Print 59 comment(s) - last by Smilin.. on Jun 21 at 11:30 AM

  (Source: icanhascheezburger)
Facebook, Gmail, and Twitter pages defaced as mob mentality rules

Today everyone's favorite (or least favorite, perhaps) cyberbanditsLulzSec, leaked 62,000 peoples' email addresses and passwords.

The listing, which can be found here in text file form, has lots of different users and passwords.  A few notes -- the passwords appear to be all 15 or less characters and don't include capital letters (the last entry seems a fluke).  

This could simply be a coincidence that speaks to peoples' password tendencies these days, or it could be a sign that LulzSec used brute force attacks to crack these passwords.  

Using an SSD-driven rainbow tables approach, a 14-character hashed password can be cracked in about 5 seconds; cracking 62,000 passwords would take approximately three and a half days, at most (probably less if you exclude capitals).  Of course that's for Windows passwords, which use MD4 hashing.  More secure sites likely use MD5 and SHA1, in addition to salting, and a high iteration account -- of course there's plenty of sites that are probably using MD4 with no salting or -- as the Sony hacks showed -- storing passwords as cleartext in web accessible databases.

Many users whose email addresses were hacked subsequently had their Twitter or Facebook accounts illegitimately accessed and defaced [source].  It appears that the internet equivalent of a mob is behind these attacks -- thousands of individuals have downloaded the file containing the passwords and begun to try to access peoples' accounts.

The Next Web has been promoting a tool to find if you've been hacked, stating, "We've promised we won't say who built it, but can absolutely 100% assure it wasn't LulzSec and there's no email harvesting going on."

That said, the widget -- originally hosted here -- is the work of an unknown developer, so entrusting it with your emails might not be wise.

As always you can maintain safety online by:

  1. Using one-time use accounts for your various online registrations (to avoid one account being compromised allowing others to be compromised).
  2. Use passphrases with numbers, capital letters, and preferably ASCII symbols.
  3. Make sure your passwords are over 20 characters long.
  4. Don't reuse passwords.
  5. Don't share passwords with anyone.
While the above may seem difficult, it will allow you to remain safe from cybercrime online, for the most part.


Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Brute Force? A web site?
By danobrega on 6/17/2011 9:11:44 AM , Rating: 1
Really, any brute force algorithm should not work on a web or any kind of remote site.

More than X failed consecutive logins to an account = blocked account.
More than Y failed logins by the same IP during Z seconds = blocked IP, for an amount of time.

Where X, Y and Z are small.

How the fuck are you going to brute force into that?

RE: Brute Force? A web site?
By jwf1776 on 6/17/2011 11:04:51 AM , Rating: 2
no kidding,

the article makes it sound like gmail was hacked. not that it can't be done, but if that is the case, the real story here is how it is possible to hack these websites with the security features like captcha and account lockout in place.

the article just pastes some jazz from the wikipedia entry on hacking and passwords, nevermind that there is nothing on ophcrack site about bruteforcing websites like gmail.

if the passwords were taken from the compromised 4chan bot-net computers then the attack wasn't necessarily from brute force, it could have just been a keylogger. in that case, it doesn't matter how long or complex the password is.

RE: Brute Force? A web site?
By borismkv on 6/17/2011 6:49:13 PM , Rating: 2
The brute force method he's talking about involves intercepting hash values and using Rainbow Tables to decrease the time needed to crack the hash and come up with an acceptable password. This is extremely difficult to do without using a Man-in-the-middle and a packet sniffer, and impossible to do if traffic is encrypted (unless you feel like waiting until the universe explodes to brute-force an AES cypher).

RE: Brute Force? A web site?
By SandmanWN on 6/17/2011 11:52:41 PM , Rating: 2
so now all they have to do is write a script on a botnet to enter a few junk passwords and move on to the next account. you could shut down every account on a site in no time.

wonder how well your bank would operate if this happened just one day and they had to reactivate every account. then for giggles its done the next day and the next day and the day after that. locking down peoples money as long as they wanted.

they'd be better off with strong passwords against a brute force attack.

"We can't expect users to use common sense. That would eliminate the need for all sorts of legislation, committees, oversight and lawyers." -- Christopher Jennings

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki