Let this be the day that you change your password practices. On December 24th, 2011, Anonymous, the group of hackers that includes anyone who chooses to adopt that label, announced that they had broken into the servers of the defense intelligence organization Stratfor. Despite Anonymous’ belief in a vast military-industrial-government conspiracy, Stratfor is merely a think tank that researches and reports on global hot spots and events.
It is very important for everyone reading this to re-learn security 101. Anonymous has posted complete credit card records of those who subscribe to Stratfor’s publications, and 28,517 email addresses and cracked passwords. Reading through those lists is very educational. Well known security experts, executives at major networking companies, industry analysts, and government contractors have all had their passwords published on the text-file sharing site pastebin.com.
A cursory glance reveals the corporate email addresses and simple passwords from:
Cisco: 5 employees – including a high ranking executive who used a date for his password.
Juniper: Only 1
Gartner: 4 industry analysts
IBM: 8 employees
Raytheon: 12 employees
The passwords revealed are an object lesson in password strength. Do you really think adding a number to the end of a word makes it a better password? optimus2, compaq23, Satellite1, kate29, magic78, chance10 were all easily cracked. Not to mention those that used: password, stratfor, chickens, bamboo, mentor, fishhead, trophy, chicago, or the lovely “kisses” or the beguiling “lovecakes”.
What about non-words like “1qaz2wsx”? (Type it and you will see the easy-to-remember pattern on your keyboard.) Those do not work either.
What about number substitution for vowels? Easy to crack, as the guy who used n0m3ncl8tur3 has discovered.
How about special characters? Slav85!, stratfor!, Cal!985, Godzilla!, Sith31!, redsox#1, 1q2W#E, all fail.
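The patterns called out above (word plus trailing digits, digit-for-vowel substitution, keyboard walks, short strings decorated with one symbol, dates) can all be rejected at registration time. This is an added example, not code from the article; the word list, keyboard sequences and 12-character minimum are constructed assumptions standing in for a real dictionary and a real policy.

```python
import re

# Constructed stand-in for a real wordlist; a deployment would load a large
# dictionary plus leaked-password lists (assumption, not the article's data).
COMMON_WORDS = {
    "optimus", "compaq", "satellite", "kate", "magic", "chance", "password",
    "stratfor", "chickens", "bamboo", "mentor", "fishhead", "trophy",
    "chicago", "kisses", "lovecakes", "nomenclature", "godzilla", "sith",
    "redsox", "slav",
}
# Keyboard rows and columns (US layout) used to spot walks like "1qaz2wsx".
KEYBOARD_SEQUENCES = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm",
]
# Digit/symbol substitutions for letters (n0m3ncl8tur3 -> nomenclature).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "a", "@": "a", "$": "s"})
MIN_LENGTH = 12  # policy choice for this example, not from the article


def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters follow a keyboard row/column."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        if any(window in seq or window in seq[::-1] for seq in KEYBOARD_SEQUENCES):
            return True
    return False


def looks_like_date(pw: str) -> bool:
    """Digit-only strings of 6 or 8 digits (DDMMYY, YYYYMMDD, ...) read as dates."""
    digits = re.sub(r"[^0-9]", "", pw)
    return digits == re.sub(r"[-/. ]", "", pw) and len(digits) in (6, 8)


def weak_password_reasons(pw: str) -> list:
    """Return the policy violations for pw; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if looks_like_date(pw):
        reasons.append("looks like a date")
    if has_keyboard_walk(pw):
        reasons.append("keyboard pattern")
    # Keep letters only, with and without undoing leet substitutions:
    # "optimus2" -> "optimus", "redsox#1" -> "redsox", "n0m3ncl8tur3" -> "nomenclature".
    plain = re.sub(r"[^a-z]", "", pw.lower())
    deleeted = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if plain in COMMON_WORDS or deleeted in COMMON_WORDS:
        reasons.append("dictionary word with decoration")
    return reasons
```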
1. It is no longer even remotely OK to use simple passwords. Even so-called “throw-away” accounts can lead to embarrassment for you or your organization. Do you really want your co-workers and the press to know that you used your birthday/pet’s name/football team as your password? (I experienced this when Gawker was hacked in a similar event in 2010. Look it up to see my stupid password.)
2. Change the password to your email account on Google, Yahoo, Hotmail, today. Make it really strong.
3. NEVER reuse a password. Sorry but it has come to this. Yes, you will have to write them down or store them in a digital safe on your computer or phone. Only a truly determined hacker (or your spouse/boyfriend/teenage kid) will attempt to hack that.
4. Turn on two-factor authentication with your email provider. Google and Yahoo provide a service that sends an SMS message to your phone when you log into your account from a new computer. Use it.
5. Only do online banking with banks that provide strong two-factor authentication.
Now for those that collect credit cards and account information on their Internet facing servers.
Lessons for web site owners re-learned from Stratfor:
1. Use a password for your databases. Apparently Stratfor had no password protection for their SQL database.
2. Do not use the default password hash algorithm that comes with your CMS or Unix library. There are vast dictionaries of hashed passwords online. Once a hacker has stolen your password list they can look up each hash in these dictionaries or run simple tools to brute-force it. Research and deploy salted hash algorithms. They make the job a lot more difficult for the hacker. Best practice: encrypt those passwords! And secure the keys.
3. Do a complete security review. Things have changed since you set up your Internet presence in 1995 or 2005.
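Point 2 above in working code, added here as an illustration rather than the article's or Stratfor's own code: an unsalted MD5 table is reversible by a plain dictionary lookup, while a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 here, as an assumed choice) defeat precomputed tables. The six-word list is a constructed stand-in for the online hash dictionaries the text describes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed mini "dictionary of hashed passwords" (assumption, not real data):
# the kind of precomputed table that makes unsalted hashes a lookup exercise.
WORDLIST = ["password", "stratfor", "chickens", "bamboo", "optimus2", "kisses"]
MD5_LOOKUP = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}

PBKDF2_ITERATIONS = 600_000  # example value; tune so one check costs ~100 ms


def legacy_hash(password: str) -> str:
    """The 'default' unsalted scheme: identical passwords give identical
    digests, so a stolen table can be reversed by lookup."""
    return hashlib.md5(password.encode()).hexdigest()


def reverse_by_lookup(digest: str) -> Optional[str]:
    """What a stolen unsalted list is worth: one dictionary lookup per hash."""
    return MD5_LOOKUP.get(digest)


def store_password(password: str) -> dict:
    """Salted, slow hash: fresh 16-byte random salt per user, then PBKDF2.
    Two users with the same password get different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS,
            "hash": digest.hex()}


def verify_password(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])
```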
The most painful lesson the Stratfor hack is about to demonstrate is the importance of email security. The Anonymous member who appears to be taking the lead in this attack against Stratfor has already posted to reddit.com that they will be recruiting volunteers to analyze the 3.3 million emails they stole from Stratfor. These emails have the potential for embarrassment and real harm that could equal the infamous State Department leak.
One last point. A quick scan of the 28,517 leaked email addresses reveals the conspicuous absence of any addresses belonging to .gov and .mil. Were there none, or does Anonymous have plans for those?
My only prediction for 2012: it is going to be a very interesting year.
Updates: More analysis of the leaked data provided by Mike Lennon at SecurityWeek, thanks to Identity Finder.
Dazzlepod has posted a search tool to determine if your own email address is in the leaked Stratfor database. You can also search by domain.
On December 29, Anonymous posted 859,311 email addresses, 68,063 credit card numbers, 50,618 addresses, and 50,569 phone numbers. Analysis posted here by IdentityFinder.
The latest list of leaked Stratfor emails does include .mil and .gov addresses.
Jan 3 update: Dazzlepod has added all 860,000 leaked accounts to their searchable database.
Steve Ragan at the Tech Herald has cracked and analyzed 10% of the passwords.