Friday, January 2, 2009

About that password thing...

I retweeted this alarming post from @JennKim last night regarding a Twitter scam site:


@JennKim Think twice before leaving your Twitter password http://tinyurl.com/7wq2gt


From the article linked above...


Twply, the Twitter site that promised to email your replies to your inbox while protecting your password, appears to have tweeted a promotional message for the service on your account even if you opted out of this option. To add insult to injury, the site was sold today on Sitepoint for $1200, just one day after launch. The site, which required you to enter your Twitter password, has now sold that confidential data to the winning bidder - site user worldbuyer.


Sucks! Also I'm sorry if you are reading this and were burned by this service. BUT, yeah, never trust anyone with your passwords.


This is the new face of the electronic security compromise. People don't place the same importance on their online passwords as they do on, say, the PIN for their bank cards.


If you spend a lot of time online, you really, really should. Why?

  • People use the same passwords for multiple sites.

    It is unfortunate, but it's a reality that won't change as long as we are human. The password system does sort of suck, but it's what we have until the populace gets comfortable with digital keys. You don't have to have a different password for every occasion; I try to have three or four rotating strong passwords that I use at different sites. The bad news on this front is that some places (often financial firms) won't let you use strong passwords with characters like @ # $ % or & in them. Dumb but true. So what ends up happening is that people pick the weakest but most compatible password they can remember, and they use it everywhere.



    We also use the same login for multiple sites; more on that below.



    Fix: Generate 3 good passwords and use a password manager on your PDA or phone. You don't have to use the password manager every time, but it can jog your memory when you forget.



  • Website security is always much worse than you think.
    Take it from an insider: if a website wants your username and password so that it can access another website on your behalf, it is going to store that username and password in a database in PLAIN TEXT, with no encryption and only the most basic of protections.



    It is often only marginally better if you are submitting your username and password to a forum. The passwords might be encrypted, but that encryption can be reversed as well. It's worth it to a hacking group to decrypt a batch of passwords, and they always have the horsepower to do it (think Storm Botnet).



    Fix: Don't trust any of these places. Even Facebook! I couldn't believe Facebook wants me to input my GMail username and password so that it can scrape my address book for friends. The audacity... Sure, it works, but now your GMail account and password are on record in a Facebook database somewhere, for EVAR. When the Badguys get into that database, they have your account and password info.
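To make the plaintext-versus-protected storage point concrete, here is an added example (not code from the original post or from any site it mentions): a constructed two-user table stored the way the post says these sites do it, next to a per-user salted PBKDF2 version. The sample credentials, the iteration count and the helper names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who, as the post says people do, picked the
# same password on different sites.
SAMPLE_USERS = [("exampledude", "Tr0ub4dor&3"), ("jenn", "Tr0ub4dor&3")]

# --- The "insider" case: plaintext storage. A breach hands out reusable passwords.
def store_plaintext(users):
    """Return a {username: password} table exactly as typed in."""
    return {user: pw for user, pw in users}

# --- Hardened form: per-user random salt + PBKDF2-HMAC-SHA256 (assumed parameters).
ITERATIONS = 100_000  # assumption; tune upward on real hardware

def hash_password(password, salt=None):
    """Return (salt, digest). The digest cannot be turned back into the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def store_hashed(users):
    """Return a {username: (salt, digest)} table."""
    return {user: hash_password(pw) for user, pw in users}

def verify(table, user, candidate):
    """Check a login attempt against the hashed table in constant time."""
    if user not in table:
        return False
    salt, expected = table[user]
    _, actual = hash_password(candidate, salt)
    return hmac.compare_digest(expected, actual)

def leaks_reusable_password(table, user, password):
    """What someone holding a copy of the table learns: is the password stored verbatim?"""
    return table.get(user) == password

def shared_passwords_visible(table):
    """In a plaintext table, users with the same password are trivially spotted;
    per-user salts make identical passwords produce different stored values."""
    values = list(table.values())
    return len(set(values)) < len(values)
```

The salted table still lets the site verify logins, but a stolen copy no longer hands out the password that the user also typed into Twitter, GMail and Hotmail.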


  • Badguys will compromise your accounts, even if you think they aren't important.
    So now a website is hacked, let's say via SQL injection or a straight buffer overflow. No matter how, the Badguys now have your username and password. What can they do with it?



    1. Cross-reference your username with a domain-name database to see what you have registered. yourname.com is now a target of domain jacking.
    2. Try your username and password combo at places like GMail and Hotmail: if you signed up to Twitter as exampledude, exampledude@hotmail.com is the next thing they try.
    3. They read your e-mail to find out which banks and online financial institutions you use (PayPal, etc.). They are now closer to having access to your money.
    4. They scrape your e-mail accounts for contacts and send them viruses, personalized, from you. They send you viruses from your friends' addresses. Personalized phishing may be on the horizon as well.
    5. If they have access to your e-mail accounts, they can take your domain. If that domain has e-mail accounts associated with it, they now own those too, and the cycle repeats.


    I could keep going like this. tl;dr: it's a domino effect. The Badguys get one compromise, and they can keep going from it unless you've practiced good username and password hygiene.


    There's a lot of excitement around social networking and mashups right now. There's a great sense of community and optimism toward anything to do with it. It's refreshing, but I think in that atmosphere people drop their guard a bit in the hope that everyone means well.


    But, this is still the Internet.

5 comments:

    1. people re-use passwords and it won't change as long as they're human? hmmm that seems to suggest i'm not human, since i use a different randomly generated password on each site (thank you passwordsafe, and thank you bruce schneier for creating it in the first place)...

      so what should those of us who've evolved beyond humanity call ourselves? cybermen sounds good but i believe it's already been taken...

    2. We're IT people, we don't count :)

    3. I guess it's time I changed my password.

    4. [...] As smart as security people are, the crooks are just as capable. tl;dr .. We’re back at That Password Thing… Change your twitter password as soon as you can. I doubt the public outside of Twitter will know [...]
