Message-ID: <45AF81CE.5030604@kennedyinfo.com>
Date: Thu, 18 Jan 2007 09:18:54 -0500
From: Troy Cregger <tcregger@...nedyinfo.com>
To: Sûnnet Beskerming <info@...kerming.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Grab a myspace credential

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the crunch down on the data Carl. I've not had time to
analyze the list myself but that's the exact information I would have
been after.

Cheers!

Sûnnet Beskerming wrote:
> Where did it all come from?  The prevailing theory is that the 'Tom'  
> account was successfully phished / breached (note - the real Tom has  
> a separate account) and used to send out a Bulletin to all Friends  
> (almost all users on MySpace) with the malicious link contained.   
>  From there it was a matter of waiting for the clicks to roll in.
> 
> Claimed evidence of the hack of 'Tom' is provided across several Digg
> stories (http://www.digg.com/security/MySpace_s_Tom_s_Profile_Hacked_Sending_Links_to_Phishing_Website)
> (http://digg.com/security/Myspace_Tom_gets_hacked_PIC) from the 2-3
> days prior to the list being pushed to F-D.  Although screenshots can  
> be faked, the examples that have been posted do correctly reflect how  
> a Bulletin-based attack would appear.  With the numerous current  
> active XSS vulnerabilities present on MySpace, it is reasonable to  
> believe this chain of events.
> 
> Basic analysis of the list (which I believe is a much better source
> than the one Bruce Schneier commented on
> [http://www.schneier.com/blog/archives/2006/12/realworld_passw.html])
> throws up some interesting output:
> 
>   - A little more than 2% of the full list is abuse directed at the  
> site operator (more when duplicate records are removed), including  
> some basic ASCII porn mixed in with the results.
> 
>   - For too many users, if the login didn't work the first time,  
> nothing was going to stop them from try, try, trying again (I'd  
> regard those records as excellent live data).  Removing duplicate  
> logins takes the list from 56k records to 41k.
> 
>   - Even better, some of the repeated attempts are users correcting  
> mistakes from the first time they tried to enter their details.
> 
>   - It's a family thing.  It appears that some users (who only tried  
> 5-6 times to login) convinced family members to try and login to the  
> site themselves (or family were caught the same way).
> 
>   - An obscure email address is not an effective means of hiding  
> identity, especially if the user then spells out their full name in  
> their password.
> 
>   - While not the exclusive domain of Hotmail (15162/11360)  / AOL  
> (7137/5448) / MSN (1449/1069) / Gmail (825/620) / Yahoo (16562/12168)  
> account holders, the list is heavily biased towards them (orig list/ 
> duplicates removed).
> 
>   - Approximately 25% of the results for each of the main email  
> domains is the result of multiple attempted logins (surprisingly  
> consistent across each domain).
> 
>   - At least one request from a user to target a specific myspace  
> account.
> 
>   - Password strength is fairly weak for most users.  A simple  
> dictionary attack will capture most of the passwords available.   
> Repeated login attempts appear to be associated with weaker  
> passwords.  Variations to standard dictionary words seems to be  
> restricted largely to adding a number before and / or after the word.
> 
> 
> Carl
> 
> Sûnnet Beskerming Pty. Ltd.
> Adelaide, Australia
> http://www.beskerming.com
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFr4HOnBEWLrrYRl8RAlQJAJ9pGym0pFI9f24Bsh5thbo5I9be9gCcD07q
VIUyRY/VR5poxoLOxgr4nd8=
=aqiF
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
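The analysis Carl quotes above (dedup by login, per-domain counts before and after dedup, share of repeat submissions, abuse aimed at the site operator, and dictionary-word-plus-digits passwords) is straightforward to reproduce. The following Python script is an added example written for this archive page; it is not code from either poster and was never run on the real list. The records, the tiny word list and the abuse keyword filter are all constructed here for illustration; a real run would swap in the actual dump and a proper dictionary.

```python
"""Added example: reproduce the kind of tally described in the thread on a
constructed phishing-dump excerpt. All data and heuristics below are
illustrative assumptions, not the real MySpace list."""
import re
from collections import Counter

# Constructed sample: "email<TAB>password", one line per submission to the
# phishing page, in the order the victims submitted them.
SAMPLE = """\
alice@hotmail.com\tpassword
alice@hotmail.com\tpassword1
bob@yahoo.com\tsecret
bob@yahoo.com\tsecret
bob@yahoo.com\tsecret
carol@aol.com\tdragon99
dave@gmail.com\tXk9#qL2vB!
eve@hotmail.com\t12monkeys
tomsucks@hotmail.com\tihatetom
"""

# Stand-in for a dictionary wordlist (hypothetical, deliberately tiny).
WORDS = {"password", "secret", "dragon", "monkeys", "monkey"}
# Crude filter for abuse directed at the operator (hypothetical keywords).
ABUSE = re.compile(r"(sucks|hate)", re.I)


def parse(text):
    """Return (email, password) pairs in submission order, skipping junk lines."""
    rows = []
    for line in text.splitlines():
        if "\t" not in line:
            continue
        email, pw = line.split("\t", 1)
        email = email.strip().lower()
        if "@" in email:
            rows.append((email, pw))
    return rows


def dedupe_by_login(rows):
    """Keep the last password seen per email: a later retry is usually the
    victim correcting a typo, so it is the better guess at the real one."""
    last = {}
    for email, pw in rows:
        last[email] = pw
    return last


def domain_stats(rows):
    """Per mail domain: (raw record count, count after dedup by login)."""
    raw = Counter(e.split("@", 1)[1] for e, _ in rows)
    uniq = Counter(e.split("@", 1)[1] for e in dedupe_by_login(rows))
    return {d: (raw[d], uniq[d]) for d in raw}


def retry_fraction(rows):
    """Share of records that are repeat submissions from an already-seen login."""
    return (len(rows) - len(dedupe_by_login(rows))) / len(rows)


def classify_password(pw, words=WORDS):
    """'dictionary' for a bare word, 'dictionary+digits' for a word with
    digits before and/or after it, 'other' for anything else."""
    m = re.fullmatch(r"(\d*)([A-Za-z]+)(\d*)", pw)
    if m and m.group(2).lower() in words:
        return "dictionary+digits" if (m.group(1) or m.group(3)) else "dictionary"
    return "other"


def strength_summary(rows):
    """Password class counts over the deduplicated list."""
    return Counter(classify_password(pw) for pw in dedupe_by_login(rows).values())


def abuse_records(rows):
    """Records whose login or password is abuse aimed at the site operator."""
    return [(e, pw) for e, pw in rows if ABUSE.search(e) or ABUSE.search(pw)]


if __name__ == "__main__":
    rows = parse(SAMPLE)
    print("records:", len(rows), "unique logins:", len(dedupe_by_login(rows)))
    print("retry fraction: %.2f" % retry_fraction(rows))
    for dom, (r, u) in sorted(domain_stats(rows).items()):
        print("%-12s %d/%d" % (dom, r, u))
    print("strength:", dict(strength_summary(rows)))
    print("abuse:", abuse_records(rows))
```

Keeping the last submission per login rather than the first is the same judgement Carl makes: the repeats are the victim fixing a mistake, so they are the "live" data. The word-plus-digits matcher is the minimum needed to catch the variation pattern he describes; anything a real dictionary attack would also try (leet substitutions, capitalisation) is left out deliberately so the classification stays readable.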