Last night around 11:30 I received an email from a friend that my Facebook account had spammed him.
On logging in, I learned that my account had:
- Created an event: ‘No Fees PS3 Slim for x-mas’
- Invited all my friends to attend the event
- Posted that I was attending the event to my Facebook status
Here is the screenshot of the ‘event’:
It looks like the email went out at 11:05 PM. My friend emailed me at 11:28 PM and I had the event down at 11:42 PM. But there is no pulling back the emails to my friends.
Figuring out how it happened
My first thoughts were that it was a CSRF attack or related to the Gawker hack (I had a barely used account there).
First step was to visit the link using a sandboxed browser. Here were the redirects (I’m skipping a few that were just internal to the sites in the path):
Nothing of much interest in the redirects. It was notable that I didn’t record any requests to Facebook. The nature of this attack was nearly identical to a recent Facebook worm (Sep 2010) that exploited a Cross-Site Request Forgery (CSRF - an attack in which a malicious page makes the victim’s browser send requests to a third-party site, triggering some action on that site under the victim’s session). Facebook also seems to have consistent problems with CSRF attacks.
Still, the lack of a CSRF request in my one example doesn’t guarantee that it wasn’t a CSRF attack. All of my browsing at the time of the exploit was on very safe sites. CSRF continued to look unlikely.
Weak passwords are lame. Using duplicate passwords is lamer.
I use several low-security passwords on accounts that I generally don’t care about. Gawker’s system was one of them. Most of these accounts I use only a handful of times so I haven’t really been concerned about access to them.
Unfortunately, when I originally signed up for Facebook, I used the same low-security password as well. While I quickly changed my Facebook password, I found it very difficult to verify that the password was the source of the exploit.
Nothing else in the account had been changed (more indicative of a CSRF attack than of someone holding the password).
Gmail has this awesome feature that allows you to see which IPs have logged into your account. It is a great way to check the integrity of your account. Of course Facebook makes no such data available (and yes, it still uses unencrypted cookies and is vulnerable to Firesheep).
The password was a mostly random string of letters and numbers. However, the fundamental flaw was that it was only 6 characters. That leaves the password vulnerable to a brute force attack.
How Secure is My Password estimates it would take 3 minutes for a desktop PC to ‘crack’ a similar password.
This Slate tool tells you if your email was in the hacked Gawker database. It also tells you if your password has already been cracked. Here was the message it gave me:
Your password was released, and it’s been decrypted. You should change it ASAP.
How was my password cracked?
Gawker states that they store passwords in an encrypted form in their database. The method used by most sites is to store a hash of the password rather than the actual password. A hash function is one-way, so to log you in the site has to hash the password you entered and then compare the result to the stored value in the database.
For example, if my password was ‘davenaff’, the md5 hash would be: 7c074125deb947e96fc7bb8de60c6e17. For a hacker to recover my password from that value, they would need to hash candidate passwords until they found one whose hash matched the stored hash.
There are databases and websites that have pre-calculated a dictionary of md5 hashes to their original values. (These have a cool name - ‘Rainbow Tables’). To counter this approach, many websites use salted hashes: a random value is mixed into each password before hashing, so a precomputed table of plain hashes no longer matches. Now, to crack the hash you need to know the salt, but since Gawker’s source code was also taken, the hackers have the salt too (if one was used).
The hackers reportedly obtained 500k emails and as of this morning had cracked 185k of them. Presumably they (or others) will continue to crack more as they build an increasingly larger dictionary of hashes to test against the remaining 315k passwords.
I assume that they at least ran a ‘rainbow table’ attack against all dictionary words and 6-digit passwords. The computational complexity begins to increase substantially as you add characters (from the howsecureismypassword site):

| Password length | Estimated time to crack on a desktop PC |
|---|---|
| 6 chars | 3 mins |
| 7 chars | 2 hrs |
| 8 chars | 3 days |
| 9 chars | 117 days |
| 10 chars | 11 years |
| 11 chars | 417 years |
And those stats are just for a desktop PC. Purpose-built hardware and better algorithms would go much faster.
Anyway, since my password was outed, I’ve started seeing warnings (or messages that could be considered warnings) from people trying to access some of my accounts. For example I got this message from LinkedIn earlier this evening:
Dear Dave Naffziger,
In order to ensure that you continue to have the best experience using LinkedIn, we are constantly monitoring our site to make sure your account information is safe.
We have recently disabled your account for security reasons. To reset your password, follow these quick steps:
Go to the LinkedIn website
Click on “Sign In”
Click on “Forgot Password?” and follow the directions on the website
The LinkedIn Team
Sweet, I wonder how many of those messages I’ll get…
The thing is, I know better than this. But, I guess it was time to relearn a few lessons:
- Regularly consider the password I’m using when I log into sites. Upgrade when necessary
- In all cases, use a password with at least 9 characters. My high security passwords have many more, but I’m certainly willing to type a few extra keystrokes if it means avoiding spamming my friends
- Respond quickly. The lamest thing about this is that I read about the Gawker hack before my facebook account was compromised. AND, I recognized that I probably had a Gawker account AND that the password was the same as my FB account. I literally had strung together all of these thoughts and didn’t take action until my account was compromised.
I think I’ve got all of the formerly ‘low security’ accounts I care about changed. Now, if I can just figure out how to change the password on evite…