Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/12/2008
01:24 AM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Password Crackers For Hire

Earlier this week we wrote about how attackers are selling bogus security software suites to not only rip unsuspecting Web surfers off, but also infect their systems with malware. Now, an IBM researcher says many of those Webmail online password "recovery" services may actually be hackers for hire.

Earlier this week we wrote about how attackers are selling bogus security software suites to not only rip unsuspecting Web surfers off, but also infect their systems with malware. Now, an IBM researcher says many of those Webmail online password "recovery" services may actually be hackers for hire.Imagine you want to snoop on your wife, girlfriend, employees, or whomever: a good place to start would be reading their e-mail. Consider the case of the Philadelphia KYW-TV news personality was busted for allegedly reading his co-worker's e-mail.

Turns out, if his co-worker had of caught on that her e-mail was being snooped on, and changed her password, any number of services on the Web are available to crack someone's Webmail account. This is from Tim Wilson's story today on Dark Reading, quoting Gunter Ollmann, chief security strategist at IBM's Internet Security Systems unit:

For between $300 to $600, a hacker can find a full suite of Webmail cracking tools on the 'Net, complete with the ability to do brute-force "guessing" of simple passwords and enhanced tools for penetrating the CAPTCHA authentication methods used on Webmail services, he notes.

And now those capabilities are being turned into hack-for-hire services, Ollmann says. Such services have been around for about two years, he notes, but today's CAPTCHA-breaking methods have become so effective that for about $100, the service provider can not only promise to give you the password to a specific Webmail account, but it can also promise to give you subsequent passwords if the legitimate owner should change passwords.

"These services can essentially give you a 'lifetime service contract' that you will always know the password to that account," Ollmann said.

So whether it's bogus software suites, scare ware, or hacking someone else's Webmail account as-a-service - the bad guys are changing tactics. When I first started writing about security, more than a decade ago, a hacker either had to guess someone's password, or install keystroke loggers or a sniffer on their network or system. Today, it's just outsourced.

Here's Ollmann's original blog, it's an eye opener.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...