AntiSec’s latest hack shows law enforcement agencies need stronger password policies.
A Security Management review of the passwords revealed by AntiSec's hack of local law enforcement domains shows that insecure passwords were not hard to find. It takes only one weak link from a user with an easily cracked password to give a hacker the opportunity to gain access to a network and wreak havoc.
Seventy different law enforcement domains were hacked and 300 email accounts were listed. The majority of users had passwords with letter and number combinations, as recommended, but many passwords were just name and birth year combinations. Some passwords were first and last names, addresses, or simple words like “apple,” “hardcore,” “Ironman,” and “Master.”
Security experts say there’s really no excuse for not knowing how to make secure passwords.
“One of the things that LulzSec and Anonymous are doing is exposing the simplicity of security. We’ve been discussing password strength and saying to use different passwords for each account for literally decades now. People are doing things that, at this point, they should know better than to do,” Bit9’s Chief Technology Officer Harry Sverdlove told Security Management.
Sverdlove says the average user has 27 online accounts, but the average user doesn’t have 27 different passwords because he or she doesn't have a good system for keeping track of all of those passwords. “We all tend to choose the most obvious things, which make it that much easier for hacktivist organizations who don’t use very sophisticated techniques,” he said.
How's this for obvious: Two people at one sheriff’s office both used the word “police” as their password. Multiple people used the word “glock,” a common pistol used in law enforcement, and also in the top 5,280 most used passwords.
An online tool to check password security from Small Hadron Collider indicates that it would take a computer program less than one second to guess the password "police," so passwords like these are a hacker’s best friend.
“If it's a dictionary word, it could be hacked very quickly,” the site states. The two most common ways passwords are broken are dictionary-based attacks and attacks using a tool called a rainbow table.
A dictionary-based attack uses a text file with thousands of common words. “Even a very simple hacker could write a script that goes through this dictionary file,” Sverdlove said. The program keeps guessing the password from these words until it eventually figures it out. A rainbow table works like a digital Rosetta Stone: a precomputed lookup table used to crack encrypted passwords after they’ve been extracted from an existing database.
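As an added illustration (this is not code from the article or from Bit9), the Python below shows the defender's side of both attacks: a password-policy check that rejects the patterns the dump exposed (dictionary words with a trivial suffix or leet spelling, the user's own name, a trailing birth year) and salted scrypt storage, where a fresh per-user salt makes a precomputed rainbow table useless. COMMON_WORDS is a constructed stand-in for a real wordlist, and the 12-character minimum is an assumed policy value.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a real common-password list: the words the article
# reports seeing in the dump. A real deployment would load a large wordlist.
COMMON_WORDS = {"police", "glock", "apple", "hardcore", "ironman", "master"}

# Reverse the usual leet substitutions ("p0lic3" adds no real entropy over "police").
_LEET = str.maketrans("@$013", "asole")

def _candidates(pw: str) -> set:
    """Forms a wordlist guesser reaches trivially: lower-cased, suffix stripped, de-leeted."""
    low = pw.lower()
    strip = lambda s: re.sub(r"[^a-z]+$", "", s)   # drop a trailing "1985" or "!"
    leet = lambda s: s.translate(_LEET)
    return {low, strip(low), leet(low), strip(leet(low)), leet(strip(low))}

def check_password(pw: str, names=(), common_words=COMMON_WORDS) -> list:
    """Return the policy violations found; an empty list means the password passes."""
    problems = []
    if len(pw) < 12:                          # assumed minimum length for this policy
        problems.append("shorter than 12 characters")
    hit = next((c for c in _candidates(pw) if c in common_words), None)
    if hit:
        problems.append(f"dictionary word '{hit}' plus a trivial suffix or leet spelling")
    for name in names:                        # account holder's first/last name
        if name and name.lower() in pw.lower():
            problems.append(f"contains the user's name '{name}'")
    if re.search(r"(19[3-9]\d|20[0-2]\d)$", pw):
        problems.append("ends in a plausible birth year")
    return problems

def hash_password(pw: str, salt: bytes = b"") -> bytes:
    """Salted scrypt digest for storage (salt || digest). A fresh random salt per
    user means a table precomputed for unsalted hashes matches nothing."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt + digest

def verify_password(pw: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(pw, salt)[16:], digest)
```

Running `check_password("police1985")` reports the short length, the dictionary word and the trailing year, while two calls to `hash_password("police")` yield different stored values, which is exactly what a rainbow table cannot cope with.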
Several agencies listed by AntiSec appeared to use one password or a variation of the same password for multiple employees. Everyone at the Prairie County Sheriff’s Department in Des Arc, Arkansas, was shown as having the same password, according to the leaked list. When contacted, Sheriff Gary Burnett acknowledged that the email addresses listed in the dump were valid, but he questioned the validity of the passwords. He also doubted that the department had been hacked and said that he would have their computer tech look into it.
Three other agencies contacted by Security Management said they didn’t have an official password policy (and that it was up to the users to make sure they picked secure passwords). Others said they had users change their passwords regularly, but declined to go into detail about past and present policies because of the recent hack.
“There isn’t anything I could or couldn’t do to prevent it [the server being hacked], but we took this opportunity to review our own policies and procedures and security measures because the issue was brought to light. We will be making some changes,” Baxter County Sheriff John Montgomery told Security Management.
In another instance, LulzSec broke into one company after discovering the CEO’s personal email password was the same as his company email password.
“They’re [hacktivists] shining a very big light saying ‘Nobody is safe.’ If you’re dealing with anything that you remotely consider confidential, you need to be thinking about security,” Sverdlove said.
Check out 10 tips for making a hacker-resistant password from Privacy Rights Clearinghouse here.
photo by stevendepolo from flickr