
Two Million Passwords Compromised By Keylogger Virus

samzenpus posted about 9 months ago | from the protect-ya-neck dept.


Ocean Consulting writes "CNN is reporting that over two million passwords from web service companies such as Google, Facebook, Twitter and Yahoo have been captured via a key logging virus. The story is based on information released by security firm Trustwave. The report critiques how bad people are at making secure passwords, but does mention the use of Pony Botnet Controller."


Happy Thursday from The Golden Girls! (-1)

Anonymous Coward | about 9 months ago | (#45603189)

Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.

And if you threw a party
Invited everyone you knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.

Public Service TLDR (-1)

Anonymous Coward | about 9 months ago | (#45604903)

It's Windows.

Do not use Microsoft products if you value privacy or security.

OMG Pony BotNet! (1)

Anonymous Coward | about 9 months ago | (#45603239)

Surprise! Facebook is already selling your info and the NSA is watching them do it. No real reason not to make your password 1234

Re:OMG Pony BotNet! (1)

aliquis (678370) | about 9 months ago | (#45603271)

I've made one:

It'snotallowedtotypethisifyou'refromtheNSA!

(Actually that would make a pretty good password.. maybe I sho..)

Re:OMG Pony BotNet! (0)

Anonymous Coward | about 9 months ago | (#45603523)

I've made one:

It'snotallowedtotypethisifyou'refromtheNSA!

(Actually that would make a pretty good password.. maybe I sho..)

No, that would be a shitty password. A dictionary attack weighted by how commonly the words are used in English would make short work of it.

Re:OMG Pony BotNet! (4, Interesting)

aliquis (678370) | about 9 months ago | (#45603667)

Got to be a whole freaking lot better than the 8 characters stuff even with various cases, numbers and symbols.

I love how people with a clue suggest people use different passwords everywhere and then more or less every single page in the universe require you to have a freaking login and often don't use any central stuff for doing so (somewhat better now with facebook and Google then again do I really want to connect my accounts that way?)

Guess a certificate / private key and password isn't all that much better but it's way more convenient.

Yeah, they all require an email address (0)

Anonymous Coward | about 9 months ago | (#45603841)

So should we set up a separate email address at Google for each vendor account we create? I mean, half the time I cannot remember the password and ask for the password reset link anyway.

Re:Yeah, they all require an email address (4, Informative)

Nerdfest (867930) | about 9 months ago | (#45603943)

With your own domain and software like KeePassX, it's surprisingly easy. You never even have to type passwords or usernames. Once you get it set up it's actually even easier than using the same password everywhere, and vastly more safe.

Re:Yeah, they all require an email address (0)

UnknownSoldier (67820) | about 9 months ago | (#45603957)

> should we set up a separate email address at Google for each vendor account we create?

You don't already use an alias? username+vendor@gmail.com

I have a personal domain name and create a separate email for every company I do business with. Along with KeePass it is trivial to remember passwords.

Re:Yeah, they all require an email address (5, Informative)

formfeed (703859) | about 9 months ago | (#45604493)

> should we set up a separate email address at Google for each vendor account we create?

You don't already use an alias? username+vendor@gmail.com

Surprising how many scripts tell you that this is not a valid email address.

Re:Yeah, they all require an email address (2, Insightful)

Anonymous Coward | about 9 months ago | (#45605171)

So - just one email account password to crack - right? Discard everything to the right of the + symbol in the user portion of your address, and we're done. Brilliant solution you've got there... I hope the world adopts it. I'm rather tired of earning legitimate income - I'd like to use yours.

Re:OMG Pony BotNet! (1)

aliquis (678370) | about 9 months ago | (#45603693)

Also it was a reference to all those old "bla bla You're not allowed to login bla bla bla" messages on various machines.

Re:OMG Pony BotNet! (1)

Sperbels (1008585) | about 9 months ago | (#45603735)

Now, that would be a good password. How many hackers would try composing a complex sentence like that? Maybe if everyone did passwords like that, but few people do. It would be like writing a virus to infect machines browsing the internet with Lynx...what's the point? Maybe 1 in 1,000,000 users will be using Lynx.

Re:OMG Pony BotNet! (0)

Ghaoth (1196241) | about 9 months ago | (#45604741)

"The report critiques how bad people are at making secure passwords" Why do "bad people" make secure passwords? Perhaps bad written language makes good passwords.

Re:OMG Pony BotNet! (1)

mrchaotica (681592) | about 9 months ago | (#45604847)

The "at" makes that sentence unambiguous, you know.

Re:OMG Pony BotNet! (1)

Ghaoth (1196241) | about 9 months ago | (#45604929)

The punctuation doesn't.

Re:OMG Pony BotNet! (1)

Nerdfest (867930) | about 9 months ago | (#45603959)

Throw in a single space, spelling mistake, or capital letter and try it.

Re:OMG Pony BotNet! (1)

Anonymous Coward | about 9 months ago | (#45603303)

fucking bronies....

Re: OMG Pony BotNet! (-1)

Anonymous Coward | about 9 months ago | (#45603559)

So login with your real account and post the passwords here. Email, Facebook, everything. I mean if they already have the information why try to hide it, right?

Or are you too afraid to put your money where your cocksucking brony mouth is?

Re: OMG Pony BotNet! (1)

fizzer06 (1500649) | about 9 months ago | (#45603597)

The Anonymous irony!

I have some bad news and some good news (5, Funny)

14erCleaner (745600) | about 9 months ago | (#45603245)

The bad news is that 2 million passwords have been compromised.

The good news is that they're all "123456".

Re:I have some bad news and some good news (2)

bob_super (3391281) | about 9 months ago | (#45603277)

The worse news is that the information they protect is all about Tim's lunch and Kristy's horrible new shoes.

Re:I have some bad news and some good news (2)

Lumpy (12016) | about 9 months ago | (#45603349)

You like my posts about lunch.... DONT YOU!!!!

Re:I have some bad news and some good news (4, Funny)

HairyNevus (992803) | about 9 months ago | (#45603325)

At least it wasn't 00000000...

Re:I have some bad news and some good news (1)

Anonymous Coward | about 9 months ago | (#45604155)

Hey, it was good enough for the Enterprise...

http://i.imgur.com/TDAZbs0.jpg

Re: I have some bad news and some good news (2)

Timothy Moore (3453905) | about 9 months ago | (#45603359)

Crazy! I have the same code on my luggage.

Re: I have some bad news and some good news (1)

SternisheFan (2529412) | about 9 months ago | (#45603879)

Crazy! I have the same code on my luggage.

NSA: Thanks, Mr. Nevus, we were having a hard time opening up your 'lost' luggage from your last trip.

Whoosh? (0)

Anonymous Coward | about 9 months ago | (#45604109)

NSA: Thanks, Mr. Nevus, we were having a hard time opening up your 'lost' luggage from your last trip.

The joke [youtube.com] is on you, NSA. Besides, his last "trip" involved taking four tabs of acid.

Re:Whoosh? (1)

Artifakt (700173) | about 9 months ago | (#45605081)

Besides, his last "trip" involved taking four tabs of acid

Nothing strange about that - people going to be out of the local reality set that damned long should definitely pack for the journey. I recommend an original era Steve Ditko Doctor Strange comic, and an autograph book just in case they see Leonard Nimoy or John Nobel.

Re:I have some bad news and some good news (5, Insightful)

dreamchaser (49529) | about 9 months ago | (#45604291)

It's a bit ironic that the summary mentions having strong passwords when it was a keylogger to blame. It wouldn't matter how strong the passwords are in that case.

For the record (5, Funny)

koan (80826) | about 9 months ago | (#45603265)

I'm not bad at making up secure passwords, I'm just bad at remembering them.

Re:For the record (0)

TechnoLuddite (854235) | about 9 months ago | (#45603435)

Sir, had I the points, I would mod you up as Interesting, Funny, AND Informative.

Re:For the record (1)

RabidReindeer (2625839) | about 9 months ago | (#45603687)

Sir, had I the points, I would mod you up as Interesting, Funny, AND Informative.

I still want a sad-but-true mod. I know someone else who has the same problem.

Our password policy is so bad that. . . (1)

smitty_one_each (243267) | about 9 months ago | (#45604199)

. . .I just went to keyboard patterns. Now I can paint the Last Supper on the keyboard, and log in, within a five minute span.

I'm not bad at guessing other people's passwords!! (3, Funny)

schlachter (862210) | about 9 months ago | (#45604907)

I just have trouble finding the people whom they belong to.

12345? (1)

Apothem (1921856) | about 9 months ago | (#45603279)

That's the sort of thing some idiot would put on his luggage!

Re:12345? (2)

tgetzoya (827201) | about 9 months ago | (#45603347)

Incredible, that's the combination to my luggage!

Re:12345? (1)

smitty_one_each (243267) | about 9 months ago | (#45604219)

And my safe at home, too!

Wrong problem? (5, Insightful)

Kwyj1b0 (2757125) | about 9 months ago | (#45603333)

The data says that the 10th password in the list was used by 1000 users out of two million. The top ten, combined, account for 36,000 (eyeballed) of the two million passwords. That doesn't seem like an epidemic to me. A bit less than 2% - that is actually, IMO, quite good. Two percent of internet users are bad at understanding security? Wow.

The keylogger is a bigger problem - so long as I type in my passwords, the keylogger can always find out what I am doing! I could have a 20-character really secure password, to no effect. Hell, things in real life are much worse. My PIN is 4 digits long, and banks identify me by the last four digits of my SSN (which, quite helpfully, they send out in the mail they send me). Maybe it is time to stop bashing people for choosing insecure passwords, and try to fix the systemic problems?

Re:Wrong problem? (4, Insightful)

Lumpy (12016) | about 9 months ago | (#45603371)

Like running insecure Operating systems?

Re:Wrong problem? (0)

Anonymous Coward | about 9 months ago | (#45603399)

Like running insecure Operating systems?

More like: Putting an air gap between your authentication device and the system with which you are authenticating.

Re:Wrong problem? (1)

lgw (121541) | about 9 months ago | (#45603671)

So what's that secure operating system again? I used to argue that SE Linux was the only OS that could reasonably be called secure, but given the recent NSA revelations I think we're back to nothing. Or are you still complaining about Windows 98?

Re:Wrong problem? (1)

Anonymous Coward | about 9 months ago | (#45604609)

So what's that secure operating system again? I used to argue that SE Linux was the only OS that could reasonably be called secure, but given the recent NSA revelations I think we're back to nothing. Or are you still complaining about Windows 98?

I would argue that SE Linux is still very secure. I would also argue it's not the only one out there (OpenBSD created a secure OS way before it became fashionable)

You seem to be under the assumption that you could actually secure yourself from the NSA regardless of what OS you run.

Re:Wrong problem? (1)

jd2112 (1535857) | about 9 months ago | (#45605123)

So what's that secure operating system again? I used to argue that SE Linux was the only OS that could reasonably be called secure, but given the recent NSA revelations I think we're back to nothing. Or are you still complaining about Windows 98?

SE Linux is secure. It's designed so that the NSA can spy on you but no one else can.

Re:Wrong problem? (4, Insightful)

Anonymous Coward | about 9 months ago | (#45603697)

Someone's going to post "use Firefox and noscript, flashblock, ..." but that solution doesn't really work anymore as there are just too many sites and too many scripts to look at before getting any useful work done. I bet many others like me just make a quick judgement on whether the main site is legit, click "allow all this page" and hope to God or whatever that they are careful about where they pull data from. Security is valuable but so is my time and I have no choice if I need to get things quickly done. All the other custom crap like DNS blackholes, firewalling, etc... are even less manageable and more prone to errors. I suppose the best thing would be to browse in a VM and always browse a protected site in a unique session, resetting the VM after each instance but that's a massive headache too for casual browsing even for an experienced IT professional.

Re:Wrong problem? (1)

BillX (307153) | about 9 months ago | (#45604369)

+1 to this. The spread of good/bad/awful passwords (according to the authors' somewhat ad-hoc classification) is not too surprising on its own, but this data also has a strong selection bias toward users with lax security practices in general: this dataset consists exclusively of users with an active malware infestation.

Re:Wrong problem? (1)

plover (150551) | about 9 months ago | (#45605039)

2% is still a big problem. When you are trying to hack in, you don't care much which account lets you in the door. Get in first, then escalate your privileges.

2% means if I try these top ten bad passwords on about 50 accounts, I'll probably get a strike. If an account is locked out after three tries, then I can try the top three out on about 200 accounts, and might still have success.

Re:Wrong problem? (0)

Anonymous Coward | about 9 months ago | (#45605177)

Umm, if a user account is all they need to access the system and run a privilege escalation then all they have to do is sign up themselves...no need for anyone else's account.
If you are giving every Tom, Dick and Harry who gives you their e-mail address the opportunity to execute arbitrary code on your system then you have much bigger problems.

Rumors say ... (2)

angel'o'sphere (80593) | about 9 months ago | (#45603335)

... Chinese and Taiwanese keyboards have a logger built into the hardware, storing all key presses in a kind of flash. And they simply collect old keyboards on the way to the garbage deposits.

Re:Rumors say ... (1)

Lloyd_Bryant (73136) | about 9 months ago | (#45603525)

... Chinese and Taiwanese keyboards have a logger built into the hardware, storing all key presses in a kind of flash. And they simply collect old keyboards on the way to the garbage deposits.

Hmmm. No comment on the Chinese/Taiwan aspect, but that one *would* be an interesting type of penetration technique. Convince some target (maybe a bank) to participate in a "beta test" of some new super ergonomic keyboard that your "company" has developed. Have a keylogger built into each of them. Have them rigged to "fail" randomly after 30-60 days of use. Apologise profusely, take the "failed" keyboards, and dump the logs.

Of course, it'd be even easier to just build some sort of wireless system into them, and then have a "janitor" periodically wheel around a polling server in the bottom of a trash bin. Given the amount of empty volume inside most keyboards, this wouldn't be too hard to pull off (technically, that is).

Re:Rumors say ... (1)

Anonymous Coward | about 9 months ago | (#45605189)

Pfft, save yourself the trouble and bug a USB keyboard. That way it can just post the files *encrypted* to pastebin automatically.

* = if you give a shit.

Re:Rumors say ... (0)

Anonymous Coward | about 9 months ago | (#45603549)

... Chinese and Taiwanese keyboards have a logger built into the hardware, storing all key presses in a kind of flash. And they simply collect old keyboards on the way to the garbage deposits.

I didn't realize the homeless guy with a drinking problem who roots through my garbage for recyclables was really a Chinese spy.

Re:Rumors say ... (1)

thrillseeker (518224) | about 9 months ago | (#45603979)

They're that good!

Oh dear! (0)

Anonymous Coward | about 9 months ago | (#45604285)

I didn't realize the Chinese spy rooting around in your garbage was homeless.

Re:Rumors say ... (0)

Anonymous Coward | about 9 months ago | (#45603551)

That doesn't sound like utter-bullshit at all.

http://www.youtube.com/results?search_query=dr+horrible+so+they+say&sm=3

Re:Rumors say ... (0)

Anonymous Coward | about 9 months ago | (#45603557)

That would be retarded. All it takes is one guy opening a keyboard and your whole operation is fucked, and that is if you manage to keep it secret until any is sold.

More conspiracy bullshit (1)

ArchieBunker (132337) | about 9 months ago | (#45604415)

If keyboards did store text "in a kind of flash" it should be trivial to retrieve the contents. The chip or even die (black blob seen on PCBs) needs access to the outside world somehow. It would need a bus of some sort like SPI, JTAG, or even 1-Wire. I guess you could get creative and do something with RFID or near field, but again any good lab should find that in no time.

Re:More conspiracy bullshit (1)

mrchaotica (681592) | about 9 months ago | (#45604899)

The chip or even die (black blob seen on pcbs) needs access to the outside world somehow. It would need a bus of some sort...

Every keyboard has such a bus -- the keystrokes have to get to the computer, after all! Just build the keylogger into the USB control chip itself.

Re:More conspiracy bullshit (1)

gl4ss (559668) | about 9 months ago | (#45605003)

the extra circuitry for that could/would be found.

and it would make it more expensive. and destroy your keyboard chip business.

now some kb's, let's say 30 out of all sold in the world, might have had chips changed for logging. but all? unlikely.

Re:More conspiracy bullshit (4, Interesting)

plover (150551) | about 9 months ago | (#45605169)

And how many ordinary companies making a routine purchase of seemingly ordinary keyboards test them in labs for key loggers?

Commercial keyloggers (including devices like black market skimmers) can use GPRS cards, they can scout for open WiFi access points and transmit their payload once a day at 2:00 AM, or they can sit on a whole file waiting for a harvester to show up and retrieve the data via Bluetooth, 900 MHz, or some other wireless technology. The retrieval patterns are designed to evade detection.

The only people investigating this stuff today are forensic investigators hired by people who are already victims, and independent security firms with nothing better to do.

My daughter always said... (-1)

Anonymous Coward | about 9 months ago | (#45603339)

... she wanted a pony.

I suppose since I didn't buy her one, she thought the Pony Botnet Controller would be the next best thing... :-/

Secure password vs keylogger. (0)

Anonymous Coward | about 9 months ago | (#45603343)

I don't see what protection a secure password offers against a keylogger.

Re: Secure password vs keylogger. (4, Insightful)

decsnake (6658) | about 9 months ago | (#45603519)

A "secure" password does nothing to mitigate keyloggers. The only thing that does is two factor.

I think the comments regarding the password strength were general, and basically the usual Slashdot topic drift.

IMO it's way past time for two factor everywhere. Federating logins makes that much more feasible.

Re: Secure password vs keylogger. (3, Informative)

MightyYar (622222) | about 9 months ago | (#45604317)

Google and Facebook offer simple two-factor that works with any cellphone capable of SMS. Facebook also has a keygen built into their smartphone app. I wish everyone did this.

Re: Secure password vs keylogger. (1, Insightful)

arth1 (260657) | about 9 months ago | (#45604465)

Google and Facebook offer simple two-factor that works with any cellphone capable of SMS. Facebook also has a keygen built into their smartphone app. I wish everyone did this.

I don't. Most of all because not everyone has a mobile phone with an SMS subscription. But also because coverage is rather spotty. I work in a building that's shielded. No cell phone service at all. And large areas outside the cities and suburbs have truly bad to non-existent coverage.
Even if the majority of people can use it, it would cut off a lot of people who can't.

Re: Secure password vs keylogger. (4, Informative)

MightyYar (622222) | about 9 months ago | (#45604505)

The keygen would still work, plus Google will let you print out one-time use codes that you can keep in your wallet. I have had to use those before. Google will also let you set up a phone number that it will ring with the code - and naturally your desk phone at work sounds like a pretty good candidate.

Re: Secure password vs keylogger. (1)

JakartaDean (834076) | about 9 months ago | (#45604501)

Google and Facebook offer simple two-factor that works with any cellphone capable of SMS. Facebook also has a keygen built into their smartphone app. I wish everyone did this.

My 2FA from Google stopped working a few months ago, so I had to turn it off. I don't know why, but I no longer got SMS messages when I asked them to authorize something. Annoying.

Re: Secure password vs keylogger. (0)

Anonymous Coward | about 9 months ago | (#45604647)

My bank does this and it would be great except I don't feel like paying for a text message or phone call every time I want to check my balance (yes, I'm cheap and don't have a smartphone or unlimited texts, get off my lawn).

They have an email option but they won't let domestic customers choose it because they claim phone/email is more secure.

So what do they tell their international customers about security, whose only option is email authentication?

And what's more likely: a hacker gains access to my email and bank account, or a hacker bypasses the bank's "security" entirely and has access to EVERYONE'S bank account?

After social engineering and/or phishing, it's not really worth the effort to try and break into individual accounts. At least not in comparison to breaking into ALL accounts.

Re: Secure password vs keylogger. (1)

MightyYar (622222) | about 9 months ago | (#45604713)

And what's more likely: a hacker gains access to my email and bank account, or a hacker bypasses the bank's "security" entirely and has access to EVERYONE'S bank account?

Well, based on the torrents of spam that I get from friends and relatives hijacked accounts, I'd say pretty darned likely.

Re: Secure password vs keylogger. (1)

BradMajors (995624) | about 9 months ago | (#45604319)

I am just wishing for all access to my accounts from eastern Europe to be blocked. If Netflix can do it, why can't my bank?

Re: Secure password vs keylogger. (0)

Anonymous Coward | about 9 months ago | (#45605217)

They can, but you haven't threatened to leave them over it yet. Try it!
Don't go in there and make an ultimatum or anything like that. Just walk in, and act like you are just closing your account with them, and when they ask why, you tell them. They will probably make an offer. And if they offer nothing but "sorry!" then you know they never cared to begin with and you are making the right choice.

This is a key-logger issue (3, Informative)

BringsApples (3418089) | about 9 months ago | (#45603351)

As far as we know, this thing happens all the time, and more than likely these PCs that are infected are infected by more than one key-logger. "Update your antivirus" is a moot point, because unless the 'virus' is known, the antivirus folks cannot do anything about it anyway. By the time these things are found out, it's far too late anyway. There is no advice that can be given here, except "Don't get a virus", which is silly to tell someone.

Re:This is a key-logger issue (1)

jader3rd (2222716) | about 9 months ago | (#45603379)

Don't get a virus

Re:This is a key-logger issue (4, Insightful)

lgw (121541) | about 9 months ago | (#45603719)

Good luck with that plan. I mean sure, if you're RMS and "browse the web" by wgetting the page and emailing to yourself to read in EMACS then sure, you're probably safe from drive-by attacks. But if you need JS enabled to browse then you're vulnerable.

Re:This is a key-logger issue (2)

Burz (138833) | about 9 months ago | (#45604403)

Or you can use this [qubes-os.org] ...which I am typing in at this moment.

Re:This is a key-logger issue (0)

Anonymous Coward | about 9 months ago | (#45603691)

"Update your antivirus" is a moot point, because unless the 'virus' is known, the antivirus folks cannot do anything about it anyway.

You know, there's a thing called heuristics? I'm not saying it catches everything, but it's a step in the right direction.

Tell us more about the virus! (3, Interesting)

jader3rd (2222716) | about 9 months ago | (#45603411)

What security hole is the virus making use of? Is there something and end user should look out for? etc, etc?

Re:Tell us more about the virus! (1)

AHuxley (892839) | about 9 months ago | (#45603603)

In the past you would get the OS or vendor name and hints at a fix.
Now it's some "virus got onto so many personal computers". Was it a push down from the web 2.0 sites onto the PC? Or some random PC virus that spread and got a lot of web 2.0 sites' details?

Re:Tell us more about the virus! (2)

Burz (138833) | about 9 months ago | (#45604073)

It seems to be Windows, if you follow the links. I think the details are almost unimportant though; desktops need an integrated hypervisor to be reliably secure. This greatly reduces the attack surface, though none are as good as Qubes OS at this point.

Re:Tell us more about the virus! (0)

Anonymous Coward | about 9 months ago | (#45603789)

You wouldn't believe how many times I've gone to clean a PC to find a process called "passwordlogger.exe" running. What's really bad is that most of my clients know enough to open the task manager and kill a frozen program or anything using a lot of CPU/memory for no good reason. Yet somehow that name that sticks out like a sore thumb to me seems so innocuous to them.

Re:Tell us more about the virus! (1)

Burz (138833) | about 9 months ago | (#45604027)

User should look out for... Windows. That's what this thing runs on according to a description of this malware's predecessor/sister (linked in article). /. stories suck when they don't mention the host OS.

not me (4, Funny)

jafac (1449) | about 9 months ago | (#45603413)

Good thing I almost never key-in my passwords.

I copy them straight off of strongpasswordgenerator.com, and paste them into my password fields.

Re:not me (0)

Anonymous Coward | about 9 months ago | (#45604921)

This is tagged "funny" but pasting in your passwords from KeePassX style apps should in fact defeat keyboard loggers...as long as the logger wasn't installed when you setup your passwords.

Re:not me (0)

Anonymous Coward | about 9 months ago | (#45605239)

HAHAHA, keyloggers have access to the clipboard dude. Next!

Desktop attack (4, Insightful)

gmuslera (3436) | about 9 months ago | (#45603469)

The Adobe password breach was about 40-100 million passwords, a lot of them reused in other services. But the method was different: instead of hacking into a single server with a very bad password policy, this went right to the desktops of people in that botnet. So no matter how safe you were using your password or picking a complex one, if your desktop security is not good enough (and there are a lot of cases of widespread malware avoiding antivirus detection for years) your carefully built password policy could be defeated at the moment of using them.

As for the common passwords used, it's almost predictable to find them when you have millions of passwords, but the strength of the password is not the problem here.

Little hint please? (5, Informative)

Zakabog (603757) | about 9 months ago | (#45603479)

I'm looking for more technical information on this virus. Is there a collection of different key logging software all sending the passwords to the same proxy server? How does someone get infected by this virus? How about the IP addresses of the proxy servers so people can at least look for traffic from their firewalls?

This article seems kind of useless other than to scare people into purchasing some protection, which conveniently the company writing the article sells!

Re:Little hint please? (1)

Teun (17872) | about 9 months ago | (#45603609)

It (still) takes a Windows computer to get infected but don't hold your breath...

If the proxy's IP was known it would be shut down; you are looking at an after-the-fact solution.
Oh yeah, you could read the linked articles, they give reasonable data.

Re:Little hint please? (0)

Anonymous Coward | about 9 months ago | (#45603817)

This article seems kind of useless other than to scare people into purchasing some protection, which conveniently the company writing the article sells!

To be fair, the only people who used the word "virus" were CNN and Slashdot. They didn't talk about attack vectors to plant the botnet software on the compromised workstations, but the usual and most likely method is a trojan or a drive-by download.

Sadly, people continue to use the word "virus" to mean "malware". Actual viruses are exceptionally rare these days.

Hey, if you get a minute. (4, Funny)

mythosaz (572040) | about 9 months ago | (#45603553)

Since they haven't published the impacted usernames yet, if one of you has access to the database, could you see if my password is in it?

D0uble!!8R3view

T.I.A.

Re:Hey, if you get a minute. (5, Insightful)

Anonymous Coward | about 9 months ago | (#45603651)

Since they haven't published the impacted usernames yet, if one of you has access to the database, could you see if my password is in it?

D0uble!!8R3view

T.I.A.

Actually they should publish a list of the hashed passwords. I am eagerly awaiting this to find out if I have been hacked! For example, if they published a list of the passwords hashed with SHA256, then average joe slashdot could do a lookup on the list of 2 million to see if their password was compromised, without having to reveal the actual password in plaintext. I just checked, the SHA256 hash of your password is: "497835d7e73195527ab79857ec051bf2c13ad51c02f48a2af252fa2805a866cb" So in my proposed scheme, you could download software to check SHA256 hash, type in your password, and then paste the resulting hash into a search query on the list of compromised passwords.

Re:Hey, if you get a minute. (3, Funny)

Anonymous Coward | about 9 months ago | (#45604147)

I think I've got you beat on entropy:

qbJSK08jPHl3t4u7

They can't crack 95-bit random passwords yet, so I should be totally safe, right?

-Posting as AC because I can't login to my /. account right now. I think it must be a temporary glitch.
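Two technical points in this sub-thread can be made concrete with a few lines of code: the "publish the SHA-256 hashes and let users look themselves up" scheme, and the "95-bit" figure for a 16-character random password. The block below is an added example for this page, not code from either poster or from Trustwave; the list of "compromised" passwords in it is a constructed stand-in, and the hash the AC computed above is not asserted here. The entropy function is the general form of the AC's arithmetic: a password of `length` characters drawn uniformly from an alphabet of `n` symbols carries `length * log2(n)` bits, which for 16 characters over the 62 letters and digits is about 95.3 bits.

```python
import hashlib
import math
import secrets
import string

# Constructed sample standing in for the published list; the real dump is not on this page.
SAMPLE_COMPROMISED = ["123456", "password", "12345", "00000000", "admin"]
ALPHANUM = string.ascii_letters + string.digits   # 62 symbols


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of the password, as the proposed scheme would publish it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_hash_index(passwords):
    """What the publisher would release: digests only, no plaintext."""
    return frozenset(sha256_hex(p) for p in passwords)


def is_compromised(password: str, index) -> bool:
    """Client-side lookup: hash locally, check membership; the plaintext never leaves the machine."""
    return sha256_hex(password) in index


def random_password_bits(length: int, alphabet: str = ALPHANUM) -> float:
    """Entropy in bits of a uniformly random password over `alphabet`."""
    return length * math.log2(len(alphabet))


def generate_password(length: int = 16, alphabet: str = ALPHANUM) -> str:
    """Draw a password with the `secrets` CSPRNG, not `random`, so the entropy claim holds."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    index = build_hash_index(SAMPLE_COMPROMISED)
    for candidate in ["123456", "qbJSK08jPHl3t4u7"]:
        print(candidate, "compromised" if is_compromised(candidate, index) else "not in list")
    pw = generate_password(16)
    print(pw, "~%.1f bits" % random_password_bits(len(pw)))
```

One caveat on the hash-list idea, since it matters for anyone tempted to implement it: an unsalted SHA-256 of a weak password is not a secret. Anyone holding the published digests can hash their own guesses and recover every entry that is a common word or number pattern, which by this story's own numbers is a good share of the list. Publishing hashes therefore protects only the strong, unique passwords in the dump, and those are exactly the ones nobody needs warning about.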

you can make $1000/day working from home (-1, Flamebait)

alen (225700) | about 9 months ago | (#45603627)

quit your job

this explains the dozen or so people that have posted this to their facebook stream in the last week with a link to a tumblr blog

submission retarded (0)

Anonymous Coward | about 9 months ago | (#45603723)

"...captured via a key logging virus....."
".. The report critiques how bad people are at making secure passwords..."

submission retarded.

My Bank Has The Solution: Mother's Maiden Name (5, Insightful)

rueger (210566) | about 9 months ago | (#45604063)

Of late my bank has been on a new drive to irritate all customers under the guise of protecting our security. On top of the ever so secure four-digit PIN, and the usual login password, and the three-digit CVV number (which I assume anyone stealing credit card info will also collect).

They now have two very secure additions to their arsenal:

1) Once you have logged in, and you wish to add another company to the list of those to whom you can send money - bill payments - you must also type in a five-digit security code. A code that is different from your PIN, or any other log-in.

Of course, because you only use this about once a year you will have forgotten it, so you need to generate a new one. While still logged in. With no further authentication.

Yes, adding a payee to the list requires you to enter a number that you created five seconds previously. Wow. I feel so safe.

2) Authentication Questions: the ever popular list of ten questions about things that you did thirty-five years ago, or where there could be multiple possible answers. Where did you meet your spouse? (Which one?) What was the name of your childhood pet? (Again, which one?) What was your favourite TV show at age 13? (Damned if I know.) What was the Zip Code of your Grade Three elementary school?

In other words, my money is secured through the use of a list of questions that any of my Facebook followers could find in about five minutes. Assuming that I ever put anything truthful on Facebook.

The basic problem is that the whole password concept stopped being an effective protection years ago, and no-one has come up with a really good way to replace it. So instead we get corporations forcing people to jump through meaningless hoops in the hopes that we won't notice.

Or worse, encouraging us to use one corporation's log-in across multiple platforms - thus ensuring that one security breach will open many doors to your on-line affairs. Seriously, does anyone think that using Facebook to log in elsewhere is a good idea?

Re:My Bank Has The Solution: Mother's Maiden Name (2)

javacowboy (222023) | about 9 months ago | (#45604469)

What's worse is that the mother's maiden name question doesn't work:

1) If your mother divorced your father and took her maiden name.
2) If you're relatively young and your mother lives in Quebec, where women are now required to keep their maiden names.

Poison the well..... (1)

PeterM from Berkeley (15510) | about 9 months ago | (#45604709)

On your comment about "assuming I ever put anything truthful on Facebook..."

Yes, if anyone asks for stuff that isn't their business, give them misinformation. If there's a lot of misinformation out there about you, it'll make it harder for an identity thief to have an accurate file.

What the Government should do is create a whole SLEW of false identities, make them "available", watch them, trace who is trying to use them, and arrest and prosecute them. If a good fraction of identities that people are able to snarf out there are these honey pots, we'll soon cut down severely on that crime.

--PM

Re:My Bank Has The Solution: Mother's Maiden Name (4, Informative)

whoever57 (658626) | about 9 months ago | (#45604797)

Of late my bank has been on a new drive to irritate all customers under the guise of protecting our security.

UK banks have introduced personal card readers. When prompted you insert your card into your own card reader, enter your PIN and then enter a number that the website gives you. You then enter into the web form the resulting number that your card reader provides. In this way, you have proven that you have physical access to your bank card.
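The card-reader exchange described above, as an added example that is not the commenter's code and not the real protocol. The UK scheme (EMV CAP) computes the reader's response from an EMV cryptogram on the chip; here the chip is modelled as an HMAC-SHA256 key shared only between card and bank, with HOTP-style truncation to 8 digits and a two-minute challenge lifetime. The key model, the digit count, the lifetime and the account and PIN values are all assumptions made for illustration. Both sides are shown, and the walk-through ends with the case the thread is about: a keylogger on the PC that has captured the PIN and the typed response still cannot replay them, because the chip key never left the card and the challenge is consumed on first use.

```python
import hashlib
import hmac
import secrets


def derive_response(card_key: bytes, challenge: str) -> str:
    """8-digit response the reader displays (assumed HMAC model, not the EMV cryptogram)."""
    mac = hmac.new(card_key, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                   # HOTP-style dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**8:08d}"


class Card:
    """The chip: checks the PIN offline, then signs the bank's challenge.
    The PC, and any keylogger on it, never sees the key, and the PIN is typed on the reader."""

    def __init__(self, card_key: bytes, pin: str):
        self._key, self._pin, self.tries_left = card_key, pin, 3

    def respond(self, pin: str, challenge: str) -> str:
        if self.tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            raise PermissionError("wrong PIN")
        self.tries_left = 3
        return derive_response(self._key, challenge)


class Bank:
    """Website side: issues one fresh challenge per sensitive action and checks the typed response."""

    def __init__(self, card_keys: dict, challenge_ttl: float = 120.0):
        self._keys = card_keys            # account -> chip key (an HSM holds these in practice)
        self._pending = {}                # challenge -> (account, expiry time)
        self._ttl = challenge_ttl

    def issue_challenge(self, account: str, now: float) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"          # shown on the web page
        self._pending[challenge] = (account, now + self._ttl)
        return challenge

    def verify(self, account: str, challenge: str, response: str, now: float) -> bool:
        entry = self._pending.pop(challenge, None)              # single use: gone after first try
        if entry is None or entry[0] != account or now > entry[1]:
            return False
        expected = derive_response(self._keys[account], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the exchange once, then as a keylogger replay, then with a stale challenge."""
    key = secrets.token_bytes(16)                                # provisioned onto the chip
    card, bank = Card(key, pin="4321"), Bank({"acct-1": key})    # constructed account and PIN
    t0 = 1000.0
    challenge = bank.issue_challenge("acct-1", now=t0)
    response = card.respond("4321", challenge)                   # what the user types into the form
    first = bank.verify("acct-1", challenge, response, now=t0 + 30)
    # Keylogger scenario: attacker has the PIN and the 8 digits, but no chip key.
    replay = bank.verify("acct-1", challenge, response, now=t0 + 60)
    stale = bank.issue_challenge("acct-1", now=t0)
    expired = bank.verify("acct-1", stale, card.respond("4321", stale), now=t0 + 600)
    return {"first": first, "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

What the reader proves is possession of the card and knowledge of the PIN at the moment of the transaction; it does not protect the session itself, so malware on the PC can still alter the payee or amount of the action the response authorises unless the challenge binds those details (the real CAP "sign" mode includes them, which this model leaves out).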

Already changed my password (1)

javacowboy (222023) | about 9 months ago | (#45604449)

My old password was automatically generated and not used on any other site, and I generated a new password also not used on any other site.

Impossible!! (1)

Billly Gates (198444) | about 9 months ago | (#45604511)

Ask any slashdotter and they will tell you that you do not need AV software! 100% of all malware is caused only by clicking and installing things.

So feel free to continue writing posts saying they can have XP OVER MY COLD DEAD HANDS, with just a scanner and no protection, and keep Java and Flash unupdated on your system.

You will be just fine.

how many DISTINCT passwords? (1)

Gothmolly (148874) | about 9 months ago | (#45604667)

How many were: password, wordpass, password123, 12345 or 00000000?
