Stolen Password Analysis Exposes Foolish Choices
Often, neither the companies that store user passwords nor the users who create them practice smart security. Tools were available that could have prevented the keylogger theft of almost 2 million passwords from Facebook, Google and other popular sites, suggested security analyst Avivah Litan. Also, analysis of the stolen data showed that a great many users chose obvious username-and-password combinations.
Dec 6, 2013 5:00 AM PT
Cybercriminals recently stole more than 2 million usernames and passwords from several popular sites including Facebook and Google, according to security researchers at Trustwave's SpiderLabs.
Pony, a botnet that logs user keystrokes, captured the information from more than 90,000 websites during the past month and then sent it to a hacker-controlled server. It snagged data from 326,000 Facebook accounts, 60,000 Google accounts and 22,000 Twitter accounts. Two social networks for Russian speakers also featured prominently on the list of compromised data.
A payroll service provider was also in the top 10 domains compromised, suggesting the theft may have had financial consequences for some of the victims.
Machines in the Netherlands, Thailand and Germany were the hardest hit, but the attack spread to more than 90 countries worldwide.
"Pony is a known malware that has been around for about a year," John Miller, security research manager at Trustwave, told TechNewsWorld. "We found just one control server with the compromised credentials. There may be more, so there may be more attacks like this one down the road."
Analysis of the stolen login information revealed that many Internet users still use generic passwords such as "admin," "password" and "123456."
The Trustwave researchers compared their analysis of this breach to data from a MySpace password theft in 2006. They concluded that consumers haven't grown wiser with time. They still choose comfort over security -- that is, passwords that are not only easy to remember but also easy to guess.
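An added example, not the article's or Trustwave's own code or data, of the kind of password-quality audit a site operator could run over its own users' choices before a dump like this one does it for them: the credential lines, the blocklist and the strength thresholds are all constructed assumptions.

```python
"""Password-quality audit: top choices, blocklist hits, strength buckets."""
from collections import Counter
import string

# Constructed sample in the "site,username,password" shape a stolen dump might take.
SAMPLE_DUMP = """\
facebook.com,alice,123456
google.com,bob,password
twitter.com,carol,admin
facebook.com,dave,Tr0ub4dor&3
vk.com,erin,123456
google.com,frank,qwerty
payroll.example,grace,S3cure!Passphrase2013
facebook.com,heidi,password
"""

# Passwords the article names plus a few well-known ones (assumed blocklist).
BLOCKLIST = {"123456", "password", "admin", "qwerty", "123456789", "111111"}

def char_classes(pw):
    """Count how many of lower/upper/digit/symbol classes the password uses."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)

def strength(pw):
    """Bucket a password by length and class diversity (assumed thresholds)."""
    n, k = len(pw), char_classes(pw)
    if n <= 6 and k == 1:
        return "terrible"
    if n < 8 or k == 1:
        return "bad"
    if k < 3:
        return "medium"
    if n < 12:
        return "good"
    return "excellent"

def audit(dump):
    """Return the top passwords, the blocklisted fraction and a strength histogram."""
    passwords = [line.split(",", 2)[2] for line in dump.splitlines() if line]
    counts = Counter(passwords)
    blocked = sum(1 for p in passwords if p.lower() in BLOCKLIST)
    return {
        "top": counts.most_common(3),
        "blocklisted_fraction": blocked / len(passwords),
        "strength": dict(Counter(strength(p) for p in passwords)),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```

Running the same audit at registration time (rejecting blocklisted or "terrible" choices) is the practical form of Rodzon's suggestion that sites tell users how to pick a stronger password.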
"No matter what companies do, there are still going to be a bunch of people that choose those easy passwords," Kati Rodzon, an independent security awareness contractor, told TechNewsWorld. "A lot of companies encourage people to make a stronger one, but it could help users if companies can say, 'here are ways to make a stronger password' and give them some better information about that."
That's because data protection cannot be put entirely in the hands of the consumer, said Avivah Litan, security analyst at Gartner.
"There are several methods of protection available that could have prevented a breach like this, especially with this type of keystroke-logger software," Litan told TechNewsWorld.
"Companies need to wake up and realize they have these protection resources available," she chided, "and that they can't leave it up to consumers. These consumers are going to keep using Google and Facebook and email, and they're expecting measures to be in place to protect that information."
Massive breaches like the one carried out by the Pony botnet are often wake-up calls telling companies that they need to put some of those measures in place, said Litan. But even when a company has acknowledged the importance of such measures, there are still hurdles before implementation.
"Companies are not nimble. There is a lot of bureaucracy involved with putting more security in place," she pointed out.
"Defenses are getting better, and the good news is that there has been a lot of good technical improvement in security that is making it possible to stay safe," Litan noted, "but you have to be willing to spend money and get these solutions in there. It's an arms race, and these criminals are much more nimble than the huge Internet companies."