FUD and valid concerns surround stolen passwords
by Steve Ragan - Oct 7 2009, 19:10

If you have read the stories on Google News this week, odds are you noticed the same one for the past few days. It would appear that thousands of passwords were posted online. Shortly after a tech blog broke the news, shock, outrage, fear, and panic ensued. Most of the news related to the event is FUD, but there is one valid concern: passwords will always be a problem.
It’s interesting that the posting of obviously Phished passwords made the major news. Even the likes of CNN are covering it, and the latest developments are calling it an “industry-wide Phishing scheme”. This story should have died on Monday when it broke.
While the idea that someone blasted three lists of usernames and passwords to the Internet with upwards of 30,000 accounts is noteworthy, it is not worth the hype it has been given. It’s Wednesday, and since Monday afternoon this story has been kicking. How many times can you rehash the fact that thousands of people were Phished?
The FUD:
Headlines are screaming with reports of GMail, Yahoo, and Hotmail users being exposed because of the posted passwords. However, tens of thousands of accounts looks good in the news only if you forget a few things. For every account on the posted lists, thousands, if not millions, of users were never caught by the Phishing expedition and are not listed at all.
Microsoft has millions of Hotmail users. The few thousand listed online don't even scratch the surface. The same can be said for Yahoo and GMail as well. While on the subject of user volume and the providers that appear in the Phishing lists, EarthLink and Comcast can each make the same claim, as accounts for their services are listed too.
Phishing isn’t something random or rare. It’s a daily event online. Yet, the notion that this current wave is an industry-wide Phishing attack is almost comical. According to Websense, the three password lists that have been discovered are likely the result of the Phished accounts being used to Spam people in the account's address book.
The hijacked accounts would send personalized emails to “friends” and link them to fraudulent sites where their passwords are Phished and the process repeats. So no, this isn’t an industry-wide anything, this is classic Phishing and nothing more. Adding to this is an unreported event. The hijacked accounts are being used to send “shopping” links to contacts, and since the emails with the links are personalized and come from a known source, credit card information is stolen.
The notion that hijacked accounts are being used to steal personal information, such as credit card details, names and addresses, birthdates, passwords, etc. is nothing new, and has only gone up in the last few months. Attacks like this, according to Websense, are run-of-the-mill.
“This is just another example of online fraudsters becoming increasingly adept at gaining personal and confidential information from unsuspecting victims. Websense Security Labs have found that 37 percent of malicious Web attacks over the last six months included data-stealing code, demonstrating that attackers are clearly after essential information and personal data,” commented Carl Leonard, EMEA Threat Manager at Websense.
Passwords are the problem:
Phishing aside, passwords themselves can be a problem. With all the advice floating around these past few days about creating strong and unique passwords, some sites with password limitations will prevent this advice from being used.
Examples of this are sites where alphanumeric passwords are all that are allowed. To boost security, sometimes these sites enforce one capital letter and the use of at least one number. That is not a very solid layer of password security. What's worse is that some of the sites that do this are finance related, even banks.
This leads to weak passwords, and since they are easy to remember, the same passwords will be used repeatedly. So if one account is compromised, all of the accounts with that password could be compromised.
There are solutions that harden password-based security. One example is two-factor authentication, often called 2FA. Yet, 2FA is useless in most cases, because most sites don’t support it. The sites that do will require a user to take optional action to initialize that level of security, either by ordering a device or registering for a separate service. In the majority of cases, this optional action is opted out of, which leaves only the password as a layer of security.
Other services, such as OAuth, might help, but "OAuth is about giving access to your stuff without sharing your identity at all," the project site says. So calls for that are only touching the surface of the problem. Not to mention that if OAuth is paired with OpenID, which it can be, the weak password issue comes into play.
Of the passwords in the published lists, the most common one was "123456", followed by "12345678". So even if an ID standard was in place on a particular service, if your password is guessable, or too short, the OpenIDs of the world are moot.
What about password managers? Those are great options, and should be used if it helps a user manage password security better. Yet, they face the same problem. Again, the limitations of the website will come into play in some cases, not to mention most password managers are used more for automatic log-in and not as a password security enhancement.
So what can you do?
If you are worried about Phishing, the best advice is to remain just a little paranoid when it comes to handing out information.
Phishing is a scam that takes advantage of your trust in a business, service, or person, in order to take information from you. Knowing who you are dealing with is always a smart move, and personal or sensitive information should be guarded like you would any other valuable object.
If you wouldn’t hand out your personal information and passwords to a person who just knocked on your door claiming to represent the IRS, then why would you blindly follow a link in a random email?
Check the URL before logging in to a website, and ensure it's the correct address and not a look-alike sub-domain. (Example: https://www.paypal.com vs. http://security.paypal.com.cn) Always look for HTTPS instead of plain HTTP when logging in.
If a website you want to register with does not allow special characters or long passwords, don't register for the account; complain to the site owner instead. Using a long password with mixed characters is always the best practice. If a website isn't following this rule, tell them so, and then avoid them like the plague.
If you use a password manager, use it to the fullest. Let the application generate passwords for you, access sites directly from it or type the address in yourself. Take note of how it works.
In most cases you'll notice that when you are on the proper site, the password manager will auto-fill fields for you. Sometimes it will even log in for you. On a Phishing site, however, the password manager will remain inactive; that's a huge clue that something isn't right.
Don't ignore certificate errors and warnings. If the SSL certificate is invalid, the site isn't secure. When in doubt, contact the site owner. If the site is a bank, do not take the risk and log in anyway. Check to ensure you entered the proper URL, and if that checks out but you still see the SSL error, skip the online banking and go to the local branch.
Get into a routine of changing passwords often. Rotate passwords when you change the oil in your car or rotate your tires. Never use the same password for your bank that you use on Twitter.
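As an added example that is not part of the original article, the Python below applies the URL advice above and the password-manager behaviour just described: it compares the registrable domain of a login URL against the one you expect, requires HTTPS, and does the strict origin match a manager keyed on the saved origin would do, so a look-alike host gets no autofill. The small public-suffix table is a constructed stand-in for the real Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real checker
# would load the full list). A suffix is a part no single owner controls.
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "com.cn", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that an owner actually registered.

    'www.paypal.com'         -> 'paypal.com'
    'security.paypal.com.cn' -> 'paypal.com.cn'  (a different registration
                                                   from paypal.com)
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        # First (longest) matching public suffix plus the label to its left.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def check_login_url(url: str, expected_domain: str) -> list:
    """Apply the article's two rules; an empty list means the URL passes."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("not HTTPS (scheme is %r)" % parts.scheme)
    host = parts.hostname or ""
    if registrable_domain(host) != registrable_domain(expected_domain):
        problems.append("host %r is not under %r" % (host, expected_domain))
    return problems


def manager_would_autofill(saved_origin: str, page_url: str) -> bool:
    """Strict origin match (scheme, host, port), as a password manager keyed
    on the saved origin would do; a look-alike host gets no autofill."""
    a, b = urlsplit(saved_origin), urlsplit(page_url)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


if __name__ == "__main__":
    saved = "https://www.paypal.com"
    for url in ("https://www.paypal.com/signin", "http://security.paypal.com.cn"):
        print(url, check_login_url(url, "paypal.com") or "OK",
              "autofill:", manager_would_autofill(saved, url))
```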
Finally, since they are related to the original focus and all the hype, here are pages for GMail, Hotmail, and Yahoo with tips on creating strong passwords.