Last night the Anonymous collective breached the security of one of the websites run by the Department of Foreign Affairs.  In a statement to the Journal.ie a spokesperson the department confirmed the breach.  Anonymous announced the breach at about 21:30 last night (1st February 2012) via Twitter using an account that has been associated with the attacks last week against other Irish government sites;

The website is the Irish Aid website which is used to support countries in the developing world.  Anonymous appear to have obtained a list of usernames and associated passwords belonging to staff with email addresses in the Department of Foreign Affairs.  A list of up to twenty such accounts were subsequently posted onto the pastebin website.

This is the current state of the Irish Aid website;

A quick look at those passwords shows that despite repeated warnings users still use insecure passwords.  Three of the accounts had “password” as their password with one other being more advanced at having “password1”. So clearly some user education needs to be done for those users or better alternatives to authorise users are needed.

But before we start pointing fingers at the Department of Foerign Affairs and the weak passwords of those users, we should not forget that they are the victim of this attack.  There are no winners in this particular situation but I urge people to view it with a clear head and realise that no matter what vulnerabilities were used to breach the website, the Department and the affected users are victims of a crime.  Even if the vulnerabilities used to breach the website turn out to be known issues that should have been addressed, they are still victims no less than the home owner leaving a window open only for a burglar to climb through.

I would also ask those acting on behalf of Anonymous what benefit to their cause, which many are pursuing through more legitimate means, does forcing a website offline that helps those in developing countries bring?  What benefit to their cause does exposing individual’s passwords do apart from causing them some embarassment and placing their accounts with other systems at risk?

Victimising individuals to promote your own cause in the end only serves to undermine you and your cause. As Friedrich Nietzsche postulated;

“Battle not with monsters, lest ye become a monster, and if you gaze into the abyss, the abyss gazes also into you.”