October 23, 2014

In Brief: Facebook fixes serious password reset vulnerability

(LiveHacking.Com) – Facebook has fixed a serious vulnerability in its password reset mechanism after Sow Ching Shiong, an independent vulnerability researcher, discovered a flaw that allowed hackers to change the passwords of accounts they had already compromised without knowing the user’s current password.

Normally, an authenticated Facebook user must enter their current password on the change-password page, which prevents someone who has gained access to a logged-in account from changing the password without the owner’s knowledge. However, Ching Shiong found that it was possible to change a user’s password without knowing the old one by first visiting the URL “https://www.facebook.com/hacked”. That page automatically redirected to the compromised-account recovery flow, where the previous password was not required.

Facebook has now addressed this issue and users are prompted to enter their old passwords before setting a new one. Sow Ching Shiong has been added to Facebook’s list of white hats. 

“This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report,” wrote Sow Ching Shiong on his blog.

Skype moves quickly to fix account hijacking flaw

(LiveHacking.Com) – The last 36 hours have been a bit manic for Microsoft’s Skype business. A vulnerability that was discovered three months ago went public when its details were shared on the news discussion site Reddit. The flaw allowed malicious users to reset the password for any account without having access to the target account’s email address. Skype’s first move was to disable the password reset function.

To exploit the flaw, an attacker creates a new Skype account using an email address that is already associated with the target’s existing account. When a password reset is then requested for the target’s username, the “Password token” notification also appears in the attacker’s Skype client. Clicking the “more info” button on that notification gives the attacker the password reset link, which leads to a page on the Skype website where the password can be changed. At no point does the attacker need access to the target’s email account.

Dmitry Chestnykh, who is credited with originally finding the bug, has posted a record of a chat conversation with Skype Live Support in which he points out that he received a welcome email for a Skype account he did not create. It was Skype’s failure to verify email addresses at sign-up that led to the discovery of the password reset vulnerability. The chat log is from August, so if it is genuine, Skype’s password reset mechanism was vulnerable for several months.

After suspending the password reset service, Skype issued a statement in which it said, “This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution.” It then worked to fix the flaw and said it has made “updates to the password reset process today so that it is now working properly.”

Skype says that it believes only “a small number of users” may have been affected by the security vulnerability and that it is reaching out to users who may have been impacted to assist as necessary. It also offered the obligatory “we care about security” statement: “Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.”
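Both stories above are the same class of bug: a path that sets a new password without a proof that the caller is the account owner. The following is an added example, not Facebook’s or Skype’s code, of a toy account service that enforces the three checks the articles imply: registration refuses an email address already attached to another account, an authenticated password change demands the current password on every path, and a reset token is only ever delivered to the verified mailbox, never surfaced in the client UI. The data model, function names and PBKDF2 hashing are assumptions for the demo.

```python
"""Added example (not Facebook's or Skype's code): a toy account service showing
the password-reset mistakes described above and the checks that close them.
Assumed for the demo: the data model, function names and the PBKDF2 hash."""
import hashlib
import hmac
import os
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the demo self-contained; use a dedicated password hash in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    def __init__(self):
        self.accounts = {}        # username -> {"email", "verified", "salt", "hash"}
        self.reset_tokens = {}    # token -> username (single use)
        self.outbox = []          # (email, token) pairs "sent" out of band
        self.client_notices = []  # (username, message) shown inside the client

    # Registration: the Skype bug was accepting an already-used, unverified email.
    def register(self, username, email, password):
        if any(a["email"] == email for a in self.accounts.values()):
            raise ValueError("email already registered")
        salt = os.urandom(16)
        self.accounts[username] = {"email": email, "verified": False,
                                   "salt": salt, "hash": _hash(password, salt)}

    def verify_email(self, username):
        self.accounts[username]["verified"] = True

    def check_password(self, username, password):
        a = self.accounts[username]
        return hmac.compare_digest(a["hash"], _hash(password, a["salt"]))

    # Authenticated change: the Facebook bug skipped the current-password proof.
    def change_password(self, username, current, new):
        if not self.check_password(username, current):
            raise PermissionError("current password required")
        self._set(username, new)

    # Reset: the token goes only to the verified mailbox, never to the client UI.
    def request_reset(self, username):
        a = self.accounts[username]
        if not a["verified"]:
            raise PermissionError("email not verified; cannot reset")
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = username
        self.outbox.append((a["email"], token))
        self.client_notices.append((username, "reset requested; check your email"))

    def reset_with_token(self, token, new):
        username = self.reset_tokens.pop(token, None)   # one use only
        if username is None:
            raise PermissionError("invalid or used token")
        self._set(username, new)

    def _set(self, username, new):
        salt = os.urandom(16)
        self.accounts[username].update(salt=salt, hash=_hash(new, salt))


def demo():
    """Walk an attacker through each blocked path; returns what was observed."""
    svc = AccountService()
    svc.register("victim", "victim@example.com", "Correct-Horse-1")
    svc.verify_email("victim")
    results = {}
    try:                      # cannot claim the victim's email for a second account
        svc.register("attacker", "victim@example.com", "x")
        results["dup_email_blocked"] = False
    except ValueError:
        results["dup_email_blocked"] = True
    try:                      # cannot change the password without the current one
        svc.change_password("victim", "wrong", "pwned")
        results["change_needs_current"] = False
    except PermissionError:
        results["change_needs_current"] = True
    svc.request_reset("victim")
    _email, token = svc.outbox[-1]
    results["token_in_client_ui"] = any(token in msg for _, msg in svc.client_notices)
    svc.reset_with_token(token, "New-Pass-2")
    results["new_password_works"] = svc.check_password("victim", "New-Pass-2")
    results["token_single_use"] = True
    try:
        svc.reset_with_token(token, "again")
        results["token_single_use"] = False
    except PermissionError:
        pass
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the split between `outbox` and `client_notices` is that a reset token is a bearer credential: anything that shows it to a session other than the verified mailbox (as the Skype client did) hands the account to whoever holds that session.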


What were the 25 worst passwords of 2012

(LiveHacking.Com) – This year has seen many high-profile data breaches, including Yahoo and LinkedIn, in which user information, including passwords, was taken from supposedly secure servers. The humble password remains the single most used method of authentication, covering a whole range of services from email to online payment systems and online shopping. The problem is that a large portion of people still don’t take passwords seriously.

SplashData has published its annual “25 Worst Passwords of the Year” list and, unsurprisingly, last year’s top three, “password”, “123456” and “12345678”, still hold the top three spots in 2012. These aren’t imaginary passwords or screen-saver locks on the kids’ PC; they are real passwords compiled from files of stolen credentials posted online by hackers.

There are, however, some new entries in the top 25 this year, including “welcome”, “ninja”, “mustang” and “password1”. They only go to show the lack of imagination people have when creating a new password.

According to howsecureismypassword.net, a modern cracking system can break an 8-character password made up only of lowercase letters in less than a minute, whereas a 10-character password mixing uppercase letters, lowercase letters, digits and symbols would take 58 years. The difference is keyspace: 26^8 is roughly 2 x 10^11 candidates, while a 94-character set raised to the 10th power is over 5 x 10^19, and the exact figure quoted depends on the guess rate the calculator assumes. Estimates like this describe an offline attack on a stolen hash; against a rate-limited login page the numbers are very different.

I therefore recommend passwords of at least 10 characters with mixed case, digits and symbols. A random password in this style would be something like sKy12get33%, but that is hard to remember. An easier-to-remember password that still meets these criteria might be something like gon3%Home!

You should always avoid using the same username and password combination on multiple websites. When LinkedIn was hacked this year, the biggest danger was not unauthorized access to LinkedIn itself (it quickly forced users to change their passwords) but that, where the same username and password had been reused elsewhere, cyber-criminals could gain access to email accounts or services like eBay.

Here is the full top 25 list of passwords you should definitely avoid!

1. password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)
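To put numbers behind the howsecureismypassword.net estimate and the recommendation above, here is an added example (not SplashData’s or LiveHacking’s code) that computes the worst-case brute-force time from a password’s length and character classes, and checks a candidate against the article’s advice: at least 10 characters, all four classes, and not on the top-25 list printed above. The guess rate of 10^10 per second is an assumed round figure for a GPU rig against a fast hash; the class sizes come from the printable ASCII set.

```python
"""Added example (not SplashData's or LiveHacking's code): keyspace arithmetic
behind the cracking-time estimate, plus a policy check built from the article's
advice. The 1e10 guesses/second rate is an assumption."""
import math
import string

# The 2012 SplashData list exactly as printed above.
WORST_25 = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567", "sunshine",
    "master", "123123", "welcome", "shadow", "ashley", "football", "jesus",
    "michael", "ninja", "mustang", "password1",
}

# Printable ASCII classes: 26 + 26 + 10 + 32 = 94 characters in total.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search of this length must try."""
    return charset_size ** length


def charset_size(password: str) -> int:
    """Size of the union of the classes actually present in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def brute_force_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the keyspace implied by length and classes."""
    return keyspace(charset_size(password), len(password)) / guesses_per_second


def check_policy(password: str) -> list:
    """Return the reasons a password fails the article's recommendation (empty = ok)."""
    problems = []
    if password.lower() in WORST_25:
        problems.append("on the 2012 worst-25 list")
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    used = {name for name, chars in CLASSES.items() if any(c in chars for c in password)}
    if len(used) < 4:
        problems.append("missing classes: " + ", ".join(sorted(set(CLASSES) - used)))
    return problems


if __name__ == "__main__":
    for pw in ["password1", "monkey123", "sKy12get33%", "gon3%Home!"]:
        bits = math.log2(keyspace(charset_size(pw), len(pw)))
        years = brute_force_seconds(pw) / 31_557_600
        print(f"{pw:14} keyspace=2^{bits:.1f}  worst-case={years:.2e} years  "
              f"problems={check_policy(pw)}")
```

Note that `brute_force_seconds` is an upper bound for a password chosen uniformly at random; a password like "gon3%Home!" is really a dictionary word with substitutions, which a rule-based cracker will try long before it exhausts 94^10, so the list check matters more than the arithmetic.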


8 million passwords posted online from German gaming website Gamigo

(LiveHacking.Com) – The German gaming website Gamigo was hacked in February and over 8 million e-mail addresses and passwords were stolen. The passwords, which were hashed, were dumped on the password-cracking forum InsidePro. Now, four months later, forum members have cracked the great majority of the hashes.

A user on the forum who claims to have cracked the one-way hashes has recovered the plaintext for 94% of the passwords. PwnedList, a service that lets people check whether their online accounts have been compromised, told Forbes that the cracked list contains 8.2 million unique email addresses. Of those 8.2 million, 3 million are from the USA, 2.4 million from Germany and 1.3 million from France.

For those who aren’t familiar with Gamigo, it is a publisher of massively multiplayer online role-playing games (MMORPGs) with a repertoire of 14 client games and five browser-based games, and, as the dump shows, over 8 million users worldwide.

After the original hack, back in February, Gamigo sent an email to its users which confirmed that there “was an attack on the Gamigo database in which user information, such as alias usernames and encrypted passwords were stolen.” All passwords were then reset for all Gamigo games.

While the cracked passwords are unlikely to work on the Gamigo site itself because of the forced resets, users should check that they aren’t using the same username and password on any other sites, since that is where a cracked list does its damage.

In terms of size, this is the biggest cache of passwords stolen this year. Previously this unwanted honor fell to LinkedIn who had over 6 million passwords stolen.

Yahoo! fixes security holes which let hackers in but password list still available online

(LiveHacking.Com) – Yahoo has fixed the flaws in its Yahoo! Contributor Network that allowed hackers to steal details of over 450,000 accounts and publish them online. In a post on its corporate blog, Yahoo confirmed that the stolen data was a standalone file containing approximately 450,000 email addresses and passwords belonging to writers who had joined Associated Content prior to May 2010, when it was acquired by Yahoo!.

“We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users.  In addition, we will continue to take significant measures to protect our users and their data,” wrote Yahoo.

The hack was performed by a group going by the name ‘d33ds’. The hackers got the details from the Yahoo.com subdomain dbb1.ac.bf1.yahoo.com using, it is thought, a SQL injection. The passwords extracted were stored in clear text. The details were posted, for a short time, on the group’s website, but the massive traffic generated took its servers offline. The group has now moved the archive to other third-party servers and the file is still available.

An analysis of the credentials showed that the most common passwords were: 123456, password, welcome, ninja, abc123, 123456789, 12345678 , sunshine, princess and qwerty.

For users who joined the then Associated Content before May 2010 and used a Yahoo! email address, Yahoo! recommends that they log in and answer the series of authentication questions to change their password.
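The two failures reported here, a suspected SQL injection and clear-text password storage, compound each other: the injection turns a single-row lookup into a dump of the table, and clear text means the dump is immediately usable. The following is an added example, not Yahoo’s code, that builds a login lookup by string concatenation against an in-memory sqlite3 table, shows the tautology that dumps it, and contrasts the parameterised form. The table, its rows and the PBKDF2 storage helper are constructed for the demo; nothing here is known about Yahoo’s actual schema or query.

```python
"""Added example (not Yahoo's code): an sqlite3 login lookup built by string
concatenation, the injection that turns it into a credential dump, and the
parameterised form that resists it. Table, rows and hashing are constructed."""
import hashlib
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample: a contributor-account table with clear-text passwords.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice@example.com", "sunshine"),
        ("bob@example.com", "ninja"),
        ("carol@example.com", "princess"),
    ])
    return db


def login_vulnerable(db, email: str, password: str) -> list:
    # User input is spliced straight into the statement: the classic injection bug.
    sql = (f"SELECT email, password FROM users "
           f"WHERE email = '{email}' AND password = '{password}'")
    return db.execute(sql).fetchall()


def login_parameterised(db, email: str, password: str) -> list:
    # Placeholders keep the input as data; the quote characters never reach the parser.
    sql = "SELECT email, password FROM users WHERE email = ? AND password = ?"
    return db.execute(sql, (email, password)).fetchall()


# A tautology in the WHERE clause: AND binds tighter than OR, so the trailing
# OR '1'='1' makes the predicate true for every row.
INJECTION = "x' OR '1'='1"


def dump_via_injection(db) -> list:
    """What the attacker sees: every (email, password) row in the table."""
    return login_vulnerable(db, INJECTION, INJECTION)


def parameterised_resists(db) -> list:
    """The same payload through the safe query matches no row."""
    return login_parameterised(db, INJECTION, INJECTION)


def store_hashed(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 storage: even a successful dump would not yield passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


if __name__ == "__main__":
    db = make_db()
    print("dumped:", dump_via_injection(db))
    print("parameterised:", parameterised_resists(db))
    print("stored form:", store_hashed("sunshine")[1].hex())
```

The fix is not escaping quotes by hand but keeping the query shape fixed and passing values separately, which is what the `?` placeholders do; the hashing helper is the second, independent layer that would have made even a complete dump far less useful.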

Over 450,000 Yahoo accounts hacked and published online

(LiveHacking.Com) – A group going by the name ‘d33ds’ has reportedly taken details of 450,000 accounts from the Yahoo.com subdomain dbb1.ac.bf1.yahoo.com. It is thought that a SQL injection was used to extract the account information from a Yahoo! database. The passwords extracted were in clear text. The details were posted online on the group’s website, which now appears to be offline.

Before the list went offline, security researcher Anders Nilsson was able to run an analysis using the password analyzer Pipal to discover the most common passwords and email domains. The full password analysis is on Pastebin. The top 10 passwords were: 123456, password, welcome, ninja, abc123, 123456789, 12345678, sunshine, princess and qwerty.

Other interesting statistics from the analysis: most passwords were 6 to 9 characters long (over 71%), half of the passwords used only lowercase alphanumeric characters, and one third used only lowercase letters.

Stratfor Site Still Down as Password Analysis Reveals Weaknesses

(LiveHacking.Com) – Stratfor.com, the website of global intelligence analysis firm Strategic Forecasting Inc., remains offline after the Christmas Eve hacker attack. The site currently says that Stratfor is investigating the security breach and is working diligently to prevent it from ever happening again. Stratfor will only restore the website once its security review is finished.

In the meantime, the nearly one million records stolen by the hackers have been published online, and The Tech Herald has examined the list of password hashes and started cracking them, with surprising results. The passwords, which were stored as MD5 hashes, were cracked using a variety of methods including dictionary and brute-force attacks. Using the Hashcat password recovery tool (with GPU processing) the Tech Herald team managed to crack 81,883 of the 860,160 published password hashes in under 5 hours; that is roughly 270 passwords per minute. Why so fast? Because the passwords were weak, and when I say weak, I mean stupidly weak: one account even had the password ******, yes, six asterisks.

Using just a set of small word lists made up of common passwords, names and words from the King James Bible, the team cracked nearly 26,000 passwords in 7 minutes. The team then went on to use larger and larger word lists, including words and phrases from other languages (such as Russian and Italian), surnames and common keyboard combinations (e.g. 123ewqasd).

Some of the interesting passwords found include:

  • 111222333444
  • 12345stratfor
  • blackberry
  • blockbuster
  • globalization
  • hello123
  • qwerty
  • password
  • mypassword1
  • stratfor
  • Password123
  • washington
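The reason a wordlist plus a few mangling rules recovers tens of thousands of MD5 hashes in minutes is that MD5 is fast and, when unsalted, one hash computation tests a candidate against every account at once. The following is an added example, not The Tech Herald’s hashcat run, of a pure-Python dictionary attack with a tiny rule set (capitalisation, a numeric suffix, a numeric prefix). The “leaked” hashes are constructed here from a few of the passwords listed above plus one strong one; the wordlist and rules are assumptions, and the article does not say whether Stratfor’s hashes were salted.

```python
"""Added example (not The Tech Herald's hashcat run): a pure-Python dictionary
attack on unsalted MD5 hashes. The dump is constructed from passwords listed in
the article plus one strong password; wordlist and rules are assumed."""
import hashlib
import itertools

# Constructed dump: unsalted MD5 of a few passwords from the list above.
CONSTRUCTED_DUMP = {
    "alice": hashlib.md5(b"stratfor").hexdigest(),
    "bob": hashlib.md5(b"Password123").hexdigest(),
    "carol": hashlib.md5(b"12345stratfor").hexdigest(),
    "dave": hashlib.md5(b"hello123").hexdigest(),
    "erin": hashlib.md5(b"******").hexdigest(),
    "frank": hashlib.md5(b"Xq7!vLr2@pZm").hexdigest(),  # the one strong password
}

# Small base wordlist: common passwords, the company name, a city, a few words.
WORDLIST = ["password", "stratfor", "qwerty", "hello", "washington", "******"]
SUFFIXES = ["", "1", "123"]
PREFIXES = ["", "12345"]


def candidates(words):
    """Yield each word with case and affix rules applied (a tiny rule set)."""
    for w in words:
        for base in {w, w.capitalize()}:
            for pre, suf in itertools.product(PREFIXES, SUFFIXES):
                yield pre + base + suf


def crack(dump: dict, words) -> dict:
    """Map user -> plaintext for every hash recovered. Because the hashes are
    unsalted, each candidate costs one MD5 no matter how many accounts exist."""
    wanted = {}                               # hash -> [users sharing it]
    for user, h in dump.items():
        wanted.setdefault(h, []).append(user)
    found = {}
    for cand in candidates(words):
        h = hashlib.md5(cand.encode()).hexdigest()
        for user in wanted.pop(h, []):
            found[user] = cand
        if not wanted:                        # nothing left to crack
            break
    return found


if __name__ == "__main__":
    hits = crack(CONSTRUCTED_DUMP, WORDLIST)
    print(f"cracked {len(hits)}/{len(CONSTRUCTED_DUMP)}: {hits}")
```

With a per-user salt the `wanted` lookup table collapses: every candidate has to be hashed once per account, and with a deliberately slow hash such as bcrypt or PBKDF2 the 270-per-minute figure drops by orders of magnitude. The strong password is never recovered regardless, which is the user-side lesson of the list above.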

Worm Tries to Crack Weak Passwords on Remote Desktop Connections

(LiveHacking.Com) – Microsoft has published details of a worm called Morto which attempts to break into remote servers running Windows Remote Desktop. The worm compromises systems by guessing weak administrator passwords. Once a new system is compromised, it connects to a remote server to download additional information and update its components. It also terminates processes belonging to locally running security applications to ensure its activity continues uninterrupted.

As with all accounts, both local and remote, it is essential for users and system administrators to set strong passwords. According to Microsoft, the worm tries the following passwords:

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user
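A worm working through a list like the one above leaves a distinctive trace on the target: a burst of failed RDP logons (Windows Security Event ID 4625 with Logon Type 10, RemoteInteractive) from one source address against the administrator account, and, if a guess lands, a successful logon (Event ID 4624) from the same address straight afterwards. The following is an added example, not Microsoft’s detection logic, that runs a sliding-window count over constructed log lines and escalates the alert when a success follows the burst. The CSV field layout, the five-failures-in-two-minutes threshold and the sample events are all assumptions for the demo.

```python
"""Added example (not Microsoft's detection): flag a Morto-style RDP
password-guessing burst in Windows Security log events. Events are constructed
and simplified to CSV; thresholds are assumed."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: one guessing burst that succeeds, one user who fumbles a
# password twice, and one console (logon type 2) failure that must be ignored.
SAMPLE_LOG = """\
time,event_id,logon_type,account,source_ip
2011-08-28T10:00:01,4625,10,Administrator,203.0.113.7
2011-08-28T10:00:02,4625,10,Administrator,203.0.113.7
2011-08-28T10:00:02,4625,10,Administrator,203.0.113.7
2011-08-28T10:00:03,4625,10,Administrator,203.0.113.7
2011-08-28T10:00:03,4625,10,Administrator,203.0.113.7
2011-08-28T10:00:04,4625,10,Administrator,203.0.113.7
2011-08-28T10:00:05,4624,10,Administrator,203.0.113.7
2011-08-28T10:05:00,4625,10,jsmith,198.51.100.20
2011-08-28T10:05:30,4625,10,jsmith,198.51.100.20
2011-08-28T10:06:00,4624,10,jsmith,198.51.100.20
2011-08-28T10:20:00,4625,2,svc_backup,-
"""


def parse(text: str) -> list:
    """Turn the CSV export into typed event dicts."""
    return [{"time": datetime.fromisoformat(r["time"]),
             "event_id": int(r["event_id"]),
             "logon_type": int(r["logon_type"]),
             "account": r["account"],
             "source_ip": r["source_ip"]}
            for r in csv.DictReader(StringIO(text))]


def detect(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> dict:
    """Alert per source IP whose RDP failures within `window` reach `threshold`;
    escalate if a successful RDP logon from that IP follows the burst."""
    recent = defaultdict(deque)      # source_ip -> timestamps of recent 4625s
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["logon_type"] != 10:    # only RemoteInteractive (RDP) logons
            continue
        ip = e["source_ip"]
        if e["event_id"] == 4625:
            q = recent[ip]
            q.append(e["time"])
            while e["time"] - q[0] > window:
                q.popleft()          # drop failures outside the sliding window
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"accounts": set(), "severity": "brute-force"})
                a["accounts"].add(e["account"])
                a["failures"] = len(q)
        elif e["event_id"] == 4624 and ip in alerts:
            alerts[ip]["severity"] = "success-after-brute-force"
            alerts[ip]["compromised_account"] = e["account"]
    return alerts


if __name__ == "__main__":
    for ip, a in detect(parse(SAMPLE_LOG)).items():
        print(ip, a)
```

The window keyed on source address rather than on account is deliberate: the worm’s list is short and it may try several accounts, but it comes from one host. Account lockout would stop the guessing outright, and an administrator account whose password appears anywhere in the list above should be changed before worrying about detection.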

Microsoft reports that although the overall number of computers reporting detections is low in comparison to more established malware families, the traffic the worm generates is noticeable.