Lesson #1 from the Hacking Team hack: Choose strong passwords

Don't make your password P4sswordItaly's controversial Hacking Team, which supplies spyware and surveillance technology to countries and law enforcement agencies around the world, hasn't been having the best of times.

This weekend it was hacked, and the attackers spirited away a reported 400 GB of data including source code, confidential documents, and email archives. In fact, it's hard to imagine what the hackers might *not* have got away with.

Hacking Team's hacked email

Christian PozziOne employee of the Hacking Team directly impacted by the hack is Christian Pozzi, who describes himself on LinkedIn as a senior system and security engineer for the company.

According to reports, the hackers appear to have successfully compromised Pozzi's Firefox browser password store, revealing a slew of poorly chosen login credentials rather than the complex, hard-to-crack, unique passwords that most security professionals would recommend.

The leaked security engineer's list of passwords doesn't make for impressive reading:

UserName : Neo
Password : Passw0rd

UserName : c.pozzi
Password : P4ssword

UserName : c.pozzi
Password : P4ssword

UserName : c.pozzi
Password : P4ssword

UserName : c.pozzi
Password : P4ssword

UserName : c.pozzi
Password : CHP0zz1!

UserName : c.pozzi
Password : P4ssword

UserName : c.pozzi
Password : P4ssword

Oh dear.

Weak passwords may not have been the cause of the successful hack of the Hacking Team, but it seems unlikely that the fact that lousy passwords were in use (and re-used!) will not have helped prevent the situation from becoming much worse for the Italian company.

In the immediate aftermath of the Hacking Team hack becoming public knowledge, Pozzi made a futile attempt at damage limitation, urging people not to download the torrent that hackers had made available of the company's documents and email archives because it contained (he claimed) a virus:

Pozzi warns of virus

The attackers are spreading a lot of lies about our company that is simply not true. The torrent contains a virus.

Nice try, Christian. But the security community on Twitter wasn't buying your story.

Pozzi's @christian_pozzi Twitter account has since mysteriously disappeared. As Steve Ragan at CSO Online, before the account vanished it may have been briefly hijacked by the same hackers who compromised Pozzi's employer, exploiting the stolen passwords.

Pozzi Twitter hacked

My guess is that Pozzi may have renamed or deleted the account as a final act of personal damage limitation.

Anyone following the story on Twitter or in the technology media will be kept fascinated for days, as more revelations bubble up from the massive data dump published by the hackers.

But here's my first piece of advice: get yourself a decent password manager and use it properly to choose strong passwords.

A password manager can make it child's play to generate hard-to-crack, unique passwords for the websites you use, your servers, your applications, and your networking gear. Plus it can do a good job of remembering them for you, and storing them within a secure, encrypted password vault.

Start using a password manager and never again should you find yourself having to make excuses as to why you reused passwords, or chose something as amateurish as "P4ssword" to protect your company's secrets.

Further reading:

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

8 Responses

  1. Anonymous

    July 6, 2015 at 11:33 pm #

    Don't they know that Margaret Thatcher is 110% sexy?

  2. Jamie

    July 7, 2015 at 12:05 am #

    I think it's becoming quite clear that these guys were nothing more than very well compensated script kiddies. Good riddance to this scummy business.

    I just hope the spy agencies of free countries around the world are finally going to start realizing that creating stockpiles of zero-day vulnerabilities for offensive purposes isn't doing anyone any good. We should all be practicing responsible disclosure, and focusing first and foremost on cyber DEFENSE, not cyber OFFENSE, to make everyone safer. Not just safer from spying by repressive regimes, but from the criminal syndicates that are robbing us blind.

    • Coyote in reply to Jamie.

      July 7, 2015 at 12:32 am #

      "I just hope the spy agencies of free countries around the world are finally going to start realizing that creating stockpiles of zero-day vulnerabilities for offensive purposes isn't doing anyone any good."

      Your hope is futile, I'm afraid; even if they were to realise that they make poor decisions (and that is a very big if), they will ignore it anyway (history shows this). Mark my words: it isn't going to get better. I would be surprised if it didn't get worse exponentially given that it has less physical harm (and the old problem of 'everyone else is doing it so why shouldn't we ?'). The cat is out of the (black?) hat and given that countries participate in black markets (therefore giving authors of malware, exploits, etc., an incentive to focus on profit) the cat will not jump back in the hat ('the cat not in the hat'). The thing is they want as much power (in various forms) as they can get and their highest priority tends to be power when it should be protecting themselves and others (and perhaps following the laws that they should be following if they want others to).

      They will make their excuses but that's all it is in the end. Keep in mind that they'll whine if others do it (other countries or private third parties) and you can easily see how it is only an excuse on their part. Ironic, isn't it, that the US and UK want to participate in (cyber) war games (I don't believe for a second that they want to do it only for learning to protect.. and if I am wrong, maybe they could start by behaving themselves instead of attacking other countries/citizens/et al.).

  3. Hitoshi Anatomi

    July 8, 2015 at 2:52 am #

    Whether iris, face, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.

    Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

    In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at
    http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

  4. Dr. Quien

    July 9, 2015 at 7:25 pm #

    Graham: You bring up password manager software again. Question: if one computer creates a strong password with a particular account (say, a joint checking account with my wife), how can a second computer log on to the same joint checking account? It would seem that the second computer can't access the account because it doesn't know the strong password created by the first computer. Am I missing something?

    • Graham Cluley in reply to Dr. Quien.

      July 9, 2015 at 9:21 pm #

      I would imagine you would create a secondary encrypted password vault, shared via one of the popular file sync/sharing services, and only put the passwords you need to share with your wife in that.

      • Stephane Rosa in reply to Graham Cluley.

        July 25, 2015 at 1:16 pm #

        How about using a cloud based password vault like LastPass or the like ? Security in the cloud is as strong as the master passwords chosen by users and used to encrypt private keys which encrypt the vault. Sharing functionality allows to keep complex passwords and share them with e.g. wife, encrypted with her public key. Very simple and transparent

  5. Password RBL

    July 14, 2015 at 4:11 pm #

    Looks like Hacking Team should have used PasswordRBL.com to enforce strong password choices. Of course, we'd never offer our services to them.

    Don't be the next hacked headline!

    www.PasswordRBL.com

Leave a Reply