Hacked Email Accounts - The State of Affairs in 2012

Tue, 04/24/2012 - 16:23 -- darryl

I run an email list and also act as a moderator and/or webmaster on several sites.  In the last few months, there has been a big rash of email accounts, especially those on the big name free email providers, getting hacked.  Today there were two members of my email list sending spam mail from their hacked accounts, so I sent a brief request to my listers to change their passwords, use upper and lower case, and make their passwords long.  I got a private reply from a member:

From: Pat ...
Sent: Tuesday, April 24, 2012 2:06 PM
To: Darryl Richman
Subject: Capitalization
Hi Darryl,

Because the capital version of each alpha character is simply 30 units displaced from the non-cap version in ASCII, seems to me that automated code breakers might routinely check both cap and non-cap versions of each alpha character, thereby nullifying any advantage in mixing cap and non-cap.

Right or wrong?

With best wishes,
Pat ...

Well, that kind of unleashed the dogs, and poor Pat got nearly this exact long-winded reply, which he fortunately took in good nature:

Technically, you’re right (although the displacement is actually 32).  In a brute force attempt to break a password, a mixed capital/lower case password would get checked at nearly the same time as one with normal capitalization and one with all lower case.  The problem with a brute force attempt is that it takes time to try each password.  So, passwords are like door locks; if yours looks more difficult to break, then the thief will go to somebody’s house with an easier lock.  (Actually, the thief gives up on yours after a while because it is more efficient to break someone else's easier password.)

The way the bad guys go about it is that they have built dictionaries of “likely” passwords.  The entries come from several sources.  A common one is real passwords obtained from entire user databases that have been stolen from various legitimate companies.  Another source is all the keyloggers out there collecting passwords on hijacked PCs.  To these "collected in the wild" real passwords, real words and names from real dictionaries are added.  Then they are salted with multiple variations (like adding 1 and 2 digits to the end or even l33t-izing them with digits and punctuation).

The password dictionaries, for efficiency's sake, are ordered by what their creators think is most likely to least likely.  People don’t naturally put caps in the middle of their words, so these less likely variants end up towards the back.  They also tend to go from shortest to longest (which is a proxy for most likely to least likely, because as you add more characters, the “real” passwords get diluted by random noise passwords that no one will ever use -- read about Cantor's use of "diagonal construction" in his famous 1891 Theorem).
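
The flip side of that ordering is a policy check: a password that collapses onto a dictionary word once you undo the cheap mutations (case changes, one or two appended digits, l33t substitutions) sits near the front of such a list and should be rejected. This is an added example, not code from the original post; the word list, the l33t table and the 12-character minimum are constructed assumptions.

```python
import re

# Constructed stand-in for the "likely passwords" dictionary described above
# (real cracking lists run to millions of entries).
COMMON_WORDS = {"password", "letmein", "monkey", "dragon", "welcome", "sunshine"}

# Reverse of the usual l33t substitutions (digit/punctuation -> letter).
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})

def base_forms(candidate: str) -> set:
    """All base words the candidate could have been mutated from: lower-cased,
    with and without one or two trailing digits, with and without un-l33ting."""
    forms = {candidate.lower()}
    forms.add(re.sub(r"\d{1,2}$", "", candidate).lower())   # "Monkey12" -> "monkey"
    forms |= {f.translate(UNLEET) for f in list(forms)}      # "dr4g0n" -> "dragon"
    return forms

def is_dictionary_derived(candidate: str, words=COMMON_WORDS) -> bool:
    """True if any base form is a dictionary word, i.e. the password would be
    tried early by a mutation-ordered cracking list regardless of its caps."""
    return not base_forms(candidate).isdisjoint(words)

def check_password(candidate: str, min_length: int = 12) -> list:
    """Return the policy problems found; an empty list means the password
    passes both the length rule and the dictionary-derivation rule."""
    issues = []
    if len(candidate) < min_length:          # assumed minimum, not from the post
        issues.append("too-short")
    if is_dictionary_derived(candidate):
        issues.append("dictionary-derived")
    return issues

if __name__ == "__main__":
    for pw in ["Password1", "MoNkEy", "dr4g0n99", "L3tm3in", "ketchupSaturnWindow"]:
        print(f"{pw:22} -> {check_password(pw) or 'ok'}")
```

Note that "MoNkEy" and "monkey" fail identically: mixing case buys nothing against this check, while the long unrelated passphrase passes.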

I have read that the current metric is being able to break 1% of passwords in a week’s time.  This is roughly the limit for what is worthwhile.  I’ve read that the bad guys can try out all their 6-letter combos in this time and perhaps many of their 7-letter passwords.  When you have a botnet of thousands or even tens of thousands of PCs hitting Yahoo, AOL, Hotmail, GMail and so on, you can try a lot of passwords.  The accounts they try are likely to be real because the addresses are harvested from mailing lists, address books and websites.

Because all those big services have dispersed server farms, there’s no one place that sees all of these hits to correlate that someone is trying to get in.  And if there were, the bad guys would do it in rotation, so that it might take a couple months to break any one account, but they’d be working on even more accounts all at once.  (Maybe they're already doing that.)
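
What that missing single vantage point would look like, as an added example that is not part of the original post: merge the authentication failures from several dispersed servers into one per-account view and flag accounts being worked from many sources through several servers, the rotation pattern no single server's log reveals. The log format, server names, addresses and thresholds are all constructed.

```python
import re
from collections import defaultdict

# Constructed auth-log lines from three dispersed front-end servers.  Each
# server alone sees at most two failures for "alice"; only the merged view
# shows five different sources working the same account in rotation.
LOG_LINES = """
srv-a 2012-04-24T10:01:02 auth-fail user=alice src=198.51.100.7
srv-b 2012-04-24T10:14:09 auth-fail user=alice src=203.0.113.5
srv-c 2012-04-24T10:31:15 auth-fail user=alice src=192.0.2.44
srv-a 2012-04-24T10:52:40 auth-fail user=alice src=198.51.100.99
srv-b 2012-04-24T11:03:01 auth-fail user=alice src=203.0.113.77
srv-c 2012-04-24T10:03:30 auth-fail user=bob src=192.0.2.10
srv-c 2012-04-24T10:03:45 auth-ok user=bob src=192.0.2.10
srv-a 2012-04-24T10:05:00 auth-fail user=carol src=198.51.100.7
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<server>\S+) (?P<ts>\S+) (?P<result>auth-fail|auth-ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line: str):
    """One log line -> dict of fields, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def correlate(lines):
    """Merge per-server logs into one per-account view: failure count,
    distinct source addresses, and distinct servers that saw them."""
    view = defaultdict(lambda: {"fails": 0, "sources": set(), "servers": set()})
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "auth-fail":
            continue
        acct = view[ev["user"]]
        acct["fails"] += 1
        acct["sources"].add(ev["src"])
        acct["servers"].add(ev["server"])
    return view

def flag_distributed_guessing(lines, min_sources=3, min_servers=2):
    """Accounts whose failures arrive from many sources via several servers.
    A single mistyped password (bob) or one source (carol) is not flagged."""
    return sorted(user for user, v in correlate(lines).items()
                  if len(v["sources"]) >= min_sources
                  and len(v["servers"]) >= min_servers)

if __name__ == "__main__":
    print("distributed guessing against:", flag_distributed_guessing(LOG_LINES))
```
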

Also, I note that, from what little I have seen, the recent spate of email break-ins and resulting spam mails follow a single pattern.  Likely, there’s one guy offering this service, and only a few spammers paying for it.  If it really worked for the spammers, there would be a lot more of this going on.

The advantage of this approach is twofold:  1) people receive the spam from others they likely know, and so might be more inclined to act on it, and 2) it’s hard for anyone to stop them because they are sent from the very servers that most people use for their own email (via the hacked accounts). 

But these spam mails have really been poorly executed from a social engineering viewpoint (see the example below).  They hardly begin to make use of the advantage they have.  Assuming that some bad guy can convince some spammers that this is still a great idea, expect that the next time around they will figure out a much better social engineering “campaign”.  That could be particularly nasty. 

-----Original Message-----
From: myemaillistserver [mailto:myemaillistserver] On Behalf Of Raymond ...
Sent: Tuesday, April 24, 2012 10:52 AM
To: heidi ...
Subject: FWD:

wow this is crazy you should look into this http:// www. nb15news. net/biz/?page=9749841