Two Million Passwords Compromised By Keylogger Virus
Ocean Consulting writes "CNN is reporting that over two million passwords from web service companies such as Google, Facebook, Twitter and Yahoo have been captured via a key logging virus. The story is based on information released by security firm Trustwave. The report critiques how bad people are at making secure passwords, but does mention the use of Pony Botnet Controller."
Surprise! Facebook is already selling your info and the NSA is watching them do it. No real reason not to make your password 1234
The bad news is that 2 million passwords have been compromised.
The good news is that they're all "123456".
Have you read my blog lately?
I'm not bad at making up secure passwords, I'm just bad at remembering them.
"If any question why we died, Tell them because our fathers lied."
That's the sort of thing some idiot would put on his luggage!
The data says that the 10th password in the list was used by 1000 users out of two million. The top ten, combined, accounts for 36,000 (eyeballed) of the two million passwords. That doesn't seem like an epidemic to me. A bit less than 2% - that is actually, IMO, quite good. Two percent of internet users are bad at understanding security? Wow.
The keylogger is a bigger problem - so long as I type in my passwords, the keylogger can always find out what I am doing! I could have a 20 character really secure password, to no effect. Hell, things in real life are much worse. My pin is 4 digits long, banks identify me by the last four digits of my SSN (which, quite helpfully, they send out in the mail they send me). Maybe it is time to stop bashing people for choosing insecure passwords, and try to fix the systemic problems?
... Chinese and Taiwanese keyboards have a logger built in in hardware, storing all key presses in a kind of flash. And they simply collect old keyboards on the way to the garbage deposits.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
As far as we know, this thing happens all the time, and more than likely, these PCs that are infected are infected by more than one key-logger. "Update your antivirus" is a moot point, because unless the 'virus' is known, the antivirus folks cannot do anything about it anyway. By the time these things are found out, it's far too late anyway. There is no advice that can be given here, except "Don't get a virus", which is silly to tell someone.
Politics; n. : A religion whereby man is god.
What security hole is the virus making use of? Is there something an end user should look out for? etc, etc?
Good thing I almost never key-in my passwords.
I copy them straight off of strongpasswordgenerator.com, and paste them into my password fields.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
The Adobe password breach was about 40-100 million passwords, a lot reused in other services. But the method was different: instead of hacking into a single server with a very bad password policy, this went right to the desktops of people in that botnet. So no matter how safe you were using your password or picking a complex one, if your desktop security is not good enough (and there are a lot of cases of widespread malware avoiding antivirus detection for years) your carefully built password policy could be defeated at the moment of using them.
About the common passwords used, it is almost predictable to find them when you have millions of passwords, but the strength of the password is not the problem here.
I'm looking for more technical information on this virus. Is there a collection of different key logging software all sending the passwords to the same proxy server? How does someone get infected by this virus? How about the IP addresses of the proxy servers so people can at least look for traffic from their firewalls?
This article seems kind of useless other than to scare people into purchasing some protection, which conveniently the company writing the article sells!
A "secure" password does nothing to mitigate keyloggers. The only thing that does is two factor.
I think the comments regarding the password strength were general, and basically the usual Slashdot topic drift.
IMO it's way past time for two factor everywhere. Federating logins makes that much more feasible.
Since they haven't published the impacted usernames yet, if one of you has access to the database, could you see if my password is in it?
D0uble!!8R3view
T.I.A.
With your own domain and software like KeePassX, it's surprisingly easy. You never even have to type passwords or usernames. Once you get it set up it's actually even easier than using the same password everywhere, and vastly more safe.
Of late my bank has been on a new drive to irritate all customers under the guise of protecting our security. On top the ever so secure four number PIN, and the usual login password, and the three digit CVV number (which I assume anyone stealing credit card info will also collect).
They now have two very secure additions to their arsenal:
1) Once you have logged in, and you wish to add another company to the list of those to whom you can send money - bill payments - you must also type in a five digit security code. A code that is different from your PIN, or any other log-in.
Of course because you only use this about once a year you will have forgotten it, so you need to generate a new one. While still logged in. With no further authentication.
Yes, adding a payee to the list requires you to enter a number that you created five seconds previously. Wow. I feel so safe.
2) Authentication Questions: the ever popular list of ten questions about things that you did thirty-five years ago, or where there could be multiple possible answers. Where did you meet your spouse? (Which one?) What was the name of your childhood pet? (Again, which one?) What was your favourite TV show at age 13? (Damned if I know.) What was the Zip Code of your Grade Three elementary school?
In other words, my money is secured through the use of a list of questions that any of my Facebook followers could find in about five minutes. Assuming that I ever put anything truthful on Facebook.
The basic problem is that the whole password concept stopped being an effective protection years ago, and no-one has come up with a really good way to replace it. So instead we get corporations forcing people to jump through meaningless hoops in the hopes that we won't notice.
Or worse, encouraging us to use one corporation's log-in across multiple platforms - thus ensuring that one security breach will open many doors to your on-line affairs. Seriously, does anyone think that using Facebook to log in elsewhere is a good idea?
Three Squirrels
. . .I just went to keyboard patterns. Now I can paint the Last Supper on the keyboard, and log in, within a five minute span.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Google and Facebook offer simple two-factor that works with any cellphone capable of SMS. Facebook also has a keygen built into their smartphone app. I wish everyone did this.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
I am just wishing for all access to my accounts from eastern Europe to be blocked. If Netflix can do it, why can't my bank?
If keyboards did store text "in a kind of flash" it should be trivial to retrieve the contents. The chip or even die (black blob seen on pcbs) needs access to the outside world somehow. It would need a bus of some sort like SPI, JTAG, or even 1Wire. I guess you could get creative and do something with RFID or near field but again any good lab should find that in no time.
Only the State obtains its revenue by coercion. - Murray Rothbard
My old password was automatically generated and not used on any other site, and I generated a new password also not used on any other site.
This space left intentionally blank.
> Google and Facebook offer simple two-factor that works with any cellphone capable of SMS. Facebook also has a keygen built into their smartphone app. I wish everyone did this.
I don't. Most of all because not everyone has a mobile phone with SMS subscription. But also because coverage is rather spotty. I work in a building that's shielded. No cell phone service at all. And large areas outside the cities and suburbs have truly bad-to-non-existing coverage.
Even if the majority of people can use it, it would cut off a lot of people who can't.
> should we setup a separate email address at google for each vendor account we create?
You don't already use an alias? username+vendor@gmail.com
Surprising how many scripts tell you that this is not a valid email address.
> Google and Facebook offer simple two-factor that works with any cellphone capable of SMS. Facebook also has a keygen built into their smartphone app. I wish everyone did this.
My 2FA from Google stopped working a few months ago, so I had to turn it off. I don't know why, but I no longer got SMS messages when I asked them to authorize something. Annoying.
The subject who is truly loyal to the Chief Magistrate will neither advise nor submit to arbitrary measures (Junius)
The keygen would still work, plus Google will let you print out one-time use codes that you can keep in your wallet. I have had to use those before. Google will also let you set up a phone number that it will ring with the code - and naturally your desk phone at work sounds like a pretty good candidate.
Ask any slashdotter and they will tell you that you do not need AV software! All 100% of all malware is only caused by clicking and installing things.
So feel free to continue writing posts with they can have XP OVER MY COLD DEAD HANDS with just a scanner and no protection and keep java and flash unupdated on your system.
You will be just fine.
http://saveie6.com/
How many were: password, wordpass, password123, 12345 or 00000000?
I want to delete my account but Slashdot doesn't allow it.
On your comment about "assuming I ever put anything truthful on Facebook..."
Yes, if anyone asks for stuff that isn't their business, give them misinformation. If there's a lot of misinformation out there about you, it'll make it harder for an identity thief to have an accurate file.
What the Government should do is create a whole SLEW of false identities, make them "available", watch them, trace who is trying to use them, and arrest and prosecute them. If a good fraction of identities that people are able to snarf out there are these honey pots, we'll soon cut down severely on that crime.
--PM
And what's more likely: a hacker gains access to my email and bank account, or a hacker bypasses the bank's "security" entirely and has access to EVERYONE'S bank account?
Well, based on the torrents of spam that I get from friends and relatives hijacked accounts, I'd say pretty darned likely.
I just have trouble finding the people whom they belong to.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
Besides, his last "trip" involved taking four tabs of acid
Nothing strange about that - people going to be out of the local reality set that damned long should definitely pack for the journey. I recommend an original era Steve Ditko Doctor Strange comic, and an autograph book just in case they see Leonard Nimoy or John Nobel.
Who is John Cabal?
So - just one email account password to crack - right? Discard everything to the right of the + symbol in the user portion of your address, and we're done. Brilliant solution you've got there... I hope the world adopts it. I'm rather tired of earning legitimate income - I'd like to use yours.
I know. I once used 1Password and good passwords, but it didn't work with Opera and all OSes. KeePass is more transferable, but I feel I want to be able to access it from everywhere, and I also want to have access to passwords for things not web-related.
The first solution I had was passwords in a gpg-encrypted local text file but I stopped using that when I stopped using the drive which held both the file and the gpg key.
Not trolling here...I know this is the most common criticism: "Your password is only X characters long / doesn't have enough case diversity / has no special characters / contains dictionary words", etc.
But -- in general, someone either has your password because they stole it (in which case it really doesn't matter what the password is), or they don't, in which case they have to guess or brute-force it on the website.
Most sites won't give you more than a handful of attempts at logging in before they lock you out and force two-step authentication by making you change your password via an email/text or by asking security questions. And even if they somehow didn't, every failed attempt on a live website takes time; realistically, trying more than a few combinations isn't really worth the trouble in the vast majority of cases.
So, in the realm of security considerations, why is a "secure" password considered so critical? It seems to me that, practically speaking, someone guessing your password is about the LEAST likely way to get compromised. What am I missing here?
If passwords are stolen via key loggers and break-ins into online sites anyway, why should people even bother picking secure passwords?
The strong password helps protect people when it is only hashed and not salted. So if the site you use hashes the password but doesn't salt it, then your weak password would be broken more easily than a strong password. This assumes that the hackers somehow were able to access the username password database and would then employ brute force against that.
Also, a long term brute force attack against an account with a weak password would eventually succeed in less time than one with a strong password, although this does seem impractical.
I guess the point is that by using some unified login platform you don't give any password at all to the service providers you're using, just a token. so no, you don't need to create a new email account for every service unless you're worried about spam they might send in which case use an email alias(though probably half of the services that want to spam you are going to filter the +alias on gmail anyways soon enough... hotmail allows normal alias creation up to a certain number).
besides though, can you sign up to any service apart from email services without an email confirmation nowadays?
(look it up how it works if you have no clue yet).
world was created 5 seconds before this post as it is.
And you could turn it off without using 2FA?! Seriously?!
Even salted passwords can be cracked easily if they're not strong enough. It takes a little more time, but for passwords like "123456" it will take just a few microseconds, if that.
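The three comments above (strong passwords help when the site's hash table leaks; salting stops precomputed tables but not a wordlist attack on "123456") can be seen in a few lines of code. This is an added illustration, not from the thread or from Trustwave's report; the wordlist and the fixed salt are constructed for the demo. It uses plain SHA-256 so that the mechanics are visible; a real site would use a slow, salted KDF such as bcrypt, scrypt or Argon2, which raises the per-guess cost but, as the numbers below show, does nothing for a password that is the first entry in every wordlist.

```python
import hashlib

# Constructed stand-in for a cracking wordlist (example data, not from the thread)
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou"]

# Constructed fixed salt so the demonstration is deterministic; real salts are random per user
DEMO_SALT = bytes(range(16))


def hash_unsalted(password: str) -> str:
    """Hash as a site that stores a bare SHA-256 of the password would."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Hash as a site that prepends a per-user salt would."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(words):
    """Precomputed hash -> plaintext table. Only useful against unsalted storage,
    because the same plaintext then hashes identically for every user and site."""
    return {hash_unsalted(w): w for w in words}


def crack_unsalted(stored_hash: str, table: dict) -> tuple:
    """One dictionary lookup, no hashing at attack time.
    Returns (plaintext_or_None, guesses_hashed)."""
    return table.get(stored_hash), 0


def crack_salted(stored_hash: str, salt: bytes, words) -> tuple:
    """The salt invalidates the precomputed table, so each candidate is rehashed for this user.
    Returns (plaintext_or_None, guesses_hashed). A weak password still falls after a few guesses."""
    for n, w in enumerate(words, start=1):
        if hash_salted(w, salt) == stored_hash:
            return w, n
    return None, len(words)


def demo():
    table = build_lookup_table(WORDLIST)
    results = {}
    # Weak password, unsalted: instant lookup-table hit, zero hashes computed
    results["weak_unsalted"] = crack_unsalted(hash_unsalted("123456"), table)
    # Weak password, salted: the table misses, but the first wordlist guess wins
    results["weak_salted_table"] = crack_unsalted(hash_salted("123456", DEMO_SALT), table)
    results["weak_salted"] = crack_salted(hash_salted("123456", DEMO_SALT), DEMO_SALT, WORDLIST)
    # Strong password (not in any wordlist): the attacker exhausts the list with nothing to show
    strong = "correct-horse-xKq9!battery"
    results["strong_salted"] = crack_salted(hash_salted(strong, DEMO_SALT), DEMO_SALT, WORDLIST)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Reading the output: the salt turns a free table lookup into one hash per guess per user, which is what it is for; whether that matters depends entirely on how many guesses the attacker needs, and for a top-ten password that number is single digits. None of this helps once a keylogger has the plaintext, which is the thread's main point.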
Log on, get your key texted to you, then walk outside to get the message :P. Not really any different than when google asks you to reauthenticate and your phone is downstairs or in the car or not charged.
that's why you use username-vendor@yourowndomain.com. works everywhere.
Good idea! For example:
I do ... obviously. It's a great trick, and it helps track spam sources too.
- Michael T. Babcock (Yes, I blog)
i set my FB acct to require 2FA if it's accessed from an "unfamiliar" device. Yes, I need to be carrying my phone to make that work, but the two conditions, novel device and carrying cell phone, DO correlate for me. I think it's worth the cost of a txt message since I wind up with a record [also event notification emails] of any attempt to break in to my account
now if I just had any social life or was someone interesting enough to be spied upon, this would all be justified and useful.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
If you *never* have to enter passwords (not even a master password to unlock the store?), I would be very suspicious of this tool's security.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
Like hell I want to give facebook my phone number.
Or vagina--er, I mean, Google.
> Log on, get your key texted to you, then walk outside to get the message :P. Not really any different than when google asks you to reauthenticate and your phone is downstairs or in the car or not charged.
Way different. Because Google has never asked me to reauthenticate. Google doesn't know my phone number, or even whether I have a phone. If you have given that information to Google, that's your problem, not mine.
Neither has called me on my cell phone, nor have I seen an increase in solicitation or scam calls.
Doesn't help you now (probably), but 1Password works with Opera on OS X now, and they're working on Windows Opera support. There's also an Android version coming soon-ish.
If you can't convince them, convict them.
> should we setup a separate email address at google for each vendor account we create?
> You don't already use an alias? username+vendor@gmail.com
> Surprising how many scripts tell you that this is not a valid email address.
Seriously!! I keep thinking I should set up a "shame" website to list sites that do stupid validation like this. There must be loads of devs using the same borked regex and it pisses me off no end!
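The "borked regex" complaint above, and the earlier reply pointing out that anyone can discard what follows the +, can both be shown concretely. The following is an added example, not code from any site or from the thread: `BROKEN_EMAIL_RE` is a representative overly strict pattern of the kind that rejects plus-addressing (constructed here, not taken from a real project), `OK_EMAIL_RE` is a looser shape check that admits the characters RFC 5322 allows in an unquoted local part, and `canonical_mailbox` does the trivial + stripping that makes an alias a spam-tracking device rather than a security boundary.

```python
import re

# Constructed example of an over-strict sign-up-form pattern: only letters, digits, dot,
# underscore and hyphen are allowed in the local part, so "username+vendor@gmail.com"
# is reported as "not a valid email address".
BROKEN_EMAIL_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Looser shape check: accepts the characters RFC 5322 permits in an unquoted local part,
# including '+'. Deliberately not a full parser; the confirmation mail is what proves an
# address actually works.
OK_EMAIL_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$"
)


def is_valid_broken(addr: str) -> bool:
    """Verdict of the over-strict validator."""
    return BROKEN_EMAIL_RE.fullmatch(addr) is not None


def is_valid(addr: str) -> bool:
    """Verdict of the plus-address-friendly validator."""
    return OK_EMAIL_RE.fullmatch(addr) is not None


def canonical_mailbox(addr: str) -> str:
    """Strip the '+tag' subaddress and lower-case the domain.
    Anyone (a spammer, or whoever leaks the list) can do this in one line, which is why
    an alias tells you who leaked your address but is not a second credential."""
    local, _, domain = addr.rpartition("@")
    base = local.split("+", 1)[0]
    return f"{base}@{domain.lower()}"


def check_forms(addresses):
    """Compare both validators over a list: {addr: (broken_verdict, ok_verdict)}."""
    return {a: (is_valid_broken(a), is_valid(a)) for a in addresses}


if __name__ == "__main__":
    # Constructed sample inputs
    for addr, verdicts in check_forms(
        ["user@example.com", "username+vendor@gmail.com", "not an email"]
    ).items():
        print(f"{addr!r}: strict={verdicts[0]} loose={verdicts[1]}")
    print(canonical_mailbox("username+vendor@Gmail.com"))
```

The same reasoning applies to `username-vendor@yourowndomain.com` from the reply above: the strict pattern accepts it because the hyphen happens to be in its character class, not because the form author thought about subaddressing.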
Well, you do have to enter the master password. (Figured I would save you the research since you obviously don't have time to do so before posting.)
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
Why not use KeePass on your phone then? It supports BlackBerry, Android and iOS.
Or export the data from KeePass, GPG ascii-armor that, and email it to yourself?
There's plenty of ways to do that. I keep lots of non-web data within KeePass, and it's been remarkably useful to me for more than just "logins".
Well, "once" does not equal "never," now, does it?
I don't have a smartphone.
I think those random password generators and "keeptrackors" is the most convenient and best but I've also considered using https://www.grc.com/offthegrid.htm or that together with something else.
As for the guy talking down the "bunch of words" approach, I guess one could take words from different languages and then throw in a few extra characters and numbers in a few groups here and there, just to mess things up if someone only uses dictionaries, and then it would become somewhat harder (though if one uses the same password, or the same places for things, always, it's not all that great anyway.)
Add this thing's C&C Servers to hosts like so, blocking them:
0.0.0.0 esco.myjino.ru
0.0.0.0 myjino.ru
0.0.0.0 s020.radikal.ru
0.0.0.0 i016.radikal.ru
0.0.0.0 radikal.ru
SOURCE -> http://malware.dontneedcoffee.com/2013/10/jolly-roger-stealer-c-panel.html
(Which is pointed to from the source article for this news on /. today...)
IF they add any more, keep your eyes peeled for security articles regarding that - MOST (good ones, that is) post the C&C servers etc. to block this way!
APK
P.S.=> Enjoy - since what you can't touch, can't touch you... apk
Actually, no.
What you've done is make it take marginally longer to guess your password, but not impossible. By marginally, I mean minutes to hours in most cases, not days, weeks, months or years. Just try sticking a sample password of words from different languages into Google for example, and watch it cleanly cleave those words apart into a logical search.
Lexical matching + brute force is a solved problem. Password cracking doesn't just bash letters against a wall until it gets a match anymore. At least good ones don't.