DANGER! All your passwords belong to us..


All your passwords belong to us


Summary: Password hacks and new cracker tools surfaced this week to reinforce passwords are indeed sitting ducks. Will anything be done about it?


By John Fontana for Identity Matters |
August 29, 2013 -- 21:03 GMT (14:03 PDT)

I think I detected a discernible sigh of relief this week from billions of Internet users with 56-character passwords.


I could be wrong. Likely I am.


People try all sorts of crazy things to manage passwords, but 55 character strings are not anywhere near the top of the list.


This week has been another example of the hacker blitz on passwords, leading off with the password-cracker program oclHashcat-plus, which was infused with upgrades that allow it to break passwords as long as 55 characters.


Talk about bringing down barriers to entry. Perhaps the last of our defenses are gone. And by the way, oclHashcat-plus is a free download if you're looking for a cheap and sinister hobby.

I've argued for a while now that it's the infrastructure that needs to change more so than the tired password system. Users need to understand the value of their personal data and they need to take steps to protect it. Why? Because the bad guys are actively after it.


It was a phished password that brought down the New York Times this week. But it wasn't a password that belonged to someone at the newspaper. The password was spear phished out of an Australian DNS registrar by the Syrian Electronic Army and used to poison DNS records and direct traffic away from nytimes.com.


Security firm Sophos reported an attack going on this week trying to get Gmail users to click on a Google Docs link in order to see a "secure document" from their banking institution.


Not to pick only on Google users, the page said it would accept Google credentials, as well as Yahoo, Outlook.com, Hotmail, AOL, Comcast, Verizon, 163.com or any other email account.


The ultimate target was passwords.


Also this week, a new mobile Trojan is creating havoc for online mobile banking customers who use two-factor authentication. Called Perkele, it infects your PC or laptop along with your mobile device to steal two-factor passcodes sent to the mobile devices.

Victims are being duped by text message or email to open malicious links or attacked via drive-by downloads. Versafe, which discovered Perkele, told the Bankinfo Security web site that "banking institutions have to build security into their mobile and online banking platforms that goes beyond authenticating the user."


What do hackers do with stolen passwords? Those pilfered in large chunks are used, among other ways, to update rainbow tables, which progressively makes it easier to crack additional stolen passwords.


Once the passwords are cracked, email addresses coupled with stolen passwords are the two ingredients in spear phishing attacks (see: New York Times). In addition, those email/password combinations are loaded into a program and run against other websites, ones where end-users may have reused the password.


This lingering password problem has been a tough issue to fix, especially given that the weak link in the chain, end-users, are reluctant to change their behavior, and the fact that hackers are becoming more sophisticated.


Two-factor authentication has been dominating the news as a solution, but Perkele begins to show its vulnerabilities. What else can be done? Where do researchers, vendors and others begin to look for answers?




These are dictionary attacks, not brute force attacks. Though in time even that probably won't matter, but for now, as long as it's not in a dictionary and the attacker doesn't have access to the hash, then much of this is just scare tactics.


Most hackers (at least the password hacker kind) build custom dictionaries that far exceed the normal dictionaries used in dictionary attacks. I ran across an article a month or so ago that I should have published here. Three "password crackers" did a VERY remarkable job on a password file that was encrypted and included all numbers, letters (U&L-case), all punctuation marks and special symbols as well as the umlauts and other special accent markings. The password file was even "salted" and still hacked. If I can run across it again I will post it. :P



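Two points in the thread deserve a concrete illustration: the article's claim that leaked plaintexts feed precomputed lookup tables that then crack other sites' hashes, and the second comment's mention of "salted" files. The following is an added example, not code from the article, the commenters or any tool named above; the leaked password list and the per-user records are constructed here. It shows why an unsalted hash falls to a single table lookup, while a random per-user salt plus a slow KDF forces the attacker back to recomputing every candidate for every user.

```python
import hashlib
import hmac
import os

# Constructed sample: plaintexts recovered from an earlier, unrelated breach (not real data).
LEAKED_PASSWORDS = ["password", "letmein", "qwerty123", "Summer2013!"]


def unsalted_hash(password):
    """How a site that stores bare SHA-1 hashes would record a password."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(passwords):
    """Precomputed hash -> plaintext map. This is what a leak feeds: the table grows
    with every recovered plaintext and works against every site using the same
    unsalted hash function."""
    return {unsalted_hash(p): p for p in passwords}


def crack_unsalted(stored_hash, table):
    """Against an unsalted hash, recovery is a single dictionary lookup."""
    return table.get(stored_hash)


def make_salted_record(password, iterations=100_000):
    """Defender side: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Two users with the same password get different records, so no shared table applies."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_salted(password, record):
    """Login check; constant-time comparison of the recomputed digest."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def crack_salted(record, candidates):
    """With salting there is no precomputation to reuse: each candidate costs a full
    KDF run per user. Returns (recovered password or None, KDF runs spent)."""
    work = 0
    for candidate in candidates:
        work += 1
        if verify_salted(candidate, record):
            return candidate, work
    return None, work


if __name__ == "__main__":
    table = build_lookup_table(LEAKED_PASSWORDS)
    print("unsalted:", crack_unsalted(unsalted_hash("letmein"), table))
    print("salted:", crack_salted(make_salted_record("letmein", 10_000), LEAKED_PASSWORDS))
```

The iteration count is what makes the per-user recomputation expensive; a dictionary attack still succeeds on a password that is in the attacker's list, which is the first commenter's point.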
