Year of the Compromised Password
No, thankfully I have not had anyone rummaging in my email or buying stuff on my Amazon account. But this year really has been the Year of the Compromised Password, in terms both of my clients having problems in this department that I've had to sort out, and in terms of people I know apparently sending me invitations to services of dubious origin.
And I have seen quite a lot of resulting speculation about how the passwords got stolen, so I thought I'd pile in...
The number 1 theory that people seem to come up with is that passwords are being stolen by hackers direct from the services themselves. The reasoning tends to go something like : four people I know have sent me spam. Those four people all have facebook/hotmail/livejournal/deviantart accounts. Therefore, facebook/hotmail/livejournal/deviantart must have been hacked and their passwords stolen!
This is always possible, I suppose - never say hackers can't do anything! But it really doesn't seem the most likely explanation. In general, passwords are not stored in databases in an easily-stealable format. If you view a database containing a bunch of email passwords, you can't read those passwords - each one is encoded using a one-way system that can only be decoded if you already have the original password. This is why if you contact your email provider and say 'I've forgotten my password!' they can't tell you what it is. They have to generate a new one.
If the passwords were all very easy to guess, then perhaps it's more likely that someone just got a list of, say, hotmail email addresses, and ran an attack on them to automatically guess the passwords. This does happen, though it's a lot of work just to be able to send spam - people doing that sort of thing are probably hoping the email address can be used to give access to a bank account.
When groups of people have their passwords stolen, there are likely to be other things they have in common apart from the services they use. If they know each other, then perhaps they attended a conference together, and all used the same wireless network to log in to their services? Wireless communications can be intercepted much more simply than hacking hotmail or Yahoo.
Or perhaps they have all visited the same friend who allowed them to use his computer, or his wireless network, to check their email? If that one systemn is infected, the owner might never know that he's sending all the passwords ever used on it straight to a third party.
Perhaps the most likely scenario is that one member of the group got a password compromised, and that one person infected the others. I think I'm fairly careful and well informed about 'stuff not to click on' - but I admit, if someone that I know that has a good reason to contact me sends me a message with a dodgy link, I'm much more likely to click before thinking. At that point, I'm hoping that my antivirus software will save me from my own idiocy - but no antivirus is 100% foolproof.
Another potential weakness is services that fake logins for more reputable services. We're starting to get used to logging in to services using the same ID - so convenient, to be able to comment on that news story with your Facebook account, or log into that store with your Gmail, and service providers like that approach too - it means they may be able to collect your social media details rather than just your name. But it is very easy to build a login tool that looks like Yahoo, but ain't.
If you try to log in to a site that vaguely interests you to comment with, say, your Yahoo ID, and get a failure message, you would be excused for thinking 'oh drat' and just moving on - not realising that the page you put your password details into has collected them for later use. When your account is compromised three months later, you probably won't even remember that failed login.
I'm looking at my stupid numbers of accounts and passwords (managed via a secure password manager tool) and I'm thinking: 'must be cautious about linking accounts together'. This guy, for example, had his Apple email compromised via information from his Amazon account. I've had my Amazon account since the 90's and I've just realised I've never changed the password, so it was something of an achilles heel. I have now!
And I have seen quite a lot of resulting speculation about how the passwords got stolen, so I thought I'd pile in...
The number 1 theory that people seem to come up with is that passwords are being stolen by hackers direct from the services themselves. The reasoning tends to go something like : four people I know have sent me spam. Those four people all have facebook/hotmail/livejournal/deviantart accounts. Therefore, facebook/hotmail/livejournal/deviantart must have been hacked and their passwords stolen!
This is always possible, I suppose - never say hackers can't do anything! But it really doesn't seem the most likely explanation. In general, passwords are not stored in databases in an easily-stealable format. If you view a database containing a bunch of email passwords, you can't read those passwords - each one is encoded using a one-way system that can only be decoded if you already have the original password. This is why if you contact your email provider and say 'I've forgotten my password!' they can't tell you what it is. They have to generate a new one.
If the passwords were all very easy to guess, then perhaps it's more likely that someone just got a list of, say, hotmail email addresses, and ran an attack on them to automatically guess the passwords. This does happen, though it's a lot of work just to be able to send spam - people doing that sort of thing are probably hoping the email address can be used to give access to a bank account.
When groups of people have their passwords stolen, there are likely to be other things they have in common apart from the services they use. If they know each other, then perhaps they attended a conference together, and all used the same wireless network to log in to their services? Wireless communications can be intercepted much more simply than hacking hotmail or Yahoo.
Or perhaps they have all visited the same friend who allowed them to use his computer, or his wireless network, to check their email? If that one systemn is infected, the owner might never know that he's sending all the passwords ever used on it straight to a third party.
Perhaps the most likely scenario is that one member of the group got a password compromised, and that one person infected the others. I think I'm fairly careful and well informed about 'stuff not to click on' - but I admit, if someone that I know that has a good reason to contact me sends me a message with a dodgy link, I'm much more likely to click before thinking. At that point, I'm hoping that my antivirus software will save me from my own idiocy - but no antivirus is 100% foolproof.
Another potential weakness is services that fake logins for more reputable services. We're starting to get used to logging in to services using the same ID - so convenient, to be able to comment on that news story with your Facebook account, or log into that store with your Gmail, and service providers like that approach too - it means they may be able to collect your social media details rather than just your name. But it is very easy to build a login tool that looks like Yahoo, but ain't.
If you try to log in to a site that vaguely interests you to comment with, say, your Yahoo ID, and get a failure message, you would be excused for thinking 'oh drat' and just moving on - not realising that the page you put your password details into has collected them for later use. When your account is compromised three months later, you probably won't even remember that failed login.
I'm looking at my stupid numbers of accounts and passwords (managed via a secure password manager tool) and I'm thinking: 'must be cautious about linking accounts together'. This guy, for example, had his Apple email compromised via information from his Amazon account. I've had my Amazon account since the 90's and I've just realised I've never changed the password, so it was something of an achilles heel. I have now!