
  (Source: icanhascheezburger)
Facebook, Gmail, and Twitter pages defaced as mob mentality rules

Today everyone's favorite (or least favorite, perhaps) cyberbandits, LulzSec, leaked 62,000 people's email addresses and passwords.

The listing, which can be found here in text file form, has lots of different users and passwords. A few notes -- the passwords appear to be all 15 or fewer characters and don't include capital letters (the last entry seems a fluke).

This could simply be a coincidence that speaks to people's password tendencies these days, or it could be a sign that LulzSec used brute force attacks to crack these passwords.

Using an SSD-driven rainbow tables approach, a 14-character hashed password can be cracked in about 5 seconds; cracking 62,000 passwords would take approximately three and a half days, at most (probably less if you exclude capitals). Of course that's for Windows passwords, which use MD4 hashing. More secure sites likely use MD5 and SHA1, in addition to salting and a high iteration count -- of course there are plenty of sites that are probably using MD4 with no salting or -- as the Sony hacks showed -- storing passwords as cleartext in web accessible databases.
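To make the salting and iteration-count point concrete, here is an added example (not code from the article or from any site it mentions) that shows why a precomputed digest table works against unsalted hashes but not against per-user salted PBKDF2; the wordlist and the 200,000-iteration setting are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist for the demonstration; a real precomputed table
# would hold millions of entries, but the mechanics are identical.
WORDLIST = ["password", "letmein", "iloveyou", "qwerty123"]
ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def unsalted_md5(password: str) -> str:
    """Unsalted MD5 as weak sites store passwords: same input, same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute digest -> password once; reusable against every user
    because nothing user-specific goes into the digest."""
    return {unsalted_md5(w): w for w in words}


def reverse_unsalted(digest: str, table: Dict[str, str]) -> Optional[str]:
    """A single dictionary lookup recovers an unsalted password."""
    return table.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 via hashlib.pbkdf2_hmac. A fresh random
    salt per user makes every stored digest unique, so a table built ahead
    of time cannot be reused, and the iteration count makes each guess slow."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def table_hits_salted(table: Dict[str, str], digest: bytes) -> Optional[str]:
    """The precomputed MD5 table never matches a salted PBKDF2 digest."""
    return table.get(digest.hex())
```

The same password hashed twice with `hash_password` yields two different digests, which is exactly what defeats a table shared across users.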

Many users whose email addresses were hacked subsequently had their Twitter or Facebook accounts illegitimately accessed and defaced [source].  It appears that the internet equivalent of a mob is behind these attacks -- thousands of individuals have downloaded the file containing the passwords and begun to try to access peoples' accounts.

The Next Web has been promoting a tool to find if you've been hacked, stating, "We've promised we won't say who built it, but can absolutely 100% assure it wasn't LulzSec and there's no email harvesting going on."

That said, the widget -- originally hosted here -- is the work of an unknown developer, so entrusting it with your emails might not be wise.

As always you can maintain safety online by:

  1. Use one-time accounts for your various online registrations (so that one compromised account can't be used to compromise others).
  2. Use passphrases with numbers, capital letters, and preferably ASCII symbols.
  3. Make sure your passwords are over 20 characters long.
  4. Don't reuse passwords.
  5. Don't share passwords with anyone.
While the above may seem difficult, it will allow you to remain safe from cybercrime online, for the most part.



RE: Password recommendations
By bodar on 6/16/2011 10:19:45 PM , Rating: 2
Anyone who uses LastPass or KeePass.

RE: Password recommendations
By Ringold on 6/16/2011 10:35:43 PM , Rating: 2
I saw RyanVM below give a big vote for KeePass.

In this brave new world of internet insecurity, what do you guys that've used these programs recommend? I use a complex password but use it, with minor variations, a LOT, and it's plain now to me the practice has to stop.

RE: Password recommendations
By nordicpc on 6/16/2011 11:00:47 PM , Rating: 3
We've recommended a text file that is stored on an encrypted volume, which is basically what those programs do. You can use TrueCrypt or BitLocker or whatever.

I've also heard that copying and pasting things can be safer, since you're not typing it in for a keylogger to grab, but I'd imagine those can view the clipboard too.

There has also been a study that a simple 5-word phrase is safer than most of these impossible-to-remember passwords, but we can't use those because they're either too long, or not complex enough. I think the whole thing needs to be revisited, and standardized.

RE: Password recommendations
By Targon on 6/17/2011 4:34:11 AM , Rating: 4
It would help if banks and many other places would filter access to servers based on location (IP block). I don't see much call to allow Internet access from Russia or China to just about ANYWHERE in the USA, except for select sites. Yes, attackers could use a compromised site or computer, but it would make it more difficult if places with virtually zero reason to access the site just wouldn't have access.

RE: Password recommendations
By NainoKami on 6/17/2011 5:49:12 AM , Rating: 2
So if you're from Russia or China you shouldn't be able to read an American website? Is that what you're saying?

RE: Password recommendations
By MrWho on 6/17/2011 9:53:56 AM , Rating: 4
No, but if I access my bank account from my country only and not from abroad, it would be safe to say that any access to my bank account from a different country would be a hacking attempt, right?

RE: Password recommendations
By gmyx on 6/17/2011 2:27:00 PM , Rating: 2
No, but if I access my bank account from my country only and not from abroad, it would be safe to say that any access to my bank account from a different country would be a hacking attempt, right?

What if you are traveling to another country? You need a better system than just blanket deny. Facebook for all its failings does this right.

I recently went to San Diego from Ottawa, Ontario. Facebook did not give me access to my account until I proved via an e-mail check that it was indeed me.

RE: Password recommendations
By MrWho on 6/17/2011 7:17:12 PM , Rating: 2
If you're a person that frequently travels abroad, you should be able to ask your bank to remove that limitation.

If you're not a frequent traveler but will go once in a while, you should be able to ask for it to be lifted for the duration of your stay abroad.

For the rest of us, it would be an added protection.
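The two approaches in this thread (a hard geo-lock that a traveler can ask to have lifted, versus the step-up e-mail check gmyx describes) can be modelled together; this is an added illustration, not code from any bank or from Facebook, and the account fields and decision names are assumptions for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set


@dataclass
class Account:
    home_country: str                     # ISO country code, e.g. "CA"
    seen_countries: Set[str] = field(default_factory=set)
    geo_lock: bool = True                 # opt-in hard lock (MrWho's proposal)
    travel_until: Optional[datetime] = None  # temporary lift for a trip


def login_decision(acct: Account, country: str, now: datetime) -> str:
    """Classify a login by the country of its source address.

    Returns 'allow'  for the home country or one already confirmed,
            'verify' to require an out-of-band check (e-mail) before access,
            'deny'   when the account holds a hard geo-lock and no travel
                     window is open.
    Note the thread's own caveat: a proxy in an allowed country bypasses
    the country check, so this is a risk signal, not authentication.
    """
    if country == acct.home_country or country in acct.seen_countries:
        return "allow"
    travel_window_open = (acct.travel_until is not None
                          and now <= acct.travel_until)
    if acct.geo_lock and not travel_window_open:
        return "deny"
    return "verify"


def confirm_verification(acct: Account, country: str) -> None:
    """Called once the e-mail check succeeds: remember the new country."""
    acct.seen_countries.add(country)


def open_travel_window(acct: Account, now: datetime, days: int) -> None:
    """Lift the hard lock for the duration of a trip, as MrWho suggests."""
    acct.travel_until = now + timedelta(days=days)
```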

RE: Password recommendations
By kraeper on 6/17/2011 1:25:17 PM , Rating: 2
Easily defeated via proxy.

RE: Password recommendations
By nafhan on 6/17/2011 9:57:54 AM , Rating: 2
Another bonus these days is that some of these password encryption programs have mobile apps (Keepass for example). So, you can keep a copy of your encrypted passwords with you even when you're away from your PC.

RE: Password recommendations
By keegssj on 6/17/2011 8:49:56 AM , Rating: 2
Except when the site you are logging into doesn't accept long passwords:

Live Mesh: maybe they've fixed that by now?

Ubisoft yesterday. I had a long password for my login there, but I've found out that it only works if you log in from the web page - sigh.
