Passwords...

Updated: Aftonbladet themselves now write about the hacking. Their article is in Swedish, so let me summarize here in English. They say the hackers managed to get access to the intranet (whatever that is) at Aftonbladet and decrypt passwords. The access to the email was because users had the same passwords for email as they had for the intranet and to some Facebook accounts. Access was possible for 50 minutes before the mail server was closed down. They point out there is a risk some material that is protected by law because it involves communication with a journalist might have leaked, but there is so far no sign of that. The incident is reported to the police, and the police, Aftonbladet and a security company is working on looking at the details of the incident.


One of the more interesting IT related news stories today in Sweden is that the newspaper Aftonbladet have got their mail hacked. The hack is described in the IDG news article, but the first announcement was at Flashback, in one of their forums. You can see one screen dump of a mailbox here. As you can see, they use Communigate Pro email server. More about that software later.

Oscar Edholm, CIO at Aftonbladet, say say in Sydsvenskan that it is not the mail server that has been hacked, but an access mechanism to their internal network, but as many people have the same username/password to this box as the email, hackers can use the username/password to also the email.

A lot of pople (Mary, Per and Joakim for example) write about password management here, and let me comment a bit on what they write.

First of all, reusing the same password for many services is not a good idea. It seems according to the comments from Aftonbladet that that is how the hackers could access so much information. Of course many people do reuse passwords. Why? Simply because not enough services are designed to be easy to use for the end user. The password management system is not user friendly. And, if it is, it is normally by use of a shared database with passwords (in LDAP for example) so the same credentials can be reused anyway. The solution? As Joakim writes, make sure different services that in reality belong to different security realms reuse the same credentials. If one of the services are cracked, that must not have impact on the other.

Secondly, the passwords themselves can not be too simple. If they are simple, then either one can guess them by dictionary attacks. Mary writes that one should not have the password on a post-it note on the monitor. I claim that is in many cases much safer and more secure than not having it there (and instead have a too simple password). Her reason for it was an incident at a hospital where staff had passwords on such notes. At least Mary thought it was passwords (because I do not think she tried…). Passwords should be changed of course, but forcing people to change passwords will force them to come up with a new password when they are not mentally prepared. That way the strength of the password will be lower than if they have time to think about a good one. A password can also be generated of course, and that is the best mechanism. And because of that, I think the post-it note password storage system is not so bad. Better is of course a local storage in the client that can store the passwords. Encrypted of course, and if they by the user can be decrypted, the password for that decryption feature should be something different of course. The best solution is of course to mix a password with some hardware encryption feature like the usb key from Youbico that is much easier to use than other one time password systems like SecurID from RSA (also good, but more complicated).

Third, there must be a plan for what can happen if the system is cracked. If one manage to get access to a system, will one be able to access the database with the passwords? Can one install a wiretap on a host and see the passwords in clear text? Are the passwords logged (as part of the logging that in turn is passed via some syslog facility to another computer)? Communigate Pro (that Aftonbladet use) have as default the passwords stored in clear text for the accounts, although the directories can be secured using normal file system security (and with Communigate, that can be tightened up completely). Passwords can be stored after being encrypted/hashed using some one way mechanism. Downside is of course that the users can never get to know from the system what the password is. They can only get a new one. But this is a much more secure system than having the password in clear anywhere at all.

What is for me interesting in this story, is the piece that talks about the fact DNS information has been changed by some claimed access to data at Domaininfo. And some rumors claim that is how Aftonbladet was hacked in the first place. The hack can of course happened by some change of the DNS for the webmail of aftonbladet, but that is not a hack at Domaininfo, but instead a hack of the authoritative DNS servers:


aftonbladet.se.		4815	IN	NS	ystad.dns.swip.net.
aftonbladet.se.		4815	IN	NS	ns.aftonbladet.se.
aftonbladet.se.		4815	IN	NS	ns2.ip-only.net.

It can of course also have been a cache poisoning of some resolver out there on the net. Some IP address changed that fool people to go to the wrong website, they give their username/password and voila, the party that installed the man in the middle web proxy have the data. When the username/password to the correct username/password is fetched, then the data at Domainfo could possibly have been changed as authorization can have been via email. Or, by the fact that the same username and password was used at Domaininfo as for email?

These kind of DNS attacks that DNSSEC together with some X.509 based mechanism protect against.

What is important is of course that Aftonbladet (and others) learn by this incident and tighten up their systems. Divide their services in realms, and ensure that even if a system in the security perimeter of the organisation is hacked, the damage is minimized. To learn, we all must get information on what really happened, and I hope Aftonbladet will disclose this when they know it themselves. Too many crackers claim they have cracked this and that, when in reality they might have cracked this, and that lead to ability to access that. The difference between those two series of events is important.

Now go home, change your password (different passwords for different services) and write them on a post-it note. Then you have better control over who can actually know your password, because you know where you store the post-it note. It might not have to be on the monitor…

Updated: Mary has in a comment pointed out that she know it was the password on the post-it note because she asked the nurse. That is of course the wrong usage (storage) of post-it note based password storage systems. But it is very easy for people to understand that it is wrong, and why. The why part is often the most important btw. If people understand why they will often find a solution themselves. Education is better than instructions.