How do those hackers do it?

I’ve been in software development for over 25 years but I’ve never delved into hacking. I was mildly astonished to read in this article (freely available until at least 9/21/09) how easy it must be to hack into an email account.

The only thing I can think of is either they have hacked into the user databases, or use software to iterate through all possible passwords. The latter seems like the targets would develop a defense against this early on, since such an effort would be rather transparent if you’re looking for it. I know there are programs you can use to hack a password for a Word document, for example, but that runs on your own computer taking its sweet time. When you have to hit a web page every time you try a new password, that could take a long damn time.

I am not asking for information about how to break the law, or do anything unethical. I am just curious as to the general strategy these guys use that make it so easy. Do not post any “how to” tutorials here, or even links to hacker web sites.

I don’t know for sure, of course, but I would guess the attacker(s) used one of the following tactics:

1. Phishing: sending an email designed to look like it came from the email provider, and requiring the user to “update their account”.
2. DNS poisoning: planting malware on the victim PC so that when the victim tries to go to a webmail page, it really goes to a page controlled by the attacker, where the attacker harvests the password.
3. Keylogger: planting malware on the victim PC that records every keystroke, then later retrieving the keystroke log and parsing it for passwords.

I suppose there may be other ways, but those are the first ones that jump to mind. If I were betting, I’d bet on the keystroke logging Trojan.

Lucky guess. Most people use their own name and a password they find easy to remember. I admit to using a password I find easy to remember, but I never use my real name on-line except in closed groups where I am known anyway. She hacked her boyfriend? She had probably seen him use the account, knew what name it was under and had a very good idea of what password he would use. He might have even told her. I’ve helped to set email accounts up and hacked into them to see what’s going on. I would never do it for harm (the ‘boyfriend’ and I were checking whether she was playing him along, playing silly-buggers with her son’s father-in-law), but it’s rarely as much a computer problem as it is a simple psychological one.

With a short password there are not that many combinations, especially if you leave out special characters. It would not be all that difficult to brute force a lot of passwords. Sure, they don’t crack the guys with passwords like 8jE%53jZ, but not many people have good passwords. If the service is really $100 then it needs to be pretty automatic. If a person needs to spend more than a couple of days full time for each password it becomes uneconomical.

I can see people with access to a botnet being able to try and brute force passwords or any of the things Bayard suggests with just a few minutes of their time and a week to a month for the brute force, phishing or malware attack to finish up automatically.

I don’t know if AOL uses it, but it’s often easy to crack if the site uses those security questions to display or reset the password.

Email site: “What is your favorite sports team?”
Hacker: “Lemme just check their myspace page…”

E-mail is really, really insecure and always has been. It is based on a standard that is decades old, and what it is used for now was never anticipated. I am not sure how to read someone’s e-mail without their password, but sending e-mail from someone else’s account is fairly trivial and someone can do bad things with it.

This is an excellent point. Facebook has also been criticized for using “security questions” that have answers which people usually post on their Facebook pages. Since many people use the same password for multiple sites, that could be another way to get to the email password.

This is also a good point. Some people are seeing slow motion brute force attacks, where multiple login attempts are made from multiple source IPs over a long enough time period not to trip the automatic account lock threshold. It’s seen more often against FTP servers and such, but there’s no reason why it couldn’t be used against email accounts. As gazpacho indicates, it would work against simple passwords, but it would be impractical against stronger passwords.
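As an added illustration of the “slow motion” pattern described in that post (this is example code written for this thread, not anything from the original posters or from any mail provider), here is a small Python checker run over a handful of constructed login-log lines. A plain per-IP failure counter, the kind of check that triggers the lockout, never fires because each source stays under the threshold; grouping failures by account and counting distinct sources in a time window does catch it. The log format, the account names, the IP addresses and the thresholds are all assumptions made up for the example.

```python
"""Spot a slow, distributed password-guessing campaign in login logs.

Each source IP stays under the per-IP lockout threshold, but one
account collects failures from many different IPs over a long window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
# Format: ISO timestamp, account, source IP, result
SAMPLE_LOG = """\
2009-09-14T02:10:05 alice 10.0.0.5 FAIL
2009-09-14T02:40:11 alice 10.0.0.9 FAIL
2009-09-14T03:12:47 bob 10.0.0.5 OK
2009-09-14T03:55:30 alice 10.0.0.17 FAIL
2009-09-14T04:21:02 alice 10.0.0.23 FAIL
2009-09-14T05:03:44 alice 10.0.0.31 FAIL
2009-09-14T05:48:19 alice 10.0.0.42 FAIL
2009-09-14T06:15:00 carol 10.0.0.8 FAIL
2009-09-14T06:15:30 carol 10.0.0.8 FAIL
2009-09-14T06:16:00 carol 10.0.0.8 OK
2009-09-14T06:30:12 alice 10.0.0.57 FAIL
2009-09-14T07:02:58 alice 10.0.0.61 FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, account, ip, result)."""
    ts, account, ip, result = line.split()
    return datetime.fromisoformat(ts), account, ip, result


def failed_events(log_text):
    """Yield (timestamp, account, ip) for every FAIL line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, account, ip, result = parse_line(line)
            if result == "FAIL":
                yield ts, account, ip


def ips_reaching_lockout(log_text, per_ip_lockout=5):
    """What a plain per-IP counter sees: IPs with >= threshold failures.
    Against a distributed campaign this returns nothing."""
    counts = defaultdict(int)
    for _, _, ip in failed_events(log_text):
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= per_ip_lockout}


def find_distributed_guessing(log_text, window=timedelta(hours=24),
                              min_distinct_ips=5, per_ip_lockout=5):
    """Return {account: {"ips": n, "failures": m}} for accounts whose
    failures inside `window` come from at least `min_distinct_ips`
    sources while no single source reaches `per_ip_lockout` failures,
    i.e. exactly the case the lockout counter is designed not to see."""
    fails = defaultdict(list)  # account -> [(ts, ip), ...]
    for ts, account, ip in failed_events(log_text):
        fails[account].append((ts, ip))

    flagged = {}
    for account, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_ip = defaultdict(int)
            for _, ip in events[start:end + 1]:
                per_ip[ip] += 1
            if (len(per_ip) >= min_distinct_ips
                    and max(per_ip.values()) < per_ip_lockout):
                flagged[account] = {"ips": len(per_ip),
                                    "failures": end - start + 1}
    return flagged


if __name__ == "__main__":
    print("per-IP lockout would fire for:", ips_reaching_lockout(SAMPLE_LOG))
    print("accounts under distributed guessing:",
          find_distributed_guessing(SAMPLE_LOG))
```

On the sample data the per-IP counter returns an empty set, while the per-account view flags `alice` with eight failures from eight distinct sources in about five hours; `carol` is not flagged because her two failures come from one IP and are followed by a successful login. The thresholds are deliberately parameters, since the right values depend on how noisy a given site’s legitimate failed logins are.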

You could probably sniff out a fair fraction of passwords just by knowing the name of the person’s pets and a few significant dates (anniversary, birthday, relatives’ birthdays). Most people just don’t pick very good passwords.

A brute password search would be my guess. Very rarely do coders actually check for malicious activity (like an incorrect password being tried more than 20 times in a row), so you can just keep attacking it endlessly.

There are tons of security holes in any OS. You can patch most of them, but it’s very easy to miss one, even an old one.

Hackers can then simply run a suite of tools against your machine that looks for fifteen zillion different well known exploits, and then it acts once it finds one—kind of the blackhat inverse-version of antivirus software.

For example, if it detects a certain port open and gets a particular response from pinging that port, the software package might determine you are missing MS patch XYZ and it will simply use a well known exploit against your machine.

I’m not seeing brute force working. Even if we ONLY consider case sensitive letters and numbers, that gives us 52 characters. Out of 52, we choose 8 (8 with a requirement of 2 numbers is a common base case; I think Google uses it, for instance), order matters, repeats allowed, and that gives us…

53459728531456 possible permutations*. Now yes, computers can do a lot of instructions, but with a lockout timer how many computers do you think it would take to make a reasonable crack at it? Obviously you can cut down SOME by inputting some obvious ones first like “password”<00-99> of varying cases, random strings with concatenated names of pets and automated anagrams (both actual anagrams and random letter smears) of such with random 1337 substitutions and the like.

I know that most people don’t try very smart passwords, but even one unconsidered case and you’re stuck with a worst-case O(n) search (which, again, you can IMPROVE by trying actual words first and starting near clusters of commonly used letters). Maybe I’m underestimating the ingenuity of these searches, but brute force seems highly unlikely to me, even with 100 comps with a unique IP running every time lockout clears. And that’s not even including the cases where he has more than the minimum characters (except for the initial “try the obvious” stuff).

I’m guessing that finding a security hole or the aforementioned phishing/keylogger/etc is much more likely.

* I didn’t feel like doing the math for the fact that you only choose 10 for at least two characters, but I don’t think it changes odds too considerably.

Missed Edit: Okay, the updated permutations with the thing in my footnote above is 19770609764 if I did it right (52 and 6 + 10 and 2), much better odds, but still not too likely imo.

Jragon, what is the vocabulary of the average person? 20,000? Multiply by 20 for kwell misspellings, then by 10 for random capitalization. That is 4,000,000. Sure, you don’t get the strong passwords, but so what.

Can you brute force an AOL account? Seems like they would have enough security to know to put an account on hold after the 1000th failed password in 30 seconds.

Also, if the story is true, they may have only needed to do any real work on one account. If they got the boyfriend’s AOL password, that could have been the primary account which was able to access the wife and kid’s passwords and could be used to send malware to the girlfriend who wouldn’t have suspected it. For something like that, once you get a foot in the door, things can become much easier.

I’m somewhat skeptical of this being a successful group of professional hackers operating a black business. I imagine them ripping off more customers than they satisfy.

Yeah, but don’t these email servers lock you out for hours at a time if you get it wrong like, what, five times or so? Or at least make you type in a CAPTCHA after a small number of incorrect logins? I can’t see brute force being an option unless you have access to the password hash, or however it’s stored at these places. I’d bet on social engineering (phishing and the like) or keylogging being much more likely options.

Edit: My Hotmail makes me type a CAPTCHA after 10 incorrect logins.

For this reason, I have a set of standard fictional answers for the most common “security” questions instead of using any real answers.

Brute force attacks don’t work because after a certain number of tries the site quits looking.

So if you have an email account say after five tries it won’t let you try anymore. A brute force attack would not work.

As a system admin the biggest thing I found was people use the same password over and over.

So for instance, the people at the Straight Dope know my password. It would be very easy for them to log into say Wells Fargo and try the username Markxxx with my SD password and see if it works. Of course I know better, but most people don’t.

This is why you never use the same password for any important accounts like banks.

Did you ever go to a site and it asks you to register to read? In many cases they just want your password, since most people use the same login name.

Phishing is the easiest way. When I worked at a temp agency they sent me to a bail bondsman. If we needed to locate someone I’d take the picture (they always take pictures when they agree to bond you out), then put it on MySpace, and sure enough someone always contacted ME thinking I was him. And it was very easy from that point on to locate someone.

If you’re really interested in learning to hack you need to learn how to code. For instance, MySpace is very easy to hack certain things, 'cause ColdFusion is a very simple language to learn. MySpace often simply uses the command invisible to hide things. Well, just copy the profile and change it to visible.

BTW, MySpace has closed all the good hacks like viewing private pics with that, so I wouldn’t waste much time trying it, but it’s still good for seeing who a private profile has as a friend etc.

If you want to hack, learn to code. Once you see HOW they did it, you can see how to get around it. The thing about the Internet is it is designed to make information available to you. So it’s hard to hide things effectively, though certainly not impossible. The problem is the more security you use the longer the page waits to load and the less traffic you’ll get.

But social hacking is the easiest, you’d be shocked what your friends will reveal about you without even realizing they are doing it.

I’ve seen 15 minute lockouts mostly, but even then, 4 times an hour for 24 hours. Using my example above of 100 computers (which seems like a high, if reasonable, number for a place dedicated to this stuff; granted, having 100 unique IPs is probably trickier) I’m getting 48000 times a day, that’s 83 days to get that worst-case of 4 mill. And that assumes it controls login attempt blocks at the IP level and not the account level.

Ok, I will buy into the idea that brute forcing will not work on the big email sites because of the CAPTCHAs after a few failed attempts. It looks like Gmail makes you pass the Turing test after a smallish number of failed logins.