The Cyber Boxing Zone Message Board

Thread: What Do Hackers Do With Stolen Passwords?

  #1
    MANAGING EDITOR-IN-CHIEF (joined Mar 2006; location: In an undisclosed bunker deep in the weird, wild, woods of the Pacific Northwest)

    What Do Hackers Do With Stolen Passwords?

    Add them to dictionaries, trade them on the black market, and use them for “spear phishing.”
    By Will Oremus/Slate

    The news on Wednesday sounded like the setup for a lame Silicon Valley joke. Russian hackers stole 6 million passwords from LinkedIn. Did they mistranslate “world’s largest professional network” as “professional network that people actually use”? Where will they strike next, Google+? What are they going to do now that they’ve hacked all of those accounts, sell a bunch of résumés on the black market? Use your contact list to spam you with even more LinkedIn email invitations than you already get?
    Amid the yawns and derision, one small group of people took the LinkedIn breach very seriously: security experts.
    The answers to the facetious questions above are, in all probability, no, no, yes, and yes. No, the Russian hackers aren’t stupid, and they don’t care whether you actually use LinkedIn or not. No, they did not strike next at Google—too secure—but at the massively popular dating site eHarmony. Yes, stealing résumés and other personal information is almost certainly part of the plan, and a potential gold mine at that. And yes, sending you bogus emails that appear to be from people you know is one of the main ways they’ll hook you. It’s a lot more effective than sending emails from someone posing as a Nigerian prince.
    The full dimensions of the breach are not yet clear. LinkedIn and eHarmony have not been particularly forthcoming about when and how it happened, perhaps because even they don’t know all the details yet. But computer security types are becoming increasingly convinced that the attack was more complex and sinister than the companies initially made it seem.
    The bottom line: If you have a LinkedIn or eHarmony account, you should be concerned. And if you use the same password for other sites—particularly sensitive ones such as PayPal or Facebook—you should be very concerned. If you fall into either of those categories, you should go change your passwords immediately. (Well, you should finish reading this article first. But then go change those passwords!)
    The first reports about the breach indicated that some 6.5 million LinkedIn user passwords had been published online, but without the email addresses needed to tie them to individual accounts. That sounded reassuring but raised a bunch of questions: Why would hackers post people’s passwords on an Internet forum for all to see? How could those passwords be used once they became public? And if your password wasn’t among those “cracked and leaked,” did that mean you were safe?
    Security experts have arrived at a surprising hypothesis: The hackers may have posted the passwords online because they needed the public’s help cracking some of them. If yours isn’t among those publicized, it may mean you’re not safe at all—it’s possible the hackers already figured out your password on their own. If that theory is true, that might also explain why no emails or other personal information was posted. Not because they don’t have it but because they’re keeping it to themselves, possibly with the intent of selling it to criminal hackers on the black market.
    The majority of systematic security breaches, according to Symantec’s Marian Merritt, are orchestrated by criminal gangs with a profit motive. A smaller number are the work of “hacktivist” groups such as Anonymous or LulzSec whose main goal is to embarrass, expose, thwart, or intimidate their targets, often large corporations that run afoul of the hackers’ ideology. The LinkedIn breach bore a passing resemblance to past LulzSec hacks, including one that compromised the personal information of 1 million Sony users last summer. But no hacktivists have claimed responsibility, and the fact that the data were first posted on a Russian forum dedicated to password decryption suggests that publicity was a by-product of this attack, not its main intent.
    So how exactly do cyber-crooks use these passwords once they have them? There are multiple potential uses, explains Chester Wisniewski, senior security adviser for data security firm Sophos. For hackers around the world, the huge trove of new leaked passwords is an opportunity to update their “rainbow tables”—vast databases that serve as a digital key for cracking encrypted passwords, called “hashes.” The most-secure websites use an extra layer of password encryption, called “salting,” so that two users with the same password—say, “123456”—will have different hashes. But LinkedIn didn’t do that, so the same key will unlock the accounts of every user who has that password, not only on LinkedIn but on any other site that uses the same hashing algorithm. (eHarmony apparently used an even weaker algorithm, also sans salt.)
    If the hackers have people’s email addresses as well as their passwords—and most security analysts suspect they do—the information can also be used to target LinkedIn and eHarmony users directly. One of the first things crooks will do is run software that will try out the same email/password combinations on other sites, to see if they can get into people’s financial or social media accounts.
    The personal information available on users’ LinkedIn accounts could also be ideal for a type of targeted attack known as “spear phishing.” The idea behind spear phishing is to lure someone into downloading malware or divulging sensitive information by sending them an email that looks legitimate, says Marcus Carey, a former security analyst for the National Security Agency who now works as a researcher for the cybersecurity firm Rapid7. Such a message might appear to be from a boss or colleague, or it might be designed to look like an email they have to respond to in the course of their work, like a request for a quote on a particular service. Because it doesn’t look like spam, the target’s guard is down.
    Spear phishing requires care and individual attention on the cyber-criminal’s part, so it’s only worth trying on high-value targets—like the professionals and executives who make up the core of LinkedIn’s membership.
    There’s one more type of phishing that almost always accompanies attacks like the LinkedIn and eHarmony breaches, and in some ways it’s the most devious. Internet mischief-makers know that lots of people will read articles like this and decide it’s time to change their passwords. The right way to do it is to go directly to the LinkedIn or eHarmony site. The wrong way is to click through a link in an official-looking email that sends you to an official-looking website with instructions on how to reset your account. If the hackers didn’t have your password before, they certainly will once you’ve dutifully entered a new one in the form they provide. Don’t be fooled. It’s bad enough to get your password hacked. It’s worse when you do it to yourself.
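    The post above explains why unsalted hashes are dangerous: two users with the same password get the same hash, so one cracked hash opens every account sharing it, on any site using the same algorithm. The following is an added example, not code from the Slate article or this thread; SHA-1 as the unsalted algorithm and PBKDF2 as the salted one are assumptions, and the account table is constructed.

```python
import hashlib
import hmac
import os

# Constructed sample account table; not data from the breaches discussed above.
USERS = {
    "alice@example.com": "123456",
    "bob@example.com": "123456",
    "carol@example.com": "mitt loves when barack makes waffles",
}

def unsalted_hash(password):
    """Weak scheme: plain SHA-1 of the password, no salt (SHA-1 is an assumption;
    the thread only says LinkedIn stored unsalted hashes). Same password, same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_hash(password, salt):
    """Stronger scheme: per-user random salt plus a slow, iterated hash (PBKDF2-HMAC)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()

def build_unsalted_table(users):
    return {email: unsalted_hash(pw) for email, pw in users.items()}

def build_salted_table(users):
    # A fresh 16-byte salt per account, stored next to the hash.
    table = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        table[email] = (salt, salted_hash(pw, salt))
    return table

def verify_salted(table, email, password):
    salt, stored = table[email]
    return hmac.compare_digest(salted_hash(password, salt), stored)

def shared_hash_accounts(table):
    """Accounts whose stored value equals another account's: without salt, every
    account using a common password is exposed the moment one copy is cracked."""
    seen = {}
    for email, h in table.items():
        seen.setdefault(h, []).append(email)
    return sorted(e for group in seen.values() if len(group) > 1 for e in group)

def precomputed_matches(unsalted_table, common_guesses):
    """Defender's check: which accounts fall to a precomputed lookup (the
    'rainbow table' idea) of a handful of common passwords. Only unsalted
    hashes can be matched this way, since a salt changes every digest."""
    lookup = {unsalted_hash(g): g for g in common_guesses}
    return {email: lookup[h] for email, h in unsalted_table.items() if h in lookup}
```

    Run against the constructed table, the unsalted scheme reports alice and bob as sharing a hash and both fall to the three-word lookup, while the salted table has no shared values and still verifies the correct password.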

  #2
    MANAGING EDITOR-IN-CHIEF (joined Mar 2006; location: In an undisclosed bunker deep in the weird, wild, woods of the Pacific Northwest)

    Re: What Do Hackers Do With Stolen Passwords?

    Fix Your Terrible, Insecure Passwords in One Minute
    A new, improved foolproof technique.
    By Farhad Manjoo/Slate
    Right now you’re scrambling to change all your passwords. If you’re not, you should be. In the wake of a couple of massive security breaches—one at LinkedIn that nabbed 6.5 million passwords and another at eHarmony that compromised 1.5 million accounts—security experts are advising that people change their passwords at the affected sites and at every other site where you used a similar password. By now you’ve probably heard the time-worn guidelines for creating strong passwords: Don’t use your name or other common words. Use different passwords for different sites. Change them often. Choose security questions that don’t involve information that everyone knows about you, or stuff that crooks can easily find on Facebook.
    For a lot of people, myself included, these rules are too much trouble. We’ve all got too many online accounts, so keeping track of different, ever-changing strong passwords for each site seems like a gargantuan task. The easiest way to fix this problem is to use password-managing software. I like LastPass, which generates and remembers passwords for all your sites across all your computers. (It’s free, but if you pay $1 a month for the premium version, you’ll get support for your mobile devices, too.) But for a lot of people—probably including you—even a password manager is too much trouble. Ignoring the guidelines, you pick a memorable password for all your sites, then just cross your fingers and hope for the best.
    Well, I’ve got a better way. In 2009, I stumbled upon a foolproof system to fix all your terrible, vulnerable passwords in just five minutes. My method, which I filched from a commenter at a security forum—who says Web commenters are good for nothing?—generates very strong passwords that are also very easy to remember. This means that you can create good passwords for every site you visit.
    But now I’ve got a better system. This new scheme generates even stronger passwords that are even easier to remember. The one disadvantage is that it doesn’t work at every site. For those places where it doesn’t work, you’ll have to use my 2009 method, which is still really good.
    Enough preamble. Here we go.
    The old, still very good way to fix your terrible passwords: Come up with a short phrase you’re likely to remember. Just like in school, it helps to make your mnemonic really bizarre—the stranger the phrase, the easier it’ll be to remember. For example, Kim Kardashian is the most amazing woman in all 50 states, or Mitt Romney and Barack Obama decided to make 10 waffles. Notice that my phrases use a mix of capitalized and lowercase words, and I added some numbers as well.
    To make a password, just take the first letter of each word in your phrase. The sentences above would turn into KKitmawia50s and MRaBOdtm10w. Both of those passwords are extremely strong—they’re long, and they’re free of common English words that can be guessed by a computer.
    You can generate different passwords for different sites by varying your phrase slightly for each one. The phrase LinkedIn is terrible at securing its passwords so it’s my 10th favorite social network will create a password for LinkedIn (LIitasipsim10fsn) as well as for Twitter (Titasipsim9fsn), Facebook, MySpace, and on and on.
    Note, too, that it’s OK for you to keep similar passwords at similar sites. On sites where a password thief can’t do much damage—say, publications like Gawker and the New York Times—you can repeat the same password. You’ll want to keep your social networking accounts slightly more secure, but the passwords don’t have to be extremely different; after all, if a bad guy gets into your Facebook account, he’s not going to be able to do much more additional damage if he gets into your Twitter profile, too. So varying them slightly—as I did above—is perfectly OK, as long as you remember to change them after you hear about a breach like the one at LinkedIn.
    You’ll want to reserve the most distinct passwords for sites where breaches would cause you a lot of trouble—your financial institutions and your webmail accounts, which hold the keys to the rest of your online life. (If a bad guy gets into your email, he can use the password reset feature to get into lots of other accounts, too.)
    The new, even better way to fix your terrible passwords (which sadly doesn’t work everywhere): Start with the same method as above—choose a short, memorable phrase. And that’s it. Instead of turning the phrase into a one-word password, just use the whole phrase as your password. For instance, Mitt loves when Barack makes waffles. That’s a memorable phrase. It’s also an extremely strong password just by itself—stronger, even, than a password made up of that phrase’s initial letters. Instead of shortening the phrase, just type the whole thing in as your password. That’s easier than typing a jumble of symbols and uppercase and lowercase letters, and it’s easier to remember, too.
    I didn’t come up with the idea of using a short phrase as a password. The credit should go to Thomas Baekdal, who runs the online magazine Baekdal, and who wrote about this method way back in 2007. Baekdal points out that if a crook were using a “brute force” attack to find your password—that is, a program that repeatedly tries to guess your password by using every potential combination of characters—the attacker would need about 219 years to guess a six-character password like J4fS<2. That’s not bad, but a short phrase of common words is even stronger. For instance, the phrase this is fun is 10 times stronger than J4fS<2—it would take a brute force attack 2,537 years to guess that phrase. And, obviously, this is fun is much easier to remember. The online comic strip XKCD repeated Baekdal’s point in a wonderful strip last year. The caption: “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess.”
    I tried this method at several of the sites I frequent most. It works at Gmail, LinkedIn, Twitter, and Facebook, among others, and I encourage you to use short phrases as passwords there. But it doesn’t work at my bank, nor is it allowable at the many other sites that impose a maximum length on passwords and/or don’t allow spaces in passwords. Both of these requirements are pretty stupid. Limiting the number of characters in a password only makes them less secure, and a ban on spaces forces you to use special characters, which are harder to remember. I’m hoping that eventually, all sites come around to dropping their arcane password rules in favor of a much simpler password dictate: Pick a short, unique phrase.
    But that could take a while. In the meantime, either use a password manager or the first or second of my suggested methods, depending on the site. Whatever you do, just do it—your passwords are a mess, and you should really, really fix them now.
