Hackers Behind Biggest-Ever Password Theft Begin Attacks
An anonymous reader writes Back in August, groups of Russian hackers assembled the biggest list of compromised login credentials ever seen: 1.2 billion accounts. Now, domain registrar Namecheap reports the hackers have begun using the list to try and access accounts. "Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. ... The group behind this is using the stored usernames and passwords to simulate a web browser login through fake browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts." They report that most login attempts are failing, but some are succeeding. Now is a good time to check that none of your important accounts share passwords.
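Namecheap's writeup above says the attackers replay the stolen list through software that imitates a real Firefox/Safari/Chrome login, so the user-agent string is not the signal; what stands out on the wire is one source trying many distinct usernames with a high failure rate. The following is an added example, not Namecheap's code: the log format (timestamp, source IP, username, result), the thresholds and the sample lines are all constructed assumptions. It aggregates per-source login statistics, flags sources that look like credential stuffing, and lists the accounts a flagged source actually got into, which is the list that needs forced resets.

```python
"""Credential-stuffing detector over constructed login-log lines.

Added example, not Namecheap's code. Assumed log format (one event per line):
    <iso-timestamp> <source_ip> <username> <result>
where <result> is one of: ok, bad_password, no_such_user.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample log: 198.51.100.7 sprays six different usernames and
# gets one hit; 203.0.113.5 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2014-09-01T02:00:01Z 198.51.100.7 alice bad_password
2014-09-01T02:00:01Z 198.51.100.7 bob no_such_user
2014-09-01T02:00:02Z 198.51.100.7 carol bad_password
2014-09-01T02:00:02Z 198.51.100.7 dave ok
2014-09-01T02:00:03Z 198.51.100.7 erin no_such_user
2014-09-01T02:00:03Z 198.51.100.7 frank bad_password
2014-09-01T02:00:04Z 203.0.113.5 alice bad_password
2014-09-01T02:00:09Z 203.0.113.5 alice ok
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    unknown_users: int = 0              # logins against accounts that do not exist
    usernames: Set[str] = field(default_factory=set)
    successes: List[str] = field(default_factory=list)


def parse_line(line: str):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result


def aggregate(log_text: str) -> Dict[str, SourceStats]:
    """Fold every log line into per-source statistics."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if result == "ok":
            s.successes.append(user)
        else:
            s.failures += 1
            if result == "no_such_user":
                s.unknown_users += 1
    return stats


def flag_stuffing(stats: Dict[str, SourceStats],
                  min_distinct_users: int = 5,
                  min_failure_ratio: float = 0.5) -> Dict[str, dict]:
    """Flag sources that try many distinct usernames and mostly fail.

    A legitimate user retrying a password hits one or two usernames; a
    replayed credential list walks through many. Thresholds are assumptions
    and would be tuned against a site's normal traffic.
    """
    alerts = {}
    for ip, s in stats.items():
        ratio = s.failures / s.attempts
        if len(s.usernames) >= min_distinct_users and ratio >= min_failure_ratio:
            alerts[ip] = {
                "distinct_users": len(s.usernames),
                "failure_ratio": round(ratio, 2),
                "unknown_users": s.unknown_users,
                "compromised": sorted(s.successes),   # accounts to force-reset
            }
    return alerts


if __name__ == "__main__":
    for ip, info in flag_stuffing(aggregate(SAMPLE_LOG)).items():
        print(ip, info)
```

The `compromised` list is the actionable output: accounts a flagged source logged into successfully are exactly the ones whose password is shared with some other breached site, so they get the forced reset (and a 2FA nudge) rather than everyone.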
From the namecheap link:
I must reiterate this is not a security breach at Namecheap, nor a hack against us. The usernames and passwords the hackers are using have been obtained from other sources. These have not been obtained from Namecheap. But these usernames and passwords that the hackers now have are being used to try and login to Namecheap accounts.
Although annoying, I'm glad I have enabled 2-factor on Namecheap, plus my passwords are different from my email...
It's not a typo if you understood the meaning!
My suggestion to Namecheap (and other domain registrars or hosting companies) would be to lock them all down if possible, force all users to change the passwords from e-mail or other contact method before they can login again. We don't know what they have and we don't know what their plans are. This is a gaping security hole in the internet.
http://www.thedomains.com/2014...
The good news is that Namecheap found the attack early and took measures to defeat the attempt to log into NameCheap accounts. The bad news is this is not just a security issue for Namecheap but seems to be along the lines of the groups of Russian hackers which gained access to hundreds of thousands of email accounts and millions of user IDs and passwords last month, so it's an issue for all Internet users.
The truth shall set you free!
With a billion credentials, they certainly haven't had the chance to exploit them all yet. It's too late for 0.01% of the victims, but not too late for the rest of us.
John
... but that wasn't the original poster's point....
Au contraire, that was the OP's point. The OP threw an unsubstantiated accusation at namecheap.com, "Did Namecheap notify its users via email that their system was compromised"
The OP stated, incorrectly, that namecheap's system was compromised.
I decided why not change the passwords, it's been a while anyway; 2 of the 3 sites I care about still do not allow what they call 'special characters' (!@# - etc). In this day and age I would think those restrictions would be lifted. One day I will try UTF-8 or Unicode characters and watch the fireworks at the sites. I do not do on-line banking and I have no incentive to start after seeing some finance sites will only accept US English letters and numbers for PWs.
My suggestion to Namecheap (and other domain registrars or hosting companies) would be to lock them all down if possible, force all users to change the passwords from e-mail or other contact method before they can login again. We don't know what they have and we don't know what their plans are. This is a gaping security hole in the internet.
Unless the users had the same password for their email account, which is likely. This is the problem with the username/password system: people want single sign-on, but companies don't want to cooperate unless it involves giving up any shred of anonymity, i.e. Facebook/Google logon.
If so, and they ignored it, oh well, it's your own damn fault.
I hear this argument a lot. But the fact of the matter is, if your neighbor is stupid enough to let their kids play with matches... yes, that's their fault, but that doesn't mean your house isn't going to burn down right along with theirs. A breach of this scale could have repercussions for the internet as a whole. I run into this attitude at work all the time... let's say we're building a website and we put a button on the screen over to the right, but if they have the window too small they can't see that button. Someone invariably says something to the effect of "Well, you'd have to be an idiot to have your window shrunk down to that size! It's their own fault for being stupid!" at which point I pipe up and say "We want stupid people's money too, don't we?"
You can't just ignore stupid people on the net. That's about 99.99% of people, and they're paying for the rest of us to actually use it properly.
The first report was bullshit by some nobody to make money, nothing more and nothing less. This is more of the same bullshit to make bogeymen, and Russia has been a good target lately. I have worked in IT security for nearly 3 decades, so yes I do have some knowledge.
The 1.2 billion "credentials" was nothing to worry about (see disclaimer below), and still isn't. Hackers move massive lists of email addresses all the time, and try to run brute force attacks all the time. We block hundreds of thousands of these attacks every day. The majority are [email_addr@domain] with a password of 'password1'. Most of the time these are easy to see, as neither the user nor the domain exists on the targeted servers. Even the legit addresses are easy to detect, because hackers will use the top 25 worst passwords (just like you can find in articles every year, no I'm not kidding). Rarely do I ever see anything complex, like .00001% of the time rare, where there is actually a worm running on the back end (think John the Ripper).
If I was a conman and wanted to make fast cash, I could start dumping all of these email addresses to a DB, and say "Oh Noez! This email account is haxxored!" When in reality, there is no such compromise. To fluff numbers, I hash 'password1' in SHA, MD5, CRYPT, and maybe even use plain text. 300 million accounts have now given me a claim of 1.2 billion 'credentials', and you can hopefully see that the claim is complete shit! I can gather that 300 million addresses in a week without breaking a sweat.
Disclaimer. You should be changing passwords for anything you care about frequently. 8 character passwords every 90 days, 14-16 character every 6 months. If you are using a strong password and are up for a change, go do so, no big deal. Since I write this shit for policies regularly, a "strong" password consists of the following.
1. No dictionary words, proper names or common acronyms in forward or reverse.
2. No QWERTY keys, including qazwsx, 54321, etc...
3. Contains at least 1 special character, 1 number, 1 upper and 1 lower case character.
4. Is not 'p@SSw0rd' or some other l337 speak that would be in a cracklib dictionary, and there is plenty there.
There are obviously restrictions in some places, so if you can't use certain characters make a longer password. If you can't make a longer password change the password more frequently. The majority of 'hackers' are script kiddies, not hackers. If you make things hard, they find a different target. There are numerous people out there that use 'password1' for their password, don't be one of them.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
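The four policy rules in the comment above, implemented as a checker. This is an added example and not the commenter's policy code; the wordlist is a tiny constructed stand-in for a cracklib-style dictionary (a real deployment would load cracklib's or `/usr/share/dict/words`), the keyboard runs and the leet-speak substitution table are assumptions, and the minimum length is the commenter's 8 characters. The check de-leets the candidate before the dictionary lookup so that 'p@SSw0rd' is caught, and tests each word reversed as well as forward:

```python
"""Password-policy checker for the four rules in the comment above.

Added example, not the commenter's code. WORDLIST, KEYBOARD_RUNS and the
leet table are constructed assumptions standing in for cracklib's data.
"""
import string
from typing import List, Optional

# Constructed stand-in for a cracklib dictionary: words, names, acronyms.
WORDLIST = {"password", "letmein", "welcome", "dragon", "monkey", "summer",
            "john", "smith", "nasa", "admin", "qwerty"}

# Physical keyboard rows and columns; each is also checked reversed.
KEYBOARD_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "qazwsxedc",
                 "1234567890"]

# Common l33t substitutions, undone before the dictionary lookup (rule 4).
LEET_TABLE = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                            "!": "i", "0": "o", "$": "s", "5": "s",
                            "7": "t", "+": "t"})


def deleet(pw: str) -> str:
    """Lower-case the password and undo l33t substitutions."""
    return pw.lower().translate(LEET_TABLE)


def find_wordlist_hit(pw: str, min_len: int = 4) -> Optional[str]:
    """Rule 1/4: a dictionary entry, forward or reversed, in the raw or
    de-leeted password. Longest words are tried first."""
    for cand in (pw.lower(), deleet(pw)):
        for word in sorted(WORDLIST, key=len, reverse=True):
            if len(word) < min_len:
                continue
            if word in cand or word[::-1] in cand:
                return word
    return None


def find_keyboard_run(pw: str, run_len: int = 4) -> Optional[str]:
    """Rule 2: any run_len-character slice of a keyboard row/column."""
    low = pw.lower()
    for run in KEYBOARD_RUNS:
        for seq in (run, run[::-1]):
            for i in range(len(seq) - run_len + 1):
                if seq[i:i + run_len] in low:
                    return seq[i:i + run_len]
    return None


def has_required_classes(pw: str) -> bool:
    """Rule 3: at least one lower, upper, digit and special character."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def check_password(pw: str, min_len: int = 8) -> List[str]:
    """Return the list of policy violations; empty means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    word = find_wordlist_hit(pw)
    if word:
        problems.append(f"contains wordlist entry {word!r} (forward, reversed or de-l33ted)")
    run = find_keyboard_run(pw)
    if run:
        problems.append(f"contains keyboard run {run!r}")
    if not has_required_classes(pw):
        problems.append("needs at least one lower, upper, digit and special character")
    return problems


if __name__ == "__main__":
    for candidate in ("p@SSw0rd", "drowssaP1!", "Qazwsx!9X", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that a checker like this only enforces the commenter's rules; it says nothing about the keyspace a password actually gives you, which the entropy discussion further down the thread addresses.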
Why would these "Russian criminals" be the ones behind this attack? Sure, some company used the argument that there seems to be a list of over 1 billion accounts floating around on the internet to sell their services some time ago. It may even be that this list was found for sale on a Russian market place. It may even be that there are actual Russians selling this list. The accounts could even be mostly real, although probably most of it will be relatively dated.
But why would that same group of people that are actively selling this list be the same group that is using it? It makes much more sense that some group that bought part of this list, or bought some other list, or has their own trojan to steal passwords is now attacking namecheap. Unless there is substantial evidence that the same group is behind it, this is just FUD and sensationalism.
Namecheap is under attack with what's most likely a brute force list with accounts that were compromised in some yet unknown way. I think those are the facts and the rest is purely speculation.
I was promised a flying car. Where is my flying car?
Now is a good time to check that none of your important accounts share passwords.
No, now is a terrible time to check for that. You should not have to check.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Four words, strung together, can be a key space as small as 3000^4 (roughly 46 bits of entropy), especially if they are chosen from the top 3000 words in the dictionary. That's nowhere near 6.2 * 10^36.
Misspellings can help a lot and make it a lot stronger (adding maybe 3-4 bits per word). Adding spaces or punctuation between them adds maybe 1 bit per word. Random capitalization of something other than the first letter adds 2 bits per word.
Basically, if you're using English language phrases / words without any munging, you're only getting about 2 bits per character. A bit lower if it's a grammatically correct phrase (~1.5 bits/character), a bit higher if it's random words strung together (~2.3 bits/character). That puts a 26 character phrase like you provided at somewhere between 39-60 bits (and it is always better to assume the lower bound).
Most attackers will assume 2-6 words strung together, from the top N lists. So just tacking words together is not safe. Or they'll use N-grams (sort of like Markov chains, but more general) and go after the most common phrases.
In comparison, an 8-character password, chosen from a field of 64 possibles per character (6 bits) is 48 bits strong. If you managed to use one of 90 possible characters per position, that is 52 bits strong (6.5 bits/char * 8 chars).
48-52 bits is just not a lot these days, if the attacker gains access to the hashed password and can attack it offline. Minimum bits of complexity really needs to be about 64 bits (10-12 characters, fully random) to deal with offline attacks, and 80 bits of entropy is far better.
Wolde you bothe eate your cake, and have your cake?
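The keyspace arithmetic in the comment above, carried through in code as an added example that is not part of the thread. It reproduces the comment's figures (4 words from the top 3000, 8 characters from 64 or 90, a 26-character phrase at 1.5 to 2.3 bits per character) and adds the offline-attack angle the comment raises; the guess rate of 10^10 per second is an assumption chosen for illustration, not a measurement.

```python
"""Password and passphrase keyspace arithmetic for the comparisons above.

Added example, not from the original thread. The guesses-per-second figure
is an assumption for illustration only; real rates depend on the hash.
"""
import math
from typing import Dict, Tuple


def bits_from_choices(choices: int, positions: int) -> float:
    """Entropy when each of `positions` slots is drawn uniformly from `choices`."""
    return positions * math.log2(choices)


def bits_from_text(chars: int, bits_per_char: float) -> float:
    """Entropy of an English-like string at an assumed per-character rate."""
    return chars * bits_per_char


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every key offline; the average is half this."""
    return 2.0 ** bits / guesses_per_second


def compare(guesses_per_second: float = 1e10) -> Dict[str, Tuple[float, float]]:
    """Bits and worst-case exhaustion time for each strategy in the comment."""
    cases = {
        "4 words from top 3000":                 bits_from_choices(3000, 4),
        "8 chars from 64":                       bits_from_choices(64, 8),
        "8 chars from 90":                       bits_from_choices(90, 8),
        "26-char grammatical phrase (1.5 b/ch)": bits_from_text(26, 1.5),
        "26 chars of random words (2.3 b/ch)":   bits_from_text(26, 2.3),
        "11 random chars from 64":               bits_from_choices(64, 11),
        "14 random chars from 90":               bits_from_choices(90, 14),
    }
    return {name: (round(b, 1), seconds_to_exhaust(b, guesses_per_second))
            for name, b in cases.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:40s} {bits:6.1f} bits  {secs / 86400:14.1f} days")
```

At the assumed rate, everything in the 46-52 bit band falls within hours, while 64 bits (11 random characters from a 64-symbol alphabet) takes decades, which is the comment's point about the minimum for an offline attack.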
"refineddisplayparcelsuited" is not a common phrase, and this isn't Master Mind where the attacker gets hints when he correctly selects part of the password.
I love how we spend so much time picking passwords that are hard for people to guess-- or remember-- when computer programs can only be written in a practical manner to try the most common dictionary words or "hunter2"-type passwords. Past that, it's all brute force whether you used "j$b01[BaP*@" or "refineddisplayparcelsuited" because the program has no idea how much of the character set your password used until it's been cracked.
Gamingmuseum.com: Give your 3D accelerator a rest.