backtop

Print 59 comment(s) - last by Smilin.. on Jun 21 at 11:30 AM

  (Source: icanhascheezburger)
Facebook, Gmail, and Twitter pages defaced as mob mentality rules

Today everyone's favorite (or least favorite, perhaps) cyberbanditsLulzSec, leaked 62,000 peoples' email addresses and passwords.

The listing, which can be found here in text file form, has lots of different users and passwords.  A few notes -- the passwords appear to be all 15 or less characters and don't include capital letters (the last entry seems a fluke).  

This could simply be a coincidence that speaks to peoples' password tendencies these days, or it could be a sign that LulzSec used brute force attacks to crack these passwords.  

Using an SSD-driven rainbow tables approach, a 14-character hashed password can be cracked in about 5 seconds; cracking 62,000 passwords would take approximately three and a half days, at most (probably less if you exclude capitals).  Of course that's for Windows passwords, which use MD4 hashing.  More secure sites likely use MD5 and SHA1, in addition to salting, and a high iteration account -- of course there's plenty of sites that are probably using MD4 with no salting or -- as the Sony hacks showed -- storing passwords as cleartext in web accessible databases.

Many users whose email addresses were hacked subsequently had their Twitter or Facebook accounts illegitimately accessed and defaced [source].  It appears that the internet equivalent of a mob is behind these attacks -- thousands of individuals have downloaded the file containing the passwords and begun to try to access peoples' accounts.

The Next Web has been promoting a tool to find if you've been hacked, stating, "We've promised we won't say who built it, but can absolutely 100% assure it wasn't LulzSec and there's no email harvesting going on."

That said, the widget -- originally hosted here -- is the work of an unknown developer, so entrusting it with your emails might not be wise.

As always you can maintain safety online by:

  1. Using one-time use accounts for your various online registrations (to avoid one account being compromised allowing others to be compromised).
  2. Use passphrases with numbers, capital letters, and preferably ASCII symbols.
  3. Make sure your passwords are over 20 characters long.
  4. Don't reuse passwords.
  5. Don't share passwords with anyone.
While the above may seem difficult, it will allow you to remain safe from cybercrime online, for the most part.

 

Comments     Threshold


This article is over a month old, voting and posting comments is disabled
Password recommendations
By wookie1 on 6/16/2011 8:33:59 PM , Rating: 4
How many people could possibly use passwords at least 20 characters long, with mixed up capitalization, numbers, (sometimes on websites that allow them) punctuation - and use a different one for every bank, facebook, e-mail, etc account. You're not supposed to write them down either, right?




RE: Password recommendations
By croc on 6/16/2011 8:57:11 PM , Rating: 5
Th1s_1s_My_b@nk_@cct_p255wd_for_jun_20ii...

40 characters, uc & lc, odd characters (_ @) etc. Easy to remember, hard to brute force, and only valid for a month... Now, find a bank that will let you use that password. Many have a much shorter string policy, or don't allow the use of _-+=~`!@#$%^&*() characters or all of the above. It is not the public's fault, in some cases, that they have a 'weak' password, it is the password policy of that institution.


RE: Password recommendations
By Darkefire on 6/16/2011 10:52:12 PM , Rating: 2
That is exactly what my bank does, which forces me to use a much weaker password than I would normally have. Fortunately they've got a few additional security checks in place if a computer tries to access my account from a previously unused location, but I'd still prefer to be able to use symbols again.


RE: Password recommendations
By probedb on 6/17/2011 2:58:54 AM , Rating: 4
Yep and try somewhere like amazon which only allows 8 characters and no symbols!!

You try and have secure passwords and companies don't let you for no reason what-so-ever.


RE: Password recommendations
By quiksilvr on 6/17/2011 8:59:56 AM , Rating: 2
? My amazon password is 9 characters and I changed it recently.


RE: Password recommendations
By jabber on 6/17/2011 10:15:46 AM , Rating: 3
Using 20 characters for Amazon currently.

In fact going round upgrading all my important passwords today.


RE: Password recommendations
By wrekd on 6/17/2011 10:15:17 AM , Rating: 2
They probably don't want too many phone calls from the old fogies that forget...well everything. Even the password reset option can be difficult for them.


