Last night the Anonymous collective breached the security of one of the websites run by the Department of Foreign Affairs. In a statement to the Journal.ie a spokesperson for the department confirmed the breach. Anonymous announced the breach at about 21:30 last night (1st February 2012) via Twitter using an account that has been associated with the attacks last week against other Irish government sites;
The website is the Irish Aid website, which is used to support countries in the developing world. Anonymous appear to have obtained a list of usernames and associated passwords belonging to staff with email addresses in the Department of Foreign Affairs. A list of up to twenty such accounts was subsequently posted onto the pastebin website.
This is the current state of the Irish Aid website;
A quick look at those passwords shows that despite repeated warnings users still use insecure passwords. Three of the accounts had “password” as their password, with one other being more advanced at having “password1”. So clearly some user education needs to be done for those users, or better alternatives to authorise users are needed.
But before we start pointing fingers at the Department of Foreign Affairs and the weak passwords of those users, we should not forget that they are the victim of this attack. There are no winners in this particular situation, but I urge people to view it with a clear head and realise that no matter what vulnerabilities were used to breach the website, the Department and the affected users are victims of a crime. Even if the vulnerabilities used to breach the website turn out to be known issues that should have been addressed, they are still victims, no less than the home owner leaving a window open only for a burglar to climb through.
I would also ask those acting on behalf of Anonymous what benefit to their cause, which many are pursuing through more legitimate means, does forcing a website offline that helps those in developing countries bring? What benefit to their cause does exposing individuals’ passwords do apart from causing them some embarrassment and placing their accounts with other systems at risk?
Victimising individuals to promote your own cause in the end only serves to undermine you and your cause. As Friedrich Nietzsche postulated;
“Battle not with monsters, lest ye become a monster, and if you gaze into the abyss, the abyss gazes also into you.”
One of my favourite security tools, L0phtCrack, is back and available for download. L0phtCrack is an excellent password auditing tool which allows you to determine whether or not there are weak passwords on your network. L0phtCrack first came out in 1997 and it is a sad reflection on the information security industry, that twelve years later we still depend on passwords to protect our key information assets.
I remember giving a presentation on information security in 1998. As delegates entered the room we had them enter a secure password into a Windows laptop. While I gave my presentation I had L0phtCrack audit the passwords on the laptop. At the end of the presentation, which lasted about 40 minutes, I then displayed the results from the audit. The shock and amazement on the delegates’ faces when they saw their “secure” passwords displayed on a screen within such a short period of time was telling. I am willing to bet that if I ran that same test today there would still be a large number of people who would enter passwords into the test machine that would be quickly cracked.
I recommend strongly that you download L0phtCrack and have a look at how strong your own users’ accounts are. But be warned: make sure you get the permission of your senior management before doing so.
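The weak passwords exposed in the Irish Aid breach and the kind of audit L0phtCrack performs both come down to the same check: does a stored password hash match a known-weak password or a trivial variation of it? The following is an added example (not code from the original post or from L0phtCrack) showing that check against a small, constructed user directory. It assumes the auditor holds the salted hashes of their own users, and uses salted SHA-256 only so the example runs offline; the sample accounts and the blocklist are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed blocklist of passwords known to be weak. A real audit would load a
# far larger list, for example a published corpus of breached passwords.
WEAK_BASE_WORDS = ["password", "letmein", "welcome", "qwerty", "123456"]


def candidate_passwords(base_words):
    """Yield each base word plus the variations users typically reach for:
    capitalisation, a trailing digit or two, and a trailing '!'.
    This is how 'password1' and 'Welcome2' are caught."""
    for word in base_words:
        for cased in dict.fromkeys([word, word.capitalize(), word.upper()]):
            yield cased
            yield cased + "!"
            for n in range(100):
                yield f"{cased}{n}"
                yield f"{cased}{n}!"


def hash_password(password, salt):
    """Salted SHA-256, used here only to keep the example self-contained.
    A production system should use a deliberately slow hash
    (bcrypt, scrypt or Argon2) so that auditing and attacking are both costly."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_account(username, password):
    """Constructed helper: build a (username, salt, hash) record as a user
    directory might store it."""
    salt = secrets.token_bytes(16)
    return (username, salt, hash_password(password, salt))


# Constructed sample directory; two of the four mirror the breach's 'password'
# and 'password1' findings.
SAMPLE_ACCOUNTS = [
    make_account("alice", "password"),
    make_account("bob", "password1"),
    make_account("carol", "Welcome2"),
    make_account("dave", "correct horse battery staple"),
]


def audit_accounts(accounts, base_words=WEAK_BASE_WORDS):
    """Return {username: matched_password} for every account whose stored hash
    equals the hash of a blocklisted password or a simple variation of it."""
    findings = {}
    for username, salt, stored_hash in accounts:
        for candidate in candidate_passwords(base_words):
            # Constant-time comparison is good hygiene even in an offline tool.
            if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
                findings[username] = candidate
                break
    return findings


if __name__ == "__main__":
    for user, weak in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: weak password ({weak!r})")
```

The same `candidate_passwords` blocklist can be run at password-change time to reject a weak choice before it is ever stored, which removes the need to find it in an audit later.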
More details are available as to how the breach occurred at Heartland, resulting in potentially the biggest breach ever of nearly 100m credit card transactions. Investigators discovered that a piece of malware was hidden in an unallocated portion of disk on one of the Heartland servers.
What puzzles me though is;
- How did a user have the rights to install the malware on the system? Was it an administrator that was duped into loading the malware?
- Why did the monitoring of the logs on the servers not detect any strange behaviour?
- Where was the pilfered data being sent to? If external to Heartland’s network, surely egress filtering or monitoring of outgoing traffic would have flagged the suspicious behaviour?
The CEO of Heartland has also said that if other payment processors who had previously suffered breaches had shared their experiences then maybe Heartland would have been better prepared to prevent this type of attack. It will be interesting to see if he lives up to his own statement and publishes details of this attack so others can learn from it.
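The egress-monitoring question above is worth making concrete. The following is an added example, not part of the original post and not based on anything known about Heartland’s actual environment, of the kind of rule a defender would run over outbound connection records from a server that should only ever talk to a known external gateway. The log format, the internal address range, the approved gateway address and the traffic are all constructed.

```python
import ipaddress
from datetime import datetime

# Constructed environment: the internal range, the one external destination a
# payment server is approved to talk to, and a bytes-per-flow threshold.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_EXTERNAL = {ipaddress.ip_address("198.51.100.10")}
BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB in a single outbound flow

# Constructed outbound flow records in a simple key=value format.
SAMPLE_LOG = """\
2009-01-20T02:14:07 src=10.1.4.22 dst=10.1.9.5 dport=1433 bytes=5120
2009-01-20T02:15:11 src=10.1.4.22 dst=198.51.100.10 dport=443 bytes=20480
2009-01-20T02:16:40 src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=734003200
2009-01-20T09:01:03 src=10.1.7.8 dst=10.1.9.5 dport=1433 bytes=2048
2009-01-20T22:47:55 src=10.1.4.22 dst=192.0.2.77 dport=8080 bytes=4096
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' record into typed fields."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    return {
        "time": datetime.fromisoformat(ts),
        "src": ipaddress.ip_address(rec["src"]),
        "dst": ipaddress.ip_address(rec["dst"]),
        "dport": int(rec["dport"]),
        "bytes": int(rec["bytes"]),
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def flag_egress(log_text, approved=APPROVED_EXTERNAL, threshold=BYTES_THRESHOLD):
    """Return (src, dst, reasons) for each outbound flow to an unapproved
    external destination, noting volume and time-of-day as extra reasons."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Internal-to-internal traffic and flows to the approved gateway are
        # expected; everything else leaving the network needs a reason.
        if is_internal(rec["dst"]) or rec["dst"] in approved:
            continue
        reasons = ["destination not on the egress allow-list"]
        if rec["bytes"] >= threshold:
            reasons.append(f"{rec['bytes']} bytes out in one flow")
        if rec["time"].hour < 6 or rec["time"].hour >= 20:
            reasons.append("outside business hours")
        alerts.append((str(rec["src"]), str(rec["dst"]), reasons))
    return alerts


if __name__ == "__main__":
    for src, dst, reasons in flag_egress(SAMPLE_LOG):
        print(f"{src} -> {dst}: " + "; ".join(reasons))
```

On the constructed log this flags the 700 MB flow at 02:16 to an unknown address on all three counts and the small off-hours flow to a second unknown address on two; the approved gateway traffic and internal database traffic pass silently, which is what makes the rule usable day to day.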
Do take the time to read the article as it is a fascinating read into how the breach occurred.
Thanks to Gary Warner, more details of how criminals hacked into the TJX network have come to light. It makes very interesting reading.
I was interviewed this morning on the Loose Talk show on LMFM Radio to discuss the recent charges against eleven individuals for hacking into TJX’s networks and stealing over 40 million credit card details. The focus of the chat was on wireless networking and why it is so important to ensure it is set up securely.
A lesson learnt by this poor gentleman in India who first knew his wireless network was insecure when police raided his house and arrested him on suspicion of being a terrorist involved in the recent Mumbai bombings. Apparently the terrorists had used his open wireless network from which to send an email claiming responsibility for the attack.
The biggest mistakes we see when analysing companies’ wireless networks;
- Having wireless enabled by default without knowing it.
- Not having security enabled on the Wireless Access Point, enabling anyone to connect to the network.
- Implementing weak encryption settings such as WEP to secure the wireless network.
- Not segmenting the wireless network from the core network using a firewall.
- Not employing VPN technology to secure access over the Wireless network.
- Not monitoring network traffic to spot suspicious activity.
- Not monitoring the network to detect unauthorised Wireless Access Points.
- No security set up on the wireless clients to ensure they only connect to authorised networks.
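Three of the mistakes listed above (open access points, WEP, and unauthorised access points) can be caught by comparing a periodic wireless survey against an inventory of the access points you actually own. The following is an added example, not code from the original post, that does that over a constructed survey. The CSV layout, the BSSIDs, the SSIDs and the inventory are all constructed; it assumes your survey tool can export the BSSID, SSID and encryption type of every access point it hears.

```python
import csv
import io

# Constructed inventory: the BSSIDs (radio MAC addresses) of the access
# points the company deployed, and the SSID they are meant to advertise.
AUTHORISED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
CORPORATE_SSIDS = {"CORP-WLAN"}

# Encryption modes that should never be accepted on a company network.
WEAK_ENCRYPTION = {"OPEN", "WEP"}

# Constructed survey export, as a wireless scanner might produce it.
SAMPLE_SURVEY = """\
bssid,ssid,encryption,channel
00:11:22:33:44:55,CORP-WLAN,WPA2,6
00:11:22:33:44:66,CORP-WLAN,WPA2,11
66:77:88:99:aa:bb,CORP-WLAN,WEP,1
de:ad:be:ef:00:01,linksys,OPEN,6
aa:bb:cc:dd:ee:ff,CoffeeShop,WPA2,1
"""


def parse_survey(csv_text):
    """Read the survey export into dicts with normalised BSSID and encryption."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "bssid": row["bssid"].strip().lower(),
            "ssid": row["ssid"].strip(),
            "encryption": row["encryption"].strip().upper(),
            "channel": int(row["channel"]),
        })
    return rows


def check_access_points(csv_text, authorised=AUTHORISED_BSSIDS,
                        corporate_ssids=CORPORATE_SSIDS):
    """Return {bssid: [findings]} for every access point that is unauthorised,
    weakly encrypted, or impersonating the corporate SSID."""
    findings = {}
    for ap in parse_survey(csv_text):
        problems = []
        known = ap["bssid"] in authorised
        if not known and ap["ssid"] in corporate_ssids:
            # Someone else's radio is advertising our network name.
            problems.append("unauthorised AP advertising corporate SSID")
        elif not known:
            # Could be a neighbour, could be a rogue plugged into our switch;
            # either way it needs a human to locate it.
            problems.append("AP not in inventory")
        if ap["encryption"] in WEAK_ENCRYPTION:
            problems.append(f"weak encryption ({ap['encryption']})")
        if problems:
            findings[ap["bssid"]] = problems
    return findings


if __name__ == "__main__":
    for bssid, problems in check_access_points(SAMPLE_SURVEY).items():
        print(f"{bssid}: " + "; ".join(problems))
```

The neighbouring coffee shop still shows up as "not in inventory"; rather than suppress that, keep a separate list of known neighbours so that a genuinely new radio on your premises is never silently ignored.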
Wireless technology is very useful and beneficial but you should ensure that you deploy it correctly and securely.