8

In the last several months there have been several publicized data breaches and public website defacements done by several different hacking groups (which the media loves to group under a single domain, "anonymous"), most recently some attacks on BART and affiliated organizations following a controversial move by the transit agency.

It's conceivable that some public facing websites (effectively billboards) aren't well secured (like the CIA "hack" two months ago), allowing someone with some blackhat experience to get in and mess with and deface the website (as well as release some inconsequential details about the FS organization and other stuff). However, every once in a while they release some more private details, like plain-text lists of usernames and passwords from various database servers that were in the attack.

What I'm confused about is how they get such a large list of passwords. Are these servers so badly configured that passwords for web services are stored in plain text? Is "anonymous" brute forcing some hash list and releasing the low-hanging password fruit (this would skew the number of passwords that look simplistic)? Are they setting up base on the hacked servers and logging all the passwords?

It seems a little unnerving to me that web services associated with legitimate organizations would be storing password information in such a way that it is easily retrievable to anyone with some hacking scripts.

crasic

3 Answers

7

Yes, a lot of these sites are so badly configured that they store the passwords in plain-text.

Or, when passwords are stored as encrypted hashes, the hackers are releasing easily decrypted passwords. Actually, only in the case of the NewsCorp hack did Anonymous decrypt the passwords, other than that, they've simply been publishing the password hashes: the mainstream news gets confused, though, and describes this as releasing passwords. In practice, it's pretty trivial to decrypt hashes. For example, people were able to decrypt 40% of the passwords in the Booz-Allen dump.

No, they aren't intercepting passwords. They are largely just dumping everything on the server, defacing the site, then moving on.

I don't know why you are unnerved: most sites that you give your password to on the Internet will store it in plain-text. Only the very security conscious, those who tend to secure themselves from hacking in the first place, will worry about hashing the passwords.

Robert David Graham
  • "the mainstream news gets confused, though, and describes this as releasing passwords" Well, technically they are releasing passwords... they're just in an 'unusable' format ;) – emtunc Aug 18 '11 at 07:13
  • Although technically, the majority are in a usable format - just with a little extra effort and time :-) – Rory Alsop Aug 18 '11 at 07:56
  • "most sites ... will store it in plain-text"? Is there any reference for this? I find it hard to believe. – Stefano Palazzo Aug 18 '11 at 10:32
  • @StefanoPalazzo, look at the hacks over the last year. See how many were using no hashing or encryption for the passwords, or extremely low quality encryption. It has amazed me. "Most" might be overstating it though. – m4tt1mus Aug 18 '11 at 15:53
  • Yeah, there wasn't any news about the sites that hadn't been hacked. Of course I agree that it's a huge problem nonetheless. – Stefano Palazzo Aug 18 '11 at 17:08
  • @Stefano from my experience, it is the majority of sites that either store it in plaintext, or with very weak obfuscation. (I'm not even counting those that hash incorrectly...) – AviD Sep 05 '11 at 06:47
4

As I understand it, the majority of the compromises from LulzSec, Anonymous, etc. are SQL injection. HBGary, Sony, Apple... they all fell because of SQL injection flaws in their web apps. http://www.google.com/search?q=anonymous+sql+injection

Sometimes the passwords are plaintext, sometimes they are hashes that are pre-cracked by the group, and sometimes they just post a torrent of all the hashes and let the world figure it out.

Also, a good infosec hint: don't give your web apps permission to query passwords. Use a stored procedure to compare them. That way, even if you are an SQL injection victim, nobody can dump the password hashes.

Jeff Ferland
  • The principle of defense in depth applies here. Now you have to have a misconfigured application that exposes access to the underlying database AND an underlying database that exposes passwords despite an intent to disallow that access. I consider it a fantastic mitigation method that should be applied, much like hashing passwords. "Why worry about hashing passwords correctly if you can't code it properly to prevent somebody from reading them over the Internet?" – Jeff Ferland Aug 18 '11 at 16:51
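The two mitigations raised on this page, hashing the stored passwords (first answer) and keeping the application account from ever reading the hash column by comparing inside a stored procedure (answer above), as one added example; this is not code from either answer. It assumes PostgreSQL with the pgcrypto extension, and the schema, table and role names (auth, auth.users, auth_owner, app_user) are made up for the illustration.

```sql
-- Added example, not from the answers. PostgreSQL + pgcrypto; names are assumed.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE ROLE auth_owner NOLOGIN;   -- owns the table and the functions
CREATE ROLE app_user LOGIN;       -- the account the web application connects as

CREATE SCHEMA auth AUTHORIZATION auth_owner;

CREATE TABLE auth.users (
    username      text PRIMARY KEY,
    password_hash text NOT NULL   -- bcrypt string from crypt(); plain text is never stored
);
ALTER TABLE auth.users OWNER TO auth_owner;

-- Set or change a password: salted bcrypt, cost factor 12.
CREATE FUNCTION auth.set_password(p_user text, p_password text) RETURNS void
LANGUAGE sql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
    INSERT INTO auth.users (username, password_hash)
    VALUES (p_user, crypt(p_password, gen_salt('bf', 12)))
    ON CONFLICT (username) DO UPDATE SET password_hash = EXCLUDED.password_hash;
$$;

-- Verify a candidate password inside the database; only true/false leaves it.
-- An unknown user yields false, same as a wrong password.
CREATE FUNCTION auth.verify_password(p_user text, p_password text) RETURNS boolean
LANGUAGE sql SECURITY DEFINER STABLE SET search_path = pg_catalog, public AS $$
    SELECT coalesce(
        (SELECT password_hash = crypt(p_password, password_hash)
           FROM auth.users WHERE username = p_user),
        false);
$$;

-- SECURITY DEFINER runs with the owner's rights, so the owner must be auth_owner.
ALTER FUNCTION auth.set_password(text, text)    OWNER TO auth_owner;
ALTER FUNCTION auth.verify_password(text, text) OWNER TO auth_owner;

-- Functions are EXECUTE-able by PUBLIC by default; take that back, then grant
-- the application only what login needs. It never gets SELECT on auth.users.
REVOKE ALL ON auth.users FROM PUBLIC, app_user;
REVOKE EXECUTE ON FUNCTION auth.set_password(text, text)    FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION auth.verify_password(text, text) FROM PUBLIC;
GRANT USAGE ON SCHEMA auth TO app_user;
GRANT EXECUTE ON FUNCTION auth.verify_password(text, text) TO app_user;

-- Connected as app_user:
--   SELECT auth.verify_password('alice', 'correct horse');  -- returns true or false
--   SELECT password_hash FROM auth.users;                    -- ERROR: permission denied
```

An injected query running as app_user can still call verify_password to test one guess per call, so the usual lockout and rate limiting on the login path still matter; what it can no longer do is dump the hash column in bulk.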
0

Try following Troy Hunt's blog, for example this article. The worst part of having one site hacked and account info (with plaintext passwords) stolen is that there is a security risk for other sites, as people tend to reuse passwords.

Cheers, Wim

Wivani