nandemoari writes "It seems as if the massive phishing campaign reported yesterday was not specific to Hotmail, as was initially believed. According to a report by the BBC, many Gmail and Yahoo Mail accounts have also been compromised. Earthlink, Comcast, and AOL were also affected. While the source of the latest attacks has not been determined, many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail. Microsoft has done their part in blocking all known hijacked Hotmail accounts and created tools to help users who had lost control of their email. An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.' On their end, Google responded to the attacks by forcing password resets on the affected accounts."
My question is "why are they storing email passwords in plaintext"?
An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin.
...Even more, the phishing kit used most probably was badly designed, since it was one that didn't further authenticate the users to the Hotmail/Live website. I think it just returned an error message after grabbing the credentials.
* The list initially contained 10,028 entries.
* After I've cleaned up the list, like removing entries without a password, I had 9843 valid entries (passwords).
* There are 8931 (90%) unique passwords in the list.
* The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
* The shortest password was 1 char long : )
For your example, you might consider using a park that has some significance to you and capitalise the proper nouns, and numbers that actually make sense, to get something that is easier to remember. For example:
'Ten minutes to Central Park, and eat pretzels' becomes 10mtCP,&ep, which is trivial to remember for you (well, it is if you live ten minutes from Central Park and like pretzels). Keeping the punctuation in doesn't make it any harder to remember but adds another non-alphanumeric character. And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember, turns into a ten symbol password, containing letters (upper and lowercase) and punctuation, which is incredibly difficult to brute force.
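The scheme above as code, added here and not part of the original comment: it derives the password from the sentence and estimates what exhaustive guessing would cost, assuming the attacker does not know the construction rule; the number-word table and the 1e10 guesses/s rate are assumptions.

```python
import math
import re
import string

# Assumption: a small table of number words is enough for mnemonic sentences.
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
                "ten": "10", "twenty": "20", "fifty": "50", "hundred": "100"}


def mnemonic(sentence):
    """Reduce a sentence to a password the way the comment does: number words
    become digits, 'and' becomes '&', every other word keeps its first letter
    (uppercase only for proper nouns, taken to be capitalised words other than
    the first one), and punctuation attached to a word is kept."""
    out = []
    for i, token in enumerate(sentence.split()):
        m = re.match(r"^([A-Za-z]+)([^A-Za-z]*)$", token)
        if not m:  # contractions, digits etc. are outside the rule; refuse rather than guess
            raise ValueError(f"cannot reduce token {token!r}")
        word, punct = m.groups()
        low = word.lower()
        if low in NUMBER_WORDS:
            out.append(NUMBER_WORDS[low])
        elif low == "and":
            out.append("&")
        elif word[0].isupper() and i > 0:
            out.append(word[0])
        else:
            out.append(low[0])
        out.append(punct)
    return "".join(out)


def alphabet_size(pw):
    """Size of the character set an attacker must cover, judged from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def entropy_bits(pw):
    """Upper bound on strength: log2 of the keyspace, assuming no knowledge of the scheme."""
    return len(pw) * math.log2(alphabet_size(pw))


def bruteforce_years(pw, guesses_per_second=1e10):
    """Worst-case exhaustive search time; the guess rate is an assumed offline-cracking figure."""
    return alphabet_size(pw) ** len(pw) / guesses_per_second / (365 * 86400)


if __name__ == "__main__":
    for pw in (mnemonic("Ten minutes to Central Park, and eat pretzels"), "12345"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, ~{bruteforce_years(pw):.2g} years to exhaust")
```

The figures only bound an offline guessing attack; as the thread points out, a phished password is handed over regardless of its strength.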
With the Psion Series 3, you could enter characters by their ASCII code (no unicode, this was 1993) by holding down a modifier. I thought this would be great for a password; no one would ever guess that they had to hold down a modifier while entering some digits in the middle of the password. It turned out that the password entry box in the settings pane did, indeed, allow this kind of thing. Unfortunately, the first time I locked the device afterwards, I discovered that the password entry box for unlock
Ah, but only a great fool would fall for such an attack, and I am no great fool, so clearly I cannot click the link. But you must know that I am no great fool and thus I cannot not click the link....
Something tells me that the majority of these accounts were probably never really used. They are probably throw-away emails, created to get that "One day free pass" to various porn sites, or as general spam-traps.
News Flash: 10,000 Slashdot accounts compromised in phishing scam. Most common passwords were 31415 and 0xdecafbad.
Affected users have been placed on an isolated network where they can't do anything but post whinges about Microsoft and Apple to a web server that runs SSL using a self-signed certificate and actually follows the RFCs.
Huh??? I thought that was collected by phishing? Yeah, sorry for getting in the way of your ritual MS bashing, but it's something that can affect any service since it's essentially social engineering. Kind of.
Wow! (Score:5, Funny)
An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.'
That's amazing. I've got the same combination on my luggage.
Re: (Score:3, Insightful)
lol
But seriously, what kind of chickenshit mail server policy even allows that password in the first place?
OH... hotmail.. enough said...
Re: (Score:2)
There not being a whole lot to lose (or any porn that would get me in trouble ;), if my shit gets compromised, I use the same password on everything. (eight letter word, YMMV) Of course, I'm not afraid to format the HDD and re-install the OS when my foolishness catches up with me, and I DO protect my router, as well. The only thing I worry about is if my node became a SPAMBot, but I check my traffic periodically to avoid that. (Ain't happened yet, but I've had to fix my friend's boxes a few times). I do have
Re: (Score:2)
Of course, they're probably not, just comparing the hash values of "$usr_pw" and "12345", but that is also the most common password on voice email boxes.
One guy up here was convicted - TWICE - for "hacking" into police detectives' voicemail by just randomly dialing extensions, and entering "12345". You'd think after the first conviction, the cops would, you know, CHANGE THEIR FRIGGING PASSWORDS. Even 38258 (FUCK U) would have been bette
Re: (Score:2, Funny)
Saved by 123456!
Take that haxor!
Remind me (Score:5, Funny)
"Remind me to change the password on my luggage!"
Re:Wow! (Score:4, Insightful)
Re: (Score:3, Funny)
Re:Wow! (Score:5, Informative)
From the blog of the guy who actually did the research [acunetix.com], I'm deducing that those probably weren't valid passwords.
In other words, the phishing scheme didn't bother to verify that the passwords were any good. Heck, it didn't even verify that a password was entered (he did say he cleared out all the username/no password entries). Not surprisingly, it also didn't make sure the password was of the proper length to be valid (this would have kicked out all the empty string passwords anyway).
tl;dr: dumb people clicked the phishing link and entered their passwords. Smart people clicked the link and entered garbage. Garbage = bad data, which is what he ended up finding. (Seriously... I'm sure there are other people here who would knowingly go to the phishing page and deliberately enter garbage just to screw with the dicks who are trying to scam accounts.)
HA! My password is 123456 (Score:5, Funny)
With an extra digit for security! ;-)
I have a real programmer's password (Score:5, Funny)
012345
Re: (Score:3, Funny)
012345
That's why Microsoft thought "12345" was a reasonably secure password - they figured most hacking and phishing attacks would be coming from Linux or BSD boxes, so those people would never think of starting to count with a "1".
Re:Preaching to the church (Score:5, Interesting)
Re:Preaching to the church (Score:5, Informative)
And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember,
Real grammar nazis also know that it wasn't a sentence.
Re: (Score:2, Funny)
Real grammar nazis also know that it wasn't a sentence.
I love you. Will you marry an anonymous coward?
Re: (Score:3, Funny)
Doesn't look like it [slashdot.org]. Sorry.
Re: (Score:2)
This is all well and good until you happen upon a website, network, or system that hasn't thought to allow all special characters in the password field. This is the other side of password theory that admins don't get. If you want really secure passwords, don't limit what they can be made of. Some don't allow or keep uppercase, some don't allow non-alphanumeric characters. So your password must be slightly different than you would make by default and therefore remember on the first try after a while not usin
Re: (Score:3, Interesting)
Re: (Score:2)
If this becomes standard practice I predict the new common password will be "The quick brown fox jumps over the lazy dog".
Re: (Score:2, Interesting)
This was a phishing attack. The strength of the password didn't matter.
The article talks about analysis of password data and doesn't really point out anything we didn't know already.
Re:HA! My password is 123456 (Score:5, Funny)
12345? (Score:2, Funny)
Re: (Score:2, Funny)
Strong password (Score:3, Funny)
Stronger password (Score:2)
As a hypothetical, since length is really what matters, I wonder how long it would take before something like
01234567890123 or even 0123456789
would get guessed?
My experience is that short passwords (less than 7 chars) are the ones that get guessed, even if they are "good" ones that have a mix of letters, numbers, and punctuation.
much hype on this story (Score:2)
$ grep gmail pwd.txt | wc -l
25
I don't know.... (Score:4, Funny)
Where are the details? (Score:5, Insightful)
All of the stories seem to be very short on details. How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link? Or was it DNS forgery or something more subtle?
Everyone is reporting that it was a particularly big haul for a phishing campaign, but nobody seems to be reporting what the deal was, or why this was more successful than your typical, run-of-the-mill phishing attack.
Re: (Score:2)
Re:Where are the details? (Score:4, Funny)
> ...how do I know if I've been affected?
Are you a fool? If not you are ok.
Re:Where are the details? (Score:4, Insightful)
> ...how do I know if I've been affected?
Are you a fool? If not you are ok.
If the source is something like DNS poisoning, then it's not that simple. I already know my ISP to be a bunch of fools, but I have little choice in that matter.
Re: (Score:2, Insightful)
Re: (Score:2)
Your advice is not helpful. What percentage of fools think they are fools?
Approximately 12345 out of 123456.
Re:Where are the details? (Score:5, Funny)
Re: (Score:3, Informative)
It was an email saying that ones inbox was too full and to reply with username and password to have the limit increased.
Re:Where are the details? (Score:5, Informative)
How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link?
It's trivially easy - remember, the affected fools were Windows "users". There was a huge spam campaign that sent mails that appeared, to a casual glance, to come from Hotmail. The mails asked users to log in to "Hotmail" using a convenient link in the email, because their account would soon "time out" if it was not used. When they logged in to the spurious website, they were thanked for their prompt action, and then advised to log out and restart their browser "for security", and then to log in to Hotmail again (which, of course, would work normally).
There's one born every minute.....
Re: (Score:2)
From one article which was poorly written I think the plan was this:
1) From broken email account send to known email connections a note asking to visit cool shopping site
2) Victim goes to site and keylogger is installed
3) Sniff userid/password
4) Go to step 1
Not much actual phishing here but the article was poorly written and there were hints that they did not really know what was going on, they were just looking at list of broken accounts.
Re:Where are the details? (Score:5, Interesting)
Saturday, the small ISP I work for had about 1000 users targeted with phishing emails. It's becoming a nearly weekly occurrence, though that was the largest so far. I've had to set up scripts to scan the logs to see who got the messages, send them warning messages, then scan the logs again to see who replied and reset their passwords. In one case, we had a spammer using a responder's account to try to send spam within 2 hours of the response. Squirrelmail is the most common vector, with smtp auth not uncommon. I've had to impose strict rate limit controls on squirrelmail to keep from getting blacklisted all the time; I've got monitors to page me when smtp auth rates get too high, but the false positive rate is too high to impose hard limits at the moment, though we're heading in that direction.
BTW, it's not a good idea to respond to phishers with "F! off" etc: more than one responder doing that has found their address used shortly thereafter in the From of the next round of spam...
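The triage the comment above describes (find who received the lure, then who replied to it, and watch authenticated submission rates) as an added example that is not the commenter's own scripts; the log format, addresses and thresholds are constructed for illustration and do not match any real MTA's log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified, made-up format (one delivery or
# authenticated submission per line); it is not any real MTA's log format.
SAMPLE_LOG = """\
2009-10-03T08:01:10 deliver to=<alice@isp.example> from=<helpdesk@mail-quota.example> subject="Your inbox is full"
2009-10-03T08:01:11 deliver to=<bob@isp.example> from=<helpdesk@mail-quota.example> subject="Your inbox is full"
2009-10-03T08:01:12 deliver to=<carol@isp.example> from=<helpdesk@mail-quota.example> subject="Your inbox is full"
2009-10-03T08:30:00 deliver to=<dave@isp.example> from=<pal@elsewhere.example> subject="lunch?"
2009-10-03T09:15:42 submit user=bob@isp.example to=<helpdesk@mail-quota.example>
2009-10-03T09:20:05 submit user=carol@isp.example to=<helpdesk@mail-quota.example>
2009-10-03T09:40:00 submit user=dave@isp.example to=<helpdesk@mail-quota.example>
2009-10-03T10:00:00 submit user=alice@isp.example to=<pal@elsewhere.example>
2009-10-03T11:02:00 submit user=carol@isp.example to=<v1@victim.example>
2009-10-03T11:03:00 submit user=carol@isp.example to=<v2@victim.example>
2009-10-03T11:04:00 submit user=carol@isp.example to=<v3@victim.example>
"""

LINE_RE = re.compile(r"^(\S+) (deliver|submit) (.*)$")
KV_RE = re.compile(r'(\w+)=(?:<([^>]*)>|"([^"]*)"|(\S+))')

def parse(log_text):
    """Turn log lines into (timestamp, kind, fields) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = {k: (a or b or c) for k, a, b, c in KV_RE.findall(m.group(3))}
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), fields))
    return events

def lure_recipients(events, lure_sender):
    """Pass 1: who received the phishing mail, and when (these users get the warning)."""
    return {f["to"]: ts for ts, kind, f in events
            if kind == "deliver" and f.get("from") == lure_sender}

def responders(events, lure_sender, recipients):
    """Pass 2: recipients who later sent mail to the lure address (these get a password reset).
    A submission to the lure address by someone who never received it does not count."""
    return sorted({f["user"] for ts, kind, f in events
                   if kind == "submit" and f.get("to") == lure_sender
                   and f["user"] in recipients and ts > recipients[f["user"]]})

def auth_rate_alerts(events, limit, window=timedelta(hours=1)):
    """Users whose authenticated submissions exceed `limit` inside any sliding window,
    the signal the comment pages on; returns {user: peak count in a window}."""
    per_user = defaultdict(list)
    for ts, kind, f in events:
        if kind == "submit":
            per_user[f["user"]].append(ts)
    alerts = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for i, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak > limit:
            alerts[user] = peak
    return alerts

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    got = lure_recipients(ev, "helpdesk@mail-quota.example")
    print("warn:", sorted(got))
    print("reset:", responders(ev, "helpdesk@mail-quota.example", got))
    print("rate alerts:", auth_rate_alerts(ev, limit=2))
```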
Ban them. (Score:4, Insightful)
Re:Ban them. (Score:4, Funny)
People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves. Alternatively, maybe the webmail providers should set more strict rules for the passwords.
Hey I play with my purple internet buddy each time I go on the computer and have never hurt myself or anyone else!
Re:Ban them. (Score:5, Funny)
People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves.
Didn't they use to call that "AOL"?
Re: (Score:3, Insightful)
I think it ought to be policy that derelict accounts, ESPECIALLY those which have weak passwords, be 'locked' after a period of inactivity. Reactivation could be accomplished with, say, a series of difficult CAPTCHAs so the account is always able to be 'revived' but not hijacked like this.
It just
Re: (Score:3, Insightful)
But the problem wasn't their passwords. The problem was that they clicked on a bad link, went to a dangerous site, and typed in their password.
Their password could have been the most ueber-elite 32 unicode-character password containing symbols from 5 different writing systems. It wouldn't have mattered.
Give a technological idiot a perfect password, and they will hand it over to the first social engineering attack they meet.
31415 (Score:5, Funny)
Re: (Score:2)
You caught "knew" but missed "too" and "it's really fucking stupid to post your e-mail address in the clear".
In other words, whoosh.
Re: (Score:3, Interesting)
Re: (Score:2)
Baloney. Everyone knows the most commonly used password is "password1".
Re: (Score:3, Informative)
Fake URLs, DNS spoofing shouldn't matter (Score:2)
The point to get across is that no (reputable) service or agency will ever, ever send you an email asking you to fill in and email back ANYTHING anymore.
If I were to ever get a legitimate email from my bank or credit card asking for personal information, I would call them and ask them WTF they were doing.
My estimate is that your average stupid phishing victim is just as likely to reply with their personal information regardless of whether the email is obviously fake.
Re: (Score:3, Funny)
> The fact that it's a free email account shouldn't mean you're allowed to set
> your password to *anything* you want.
And one of the things you should not be able to set it to is anything anyone else has already used. In other words, on these systems passwords should be unique.