password

600,000+ compromised account logins every day on Facebook, official figures reveal

Posted on


If you’ve an unauthorised party has logged into your Facebook account, then you’re far from alone.

New official statistics revealed by the social networking giant reveal that 0.06% of the more than billion logins that they have each day are compromised.

Put another way, that’s more than 600,000 per day – or, if you really like to make your mind melt, one every 14 milliseconds.

Snippet of Facebook security infographic

The statistic was revealed in an infographic published alongside an official Facebook blog post trumpeting new security features introduced by the firm.

The new security features include Trusted friends (called “Guardian angels” in the infographic). Read the rest of this entry »

Google publishes web safety advice for ‘Good to Know’ campaign

Posted on


Google cartoon

Google has launched a campaign promoting online safety, in association with the UK’s Citizen’s Advice Bureau.

The campaign, which will include adverts in newspapers, on public transport and online, is being run with the hope of encouraging internet users to take more care over their online activities – including using more secure passwords, and remembering to log out of websites when they have finished using them.

Awareness campaigns about online safety like this are important, as it’s clear that most internet users are pretty clueless about how to best secure their computers and surf safely online.

This isn’t because the public is disinterested in protecting themselves, but due to the fact that many people simply don’t know where to turn, or how to translate complicated buzzwords, geek talk and terminology into simple easy-to-understand English.

So, campaigns like Google’s “Good to Know” one are a *good* thing, as they translate sometimes complicated safety advice into simple terms.

Google, of course, has an interest in people not turning their backs on the internet – it wants users to feel safer online, as that will ultimately increase the popularity of the internet and help Google grow.

GmailTo their credit, Google provides a number of technologies to help users defend their accounts from being hacked – but only a minority of users seem know about them. If you haven’t already done so, check out my advice on how to stop your Gmail account being hacked, for instance.

It’s notable that part of the “Good to Know” campaign appears designed to reassure internet users about the data that Google collects about them to provide its services.

The critical thing, however, will be what I call my “Aunty Hilda test”. If the only people who hear about this advertising campaign are people who are already techie geeks or people who work in information security then it will have failed.

If, however, my Aunty Hilda hears about the campaign – and genuinely learns something about how to protect herself online – then it truly will have succeeded.

With cybercrime and internet fraud on the increase – it’s never been more important to raise awareness and give people simple instructions on how to be safer on the net.

You can find out more about the “Good to Know” campaign atwww.google.co.uk/goodtoknow.

Sony suffers another security scare – 93,000 user accounts broken into

Posted on Updated on


Hackers successfully broke into 93,000 accounts at Sony over the last few days, once again impacting users of the Sony Entertainment Network, PlayStation Network (PSN) and Sony Online Entertainment services.

According to a blog post by Philip Reitinger, Sony’s Chief Information Security Officer, credit card details were not compromised.

Sony blog entry about security breach

As a precautionary step, Sony has frozen the compromised accounts and will email impacted users asking them to confirm their identity and reset their passwords.

Some compromised accounts “showed additional activity prior to being locked,” but the only hint from Sony as to what that activity might entail is that the company says it will “work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet.”

PlayStation NetworkWhat’s interesting is that it appears that the hackers gained access to the Sony accounts by working through a large database of stolen usernames and passwords – believed to have been sourced from somewhere else. That suggests that the accounts which were broken into were using a non-unique password.

In other words, you were using the same password on the Sony PlayStation Network as you were on website X.

It’s never a good idea to use the same password in multiple places.

Sony’s security team were alerted to the intrusion when they noticed a high number of failed login attempts – so well done to those users who weren’tusing the same password.

At the end of its blog post, Sony’s Reitinger offers some sensible advice to users:

We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.

The only silver lining for Sony is that this security breach appears to be much smaller in scale than the attacks which hit it earlier this year, where millions had their personal information stolen and the Sony PlayStation Network wasforced offline.

Sony’s reputation was badly harmed earlier this year by the series of hacking attacks. This latest incident certainly isn’t going to do them any favours – as customers will (rightly or wrongly) continue to associate the Sony brand with security breaches.

I’m sure Sony will be hoping that this is the last time a security incident will put their company in the news headlines for all the wrong reasons.

LulzSec, Anonymous and other hacks – should I change my password?

Posted on


by Paul Ducklin on June 21, 2011 | Comments (6)

With all the data breaches in the news lately, it’s hard to know whether you’ve been affected.

You could just change all your passwords after every reported breach – just in case. You could insist on tokens for everything. (Of course, that might raise additional concerns.) You could stop using the internet entirely. Or you could do nothing.

Cybercrime happens to other people, right?

Another approach is to keep trawling the internet for exposed password databases, grabbing copies and checking to see if you’re on anyone’s “hit list”. Of course, it doesn’t tell you much if you’re not in one of LulzSec’s or Anonymous’s triumphantly-publicised leaks. But if youare, then you’re facing a clear and present danger.

