October 8, 2009 4:51 PM PDT

Phished or not, leaked passwords show lazy habits

by Elinor Mills

These are the 20 most common passwords, based on 10,000 analyzed by Acunetix.

(Credit: Acunetix)

It's still unclear exactly how 20,000 passwords discovered on the Web recently were stolen, but the finding reveals much in the way of people's password habits: some of us are lazy.

Several lists of passwords from Hotmail, Gmail, Yahoo Mail, and other accounts were discovered and reported on earlier in the week. While Microsoft, Google, and Yahoo are blaming phishing, a researcher at ScanSafe thinks password-stealing malware on computers could be the culprit, which would mean that more than just the Web e-mail accounts may have been compromised.

More on that later. First, let's look at what an analysis of the leaked passwords reveals.

Security researcher Bogdan Calin did a statistical analysis of the list of more than 10,000 Windows Live Hotmail passwords and wrote about his findings on the Acunetix blog. He discovered that the most common password was "123456," used for 64 of the passwords. In second place was "123456789," used for 18 of them. Also, 42 percent of the passwords used only lower case letters.

While that shows some people aren't exercising caution in securing their e-mail accounts, other statistics reveal that many people are putting more thought into it.

For instance, 30 percent used a combination of uppercase and lowercase letters and numbers. Twenty-two percent of the passwords used six characters, 14 percent used seven, 21 percent used eight, and 12 percent used nine characters. One account even had a password that was 30 characters long.

"My impression is that these passwords have been gathered using phishing kits," Calin writes. "Even more, the phishing kit used most probably was badly designed, since it was one that didn't further authenticate the users to the Hotmail/Live Web site. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened, is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong."
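The kind of tally Calin ran over the leaked list, written here as an added example (not Acunetix's code) over a small constructed password list: it reports the most common passwords, the share that use only lower-case letters or mix cases and digits, the length histogram, and the case-variant repeats ("alejandro"/"Alejandro") that Calin read as users retyping into a broken phishing page.

```python
from collections import Counter
import string

# Constructed stand-in for a leaked credential dump (not the real Hotmail data):
# only the passwords are kept, one entry per leaked account.
SAMPLE_PASSWORDS = [
    "123456", "123456789", "alejandro", "123456", "Alejandro",
    "abc123", "Passw0rd", "qwerty", "123456", "password",
    "123456789", "Tequiero2009", "123456", "abcdef",
    "abcdefghij1234567890ABCDEFGHIJ",
]


def char_classes(pw):
    """Return the set of character classes present in a password."""
    classes = set()
    if any(c.islower() for c in pw):
        classes.add("lower")
    if any(c.isupper() for c in pw):
        classes.add("upper")
    if any(c.isdigit() for c in pw):
        classes.add("digit")
    if any(c in string.punctuation for c in pw):
        classes.add("symbol")
    return classes


def case_variant_groups(passwords):
    """Passwords that occur in more than one capitalisation.

    Calin took such repeats as a sign that users retyped the same password
    into a phishing page that rejected the first attempt; they are also a
    cheap data-quality check on any dump before drawing statistics from it.
    """
    groups = {}
    for pw in set(passwords):
        groups.setdefault(pw.lower(), set()).add(pw)
    return sorted(k for k, spellings in groups.items() if len(spellings) > 1)


def analyze(passwords, top_n=5):
    """Summarise a password list along the lines of the Acunetix write-up."""
    n = len(passwords)

    def pct(k):
        return round(100.0 * k / n, 1)

    lower_only = sum(1 for p in passwords if char_classes(p) == {"lower"})
    mixed = sum(1 for p in passwords
                if {"lower", "upper", "digit"} <= char_classes(p))
    lengths = Counter(len(p) for p in passwords)
    return {
        "total": n,
        "top": Counter(passwords).most_common(top_n),
        "lower_only": lower_only,
        "lower_only_pct": pct(lower_only),
        "mixed_case_and_digits": mixed,
        "mixed_pct": pct(mixed),
        "length_histogram": dict(sorted(lengths.items())),
        "max_length": max(lengths),
        "case_variants": case_variant_groups(passwords),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```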

Mary Landesman, senior security researcher at ScanSafe, theorizes that passwords were obtained by a data-stealing Trojan horse and not phishing.

There are errors in the list of Hotmail passwords that appear to be the result of improperly extracting or merging data, she writes on the ScanSafe blog.

Among other reasons, Landesman notes that usernames often appear multiple times with the same password except for a slightly different spelling. Also, she said the "@" separating the username from the account is not always present, which could indicate that the data was pieced together from a form or was extracted from a larger set of data.

Asked to comment on Landesman's speculation, Microsoft and Yahoo representatives said the companies still think the passwords were phished.

A Google spokesman offered this comment: "Passwords can be compromised in multiple ways, so it's a good idea to take several steps to help protect your personal information. Select unique passwords, especially on your most important Web sites, and use antivirus software to help detect software that may try to steal your password."

It's important to remember that phishing can lead to the download of malware onto a victim's computer. So people may never know what happened.

Regardless, be careful out there.

(Related: See Larry Magid's story for tips on making strong, easy-to-remember passwords.)

Update, 1:20 p.m. PDT on October 9: The list of passwords analyzed apparently was limited to usernames starting with A and B, which is not exactly a representative sample but could explain the use of Spanish words beginning with "A."

Originally posted at InSecurity Complex
October 5, 2009 9:02 AM PDT

Hotmail passwords leaked online

by Don Reisinger

Update October 6 at 11:25 a.m.: This was later discovered to be an industrywide problem that has affected users of Gmail and possibly other e-mail services as well. See more details here.

Thousands of Windows Live Hotmail passwords have been leaked online, Microsoft has confirmed. The news was first reported by Neowin.

According to Microsoft, it "learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site" at some point over the weekend. Neowin originally reported that the credentials were posted to a developer forum on Pastebin.com on October 1.

After learning of the breach, Microsoft "immediately requested that the credentials be removed and launched an investigation to determine the impact to customers," it wrote on its Windows Live blog.

The company was quick to point out that credentials were stolen through what was "likely a phishing scheme." The company said that it "was not a breach of internal Microsoft data." It's currently "working to help customers regain control of their accounts."

Microsoft did not immediately respond to CNET's request for comment.

Microsoft didn't say exactly how many accounts were affected, but Neowin reported that the original list displayed accounts with names starting with "A" and "B."

Twitter and other social networks are abuzz with people advising others to change their passwords. Microsoft wrote in the blog post that those who believe they were affected by the phishing scheme should immediately do just that.

Updated at 1:30 p.m. PDT to include Microsoft's confirmation of the breach.

Originally posted at Webware

Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.

May 7, 2009 9:00 AM PDT

Five simple PC security tips

by Dennis O'Reilly

The list of PC security products never ends. For every name that drops off, two more jump on. In fact, determining the best security hardware and software is a full-time job. Sometimes, you just want to throw up your hands and take your chances.

Maybe I'm just a cockeyed optimist, but I think you can stay safe without spending all your spare time doing research, installing updates, and generally becoming a PC-security expert. Here are five relatively easy ways to improve your security.

Use the firewall that's closest at hand
In the computer industry, the reputation of a product, service, or Web site is just about worthless. Yesterday's best firewall, ad blocker, spam buster, virus spotter, or spyware cleaner is today's bust.

Maybe the product got bought and the new owners aren't as conscientious about updates as the previous ones. Or the service's management team decides to go for profits and skimp on support, updates, and enhancements. There are lots of reasons why a good product goes sour, and the computer industry has seen nearly all of them.

So if you can't go by reputation, how do you choose a security product? One way is to go with the tools you've already got. Windows' security is roundly criticized, but the fact is, it's better than it used to be, and third-party security products have their own shortcomings.

Last February, I recommended that you use a third-party firewall rather than the one built into Windows. Six months earlier, I suggested that you pass on the third-party tools and stick with the Windows Firewall despite its shortcomings.

So which side of the fence am I on now? The simple side. The fact is, any third-party security tool complicates your setup. It's not difficult to find weaknesses in the Windows Firewall, but it's safe enough for most PC users, and it's much better than using no software firewall at all.

My previous post included links to information on Microsoft's TechNet site providing technical details of the Windows Firewall, tips for customizing the Windows Firewall, and help troubleshooting the firewall in XP and Vista.

Don't hesitate to try another free antivirus program
Just last week, I switched antivirus programs on my XP test system--for the umpteenth time. Something was slowing the system down, and after defragging the hard drive and doing other standard maintenance tasks, the machine's performance didn't improve as I expected it to.

Rather than go through a bunch of diagnostic tests, I simply uninstalled the system's antivirus tool and downloaded a competing package. The old and new programs were both free, and the switch didn't take much time to complete. The topper? The XP machine's performance perked up immediately.

Two antivirus programs that are free for home use and that are currently highly rated are Avast Home Edition and Avira AntiVir. You'll find a list of dozens of antivirus programs for Windows on this Download.com page.

Change your password...again
I hate those "your password will expire in x days" warnings as much as you do, but one of the simplest ways to protect yourself is by keeping your passwords fresh. Last year, I described the Ten Password Commandments, one of which was to devise a password-creation strategy that's all your own.

Just two months ago, I complained about the shortcomings of passwords as our primary security option, though I concluded that there's nothing better, for now. Lots of people swear by password managers such as RoboForm, but then you have yet another third-party app complicating matters.

For me, it's simpler just to devise a new password based on my unique, inimitable password-creation system, which I share with no one. No need to write it down, enter it in an online form, or encrypt it in a master-password file. Temporary amnesia, well, that's another matter.

For secure e-mail, use encryption
You would think that encrypting e-mail would be a breeze, but doing so is anything but. You and the recipient have to deal with digital certificates, public and private keys, and any number of other time-eating preparations and precautions.

The simplest way I know of to encrypt your e-mail is by using the Mozilla Foundation's Thunderbird with the Enigmail extension. Jason Thomas provides step-by-step instructions in this tutorial on the Lifehacker site.

Gmail users can secure their e-mail communications by enabling the service's built-in encryption. To do so, click the Settings button at the top-right of the main Gmail screen, scroll to the bottom of the General tab, select "Always use https," and click Save Changes.

Gmail Settings

Select "Always use https" under the General tab in Gmail's Settings to encrypt your messages.

(Credit: Google)

Keep your browser up-to-date
Most people will tell you that the Mozilla Foundation's Firefox browser is the safest way to surf, but a recent report from Google Switzerland and the Swiss Federal Institute of Technology found that "(u)sing the most recent version of a browser will lower the risk associated with drive-by-downloads and other Web-based attacks, which start by targeting the browser."

The report cites Google Chrome's silent updates as the best way to ensure that your browser is protected. The researchers also laud Chrome's lack of a way for users to disable its silent-update feature. Some people will object to software being downloaded to and installed on their system without their knowledge, but the fact is, these behind-the-scenes updates are the best way to keep you safe from the Internet bad guys.

Personally, I'm starting to rethink my choice of default browser. But as I mentioned earlier, you can't put any faith in a computer security product's reputation. And you can't be afraid to switch.

Originally posted at Workers' Edge
Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET Blog Network, and is not an employee of CNET.
April 19, 2009 9:01 PM PDT

Forget your password? Use your phone

by Elinor Mills

FireID was set to announce on Monday at RSA 2009 a technology that allows people to access multiple Web sites from their mobile phone without having to remember all the passwords.

The FireID universal personal authenticator app turns any phone that runs Java into a one-time password generator. Because the password is generated on the phone itself, there is no risk of it being intercepted and no waiting for an SMS, as with other password-generator systems, said Jenny Dugmore, chief executive of FireID.

The system also works with multiple applications and creates a unique encrypted password for each session. It identifies the app and the make and model of the phone and downloads a version of FireID that is specific for that phone rather than a generic version.

The only password the user needs to remember is the one to access the FireID app.

FireID runs on any phone that can run a Java app, and the technology is compliant with the open authentication standard so organizations using key fobs can use it too, Dugmore said.

There is a Blackberry version of the FireID app. Apple is testing it on its iPhone and FireID is in talks with Google, said Dugmore.

March 26, 2009 3:53 PM PDT

Facebook retools password resets, addresses app

by Elinor Mills

Facebook has changed the way its password reset tool works so that it does not easily verify e-mail addresses to potential spammers, after CNET News contacted it with concerns from an Israeli security expert.

On a separate matter, the company also has asked the maker of the Photo Stalker Facebook app to make it clear that despite the name, the app conforms to Facebook's privacy guidelines.

This is the new message Facebook displays when people reset their passwords.

(Credit: Facebook)

First off, Facebook is making it harder for spammers to mine the site for valid e-mail addresses.

"Last night, we took steps to make sure that our password reset tool is not confirming e-mail addresses," Facebook spokesman Barry Schnitt wrote in an e-mail on Thursday. "Specifically, we now give users the same message whether or not we recognize the e-mail address, and we are adding random amounts of time to the response to ensure that measuring the time isn't an indication of anything."

Previously, when people typed in a legitimate e-mail address on Facebook's password reset page they got a message either saying that their password had been reset or that an e-mail with instructions on how to reset the password had been sent to their e-mail account, thus providing verification that the e-mail address is legitimate. When a fake e-mail address was typed in they got a message that said "Unregistered Email. The email address you entered has not been registered."

Now, every password typed in gets the same message: "Your password has been reset. An e-mail has been sent to all contact e-mails associated with your account, including (the one typed in)."

Under the old system, an attacker could easily have built a script to generate random e-mail addresses and test them via the reset page, said Shlomi Narkolayev, an independent security consultant based in Israel. "Someone could make a lot of money by selling the list or using it to spam people directly."

He suggested that Facebook offer a generic message for all password reset attempts so as to throw spammers off the trail of legitimate e-mail addresses.

Facebook initially dismissed the concern when contacted on Tuesday. To get a third opinion, I then consulted with Web security expert Jeremiah Grossman, chief technology officer of WhiteHat Security.

"Yes. Facebook's Web site behavior is a common practice, but that doesn't necessarily mean it's a good thing," Grossman wrote in an e-mail. However, even displaying a generic password reset message could end up revealing whether an e-mail address is legitimate or not, he said. That's because the system takes one amount of time to respond to legitimate e-mail addresses and a different amount to respond to bogus ones that it doesn't immediately find in the database, he said.

"The real lesson here is that Web sites should not use e-mail addresses for usernames," Grossman said.

Well, Facebook came up with a compromise, changing the confirmation message users see.

Facebook, however, didn't make any changes to address an additional concern Narkolayev had with the site's login page. He had complained that an attacker could use a brute force attack on the login page to guess passwords using a program designed to try a large number of options in a systematic way.

To prevent such attacks, Facebook should require people to type in Captchas with each login and password reset attempt, Narkolayev said.

To that point, Schnitt said Facebook blocks accounts if someone tries too many incorrect passwords and that users would find it "unwieldy" to have to fill in a Captcha every time they mistyped a wrong password or e-mail address.

Narkolayev said he was able to try wrong passwords 50 times before being blocked. He suggested the site present a Captcha after four attempts and block the account after seven attempts so "the user will not 'suffer from the Captcha' and the system will be safe from brute force and dictionary attack."
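The two fixes Facebook described (one message for every reset request, plus a random delay so the lookup cannot be timed) together with the captcha-after-four, lock-after-seven policy Narkolayev proposed, as an added example in Python. This is not Facebook's code; the thresholds, the PBKDF2 storage and the `sleep` hook (injected so the flow can be exercised without really waiting) are assumptions of the example.

```python
import hashlib
import hmac
import os
import random
import secrets
import time

CAPTCHA_AFTER = 4        # thresholds suggested in the article (assumed policy)
LOCK_AFTER = 7
PBKDF2_ROUNDS = 100_000
RESET_MESSAGE = ("Your password has been reset. An e-mail has been sent to all "
                 "contact e-mails associated with your account.")


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Used when the e-mail is unknown so the failure path costs the same as a real check.
_DUMMY_SALT, _DUMMY_HASH = hash_password("not-a-real-password")


class AccountService:
    """Login and password-reset flows hardened against enumeration and brute force."""

    def __init__(self, users, sleep=time.sleep, min_response_s=0.25, jitter_s=0.25):
        self.users = users            # email -> (salt, digest)
        self.failed = {}              # email -> consecutive failed logins
        self.locked = set()
        self.reset_tokens = {}        # email -> token that would be e-mailed out
        self._sleep = sleep           # injectable so tests need not really wait
        self.min_response_s = min_response_s
        self.jitter_s = jitter_s

    def request_reset(self, email):
        """Same message whether or not the address is registered, with padded, jittered timing."""
        start = time.monotonic()
        if email in self.users:
            self.reset_tokens[email] = secrets.token_urlsafe(32)
        # Pad every response to a floor, then add a random delay, so the branch
        # above is not measurable from the caller's side.
        remaining = self.min_response_s - (time.monotonic() - start)
        self._sleep(max(0.0, remaining) + random.uniform(0.0, self.jitter_s))
        return RESET_MESSAGE

    def login(self, email, password, captcha_ok=False):
        """Returns 'ok', 'bad_credentials', 'captcha_required' or 'locked'."""
        if email in self.locked:
            return "locked"
        fails = self.failed.get(email, 0)
        if fails >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required"
        salt, digest = self.users.get(email, (_DUMMY_SALT, _DUMMY_HASH))
        # Always hash, even for unknown accounts, so unknown and wrong cost the same.
        candidate = hash_password(password, salt)[1]
        if email in self.users and hmac.compare_digest(candidate, digest):
            self.failed.pop(email, None)
            return "ok"
        fails += 1
        self.failed[email] = fails
        if fails >= LOCK_AFTER:
            self.locked.add(email)
            return "locked"
        return "bad_credentials"


if __name__ == "__main__":
    svc = AccountService({"alice@example.com": hash_password("correct horse")})
    print(svc.request_reset("alice@example.com") == svc.request_reset("nobody@example.com"))
    print([svc.login("alice@example.com", "wrong") for _ in range(5)])
```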

The Photo Stalker Facebook app conforms to Facebook's privacy guidelines but still might concern people who think their photos are private.

(Credit: Photo Stalker)

Photo Stalker
Because of its popularity, Facebook gets more scrutiny for privacy and security than other Web sites and services (you can call it the Windows curse), even when it's following common practice or doing more than other sites are doing. The intense attention is merited because of the millions of people who use the site, many of whom may not understand the privacy risks they expose themselves to in their quest to interface with friends on the site.

Take, for instance, the Facebook app called "Photo Stalker." It lets anyone see any Facebook user's public photos, even when they are not friends, just by typing in a name, friend ID, or user ID in a search box. (Thanks to Byron Ng for bringing it to the attention of CNET News.)

While the app does not violate Facebook's privacy guidelines, I'm sure it would still shock many people on Facebook to learn that photos they thought were visible only to friends in their network can so easily be seen by complete strangers.

After being contacted by CNET News about Photo Stalker, Facebook asked the developer of the app, Josh Carcione, to change the name to something less provocative. So far, he hasn't done so. But he did add this message to the app profile page:

"This application does not circumvent Facebook privacy settings to deliver these photos. You can edit the privacy settings on your own photos so that they are not visible to everyone on Facebook, including through this application."

So, you might want to double-check and manually set any photos to "private" that you don't want to be viewable by anyone on Facebook.

March 19, 2009 4:27 PM PDT

Sniffing keystrokes via laser and keyboard power

by Elinor Mills

This screenshot shows varying frequencies of keystrokes, with the arrow pointing to what a stroke on the space bar looks like on a spectrogram.

(Credit: Inverse Path)

VANCOUVER, B.C.--Presenters at the CanSecWest security conference detailed on Thursday how they can sniff data by analyzing keystroke vibrations using a laser trained on a shiny laptop or through electrical signals coming from a PC connected to a PS/2 keyboard and plugged into a socket.

Using equipment costing about $80, researchers from Inverse Path were able to point a laser on the reflective surface of a laptop between 50 feet and 100 feet away and determine what letters were typed.

Chief Security Engineer Andrea Barisani and hardware hacker Daniele Bianco used a handmade laser microphone device and a photo diode to measure the vibrations, software for analyzing the spectrograms of frequencies from different keystrokes, as well as technology to apply the data to a dictionary to try to guess the words. They used a technique called dynamic time warping that's typically used for speech recognition applications, to measure the similarity of signals.

Line-of-sight on the laptop is needed, but it works through a glass window, they said. Using an infrared laser would prevent a victim from knowing they were being spied on.

The only real way to mitigate against this type of spying would be to change your typing position and mistype words, Barisani said.

In the second attack method, the researchers were able to spy on the keystrokes of a computer which was using a PS/2 keyboard through a ground line from a power plug in an outlet 50 feet away.

"Information leaks to the electric grid," said Barisani. "It can be detected on the power plug, including nearby ones sharing the same electric line" as the victim's computer.

The researchers used a digital oscilloscope and analog-digital converter, as well as filtering technology to isolate the victim's keystroke pulses from other noise on the power line.

Their initial test, which took about five days to prepare and perform, enabled them to record individual keystrokes but not continuous data such as words and sentences, though they expect to be able to do that within a few months, Barisani said.

In addition to being used to sniff a neighbor's keystrokes in a nearby room, the attack could be used to sniff data from ATM machines that use PS/2 or similar keypads, Barisani said. The attack does not work against laptops or USB keyboards, he said.

The attacks are similar to other recent research that involves sniffing keystrokes through a wireless antenna.

And of course there is the big daddy of these types of remote sniffing attacks, TEMPEST, which allows someone with a lot of expensive equipment to sniff the electromagnetic radiation emanating from a video display.

The new attacks are easier and can be accomplished at lower cost, the researchers said.

March 16, 2009 5:02 PM PDT

Comcast passwords leaked onto the Web

by Elinor Mills
Updated March 17 9:45 a.m. PST with Comcast saying there were 700 customer names on the list.

A list of 700 usernames and passwords for Comcast customers was removed from document-sharing Web site Scribd on Monday, two months after it was posted there.

Scribd removed the list of what initially looked like thousands of passwords and usernames after being contacted by Brad Stone at The New York Times. Stone wrote that he was contacted by a Comcast customer who happened across the list after doing a search on his own e-mail address on search engine Pipl.

Comcast spokeswoman Jennifer Khoury told The New York Times that the list was probably compiled from phishing or some other related type of attack and not from inside Comcast.

Comcast is freezing the e-mail accounts of customers whose data was exposed and is contacting them, she said.

"We have scrubbed the list that was on ScribD and have found that about 700 names are user ID's that are for Comcast customers, not 8,000," a Comcast spokesman said in an e-mail later. "The other names on the list are either not customers, duplicates or older inactive accounts (no e-mail address currently)."

March 11, 2009 5:46 AM PDT

Lenovo sticking with face recognition tool

by Vivian Yeo

Despite detailed demonstrations that the security of its Veriface face recognition technology can be manipulated to gain unlawful access, Lenovo is keeping current notebook models equipped with it.

In an e-mail interview with ZDNet Asia, a Singapore-based Lenovo representative said the company has "no plans to pull affected models." However, the PC maker does plan to continue to upgrade the face recognition technology.

The technology's vulnerability was demonstrated in December by the Bach Khoa Internetwork Security (BKIS) center in Hanoi, Vietnam.

At the Black Hat security conference last month, researchers Nguyen Minh Duc and Bui Quang Minh presented a paper (PDF) that detailed Veriface's face authentication and the bypass.

According to the paper, tests were performed on Asus, Lenovo, and Toshiba laptops fitted with 1.3-megapixel cameras. The bypass model illustrated that a person was able to log in to the Windows Vista machines using photos or videos to initiate a face recognition process.

"All the applications tested are of their latest versions and are set to Highest Security Level," the researchers wrote in the paper. The technologies were identified as Asus SmartLogon V1.0.0005, Lenovo Veriface III, and Toshiba Face Recognition 2.0.2.32.

Nguyen and Bui added: "Veriface is in fact the least secure of the (three applications) as we can log into the account using a plain image of the owner without much effort."

Lenovo, its representative noted, offers face recognition technology "as an alternative security option for consumers who would like the convenience of not having to remember yet another password." Within the region, Veriface technology is available in Lenovo's IdeaPad notebooks and Netbooks as well as its IdeaCenter desktops.

He added: "Like all technologies, early adoption reveals initial issues that are improved over time and Veriface, which is only used in our consumer range of notebooks, continues to be upgraded. Our advice to concerned consumers is to take basic safety measures to limit their vulnerabilities--store your notebook securely."

Asus and Toshiba did not respond to similar queries from ZDNet Asia.

Asus, Lenovo and Toshiba are said to be the only three vendors offering face recognition technology in the region. Hewlett-Packard announced last year that HP Labs had developed facial recognition technology in collaboration with Tsinghua University in Beijing. However, a Singapore-based representative confirmed that there are no HP products with face recognition technology in the region.

Vivian Yeo of ZDNet Asia reported from Singapore.

January 15, 2009 12:01 PM PST

Google gives Apps admins more password control

by Elinor Mills

Google on Thursday offered administrators of its Premier version of Google Apps more control over the passwords their users choose to access data in Gmail, Docs, and other hosted applications.

Google Apps administrators can now set a minimum password length and will be able to see how strong each user's password remains over time. They can then suggest that users change them if the passwords become weakened. Password strength degrades as the words and names on which they are based become more common and more subject to dictionary attacks.

"Customers were asking for (this) and looking for better visibility" into their end users' security choices, said Eran Feigenbaum, director of security for Google Apps.

The experience for end users will not change. Users of the premier version, typically corporations and educational institutions, are able to see a visual gauge of the strength of their passwords when they create them, as users of the free consumer Google Apps can.

More information is available on the Google Enterprise Blog. Google password tips are here.

Experts say stronger, more secure passwords are longer, have little resemblance to a common word, and have more upper-case and special characters.

September 8, 2008 12:05 PM PDT

UsableLogin lets you use one password for all sites

by Elinor Mills
SAN DIEGO--The password problem may finally be solved!

Usable Security Systems announced here at DemoFall on Monday a new service that will let people use one password on any site on the Web.

Basically, you will only have to remember one codeword for all the sites you log into, once the UsableLogin service launches in early 2009, says Rachna Dhamija, CEO and founder of Usable Security Systems.

The authentication service strengthens the codeword you choose by cryptographically combining it with additional random bits of data. The additional data is different for each site accessed and is dispersed on your PC and on Usable Security servers. That renders the codeword impossible for anyone else to guess but easy for you to remember.

Usable Security doesn't store or save the codeword, and it isn't displayed to Web sites.

The service allows you to view log-in activity across all your accounts through one dashboard. You can personalize your log-in with images you supply or pick from options so that you are assured that you are at the legitimate log-in. The service can be configured so that you can use it on different computers, such as at home and at work, but still remember only the one codeword.

Consumers will be able to download a browser extension that displays a UsableLogin box for free. It works with any site that accepts passwords and works with any operating system or browser.

Web sites will be able to offer the authentication service to their customers, for a fee that has yet to be determined, Dhamija says. The sites will be able to insert a snippet of JavaScript on their sites so the log-in box will be displayed.

In the future, the service will allow browsers to automatically remember the codeword for each session, she says.
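An added example of the construction the article describes: one codeword is stretched with random per-site data split between the user's PC and the provider's server, so each site receives a different derived password and neither store ever holds the codeword. This is an illustration in Python, not UsableLogin's own scheme; the PBKDF2 stretching, the 16-byte shares, the single-user stores and the base64 output alphabet are assumptions of the example.

```python
import base64
import hashlib
import os

PBKDF2_ROUNDS = 100_000


class Device:
    """The user's PC: holds a random per-site local share, never the codeword."""

    def __init__(self):
        self.shares = {}          # site -> 16 random bytes


class UsableServer:
    """The provider's server: holds the per-site server share and a login log,
    never the codeword and never the derived site password."""

    def __init__(self):
        self.shares = {}          # site -> 16 random bytes (single user assumed)
        self.activity = []        # sites fetched, feeding the dashboard view

    def share_for(self, site):
        if site not in self.shares:
            self.shares[site] = os.urandom(16)
        self.activity.append(site)
        return self.shares[site]


def derive_site_password(codeword, site, local_share, server_share, nbytes=12):
    """Stretch the codeword with a salt built from the site name and both shares.

    Without both random shares the output cannot be reproduced, so guessing the
    codeword alone (the article's 'impossible for anyone else to guess') is not
    enough; 12 key bytes become a 16-character password any site will accept.
    """
    salt = hashlib.sha256(site.encode() + local_share + server_share).digest()
    key = hashlib.pbkdf2_hmac("sha256", codeword.encode(), salt, PBKDF2_ROUNDS)
    return base64.b64encode(key[:nbytes]).decode()


def site_login(codeword, site, device, server):
    """Client-side flow: fetch both shares, derive, and hand the site only the result."""
    if site not in device.shares:
        device.shares[site] = os.urandom(16)
    return derive_site_password(codeword, site, device.shares[site],
                                server.share_for(site))


if __name__ == "__main__":
    dev, srv = Device(), UsableServer()
    print(site_login("marigold", "bank.example", dev, srv))
    print(site_login("marigold", "mail.example", dev, srv))
```

Moving the local shares to a second computer (the "home and work" case in the article) is what lets that computer reproduce the same site passwords from the same codeword.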

On average users have about 25 accounts and users log in about eight times a day, she said in her demo.

Updates with announcement taking place.

Originally posted at Webware