Syrian Electronic Army slurps a MILLION reader passwords from Forbes

Forbes.com has become the latest media outlet to fall to an attack by the Syrian Electronic Army (SEA), with the account records of more than a million people swiped. A database containing email address and password combinations for 1,071,963 accounts was dumped online by the hacktivists – including the records for Forbes …

COMMENTS

This topic is closed for new posts.

As well as having a salt value for each record they should be aware that these will be stolen in any db compromise. They should in addition have a long random salt that is appended to every password that is within the code and so not viewable via a db attack. e.g. if they appended

Dhgnd87€QAa!Po89'rndns

to each password plus record salt before hashing, it would make a brute force attack much harder assuming this string wasn't known by the attacker as it wasn't in the db.

Also a 6-byte salt per record seems a bit short.

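One way to implement what this comment describes (a random per-record salt plus a secret "pepper" held in code or config rather than in the database), as an added example that is neither Forbes' code nor the commenter's. It uses the commenter's sample string as the pepper purely for illustration, a 16-byte random salt instead of a 6-byte one, and PBKDF2-HMAC-SHA256 from the Python standard library as the slow hash (the slow hash, the record format and the sample password are my assumptions; the comment names none of them).

```python
"""Per-record salt plus a server-side secret ("pepper") that never reaches the DB.

Added example, not Forbes' code. The pepper below is the commenter's sample
string, used purely as an illustration; in practice it would be loaded from an
environment variable, a secrets manager or an HSM, and never stored next to
the hashes.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Example pepper (the string from the comment). Assumption: it lives in
# code/config, so a dump of the users table does not include it.
PEPPER = "Dhgnd87€QAa!Po89'rndns".encode("utf-8")
SALT_BYTES = 16        # the comment calls 6 bytes short; 16 random bytes is conventional
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed; tune to your hardware)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt>$<dk>': the only thing written to the DB."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    # Mix the pepper in with HMAC rather than by plain concatenation, so the
    # pepper acts as a proper key and the per-user salt still does its job.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute from the stored record and compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", keyed, salt, int(iters))
    return hmac.compare_digest(dk, expected)


def record_leaks_pepper(stored: str, pepper: bytes = PEPPER) -> bool:
    """True if the pepper (raw or base64) shows up in the DB record. Should be False."""
    return pepper.decode("utf-8") in stored or _b64(pepper) in stored


if __name__ == "__main__":
    # Constructed sample password, in the style the article says staff used.
    rec = hash_password("forbes2014")
    print(rec)
    print(verify_password("forbes2014", rec))                   # True
    print(verify_password("forbes2014", rec, pepper=b"guess"))  # False: wrong pepper
```

An attacker who has only the dumped table still has to guess the pepper before any offline cracking of the records can start, which is the commenter's point; the random salt keeps identical passwords from hashing to identical records, which the pepper alone would not do.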

Astonishing?

Why is it astonishing that Forbes staff used forbes(xxxx) as a password? I would actually be shocked if that wasn't the case.

It doesn't matter how well you protect/defend a resource (computers, giant piles of non-sequential $50 bills, gold, whatever) if you're going to let a general audience diddle with your defenses from the inside. Users, household staff, refrigeration contractors and horny teenagers have destroyed more fortified things, by accident, than all the hostile/expansionist attacks in history.

The enemy outside your walls generally isn't nearly as dangerous as the dumb/stupid/ignorant/insane people that live inside your walls. The easiest way to deal with the problem is to have all your users and household staff executed, and send the teens off to a same sex boarding school in Mongolia. Alternatively, you can huck the undesirables inside your walls at the enemy outside the walls. They'll never see that shit coming. They'll probably just leave.

You could also try to educate users. Good fucking luck. It isn't that users are stupid, necessarily, but as a rule, the computer is just the thing they sit in front of while they figure out how to leave work early. Just like most IT folks wouldn't be remotely interested in modifying certain parts of the sales funnel to even out revenue, most not IT people give exactly zero shits about any computer that isn't their property.

Just get used to it. If your desk has one of those file cabinet drawers, most brands of wine in a 5 liter box will go right in behind the files. I recommend that. You aren't going to get users fixed (although, a lot of them should be I suppose).


Re: Astonishing?

"The enemy outside your walls generally isn't nearly as dangerous as the dumb/stupid/ignorant/insane people that live inside your walls. "

Great sentence ... It has to be a premise for a book about the 'technology revolution' of the 21st century. About the 'smart phones' for dumb people. About how people have no clue about the world they live in. Or as the late Carl Sagan said so wonderfully:

'We live in a society exquisitely dependent on science and technology, in which hardly anyone knows anything about science and technology.'


Re: Astonishing?

lambda_beta,

No. Don't get into that arrogant, childish thing about how the IT literate are an elite, and everyone else is stupid. It's not really what Don Jefe said anyway. Admittedly the IT literate are an elite, when it comes to IT - those are the skills you've chosen to have after all.

The problem is that most users don't give a fuck about computers. It's not that they can't understand, it's that they're busy doing other stuff with their lives. Also they come up against a particular computer problem maybe once a year, so are bound to forget the answer. Skills you don't regularly use get rusty.

I have a friend, who's the perfect candidate to be good at computers. He's got good maths and engineering skills - a decent memory, and an organised mind. But he's a designer. He likes to think in terms of space, aesthetic and colour. He can look at a problem from unusual angles, and is able to translate a client's vague, inexpert ramblings into a stunning piece of hand-built furniture. Or re-design the interior of a house. Last time I fixed his computer and tried to explain how to solve the problem he said, "don't talk to me about that technical stuff - I understand wood."

Yet, if you give him a complex, interlocking problem involving esoteric fixings, weird shapes and mechanical loadings in order to make his pretty wooden stuff work - he's up for the technical challenge. He's happy with plumbing, or fixing a motorbike. He came round to dinner at my new flat, and was able to solve the space problem in my kitchen / living room in about ten minutes of me failing to describe exactly what I wanted. Simultaneously coming up with the idea, describing it to me and sketching 2 new bits of furniture upside down, so I could read it from the other side of the table.

My Mum is similar. A dangerous incompetent in charge of a computer. Uninterested by why it went wrong, just wanting email to work now. But she has a masters degree in her subject and her skills are still in demand, as she's just started a new consulting gig at 75. Can she remember her password? Maybe, maybe not. Can she help solve the behavioural problems of disabled kids and pilot their parents through the hideously complex legal and bureaucratic minefield of the education, legal and social security systems? Very probably. Society is far better served by her spending her time doing that (or just being a granny), and me fixing her pooter.


Re: Astonishing?

"Why is it astonishing that Forbes staff used forbes(xxxx) as a password? I would actually be shocked if that wasn't the case."

You'd be even less shocked if you knew the format of the password that was assigned to you when you first had a contributor account set up.....


Re: Astonishing? @ Spartacus

That's it exactly! I guess you said it better than I. People, generally, just don't care about things that aren't directly connected to their work or family. I certainly wasn't trying to imply users are dumb and IT people are smart. I've been around long enough to know those generalizations aren't remotely accurate.

Many professional adults not in IT, particularly those higher up the food chain, often look at computers as a, sometimes, helpful tool but they don't actually need it to do their jobs. The second it becomes any sort of inconvenience they will act to remove the 'problem' and get on with their work.

In the late 1990's the company I worked for did a fairly large study of 200 big firms, and their staff, and found, among other things, that people were far, far more security aware with their home computers than they were with company computers. As well as the reasons why. I'll tell you what we found then address the broader point.

Staff, generally don't value corporate data because they don't know how the company works, or business in general actually. They know what their company makes, kind of, but don't understand how that actually turns into a paycheck for them, just that it does. For example, which of the following things would cause the most damage to your company if it were stolen?

a) Customer details, including bank and credit card info, home addresses, email address & account password.

or

b) Customer pricing schedules.

The answer is (b), but the breakpoint was really interesting. General and technical staff almost always say (a), and management, sales & marketing say (b). You can fix (a), whereas (b) may very well put you out of business and will certainly have you in court for years. Those lawsuits won't go anywhere, pricing parity isn't a legal requirement, but you'll still have to deal with them.

That isn't a 'fault' on anyone's part, it's just that those without vested interests in maximum company performance don't care and/or don't understand what's actually important. While that is a perfectly understandable, and valid, way to feel about 'the man' you work for, it presents a whole mess of security concerns. In life or death situations, people on the same team have a really good reason (a bunch of them actually) to make sure everyone is doing as they should. If it's just a paycheck people have a different value system and contrary to popular belief, salary doesn't mean anything. Security issues aren't significantly impacted by money either way. Maybe all staff should carry guns! Keep everybody fresh!

Contribution valuations do cause problems though. It makes no difference who you ask, that person's role is the lynchpin that keeps the entire company going. Obviously, that isn't remotely accurate, I've yet to see a successful company that would collapse simply because you disintegrated 50% of the staff. That's not to say what people are doing is useless, not at all. That's to say what they're doing isn't as crucial as they think. Before anyone gets defensive, the same is true of the senior management (if you disintegrate them the company might collapse, but more from shaken investor concerns, not because the CEO knows the business so well).

There's nothing much to do about any of that. You can't make people care, or understand how things work and where their paycheck actually comes from. People all the time say 'I would care more if they paid me more' and they think they mean that, but they don't. I've been through an IPO and everyone in my department was suddenly a millionaire and not one fucking thing changes except the level of drama created by an angry employee who is suddenly rich. They'll stay logged in to everything, they'll put sensitive stuff on USB drives and leave them in a prostitute and they'll print out a list of all their passwords/usernames and leave it in the suite your Russian sourcing guy arranged for them.

It's just Human nature. They don't care. I've found it easier and cheaper to accept that and roll with it than try to change people's behaviors. You can't change them actually, only they can do that. Don't get your hopes up on that.


Re: I ain't Spartacus

I think you've missed the point. This is not an issue about IT or its people. It's about today's society. It's about how everything has become so complex (by purpose) that people have given up. It's about black boxes and technological hocus pocus. Ask anyone who texts on their phone, 'Why is there a limitation on the number of characters?' and they don't know. But the sad thing is they DON'T CARE! It's all part of the wizardry of technology and there is no curiosity.

And you're correct we are too busy to learn. That's because:

The average time spent watching television (U.S.) is 5:11 hours per day.

The number of hours per year the average American youth watches television is 1,200 compared to 900 hours per year spent in school.

Americans spend an average of 13 hours per week playing video games.

And again the quote from Carl Sagan

'We live in a society exquisitely dependent on science and technology, in which hardly anyone knows anything about science and technology.'


This hasn't been about Syria

in a long time, has it?


Re: This hasn't been about Syria

Hell, Syria hasn't been about Syria for a couple of generations.


I made the Forbes list !!!!

Oh...


Re: I made the Forbes list !!!!

So own up then. Was your password, "password"?


Re: I made the Forbes list !!!!

Ahhhhh nooooo, it's secret.....

(geddit?)


Re: I made the Forbes list !!!!

Ooops-oh-dear. Whooosh! *ahem* Nothing to see here!


Re: I made the Forbes list !!!!

Read it again..think about it.

Whoosh indeed.


hunter2

Wonder if someone's password ended up being that?

Anonymous Coward

"We have notified law enforcement. "

In Syria?


Password safety

I've been (un)pleasantly surprised by the daft security concerning user/password registries. Years ago, while I was still at college, I had mostly figured out that DB-stored user/password combos were insecure, even if a one-way hash was used, but especially if MD5 or crypt was used. Having on-server encryption or code-hidden keys to encrypt the stuff was also useless as someone 0wning the box would also get the keys. I found better theft-dampening solutions by having LDAP as a user registry. This is because that LDAP could reside somewhere else (read: not the web server that is going to be eventually owned) and by smart ACL crafting, the hashes wouldn't be available for someone to dump off. Adding to this having the hashes themselves as SSHA, you should have a fairly hard to dump-to-crack-later user registry on your hands.

Come on, even Apache supports LDAP authentication. Why haven't all these sites moved to this?

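The arrangement this comment describes, as an added example that is not the commenter's code and not any real LDAP server: an {SSHA} generator and verifier in the format OpenLDAP stores in userPassword ("{SSHA}" followed by base64 of the SHA-1 digest with the salt appended), plus a toy in-memory directory whose access rule mirrors the usual OpenLDAP ACL `access to attrs=userPassword by self write by anonymous auth by * none`. The web application account can only bind (authenticate); it cannot read the hashes, so compromising the web box does not hand over the registry. The DNs, the 8-byte salt and the ACL model are my assumptions. One caveat the commenter does not mention: SSHA is a single SHA-1 round, so it is only as safe as the ACL that keeps it unreadable.

```python
"""{SSHA} userPassword values and an ACL that lets clients authenticate but not read them.

Added example: not the commenter's code and not a real LDAP server, just a
small model of the OpenLDAP rule
    access to attrs=userPassword by self write by anonymous auth by * none
"""
import base64
import hashlib
import hmac
import os
from typing import Dict

SALT_BYTES = 8  # assumption; slappasswd uses 4. The salt is stored in clear inside the value.


def ssha_hash(password: str, salt: bytes = None) -> str:
    """'{SSHA}' + base64(sha1(password || salt) || salt), as OpenLDAP stores it."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Split the stored value back into digest and salt, recompute, compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:          # SHA-1 digest is 20 bytes; anything after it is the salt
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Model of: access to attrs=userPassword by self write by anonymous auth by * none
ACL = {"userPassword": {"self": "write", "anonymous": "auth", "*": "none"}}


class Directory:
    """Toy directory: entries are dn -> attributes. Only the ACL logic is modelled."""

    def __init__(self) -> None:
        self.entries: Dict[str, Dict[str, str]] = {}

    def add_user(self, dn: str, password: str) -> None:
        self.entries[dn] = {"userPassword": ssha_hash(password)}

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: 'by anonymous auth' lets the server compare, never disclose."""
        entry = self.entries.get(dn)
        return bool(entry) and ssha_verify(password, entry["userPassword"])

    def read(self, requester_dn: str, target_dn: str, attr: str) -> str:
        """Attribute read under the ACL: only 'self' has read (via write) on userPassword."""
        rules = ACL.get(attr, {"*": "read"})
        level = rules.get("self", rules["*"]) if requester_dn == target_dn else rules["*"]
        if level in ("read", "write"):
            return self.entries[target_dn][attr]
        raise PermissionError(f"{requester_dn!r} may not read {attr} of {target_dn!r}")


if __name__ == "__main__":
    d = Directory()
    alice = "uid=alice,ou=people,dc=example,dc=com"      # constructed DN
    webapp = "cn=webapp,ou=services,dc=example,dc=com"   # constructed DN
    d.add_user(alice, "correct horse battery staple")
    print(d.bind(alice, "correct horse battery staple"))  # True
    try:
        d.read(webapp, alice, "userPassword")
    except PermissionError as e:
        print(e)                                          # the web tier cannot dump hashes
```

The ACL is what does the work here: a web server that holds only a bind DN and password for `cn=webapp` can check logins all day but gets `none` on `userPassword`, which is exactly the "dump to crack later" path the commenter wants closed.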

Are they REALLY so utterly clueless?

Just got an email claiming to be from Forbes, but two of the three domains mentioned are not forbes.com. I'd like to think that all new domains including "forbes" are being watched carefully, but there are lots of nice-to-think things that aren't the way things actually are.

I think the real blame is mostly with Forbes itself. The spammers are just helpless sociopathic criminals doing what comes naturally. In contrast, Forbes has helped define the rules of the game under which the criminals flourish. To facilitate their own cancerous money-uber-alles business models (extended to all the big corrupt companies that bribe the cheapest politicians), they have created economic models that fundamentally support spammers and their cancerous business models.

If the biggest companies were actually liable for the negative ramifications of their software and systems, you can be assured that they would design and implement their products differently. Of course Microsoft is the superstar here. They certainly create lousy and buggy software, but no matter what happens to you because of Microsoft's products, there is nothing you can do about it. Just check your "friendly" EULA if you don't believe me. (However, I actually realized how bad it was in conjunction with Adobe stuff, though they are the much smaller sinner. Microsoft might claim to have some substantive defense in that their software does a lot of important stuff, whereas almost everything Adobe's software does is just for the sake of flashier presentations.)


screen out stupidity?

MD5 has been broken for a long time. They should shift to SHA1 at a minimum with less rolls needed. As another person commented, Forbes' salt methodology is also woefully weak. You mean to tell me that Forbes' password setting program cannot screen out passwords with the strings "forbes", or "sebrof"? What you do is either lower-case or upper-case everything to find the match any place in the password and reject that password with the reason it won't be accepted. It goes without saying upper and lower case should not be equivalent for passwords.

Each of your account logins should have its own password with no two being alike. Use a password keeping program if you need to keep track of them.

But partly what is responsible are old out-dated password policies. A sequence of one after another weak passwords every 2-4 months isn't nearly as good as passwords that are strong to begin with even though they last 6 months to a year. Over 95% of people have a hard time creating good passwords and an even harder time remembering them.

I give general tips for people to create good passwords and it flies right past them. They concentrated on my example password rather than the techniques - numbers as words or letters, miXed c8sE, etcetera. I think I could teach 5-8 year old children but by age 9 education has stamped out all creativity. But they say "I can't remember that password." They miss the whole point. I told them to pick something THEY could remember. They should see my super-long OpenPGP pass-phrase. I also need muscle memory to remember it.

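The screening step this comment asks for, as an added example that is not Forbes' code or the commenter's: case-fold the candidate password, look for the site name or its reverse anywhere in it, and return every reason for rejection so the user is told why. It goes slightly beyond the comment by also folding a few common digit and symbol substitutions back to letters before matching, so "F0rb3$" is caught as well as "Forbes". The site name, the minimum length, the substitution table and the sample passwords are my assumptions.

```python
"""Reject passwords containing the site name (or its reverse), in any case or common leet spelling.

Added example, not Forbes' code. Returns a list of human-readable reasons;
an empty list means the password passed every check.
"""
from typing import List

SITE_NAME = "forbes"   # assumption: the site's own name, the string the comment wants banned
MIN_LENGTH = 12        # assumption

# Common substitutions folded back to letters before matching (assumed table).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "$": "s", "@": "a", "7": "t"})


def normalise(password: str) -> str:
    """Case-fold and undo leet substitutions; used only for matching, never for storage."""
    return password.casefold().translate(_LEET)


def banned_terms(site: str = SITE_NAME) -> List[str]:
    """The site name and its reverse, the two strings the comment calls out."""
    site = site.casefold()
    return [site, site[::-1]]


def check_password(password: str, site: str = SITE_NAME,
                   min_length: int = MIN_LENGTH) -> List[str]:
    """Return rejection reasons (empty list = accepted). Reasons are what the user is shown."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    norm = normalise(password)
    for term in banned_terms(site):
        if term in norm:
            reasons.append(f"contains the site name ('{term}') in some spelling")
    return reasons


if __name__ == "__main__":
    # Constructed candidates in the style the article describes.
    for candidate in ("Forbes2014!!!", "xSEBROFx-12345", "F0rb3$-passw0rd",
                      "correct horse battery staple"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The normalisation is deliberately one-directional: it only widens what the filter catches, and the password that is eventually hashed is the user's original string, so upper and lower case remain distinct at login exactly as the comment says they should.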