Two Million Passwords Compromised By Keylogger Virus
Ocean Consulting writes "CNN is reporting that over two million passwords from web service companies such as Google, Facebook, Twitter and Yahoo have been captured via a key logging virus. The story is based on information released by security firm Trustwave. The report critiques how bad people are at making secure passwords, but does mention the use of Pony Botnet Controller."
Surprise! Facebook is already selling your info and the NSA is watching them do it. No real reason not to make your password 1234
The bad news is that 2 million passwords have been compromised.
The good news is that they're all "123456".
Have you read my blog lately?
I'm not bad at making up secure passwords, I'm just bad at remembering them.
"If any question why we died, Tell them because our fathers lied."
That's the sort of thing some idiot would put on his luggage!
The data says that the 10th password in the list was used by 1000 users out of two million. The top ten, combined, accounts for 36,000 (eyeballed) of the two million passwords. That doesn't seem like an epidemic to me. A bit less than 2% - that is actually, IMO, quite good. Two percent of internet users are bad at understanding security? Wow.
The keylogger is a bigger problem - so long as I type in my passwords, the keylogger can always find out what I am doing! I could have a 20 character really secure password, to no effect. Hell, things in real life are much worse. My pin is 4 digits long, banks identify me by the last four digits of my SSN (which, quite helpfully, they send out in the mail they send me). Maybe it is time to stop bashing people for choosing insecure passwords, and try to fix the systemic problems?
... Chinese and Taiwan Keyboards have a logger built in in hardware, storing all key presses in a kind of flash. And they simply collect old keyboards on the way to the garbage deposits.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
I don't see what protection a secure password offers against a keylogger.
As far as we know, this thing happens all the time, and more than likely, these PCs that are infected, are infected by more than one key-logger. Update your antivirus is a moot point, because unless the 'virus' is known, then the antivirus folks cannot do anything about it anyway. By the time these things are found out, it's far too late anyway. There is no advice that can be given here, except, "Don't get a virus", which is silly to tell someone.
Politics; n. : A religion whereby man is god.
What security hole is the virus making use of? Is there something an end user should look out for? etc, etc?
Good thing I almost never key-in my passwords.
I copy them straight off of strongpasswordgenerator.com, and paste them into my password fields.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Adobe password breach was about 40-100 million passwords, a lot reused in other services. But the method was different, instead of hacking into a single server with a very bad password policy, this went right to the desktops of people in that botnet. So no matter how safe you were using your password or picking a complex one, if your desktop security is not good enough (and there are a lot of cases of widespread malware avoiding antivirus detection for years) your carefully built password policy could be defeated at the moment of using them.
About common passwords used, is almost predictable to find them having millions of passwords, but the strength of the password is not the problem here.
I'm looking for more technical information on this virus. Is there a collection of different key logging software all sending the passwords to the same proxy server? How does someone get infected by this virus? How about the IP addresses of the proxy servers so people can at least look for traffic from their firewalls?
This article seems kind of useless other than to scare people into purchasing some protection, which conveniently the company writing the article sells!
Since they haven't published the impacted usernames yet, if one of you has access to the database, could you see if my password is in it?
D0uble!!8R3view
T.I.A.
"...captured via a key logging virus....."
".. The report critiques how bad people are at making secure passwords..."
submission retarded.
So should we set up a separate email address at google for each vendor account we create? I mean, half the time I cannot remember the password and ask for the password reset link anyway.
Of late my bank has been on a new drive to irritate all customers under the guise of protecting our security. On top of the ever so secure four number PIN, and the usual login password, and the three digit CVV number (which I assume anyone stealing credit card info will also collect).
They now have two very secure additions to their arsenal:
1) Once you have logged in, and you wish to add another company to the list of those to whom you can send money - bill payments - you must also type in a five digit security code. A code that is different from your PIN, or any other log-in.
Of course because you only use this about once a year you will have forgotten it, so you need to generate a new one. While still logged in. With no further authentication.
Yes, adding a payee to the list requires you to enter a number that you created five seconds previously. Wow. I feel so safe.
2) Authentication Questions: the ever popular list of ten questions about things that you did thirty-five years ago, or where there could be multiple possible answers. Where did you meet your spouse? (Which one?) What was the name of your childhood pet? (Again, which one?) What was your favourite TV show at age 13? (Damned if I know.) What was the Zip Code of your Grade Three elementary school?
In other words, my money is secured through the use of a list of questions that any of my Facebook followers could find in about five minutes. Assuming that I ever put anything truthful on Facebook.
The basic problem is that the whole password concept stopped being an effective protection years ago, and no-one has come up with a really good way to replace it. So instead we get corporations forcing people to jump through meaningless hoops in the hopes that we won't notice.
Or worse, encouraging us to use one corporation's log-in across multiple platforms - thus ensuring that one security breach will open many doors to your on-line affairs. Seriously, does anyone think that using Facebook to log in elsewhere is a good idea?
Three Squirrels
The joke is on you, NSA. Besides, his last "trip" involved taking four tabs of acid.
. . .I just went to keyboard patterns. Now I can paint the Last Supper on the keyboard, and log in, within a five minute span.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
I didn't realize the Chinese spy rooting around in your garbage was homeless.
If keyboards did store text "in a kind of flash" it should be trivial to retrieve the contents. The chip or even die (black blob seen on pcbs) needs access to the outside world somehow. It would need a bus of some sort like SPI, JTAG, or even 1Wire. I guess you could get creative and do something with RFID or near field but again any good lab should find that in no time.
Only the State obtains its revenue by coercion. - Murray Rothbard
My old password was automatically generated and not used on any other site, and I generated a new password also not used on any other site.
This space left intentionally blank.
Ask any slashdotter and they will tell you that you do not need AV software! All 100% of all malware is only caused by clicking and installing things.
So feel free to continue writing posts with they can have XP OVER MY COLD DEAD HANDS with just a scanner and no protection and keep java and flash unupdated on your system.
You will be just fine.
http://saveie6.com/
How many were: password, wordpass, password123, 12345 or 00000000?
I want to delete my account but Slashdot doesn't allow it.
On your comment about "assuming I ever put anything truthful on Facebook..."
Yes, if anyone asks for stuff that isn't their business, give them misinformation. If there's a lot of misinformation out there about you, it'll make it harder for an identity thief to have an accurate file.
What the Government should do is create a whole SLEW of false identities, make them "available", watch them, trace who is trying to use them, and arrest and prosecute them. If a good fraction of identities that people are able to snarf out there are these honey pots, we'll soon cut down severely on that crime.
--PM
I just have trouble finding the people whom they belong to.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
Not trolling here...I know this is the most common criticism: "Your password is only X characters long / doesn't have enough case diversity / has no special characters / contains dictionary words", etc.
But -- in general, someone either has your password because they stole it (in which case it really doesn't matter what the password is), or they don't, in which case they have to guess or brute-force it on the website.
Most sites won't give you more than a handful of attempts at logging in before they lock you out and force two-step authentication by making you change your password via an email/text or by asking security questions. And even if they somehow didn't, every failed attempt on a live website takes time; realistically, trying more than a few combinations isn't really worth the trouble in the vast majority of cases.
So, in the realm of security considerations, why is a "secure" password considered so critical? It seems to me that, practically speaking, someone guessing your password is about the LEAST likely way to get compromised. What am I missing here?
If passwords are stolen via key loggers and break-ins into online sites anyway, why should people even bother picking secure passwords?
The strong password helps protect people when it is only hashed and not salted. So if the site you use hashes the password but doesn't salt it, then your weak password would be broken more easily than a strong password. This assumes that the hackers somehow were able to access the username password database and would then employ brute force against that.
Also, a long term brute force attack against an account with a weak password would eventually succeed in less time than one with a strong password, although this does seem impractical.
Even salted passwords can be cracked easily if they're not strong enough. It takes a little more time, but for passwords like "123456" it will take just a few microseconds, if that.
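The point the two comments above make about unsalted versus salted hashes can be checked on a site's own password table. This is an added example, not code from the thread or from the Trustwave report; the account names, the strong password, the guess list and the use of plain SHA-256 are all constructed for illustration.

```python
import hashlib
import os

# Constructed sample accounts; two of them share the weak password "123456".
ACCOUNTS = {"alice": "123456", "bob": "123456", "carol": "tr4in-Kettle-09-moss"}
# Constructed guess list standing in for a common-password dictionary.
GUESSES = ["password", "12345", "123456", "00000000"]


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unsalted_store(accounts):
    """user -> sha256(password): equal passwords give equal digests."""
    return {u: h(p.encode()) for u, p in accounts.items()}


def salted_store(accounts):
    """user -> (salt, sha256(salt + password)), random 16-byte salt per user."""
    store = {}
    for u, p in accounts.items():
        salt = os.urandom(16)
        store[u] = (salt, h(salt + p.encode()))
    return store


def audit_unsalted(store, guesses):
    """Hash each guess once, then look it up for every user at the same time."""
    table = {h(g.encode()): g for g in guesses}
    weak = {u: table[d] for u, d in store.items() if d in table}
    return weak, len(guesses)  # second value: hash operations spent


def audit_salted(store, guesses):
    """Every guess must be re-hashed per user because each salt differs."""
    weak, ops = {}, 0
    for u, (salt, digest) in store.items():
        for g in guesses:
            ops += 1
            if h(salt + g.encode()) == digest:
                weak[u] = g
                break
    return weak, ops
```

Salting removes the shared-digest leak and makes the work scale with the number of accounts, but "123456" is still found in three hashes per user. A deliberately slow function such as PBKDF2, bcrypt, scrypt or Argon2 is what raises the cost of each guess.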
Good idea! For example:
When you are talking about using a key logger to steal passwords, there is no such thing as a good password. To use this story as a launch pad to attack weak passwords is silly.
Add this thing's C&C Servers to hosts like so, blocking them:
0.0.0.0 esco.myjino.ru
0.0.0.0 myjino.ru
0.0.0.0 s020.radikal.ru
0.0.0.0 i016.radikal.ru
0.0.0.0 radikal.ru
SOURCE -> http://malware.dontneedcoffee.com/2013/10/jolly-roger-stealer-c-panel.html
(Which is pointed to from the source article for this news on /. today...)
IF they add anymore, keep your eyes peeled for security articles regarding that - MOST (good ones that is) post the C&C Servers etc. to block this way!
APK
P.S.=> Enjoy - since what you can't touch, can't touch you... apk
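A hosts file matches exact hostnames only, so an entry for `radikal.ru` does nothing for a sibling such as `s021.radikal.ru`. The added example below (not part of the comment above or of the linked article) checks a DNS query log against the hostnames that comment lists and marks which hits the hosts entries would have covered; the dnsmasq-style log lines, client addresses and function names are constructed.

```python
import re

# Hostnames exactly as listed in the comment above.
LISTED = {"esco.myjino.ru", "myjino.ru", "s020.radikal.ru",
          "i016.radikal.ru", "radikal.ru"}

# Constructed dnsmasq-style query log (hypothetical clients and timestamps).
SAMPLE_LOG = """\
Dec  5 10:01:12 dnsmasq[812]: query[A] www.example.org from 192.0.2.10
Dec  5 10:01:15 dnsmasq[812]: query[A] s020.radikal.ru from 192.0.2.23
Dec  5 10:02:40 dnsmasq[812]: query[A] s021.radikal.ru from 192.0.2.23
Dec  5 10:03:02 dnsmasq[812]: query[AAAA] notradikal.ru from 192.0.2.10
Dec  5 10:04:19 dnsmasq[812]: query[A] ESCO.MYJINO.RU. from 192.0.2.31
"""

QUERY = re.compile(r"query\[[A-Z]+\] (\S+) from (\S+)")


def classify(name):
    """'exact' if a hosts entry would match, 'subdomain' if only a
    suffix of the name is listed (hosts file would miss it), else None."""
    name = name.lower().rstrip(".")
    if name in LISTED:
        return "exact"
    # Require a label boundary so notradikal.ru does not match radikal.ru.
    if any(name.endswith("." + d) for d in LISTED):
        return "subdomain"
    return None


def scan(log_text):
    """Return (client, queried name, match kind) for every listed lookup."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if not m:
            continue
        name, client = m.group(1).lower().rstrip("."), m.group(2)
        kind = classify(name)
        if kind:
            hits.append((client, name, kind))
    return hits


if __name__ == "__main__":
    for client, name, kind in scan(SAMPLE_LOG):
        print(f"{client:15} {name:20} {kind}")
```

A client that shows up here after the hosts entries were deployed is still attempting the lookups, which is the signal to investigate that machine rather than rely on the block.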