Fallout from the Christmas Hack of Stratfor
Let this be the day that you change your password practices. On December 24th, 2011, Anonymous, the group of hackers that includes anyone who chooses to adopt that label, announced that they had broken into the servers of the defense intelligence organization Stratfor. Despite Anonymous’ belief in a vast military-industrial-government conspiracy, Stratfor is merely a think tank that researches and reports on global hot spots and events.
It is very important for everyone reading this to re-learn security 101. Anonymous has posted complete credit card records of those who subscribe to Stratfor’s publications, and 28,517 email addresses and cracked passwords. Reading through those lists is very educational. Well known security experts, executives at major networking companies, industry analysts, and government contractors have all had their passwords published on the text-file sharing site pastebin.com.
A cursory glance reveals the corporate email addresses and simple passwords from:
Cisco: 5 employees, including a high-ranking executive who used a date for his password.
Juniper: only 1 employee
Gartner: 4 industry analysts
IBM: 8 employees
Microsoft: 3 employees
Raytheon: 12 employees
SAIC: 15 employees
The passwords revealed are an object lesson in password strength. Do you really think adding a number to the end of a word makes it a better password? optimus2, compaq23, Satellite1, kate29, magic78, chance10 were all easily cracked. Not to mention those that used: password, stratfor, chickens, bamboo, mentor, fishhead, trophy, chicago, or the lovely “kisses” or the beguiling “lovecakes”.
What about non-words like “1qaz2wsx”? (Type it and you will see the easy-to-remember pattern on your keyboard.) Those do not work either.
What about number substitution for vowels? Easy to crack, as the guy who used n0m3ncl8tur3 has discovered.
How about special characters? Slav85!, stratfor!, Cal!985, Godzilla!, Sith31!, redsox#1, 1q2W#E all fail.
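The patterns called out above (a word with digits or punctuation bolted on, keyboard walks, digit-for-letter substitutions) are exactly the rules a cracking tool tries first. As an added illustration, not code from the original post, here is a small Python check a site could run when a user sets a password, rejecting those patterns before they reach the database; the word list and every sample input are constructed from the passwords quoted above, and a real deployment would use a large leaked-password list instead.

```python
import re

# Constructed stand-in for the word lists crackers actually use: the words
# quoted from the Stratfor dump plus the stems of the "word + digits" ones.
DICTIONARY = {
    "password", "stratfor", "chickens", "bamboo", "mentor", "fishhead",
    "trophy", "chicago", "kisses", "lovecakes", "optimus", "compaq",
    "satellite", "kate", "magic", "chance", "slav", "cal", "godzilla",
    "sith", "redsox", "nomenclature",
}
# Undo common digit-for-letter substitutions (crackers apply these as rules);
# 8 -> a is included because n0m3ncl8tur3 used it.
LEET = str.maketrans("013458@$", "oieasaas")
# Map shifted number-row symbols back to the key they sit on (1q2W#E -> 1q2w3e).
SHIFTED = str.maketrans("!@#$%^&*()", "1234567890")
# US keyboard rows; a key's (row, column) lets us test physical adjacency.
KEY_POS = {ch: (r, c) for r, row in enumerate(
    ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]) for c, ch in enumerate(row)}
EDGES = re.compile(r"^[\W\d_]+|[\W\d_]+$")  # digits/punctuation bolted on either end


def is_keyboard_walk(password, min_len=6, ratio=0.75):
    """True if most consecutive characters are physically adjacent keys."""
    keys = password.lower().translate(SHIFTED)
    if len(keys) < min_len:
        return False
    adjacent = 0
    for a, b in zip(keys, keys[1:]):
        if a in KEY_POS and b in KEY_POS:
            (ra, ca), (rb, cb) = KEY_POS[a], KEY_POS[b]
            adjacent += max(abs(ra - rb), abs(ca - cb)) <= 1
    return adjacent / (len(keys) - 1) >= ratio


def weakness(password):
    """Return why a password would fall to the rules above, or None."""
    lowered = password.lower()
    core = EDGES.sub("", lowered)
    if core in DICTIONARY:
        return "dictionary word" if core == lowered else "dictionary word with digits/punctuation bolted on"
    if EDGES.sub("", lowered.translate(LEET)) in DICTIONARY or core.translate(LEET) in DICTIONARY:
        return "dictionary word with digit-for-letter substitutions"
    if is_keyboard_walk(password):
        return "keyboard walk"
    if len(password) < 12:
        return "too short"
    return None
```

The length floor of 12 is an assumed policy value; the point is that a password only counts as strong once none of the cheap rules above explain it.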
Lessons re-learned:
1. It is no longer even remotely OK to use simple passwords. Even so-called “throw-away” accounts can lead to embarrassment for you or your organization. Do you really want your co-workers and the press to know that you used your birthday/pet’s name/football team as your password? (I experienced this when Gawker was hacked in a similar event in 2010. Look it up to see my stupid password.)
2. Change the password to your email account on Google, Yahoo, or Hotmail today. Make it really strong.
3. NEVER reuse a password. Sorry but it has come to this. Yes, you will have to write them down or store them in a digital safe on your computer or phone. Only a truly determined hacker (or your spouse/boyfriend/teenage kid) will attempt to hack that.
4. Turn on two-factor authentication with your email provider. Google and Yahoo offer a service that sends an SMS message to your phone when you log into your account from a new computer. Use it.
5. Only do online banking with banks that provide strong two-factor authentication.
Now for those that collect credit cards and account information on their Internet-facing servers.
Lessons for web site owners re-learned from Stratfor:
1. Use a password for your databases. Apparently Stratfor had no password protection for their SQL database.