Monday, September 7, 2009

Password Hackers are Slippery to Collar

Here's an interesting article in this morning's Washington Post:

Password Hackers are Slippery to Collar.

It relates to the conversation we had in class on Thursday regarding password security. As you'll read in the story, there are firms whose "business" is to hack into web-based e-mail accounts and provide the customer with the password.

Obviously, this is illegal, but it is also very difficult to track. We'll discuss the reasons why in more detail when we cover incident handling toward the end of the semester, but most of these companies are located in other countries where authorities do not have good working relationships with the United States.

Despite being profiled in the newspaper, this website is still in business today. They boast:

"We Hack Passwords for $100 USD
We Crack all major web based emails
This include Hotmail, Yahoo! AOL and Gmail
We Provide Proofs Before payment."

Interesting. What are your thoughts?

4 comments:

  1. It is unsettling and just downright creepy to think that people can easily access your private accounts by just providing a fee to have someone else crack your password. I guess it's not very surprising that such a service has developed, but as the article said, it would be near impossible to stop, as most of these hackers are likely providing their services from overseas (where you are a lot less likely to get caught). I suppose that the only thing that one could do to try and avoid getting "broken into" would be to create a *very* strong password, as we discussed in class.

    This sort of service reminds me of this one website that I found out about while in high school, hackthissite.org. It's apparently a legal site that allows users to "test" their hacking skills in a "legal and safe network". It's an interesting site, though I am a little surprised that it hasn't been closed down, since it has drawn some disapproval for possibly being a "hacker training ground". I mean, no one is paying for a service, though this site sort of provides practice to at least begin developing those skills.

  2. Ah, but there's the rub. What's the difference between a site that teaches hackers how to hack and a site that teaches security professionals how to secure a website?

    Also, there's a First Amendment issue at stake as well. Take a look at this book, for example. Is it a guide for criminals or security experts? Either way, it's protected speech.

  3. I was not able to access the article online. However, I wonder what the actual success rate of these companies is when it comes to breaking strong passwords. What type of equipment and personnel are they using? Although these companies may be difficult to regulate, could internet service providers and the government take the initiative to persecute the customers paying for these passwords? I am not sure if hiring a hacker is legally the same offense as hacking.

  4. It does not matter whether someone is hired to hack or not. The issue at hand is the intent behind hacking. As we discussed in class, it is very difficult to prosecute a hacker and determine if they are a white, black, or grey hat hacker.

    As for prosecuting customers of this site, wouldn't the government already be cracking down on people using these services if they could do something about it? I'm sure there are legitimate customers that are paying these sites to access email accounts where they forgot their password and do not remember the answers to their security questions for resetting their password.

    It will be interesting to see how the government responds to these hacking and phishing websites.
