In case you needed a reminder of the constant presence of threats on the Internet, here are some interesting recent hacks and breaches:
According to the message sent to affected users (including myself):
between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network… we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.
Ok, just gamer stuff, no big deal? Actually, because of inevitable password reuse and the sheer volume of user data, it is a big deal. Also, they go on to say maybe your credit card data was exposed too. Ouch.
More recently, they revealed that some subscription-based gamers’ accounts, credit card and direct-debit bank info definitely was compromised. In response they took PSN offline again. That is a pretty serious move. Imagine being Sony. People who already bought PS3 games can no longer play them online, new downloadable games and content aren’t being sold, and the stable revenue base of your subscriber-gamers is wondering why they are paying you. Fair to say, the entire PS3 enterprise is in jeopardy.
Sony Online Entertainment, their PC game division was also hit, so now when I say “sheer volume,” I mean 102 Million.
In December, around 1.5 million accounts from the many sites in the Gawker family were compromised and posted to Pirate Bay, including ultimately crackable password hashes. The analysis from Duo Security is valuable, even showing the commands they used to examine the data. But you won’t need those to read their list of 250 most commonly used passwords. Here’s the Top 11 (with counts):
2516 123456 2188 password 1205 12345678 696 qwerty 498 abc123 459 12345 441 monkey 413 111111 385 consumer 376 letmein 351 1234
This is a telling snapshot of how users really behave, but it’s not just “the public” that lack security-consciousness. I have been issued and discovered accounts on .gov servers with some of these same very poorly chosen passwords. (I am surprised that so many people use “consumer” though.) I won’t reprint them here, but for extra irony compare #22 and #23 on Duo’s list.
So what does this let a hacker do? Other than post acai berry spam on gizmodo boards, it lets them get started on users’ other accounts. The emails are in there. Do you think the same users that pick “password” are going to be fastidious against password reuse with their other accounts? Then once you have access to email, you know pretty much everything about them. For example, you can find billing statements from their bank, and try out credentials at that bank’s site. Or just build a catalog of additional credentials and sell those to another more malicious group of hackers. And if you really want to, you could reset passwords on many other accounts in the middle of the night, receive the reset emails, and briefly use them as your own. Besides ATM use, this is why your bank assigns you an additional bank PIN.
That’s right, the same people who build the most widely used webserver on the internet also had their own infrastructure attacked last year. The victim was their JIRA, Bugzilla and Confluence host. Apache’s account is useful because they detail exactly how the attack took place, involving insecure application setup, cross-site scripting, users trusting a plausible but unprompted password reset email, password reuse and svn credentials caching. The attack is incremental; each step sets up the next, but ultimately the attacker obtains system root.
Perhaps more useful, the account also says what worked and what they changed: lessen JIRA runtime privileges, require one-time-passwords for sudo, use Fail2Ban, disable SVN password caching. It is somewhat numbing to realize that even the web’s own experts get owned, but before you go thinking that maybe it’s because of their distributed nature or volunteer composition and that a single commercial corporation would have more control…
RSA is amongst the top, if not *the* top commercial encryption/security firm, having major institutions around the globe as clients. They have pushed multi-factor authentication including the SecureID fob/generator for a very long time, but the idea seems to have newfound popularity recently. (Care to guess why?) Therefore it was particularly distressing to see RSA’s system itself was breached and SecureID generation itself can legitimately be considered compromised.
It’s a good time to change passwords, especially if you are a PSN or Gawker account holder, but the widespread, repeated incidents should suggest that the problem is also an architectural one. When your account is accessible with static data, and data “spillage” and retransmission are endemic, maybe it’s time to add another level of security. In my next post, I’ll show one simple thing you can do protect yourself: free two-factor authentication for Gmail.