Improving Passwords

Troy Hunt, a Microsoft MVP, has done some terrific analysis of the passwords people use. Unfortunately, what has made this possible is the recent trend in hacktivism whereby it is common for hacktivists to post the spoils of their attacks online to generate publicity and shame the company being attacked. While this has been bad news for the companies and their customers, it has provided a rich data set for researchers to analyze. The results from Troy’s research are pretty interesting. Rather than rehash the results here, I’ll let you read them yourself:

What struck me while reading the blog is how much we know about what kind of passwords people create and how little we’ve been able to make practical use of any of this knowledge. Sure, we all run off and write blogs about how people need to make their passwords harder to crack. I don’t want to insult anyone’s blogging skills, but so far this hasn’t produced a lot of progress.

I think there is a way we can drive benefit, and better security, from this data. And the responsibility to do that falls back to those of us responsible for creating security solutions. Where it should be.

Here’s the situation: websites all seem to have rules about what characters to use for a password. They have rules about the length of the password. And they enforce those rules. I can’t create a password for the site if I don’t follow the rules. Although these sites ought to make sure these rules are aligned to best practices of length and character usage, this isn't always the case. But that’s not where I see the biggest opportunity. I'm sure they keep the password length low to help prevent forgotten passwords or to keep from just annoying users, so I'll save discussion of those practices for another day. 

Here is an easy-to-implement way to force users to create better passwords: since the account creation program is checking my password for the wrong number of characters and the right mix of numbers and letters, why can’t it check for the use of passwords that hackers have in their database of common passwords?

Here is the list of the top 25 most used passwords from Troy’s research: seinfeld, password, winner, 123456, purple, sweeps, contest, princess, maggie, 9452, peanut, shadow, ginger, michael, buster, sunshine, tigger, cookie, george, summer, taylor, bosco, abc123, ashley, bailey.

I went to a couple of websites and set up new accounts. I created one account using purple (the fifth one in the list above) as a password. The site told me it was a weak password, but let me use it anyway. At another site, it would not allow purple, not because it was a common password, but because it was too short. So back I went to Troy Hunt’s blog. He listed a couple of passwords found in password dictionaries. They were “1qazZAQ!” and “dallascowboys.” I tried those. I was again told I was using weak passwords, but because they met length rules the site didn’t prevent me from using either one.

Here’s my proposal. These password dictionaries are not hard to get. Why don’t websites add these as a check, and not allow their customers to use common passwords? Sure, a few Dallas Cowboys fans might not be happy, but they have bigger problems with the team’s recent on-field performance. Don’t think of it as annoying or limiting customers. Think about it as educating them. Oh yeah, and you’ll be protecting them, too.
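
The check proposed above, sketched as an added example (not code from the original post or from any site mentioned in it). The minimum length, the letters-and-digits rule, and the extra pass that strips digits or symbols tacked onto a common word are assumptions that go beyond what the post describes.

```python
import re

# The 25 most-used passwords listed above plus the two dictionary entries the
# author tried, stored lowercased. A real deployment would load a full
# password dictionary instead of this short list.
COMMON_PASSWORDS = frozenset("""
seinfeld password winner 123456 purple sweeps contest princess maggie 9452
peanut shadow ginger michael buster sunshine tigger cookie george summer
taylor bosco abc123 ashley bailey 1qazzaq! dallascowboys
""".split())

MIN_LENGTH = 8  # assumed site policy, not a value from the post


def strip_decoration(password):
    """Drop leading/trailing digits and symbols: 'purple123!' -> 'purple'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)


def check_password(password):
    """Return the list of reasons to reject; an empty list means accept."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        reasons.append("needs letters and digits")
    # Fold case so 'PURPLE' and 'Purple' match the lowercased list entries.
    folded = password.strip().casefold()
    if folded in COMMON_PASSWORDS:
        reasons.append("common password")
    elif strip_decoration(folded) in COMMON_PASSWORDS:
        reasons.append("common password with digits or symbols added")
    return reasons


if __name__ == "__main__":
    for candidate in ("purple", "1qazZAQ!", "dallascowboys", "Sunshine2011!"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Note that “1qazZAQ!” passes the length and character-mix rules and is stopped only by the dictionary check.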

Cybercriminals Catch the Olympic Fever Early On

There is no doubt that athletes all around the world are training hard to compete at the London Olympics in 2012, but cyber criminals seem to be gearing up for the event as well. Even with over 400 days still to go until the Olympics, we have already started seeing search terms related to this event returning a large number of poisoned links. As we have observed with search engine optimization (SEO) poisoning in the past, these poisoned links redirect to rogue antivirus sites.

The following are the top 10 poisoned search terms:

We have also found dozens of other poisoned search terms related to Olympics tickets, mascots, offers, and so on. Below is a screenshot of the search results for the term “london 2012 stadium diagram”; Norton Safe Web indicates that all of the first 10 links are malicious:

These URLs redirect to malicious content only when you click on the link from the search engine result page—a benign page is presented when you navigate to these links directly. We found the fake pages created by scammers to contain Olympic-related text, images, and links to other fake pages. These pages are presented to the search engine bots for indexing, and all of these images are hot-linked from reputable news sites. The presence of images on these pages suggests that these sites are being used to poison image searches as well.

Below is a sample page presented to the search engine bot for indexing:

Once a user clicks on the search result link, he or she is redirected to a fake online scanner that asks the user to download rogue antivirus software:

In this case, the user is tricked into installing the rogue antivirus XP Total Security 2011, which pretends to scan the system and shows a huge list of threats to be "fixed":

During the course of the year leading up to the big event, we expect to see many more Olympics-related search terms being used by cybercriminals to push rogue antivirus software. We have already found over 300 compromised sites used in this campaign over the past week. We recommend that users stick to legitimate news sites, and keep a look out for domain names that appear to be unrelated to the news being searched for. Symantec customers are already protected from this attack with IPS, AV, and Safe Web technologies.

Too Many Hoaxes

At first, I was just plain annoyed. Someone forwarded a hoax email to me twice in the same week. I am often asked about hoax email: “Kevin, you work at Symantec, is this true?” That’s fine; that’s not what annoyed me. What set me off was that both emails had been forwarded to warn me. The forwarder wasn’t even questioning the content of the email. They had accepted clearly bogus warnings about the “world’s worst virus” as fact.
Then I started thinking about the Twitter discussion I recently had about education. Some security professionals are turned off by education because they don’t believe it works. The rest feel it’s important, but never done right. (I fall into the latter category.) And, I decided that my previous approach to educating people about these hoaxes was not working. Just giving people a link to a Web page that disputes the hoax is not enough. Rather than give a man a fish, I needed to teach them how to fish.
So, I sat down and wrote an email explaining how to spot a virus hoax. It took a little longer than just forwarding a link, but I think it will be more effective. Plus, I can now just cut and paste this email as a response the next time someone forwards a hoax email to me.
If you want to give what I’ve done a try, I turned my email into a template that you can use. (See below.) The next time someone forwards a hoax email to you, just cut and paste this into a reply. I’m optimistic that we can educate people—we just need to adjust and adapt when things don’t work.


Dear [fill in friend’s name],
As you know, I work at [Company Name] in the group that covers computer security. I see my fair share of viruses. I also see quite a bit of hoax email. The email you forwarded is a hoax.
It is true that miscreants are sending email with attachments and making posts to people’s Facebook pages with links that lead to malware. They use high profile events or interesting sounding videos to get you to click on the attachment or link. The goal is always the same, to get you to click and become infected. It is only the come-on that changes.
But, the thing is, any warning that comes in via email is almost always a hoax. They are never about real malware. Sometimes they tell you to do things that could actually damage your computer. (Hoaxers have a strange sense of humor.)
There are five easy ways to tell if the email you’ve received is a hoax:
1.    Snopes verified it.
The email you forwarded to me is confirmed by Snopes as a hoax. The hoaxers only tell you Snopes has verified it as true so you will not check for yourself.
2.    It’s the worst virus Symantec has ever seen.
Even if it truly existed, it would not be the worst virus ever seen. Trust me. Unless it will force cylinders used for uranium enrichment to spin out of control, it is not the worst virus ever seen.
3.    It does irreversible harm to your computer.
People who write malware are crooks, not vandals. They try to steal your information. They need your machine to stay functioning to do that.
4.    A reliable person forwarded the email.
Being reliable and being a good judge of hoaxes are two completely different skills.
5.   You are to forward the email to everyone you know.
Good-hearted people try to warn others of impending disasters. Hoaxers tell people to forward an email to everyone they know. Thanks for being so concerned—it speaks well of you as a person. But, next time, please just delete the email.
[Your name here]

Cyber Crooks All Set to Crash the British Royal Wedding

As we have seen with many major events in the past, news of the British Royal Wedding is currently being used by cyber criminals to bolster their spam campaigns and push rogue antivirus software through black hat search engine optimization (SEO) techniques.

Spam campaigns

We have blogged previously about “snowshoe” spammers targeting the upcoming British Royal Wedding of Prince William and Kate Middleton. Spam email messages advertising a replica of Princess Diana’s engagement ring that were observed in February are still making the rounds on the Internet, and the eve of the royal wedding is now upon us. Furthermore, as we had anticipated, we have recently observed additional spam campaigns making use of this significant event to promote various products.

In one such recent spam campaign, email promoting a "limited edition Buckingham Mint Royal Wedding Commemorative Coin" at a discounted rate is being observed:

The IP address involved in this particular spam attack is from a domain owned by an email marketing company based in the UK. The link in the body of the email at first briefly redirects to the domain—created on January 14, 2011—before redirecting to the final destination site. This domain was registered using a domain privacy service to obscure its identity so it could be used for spamming activities.

In another spam campaign, limited edition customizable mugs and t-shirts are being promoted at a discounted rate:


Sample “From” and “Subject” lines observed in these and related spam attacks are listed below:

From: Sovenir <[email protected]>
From: Sovenir [email protected]
From: "Timeless Royal Ring" <[email protected]>
From: "British Heirloom Ring" <[email protected]>

Subject: Get a limited-edition royal wedding mug now
Subject: Get A Limited Edition Royal Wedding T-Shirt Now
Subject: Share in the most anticipated wedding of the century
Subject: A Beautiful Simulated Sapphire Ring

The domains that are linked to the above email addresses are spammer-owned domains created recently, most likely for spamming purposes. The two domains used in the email addresses above were registered on April 7, 2011, to the same registrant. The links in the above spam emails first redirect to the domain linked to the email address before redirecting to the actual spam website. Spammers have also included opt-out links (not included in the screenshots above), which are most likely bogus.

The IP addresses involved in the above spam messages are traced back to the United States. These IP addresses have been blacklisted due to their past involvement in spam campaigns. Rest assured, Symantec Brightmail filters are in place to block these and related spam email attacks.

Black hat SEO

With only one day left before the “big day,” searches related to the Royal wedding are gaining momentum on the Web. Black hat SEO techniques are being used in “fake” pages to lure people looking for news related to the royal wedding.

At one point, a search for “william and kate movie imdb” returned 61 malicious links in the first 100 search results. Fifty-eight of the first 100 results for the search term “princess diana death photos” and 45 of the first 100 results for the search term “royal wedding guest list kanye” also led to malicious sites.

Screenshots of the search results for the term “royal wedding gown sketches” are shown below, in which Norton Safe Web indicates 6 of the 8 links are malicious:

Some of these poisoned pages receive very high search engine rankings, and appear in the first page of search results. The following screenshot shows a malicious URL appearing as the first link in the results (right below the news links) for the term “Royal wedding time.”

The Norton Safe Web site reports provide a detailed threat report for sites rated red or yellow:

Here are some other search terms currently returning poisoned links:

•    william and kate movie cast
•    prince charles age
•    princess diana death facts
•    prince harry last name
•    william and kate movie on lifetime
•    royal wedding guest list bush
•    royal wedding guest list snubs
•    prince charles siblings
•    the royal wedding date and time

We have seen over 500 compromised sites being used in this campaign over the past few days. Attackers create multiple fake pages on each site and use unethical SEO techniques—such as keyword stuffing, cloaking, and link farming—to "game" the search engine algorithms to achieve high search engine rankings.

These poisoned links generally have the following pattern:

hxxp://<domain name>/<random 2 character string>-<search keyword>

Most of these poisoned links redirect (307 Temporary Redirect) to domains that host rogue antivirus software. We came across 11 different domains being used in this campaign so far.
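
For defenders reviewing web proxy logs, the link pattern and redirect behavior described above can be turned into a simple filter. This is an added example, not Symantec's detection logic; the log field names, the alphanumeric two-character prefix, the hyphen-joined keyword, and the list of search engines are assumptions, and the log entries are constructed.

```python
import re
from urllib.parse import urlsplit

# Path shape reported above: /<random 2 character string>-<search keyword>.
# Assumed: the two characters are alphanumeric and keyword words are hyphenated.
POISONED_PATH = re.compile(r"^/[a-z0-9]{2}-[a-z0-9]+(?:-[a-z0-9]+)*/?$", re.I)
# Assumed set of search engines; extend it to match what your users use.
SEARCH_REFERER = re.compile(r"^https?://(?:[\w-]+\.)*(?:google|bing|yahoo)\.", re.I)


def is_suspect(entry):
    """True for a search-result click answered by a 307 to a different host."""
    url = urlsplit(entry["url"])
    target = urlsplit(entry.get("location", ""))
    return (
        entry["status"] == 307
        and POISONED_PATH.match(url.path) is not None
        and SEARCH_REFERER.match(entry.get("referer", "")) is not None
        and target.hostname not in (None, url.hostname)
    )


def suspect_hosts(entries):
    """Hosts serving suspect redirects: candidates for cleanup or blocking."""
    return sorted({urlsplit(e["url"]).hostname for e in entries if is_suspect(e)})


# Constructed proxy log entries (reserved .example domains), not real data.
SAMPLE_LOG = [
    # Click from a search result page: redirected off-site with a 307.
    {"url": "http://hacked-site.example/xk-royal-wedding-time", "status": 307,
     "referer": "http://www.google.com/search?q=royal+wedding+time",
     "location": "http://fake-scan.example/scan"},
    # Same link visited directly: the benign page is served.
    {"url": "http://hacked-site.example/xk-royal-wedding-time", "status": 200,
     "referer": ""},
    # Ordinary news article reached from a search.
    {"url": "http://news.example/uk/royal-wedding-time", "status": 200,
     "referer": "http://www.google.com/search?q=royal+wedding+time"},
    # Path looks similar, but the 307 stays on the same host.
    {"url": "http://shop.example/go-to-checkout", "status": 307,
     "referer": "http://www.bing.com/search?q=shop",
     "location": "http://shop.example/checkout"},
]

if __name__ == "__main__":
    print(suspect_hosts(SAMPLE_LOG))
```

The second entry shows why a direct visit to a reported link proves nothing: the redirect is only served to visitors arriving from a search engine result page.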

The screenshot below shows the usual fake scanning/rogue antivirus activity that claims a whole bunch of serious errors and threats need to be cleaned from your computer:

When searching for information on the Internet, make sure your legitimate antivirus software is updated and be wary of scam pages asking you to download “antivirus” software.

Symantec's multilayered protection technologies provide coverage for all of these attacks. The Norton Safe Web toolbar identifies and blocks poisoned search results.


Norton survey results

Our Norton team at Symantec recently conducted a Royal Wedding survey. The results of the survey were released on April 18, 2011, and they exhibit some interesting facts as listed below—as well as some that were quite shocking:

* 62% of Americans surveyed are likely to follow the British royal wedding.

* 87% of those surveyed responded that, as of March 25, they were already following the news about the upcoming wedding.

* Moreover, one-third of respondents will seek their royal wedding news online, making them more susceptible to online scams and other threats.

* One-quarter of respondents said they are interested in the royal wedding primarily because they love the notion of royalty with all its pomp and ceremony.

* Nearly 1 in 4 said their primary reason for following the wedding is because they want to see the lavish decorations, food, and clothing.

Royal Wedding 2.0 – The first “e-royal wedding”

* Nearly 40% of all respondents will seek their royal wedding information online.

* 67% of 18-34 year olds will seek their royal wedding information online.
* 87% of 18-24 year olds will seek their royal wedding information online.

* More than a quarter of respondents will be watching the wedding on a computer, laptop, or mobile device, either live or recorded.

* 53% of respondents will potentially share their thoughts about the royal wedding online (e.g., social networks, micro-blogs, and blogs).

People are unaware and unprotected from cybercriminal “wedding crashers”

* 18-34 year olds are more than twice as likely to not have security software (or not know if they do) on their laptop or computer than those 45 or older.

* 87% of 18-24 year olds seek their royal wedding information through online channels, and—shockingly—that same amount of 18-24 year olds don’t know what search engine optimization (SEO) poisoning is, or how it affects them.


Note: This blog has been researched and written by Symantec's Suyog Sainkar, Nithya Raman, and Helen Malani.