A weekly roundup of all the things that go bump on the net

This Week InSecurity - Russian Hackers, Bored Teenagers, Global Credit Card Fraud

It will undoubtedly go down as one of the most spectacular data heists ever. Or at least until the next big one. Which is probably not far off. I'm talking about how researchers in Milwaukee discovered a treasure trove of more than 1.2 billion stolen passwords and usernames, along with half a billion email addresses, on the servers of a group of Russian hacking buddies.

While many focused on the need for almost everyone on the planet to immediately change their passwords, I found a couple of things in the story to be even more troubling. It was all about how easy the entire heist was. The hackers were apparently able to break into more than 400,000 websites around the world because security on those websites was just so lax.

And the hackers were able to find and target all those websites by using a botnet – a network of thousands of hijacked personal computers. And how were they able to hijack so many personal computers? Because security on those computers was just as lax as the security on the exploited websites.


1.2 Billion Password Hacker Haul Exposes The Creepy Side Of Consumer Security

By now you've probably heard about the massive haul of 1.2 billion user credentials discovered on the servers of a group of young Russian hackers (if you haven't heard of it, then welcome to the planet and sorry for the mess).

Just to remind you, a tiny and virtually unknown security company in Milwaukee, Wisconsin called Hold Security gained instant global fame when it announced in early August that for months it had been monitoring a young group of hackers who had amassed more than 1.2 billion stolen usernames and passwords, and nearly half a billion email addresses, which they were using for spamming and other crimes.

Even more disturbing, the hackers had stolen the information from nearly half a million compromised websites. And the hackers had attacked those websites by hijacking thousands of poorly protected personal computers.


The Top 10 Most Common Identity Theft Myths

Every year around this time we see the same experts dole out the same identity theft prevention tips. And yet, identity theft keeps getting worse. Maybe it's because we have to take a step back, and start by exposing some of the myths that can lead to consumer apathy about identity theft. If we help consumers to better understand the reality of identity theft, they might better appreciate these tips and apply them more often.

So here goes:


2 Million Hacked Passwords and the Troubling Truth About Keyloggers

When security researchers uncovered a stash of more than 2 million hacked passwords on a hacker's server in the Netherlands last week, belonging to users of Facebook, Google, LinkedIn and Twitter, most of the focus was on just how many people are still using awful, and awfully weak, passwords. But did all the commentators miss an even bigger story connected to the hack?

Researchers from security firm Trustwave revealed how they discovered the kidnapped passwords on a hacker server in the Netherlands, and how a study of the stash confirmed what we already know about passwords: that many users think weak, predictable passwords are perfectly OK. Some of the most common passwords found on the server, and apparently favored by many users, included 123456, 11111, and, worst of all, password. Yes, the word password for a password. Maybe we're not explaining the whole concept of passwords properly.

But the other lesson that came from the discovery is how effective a little-known tool called a keylogger can be in fleecing passwords and other information from millions of computers. The initial suspect in this case was a keylogger, a small piece of malware that, once installed on a computer, will capture whatever the user types. And maybe even more. And there's a good chance that your antivirus software won't catch it. While the better antivirus brands are generally good at catching the most common malware, a study by the University of Alabama found that those same products only catch around 25% of the more advanced malware. And that's the stuff that can do the most harm.

But there was more relevant news. On the very day that media outlets around the world were railing at how bad the passwords were, a security firm in San Francisco called OPSWAT quietly revealed even worse news. When they planted a basic keylogger on one of their test computers, and ran scans with more than 40 of the most popular antivirus products over two weeks, only one product caught the keylogger. Which probably means most consumers' antivirus won't either.


The Evolution of the Super Thief

Give a man an inch and he thinks he's a ruler. Keep ignoring identity thieves and you end up with a generation of Super Thieves that are skilled, cocky and almost impossible to catch.

I've worked with thousands of victims of identity theft, and hundreds of police departments and other law enforcement agencies. The biggest complaint I hear from victims is not about thieves but about law enforcement.

As most victims of identity theft will tell you, law enforcement is typically not very sympathetic to the crime or its victims. I'll occasionally come across a cop who really gets it - that identity theft can be a life-altering crime and that even if there's not much law enforcement can do to investigate, at least a sympathetic ear can go a long way.

But such cops are as rare as bull's milk. Things got so bad in California that the legislature actually had to introduce legislation requiring law enforcement to take reports from identity theft victims, because so many police and sheriff's departments simply refused to.

And it's that indifference that has helped to create Super Thieves. Super Thieves are everywhere, in almost every community. More than four years ago, law enforcement in the city of Oakland, California admitted to me that they had identified more than two dozen local identity theft gangs who operated in the city with almost complete impunity. And while most of these gangs started at the very bottom, they didn't linger there long.

Super Thieves are professional identity thieves who started out as anything but. They are usually petty criminals to start with, often as a result of drug dependence. Their venture into the business of identity theft usually starts with the most basic of ground-floor crimes, like mail theft, check forgery, or dumpster diving. When they realize (a) it's very easy, (b) it's very lucrative, and (c) nobody seems to be chasing them, they get confident and even a little cocky. It's simply human nature. If you commit a crime that's easy and pays well, and realize that not only are cops not looking for you but they don't really seem to care at all about what you're doing, you're just going to keep doing it.
