It’s been reported that around five million Gmail email addresses were released on to a forum early on in the week. In the file, next to each email address, was a password. These email addresses and passwords appear to have been collected over a few years from multiple web site sources, not from a compromise of Gmail/Google.  The Google security team have done their analysis on the credential dump and alerted the two percent of those in that list they determine were at risk [1]. 

A fair number of researchers, academics and the curious will analyze, collate and build a number of models showing the most common and most amusing passwords and it’s probably something most of us have seen before. So what else can we gain from these types of credential dumps and can we make it worth out time reviewing them?


Here are a few suggestions to make use of these types of dumps in a more positive manner.

1) Showing non-security staff (i.e. the rest of the world) the top fifty most common passwords, with the number of people that use that same password, to provide a bit of user education on why not to use common passwords on their accounts, personal or work, or how reusing the same passwords across multiple sites can cause problems [2].

2) Providing you can get access to the full list, checking your email address isn’t there, and it would be nice to also check that people you know aren’t in the dump either.

3) A more business-focused approach, as long as you have permission, would be to compare all those email addresses against any Gmail registered user accounts, as an example any customers registered for your newsletters, logins to web sites or applications using Gmail accounts. If you do find any accounts that are linked to a listed Gmail email address from the dump, some possible options are:

  • Notify said users that their email address and a passwords has appeared on a credential dump
  • Force a password reset on that account
  • Audit and Monitor the accounts to see if unusual has occurred 

4) Another step after that would be to check your logs to see if there is any automated login attempts using the Gmail accounts against any of your systems, as this is well documented behaviour by various adversaries that fellow Handlers have reported upon previously [3]. 


If the information is out there, our adversaries are going to be using, so we should strive to ensure we have our incident response plans have how to deal with these external events quickly and with the minimum effort. 


[1] http://googleonlinesecurity.blogspot.com.au/2014/09/cleaning-up-after-password-dumps.html

[2] http://www.securingthehuman.org/blog/2012/07/30/guest-post-limits-of-password-security-awarneness

[3] https://isc.sans.edu/diary/Tales+of+Password+Reuse/17087 


Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

InfoSec Book Club: What's On Your Fall Reading List?
Dark Reading
Dark Reading community members share the books that inform and inspire their decisions and interactions as security professionals. Previous. 1 of 11. Next. I don't know about you but when I see the yellow school buses rolling and the days start getting ...

Beware, scammer!
Aurich Lawson

Tech support scams are nothing new—we first went in-depth almost two years ago on "scareware scammers" who cold-call unsuspecting victims and try to talk them into compromising their computers by installing remote control applications and handing the keys over to the scammers.

We even managed to engage with one for a protracted length of time, with deputy editor Nate Anderson playing the role of a computer neophyte and recording the entire mess. But one developer has taken things a step further, producing a tool that will enable you to fight back if targeted—if you don’t mind a bit of bad acting yourself.

Matt Weeks is one of the developers who contributes code to the open source Metasploit Project, a sprawling and continually updated security framework that functions as a repository for software vulnerabilities and is frequently used as a Swiss Army Knife for penetration testing. Weeks has published a long report on his site detailing how he was able to reverse-engineer the encrypted communications protocol used by Ammyy Admin, one of the most popular remote control apps used by tech support scammers, and then use that knowledge to ferret out a vulnerability in the Ammyy Admin application.

Read 8 remaining paragraphs | Comments

IBM RLKS Administration and Reporting Tool CVE-2014-3079 Authorization Bypass Vulnerability
IBM V7000 Unified CVE-2014-4811 Security Bypass Vulnerability
OpenOffice CVE-2013-4156 Memory Corruption Vulnerability
A screenshot used as proof that an unknown person has taken control of the e-mail address of bitcoin creator Satoshi Nakamoto.

Messages demanding payment in order to out details about mysterious Bitcoin creator "Satoshi Nakamoto" have proliferated in the few days since an unknown person took control of the e-mail address historically used by the reclusive cryptographer.

By Friday, at least seven messages on Pastebin threatened to release information, or "dox," taken from Satoshi Nakamoto's e-mail account on gmx.com, the address used in Nakamoto's original Bitcoin paper. The messages used at least five different Bitcoin addresses and demanded varying amounts of Bitcoin in order to reveal Nakamoto's true identity.

