Tuesday, October 20, 2009

Rather useful E-Book

Those of you readers who occasionally do pentests, vulnerability checks or network analyses might be interested in this E-Book. Unlike most other free ebooks there is no advertising stuff and not the 101st description of nmap switches, but a bunch of (imho) genuine and up-to-date information about a few not so well known tools and methods. 316 coloured pages packed with information. Definitely a recommendation.


Tuesday, October 13, 2009

My hotmail-account is hacked. And now?

You're lost.
Not really. Microsoft set up a form to regain access to your inbox. I just tried to find it - it took me (and I consider myself to be a well-practised Google hacker) about 5 minutes to find.

I doubt that a normal user would find it (btw: it's here: https://support.live.com/eform.aspx?productKey=wlidvalidation&ct=eformcs&scrx=1).
Now I'm curious what Yahoo did to enable users to reclaim their inbox. Any hints or links? - Post a comment if you can help.



Due to the massive media echo on our check of compromised accounts, serversniff is currently almost unavailable. Slashdotted. Twittered. Heised. Media DDoS. Bear with us, times will get better and serversniff will respond again when the massive load (traffic is currently >100 times the average) decreases.


Saturday, October 10, 2009

Check for compromised account

I hacked together a quick check to see whether a mail account is compromised. All you have to enter is the first part of the mail address - no password, no complete mail address.


Friday, October 09, 2009

Is your mailaccount compromised?

I got quite a few questions asking me to look up people's mail accounts in the list of compromised accounts.
I created a lookup interface for anybody to check whether a mail account belongs to the compromised accounts; I'll set this live on serversniff in a few hours.



Thursday, October 08, 2009

How security-teams deal with leaking passwords

Finally: I have "The List" - I even posted where it is to be found, because what I read was that the security teams of the major providers affected had done their work properly and deactivated all the affected accounts.

This is, three days later (early October 9th), NOT true. I removed the links from the previous posting, even though it is not so hard to find the lists using your favourite search engine.

First of all, a bit of statistics:
The one BIG list is around 24.530 lines long, containing a few duplicate accounts. A quick check reveals (amongst many others):
  • 592 gmail.com accounts with password
  • 22 googlemail.com accounts with password
  • 13.098 hotmail.com accounts with password
  • ~800 other hotmail-TLD accounts with password
  • 477 msn.com accounts with password
  • 3.717 yahoo.com accounts with password
  • 971 aol.com accounts with password
  • 347 comcast.net accounts with password
  • 41 facebook accounts with password
  • 2 amazon.com accounts with password
  • 6 ebay accounts with password
A phishing scam is likely to be the source; lines like
Not Telling! michelle!
indicate that at least a few victims were clever enough not to enter their real mail address.
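As an added example (my own code, not the page's or serversniff's), this is how the per-domain tally above and a lookup of the kind described in the "Check for compromised account" post can be built from a leaked "address:password" list without the service ever storing passwords or full addresses: the passwords are dropped at parse time, malformed lines such as the "Not Telling!" entry are counted rather than indexed, and the lookup works only on a hash of the local part. The sample lines are constructed.

```python
import hashlib
from collections import Counter

# Constructed sample in the "user@domain:password" form the leaked list used;
# the two odd lines mimic entries where a victim did not enter a real address.
SAMPLE_LINES = """\
alice@hotmail.com:hunter2
bob@gmail.com:letmein
alice@hotmail.com:hunter2
Not Telling! michelle!
carol@yahoo.com:qwerty
dave@hotmail.co.uk:password1
nobody here:secret
"""

def parse_leak(text):
    """Return ([(local, domain), ...], malformed_count).
    Passwords are dropped on purpose; they never leave this function."""
    entries, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        address = line.split(":", 1)[0]  # everything after the first ':' is the password
        if "@" not in address or " " in address:
            malformed += 1
            continue
        local, domain = address.rsplit("@", 1)
        entries.append((local.lower(), domain.lower()))
    return entries, malformed

def domain_stats(entries):
    """Count unique addresses per domain (duplicate lines in the dump collapse)."""
    return Counter(domain for _, domain in set(entries))

def build_index(entries):
    """Set of SHA-256(local part): the lookup service stores neither passwords
    nor full addresses, only this index."""
    return {hashlib.sha256(local.encode()).hexdigest() for local, _ in entries}

def is_listed(index, local_part):
    """Check the part before '@' against the index, normalised the same way."""
    digest = hashlib.sha256(local_part.strip().lower().encode()).hexdigest()
    return digest in index
```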

The bad guys obviously checked at least some of the victims' inboxes and manually extracted Facebook, Amazon, eBay and bulletin-board stuff to put on the list. This is very incomplete and was only done for a handful of the listed accounts.

Tonight I took some time to dig deeper; I couldn't resist checking a few accounts. I found the results quite interesting:

Google did fine work. None of the gmail accounts checked worked, and I checked quite a few.
Surprisingly eBay did fine work too. All checked eBay accounts had either the password changed or the account locked. It looks like this:

I checked further. Major media reported that Microsoft had suspended or otherwise protected the affected hotmail accounts.
This is obviously not completely true, for I found a few of the hotmail accounts still working, funnily enough many of them Swedish!
Here is what is to be found in the inbox of the poor guys:

A security warning with account suspension from facebook.com. Good guys, too. But ugly if the warning is sent to a mail account that is also compromised.

I got really disturbed when I checked the yahoo accounts: a huge load of them are working.

Many of these inboxes are stuffed with password resets, security hints or abuse reports from other sites: online shops, bulletin boards, Web 2.0 stuff. This leads to the conclusion that the accounts are circulating and being actively exploited: not only the mail, but also all other accounts depending on these inboxes. Password-reset mails get sent there...

Yahoooooo. Wake-up call. Any security or customer service staff left at your offices?

I censored the links in my earlier blog posting, for I realized that so many accounts still work.

To sum it up:
Some, even if not really affected, acted fast and completely: eBay suspended the accounts. Facebook sent warnings. Google seems to have fixed all accounts listed.

Security guys over at Microsoft did rather incomplete work, while the company claims to have blocked all of the accounts listed.

Yahoo seems to have done nothing. (Did anybody at Yahoo do anything in the last 2 years??)

Compliments go to Google, Facebook and eBay: I admit that I don't like the whole trio, but they silently did a fine job where others failed.

Note: this data was gathered by examining only ONE of the two lists mentioned in the BBC article.
The second list has 10.030 lines and is also still publicly available. It hosts account names in alphanumeric order starting with A and B (ending with blan____13@hotmail.com:an_____ey) - this suggests that there must be more HUGE lists containing accounts from C to Z.


List of passwords for Gmail, Hotmail & co

As told in the previous posting: the password lists are starting to leak ...

~25.000 hotmail/gmail & others here: self-censored

Others here: self-censored

More locations are left to your imagination.

The list mentioned here will disappear from the mentioned location and pop up elsewhere. Disappear there and pop up somewhere else. The internet never forgets. Welcome, you have arrived in modern times.



Passwords on the Web

Somebody tried to post some 10.000 mail accounts with passwords to pastebin.com. Bad idea: the post was truncated after ~10.000 lines, so the alphanumerically sorted list ends with B***.

Paul Dixon, aka Lordelph, the owner of pastebin.com (great idea for a website, btw) posted a blog entry about this here: http://blog.dixo.net/2009/10/07/pastebin-com-and-password-lists; you can get the rest of the story from major media coverage.

While I really like the pastebin concept, I also like making fun of users' contents: a Google search for mail accounts or passwords reveals quite a few posts hosting passwords of different origins. There is a bulletin board's complete user database dump, published by hacker kids dissing other hacker kids. There are gmail accounts with passwords stored in scripts that use the account for automatically sending emails or attachments.

I found a working Facebook account in another script.

And finally I found that Google is not only indexing but also caching the pastebin entries. So if you tag your pastebin text with a lifetime of one day, or if you delete your pastebin entry, it is rather likely that search engines have already indexed and cached it, totally subverting pastebin's TTL concept.

Seems like pastebin.com and its sister projects in other TLDs (thanks Paul for making the source available!) would be a nice place to spend the next procrastinated afternoon.

Back to work now.