The combination of keystroke-logging malware and a business model based on selling credentials is a real threat to financial services organizations today. It is not a misty theory or something only security professionals need to care about. Credentials, typically a pair of strings we call a username and password, are the only layer of protection for most of our business web applications. Many, if not most, of our industry’s systems cannot detect when an unauthorized party uses a given user’s credentials.
Yesterday Trustwave researchers announced that they found another cache of roughly two million stolen credentials on an active botnet controller.
1,580,000 general web site login credentials
318,000 Facebook credentials
70,000 Gmail, Google+ and YouTube credentials
60,000 Yahoo credentials
22,000 Twitter credentials
9,000 Odnoklassniki credentials (a Russian social network)
8,000 ADP credentials (ADP says it counted 2,400)
8,000 LinkedIn credentials
The attackers appear to have started their operation around October 21 and ran it until November 17.
There are a few important issues associated with the data they found.
First, while press reports often highlight social networking credential thefts, ‘real’ businesses are also targeted; in this case, ADP. It is also a certainty that there are many ‘real’ businesses among the 1.5M ‘web site’ credentials in the first category above.
Second, 46% of the roughly 2M passwords in this cache were 10 characters or longer. It seems rational to assume that as businesses ratchet up password length requirements, a material percentage of people simply use the same (or a similar) ‘long’ password at all their sites. That is an elevated-risk behavior that we need every member of our workforce to resist.
Finally, weak passwords are still an important problem. Do not use them! What were the top 11 stolen passwords in this collection?
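The three points above (businesses hidden in the ‘web site’ bucket, long-but-reused passwords, and weak passwords) are exactly the kind of analysis a defender should run over a dump like this one, and then turn into a screening rule for their own password changes. The following is an added example, not code from the original post or from Trustwave: it parses a constructed sample dump in a hypothetical `site:username:password` layout (the real Pony records are not reproduced on this page), computes the share of passwords at or above a length threshold, lists the most common passwords, finds the same user reusing one password across sites, and screens a candidate password against the dump using SHA-1 prefix buckets so that a lookup service never has to see the full hash.

```python
import hashlib
from collections import Counter

# Constructed sample dump (hypothetical layout "site:username:password").
# This is illustrative data, not records from the Trustwave cache.
SAMPLE_DUMP = """\
example.com:alice:123456
example.com:bob:password
example.com:carol:CorrectHorseBattery
example.net:dave:123456
example.net:erin:qwerty123456
example.org:frank:123456
example.org:grace:Tr0ub4dor&3
example.org:heidi:123456789
payroll.example:ivan:Summer2013!
payroll.example:judy:password
payroll.example:alice:123456
"""


def parse_dump(text):
    """Parse 'site:user:password' records. maxsplit=2 keeps ':' inside passwords intact."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        site, user, password = line.split(":", 2)
        records.append((site, user, password))
    return records


def length_stats(records, threshold=10):
    """Fraction of passwords at or above `threshold` characters (the post's '10 or longer' figure)."""
    passwords = [p for _, _, p in records]
    if not passwords:
        return 0.0
    return sum(1 for p in passwords if len(p) >= threshold) / len(passwords)


def top_passwords(records, n=5):
    """Most common passwords in the dump, most frequent first."""
    return Counter(p for _, _, p in records).most_common(n)


def reuse_report(records):
    """(user, password) pairs that appear on more than one site: cross-site reuse."""
    sites_by_pair = {}
    for site, user, password in records:
        sites_by_pair.setdefault((user, password), set()).add(site)
    return {pair: sorted(sites) for pair, sites in sites_by_pair.items() if len(sites) > 1}


def build_hash_index(records):
    """Index leaked passwords by SHA-1: {5-hex-char prefix: {remaining 35 hex chars}}.
    A client can send only the prefix and compare suffixes locally (k-anonymity range query)."""
    index = {}
    for _, _, password in records:
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def password_is_leaked(password, index):
    """True if the password's SHA-1 suffix appears under its prefix bucket."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


def screen_password(password, index, min_length=10):
    """Reasons to reject a candidate password; an empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if password_is_leaked(password, index):
        reasons.append("appears in stolen-credential cache")
    return reasons


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(f"{length_stats(recs):.0%} of passwords are 10+ characters")
    print("top passwords:", top_passwords(recs, 3))
    print("cross-site reuse:", reuse_report(recs))
    idx = build_hash_index(recs)
    print("screen '123456':", screen_password("123456", idx))
```

Note that the length statistic alone is not a quality signal: `qwerty123456` clears the 10-character bar, which is precisely the post's point about long passwords that are still weak or reused. The screening function therefore combines the length floor with a leaked-password lookup rather than relying on either one.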
“Look What I Found: Moar Pony!” 12-03-2013