It’s unfortunate when anyone is the victim of a hack or data compromise, but put the moniker ‘hacker’ or ‘security expert’ in your name and you’re sure to identify yourself as a target. Italy’s Hacking Team was such a target. One of the first security “laws” that you learn from security courses is that strong passwords are your first line of defense against attacks. The second law is that passwords aren’t secure. Strong passwords are passwords that aren’t dictionary words nor are they significant dates or numbers that someone could find out by knowing a few details about you and your life. The Hacking Team incident proves that everyone is a potential target. The lesson is, “Don’t make it easy for them.”
Hackers recovered approximately 400 GB of Hacking Team data and exposed it. Team member passwords were part of that recovered and exposed data. Specifically, Christian Pozzi, one of the company’s security engineers had his passwords exposed as part of the hack. Some of his obviously poor choices are:
“It’s almost depressing that security personnel at a hacking specialist firm cannot be bothered to secure access to their systems properly. It’s too easy to be hacked if you are only using a password to authenticate access, even if you are an educated, aware employee in a highly sensitive industry. Everyone can become a target of hackers and you cannot effectively protect yourself with passwords alone. Malicious actors are doing everything in their power to circumvent security, so organizations big and small have to use multi-factor authentication to secure access to business apps and cloud services.” Claus Kotasek, CEO, SMS PASSCODE
Anyone who’s taken an online security class required by his or her job knows that passwords that include the word ‘password’ are bad. A simple dictionary-based attack could reveal those. And it’s common practice to substitute long-standing replacements for some letters with numbers and alternate characters such as:
@ for a
3 for e
! for i
0 for o
$ for s
Security professionals know that such simple passwords are easy prey for even the newest hacker on the Net. They’re the low-hanging fruit that you think of when you’re building a honeypot system as bait for a hacker. They’re not the kind of passwords that you want to use for real security.
Any good security professional will tell you that strong passwords consist of a long word or phrase that’s at least eight characters long, easy to remember, and difficult to guess. Very strong passwords also use or include alternate spellings, mixed upper and lower case letters, numbers, and alternate characters. And for websites that don’t allow alternate characters such as, !@#$%, and use a password of maximum length for the site and never reuse a password. You should also change your social networking passwords regularly and enable two-factor authentication on sites that offer it. For example, Paypal offers a two-factor authentication that includes a password and an SMS message to your phone before you can login.
Remember that strong passwords deter hackers looking for low-hanging fruit. Cracking passwords with a dictionary-based attack is one of the easiest and quickest methods of security compromise. The return on investment of reward vs. time and effort is very high. The Hacking Team members have learned a valuable lesson from this experience: Use stronger passwords.