After LulzSec’s recent spray of 62,000 passwords, Twitter came alive with LulzSec hangers-on announcing the malevolent uses to which they’d quickly put the leaked data – such as sending a large pack of condoms to a random woman using someone else’s money, or trying to break up relationships by posting fake information on Facebook. Very funny.

So a large part of the risk posed by these allegedly-amusing data leakage incidents comes not from traditional cybercrooks, but from a plethora of not-so-innocent bystanders.

Of course, continually chasing down hacked password lists and downloading them to see if you’re there is not only a hassle, but also creates a somewhat circular dependency on the hackers themselves.

The more downloads they achieve, the more notoriety; the more notoriety, the more incentive to continue; and the more positive uses which can be claimed for their stolen data, the easier their rationalisation for carrying on.

Fortunately, thoughtful Sydney infosec technologist Daniel Grzelak can help you keep track of the latest breaches, so you don’t have to.

(See how much nicer it is to hack to help, rather than to break?)

You can see if you’re in any of a number of recently-spilled leakages by simply searching for your email address at:

https://shouldichangemypassword.com/

Daniel doesn’t store your email address after you’ve looked it up – so he can’t spam you even if he wanted to, which he doesn’t – and he’s not accumulating a list of email addresses which spammers might like to break in and steal. And he doesn’t keep any of the stolen databases on his server, so he’s not offering a handy-to-hack repository for unlawfully-acquired loot, either.

As I mentioned above, a green light from Daniel’s website isn’t a clean bill of health. It just means, “You may proceed to the next intersection.” But if you get a red light about a recent breach, you should fix your passwords as soon as you can.

(And remember that the data probably wasn’t stolen from you, but from someone you trusted to keep it safe. You might want to rethink that relationship at the same time.)

26,000 sex website passwords exposed by LulzSec

Posted on


Red light district

The notorious LulzSec hacking group has published login passwords for almost 26,000 users of an x-rated porn website.

The hackers compromised the database of the hardcore website (called “Pron”), exposing not only the email addresses and passwords of over 25,000 members but also the credentials of 55 administrators of other adult websites.

Furthermore, LulzSec drew particular attention to various government and military email addresses (.mil and .gov) that appeared to have accounts with the porn website..

To add insult to injury, the LulzSec group called on its many recent Twitter followers to exploit the situation, by logging into Facebook with the email/password combinations and tell the victim’s Facebook friends and family about their porn habit.

Porn passwords

It should go without saying that logging into someone else’s account without their permission is against the law in most countries around the world.

Fortunately, it’s reported that Facebook’s security team responded quickly to the threat – and reset the passwords for all of the accounts it had which matched the email addresses exposed. Of course, it’s still possible that those email address/password combinations are being used on other websites.

If anything should be a reminder to internet users of the importance of usingdifferent passwords for different websites, this should be it.

The danger is that once one password has been compromised, it’s only a matter of time before the fraudsters will be able to gain access to your other accounts and steal information for financial gain or, in this case, potential embarrassment.

If you believe there might be a chance that your username/password were exposed, or if you’re simply in the habit of using the same password for multiple websites – now is the time to change your habits.

The top 50 passwords you should never use

Posted on


Username and password

Are you one of the many people who is using a dangerously easy-to-guess password?

Maybe now’s the time to fix that before it’s too late.

Twitter, LinkedIn, World of Warcraft and Yahoo are amongst the popular websites which are advising users to change their passwords in light of the recent security breach at the Gawker Media family of sites.

The issue is that many people (33% in our research) use the same password on every single website. That means that if your password gets stolen in one place (like Gawker’s Gizmodo or Lifehacker websites), it can be used to unlock access to other sites too.

Unfortunately, an analysis of the passwords stolen in the Gawker incident show that many people are choosing very poor passwords, that are easy for intruders to guess:

Top 50 passwords

Disturbing isn’t it? Too many of us are choosing risible passwords – and trust me, the hackers know about the most commonly chosen passwords and are quick to try them out when trying to break into your accounts. Malware like the infamous Conficker worm have even had lists of commonly-used passwordsbuilt into them – and have used them to try to spread further.

So, clearly people need to get out of the habit of using the same password everywhere, and they also need to ensure that their passwords are not easy to guess or crack.

But another thought springs to my mind. Why don’t more websites test the password that you’ve chosen to ensure that it’s strong enough?

It would be fairly simple, for instance, when a new user creates an account for the website to run the password they submit against a database of commonly used passwords and a dictionary. If the password you offer is a dictionary word, or is too easy to crack then it should be rejected by the website.

If websites simply tell users to change their passwords after the Gawker incident what’s to stop folks changing their “123456″ password to the just as bad “password” password?

We need to not just drum into users heads about the importance of password safety, but also police submitted passwords better to ensure weak ones *can’t* easily be chosen.

Contact me at : contactme.bijay@gmail.com

http://computeraddicted.wordpress.com

http://shenanigans-nepal.blogspot.com/

http://losthacker-deadbj.blogspot.com/