THE STUDY JUNE 30, 2011

Defending Against The "Indestructible" Botnet

Computer security researchers made a startling and alarming announcement this week: A highly advanced botnet that controls over 4.5 million personal computers might be “indestructible.” A “botnet” is a collection of machines that have been infected with malicious software (usually designed to steal information) and are controlled by a third party. (In fact, your computer could be surreptitiously operating as part of a botnet right now. Computers that are being used as parts of botnets, unbeknownst to their users, are called “zombie machines.”) Researchers at Kaspersky Lab report that a botnet they’ve been studying, known as TDL-4, is exceptionally advanced: It encrypts communications between machines operating within the botnet, infects computers so deeply that it can’t be detected by anti-virus programs, and even deletes other malicious programs that could be noticed by anti-virus programs and reveal its existence on a machine. How can botnets spread so quickly, and how can users defend against them?

A team of eight researchers at UC Santa Barbara provided insight into this problem in a 2009 paper. The authors were able to “hijack” the notorious Torpig botnet (essentially, they redirected its activity to an analysis server) and observe its activity for a period of ten days. During that time, they witnessed the botnet steal sensitive information (including financial data) from over 180,000 machines. It stole nearly 300,000 unique username-password combinations and more than 8,000 user credentials for various online financial institutions. The authors were also able to identify over 1,600 seized credit and debit card numbers, prizes that bring in lots of money for cybercriminals: “A report by Symantec,” they write, “indicated (loose) ranges of prices for common goods and, in particular, priced credit cards between $0.10–$25 and bank accounts from $10–$1,000. If these figures are accurate, in ten days of activity, the Torpig controllers may have profited anywhere between $83K and $8.3M.” If you’re wondering how to defend yourself from this kind of attack, the authors have simple advice: use a complex password for sensitive websites. Most victims, they write, are “users with poorly maintained machines that choose easily guessable passwords to protect access to sensitive sites.”

3 comments

The problem is worse than that. A lot of sites don't actually allow very complex passwords. Passwords that might include (^ & ! +), to demonstrate a few of the characters that can help make passwords more complex, aren't accepted when you try to use them. Many of the sites I use reject these characters in passwords. Don't worry, I've complained. And it shouldn't be so hard. The old CompuServe dial-in bulletin board service wouldn't allow passwords that weren't long, didn't have the cap/small letter mix, and one or more of the above characters when I was using it. It was run by real geeks who understood the value of paranoia. Until today's website administrators step up and upgrade security systems to allow more than just a mix of capital and small letters, and numbers, we're stuck with weak passwords even if we want something stronger.

- jet

June 30, 2011 at 6:07pm

Meant to start with 'The password problem is worse than that.'

- jet

June 30, 2011 at 6:08pm

Today's sign that civilization is on the verge of collapse. Guess I will go and feed the chickens.

- skahn

June 30, 2011 at 9:03pm
