The highest form of ignorance is when you reject something you don't know anything about.

Wayne Dyer (b 1940)

You Have Been Hacked!

You Have Been Hacked! And it's your fault!

Yes, it's your fault, and Nick Denton's fault too!

This article is a follow-up to my rant about Gawker, Nick Denton's greed, and your stupidity.

Gawker Media was hacked and, amongst other things, a database of user logins, emails and passwords was released in the wild: 1.3 million of them.
It made the news and created a small wave of panic across the web.

Panic, you say? Why? I was not using Gawker, so I am safe!

Are you?
Please, allow me... Let's pretend that I am a bad guy.
Saturday night, Dec 11 2010.

The Gawker hack is released in the wild...
I got the dump and cranked up John the Ripper on the database.
Oh, surprise! Gawker is using an obsolete DES encryption ;-)
After 2 minutes, I have 6,000 emails and passwords.
After 12 minutes, I reach 82,611 passwords (and my machine is average) with a miserable single pass over only 30% of the database and a very lame dictionary file...

The Grizzly Will Eat You! 
Or why you need a stronger password (than the next guy)

Why you should try to avoid having your info on a list like that 

So, you are in a group, a grizzly is running after you, and it's dinner time for him!
All you need to do to be safe is to run faster than the bear, huh?
The bear does not want to catch the fastest guy, he just wants to catch dinner, and dinner will be the slowest of all: the weak and the sick.
All you need to do to be safe is to run faster than the last guys.
The "last guys" are those 82,611 who used passwords so weak and lame that it took me a mere 12 minutes to catch my dinner, and I can guarantee you that it's going to be a feast...

Picture this: the stronger your password, the faster you can run...

Here is why:
As a bad guy, I am not going to spend 5 hours to catch the last one of you when I have 82,611 other meals waiting for me... Spending 20 hours trying to catch the fastest one is irrelevant. Hackonomically speaking: the sooner I can hack you, the better my chances.

The "Appetizer"
Yeah! It's only your email, login and password, for Gawker.

As you are part of the "slowest" group, I can tell you that you have used the lamest passwords ever: "Password", "123456", "12345678", "monkey", "letmein", "iloveyou", etc.
As you seem a little slow, I'll try those passwords with your email address, and I'll gain access to probably 33% of your accounts, including but not limited to Twitter, Facebook et al.
Using such a weak password is a sign for me: you are a confident dummy!
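The check on the other side, as an added example of my own (not from the post): a signup or password-change filter that rejects anything built on a password like the ones above, including the dressed-up variants ("Password123!", "P@ssw0rd") that fall to the same dictionary in the same 12 minutes. The blocklist and the sample list are constructed for illustration; a real deployment would use a full breach list.

```python
import re
from typing import List

# Added example, not from the post: the blocklist holds the passwords the post
# names plus a few constructed entries. A real deployment uses a breach list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "monkey", "letmein", "iloveyou",
    "qwerty", "abc123", "111111", "gawker",
}
MIN_LENGTH = 12

# Substitutions people use to dress up a weak password: p@ssw0rd, l3tm31n ...
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to the word it is built on: lowercase, strip the
    leading/trailing digits and punctuation, then undo leet substitutions."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return p.translate(LEET)


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit, symbol appear (the post's
    "not a single sign" figure is this value being below 4)."""
    return sum(bool(re.search(pattern, password))
               for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def check_password(password: str) -> List[str]:
    """Return the reasons a password would be rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("built on a password from the common list")
    if character_classes(password) < 3:
        problems.append("fewer than three character classes")
    return problems


def audit(passwords: List[str]) -> float:
    """Fraction of a list that would be rejected: the post's "slowest guys"."""
    if not passwords:
        return 0.0
    rejected = sum(1 for p in passwords if check_password(p))
    return rejected / len(passwords)


if __name__ == "__main__":
    # Constructed sample, not data from the leak
    sample = ["Password123!", "monkey", "P@ssw0rd", "letme1n2010", "12345678",
              "Tr0ub4dor&3-gawker", "nine-word passphrase ok for this 1 Check"]
    for p in sample:
        print(f"{p!r}: {check_password(p) or 'ok'}")
    print(f"{audit(sample):.0%} of the sample would be rejected")
```

Normalizing before the blocklist lookup is what makes the filter worth having: a plain lookup accepts "Password123!" while the cracker's rule set reaches it in the first few seconds.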

The "Entrée"
So, using those passwords, I'll gain access to about 25,000 accounts. Let the fun begin...
  • First step: sucking up your contacts. About 100 contacts each... 2,500,000 emails that I can spam in your name... :-)
  • Second step: changing the password on your email account. I have access, you don't anymore. By the time you figure it out...
  • Third step: spamming your contacts, in your name, from a genuine email address...
Facebook: 200 friends? OK, I can send them private messages, spam them, post on your wall, and phish them with a juicy "omg! is that you in the video?", the famous "You need to install a codec", or a redirect to a fake Facebook page: "You need to log in to view this page".
Even at a 5% success rate, that's 250,000 hacks. Knowing that each one hacked also has 200 friends, add again: (250,000 × 200) × 5% = 2.5 million possible. Repeat with Twitter and I'll have a blast!

Fun fact: Facebook is unable to recognize a hacked link. This is the Koobface worm.
This account, of a well-educated friend of mine, contaminated 16 of his friends who fell for it, about a 15% success rate :-)

The "Dessert"
Now that we own you, me and my little hacking group can move on to the social engineering fun: they will trust me, sorry, I mean, they will trust you, no?
Just asking for a quick phone call because you need advice, some help, or have something very personal to tell them... I (you) will just forget to mention the supercharged connection fee for special numbers, $9.99 at connection, to hear a voice mail...

Your friends will probably notice it in 20 days, when they check the bill. If at all...
On my side, we will not forget to re-send an email apologizing for not being able to take their call the first time; please call me back again ASAP. Cha-ching again!

Once we have usurped your identity, the possibilities are endless ....

We could run a script to find out if your friends are male or female. If you are a female, a little love letter to your male friends will probably make them look at it. "The Love App told me that I am 80% in love with you, I think it's wrong: I am 95% in love with you"

Scan your emails for 15- or 16-digit numbers = credit cards. Do you have any bank statements? Or just for fun, if we can't hack your friends, why not send a Goatse to all your contacts, with a nasty email? Not directly, but as a reply... even better.
It will be so much fun to explain to your boss or your clients that "his wife is not the whore pictured".

It could be so much profitable fun...
But you probably think that I am exaggerating, huh?
OK, let's review some fun facts.

Fun Facts
  • It took me 12 minutes for 82,000 passwords. Duo Security did 190,000 in one hour and finished with about 400,000 on an 8-core machine.
  • Almost ALL of the passwords cracked do not contain a single symbol (~95%).
  • Nick Denton's account (the CEO of Gawker) was hacked, pwned, owned without him knowing it. For a while! The front page of Gawker was defaced.
  • Nick Denton was using the same weak password for all his accounts.
  • Nick Denton's Flickr was hacked, as were Gawker's internal communications. The communications show clearly that Gawker Media was taunting the hackers and provoking them.
  • In the early hours, Gawker (Scott Kidder) assured users that the passwords were encrypted, hence safe. Gawker staff accounts were already compromised, probably for a few days.

Scott Kidder, director of editorial operations at Gawker Media

Very small edited excerpt of the loot.

Twitter/Facebook accounts started to be compromised just 1 hour after the release.

  • The group behind the Koobface worm is making ~$200,000 a month. Just in case you believe that your account, or the accounts of your friends, "have no value".
Koobface has infected about  and Koobface can (Symantec Report):
  • Spread through social networks
  • Steal confidential information
  • Inject advertising into web browsers
  • Redirect web browsing to malicious sites
  • Intercept Internet traffic
  • Block access to certain Internet sites
  • Start a web server to serve as a command and control server for other Koobface infections
  • Download additional files, such as updates to itself and other pay-per-install software that includes fake security products
  • Steal software license keys
  • Break CAPTCHAs
  • Determine if a link is blocked by Facebook
  • Create new Blogspot accounts and pages
  • Modify the Hosts file
