Password Security and Hackers:
There is a new Internet group making news for itself called LulzSec. The self-proclaimed merry pranksters have taken hacking to a new level with high-profile targets (PBS, InfraGard) and lower ones such as websites aimed at “adult entertainment”. What makes these hackers different from other groups out there? They are in it for the “lulz”. They don’t care who they hit or what they do, as long as they find it funny.
Today they released a list of 25,000 email and password combinations from an adult website. Then, using the power of Twitter, they convinced Internet users worldwide to create havoc with the list. Many people are now logging into Hotmail, Gmail, and Facebook accounts with the usernames and passwords provided by LulzSec.
What does this mean to us as IT professionals? This is a good time to remind our clients and users of the importance of password policies. Not only password policies, but also “good password habits”. We too often focus on the basic IT mainline of password complexity, change your password every X days, don’t use your relatives’ names. What are we forgetting when we educate our users on passwords and password policies?
As demonstrated today, password security goes beyond just having a complex password and changing it at a predetermined time. Password security means not using the same password on your work computer as on your Facebook account. Use a different password for the different things you do in life. Internet banking, social networking, and your work accounts should all have passwords that are complex, and different from each other. Password reset questions should be chosen carefully, as demonstrated by how Sarah Palin’s Yahoo account was compromised. If it asks where you went to school, perhaps a nickname or a street address would be a better choice than the name of the school.
Password security is a complex subject. If the CEO of the company uses the same password on Gmail as his work password, and Gmail is compromised, his company’s network is now suspect. If the accountant uses their work email address for their Facebook account, and the work password is the same as the Facebook password, the whole world could potentially have the accountant’s OWA password. This is the new age of social engineering. As IT professionals, we need to help educate our clients that they need to protect their networks from attacks like this. Remind them of the acceptable use agreements and that work email accounts should not be used for social networking sites. Inform them of the potential consequences of having the same password for iTunes, Facebook, and the work account.
The responsibility for password security is also in our hands. These email addresses and passwords could be released because the database stored them in clear text. Review your line-of-business applications. Make sure that you understand the database model and how it stores users and passwords. Make sure it is SSL secured. Disable SSL 2.0 on your public-facing web servers. Verify that all security patches are applied to all applications, especially Internet-facing applications. Sony’s database was compromised by a very simple SQL injection script.
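As an added illustration of the two points above (this is example code written for this page, not Third Tier’s or any vendor’s code), here is a minimal user store that keeps passwords salted and hashed rather than in clear text, and uses parameterized queries so that the username field is always treated as data. The table layout, the 600,000 PBKDF2 iterations and the sample account are all assumptions for the demonstration.

```python
"""Password storage the way a leaked table should look: salted PBKDF2 digests,
never clear text, and parameterized SQL so user input cannot alter the query.
Standard library only; the account and password below are constructed samples."""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption; tune for your hardware)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt per user means two users
    who chose the same password still get different stored values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def create_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def add_user(conn: sqlite3.Connection, email: str, password: str) -> None:
    salt, digest = hash_password(password)
    # '?' placeholders: the driver binds the values; they are never spliced into SQL text.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, digest))


def verify(conn: sqlite3.Connection, email: str, password: str) -> bool:
    row = conn.execute("SELECT salt, digest FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(stored, candidate)


def row_has_no_cleartext(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """What a dumped row exposes: the password never appears in the stored bytes."""
    salt, digest = conn.execute("SELECT salt, digest FROM users WHERE email = ?", (email,)).fetchone()
    return password.encode() not in salt and password.encode() not in digest


if __name__ == "__main__":
    db = create_store()
    add_user(db, "ceo@example.com", "Constructed-Sample-Pass1!")  # constructed sample account
    print(verify(db, "ceo@example.com", "Constructed-Sample-Pass1!"))   # True
    print(verify(db, "ceo@example.com", "wrong"))                       # False
    print(row_has_no_cleartext(db, "ceo@example.com", "Constructed-Sample-Pass1!"))  # True
```

Run against a real application, the equivalent review is to confirm that the users table holds a per-user salt and a slow hash, and that every query touching it is parameterized.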
This breach was done “for the LULZ”. Password security is not a funny thing. This hacking group has shown that they don’t care about anyone, and no site seems to be immune to their brand of hacking. What site will they hit next? Could it be Gmail or Facebook? Or some smaller site like your local Chamber of Commerce? Did you use the same password when you registered at the local Chamber of Commerce site? If you did, do you know whether they store that user/pass combination in clear text? Is their site secure against cross-site scripting? Protect yourself, and your clients. Use strong, complex passwords that are different from each other. Don’t put yourself in a position where, if your Twitter account is compromised, your Domain Admin password is published on the Internet for all to see.
So who wrote this blog and what do they do for a living anyway?
We’re Third Tier. We provide advanced Third Tier support for IT Professionals like you.