
US Hacking Investigations & UK Password Leaks

Malicious actors do not need to be skilled in hacking techniques anymore. They can simply analyse unknowingly leaked information from the victim's Twitter account. Not optimal.

First Published 7th September 2016


If you really must tweet a pic of your office whiteboard, please make sure your server credentials aren't written on it.

Reflare Research Team

In this week's briefing, we will cover two separate topics: The continuing fallout from government-related cyber attacks against the US and an inadvertent leak of access credentials by a UK politician.

The leak of DNC emails continues to escalate and will likely remain in the news until the US general election in November. Both political parties have chosen to use the cyber attacks and leaks for their own purposes, with the Republicans casting the Democrats as careless and thus a threat to national security, and the Democrats casting the Republicans as stooges of Russian interests.

As we already covered last week, US authorities are formally investigating the attacks and expected links to Russian hackers. Several press releases were made this week, but none claimed hard proof. Several even explicitly point out that no hard proof has been uncovered.

This is to be expected. The anonymous nature of cyber-attacks means that finding solid proof will be virtually impossible even for skilled forensics experts as long as the attackers are careful and skilled.

We expect the rhetoric to continue to escalate but very few additional facts to emerge unless new attacks or leaks occur.

A completely different, much less sophisticated and much more common incident has occurred in the UK. Labour party politician Owen Smith's campaign recently tweeted a picture of a policy meeting. This behaviour has become a somewhat normal strategy for connecting with younger voters.

Unfortunately, the picture contained a whiteboard on which the address, username and password for a server used by the campaign were written.

Twitter users were quick to spot and point out the credentials, which have since been replaced.

It is unclear at this point whether any damage has been done to the system.

This incident illustrates several points that are vital for any organization to understand:

1) The fast-paced nature of social media means that content is less thoroughly vetted than it would be in traditional PR channels. While this can help to establish an authentic image, it also means that the leakage of sensitive information can occur more easily.

2) The fact that credentials to what is ultimately a government-related system were shared between staff is worrying but not unusual. Shared credentials mean that incidents such as sabotage cannot be clearly traced to a specific person. They also mean that revoking access when a member of the team leaves is cumbersome. Organizations are advised to issue individual user accounts for all team members who require access to a system.

3) The password used was "Survation". A regular word appearing in a dictionary is not suitable for use as a password. While it is uncertain if this particular leak caused any damage, even without it the system would certainly have been compromised by a brute-force attack. Strong passwords should be a chain of at least 8 completely random letters and symbols or alternatively a sentence containing more than 8 random words.
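The password guidance in point 3 can be turned into a generator and a basic audit; the following is an added example, not part of the original briefing. All function names are hypothetical and the wordlist is a small constructed sample standing in for a real dictionary.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
PADDING = string.digits + string.punctuation
# Constructed sample; a real audit would load a full dictionary and a
# breached-password list.
SAMPLE_WORDLIST = frozenset({"password", "survation", "labour", "campaign",
                             "whiteboard", "election", "server", "policy",
                             "meeting", "twitter"})


def random_password(length=16):
    """Random letters, digits and symbols drawn from the OS CSPRNG."""
    if length < 8:
        raise ValueError("minimum length is 8 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(words, count=9):
    """More than 8 words, each picked independently at random."""
    if count <= 8:
        raise ValueError("use more than 8 words")
    pool = sorted(words)
    return " ".join(secrets.choice(pool) for _ in range(count))


def audit(candidate, wordlist=SAMPLE_WORDLIST):
    """Return the reasons a candidate fails the guidance (empty list = none found).
    This cannot prove randomness; it only catches the obvious failures."""
    words = candidate.split()
    if len(words) > 1:
        return [] if len(words) > 8 else ["passphrase has 8 or fewer words"]
    findings = []
    if len(candidate) < 8:
        findings.append("shorter than 8 characters")
    # Undo the usual disguises: capitalisation and digits/symbols added at the ends.
    if candidate.lower().strip(PADDING) in wordlist:
        findings.append("dictionary word")
    return findings


def strength_bits(choices, picks):
    """Guessing space in bits for `picks` independent draws from `choices` options."""
    return picks * math.log2(choices)
```

For scale, `strength_bits(94, 8)` is about 52 bits, while a single word taken from a dictionary of N entries offers only `strength_bits(N, 1)`.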