"Satoshis [sic] dox, passwords and IP addresses will be published when this address has reached 25 BTC," stated one demand.

Read 10 remaining paragraphs | Comments

HttpFileServer 2.3.x Remote Command Execution


Tool developed that hacks those evil Windows support phone scammers
Here's a tip to anyone out there that's thinking about running a Windows tech support phone scam. Don't target an InfoSec pro's family, because he's liable to dream up a very geeky way to get back at you. Matthew Weeks is the director of emerging ...

and more »

Swiss Infosec feiert
Der Surseer Security-Spezialist Swiss Infosec feiert dieses Jahr sein 25-jähriges Bestehen. Das Unternehmen wurde 1989 von Reto Zbinden gegründet und fokussiert auf Informationssicherheit, IT-Sicherheit und Datenschutz. Aktuell arbeiten 30 Spezialisten ...
Happy Birthday Swiss Infosec AG! (VIDEO)ptext.ch (Pressemitteilung)

all 5 news articles »
Mozilla Firefox/SeaMonkey CVE-2014-1502 Security Bypass Vulnerability
Mozilla Firefox/SeaMonkey CVE-2014-1480 Security Vulnerability
LinuxSecurity.com: Several security issues were fixed in Thunderbird.
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Security Report Summary
Cisco Unified Communications Manager Web Framework Cross Site Scripting Vulnerability
[SECURITY] [DSA 3023-1] bind9 security update
[SECURITY] [DSA 3024-1] gnupg security update
NEW VMSA-2014-0009 VMware NSX and vCNS product updates address a critical information disclosure vulnerability

UK.gov's flagship infosec program ISN'T DELIVERING - but all's still well, say ...
The UK's National Cyber Security Programme is not yet delivering on its much-vaunted economic benefits but is still a worthwhile exercise, according to a report by government auditors. An update by the National Audit Office for Parliament's Public ...

and more »

Posted by InfoSec News on Sep 12


By Aliya Sternstein
September 11, 2014

Defense companies that manufacture parts with three-dimensional printers
using metal powders might want to heed forthcoming government-issued
standards for preventing hacks.

Not only can attackers steal proprietary designs by breaching the
machines’ data files – but they can also...

Posted by InfoSec News on Sep 12


By Rachel King
Between the Lines
ZDNet News
September 11, 2014

Following up Yahoo's "win for transparency," Dropbox published its latest
transparency report revealing the number of user data requests it receives
from government agencies.

The cloud storage company said it received 268 requests for user
information from law...

Posted by InfoSec News on Sep 12


By Kelly Jackson Higgins
Dark Reading

Two Chinese cyber espionage gangs known for targeting very different
industries and working out of different regions of the nation actually use
some of the same or similar tactics, tools, and resources in their spying
operations, researchers found.

Such collaboration and resource...

Posted by InfoSec News on Sep 12


By Lucian Constantin
11 September 2014

A critical vulnerability in a popular e-commerce extension for the Joomla
content management system allows malicious users to gain super-admin
privileges to sites that run the software.

The VirtueMart extension, which allows users to set up online shops on

Posted by InfoSec News on Sep 12


By Grant Gross
IDG News Service
Sep 11, 2014

A recent data breach at retailer Home Depot and a leak of celebrity nude
pictures from Apple's iCloud service raise questions about the companies'
data security practices, two U.S. senators said Thursday.

Sens. John "Jay" Rockefeller, a West Virginia Democrat, and Claire...

Posted by InfoSec News on Sep 12


By Lee Kyung-min
The Korea Times

Three men were indicted for buying hacking programs from North Korean
agents to use for online gambling, prosecutors said Wednesday. .

The programs were allegedly used for the North's cyber attack against
Korean firms and government agencies last year.

The three told investigators that they were planning to sell the software...

Posted by InfoSec News on Sep 12

Forwarded from: jackie (at) sdiwc.info

Universiti Sultan Zainal Abidin (UniSZA), Kuala Terengganu, Malaysia
October 8-10, 2014 | infosec (at) sdiwc.net

All registered papers will be included in the publisher's Digital Library.

The conference aims to enable researchers build connections between different
digital applications....
Internet Storm Center Infocon Status