Friday, 3 January 2014

Like Dominoes they Fall One by One

Recently i received an email from my wife asking to help her as she was having financial problem in Norway. The moment i saw that, i knew it was a Spam. However, when i looked closer, i realized that when i clicked 'Reply', it was addressed to my wife's yahoo email address. I took a snapshot and sent it to my wife and informed her to quickly change her password. That's when my wife told me that she couldnt log in to her email account. Something was fishy.

The next thing i know, people started calling and messaging her on Facebook. According to the private messages, she was asking people in her friendlist for help and money. She got bombarded with calls of concern. To make matters worse, she could not log in to her Facebook as well as her Hotmail account.

30 minutes later, we realized that she was hacked! And she was not the only one. Over the last few weeks, i received news on my newsfeed how my other friends got their email accounts hacked and unable to log in as well. 

Thus, i went into a hunt for the hacker... (but this will be another story to post)

So i asked her whether her passwords were the same as the other accounts to which she replied No. All her 3 accounts have 3 different set of passwords which is a good thing. Then i asked her about the complexity of her passwords. With that i know why. 

Surprising Find

I went on a recon to find other victims to which the accounts were hacked. To my shocking surprise, i saw THOUSANDS of Yahoo, Hotmail, Gmail, Facebook accounts with passwords leaked out in the deep web! And they all have one thing in common: simple passwords! 

These are some of the accounts that was leaked.


I looked closely at the passwords combination used and i could tell that these passwords are easily guessed, simple combinations of alphabets and numbers. This is what we in the security community as WEAK passwords. 

10 years ago, a complex password would be at least 8 characters with a combination of alphabets and numbers. At that time, the technology for password cracking isn't as awesome and as fast as now hence the previous requirements was sufficient. But now, 8 characters is easily cracked especially when it is not complex enough. Another mistake that most of us make is using the same password for all other accounts. Thus it is not surprise when one account is hacked after another by using a single password. 

How Did the Hackers Hacked Then?

There are many ways a hacker could hack into our accounts. One of the ways i know is by collecting email addresses gathered by automatic scavengers tool and save it into a database. Once all these email addresses are collected, the hacker will run a cracker against a huge dictionary file or by other sophisticated crackers. All the hacker needs to do is to play the waiting game. Once the accounts are hacked, the hacker will publish it online, in forums and if they want to make a profit out of it, sell them to potential buyers and scammers. These scammers will then use the compromised account and start their phishing emails to the contacts in the email's address books. 

So How Can we Prevent this?

1. Use at least 16 characters long! Remember, the longer the better!
2. Raise the complexity of the passwords by using words that only YOU will know and not from the dictionary.
3. Use Uppercase and Lowercase alphabets
4. Use numbers
5. Use special characters such as &^%
6. Use different password for each account
7. Do not login to sites from public Wifi networks or LAN 
8. Do not provide your passwords from emails asking you to provide.
9. Provide contact number to the account for password reset. This is very important and a secure way to do password reset as only YOU would have your mobile phone/number and not the one in Nigeria.

A good example of a password is : UzuM@k!@P0C@l%p$3



No comments:

Post a Comment