Common Passwords
Security companies sometimes get to analyse real people’s passwords and create interesting reports. Imperva has just done that, analysing 32 million passwords used on the Rockyou.com site (which was recently hacked).
Below is a summary of their findings. Why is this important to you? Because it means that, statistically, you probably have a weak password that can be guessed from a list rather than needing to be cracked.
- 41% of passwords only use lower case letters (weak)
- 15% of passwords use only numerals (even weaker)
- Nearly 50% of people used names, slang words, dictionary words or trivial words as their passwords. These can be guessed in seconds by a “brute force” program that simply tries every entry in a word list (a dictionary attack).
The ten most common passwords were:
- 123456
- 12345
- 123456789
- Password
- iloveyou
- princess
- rockyou
- 1234567
- 12345678
- abc123
If you use any of these as your password then change it now. It’s too easy to guess, especially now that everyone can see this list.
For tips on how to choose a good password read our previous article. And here are some tips on testing how good your password is.
Imperva’s complete report is here. It’s full of interesting technical details on what they found and what the risks are.
Inside The Password Stealing Business
McAfee, a large anti-virus company, has published a report called “Inside the Password Stealing Business: the Who and How of Identity Theft”. It goes into the details of password stealing programs and explains the “industry” driving it.
It’s quite detailed and at 17 pages it won’t take too long to read – it’s not very technical.
Password stealing is when a program (a keylogger) gets installed on your PC that catches every stroke of your keyboard and sends it back to a criminal. The idea is that it’ll record all your passwords as you type them, no matter how strong they are. It’s a sophisticated piece of technology and a very large problem worldwide. If you’re not keeping your anti-virus software, web browser and OS up to date then you’re at high risk.
These passwords are then sold off and used to steal money from your bank account or to commit other crimes. Even if you don’t use online banking you still have something to lose – someone can apply for a credit card under your name and use it to make expensive purchases, then you’re left to deal with the credit card company and convince them it wasn’t you (this happens every day).
So click on this link and have a read of the report.
Spam Sentences
A quick post about spam. Some of the most common sentences used in spam are:
- We are letting you try it for FREE, you just pay the shipping costs!
- FREE Download without limits!
- Get your Free Trial Now!
- Take FREE exotic vacations!
- Get Free trial bottle!
In similar news, Norton has published a list of what they consider the top 100 most dangerous web sites. I won’t copy & paste the names here because my site and newsletter will no doubt be blocked by filters everywhere. You can have a look here to get an idea of what they consider to be highly dangerous web sites.
Four Corners Episode on Security
An Australian investigative program called Four Corners will feature an episode on the scope of online crime in Australia. If you have access to this program it’ll be worth watching. They’ll go over how identity theft works, how online crooks have attacked businesses, and how unsecured wireless networks are hacked.
Monday 17th August, 8:30pm, ABC1. And a repeat on Tuesday 18th August, 11:35pm, ABC1.
ABC will also provide this program online if you have a fast internet connection, on their iView application.
Update: Part of the episode featured federal police raiding a hacker group. The hacker group has attacked a federal police network in retaliation. Interesting.
GFI Backup
GFI Backup is a simple backup program for Windows. It has enough features for most home users, and it’s free. If you haven’t thought about your own backup strategy this would be a decent program to start with (for Windows users).
For more backup tips read here.
Hacking Wireless Networks
A while back I wrote about wireless network security; click here to see the article. Basically you have 4 ways to set up a wireless network (at home or at the office):
- No wireless security
- WEP
- WPA
- WPA2
No wireless security means just that, anyone can connect to it and use your internet. If you’re wondering why this is a problem have a quick read of this article.
WEP is a very old security system and it doesn’t work. Its encryption has well-known flaws (a short 24-bit initialisation vector on top of the RC4 cipher), so the key can be recovered from captured traffic in minutes with freely available tools.
WPA and WPA2 are still good, as long as you use a long (20 character) password that isn’t a dictionary word or phrase. The only practical attack on a home (pre-shared key) network is to record the handshake when a device connects and then try passwords against it offline, so the password is the whole defence. If your router offers the choice, pick WPA2 with AES over the older WPA (TKIP). Read here to learn more about WPA.
