Lessons from the Hookers.nl breach: cracking 57% of the passwords in three days

Dutch website Hookers.nl — used by prostitutes, escorts and their customers — had been hacked. The site’s user database was stolen and is actively being traded in the underground, and sold for about 2 Euros. The dump contains data of — among others — employees of Dutch governmental intuitions like the department of defense, foreign affairs and law enforcement. Since data is now within virtually anyone’s reach, we expect scams to blackmail users soon.

Hookers.nl publicly stated that passwords were not stolen. Strictly speaking this is true: the database does not contain plain text passwords but hashed passwords. Scattered Secrets was able to crack 57% of the password hashes in three days. This is our story.

Door |2024-07-25T14:36:27+00:00oktober 31, 2019|Article, Artikel, Engels, Nederlands|Reacties uitgeschakeld voor Lessons from the Hookers.nl breach: cracking 57% of the passwords in three days

How to crack billions of passwords?

All kinds of online services get hacked. This includes services that you might be using. Scattered Secrets is a password breach notification and prevention service. We continuously collect publicly available hacked databases and try to crack the corresponding passwords. Verified account owners can access their own information and take appropriate action to keep their accounts safe and prevent against account takeovers. At the time of writing, our database includes nearly four billion — yes, that is with a B — plaintext passwords. Users occasionally ask us how we can crack passwords on such a large scale. To answer this, first we need to look at the basics.

Door |2024-02-17T11:04:28+00:00september 19, 2019|Article, Artikel, Engels, Nederlands|Reacties uitgeschakeld voor How to crack billions of passwords?

Crime, ransomware and defence

“I rob banks because that is where the money is”, is a famous quote attributed to (in)famous bank robber Willie Sutton[1]. It is also known as Sutton’s Law. Suttons law still holds true for many things, including modern (cyber)crime. If you want to earn money from your crimes, focus on what people value most.

Ransomware is an example of just this. Criminals target what is most valuable to organisations and individuals, their data or memories.

Door |2024-02-17T06:32:39+00:00juli 25, 2019|Article, Artikel, Engels, Nederlands|Reacties uitgeschakeld voor Crime, ransomware and defence

EFAIL: detection and prevention

In our previous blog posting we discussed the EFAIL "Generic exfiltration" attack on S/MIME and suggested how such an attack may be detected.

Even though the CipherMail gateway is not directly vulnerable to EFAIL (see EFAIL: which is vulnerable? PGP, S/MIME or your mail client? for more details), if your email client is configured to automatically download external resources, your email client may leak your decrypted email.

The main issue with the EFAIL "Generic exfiltration" attack is that an encrypted message can be modified by an attacker without being detected. This is a general S/MIME problem and can only be solved by fixing the S/MIME standards.

Door |2024-09-30T07:42:09+00:00juni 28, 2018|Article, Artikel, Engels, Nederlands|Reacties uitgeschakeld voor EFAIL: detection and prevention

The cost of business vs the cost of crime…

If you live in The Netherlands you probably noticed that a series of DDoS attacks caused quite some uproar in our little corner of the world. One of the questions I get asked regularly is why we still cannot deal with these types of attacks.

We are at un unfair disadvantage, or more accurately phrased, the criminals have an unfair advantage. The cost, in terms of money, time, lost functionality, etc., of preventing a crime or attack are often higher than those the criminal or attacker needs to make to actually commit his deed.

Door |2024-02-17T12:55:40+00:00februari 15, 2018|Article, Artikel, Engels, Nederlands|Reacties uitgeschakeld voor The cost of business vs the cost of crime…
Ga naar de bovenkant