RE: Password recommendations
By The Raven on 6/17/2011 11:32:15 AM , Rating: 3
I think you are incorrect about Amazon, but last I checked AMEX limited you to 8 as well. Freaking AMEX!


RE: Password recommendations
By MozeeToby on 6/17/2011 12:47:05 PM , Rating: 2
The problem is that you're still a key-logger away from having your banking information stolen. 'Something you know and something you have' is the way to go for anything finance related. Find a bank that will give you a SecureID token or a one time pad (apparently these are quite common in Europe but almost unheard of in the US).


RE: Password recommendations
By CZroe on 6/17/2011 1:01:30 PM , Rating: 2
Good luck typing something like that into a touch-screen smartphone banking app while in line and needing to know some account/balance details. Most have two different pages for symbols and you have to switch between three different keyboards for each character!


RE: Password recommendations
By ultimatebob on 6/16/2011 9:11:24 PM , Rating: 5
Not to mention that even the best password is worthless if the boneheaded site operator is storing them in cleartext like Sony was.


RE: Password recommendations
By idiot77 on 6/16/2011 10:24:47 PM , Rating: 4
My favorite is VerizonWireless that changes my capitals to lower case, even though it verified it was upper when I put it in and matched. Some genius programming there.


RE: Password recommendations
By someguy123 on 6/16/2011 11:14:27 PM , Rating: 1
Seriously. Having this massive passwords will do nothing but make your logins a bit more annoying.

It takes an unbelievable amount of time to merely brute force passwords. These people aren't going around bruteforcing every website; they're finding exploits.


RE: Password recommendations
By SunTzu on 6/17/2011 6:03:52 AM , Rating: 2
No, it doesnt. They use rainbow tables to crack the encryption, they dont try to brute force the logins.


RE: Password recommendations
By Gamingphreek on 6/17/2011 7:41:31 AM , Rating: 3
Rainbow Tables are brute force. Instead of trying passwords and computing the hash, rainbow tables are a series of hashes. It eliminates turning Clear Text into Cypher Text for a speed up.


RE: Password recommendations
By nafhan on 6/17/2011 9:54:22 AM , Rating: 3
Brute force means they try every possible password (or a subset thereof). Rainbow tables are just a method of speeding up brute force attacks by pre-computing passwords and placing them in storage (i.e. trading CPU time for storage space).


RE: Password recommendations
By JasonMick (blog) on 6/17/2011 10:48:38 AM , Rating: 2
quote:
Brute force means they try every possible password (or a subset thereof). Rainbow tables are just a method of speeding up brute force attacks by pre-computing passwords and placing them in storage (i.e. trading CPU time for storage space).

True... I think the commenter was referring to the fact that hackers try to dump databases of usernames/passwords and then use brute force to reverse the encryption on the DUMPED contents, rather than to try to brute force (unencrypted) passwords via login attempts to an online interface (which would be ridiculously bandwidth limited)...

Technically their statement is correct, though the word was a bit confusing.


RE: Password recommendations
By SunTzu on 6/17/2011 4:32:18 PM , Rating: 2
That was precisely my point. The biggest problem isnt usually bandwidth, its that any system designed by someone who's not a 5 year old will limit the number of attempts over x time, which makes it unfeasible.


RE: Password recommendations
By SandmanWN on 6/17/2011 11:39:21 PM , Rating: 2
on the flipside, now they don't even have to try to break your account. a few bad entries and the bank system will suspend your account. one tiny script and the next day you and 10,000 of your fellow bankers will shut the bank down for them as you call-in an drop by en mass to figure out what why your account isn't working.


RE: Password recommendations
By The0ne on 6/17/2011 3:25:52 PM , Rating: 2
Pretty much, that's why key logger programs are so useful/dangerous. It doesn't take much to land a key logger into someone's computer.


RE: Password recommendations
By Depolarized on 6/20/2011 10:27:24 AM , Rating: 2
Regarding keyloggers, I'm scared enough of this I've started using an on-screen keyboard to enter crucial usernames & passwords (when I can remember).

I think my antivirus checks for keyloggers, but I don't trust it.


RE: Password recommendations
By bodar on 6/16/2011 10:19:45 PM , Rating: 2
Anyone who uses LastPass or KeePass.


RE: Password recommendations
By Ringold on 6/16/2011 10:35:43 PM , Rating: 2
I saw RyanVM below give a big vote for KeePass.

