-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the crunch down on the data, Carl. I've not had time to analyze the list myself, but that's the exact information I would have been after.

Cheers!

Sûnnet Beskerming wrote:
> Where did it all come from? The prevailing theory is that the 'Tom'
> account was successfully phished / breached (note - the real Tom has
> a separate account) and used to send out a Bulletin to all Friends
> (almost all users on MySpace) with the malicious link contained.
> From there it was a matter of waiting for the clicks to roll in.
>
> Claimed evidence of the hack of 'Tom' is provided across several Digg
> stories (http://www.digg.com/security/MySpace_s_Tom_s_Profile_Hacked_Sending_Links_to_Phishing_Website)
> (http://digg.com/security/Myspace_Tom_gets_hacked_PIC) from the 2-3
> days prior to the list being pushed to F-D. Although screenshots can
> be faked, the examples that have been posted do correctly reflect how
> a Bulletin-based attack would appear. With the numerous current
> active XSS vulnerabilities present on MySpace, it is reasonable to
> believe this chain of events.
>
> Basic analysis of the list (which I believe is a much better source
> than the one Bruce Schneier commented on
> [http://www.schneier.com/blog/archives/2006/12/realworld_passw.html])
> throws up some interesting output:
>
> - A little more than 2% of the full list is abuse directed at the
> site operator (more when duplicate records are removed), including
> some basic ASCII porn mixed in with the results.
>
> - For too many users, if the login didn't work the first time,
> nothing was going to stop them from try, try, trying again (I'd
> regard those records as excellent live data). Removing duplicate
> logins takes the list from 56k records to 41k.
>
> - Even better, some of the repeated attempts are users correcting
> mistakes from the first time they tried to enter their details.
>
> - It's a family thing. It appears that some users (who only tried
> 5-6 times to log in) convinced family members to try and log in to the
> site themselves (or family were caught the same way).
>
> - An obscure email address is not an effective means of hiding
> identity, especially if the user then spells out their full name in
> their password.
>
> - While not the exclusive domain of Hotmail (15162/11360) / AOL
> (7137/5448) / MSN (1449/1069) / Gmail (825/620) / Yahoo (16562/12168)
> account holders, the list is heavily biased towards them (orig list /
> duplicates removed).
>
> - Approximately 25% of the results for each of the main email
> domains are the result of multiple attempted logins (surprisingly
> consistent across each domain).
>
> - At least one request from a user to target a specific myspace
> account.
>
> - Password strength is fairly weak for most users. A simple
> dictionary attack will capture most of the passwords available.
> Repeated login attempts appear to be associated with weaker
> passwords. Variations to standard dictionary words seem to be
> restricted largely to adding a number before and / or after the word.
>
>
> Carl
>
> Sûnnet Beskerming Pty. Ltd.
> Adelaide, Australia
> http://www.beskerming.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFr4HOnBEWLrrYRl8RAlQJAJ9pGym0pFI9f24Bsh5thbo5I9be9gCcD07q
VIUyRY/VR5poxoLOxgr4nd8=
=aqiF
-----END PGP SIGNATURE-----
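The "crunch down" the quoted analysis describes (dedupe the dump, count per email domain with and without duplicates, spot users who retried or corrected their details, classify passwords as dictionary words with digits tacked on, and catch addresses whose owner spelled their name into the password) can be reproduced with a short script. The following is an added example written for this page; it is not code from the thread or from Sûnnet Beskerming. The sample lines are constructed, not taken from the real list, the `email:password` one-per-line layout and the tiny `DICTIONARY` word set are assumptions, and `name_in_password` is a simple heuristic of my own, not the method used on the real data.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample dump (not real data). Assumed layout: one `email:password`
# per line, in submission order, so a user's retries appear as adjacent lines.
SAMPLE = """\
alice.smith@hotmail.com:password1
alice.smith@hotmail.com:Password1
bob@aol.com:dragon
carol_j@yahoo.com:caroljohnson
dave@hotmail.com:monkey
dave@hotmail.com:monkey
dave@hotmail.com:monkey
erin@gmail.com:Tr0ub4dor&3
frank@msn.com:letmein2
frank@msn.com:letmein2
"""

# Stand-in for a real cracking wordlist (assumption: a handful of words).
DICTIONARY = {"password", "monkey", "letmein", "dragon", "qwerty"}


def parse(text):
    """Return (email, password) pairs; lines without a ':' are skipped."""
    records = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, pw = line.split(":", 1)
        records.append((email.strip().lower(), pw))
    return records


def dedupe(records):
    """Drop exact duplicate submissions, keeping first-seen order."""
    return list(OrderedDict.fromkeys(records))


def password_class(pw):
    """'dictionary' for a bare wordlist hit, 'dictionary+digits' when only
    leading/trailing digits were added (the variation the post describes),
    otherwise 'other'."""
    core = pw.lower().strip("0123456789")
    if core in DICTIONARY:
        return "dictionary" if core == pw.lower() else "dictionary+digits"
    return "other"


def name_in_password(email, pw):
    """Heuristic: True if a 3+ letter token of the address's local part
    recurs in the password, i.e. an 'obscure' address undone by the password."""
    local = email.split("@", 1)[0].lower()
    tokens = [t for t in re.split(r"[^a-z]+", local) if len(t) >= 3]
    return any(t in pw.lower() for t in tokens)


def analyze(text):
    records = parse(text)
    unique = dedupe(records)

    # Per-domain counts as (raw list, duplicates removed), like the post's figures.
    raw_dom = Counter(e.split("@", 1)[1] for e, _ in records)
    uniq_dom = Counter(e.split("@", 1)[1] for e, _ in unique)
    domains = {d: (raw_dom[d], uniq_dom[d]) for d in raw_dom}

    # Users who submitted more than once, and the subset that changed the
    # password between attempts (corrections rather than plain retries).
    attempts = Counter(e for e, _ in records)
    distinct = {}
    for e, pw in unique:
        distinct.setdefault(e, []).append(pw)
    retry_users = {e: n for e, n in attempts.items() if n > 1}
    corrections = sorted(e for e, pws in distinct.items() if len(pws) > 1)

    classes = Counter(password_class(pw) for _, pw in unique)
    crackable = classes["dictionary"] + classes["dictionary+digits"]
    leaked_names = sorted(e for e, pw in unique if name_in_password(e, pw))

    return {
        "raw": len(records),
        "unique": len(unique),
        "domains": domains,
        "retry_users": retry_users,
        "corrections": corrections,
        "classes": dict(classes),
        "crackable_fraction": crackable / len(unique) if unique else 0.0,
        "name_in_password": leaked_names,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports 10 raw records collapsing to 7 unique, hotmail.com at (5, 3), three users with repeated attempts of which only one actually changed the password between tries, and 5 of 7 unique passwords falling to the wordlist with at most digits added. Swapping `SAMPLE` for the real dump and `DICTIONARY` for a proper wordlist is all that is needed to run the same pass over a full list.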
