Hackers Behind Biggest-Ever Password Theft Begin Attacks
An anonymous reader writes Back in August, groups of Russian hackers assembled the biggest list of compromised login credentials ever seen: 1.2 billion accounts. Now, domain registrar Namecheap reports the hackers have begun using the list to try and access accounts. "Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. ... The group behind this is using the stored usernames and passwords to simulate a web browser login through fake browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts." They report that most login attempts are failing, but some are succeeding. Now is a good time to check that none of your important accounts share passwords.
Time to TFA bitches!
I suggest changing your Namecheap password and enabling 2 factor authentication. Problem solved.
Now is a good time to check that none of your important accounts share passwords.
Now is too late. Sadly the users with bad/duplicate passwords won't get the message until they are actually harmed by them.
Did Namecheap notify its users via email that their system was compromised and they need to change their password? If so, and they ignored it, oh well, it's your own damn fault. If Namecheap didn't notify its users via email, then Namecheap is at fault and should be accountable for any damages, monetary or otherwise.
--- Keep the choice with the user..
hackers should be taken out back and fed to the pigs. Alive.
It could be that the attackers are trying their list on Namecheap, not that they sourced the credentials from Namecheap. I suspect that we'll likely see login attempts to everything ranging from Wordpress to Gmail to Hotmail, with the attackers hoping that people use the same password in multiple areas.
So apparently celebrities use the same password, this is how their accounts were hacked. Duh
Although annoying, I'm glad I have enabled 2-factor on Namecheap, plus my passwords are different from my email...
It's not a typo if you understood the meaning!
Reports at the time were that they stole billions of passwords, so why only target the domain registrar? This could be a sign of worse things to come, how many accounts have they accessed without alerting an IDS, and what are they doing once they gain entry. By starting with the domain registrars, they could gain much more information than even their previous massive trove of user data. This is highly troubling.
My suggestion to Namecheap (and other domain registrars or hosting companies) would be to lock them all down if possible, force all users to change the passwords from e-mail or other contact method before they can login again. We don't know what they have and we don't know what their plans are. This is a gaping security hole in the internet.
http://www.thedomains.com/2014...
The good news is that Namecheap found the attack early and took measures to defeat the attempt to log into Namecheap accounts; the bad news is that this is not just a security issue for Namecheap but seems to be along the lines of the groups of Russian hackers who gained access to hundreds of thousands of email accounts and millions of user IDs and passwords last month, so it's an issue for all Internet users.
The truth shall set you free!
Does this mean we are approaching a preemptive strike from Russia? We always hear about our infrastructure being compromised via the internet, I guess a war with Russia is a good way to find out!
I'm watching Spaceballs right now so I'm really getting a kick out of this story.
I decided why not change the passwords, been a while anyway; 2 of the 3 sites I care about still do not allow what they call 'special characters' (!@# - etc). In this day and age I would think those restrictions would be lifted. One day I will try UTF-8 or Unicode characters and watch the fireworks at the sites. I do not do on-line banking and I have no incentive to start after seeing some finance sites will only accept US English letters and numbers for PWs.
Unless the users had the same password for their email account, which is likely. This is the problem with the username/password system: people want single sign-on, but companies don't want to cooperate unless it involves giving up any shred of anonymity, i.e. Facebook/Google logon.
Maybe someone stole 15 million accounts and is trying them out (way less than 1200 million and way more than normal on their website).
The first report was bullshit by some nobody to make money, nothing more and nothing less. This is more of the same bullshit to make bogeymen, and Russia has been a good target lately. I have worked in IT security for nearly 3 decades, so yes I do have some knowledge.
The 1.2 billion "credentials" was nothing to worry about (see disclaimer below), and still isn't. Hackers move massive lists of email addresses all the time, and try to run brute force attacks all the time. We block hundreds of thousands of these attacks every day. The majority are [email_addr@domain] with a password of 'password1'. Most of the time these are easy to see, as neither the user nor the domain exists on the targeted servers. Even the legit addresses are easy to detect, because hackers will use the top 25 worst passwords (just like you can find in articles every year; no, I'm not kidding). Rarely do I ever see anything complex, like .00001% of the time rare, where there is actually a worm running on the back end (think John the Ripper).
If I was a conman and wanted to make fast cash, I could start dumping all of these email addresses to a DB, and say "Oh Noez! This email account is haxxored!" when in reality there is no such compromise. To fluff numbers, I hash 'password1' in SHA, MD5, CRYPT, and maybe even use plain text. 300 million accounts have now given me a claim of 1.2 billion 'credentials', and you can hopefully see that the claim is complete shit! I can gather 300 million addresses in a week without breaking a sweat.
Disclaimer. You should be changing passwords for anything you care about frequently. 8 character passwords every 90 days, 14-16 character every 6 months. If you are using a strong password and are up for a change, go do so, no big deal. Since I write this shit for policies regularly, a "strong" password consists of the following.
1. No dictionary words, proper names or common acronyms in forward or reverse.
2. No QWERTY keys, including qazwsx, 54321, etc...
3. Contains at least 1 special character, 1 number, 1 upper and 1 lower case character.
4. Is not 'p@SSw0rd' or some other l337 speak that would be in a cracklib dictionary, and there is plenty there.
There are obviously restrictions in some places, so if you can't use certain characters make a longer password. If you can't make a longer password change the password more frequently. The majority of 'hackers' are script kiddies, not hackers. If you make things hard, they find a different target. There are numerous people out there that use 'password1' for their password, don't be one of them.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Yeah it's bad, and I protect my shit to the max and I still worry. The problem is that even with all the safeguards it only takes one gullible tech support person to completely destroy it. A 90 trillion character password is worthless if you can get it reset over the phone with half-assed information.
I talked AOL into resetting my password with only my name spelled incorrectly back in the day. "boredom at its finest" It made me feel so warm and fuzzy ins.. I mean terrified that I changed my service the same day.
Of course, it could not have been any of the thousand brute force attacks that are happening every day.
No.
It was a brute force attack by bad baby eating state sponsored Russian hackers, specifically using the imaginary end-of-the-world password list.
Of course, neither the "1.2 billion passwords" list, nor the "they're using it against Namecheap" events were/are cheap advertising.
Nope.
Why would these "Russian criminals" be the ones behind this attack? Sure, some company used the argument that there seems to be a list of over 1 billion accounts floating around on the internet to sell their services some time ago. It may even be that this list was found for sale on a Russian marketplace. It may even be that there are actual Russians selling this list. The accounts could even be mostly real, although probably most of it will be relatively dated.
But why would that same group of people that are actively selling this list be the same group that is using it? It makes much more sense that some group that bought part of this list, or bought some other list, or has their own trojan to steal passwords is now attacking namecheap. Unless there is substantial evidence that the same group is behind it, this is just FUD and sensationalism.
Namecheap is under attack with what's most likely a brute force list with accounts that were compromised in some yet unknown way. I think those are the facts and the rest is purely speculation.
I was promised a flying car. Where is my flying car?
for sure the first site I'd attack is obscure registrar namecheap...
So long, and thanks for all the Phish
correcthorsebatterystaple
Assuming an attacker has no knowledge of the password make-up, according to your policy the password nkeL4(b3 sits in a keyspace of around 6.1 * 10^15 combinations.
Under equal conditions the password refineddisplayparcelsuited sits in a keyspace of around 6.2 * 10^36 combinations. When I get back from my appointment this morning, I will still remember refinddisplayparcelsuited and won't have to write it on a sticky note, or save it on to the Dropbox App on my phone, which has a crappy password I use everywhere, using the file name "Work login password.txt".
You may remember it when you're back from your appointment, but you might not be able to type it right twice (see example).
I wonder when someone finally gets to stop routing BGP with Russia.
Not as "hacking prevention" but as "military defence", as Russian mercenaries fight with whoever the Kremlin tells them to.
So why do the USA/NATO/EU not stop internet traffic with Russia and threaten to block those countries that try to provide net to Russia?
+ This would be also more effective than puny sanctions that USA and EU imposed so far.
+ The cost for US/EU would be low, cost for Russia - more painful.
+ This would produce some discontent in Russian society
+ This would reduce hacking attacks and spam by 50% globally
Safer would be to cut routing to/from Russia. And like in 2001, threaten all countries to do the same or be treated like terrorists (and also have their access to US+allied internet resources cut).
Your account has been locked out due to too many failed login attempts. Please contact your slashministrator.
[shameless plug, but apropos] - my company's Kaje Picture Passwords for the Web would have prevented these attacks almost completely. (I say "almost" because, well, "never say never".) We published a press release about this two weeks ago: Bright Plaza offers "Kaje" Website Security Solution to Russian Hacker Password Breach. Using Kaje, the password is no longer stored on the website so these breaches could not have exposed the passwords. Kaje never knows anything about the user other than the anonymous ID sent by the website.
Had all those websites been using Kaje, these breaches would not have resulted in the huge potential liability and recovery costs that so many businesses will be facing. From Sony a few years ago to Target and EBay recently, and now this Russian thing, password breaches are causing billions of dollars in damages, often borne by website owners - in some cases thousands of dollars per user. Health care and financial services websites are particularly subject to financial penalties from regulatory bodies as well as civil litigation. In comparison, the Kaje service costs fractions of a cent per use for large users.
A Picture Password, which was demonstrated to be easier to use and more secure than text passwords by NIST as early as 2003 (using an earlier, less secure methodology), is more difficult to crack as well as resistant to man-in-the-middle attacks. The Kaje service has an HTTPS RESTful API, is compatible with OpenID, SAML, and other SSO systems, and plugins are available for Drupal and WordPress with others coming soon. Using Kaje basically requires SSL and one or two additional columns for the anonymous ID sent to Kaje by the website. The first 10,000 uses are free, so smaller websites can use it for years without paying anything, while larger ones can try it out, do testing and prototyping with no cost or obligation.
If anyone is interested, check out Kaje or contact me through the website. We're looking for both website (customers) and web services (hosting, CMS vendors, developers), who can apply to be Kaje Affiliates and receive a commission from us by offering discounts to their customers.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
Now is a good time to check that none of your important accounts share passwords.
No, now is a terrible time to check for that. You should not have to check.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Where are these "hacking attempts" originating? From Russia? From zombied machines/bots scattered all over the world? If they're coming from specific countries from which no legit traffic should be originating-- BLOCK IT. Sophos UTM (and others) has the ability to block traffic by country. You're damn skippy I block traffic from China and various eastern European countries known to be sources of attacks-- also monitor those logs to see what's going on....
Your rules are wrong, they actually reduce entropy and make the passwords easier to crack.
I won't run through the math with you, but anytime you reduce the number of characters that can be used in a given position, you've reduced entropy.
These "secure" rules are nothing but a CIA/NSA ploy to weaken passwords worldwide, and it's working.
Oh that's rich, getting "logged" for captcha when using CIA and/or NSA in a post.
...I don't understand why this is so difficult. If I go to youtube, from my PC at home, I am handed a suggestion-list based on past videos browsed (if I use my work PC then I get handed different suggestions). If I change some stuff in my browser (firefox add-ons or the like) then I notice that youtube's suggestions change, but soon learn that it's my PC and eventually suggest the same videos as before (even if I have not looked at those videos since the change). So it seems to me that it's very possible (for the site owner) to use a combination of user/pass with browser recognition in order to validate a user.
And if you think it'd be too much for anyone to develop, then you're not thinking of personalized ads.
Politics; n. : A religion whereby man is god.
thank you xkcd.org
I would love to use untypeable characters, which would render brute force hacking nearly impossible, but a majority of software (routers, websites, etc) choke on them. I've encountered many cases where my password will actually be accepted when chosen, but then when I try to log in with it, it won't be accepted, leaving me locked out.
Four words, strung together, can be a key space as small as 3000^4 (roughly 46 bits of entropy), especially if they are chosen from the top 3000 words in the dictionary. That's nowhere near 6.2 * 10^36.
Misspellings can help a lot and make it a lot stronger (adding maybe 3-4 bits per word). Adding spaces or punctuation between them adds maybe 1 bit per word. Random capitalization of something other than the first letter adds 2 bits per word.
Basically, if you're using English language phrases / words without any munging, you're only getting about 2 bits per character. A bit lower if it's a grammatically correct phrase (~1.5 bits/character), a bit higher if it's random words strung together (~2.3 bits/character). That puts a 26 character phrase like you provided at somewhere between 39-60 bits (and it is always better to assume the lower bound).
Most attackers will assume 2-6 words strung together, from the top N lists. So just tacking words together is not safe. Or they'll use N-grams (sort of like Markov chains, but more general) and go after the most common phrases.
In comparison, an 8-character password, chosen from a field of 64 possibles per character (6 bits) is 48 bits strong. If you managed to use one of 90 possible characters per position, that is 52 bits strong (6.5 bits/char * 8 bits).
48-52 bits is just not a lot these days, if the attacker gains access to the hashed password and can attack it offline. Minimum bits of complexity really needs to be about 64 bits (10-12 characters, fully random) to deal with offline attacks, and 80 bits of entropy is far better.
Wolde you bothe eate your cake, and have your cake?
I would agree that brute-force attacks are hardly news. The door-rattlers have always been there, but the news that over a billion user accounts, that is working credentials that grant access to something, are in the hands of organized criminals, is something else again. The wave of snowshoe spam we've seen over the last few weeks lines up nicely with that news, and our analysis is that compromised user accounts on a widespread assortment of services/hosts appear to be a fundamental part of the campaign. That is news. If we use our imagination a bit, that same trove of credentials could be used for other purposes as well. Owning some accounts with one or more services like namecheap.com would be a very useful tool. I'm glad that namecheap has been as forthcoming as they have been vigilant.
Nothing good ever comes from anywhere East of the Rhine. They're gangsters and peasants. Block it all. Firewall it.
"refineddisplayparcelsuited" is not a common phrase, and this isn't Master Mind where the attacker gets hints when he correctly selects part of the password.
I love how we spend so much time picking passwords that are hard for people to guess-- or remember-- when computer programs can only be written in a practical manner to try the most common dictionary words or "hunter2"-type passwords. Past that, it's all brute force whether you used "j$b01[BaP*@" or "refineddisplayparcelsuited" because the program has no idea how much of the character set your password used until it's been cracked.
Gamingmuseum.com: Give your 3D accelerator a rest.
I'm not sure you ever tried to write a brute force tool, let alone run one. I'm not saying your method is horrible, but it is nowhere near as secure as you think. The actual strength is (dictionary_words)^4. The statistic you gave is not even accurate as a 26 character randomized password, which would be 26^26 (given that you are only using lower case letters). Your strength statistic is absolutely wrong.
There are many ways to make strong passwords. If you want to use words like that, mixing in what I gave as required makes a huge difference. 'R3defined?display/Parcel5suiteD' makes a massive difference to your 4 words. I can't use a dictionary alone to break it, I have to use brute force methods.
I personally prefer a math/programming method of making passwords. '21Y=acos[n-1]' for example is going to be a nasty amount of effort for someone to break. 'Fling[p00,u]' is another, and if you want to make it harder in your passwords change one of the brackets/parenthesis to an alternate. E.G. '{N-33]=Pi*qq'.
Some people prefer phrases and transformation. 'Mary had a little lamb, its fleece was white as snow' would be 'Mhall,ifwwas' which again is not using dictionary words and is going to be hard to break.
Stringing 4 words is not 'bad', because you are making it harder for a hacker than 'password1'. Being more secure than that person is what has kept your password safe, not the method of construction you gave here. Well, that and the fact that people shut down brute force attacks when they are detected normally.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
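The keyspace figures traded in the replies above (94^8 for the 8-character policy password, 26^26 versus 3000^4 or 5000^4 for the four-word passphrase) all depend on which attacker model you assume. This added example, which is not code from any poster in this thread, computes the strength of a password under each model and takes the minimum, since an attacker picks the cheapest model that fits. The character-class detection and the 1.5 bits-per-character English estimate are assumptions for illustration; the dictionary sizes are the ones quoted in the thread.

```python
import math
import string

# Added example (not from the thread): password strength under several
# attacker models. Sample passwords are the ones discussed in the thread.


def blind_charset_size(password):
    """Alphabet size a blind brute-forcer must cover once it knows which
    character classes (lower, upper, digits, punctuation) the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def brute_force_bits(password):
    """log2 of the keyspace for a blind brute force at the password's length."""
    return len(password) * math.log2(blind_charset_size(password))


def wordlist_bits(num_words, dictionary_size):
    """log2 of the keyspace when the attacker guesses num_words words drawn
    from a top-N dictionary (the (dictionary_words)^4 model in the replies)."""
    return num_words * math.log2(dictionary_size)


def phrase_bits_per_char(password, bits_per_char=1.5):
    """Shannon-style estimate for an English phrase at an assumed
    bits-per-character rate (1.5 is the lower bound quoted above)."""
    return len(password) * bits_per_char


def effective_bits(password, num_words=None, dictionary_size=5000):
    """Return (effective strength, per-model strengths). The effective value
    is the minimum over all models that apply, because an attacker who knows
    the construction method uses the cheapest one."""
    models = {"blind brute force": brute_force_bits(password)}
    if num_words:
        models["top-N dictionary"] = wordlist_bits(num_words, dictionary_size)
        models["english bits/char"] = phrase_bits_per_char(password)
    return min(models.values()), models


if __name__ == "__main__":
    for pw, words in (("nkeL4(b3", None), ("refineddisplayparcelsuited", 4)):
        eff, models = effective_bits(pw, words)
        print(f"{pw!r}: effective {eff:.1f} bits")
        for name, bits in models.items():
            print(f"  {name:20s} {bits:6.1f} bits  (keyspace ~ 2^{bits:.0f})")
```

Running it reproduces the thread's numbers: 8 characters over a 94-symbol alphabet is about 52 bits, the passphrase is about 122 bits under blind brute force but only about 49 bits under a 5000-word dictionary and about 39 bits under the 1.5 bits-per-character estimate, so 39 bits is the figure to plan around.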
For posterity, it's not just the off line attack that's become a problem. There are numerous attacks that occur over huge IP ranges. If you locked the account at a few bad attempts most users would be perpetually locked out. Hackers are now hitting an account from thousands of IP addresses to brute force. They rate throttle to reduce detection, most connecting once every 30-60 minutes. The really stealthy attacks may have a single IP connecting once per day for 1 account, the next day the same account will be hit from a different IP, and the next day a new IP.
If you don't have a vigilant watch on log data, someone in your perimeter will be hacked in time. Some network devices (I won't give sales pitch for free) will help quite a bit, but we still manually block a whole lot of IPs that the devices miss.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
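The comment above describes an attack pattern that per-IP rate limiting and per-account lockout both handle badly: each source address connects once, so no IP trips a threshold, and locking the account on a few failures punishes the victim. One defensive answer is to aggregate failures per account and count distinct source addresses inside a time window. The following is an added example, not code from the poster or from Namecheap; the log format and the sample lines (using documentation IP ranges) are constructed here, and the window and threshold values are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the thread). Constructed sample log lines in an
# assumed "login" format; the IP addresses are from documentation ranges.
SAMPLE_LOG = """\
2014-09-01T00:05:00Z login account=alice ip=203.0.113.5 result=fail
2014-09-01T00:40:00Z login account=alice ip=198.51.100.7 result=fail
2014-09-01T01:30:00Z login account=alice ip=203.0.113.77 result=fail
2014-09-01T02:10:00Z login account=alice ip=198.51.100.19 result=fail
2014-09-01T02:55:00Z login account=alice ip=203.0.113.140 result=success
2014-09-01T01:00:00Z login account=bob ip=192.0.2.10 result=fail
2014-09-01T01:00:30Z login account=bob ip=192.0.2.10 result=success
2014-09-01T03:00:00Z login account=carol ip=203.0.113.5 result=fail
"""

LINE_RE = re.compile(r"^(\S+) login account=(\S+) ip=(\S+) result=(fail|success)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, account, ip, result = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "ip": ip, "result": result}


def find_distributed_attempts(lines, window=timedelta(hours=6), min_ips=3):
    """Flag accounts whose failed logins inside `window` come from at least
    `min_ips` distinct source addresses. Per-IP rate limits never fire on this
    pattern because each address connects only once; the account is the one
    place where the attempts converge, so that is where we count."""
    by_account = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_account[ev["account"]].append(ev)

    alerts = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "fail"]
        # slide the window over each failure as a potential start point
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            ips = {e["ip"] for e in in_window}
            if len(ips) >= min_ips:
                # a success after a burst of distributed failures is the
                # strongest signal that one of the guessed credentials worked
                success_after = any(e["result"] == "success" and e["ts"] > first["ts"]
                                    for e in events)
                alerts[account] = {"distinct_ips": len(ips),
                                   "window_start": first["ts"],
                                   "success_after_failures": success_after}
                break
    return alerts


if __name__ == "__main__":
    for account, info in find_distributed_attempts(SAMPLE_LOG.splitlines()).items():
        print(account, info)
```

On the constructed sample, alice is flagged (four failures from four addresses, then a success, which is the case to escalate), while bob's single typo-then-success and carol's lone failure are left alone. For the once-per-day variant the comment describes, widen the window to several days; the per-account distinct-IP count still separates it from a user who mistypes from one machine.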
Ok, "always" is an exaggeration. BUT,
Although Russians are only 2% of the world's population, after reading about countless security breaches over the past 10 years, it seems like 50% of the crackers and black-hats are Russian.
Why? Is there something about 21st-century Russian culture that tends to produce unethical behavior?
Most attackers will assume 2-6 words strung together, from the top N lists.
No they won't.
correcthorsebatterystaple
22f0ebce1cbb13f9b9ea8ad40442c1852932156c
thanks sha1sum
Except guessing at strings of words is trivial if they are in the dictionary.
refined display parcel suited are 4 common words. I could write a tool to attack that very quickly, starting with the most common words arranged in 2,3,4 sets.
Not common, actually.
"Display" is beyond the 2000 common words, and the other three are not even in the common 5000 ("suite" is, but not "suited").
So this is at least log2(5000^3) ~= 49.1 bit. Throwing in trivial capitalization and spacing, this is raised by ~6-8 bit, making it on the order of 9 character full printable ASCII random password, except this one is easy to memorize.
I meant log2(5000^4), of course.
Well, not to waste this comment, gonna plug for Diceware as a nice freely available ~7k word dictionary organised for passphrase generation. Oh yeah, and it doesn't contain "refined", still.
What happened to OpenID ?
Last time I checked, it didn't involve pesky social networks having all your IRL details and compiling complete dossiers on you to sell to advertisers.
The Diceware method is a good process, but it makes me uncomfortable to use a nice preformatted set of words to make a passphrase out of. Attackers could build a rainbow table pretty easily (and we know not enough people salt their database hashes) with a few PB of disk space. Why not make new Diceware lists from less common words, and change it every so often? It would require the same process but offer a lot more entropy.
Also, w.r.t. your earlier claims about the top 5000 words, check that list again (you no doubt used the one from http://www.wordfrequency.info/...): there are only actually 4352 words in that list; it contains duplicates due to homographs.