In this brave new world of internet insecurity, what do you guys that've used these programs recommend? I use a complex password but use it, with minor variations, a LOT, and its plain now to me the practice has to stop.


RE: Password recommendations
By nordicpc on 6/16/2011 11:00:47 PM , Rating: 3
We've recommended a text file that is stored on an encrypted volume, which is basically what those programs do. You can use TrueCrypt or BitLocker or whatever.

I've also heard that copying and pasting things can be safer, since you're not typing it in for a keylogger to grab, but I'd imagine those can view the clipboard too.

There has also been a study that a simple 5-word phrase is safer than most of these impossible-to-remember passwords, but we can't use those because they're either too long, or not complex enough. I think the whole thing needs to be revisited, and standardized.


RE: Password recommendations
By Targon on 6/17/2011 4:34:11 AM , Rating: 4
It would help if banks and many other places would filter access to servers based on location(IP block). I don't see much call to allow Internet access from Russia or China to just about ANYWHERE in the USA, except for select sites. Yes, attackers could use a compromised site or computer, but it would make it more difficult if places with virtually zero reason to access the site just wouldn't have access.


RE: Password recommendations
By NainoKami on 6/17/2011 5:49:12 AM , Rating: 2
So if you're from Russia or China you shouldn't be able to read an American website? Is that what you're saying?


RE: Password recommendations
By MrWho on 6/17/2011 9:53:56 AM , Rating: 4
No, but if I acess my bank account from my country only and not from abroad, it would be safe to say that any access to my bank account from a different country would be a hacking attempt, right?


RE: Password recommendations
By gmyx on 6/17/2011 2:27:00 PM , Rating: 2
quote:
No, but if I acess my bank account from my country only and not from abroad, it would be safe to say that any access to my bank account from a different country would be a hacking attempt, right?


What if you are traveling to another country? You need a better system than just blanket deny. Facebook for all its failings does this right.

I recently went to San Diego from Ottawa, Ontario. Facebook did not give me access to my account until I proved via an e-mail check that it was indeed me.


RE: Password recommendations
By MrWho on 6/17/2011 7:17:12 PM , Rating: 2
If you're a person that frequently travels abroad, you should be able to ask your bank to remove that limitation.

If you're not a frequent traveler but will go once in a while, you should be able to ask for it to be lifted for the duration of your stay abroad.

For the rest of us, it would be an added protection.


RE: Password recommendations
By kraeper on 6/17/2011 1:25:17 PM , Rating: 2
Easily defeated via proxy.


RE: Password recommendations
By nafhan on 6/17/2011 9:57:54 AM , Rating: 2
Another bonus these days is that some of these password encryption programs have mobile apps (Keepass for example). So, you can keep a copy of your encrypted passwords with you even when you're away from your PC.


RE: Password recommendations
By keegssj on 6/17/2011 8:49:56 AM , Rating: 2
Except when the site you are logging into doesn't accept long passwords:

Live Mesh: maybe they've fixed that by now?

UBI soft yesterday. I had a long password for my login there, but I've found out that it only works if you login from the web page - sigh.


RE: Password recommendations
By AnnihilatorX on 6/17/2011 4:00:05 AM , Rating: 2
I used to use for fun once the full acronym of DDR SD RAM
But it takes 15 seconds to type it so I gave up after few days lol.


RE: Password recommendations
By MIKEPM9 on 6/17/2011 5:08:13 AM , Rating: 2
I just created an account with DailyTech just so I could comment on this. The answer to your problem is LastPass, https://lastpass.com/

I used LastPass to create a password for this account that is unique to this account only, over 20 characters long, using alpha-numeric, upper & lower case, numbers and special characters! It's a PW that I will never remember, nor do I have to because LastPass remembers it for me. The only PW that you need to remember is the one to access LastPass.

I used to be like a lot of other users out there, ONE Username and ONE Password for EVERYTHING!
But now with so many sites being hacked, if they have your one U/N and PW, BANG BABY, they can into all of your other accounts!!! Don't delay, LastPass, it's FREE.

p.s. Use MultiFactor Authentication!


RE: Password recommendations
By banvetor on 6/17/2011 5:55:32 AM , Rating: 2
Unless, of course, they hack LastPass...


