
1.2 billion passwords stolen, but does it affect me?

You have heard the news. Russian hackers have managed to collect a pile of no less than 1.2 billion stolen user IDs and passwords from approximately 420 000 different sites. That’s a lot of passwords and your own could very well be among them. But what’s really going on here? Why is this a risk for me and what should I do? Read on, let’s try to open this up a bit.

First of all, there are intrusions into web systems every day, and passwords get stolen. Stolen passwords are traded on the underground market and misused for many different purposes. This is nothing new. The real news here is just the size of the issue. The Russian hacker gang has used powerful scripts to scan the Internet for vulnerable systems and hack them automatically, ending up with this exceptionally large number of stolen passwords. But it is still good that people write and talk about this; it’s an excellent reminder of why your personal password habits are important.

Let’s first walk you through how it can go wrong for an ordinary Internet user. Let’s call her Alice.

  1. Alice signs up for a mail account at Google. She’s lucky, alice@gmail.com is free. She’s aware of the basic requirements for good passwords and selects one with upper- and lowercase letters, digits and some special characters.
  2. Alice is quite active on the net and uses Facebook as well as many smaller sites and discussion forums. Many of them accept alice@gmail.com as the user ID. And it’s very logical to also use the same password; it sort of belongs together with that mail address, and who wants to remember many passwords?
  3. Now the evil hackers enter the scene and start scanning the net for weak systems. Gmail is protected properly and withstands the attacks. But many smaller organizations have sites maintained on a hobby basis, and lack the skills and resources to really harden the site. One of these sites belongs to a football club where Alice is active. The hackers get access to this site’s user database and download it all. Now they know the password for alice@gmail.com on that site. Big deal, you might think. The hackers know what games Alice will play in, no real harm done. But wait, that’s not all.
  4. It’s obvious that alice@gmail.com is a Gmail user, so the hackers try her password on gmail.com. Bingo. They have her email, as well as all other data she keeps on the Google sites.
  5. They also scan through a large number of other popular internet sites, including Facebook. Bingo again. Now the hackers have Alice’s Facebook account and probably a couple of other sites too.
  6. Now the hackers start to use their catch. They can harvest Alice’s accounts for information, mail conversations, others’ contact info and e-mails, documents, credit card numbers, you name it. They can also use her accounts and identity to send spam or do imposter scams, just to list some examples.

So what’s the moral of the story? Alice used a good password but it didn’t protect her in this case. Her error was to reuse the password on many sites. The big sites usually have at least a decent level of security. But if you use the same password on many sites, its level of protection is the same as the weakest site where it has been used. That’s why reusing your main mail password, especially on small shady sites, is a huge no-no.
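
The weakest-site effect from Alice’s story can be checked against your own list of accounts. The Python sketch below is an added example, not part of the original post: it groups accounts by password and lists which other accounts must be treated as compromised if one site leaks. The vault entries, site names and passwords are constructed, and the function names are hypothetical.

```python
import hashlib
from collections import defaultdict

# Constructed sample export of a password vault: (site, user ID, password).
# Every site name and password here is made up for illustration.
VAULT = [
    ("gmail.com", "alice@gmail.com", "Tr1cky!Pass#9"),
    ("facebook.com", "alice@gmail.com", "Tr1cky!Pass#9"),
    ("footballclub.example", "alice@gmail.com", "Tr1cky!Pass#9"),
    ("forum.example", "alice_k", "Tr1cky!Pass#9"),
    ("bank.example", "alice@gmail.com", "c0rrect-Horse_77"),
]

def fingerprint(password):
    """Hash the password so reports never contain the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def reuse_groups(vault):
    """Return {fingerprint: [(site, user), ...]} for passwords used more than once."""
    groups = defaultdict(list)
    for site, user, password in vault:
        groups[fingerprint(password)].append((site, user))
    return {fp: entries for fp, entries in groups.items() if len(entries) > 1}

def exposed_by_breach(vault, breached_site):
    """List the other accounts to treat as compromised if breached_site leaks."""
    leaked = {(user, fingerprint(pw)) for site, user, pw in vault
              if site == breached_site}
    leaked_passwords = {fp for _, fp in leaked}
    exposed = []
    for site, user, pw in vault:
        if site == breached_site:
            continue
        fp = fingerprint(pw)
        if (user, fp) in leaked:
            exposed.append((site, user, "same user ID and password"))
        elif fp in leaked_passwords:
            exposed.append((site, user, "same password, different user ID"))
    return exposed

if __name__ == "__main__":
    for fp, entries in reuse_groups(VAULT).items():
        print("reused on:", ", ".join(site for site, _ in entries))
    for site, user, reason in exposed_by_breach(VAULT, "footballclub.example"):
        print(f"change password for {user} at {site}: {reason}")
```

With the constructed data, a leak at the football club site exposes the Gmail, Facebook and forum accounts, while the bank account with its own password is unaffected.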

But it is really inconvenient to use multiple strong passwords, you might be thinking right now. Well, that’s not really the case. You can have multiple passwords if you are systematic and use the right tools. Make up a system where there is a constant part in every password. This part should be strong and contain upper- and lowercase characters, digits and special characters. Then add a shorter variable part for every site. This will keep the passwords different and still be fairly easy to remember.

Still worried about your memory? Don’t worry, we have a handy tool for you: the password manager F-Secure Key.

But what about the initial question? Does this attack by the Russian hackers affect me? What should I do? We don’t know who’s affected as we don’t know (at the time of writing) which sites have been affected. But the number of stolen passwords is big so there is a real risk that you are among them. Anyway, if you recognize yourself in the story about Alice, then it is a good idea to start changing your passwords right away. You might not be among the victims of these Russian hackers, but you will for sure be a victim sooner or later. Secure your digital identities before it happens!

If, on the other hand, you already have a good system with different passwords on all your sites, then there’s no reason to panic. It’s probably not worth the effort to start changing them all before we know which systems were affected. But if the list of these 420 000 sites becomes public, and you are a user of any of these sites, then it’s important to change your password on that site.

 

Safe surfing,
Micke

 
