Hall of Shame

Big or small, mighty or meek. Here is our list of notable hacking incidents. Please remember that this is only the tip of the iceberg, as many hacks remain unannounced, and in any case the Open Security Foundation has much more data on global intrusions. If you have any further information, or news, please let us know.

efinancialcareers.com – February 18, 2011

What happened? According to an email to subscribed users, efinancialcareers.com “detected illegal access of the eFinancialCareers database which compromised our users’ information. We believe that our registered users’ names, email addresses, registered countries and encrypted passwords have been accessed.” There is precious little other information.

Who said what? Finextra reported the story, as did Nick Kalikajaros. But overall, there was very little information and coverage.

PasswordGear’s View: It is a reasonable assumption that either social engineering or, more probably, an unpatched server was the cause of the vulnerability. Either way, efinancialcareers.com had inadequate security. The passwords were encrypted, which is something, but it is unclear how well encrypted they were. The really shocking thing is the fact that so many finance professionals will have had resumes or CVs stored there, some of which will have contained personal information.

  • Don’t trust highly personal information to online databases.
  • If you must use sites like efinancialcareers.com, then consider how much information you need to give up front, and how much can be reserved for direct contact with bona fide employers.

HBGary – February 7, 2011

What happened? HBGary is a cyber security specialist, with the motto “Defeating Tomorrow’s Malware Today”. HBGary Federal CEO Aaron Barr claimed to have identified some leaders of the Anonymous hacker collective, and intended a public unmasking. Attack being the best form of defence, Anonymous ripped HBGary’s internal and external systems to shreds. They started with a SQL injection of an unpatched server at hbgaryfederal.com, and then worked on the user database. Because the passwords were hashed with a rudimentary implementation of MD5, rainbow tables were very effective. As is often the case, senior people had weak passwords which were discovered quickly. And these senior people also reused their passwords for key functions such as email, Twitter and LinkedIn. Very quickly, HBGary’s internal systems were accessed and purged. Email contents provided enough background information for social engineering via a hacked email account, and further vandalism of rootkit.com, another related website.

Who said what? Ars Technica has some of the most exhaustive and well researched material. ComputerWorld talks about how it relates to openness. Sophos summarises it quite well.

PasswordGear’s View: HBGary’s slogan should be changed to “Defeating Yesterday’s Malware Tomorrow”. But seriously, there are a load of take-home lessons here.

  • Senior executives often represent the biggest risks: System Admins rarely dare to tell them what to do or question them, they typically have amongst the highest permissions, and their personalities and behaviour are often geared more towards image, sales and clients than the minutiae of internal admin.
  • We’ve known web designers who are too busy to update their own web sites. Sometimes it is easier to advise others on best practice than do it oneself. But when it comes to online security, there should be no compromises.
  • If you haven’t read The Art of War, then read it. If you have read it, do it again. The book is notable as much for how cyber-warfare differs from traditional war as it is for the similarities.
  • Patch servers and workstations immediately. And make a contingency plan for zero-days.
  • Use passwords that are AT LEAST 8 character mixes of upper/lower/numbers.
  • Use different passwords for different systems, or types of system.
  • Use public key or multi-factor authentication if possible, and especially for critical systems.
  • Never communicate passwords by email.
  • Don’t always assume that an email is really from the person it looks like it came from.
  • If you stick your head above a parapet, you had better be wearing more than a tin hat.
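The HBGary entry turns on two things: passwords stored as plain, unsalted MD5 (so one precomputed table cracks every user at once), and weak or reused passwords at the top of the company. The following Python is an added illustration for this page, not code from HBGary or from any of the sources cited; the usernames and passwords in it are constructed. It contrasts the deterministic, unsalted scheme with a per-user salted PBKDF2 store, and implements the “at least 8 characters mixing upper, lower and numbers” rule from the list above as a check.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts. Two senior users picked the same password,
# and one of them also meets the letter of the 8-character policy while
# still being an obvious dictionary-plus-year choice.
USERS = {
    "ceo": "Summer2011",
    "coo": "Summer2011",
    "sysadmin": "k9$Tr0ut-river",
}

PBKDF2_ITERATIONS = 200_000  # assumption: a deliberately slow work factor


def md5_unsalted(password: str) -> str:
    """The weak scheme: a single deterministic MD5 digest, no salt.
    Identical passwords give identical digests, so a table built once
    (a rainbow table) can be reused against every user of every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """Salted, slow hashing: a fresh random salt per user plus PBKDF2-HMAC-SHA256.
    Precomputation no longer pays off, because each salt needs its own table."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(),
            "iterations": PBKDF2_ITERATIONS,
            "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def meets_policy(password: str) -> bool:
    """The rule from the list above: at least 8 characters, and a mix of
    upper case, lower case and digits. Note it is a floor, not a guarantee:
    'Summer2011' passes and is still a weak choice."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def duplicate_hashes(store: dict) -> set:
    """Hash values that appear under more than one user. In an unsalted
    store this leaks which users share a password before anything is cracked."""
    seen, dupes = set(), set()
    for value in store.values():
        if value in seen:
            dupes.add(value)
        seen.add(value)
    return dupes


def build_stores(users: dict = USERS) -> tuple:
    """Build the weak (unsalted MD5) and the salted PBKDF2 store side by side."""
    weak = {user: md5_unsalted(pw) for user, pw in users.items()}
    strong = {user: make_record(pw) for user, pw in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores()
    print("unsalted MD5 duplicates :", duplicate_hashes(weak))
    print("salted PBKDF2 duplicates:",
          duplicate_hashes({u: r["hash"] for u, r in strong.items()}))
    for user, pw in USERS.items():
        print(f"{user:9} policy ok={meets_policy(pw)} "
              f"verify ok={verify(strong[user], pw)}")
```

Running it shows the ceo and coo rows sharing one MD5 digest in the weak store and no duplicates in the salted one, even though the underlying passwords are the same. That is the whole difference between a database where one table cracks every senior account at once and one where each account has to be attacked separately and slowly.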

Gawker Media – December 12, 2010

What happened? With titles like Lifehacker, Gawker Media is surely a mighty player, and one which was brought low by this intrusion. According to Mediaite, Gawker was targeted by a mysterious group calling itself “Gnosis”. Apparently, Gnosis was piqued and challenged by comments by Gawker executives suggesting they were infallible. Around 1.5 million usernames and passwords were taken and released onto ThePirateBay, along with plenty of internal code and documents.

Who said what? Gawker’s own comments are here. And here’s another pretty useful article from VillageVoice. Check if you were on the list. PCWorld’s view. CMS Wire’s view.

PasswordGear’s view: We don’t know how the intrusion happened, which may mean that it was a proprietary zero-day exploit that has still not been patched. Determined and clever hackers can usually find their way into anything, although increasingly, a large proportion of hacking is by social engineering.

The revealed password database threw up some shockingly weak passwords and repetition across systems, as well as some questionable attitudes to customers and security within Gawker. No doubt Gawker have already implemented stronger password policies and server security, and we have all been reminded that you have to assume the butt of any chat or email will see the item in question. Users need to be using stronger passwords.

RockYou.com – December 14, 2009

What happened? RockYou.com suffered a SQL injection breach, and it turned out that their password file was stored in plain text, unencrypted. 32 million user accounts with passwords were released onto the open internet, demonstrating mind-bogglingly insecure password practices amongst RockYou.com users. For example, 290,731 users had “123456” as their password.

Who said what? Most commentators concentrated on the password usage. Tom’s Hardware made a list of the top 20 passwords. RegHardware comments on the ability to analyse the new data. Imperva released their analysis, having warned RockYou about the exploit just before it happened. SC Magazine covered it too. TechCrunch had some more information about how the hack happened.

PasswordGear’s view: RockYou’s security was pretty shoddy, with cleartext passwords and naive password strength requirements – and limitations.

The release of the information was a wake-up call for many people, and today serves as positive proof that most people need to improve their attitude to passwords.