RE: Password recommendations
By dagamer34 on 6/17/2011 8:54:47 AM , Rating: 2
Which is why instead I use 1Password. Data is never stored on 1Password's website, just on your computers, but you can sync it via Dropbox. It's also encrypted with your master password, so it doesn't do them much good to steal your encrypted data (unless you've got governments on your back, I suppose).

I think it's a far better solution than something that just lives only in the cloud.


RE: Password recommendations
By aegisofrime on 6/17/2011 9:48:28 AM , Rating: 2
The way I do it is that I arrange my online accounts into tiers. My email and bank account are the highest priority, so they get unique difficult passwords. Throwaway sites and less important accouts get easier and repeated usage of passwords.


RE: Password recommendations
By mike8675309 on 6/17/2011 9:55:21 AM , Rating: 2
meh, let them hack LastPass. What would they get, a bunch of hashed tokens of zero value without the key?
Best hackers could hope for is some sort of man in the middle, but then all they get from the users is SHA-256 hashed tokens that don't unlock anything. Data sent back and forth from lastpass to the client is all AES-256 encrypted data that is decrypted and encrypted at the client side.

Could someone find a way to do it. Sure. Is it likely with todays tech? nope.


RE: Password recommendations
By Dr of crap on 6/17/2011 8:52:30 AM , Rating: 2
I do write them down.

I have an Excel file of all my sign ons. It's not possible to have so many ID and password combinations for all the logins you have and not have a list somewhere. And I reuse a some of them so that I can remember some of them without checking the list.

The ID, password setup needs to be fixed because stealing them will only get worse. I read that there is a better alternative, but can't remember what it was.


Why are you linking to the file and contributing
By SeeManRun on 6/16/2011 9:23:12 PM , Rating: 2
Why on earth is this article linking to the file and contributing to the problem? That is quite brutal!




By Manch on 6/16/2011 9:28:40 PM , Rating: 4
Maybe people want to check to see if they're on the list so they can change their passwords and delete their weiner pics?


By ShaolinSoccer on 6/17/2011 9:26:50 AM , Rating: 3
quote:
Why on earth is this article linking to the file and contributing to the problem?


It's not longer there. Does anyone know where we can see the list of names that were hacked? I don't wanna see the passwords. I just wanna see if anyone in my family is in the list.


By ShaolinSoccer on 6/17/2011 9:45:13 AM , Rating: 3
Nevermind. I found a website but if I were you, don't type in the whole email address. Just a partial name will work.

http://dazzlepod.com/lulzsec/


By tastyratz on 6/17/2011 1:01:01 PM , Rating: 2
THANK you. THAT is what we needed, not a list of passwords on dt!!
This needs to go in the main article pronto. The first thing I cared about was knowing if I was impacted by this. It should also say that there were many different providers. As I read on I was thinking... all att? hotmail?yahoo? etc. I never would have expected from everywhere.

Isn't this a little script kiddie for lulzsec though? They set the bar higher than a few days on rainbow tables I would think...


Brute Force? A web site?
By danobrega on 6/17/2011 9:11:44 AM , Rating: 1
Really, any brute force algorithm should not work on a web or any kind of remote site.

More than X failed consecutive logins to an account = blocked account.
More than Y failed logins by the same IP during Z seconds = blocked IP, for an amount of time.

Where X, Y and Z are small.

How the fuck are you going to brute force into that?




RE: Brute Force? A web site?
By jwf1776 on 6/17/2011 11:04:51 AM , Rating: 2
no kidding,

the article makes it sound like gmail was hacked. not that it can't be done, but if that is the case, the real story here is how it is possible to hack these websites with the security features like captcha and account lockout in place.

the article just pastes some jazz from the wikipedia entry on hacking and passwords, nevermind that there is nothing on ophcrack site about bruteforcing websites like gmail.

if the passwords were taken from the compromised 4chan bot-net computers then the attack wasn't necessarily from brute force, it could have just been a keylogger. in that case, it doesn't matter how long or complex the password is.


RE: Brute Force? A web site?
By borismkv on 6/17/2011 6:49:13 PM , Rating: 2
The brute force method he's talking about involves intercepting hash values and using Rainbow Tables to decrease the time needed to crack the hash and come up with an acceptable password. This is extremely difficult to do without using a Man-in-the-middle and a packet sniffer, and impossible to do if traffic is encrypted (unless you feel like waiting until the universe explodes to brute-force an AES cypher).


