People create terrible passwords. As simple as this might sound it unfortunately remains news to millions — if not billions — of individuals who use the Internet. As proof, we’ll take a look at a selection of passwords that were revealed in the Ashley Madison leak.
Regardless of any shortcomings Ashley Madison had in terms of securing their perimeter against breaches, one thing that they did right (to the surprise of many security researchers and the disappointment of many black hats) was hashing their users’ passwords with a slow, salted algorithm rather than storing them in a recoverable form.
The leak contained a database of around 36 million usernames, with bcrypt-hashed passwords. There is no known way to crack all of these passwords before the heat death of the universe, especially assuming that some are truly random, but we can crack the worst ones.
Conveniently, the web is full of known-password lists that anyone can just download. The two we chose for this crack, which are widely available, are the so-called 500 worst passwords of all time (compiled in 2008) and the 14-million-strong password list from the rockyou hack.
Cracking the bcrypt
It should be noted that we did not use the full list of 36 million password hashes from the Ashley Madison leak; we only used the first million. That may skew the results towards passwords created near the beginning of the site’s existence rather than the end. Also, since the system we used has a 6-core CPU and two GTX 970 GPUs, we set the CPU to test the 500-worst list and the GPUs to test the rockyou list. Because we’re SMRT, we used the same million hashes for both the CPU and GPU cracks, which therefore produced redundant results in our output files. This is less efficient overall, but it allows us to make an apples-to-apples comparison of the effectiveness of the two password lists, as well as of CPU vs GPU cracking speed.
Before we get into the results, let’s take a quick diversion to explain why this hack was so difficult and only revealed a small number of passwords.
Just about a year after a plethora of celebrities’ nude photos were leaked online, two homes in south Chicago have been raided and investigators have named one of the suspected hackers. As this controversial story and investigation continues to unfold, Avast researchers have come up with a few speculations regarding the origin and motivation behind the initial hack. We’ve discussed the case with one of Avast’s security researchers, Filip Chytry, who has put in his two cents about the situation:
GR: Why might have Apple not flagged or investigated an IP address’ 572 iCloud logins and attempted password resets?
FC: “Putting it simply, Apple just doesn’t have security implemented on this level. Even though they might sound large to us, attempting to track this number of logins and attempts to reset passwords is similar to discovering a needle in a haystack when it comes to Apple’s ecosystem.
Video gamers dedicate thousands of hours of training and spend their own money for the best systems as well as skins, upgrades, and items that show the world their persona. They need to know that their hard work and monetary purchases are protected.
AVAST is proud to announce our sponsorship of Team FNATIC in the 2014 eSports season. Their professional video gamers are tops in the world competing for millions in prize money while thousands of fans cheer them on.
“We are extremely excited to be partnering with FNATIC,” said Ondrej Vlcek, Chief Operating Officer at AVAST. “This partnership goes beyond just sponsoring a team in the rapidly growing eSports field. FNATIC will be collaborating with us on future products too. We’re thrilled to have such a prominent and well-loved team as our first partner in this area.”
On Monday between 17:00 and 18:30 CET, several of the most popular professional gamers on Team FNATIC had their streaming games interrupted by a TeamViewer attack. Their PCs were remotely controlled, and the players were logged out of their gaming clients. A Notepad file appeared with the words, “You’ve been hacked. Fnatic, this is game over,” and other messages.
Here’s a video of FNATIC player nOtail experiencing the attack (NSFW due to language):
Yesterday, several companies had their websites hijacked by pro-Palestinian hackers. We can confirm that there was also a hacking attempt against the AVAST site – we assume from the same group – but we took immediate steps and were therefore able to contain it.
According to published reports, the hacked companies’ accounts at their DNS vendor, Network Solutions, which they used to manage their DNS records, had their credentials reset. This allowed the hackers to take control of the websites in question by redirecting their domains. It’s unlikely that any of the sites that were attacked lost control of any of their own servers, so customer data most likely was not compromised.
“We ourselves received a notification from Network Solutions saying our email had been changed. We knew we had not requested that, so we immediately took action and changed our passwords, which protected us,” said Vincent Steckler, AVAST CEO.
Stay cyber aware when company accounts get hacked
Hackers have been busy recently – Adobe announced on Thursday that it has been the target of a major security breach in which sensitive and personal data about millions of its customers has been put at risk.
If you get a notification from an online provider that your email address or a password was changed – no matter if it’s from your bank, an online shop, or any other online site – and you didn’t request these changes, you need to take steps to protect yourself by immediately changing your passwords for these sites.
When we attempted to open the URL, it was redirected to dumb.cn.mn which triggered the blocking action. The only content on dumb.cn.mm is one word – GOTCHA!
Senior Virus Analyst Jan Sirmer confirmed the attack when we couldn’t repeat the block. “The site, smcitizens.com, was hacked for sure, and redirects to a black hole site,” he said. “Malicious script on the site is checking visitors’ cookies, which is the reason why you don’t see the warning more than once.”