Keylogger Credential Theft Still A Business Threat

December 3, 2013

The combination of malware keystroke loggers and a business model based on credentials sales is a real threat to financial services organizations today. It is not a misty theory or something only security professionals need to care about. Credentials, typically a set of strings we call a username and password, are the only layer of protection for most of our business web applications. Many, if not most, of our industry’s systems cannot detect when an unauthorized party uses a given user’s credentials.

Yesterday Trustwave researchers announced that they found another cache of roughly two million stolen credentials on an active botnet controller.

These included:

1,580,000 general web site login credentials
318,000 Facebook credentials
70,000 Gmail, Google+ and YouTube credentials
60,000 Yahoo credentials
22,000 Twitter credentials
9,000 Odnoklassniki credentials (a Russian social network)
8,000 ADP credentials (ADP says it counted 2,400)
8,000 LinkedIn credentials
and more…

The attackers appeared to start their operation around October 21 and drove it until November 17.

There are a few important issues associated with the data they found.

First, while press reports often highlight social networking credential thefts, ‘real’ businesses are also targeted. In this case, ADP. Also, it is a certainty that there are lots of ‘real’ businesses in that 1.5M ‘web site’ credentials in the first category above.

Second, 46% of the roughly 2M passwords included in this cache were 10 characters or longer. It seems rational to assume that as businesses ratchet up password length requirements, a material percentage of humans just use that same (or similar) ‘long’ password at all their sites. That is an elevated-risk behavior that we need to have all members of our workforce resist.

Finally, weak passwords are still an important problem. Do not use them! What were the top 11 stolen passwords in this collection?

  1. 123456
  2. 123456789
  3. 1234
  4. password
  5. 12345
  6. 12345678
  7. admin
  8. 123
  9. 1
  10. 1234567
  11. 111111
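The three observations above (share of long passwords, most common passwords, and the same password reused across sites) can be checked over a credential dump with a short script. This is an added example, not code from the post or from Trustwave; it assumes a constructed "site,username,password" text format and the sample records are made up for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample dump modelled on the site categories in the post.
# Format: site,username,password. Not real data.
SAMPLE_DUMP = """\
facebook.com,alice,Summer2013!!
gmail.com,alice,Summer2013!!
adp.com,alice,Summer2013!!
twitter.com,bob,123456
linkedin.com,bob,password
yahoo.com,carol,123456
adp.com,dave,Correct-Horse-7
gmail.com,dave,Correct-Horse-7
facebook.com,erin,1234
odnoklassniki.ru,frank,123456
"""

def parse_dump(text):
    """Parse 'site,username,password' lines; skip blank or malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split(",", 2)  # the password itself may contain commas
        if len(parts) == 3 and all(parts):
            records.append(tuple(parts))
    return records

def long_password_share(records, min_len=10):
    """Fraction of passwords with at least min_len characters (post: 46% at 10+)."""
    if not records:
        return 0.0
    return sum(1 for _, _, pw in records if len(pw) >= min_len) / len(records)

def top_passwords(records, n=5):
    """Most common passwords, the same view as the post's top-11 list."""
    return Counter(pw for _, _, pw in records).most_common(n)

def cross_site_reuse(records, min_sites=2):
    """(user, sites) pairs where one password is used at >= min_sites sites."""
    sites = defaultdict(set)
    for site, user, pw in records:
        sites[(user, pw)].add(site)
    return sorted((user, sorted(s)) for (user, _), s in sites.items()
                  if len(s) >= min_sites)

if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(f"{long_password_share(recs):.0%} of passwords are 10+ characters")
    print("top passwords:", top_passwords(recs, 3))
    print("cross-site reuse:", cross_site_reuse(recs))
```

The reuse report is the actionable part for a security team: each user it lists has one password exposed at several sites at once, which is exactly the behavior the post asks the workforce to resist.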



“Look What I Found: Moar Pony!” 12-03-2013


Browser As Your Company’s Outer-Most Application Edge

January 6, 2009

Rich Internet Applications deliver increasing functionality, and with it, increasing amounts of sensitive information, out to end-user’s browsers.  Too often this is a browser and client-platform wasteland without control or consistency. How can we protect our information assets and brand?

More and more regulated personal or health-related information, more valuable intellectual property, more corporate secrets, are reaching our browsers.  As more of our application infrastructure is extended into end-user browsers, demonstrating a threshold level of due diligence is getting more complicated.

Remember when the threshold seemed to be the presence of a top-tier firewall at your Internet perimeter?  Or when a DMZ was enough?  Then hardened web servers, SSL encryption, infrastructure to provide increasingly sophisticated authentication schemes and session management, and more…  The latest battle-ground has been the applications themselves.

Browse the resources at or google ‘web “application security” vulnerabilities 2008‘.  Application-layer vulnerabilities are consuming a greater percentage of the active Internet attack surface.  Microsoft recently reported that 90% of vulnerabilities discovered by researchers were in applications.  They also report that nearly 50% of all vulnerabilities are now rated HIGH severity or higher.

As we extend more of our application functionality, and more of our sensitive and valuable information, out of the enterprise into end-user browsers, how are we dealing with the risks associated with that environment?  The “Browser Security Handbook,” written and maintained by googler Michal Zalewski, is an extensive and exhaustive resource for your application architects, designers, coders, quality assurance personnel, along with your application security engineers and assessment staff [more than 75 pages of lucid, often spartan text].  When control matters, the many differences along the many facets of browser technology need to be effectively dealt with. There is no magic to save us.  This is, and is going to continue to be, really hard work.  The additional challenge will be to find ways to wring competitive advantage and profits out of these investments in application security.

I believe that this handbook stands alone.  Contrary to what most of us would assume, much of this resource is simply excellent writing.  No waste, some beautiful sentences and paragraphs — even when writing about “Document Object Model” or “Browser-side Javascript.”  Michal Zalewski’s work is a joy to read.  Because this resource now exists, we all have one less excuse to avoid the inevitable slog through application security enhancements and upgrades, quality/vulnerability testing, and financing the whole endeavour.

— References —

Open Web Application Security Project.

Microsoft Security Intelligence Report volume 5 ( January – June 2008 )

“Browser Security Handbook.”
