Most-used stolen Yahoo password was 123456

I mean, seriously now. That’s the kind of thing an idiot would have on his luggage.

According to Anders Nilsson, security expert and chief technology officer of Scandinavian security company Eurosecure, 1,666 of the 450,000 stolen Yahoo passwords were "password," and another 780 contained the word "password" somewhere in them. "Welcome" appeared in 534 passwords.

There are lots more fun details about how poorly we choose passwords for ourselves in Nilsson’s excellent analysis, which can be found here.

Update: The human race is slightly less stupid than CNNMoney initially believed. I first read Nilsson’s figures as 38% of people used “password” as their password, when it was actually 0.38%. As always, I’m the stupid one. -David

How my e-mail was spoofed

image

I didn’t send that e-mail, even though Gmail says I did.

It was sent by Eric Fiterman, a former FBI Special Agent and founder of Rogue Networks. He helped us show how easy it is to spoof an e-mail address.

To go phishing, first an attacker needs to get access to a virtual Linux server. Easy enough — you can do this for a 14-day free trial on cloudshare.com.

Then the attacker needs to set up the server to send mail using whatever e-mail address he or she wants to use. That's as simple as typing the address into a field: nothing in the mail protocol itself checks that the sender actually owns the address in the "From" line.

That's the easy part. After that, phishing schemes can be very complex or incredibly simple. Simple schemes include sending e-mails to a user's friends and family (easily found on Facebook) asking them to wire money, send their passwords, or hand over their Social Security numbers.

Complex schemes involve setting up fake websites or embedding keylogging malware in PDF attachments.

Take these for example…

image

image

Okay, so Eric was being funny and these aren’t the most convincing phishing e-mails (especially considering Pelosi is in the House, not the Senate). But with some more convincing language, you can see why someone might open the attachment.

So how do you know if it’s a phony?

It's not always easy. If you look at the raw message headers (in Gmail, click the arrow next to the reply button and choose "Show original"), you'd see this:


Received: by 10.220.74.204 with SMTP id v12cs140747vcj;
        Thu, 2 Jun 2011 14:29:34 -0700 (PDT)
Received: by 10.229.73.80 with SMTP id p16mr971468qcj.57.1307050174673;
        Thu, 02 Jun 2011 14:29:34 -0700 (PDT)
Return-Path: <root@ericmethodvuecom.vpslink.com>
Received: from ericmethodvuecom.vpslink.com ([xx.xxx.x.xxx])
        by mx.google.com with ESMTPS id d18si2139076qcs.32.2011.06.02.14.29.34
        (version=TLSv1/SSLv3 cipher=OTHER);
        Thu, 02 Jun 2011 14:29:34 -0700 (PDT)
Received-SPF: neutral (google.com: xx.xxx.x.xxx is neither permitted nor denied by best guess record for domain of root@ericmethodvuecom.vpslink.com) client-ip=xx.xxx.x.xxx;

So clearly this was sent from Eric, not Nancy or Ted: the Return-Path and the "Received: from" line name a rented VPS at vpslink.com rather than anything belonging to the supposed sender, and Google's SPF check came back only "neutral," not "pass." But that's a level of digging most people aren't willing to do. -David
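As an added example (not from the original post or from Eric's demo), here is that same inspection done mechanically in Python. It parses the headers quoted above, compares the Return-Path (the envelope sender the receiving server actually saw) and the first trusted "Received: from" hop against the "From" line, and reads the SPF result. The From/To/Subject lines, the example.com addresses, the second "legitimate" message and the mx.google.com trust anchor are assumptions; the original post shows only the server-added headers.

```python
"""Added example (not part of the original post): mechanically check a raw
message's server-added headers against its From: line, the way a reader
inspecting Gmail's "Show original" view would by eye."""
import email
import re
from email.utils import parseaddr

# Constructed sample. The Received:, Return-Path: and Received-SPF: lines are
# the ones quoted in the post; the From:/To:/Subject: lines are assumed,
# since the post does not show them.
SPOOFED_RAW = """\
Received: by 10.220.74.204 with SMTP id v12cs140747vcj;
        Thu, 2 Jun 2011 14:29:34 -0700 (PDT)
Received: by 10.229.73.80 with SMTP id p16mr971468qcj.57.1307050174673;
        Thu, 02 Jun 2011 14:29:34 -0700 (PDT)
Return-Path: <root@ericmethodvuecom.vpslink.com>
Received: from ericmethodvuecom.vpslink.com ([xx.xxx.x.xxx])
        by mx.google.com with ESMTPS id d18si2139076qcs.32.2011.06.02.14.29.34
        (version=TLSv1/SSLv3 cipher=OTHER);
        Thu, 02 Jun 2011 14:29:34 -0700 (PDT)
Received-SPF: neutral (google.com: xx.xxx.x.xxx is neither permitted nor denied by best guess record for domain of root@ericmethodvuecom.vpslink.com) client-ip=xx.xxx.x.xxx;
From: David <david@example.com>
To: reader@example.net
Subject: Please open the attachment

(body omitted)
"""

# Constructed counter-example (assumed, not from the post): what the same
# headers look like when the envelope sender, sending host and SPF all agree.
LEGIT_RAW = """\
Return-Path: <david@example.com>
Received: from mail.example.com ([192.0.2.10])
        by mx.google.com with ESMTPS id abc123;
        Thu, 02 Jun 2011 14:29:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of david@example.com designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
From: David <david@example.com>
To: reader@example.net
Subject: hi

(body omitted)
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?([^\])]+)\]?\)\s+by\s+(\S+)")


def domain_of(addr_header: str) -> str:
    """Lower-cased domain part of the address in a From:/Return-Path: header."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def first_trusted_hop(msg, trusted_mx: str):
    """Return (claimed_host, client_ip) from the Received: line written by our
    own MX. Only that line is trustworthy: every Received: header below it in
    the list was already present when the sender handed the message over and
    could have been forged along with the From: line."""
    for hop in msg.get_all("Received", []):
        m = HOP_RE.search(hop)
        if m and m.group(3).lower().endswith(trusted_mx):
            return m.group(1).lower(), m.group(2)
    return None


def analyze(raw: str, trusted_mx: str = "mx.google.com") -> dict:
    """Compare the header From: against what the receiving server recorded."""
    msg = email.message_from_string(raw)
    header_from = domain_of(msg.get("From", ""))
    envelope_from = domain_of(msg.get("Return-Path", ""))  # SMTP MAIL FROM
    hop = first_trusted_hop(msg, trusted_mx)
    spf_line = msg.get("Received-SPF", "")
    spf = re.match(r"\s*(\w+)", spf_line).group(1).lower() if spf_line else "none"

    reasons = []
    if envelope_from and envelope_from != header_from:
        reasons.append(f"Return-Path domain {envelope_from} != From domain {header_from}")
    if hop and hop[0] != header_from and not hop[0].endswith("." + header_from):
        reasons.append(f"sending host {hop[0]} is not under {header_from}")
    if spf != "pass":
        reasons.append(f"SPF result is {spf}, not pass")
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "sending_host": hop[0] if hop else None,
        "client_ip": hop[1] if hop else None,
        "spf": spf,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(label, analyze(raw))
```

The check deliberately anchors on the Received line added by the receiver's own MX rather than the bottom-most one, because a sender can prepend any number of fake Received headers before handing the message over; only the hops recorded after the receiver took custody are trustworthy. A plain domain mismatch between Return-Path and From is not proof of spoofing by itself (mailing lists and bulk senders legitimately differ), which is why the result is reported as reasons to look closer rather than a verdict.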