Two Million Passwords Compromised By Keylogger Virus
Ocean Consulting writes "CNN is reporting that over two million passwords from web service companies such as Google, Facebook, Twitter and Yahoo have been captured via a key logging virus. The story is based on information released by security firm Trustwave. The report critiques how bad people are at making secure passwords, but does mention the use of Pony Botnet Controller."
The bad news is that 2 million passwords have been compromised.
The good news is that they're all "123456".
Have you read my blog lately?
I'm not bad at making up secure passwords, I'm just bad at remembering them.
"If any question why we died, Tell them because our fathers lied."
The data says that the 10th password in the list was used by 1000 users out of two million. The top ten, combined, accounts for 36,000 (eyeballed) of the two million passwords. That doesn't seem like an epidemic to me. A bit less than 2% - that is actually, IMO, quite good. Two percent of internet users are bad at understanding security? Wow.
The keylogger is a bigger problem - so long as I type in my passwords, the keylogger can always find out what I am doing! I could have a 20 character really secure password, to no effect. Hell, things in real life are much worse. My pin is 4 digits long, banks identify me by the last four digits of my SSN (which, quite helpfully, they send out in the mail they send me). Maybe it is time to stop bashing people for choosing insecure passwords, and try to fix the systemic problems?
... Chinese and Taiwan Keyboards have a logger built in, in hardware, storing all key presses in a kind of flash. And they simply collect old keyboards on the way to the garbage deposits.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Incredible, that's the combination to my luggage!
As far as we know, this thing happens all the time, and more than likely, these PCs that are infected, are infected by more than one key-logger. Update your antivirus is a moot point, because unless the 'virus' is known, then the antivirus folks cannot do anything about it anyway. By the time these things are found out, it's far too late anyway. There is no advice that can be given here, except, "Don't get a virus", which is silly to tell someone.
Politics; n. : A religion whereby man is god.
What security hole is the virus making use of? Is there something an end user should look out for? etc, etc?
Good thing I almost never key-in my passwords.
I copy them straight off of strongpasswordgenerator.com, and paste them into my password fields.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Adobe password breach was about 40-100 million passwords, a lot reused in other services. But the method was different, instead of hacking into a single server with a very bad password policy, this went right to the desktops of people in that botnet. So no matter how safe you were using your password or picking a complex one, if your desktop security is not good enough (and there are a lot of cases of widespread malware avoiding antivirus detection for years) your carefully built password policy could be defeated at the moment of using them.
About common passwords used, it is almost predictable to find them having millions of passwords, but the strength of the password is not the problem here.
I'm looking for more technical information on this virus. Is there a collection of different key logging software all sending the passwords to the same proxy server? How does someone get infected by this virus? How about the IP addresses of the proxy servers so people can at least look for traffic from their firewalls?
This article seems kind of useless other than to scare people into purchasing some protection, which conveniently the company writing the article sells!
A "secure" password does nothing to mitigate keyloggers. The only thing that does is two factor.
I think the comments regarding the password strength were general, and basically the usual Slashdot topic drift.
IMO it's way past time for two factor everywhere. Federating logins makes that much more feasible.
Since they haven't published the impacted usernames yet, if one of you has access to the database, could you see if my password is in it?
D0uble!!8R3view
T.I.A.
Got to be a whole freaking lot better than the 8 characters stuff even with various cases, numbers and symbols.
I love how people with a clue suggest people use different passwords everywhere and then more or less every single page in the universe require you to have a freaking login and often don't use any central stuff for doing so (somewhat better now with facebook and Google then again do I really want to connect my accounts that way?)
Guess a certificate / private key and password isn't all that much better but it's way more convenient.
With your own domain and software like KeePassX, it's surprisingly easy. You never even have to type passwords or usernames. Once you get it set up it's actually even easier than using the same password everywhere, and vastly more safe.
Of late my bank has been on a new drive to irritate all customers under the guise of protecting our security. On top of the ever so secure four number PIN, and the usual login password, and the three digit CVV number (which I assume anyone stealing credit card info will also collect).
They now have two very secure additions to their arsenal:
1) Once you have logged in, and you wish to add another company to the list of those to whom you can send money - bill payments - you must also type in a five digit security code. A code that is different from your PIN, or any other log-in.
Of course because you only use this about once a year you will have forgotten it, so you need to generate a new one. While still logged in. With no further authentication.
Yes, adding a payee to the list requires you to enter a number that you created five seconds previously. Wow. I feel so safe.
2) Authentication Questions: the ever popular list of ten questions about things that you did thirty-five years ago, or where there could be multiple possible answers. Where did you meet your spouse? (Which one?) What was the name of your childhood pet? (Again, which one?) What was your favourite TV show at age 13? (Damned if I know.) What was the Zip Code of your Grade Three elementary school?
In other words, my money is secured through the use of a list of questions that any of my Facebook followers could find in about five minutes. Assuming that I ever put anything truthful on Facebook.
The basic problem is that the whole password concept stopped being an effective protection years ago, and no-one has come up with a really good way to replace it. So instead we get corporations forcing people to jump through meaningless hoops in the hopes that we won't notice.
Or worse, encouraging us to use one corporation's log-in across multiple platforms - thus ensuring that one security breach will open many doors to your on-line affairs. Seriously, does anyone think that using Facebook to log in elsewhere is a good idea?
Three Squirrels
Google and Facebook offer simple two-factor that works with any cellphone capable of SMS. Facebook also has a keygen built into their smartphone app. I wish everyone did this.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
> should we setup a separate email address at google for each vendor account we create?
You don't already use an alias? username+vendor@gmail.com
Surprising how many scripts tell you that this is not a valid email address.
The keygen would still work, plus Google will let you print out one-time use codes that you can keep in your wallet. I have had to use those before. Google will also let you set up a phone number that it will ring with the code - and naturally your desk phone at work sounds like a pretty good candidate.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
I just have trouble finding the people whom they belong to.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
And how many ordinary companies making a routine purchase of seemingly ordinary keyboards test them in labs for key loggers?
Commercial keyloggers (including devices like black market skimmers) can use GPRS cards, they can scout for open WiFi access points and transmit their payload once a day at 2:00 AM, or they can sit on a whole file waiting for a harvester to show up and retrieve the data via Bluetooth, 900 MHz, or some other wireless technology. The retrieval patterns are designed to evade detection.
The only people investigating this stuff today are forensic investigators hired by people who are already victims, and independent security firms with nothing better to do.
John
So - just one email account password to crack - right? Discard to the right of the + symbol in the user portion of your address, and we're done. Brilliant solution you've got there... I hope the world adopts it. I'm rather tired of earning legitimate income - I'd like to use yours.
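The two comments above on `username+vendor@gmail.com` aliases, worked through as an added example (not code from the thread or from any mail provider): a form pattern that wrongly rejects the `+`, a dot-atom pattern that accepts it, and the split showing that every alias maps to one mailbox while the tag still records which vendor held the address. The function names and sample addresses are constructed, and treating `+` as the tag separator with a case-insensitive local part is an assumption that matches Gmail-style subaddressing.

```javascript
// Characters allowed in an unquoted local part (RFC 5322 "atext").
const ATEXT = "A-Za-z0-9!#$%&'*+/=?^_`{|}~-";

// Typical over-strict signup pattern: letters, digits, dot, underscore, hyphen only.
const STRICT = /^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

// Dot-atom local part: atext runs separated by single dots, then a dotted domain.
const DOT_ATOM = new RegExp(
  "^[" + ATEXT + "]+(\\.[" + ATEXT + "]+)*@[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)+$"
);

// Split an address into base, tag and domain; null when it is not a dot-atom address.
function splitAddress(addr) {
  if (!DOT_ATOM.test(addr)) return null;
  const at = addr.lastIndexOf("@");
  const local = addr.slice(0, at);
  const plus = local.indexOf("+");
  return {
    base: plus === -1 ? local : local.slice(0, plus),
    tag: plus === -1 ? null : local.slice(plus + 1),
    domain: addr.slice(at + 1).toLowerCase(),
  };
}

// The mailbox (and therefore the single login) that an alias delivers to.
// Assumption: the provider ignores everything after "+" and ignores case.
function mailboxKey(addr) {
  const p = splitAddress(addr);
  if (p === null || p.base === "") return null; // "+tag@..." has no mailbox part
  return p.base.toLowerCase() + "@" + p.domain;
}

// Summarise each address: what a strict form says, and what the alias resolves to.
function report(addresses) {
  return addresses.map((addr) => ({
    addr,
    strictFormAccepts: STRICT.test(addr),
    valid: DOT_ATOM.test(addr),
    mailbox: mailboxKey(addr),
    tag: (splitAddress(addr) || { tag: null }).tag,
  }));
}

// Constructed sample input.
const SAMPLES = ["username+bank@gmail.com", "Username+shop@gmail.com",
                 "username@gmail.com", "+vendor@gmail.com", "user..name@gmail.com"];
console.table(report(SAMPLES));
```

The tag identifies which vendor an address was given to when mail arrives on it; the first three samples all resolve to the same mailbox, so they share one account password and one second factor.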
And you could turn it off without using 2FA?! Seriously?!
Actually, a few hundred PIN pads with built-in skimmers and GPRS modules were distributed around Europe a few years ago.
John