Fallout from the Christmas hack of Stratfor
Wednesday, 04 January 2012 17:57
Let this be the day that you change your password practices. On December 24th, 2011, Anonymous, the loose collective of hackers that includes anyone who chooses to adopt that label, announced that they had broken into the servers of the defense intelligence organization Stratfor. Despite Anonymous’ belief in a vast military-industrial-government conspiracy, Stratfor is merely a think tank that researches and reports on global hot spots and events.
It is very important for everyone reading this to re-learn security 101. Anonymous has posted complete credit card records of those who subscribe to Stratfor’s publications, and 28,517 email addresses and cracked passwords. Reading through those lists is very educational. Well known security experts, executives at major networking companies, industry analysts, and government contractors have all had their passwords published on the text-file sharing site pastebin.com.
A cursory glance reveals the corporate email addresses and simple passwords from:
The passwords revealed are an object lesson in password strength. Do you really think adding a number to the end of a word makes it a better password? optimus2, compaq23, Satellite1, kate29, magic78 and chance10 were all easily cracked. Not to mention those that used: password, stratfor, chickens, bamboo, mentor, fishhead, trophy, chicago, or the lovely “kisses” or the beguiling “lovecakes”.
What about non-words like “1qaz2wsx”? (Type it and you will see the easy-to-remember pattern on your keyboard.) Those do not work either: every cracking tool ships with keyboard-walk patterns in its wordlists.
What about substituting numbers for letters? Easy to crack, as the guy who used n0m3ncl8tur3 has discovered; the substitution rules are built into the tools.
How about special characters? Slav85!, stratfor!, Cal!985, Godzilla!, Sith31!, redsox#1 and 1q2W#E all fail, because a dictionary word with one symbol tacked on is still a dictionary word plus one rule.
1. It is no longer even remotely OK to use simple passwords. Even so-called “throw-away” accounts can lead to embarrassment for you or your organization. Do you really want your co-workers and the press to know that you used your birthday/pet’s name/football team as your password? (I experienced this when Gawker was hacked in a similar event in 2010. Look it up to see my stupid password.)
Now for those that collect credit cards and account information on their Internet facing servers.
Lessons for web site owners re-learned from Stratfor:
1. Put a password on your databases, and do not leave them reachable from the Internet at all. Apparently Stratfor had no password protection on its SQL database.
2. Do not store passwords with the fast, unsalted hash that comes as the default in your CMS or Unix library. There are vast precomputed dictionaries of hashed passwords online; once a hacker has stolen your password table they can look each hash up, or run simple tools that try millions of guesses per second against every account at once. Research and deploy salted, deliberately slow password hashes (bcrypt, scrypt or PBKDF2): the per-user salt makes lookup tables useless, and the work factor makes every single guess expensive. Do not simply encrypt the passwords instead; the key would then have to be protected as carefully as the passwords themselves, and anyone who gets it gets every password in the clear. Hash the passwords, and reserve encryption (with carefully secured keys) for data you genuinely must read back, such as card numbers.
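The two halves of the lesson, worked through as an added example (this is not Stratfor's code or data; the "leaked" table below is constructed here from the weak passwords quoted in the article, the addresses are invented, and the wordlist and iteration count are illustrative choices): first a dictionary attack with the mangling rules that catch optimus2, n0m3ncl8tur3, Godzilla! and Satellite1 against an unsalted MD5 table, then the salted, slow PBKDF2 storage a site should have used instead.

```python
import hashlib
import hmac
import itertools
import secrets

# "Number for a letter" look-alikes; a->8 is what turned nomenclature into n0m3ncl8tur3.
LEET = {"a": "48@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
# Trailing digits and punctuation: optimus2, compaq23, Godzilla!, redsox#1.
SUFFIXES = ["", "!", "#1"] + [str(n) for n in range(100)]
# A real cracker's wordlist has millions of entries; a handful suffices here.
WORDLIST = ["optimus", "compaq", "satellite", "password", "stratfor", "godzilla", "nomenclature"]

# Constructed stand-in for a leaked user table: unsalted MD5, which is what many
# CMSes stored by default in 2011. The attacker only ever sees the right-hand column.
LEAKED_MD5 = {
    "analyst@example.com":    hashlib.md5(b"optimus2").hexdigest(),
    "executive@example.com":  hashlib.md5(b"n0m3ncl8tur3").hexdigest(),
    "contractor@example.com": hashlib.md5(b"Godzilla!").hexdigest(),
    "editor@example.com":     hashlib.md5(b"Satellite1").hexdigest(),
    "webmaster@example.com":  hashlib.md5(b"stratfor!").hexdigest(),
    "careful@example.com":    hashlib.md5(b"Tq7#mV9&kL2@pX").hexdigest(),  # random, not word-derived
}


def leet_variants(word):
    """Yield every spelling of `word` with zero or more letters swapped per LEET."""
    choices = [ch + LEET.get(ch, "") for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(wordlist):
    """Wordlist x case rule x leet rule x suffix: the default mangling rules of
    any cracking tool, which is why none of the article's examples was 'hard'."""
    for word in wordlist:
        for cased in (word.lower(), word.capitalize(), word.upper()):
            for mangled in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield mangled + suffix


def crack_unsalted(leaked, wordlist):
    """With unsalted hashes one pass over the guesses tests every account at once:
    hash each guess a single time and look it up. Returns {user: password}."""
    by_hash = {}
    for user, digest in leaked.items():
        by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for guess in candidates(wordlist):
        digest = hashlib.md5(guess.encode()).hexdigest()
        for user in by_hash.get(digest, ()):
            cracked[user] = guess
    return cracked


def hash_password(password, iterations=600_000):
    """What the site should store: PBKDF2-HMAC-SHA256 (standard library) with a
    fresh 16-byte random salt per user. The salt defeats precomputed tables and
    forces the attacker to work per account; the iteration count makes each
    guess cost hundreds of thousands of HMACs instead of one MD5."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unrecognised password hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for user, password in crack_unsalted(LEAKED_MD5, WORDLIST).items():
        print(f"cracked {user}: {password}")
    first, second = hash_password("optimus2"), hash_password("optimus2")
    print("same password, two different stored strings:", first != second)
    print("correct password verifies:", verify_password("optimus2", first))
    print("wrong password rejected:", verify_password("optimus3", first))
```

Running it cracks five of the six constructed accounts in well under a second with only seven base words; the one random password survives because no rule derives it from a word. Note that salting alone does not rescue a weak password: against the PBKDF2 store the same guesses still work, they just cost `iterations` times more and must be repeated per user, which is exactly the difference between an overnight job for 28,000 accounts and an impractical one.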
The most painful lesson the Stratfor hack is about to demonstrate is the importance of email security. The Anonymous member who appears to be taking the lead in this attack against Stratfor has already posted to reddit.com that they will be recruiting volunteers to analyze the 3.3 million emails they stole from Stratfor. These emails have the potential for embarrassment and real harm that could equal the infamous State Department leak.
One last point. A quick scan of the 28,517 leaked email addresses reveals the conspicuous absence of any addresses belonging to .gov and .mil. Were there none, or does Anonymous have plans for those?
My only prediction for 2012: it is going to be a very interesting year.
Dazzlepod has posted a search tool to determine if your own email address is in the leaked Stratfor database. You can also search by domain.
On December 29, Anonymous posted 859,311 email addresses, 68,063 credit card numbers, 50,618 addresses, and 50,569 phone numbers. Analysis posted here by IdentityFinder.
The latest list of leaked Stratfor emails does include .mil and .gov addresses.
Jan 3 update: Dazzlepod has added all 860,000 leaked accounts to their searchable database.
Steve Ragan at the Tech Herald has cracked and analyzed 10% of the passwords.