
Re: [Full-disclosure] Grab a myspace credential



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the crunch down on the data Carl. I've not had time to
analyze the list myself but that's the exact information I would have
been after.

Cheers!

Sûnnet Beskerming wrote:
> Where did it all come from?  The prevailing theory is that the 'Tom'  
> account was successfully phished / breached (note - the real Tom has  
> a separate account) and used to send out a Bulletin to all Friends  
> (almost all users on MySpace) with the malicious link contained.   
>  From there it was a matter of waiting for the clicks to roll in.
> 
> Claimed evidence of the hack of 'Tom' is provided across several Digg  
> stories (http://www.digg.com/security/MySpace_s_Tom_s_Profile_Hacked_Sending_Links_to_Phishing_Website)  
> (http://digg.com/security/Myspace_Tom_gets_hacked_PIC) from the 2-3  
> days prior to the list being pushed to F-D.  Although screenshots can  
> be faked, the examples that have been posted do correctly reflect how  
> a Bulletin-based attack would appear.  With the numerous current  
> active XSS vulnerabilities present on MySpace, it is reasonable to  
> believe this chain of events.
> 
> Basic analysis of the list (which I believe is a much better source  
> than the one Bruce Schneier commented on  
> [http://www.schneier.com/blog/archives/2006/12/realworld_passw.html])  
> throws up some interesting output:
> 
>   - A little more than 2% of the full list is abuse directed at the  
> site operator (more when duplicate records are removed), including  
> some basic ASCII porn mixed in with the results.
> 
>   - For too many users, if the login didn't work the first time,  
> nothing was going to stop them from try, try, trying again (I'd  
> regard those records as excellent live data).  Removing duplicate  
> logins takes the list from 56k records to 41k.
> 
>   - Even better, some of the repeated attempts are users correcting  
> mistakes from the first time they tried to enter their details.
> 
>   - It's a family thing.  It appears that some users (who only tried  
> 5-6 times to login) convinced family members to try and login to the  
> site themselves (or family were caught the same way).
> 
>   - An obscure email address is not an effective means of hiding  
> identity, especially if the user then spells out their full name in  
> their password.
> 
>   - While not the exclusive domain of Hotmail (15162/11360)  / AOL  
> (7137/5448) / MSN (1449/1069) / Gmail (825/620) / Yahoo (16562/12168)  
> account holders, the list is heavily biased towards them (orig list/ 
> duplicates removed).
> 
>   - Approximately 25% of the results for each of the main email  
> domains are the result of multiple attempted logins (surprisingly  
> consistent across each domain).
> 
>   - At least one request from a user to target a specific myspace  
> account.
> 
>   - Password strength is fairly weak for most users.  A simple  
> dictionary attack will capture most of the passwords available.   
> Repeated login attempts appear to be associated with weaker  
> passwords.  Variations to standard dictionary words seem to be  
> restricted largely to adding a number before and / or after the word.
> 
> 
> Carl
> 
> Sûnnet Beskerming Pty. Ltd.
> Adelaide, Australia
> http://www.beskerming.com
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFr4HOnBEWLrrYRl8RAlQJAJ9pGym0pFI9f24Bsh5thbo5I9be9gCcD07q
VIUyRY/VR5poxoLOxgr4nd8=
=aqiF
-----END PGP SIGNATURE-----
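Carl's figures above (duplicates removed, per-domain share of repeated attempts, dictionary words padded with digits) come from tallying the list by hand. The script below is an added illustration, not code from this thread or from Sûnnet Beskerming, of how a site operator holding such a list could reproduce that exposure audit to decide which accounts to force-reset and how much of the user base a password policy change would affect. The `email:password` line format, the word list and the sample records are constructed assumptions.

```python
"""Exposure audit for a leaked credential list (added illustration, not
code from the Full-Disclosure thread). Input format, word list and the
sample records are assumptions constructed for this example."""
import re
from collections import Counter

# Constructed sample in the assumed "email:password" line format.
SAMPLE = """\
alice@hotmail.com:password1
alice@hotmail.com:password1
alice@hotmail.com:Password1
bob@yahoo.com:fluffy
bob@yahoo.com:fluffy
carol@gmail.com:Tr0ub4dor&3
dave@aol.com:12monkey
erin@hotmail.com:letmein
erin@hotmail.com:letmein
erin@hotmail.com:letmein
"""

# Tiny stand-in for a real dictionary (assumption: lowercase words only).
WORDLIST = {"password", "fluffy", "monkey", "letmein"}

# A plain word optionally padded with digits before and/or after it,
# the variation pattern the quoted analysis describes.
WORD_WITH_DIGITS = re.compile(r"^\d*([a-z]+)\d*$")


def parse_records(text):
    """Return (email, password) pairs; lines without a colon are skipped."""
    records = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        records.append((email.strip().lower(), password.strip()))
    return records


def dedupe(records):
    """Drop exact repeats of the same (email, password) pair, keeping order."""
    seen = set()
    unique = []
    for rec in records:
        if rec not in seen:
            seen.add(rec)
            unique.append(rec)
    return unique


def domain_of(email):
    return email.rsplit("@", 1)[-1]


def domain_counts(records):
    """Records per e-mail domain (run on raw and on deduplicated input)."""
    return Counter(domain_of(email) for email, _ in records)


def repeat_share_by_domain(records):
    """Fraction of each domain's records that are repeated submissions."""
    raw = domain_counts(records)
    uniq = domain_counts(dedupe(records))
    return {d: (raw[d] - uniq[d]) / raw[d] for d in raw}


def classify_password(password, wordlist=WORDLIST):
    """'dictionary', 'dictionary+digits' or 'other' (case-insensitive)."""
    m = WORD_WITH_DIGITS.match(password.lower())
    if not m or m.group(1) not in wordlist:
        return "other"
    return "dictionary" if m.group(1) == password.lower() else "dictionary+digits"


def strength_profile(records, wordlist=WORDLIST):
    """How many passwords fall in each class; drives the reset decision."""
    return Counter(classify_password(pw, wordlist) for _, pw in records)


def attempts_per_account(records):
    """Submissions per e-mail address, retries included."""
    return Counter(email for email, _ in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    uniq = dedupe(recs)
    print(f"{len(recs)} records, {len(uniq)} after removing duplicates")
    print("domains (deduplicated):", dict(domain_counts(uniq)))
    print("repeat share by domain:", repeat_share_by_domain(recs))
    print("strength profile:", dict(strength_profile(uniq)))
    print("attempts per account:", dict(attempts_per_account(recs)))
```

Accounts whose passwords land in the `dictionary` or `dictionary+digits` classes are the ones a simple guessing attack would reach first, so they are the natural first tranche for a forced reset; the per-domain repeat share and attempts-per-account counts reproduce the "try, try again" observation and identify users who should also be warned that their retries were captured.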
