programming4us
programming4us
SECURITY

Password Hacks (Part 2) - Criminal activity

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
8/11/2012 11:07:53 AM

Criminal activity

So who is behind all this? Well, passwords are usually obtained by criminals, although there have been attempts to link such activities with political groups too. The hacking group Anonymous, for example, has been involved in a number of denial-of-service attacks on high profile companies including Master-card and Visa, which was in response to both firms withdrawing support for Wiki-leaks, which had begun publishing 250,000 leaked diplomatic cables.

Description: The hacking group Anonymous

The hacking group Anonymous

“There is, it seems, a lot of value to be had in acquiring those passwords, with the financial rewards good enough to make it enticing for criminal gangs it”

However, it has always claimed not to be financially motivated. Indeed, Anonymous was linked to the Sony hack, although it denied suggestions by Sony in a letter to American Congress officials that it was. The group released a statement distancing itself from the breach, saying: “Anonymous has never been known to have engaged in credit card theft." The group added, “Public support is not gained by stealing credit card info and personal identities, we are trying to fight criminal activities by corporations and governments, not steal credit cards."

Description: Stories of hacking make the national news such is the impact it can have on people
Stories of hacking make the national news such is the impact it can have on people

According to Jonathan Krause, who has 12 years' experience in IT security and runs Forensic Control, the motivations for theft vary wildly depending on how widespread and deep the breach actually is. He said personal data and passwords are highly sought after by spammers, blackmailers, whistle-blowers, corporate espionage players, suspicious partners looking for evidence of infidelity, fraudsters, unscrupulous journalists and private investigators, and they can get it via a variety of methods.

There is, it seems, a lot of value to be had in acquiring those passwords with the financial rewards good enough to make it enticing for criminal gangs.

"Email addresses and passwords are of value because the bad guys know people use those same usernames, email addresses and passwords on multiple websites," said Dave Whitelegg who runs the website ITSecurityExpert.co.uk. “So the amount of data they can potentially grab is huge and if they can gain access to webmail accounts like Hotmail or Google-mail, they can perform password resets on other sites and access them, blocking out the original user."

The theft of LinkedIn and eHarmony passwords could have far-reaching consequences. Since a lot of personal information is posted on these sites, people with access will be able to quickly build up a profile of millions of individuals. “A lot of data can be used in identity theft for fraud or to assist with general fraud," said Whitelegg. “This kind of breach tends to be done individually rather than en masse, but that's not to say it doesn't happen. If you consider the typical password reset questions too, they are mostly based on personal information, as well as mother's maiden name, date of birth; I've even seen profiles which include a person's pet name. There's a lot of information floating about there can be of great use to a criminal."

The theft of LinkedIn and eHarmony passwords could have far-reaching consequences. Since a lot of personal information is posted on these sites, people with access will be able to quickly build up a profile of millions of individuals

Description: The theft of LinkedIn and eHarmony passwords could have far-reaching consequences. Since a lot of personal information is posted on these sites, people with access will be able to quickly build up a profile of millions of individuals

The theft of LinkedIn and eHarmony passwords could have far-reaching consequences. Since a lot of personal information is posted on these sites, people with access will be able to quickly build up a profile of millions of individuals

Whitelegg said there are no borders with cybercrime. He also claims that there are divisions of labor within this globalized, sophisticated community. "Generally speaking, Russians tend to write the malware and you can pay them to write malicious code," he said. "Eastern Europeans tend to launder the stolen money and the Far East tends to control botnets, hiring them out to deliver mass attacks. Hackers who steal these types of information rarely go on to commit the fraud; they tend to sell it on. Where they have lots of records, they break them down into small pieces, just like a jewelry thief would do."

In the case of LinkedIn and eHarmony, it appears that the passwords were taken via a data breach by Russian hackers. They were posted on a Russian hackers' website in order for people to help crack them, so those behind it were certainly after doing some damage. Some pundits suggested that the numbers mentioned were just the tip of the iceberg and that more passwords had been breached. The theory was that the hackers were only posting the encrypted files of trickier passwords online because they'd already worked out the easier ones. Throughout all of this, there was uncertainty at how the password file ended up on a public forum or exactly which site the passwords originated from, but signs indicated that hackers had breached the servers of eHarmony and LinkedIn.

Description: The dating website eHarmony fell prey to password thieves

The dating website eHarmony fell prey to password thieves

It led to accusations that the passwords weren't properly protected. Imperia, an American security firm, said LinkedIn, in particular, did not salt its passwords. “Salting, in layman's terms," said a spokesman, “complicates the process of a hacker cracking a password. Not only do you encrypt the password, but you append it with a random string of characters so even if those passwords are revealed, they look like gobbledygook."

All of this seems to put the onus on the user. Claus Villumsen, CTO at Bull Guard, said internet users need to look after their own interests rather than relying solely on the security measures of a third party. “We'd all like to believe that our personal details and sensitive data are being kept safe from prying eyes when signing up to a service from reputable companies such as those affected," he said. “The reality today, unfortunately, is that this is not the case. Hackers are renowned for moving quickly to find ways around modern security measures, and consumers should be vigilant to these concerns and always assume that the first step towards keeping sensitive data safe lies with them."

“More than three billion malware attacks are reported annually with, on average, 260,000 identities exposed per data breach”

Close to home

With these sorts of breaches, there's little that the individual can do other than ensure they change their passwords regularly enough to keep one step ahead. With so many different accounts held by individuals, though, that's no easy task and it takes a considerable amount of time to keep on top of them all.

Other  
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
REVIEW
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us
programming4us
 
 
programming4us