Posted 10/07/09 at 12:00:02 PM by Paul Lilly
Over 10,000 Hotmail email accounts were leaked to the web earlier this week as the result of a massive phishing scam, which may not have taken a whole lot of effort. After all, if you're going to choose "123456" as your password, compromising your account is like shooting fish in a barrel.
In this case, there were 64 said fish in a barrel full of over 10,000 compromised Hotmail accounts, making it the most commonly used password of the bunch, according to a researcher who combed through all the posted accounts.
About 42 percent of the passwords consisted of lowercase letters from "a" to "z," and just 6 percent secured their email accounts by mixing alpha-numeric characters. And almost 2,000 passwords were only six characters long (the longest was 30 characters).
An interesting side note - a bunch of the top 20 passwords were Spanish names, which might suggest that the victims were of Spanish origin or lived in Spanish-speaking communities, Wired.com reports.
Posted 03/17/09 at 02:54:54 PM by Andy Salisbury

Comcast has frozen more than 8,000 user names and passwords for Comcast email addresses, a full two months after they were uncovered on the document-sharing site, Scribd.
Scribd reportedly has removed the list thanks mostly to The New York Times’ Brad Stone, who told them once he caught wind of the matter. Stone, who was contacted by one of the customers on the list, writes, “The list on Scribd was one of four results, and it also included his password, which was a riff on his love for a local sports team. Statistics on Scribd indicated that the list, which was uploaded by someone with the user name vuthanhan2004, had been viewed over 345 times and had been downloaded 27 times.”
Comcast claims that the account information ended up on the list through a series of phishing attacks on users, and that it wasn’t an internal leak.
Posted 03/13/09 at 09:15:46 AM by Paul Lilly
Password. Letmein. Asdf. Blahblah. Monkey. 1234. These are just some of the most commonly used passwords being used around the web, but even worse than using a boneheaded password is using the same one for every registered website. Nothing new, right?
Apparently it is, at least for one-third of respondents who participated in an online survey conducted by security outfit Sophos. According to Sophos, only 19 percent of respondents said they never use the same password for multiple websites. Almost half admitted to using a few different passwords, and 33 percent fessed up to using the same password all the time.
To state the obvious, using a single password for multiple websites makes it easy for hackers to wreak more havoc should the password become compromised. But obvious as basic security may seem, it's not being practiced by many. Recent examples include high profile Twitter account hijackings, including the ones belonging to President Barack Obama, Britney Spears, and Fox News, and the discovery that the population at large continues to use unimaginative passwords, such as selecting their first name.

Posted 02/18/09 at 03:00:00 PM by Josh Kampschmidt
More likely than not, you’ve been asked in the past to help fix one of your friend’s or relative’s computers. Most of the time, the problems you’ve been brought in to remedy are basic malware or virus infections that you can address by grabbing the appropriate diagnostic and software removal tools stored in your trusty USB toolkit. But once in a while, you’ll be faced with a novice struck with the most basic and frustrating of problems: forgetting their Windows administrator login password. With no way to get into the system, you can’t even perform basic maintenance, let alone a thorough tune-up. Formatting is always an option, but we consider that a last resort. (Plus, guess who’s going to have to help reinstall all the programs lost after a wipe?) But all hope is not lost. There are a few ways to actually retrieve a lost Windows account password. Read on and we’ll show you the light.
Posted 01/29/09 at 10:00:04 AM by Paul Lilly
Google's rap sheet when it comes to goofy exploits gives us pause to wonder if the company might be spending too much time concentrating on Cloud computing and not enough on security fundamentals. Back in July of last year, a SecurTeam blog exposed a Google Calendar flaw which made it possible to expose any Gmail user's real name with minimal effort. More recently, an exploit in Gmail allowing hackers to redirect your email was discovered. Now someone has stumbled onto an interesting vulnerability in Google's Chrome browser.
When you visit a site with an HTTP password-protected directory -- or try logging into your router, such as 192.168.1.1 for Linksys owners -- an Authentication Required pop-up appears asking for your login credentials. Your password should look something like ••••••••, but according to NeoBlog user tekmosis, if you let Chrome save your credentials to auto-fill the form, the next time you log in, copying and pasting the hidden password into a plain text application will reveal the actual ASCII characters.
We put tekmosis' discovered exploit to the test and as it turns out, you don't even need to have Chrome save anything. We tried logging into our router, typed our password, and it was immediately revealed when we copied/pasted it into Notepad.
While it might take a little work on the part of a hacker to take advantage of this vulnerability, it's one that should never have existed in the first place. You could make an argument that all exploits should never have existed, but this one just seems like a particularly glaring oversight.
Posted 01/27/09 at 08:40:36 AM by Pulkit Chandna
Leading jobs portal Monster.com has warned its users against a fresh instance of private information theft, which happens to be the second such case in the past 18 months. The security breach has not only tarnished its security record further but also dealt a heavy blow to the trust that users have posited in it.
It issued the warning on its website, in what appears to be a less-frequented section, and opted against directly contacting the users. The company began its statement by downplaying the security breach: “as is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database.”
It claims to have taken the necessary “corrective steps” immediately after discovering the security breach. It has asked users to reset their passwords on their own, though they will eventually be forced to make the change. The company says that the exposed data includes user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. Resumes and sensitive data are said to be safe.
Monster.com has also advised users that they need to be more vigilant and watch out for specious emails claiming to be from the company.

Posted 01/07/09 at 09:22:09 AM by Pulkit Chandna
A hacker who uses the pseudonym GMZ accepted responsibility for the recent Twitter hack in an IM interview with Threat Level on Tuesday. He divulged few personal details except that he is an 18-year-old student on the East Coast. It is also known that he is a member of the online forum for hackers called Digital Gangster; forum members had claimed that GMZ was responsible for the hack even before the hacker owned up.
He revealed that he successfully gained access to the account of a female Twitter staffer named “Crystal.” He had serendipitously stumbled upon her account and had no idea that she was a Twitter staff member with administrative control. He then proceeded to hack her account using a dictionary attack.
The program didn’t have to break a sweat as she was using the password “happiness.” Her flimsy password coupled with Twitter’s primeval security, which allows rapid-fire log-in attempts, led to several high profile Twitter accounts, including the ones belonging to President-elect Barack Obama and Fox News, being compromised.

Posted 09/02/08 at 08:30:18 PM by Pulkit Chandna
A computer worm primarily targeted at online gamers has found a very odd prey in the form of the International Space Station. NASA confirmed last week that a computer worm had boarded the International Space Station and infected at least one laptop. Fortunately, though, none of the mission-critical systems were affected by the password-grabbing worm. NASA hasn’t revealed the name of the worm, but a website says that it is W32.Gammima.AG. Most of you might find the entire episode quite surprising and amusing, but the folks at NASA seem to be inured to computer worms aboard the ISS because this is not the first such instance.