Below is a tutorial video that has step by step instructions on how to hack into a WEP protected network. The point is: it’s easy to hack into a wireless network protected with WEP. WEP doesn’t work.
Vodafone Uses Incorrect Marketing Tactics
Today I received a call from someone claiming to be from Vodafone (a local phone company), offering me a new phone and new plan. Fair enough, I’m a Vodafone customer and my contract’s close to renewal.
But things turned ugly when the person on the phone asked for my account password, so that he could verify he’s talking to the right person. I refused.
I explained that I received an unsolicited call, I don’t know who I’m really speaking to, and that I’m not prepared to give a random stranger my account password.
He’s probably heard this several times so he said he understands, and I could give a few other personal details instead. I refused again. Confused, he put me onto his team leader, or at least someone claiming to be his team leader – I have no way of knowing who I’m speaking to. If I had been the one to initiate the call then I know I’m speaking to the right company. If I receive a call then I don’t know. There’s a fundamental difference here.
The team leader tried to explain they need to confirm who they’re speaking to. She claimed to understand my position, but wouldn’t change her argument. I continued refusing to give my password to a random stranger just so I can hear about new phones.
So we agreed to end the conversation. I wrote Vodafone a complaint using their website, explaining the situation. I’m not sure if the complaint went through because their web page took me to a questions and answers page after I’d typed everything out.
It’s not completely the cold-calling people’s fault, they’re doing what they’re paid to do. It’s Vodafone’s problem that they came up with this procedure. They’re giving their customers an expectation that it’s normal for strangers to call them and ask for their passwords.
And if you haven’t worked out the problem yet, look at it this way. I now know that Vodafone customers must be used to receiving unsolicited calls and giving out their passwords. So if I call 20 random people in Australia, chances are at least one will be a Vodafone customer. I just have to say I can offer them a new phone plan if they can give me their password. Then I can call up Vodafone, confirm my identity using that password, change my mailing address, and order a new phone and ask for it to be sent to my residence. I wouldn’t actually do it this way but you get the idea. It’s called identity theft.
I’ve written about the same problem before in 2007, it seems nothing’s changed in the past 2 years.
Where Does Spam Come From?
The technology spammers use is always changing. A report released by MessageLabs in June 2009 shows that 83% of spam is currently being sent from botnets. Now let’s explain what a botnet is.
There are people out there who hack into people’s home PCs (the PCs of ordinary people like you and me). They usually write a virus to do this, or pay someone to write the virus. Then when they’ve hacked into a home PC, they add it to a list.
After a few days they can get about 500,000 home computers on their list (yes, they work very fast). So once the hacker has hundreds of thousands of computers on their list, he writes a program that can control them all at once.
Now keep in mind that most home users won’t know their PC has been hacked. Everything still looks normal.
The hacker then sells this list of PCs to a spammer. The technical term for this list of controlled PCs is a botnet.
A spammer buys this list of hacked computers and the program that controls them all at once. He also buys an email list from someone else (a list with millions of people’s email addresses). He presses a button, and all of the home PCs he’s controlling start sending out spam.
Again, home users don’t know their PC is now being used to send out spam. They might notice their internet go a little slower but most people don’t have the technical skill to work out why. It just gets ignored.
The spammer then sits back and relaxes after doing his 5 minutes of work. If anyone gets caught for sending spam it’ll be the home user, not him. The home user is ignorant of what’s going on. The hacker made his money and will do it again. And the cycle repeats again after a few days.
So how much spam are we talking about?
The largest botnet in operation in June 2009 is sending 74 million spam emails a day, all of this from people’s home computers. That’s a lot of spam.
What can you do?
Don’t let your own computer become part of a botnet. Use a good antivirus product, scan for malware, and fix up any problems.
Lenovo Laptops With Adware?
Some of Lenovo’s laptops have been shipped with adware installed, and it wasn’t an accident. Lenovo thought it would be a good idea if their new laptops showed popup ads to convince you to buy more Lenovo products.
It’s bad form, a new computer shouldn’t be popping up ads without your consent. Lenovo generally build good quality machines but this move is ethically wrong.
Click here to see a screenshot of the ad.