RE: Brute Force? A web site?
By SandmanWN on 6/17/2011 11:52:41 PM , Rating: 2
so now all they have to do is write a script on a botnet to enter a few junk passwords and move on to the next account. you could shut down every account on a site in no time.

wonder how well your bank would operate if this happened just one day and they had to reactivate every account. then for giggles its done the next day and the next day and the day after that. locking down peoples money as long as they wanted.

they'd be better off with strong passwords against a brute force attack.


err..ah
By just4U on 6/16/2011 8:16:12 PM , Rating: 2
off topic but god damn... I don't know if I should tell that kitty to shoo or give it a bellyrub.




RE: err..ah
By Ticholo on 6/17/2011 7:30:19 AM , Rating: 2
Close the notebook on it. That'll teach it not to spy on your passwords!


RE: err..ah
By MrBlastman on 6/17/2011 10:42:49 AM , Rating: 2
I'd have to give it a bellyrub. It's too cute not not.


Windows -> MD4 = not true
By Flunk on 6/17/2011 9:56:12 AM , Rating: 2
Windows Vista and newer use MD5 for password hashes. It's not great but it's not MD4 (l0phcrack made WinXP's security obsolete long ago).




RE: Windows -> MD4 = not true
By borismkv on 6/17/2011 11:55:04 AM , Rating: 2
Everything after Windows 2000 (AKA, using NTLMv2) uses an MD5 hash for passwords. It's just that the default settings caused the old MD4 LANMAN hash to be stored as well for backward compatibility with NT4. That can be turned off very easily in local policy. And this type of hacking can't be done without access to the Registry, which you can't get remotely without already having access to the system.


RE: Windows -> MD4 = not true
By Smilin on 6/21/2011 11:30:29 AM , Rating: 2
lophcrack worked against NTLM v1 which hasn't been used since the early service packs of the NT4 days.


KeePass
By RyanVM on 6/16/2011 8:38:48 PM , Rating: 3
KeePass makes generating and storing passwords a cinch. Highly recommended!
http://keepass.info/




By imaheadcase on 6/17/2011 3:51:57 AM , Rating: 2
Getting a password to a site might seem scary. But honestly if its a site like amazon.com or bank for example its easy to prove who YOU are without a password to recover the account and put things back to normal.

If you think about it, most people use throw-a-way passwords for most things. Making a password that is easy for you to remember is the same thing.

After all, like a nuke bomb, having a password does not mean you can launch it, other fail safes are in place.




Get it easy and strong.
By wsc on 6/18/2011 12:04:32 PM , Rating: 2
Even putting numbers in your password helps significantly.

whatialreadydoremember + 62531 (mother in law zip code) =

1) what6i2already5do3remember1. Then add some underscores:
2) what_6_i_2_already_5_do_3_remember_1. Then capitalize second letter:
3) wHat_6_i_aLready_5_dO_3_rEmember_1. Then put %!() after chosen word:
4) wHat_6_i_aLready%_5_dO_3_rEmember_1

Not that much work. And no rainbow tables for such schema (yet).

TC.




long passwords not practical
By LumbergTech on 6/18/2011 3:13:35 PM , Rating: 2
super long passwords are not practical..not to mention the zillions of accounts that people have now days...do you have any idea how many times a day the average internet user logs in? you really think they are going to type out these phrases over and over and over again just to login? no its not going to happen... ever maybe a few people will, but not many percentage wise




Use a passphrase!
By dcollins on 6/17/2011 11:35:48 AM , Rating: 1
Here's what I tell my users: use a simple phrase instead of a complicated password. Something as simple as "Cheese is Delicious, Man!" is more or less impossible to brute force, but yet is easy to remember and quick to type. Some website are stupid and don't allow spaces so you can use # or _ or - or what is available.

I do that for all my important passwords, protect my gmail with two step authentication and reuse the same shitty password for all sites I don't care about. I feel fairly confident in my security. Best of all, this strategy is easy enough to implement that non-technical people will actually do it.




"If you can find a PS3 anywhere in North America that's been on shelves for more than five minutes, I'll give you 1,200 bucks for it." -- SCEA President Jack Tretton











botimage
Copyright 2012 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki