there's nothing grammatically wrong with it (not even the punctuation).
Re: (Score:2)
Throw in a single space, spelling mistake, or capital letter and try it.
Re: (Score:2)
Each word in a dictionary attack is still better entropy than a single letter in the alphabet (1 out of [words in dictionary] vs 1 out of 26). Granted, that password is still only 12 pieces to grab, its still better than a 12 character password in terms of entropy by my math.
For my clients I recommend 16 character fully random passwords. ymmv.
Re: (Score:2)
- Avoid the 5000 most commonly used English (or your language's) words.
- Odd capitalization helps, as long as you can remember it
- Misspellings are a good idea
- L33T speak ("0" in place of "o") is basically worthless
- Tacking together 2-4 less commonly used words, mixed in with numbers/symbols still works moderately well. Figure 16 or 17 bits per word, plus 4-5 bits per symbol/number, plus 0.5 bits for every change in case.
- Pure random is difficult, unless you have KeyPass or sto
Re: (Score:2)
The strong password helps protect people when it is only hashed and not salted. So if the site you use hashes the password but doesn't salt it, then your weak password would be broken more easily than a strong password. This assumes that the hackers somehow were able to access the username password database and would then employ brute force against that.
Also, a long term brute force attack against an account with a weak password would eventually succeed in less time than one with a strong password, althou
Re: (Score:2)
Nice try, but the party line is that the built-in AV software under Windows is more than sufficient.