July 19, 2012
I’m thinking of changing the name of this blog to Who Has Been Hacked This Week? Perhaps we’ll take a poll and place bets; the winner gets to change all their passwords (again) for a few days, until the next major security breach.
In the past week alone we’ve heard about NVIDIA, Yahoo!, Billabong, Formspring, Android Forums, PBS, WHO, Exxon, BP, Shell, Gazprom, Rosneft, Asus and ISPdirectory.co.z.
A hacker posted to Pastebin a list of what he called NVIDIA Admin Hashes, as part of The Apollo Project. The 800 leaked accounts included numerous nvidia.com email addresses, plus Hotmail and Gmail webmail accounts, as well as corporate accounts at ARM, Bloomberg, Fibertek, Givex, Honda, Patriot Memory and many other companies. Apparently the list was only a “partial dump” of the purloined data. The post also warned that NVIDIA’s online store had been hacked, which led NVIDIA to suspend operations for the NVIDIA Gear Store as well.
Yahoo! confirmed that over 450,000 usernames and passwords were stolen and published in PLAINTEXT by the group D33Ds Company as a warning for Yahoo! to step up their security. Which can’t be all bad, right?
A little over 21,400 passwords were leaked from the Australian company Billabong. The WikiBoat collective, as part of WikiBoatWednesday, wanted to highlight the firm’s fragile security measures, which they’ve achieved: Billabong protected the passwords with nothing at all (plaintext, for all to see and understand…).
Formspring, a social question-and-answer site, had around 420,000 usernames and passwords compromised. In this case the passwords were hashed and salted (much better practice than Yahoo! and Billabong), so the leaked hashes can only be recovered by guessing, and Formspring were very upfront about the hack and reset all passwords as a precaution.
Exxon, BP, Shell, Gazprom and Rosneft were all targets of an operation similar to OpSaveTheArctic: the companies were breached and the employee accounts used to sign the petition at http://www.savethearctic.org. This, in my opinion, is “hacktivism” at its best; good luck to le4ky and the Anonymous cohorts.
The World Health Organisation (WHO) was allegedly hacked by NullCrew, who cited “pathetic” health care: “our Health-Care system has never been what it should be. Thousands of people are dying just because of this. Either waiting in the waiting room for too long, or not being able to pay the extreme amounts to be cared for.”
NullCrew have also taken credit for hacking the Public Broadcasting Service (PBS), publishing close to 1,000 email addresses and clear-text passwords. “We hacked PBS.org, for reason of broadcasting false information, and misleading the public.”
NullCrew have also claimed responsibility for posting 23 administrator usernames and passwords from ASUS, publishing them on Pastebin and urging everyone to try them out.
South Africa’s leading ISP directory site, http://www.ispd.co.z, was hacked, also by NullCrew (who have been very busy), and over 400 usernames, domains and passwords were pasted on Pastebay in plaintext. I’m not sure why though, as all the other attacks had specific reasoning.
I’m sure that there have been more that I’m not immediately aware of; let me know in the comments. And let me know who you think is next!
June 28, 2012
In the last few weeks there have been a LOT of password hacks on some pretty huge websites. This is a list of the ones I can think of without Googling:
WHMCS – massive breach, with over 1.7 GB of user, password and credit-card data taken and posted online for anyone to crack or decrypt.
LinkedIn – over 6 million password hashes stolen (unsalted SHA-1).
eHarmony – around 1.5 million password hashes stolen (unsalted MD5).
Last.fm – around 17.3 million password hashes stolen (also unsalted MD5).
Twitter – in May, around 55,000 usernames and passwords leaked.
The Department of Homeland Security and the U.S. Navy – these database hacks include usernames, passwords, email IDs, and security questions and answers for their users.
And just this morning I got an email from techradar.com stating that their user registration database has been compromised and user details including username, email address, date-of-birth and encrypted passwords have been stolen in the process.
The problem with websites that ask for a password is how they store it, and whether that storage keeps your password safe from recovery if the website is hacked. Most sites enforce a complexity rule: alphanumeric, at least 8 characters, at least 2 digits. That rule does not help much if the site stores a plain, unsalted MD5 or SHA-1 hash. Those hashes can’t be reversed, but they don’t need to be: hackers ‘guess’ passwords by hashing a candidate and comparing it with the dump. Hash ‘password21’ or ‘mydogbob’ once and every account in the dump that used that password shows up at the same time, because without a per-user salt identical passwords produce identical hashes. And this isn’t just someone sitting at a keyboard trying word and number combinations; there are programs, and wordlists built from earlier breaches, to do it for them. MD5 and SHA-1 were designed to be fast, so a single graphics card can test billions of candidates per second: every word in every language, plus the usual letter-and-digit suffixes, falls in minutes. The fix on the site’s side is a random salt per user and a deliberately slow hash (bcrypt, scrypt or PBKDF2), which forces the attacker to re-hash every guess for every account.
Whether the site does that is out of your hands. The one thing you control is having an ‘un-guessable’ password, so that even a weakly hashed copy of it isn’t recovered in the attacker’s first pass through the wordlists.
If the site you’re entering a password into has one of those “you can not use dictionary words” warnings, there is still something you can do. Find a passage in a book or a line from your favourite poem and use the first letter of each word, with some symbols thrown in for good measure: CTROBCTMO&BHW (that’s the first few lines of ‘The Emperor of Ice-Cream’ by Wallace Stevens), then add a few letters that identify the site you’re logging on to, so this one would be CTROBCTMO&BHW*WordP. That string is in no wordlist and is far too long for a brute-force run. Two caveats, though: pick a passage that isn’t famous, because crackers also build lists from the first letters of well-known quotations and lyrics; and keep the site tag hard to derive, because if one site leaks your password in plaintext (see the update below), an attacker can read the pattern off it and try the obvious variants on your other accounts.
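As an added worked example (not code from the original post), here is the guessing attack described above, run in Python against a constructed mini-dump: four made-up accounts, stored first as unsalted MD5 the way the dumps listed above were, and then with a per-user salt and PBKDF2-HMAC-SHA256 from the standard library. The accounts, the seven-entry wordlist and the 100,000-round work factor are assumptions for the illustration, standing in for multi-million-entry lists and a tuned production setting. The `mnemonic` helper builds the first-letter password from the Wallace Stevens lines, reading the post’s example as writing “and” as “&” and upper-casing each letter.

```python
import hashlib
import hmac
import os
import re

# Constructed sample accounts (not real data). Two users share a password and
# one uses the first-letter mnemonic from the post.
PLAINTEXT = {
    "alice": "password21",
    "bob": "mydogbob",
    "carol": "password21",
    "dave": "CTROBCTMO&BHW*WordP",
}

# Constructed stand-in for the multi-million-entry wordlists crackers use.
WORDLIST = ["123456", "password", "letmein", "password21",
            "mydogbob", "qwerty", "bob1987"]

# Assumed work factor for the slow hash; a real deployment tunes this to the
# hardware so that a single verification takes tens of milliseconds.
PBKDF2_ROUNDS = 100_000


def mnemonic(passage, site_tag=""):
    """First letter of each word, upper-cased, with 'and' written as '&',
    followed by a tag for the site (my reading of the post's example)."""
    words = re.findall(r"[A-Za-z']+", passage)
    letters = "".join("&" if w.lower() == "and" else w[0].upper() for w in words)
    return letters + site_tag


def unsalted_md5(password):
    """How the 2012 dumps above stored passwords: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(dump, wordlist):
    """Offline guessing against unsalted hashes.

    Each candidate is hashed once and looked up against every account at the
    same time, so the cost is len(wordlist) hashes however many accounts leaked,
    and everyone who chose the same password falls together.
    Returns (cracked, hashes_computed).
    """
    table = {unsalted_md5(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def store_salted(password, salt=None):
    """Per-user random salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256).
    Stored as 'salt$digest', both hex-encoded."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_salted(dump, wordlist):
    """The same wordlist against salted, slow hashes: no shared lookup table is
    possible, so every guess is re-hashed for every account, and each of those
    hashes costs PBKDF2_ROUNDS times as much as a single MD5.
    Returns (cracked, hashes_computed).
    """
    cracked, hashes = {}, 0
    for user, stored in dump.items():
        for w in wordlist:
            hashes += 1
            if verify_salted(w, stored):
                cracked[user] = w
                break
    return cracked, hashes


if __name__ == "__main__":
    stevens = "Call the roller of big cigars, The muscular one, and bid him whip"
    print("mnemonic:", mnemonic(stevens, "*WordP"))
    unsalted = {u: unsalted_md5(p) for u, p in PLAINTEXT.items()}
    found, n = crack_unsalted(unsalted, WORDLIST)
    print(f"unsalted MD5: {found} after {n} hashes")
    salted = {u: store_salted(p) for u, p in PLAINTEXT.items()}
    found, n = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2: {found} after {n} slow hashes")
```

With the unsalted dump, alice, bob and carol are recovered after seven MD5 computations in total, and alice and carol are visibly the same password before any guessing starts. With salts, the same three accounts still fall to the same wordlist, but only after twenty separate PBKDF2 derivations, and the cost grows with the number of accounts and the work factor rather than staying flat. Dave’s mnemonic survives both runs simply because it is not in the list; that is the whole argument of the paragraphs above.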
The lesson in all these password hacks is that if the companies you log on to are not going to follow best security practice for the information they hold, or for the way that information is hashed or encrypted, then it falls on you to follow best security practice of your own.
UPDATE: I just learned that Tuts+ Premium was hacked and all user details were stored in CLEARTEXT, which means no hashing or encryption at all. If that happens then I’m afraid all your best password practices won’t help you. Change your password.