Analysis of Stratfor Site Breach Reveals Weak Passwords, Poor Enforcement
As Stratfor continues rebuilding its Website after the cyber-attack in which email addresses of its subscribers and other personal details were leaked, the company is coming under fire for its weak passwords and security policies.
Attackers breached Strategic Forecasting on Dec. 24 and stole over 200GB of data belonging to individuals and organizations that had registered for access to its global intelligence analysis publications. More than 860,000 password hashes from the registration database have been dumped since.
The Tech Herald analyzed the leaked files and was able to crack 81,883 password hashes in less than 5 hours using common brute-force tools and basic equipment.
"The system doing the cracking isn't the most powerful on the block, but it does the job nicely," Tech Herald's Steve Ragan wrote. The password lists were cracked using a free CPU-based hash-cracker called Hashcat and various dictionary lists available online.
Using a group of word lists containing common passwords, names of people in Congress, words from the King James Bible, various computer jargon and programming phrases, and previously dumped lists from Gawker and other sites, Hashcat was able to crack 25,690 passwords. A more extensive list that used words and phrases from various languages as well as common three- and four-character passwords, among others, yielded 21,933 additionally cracked hashes. It took Hashcat less than an hour to crack over 47,000 password hashes, according to the analysis.
There was "nothing original" about the techniques The Tech Herald used to crack the password hashes, and they were "most likely very similar to what the bad guys will use," Rick Wanner, a technical analyst at SaskTel, wrote on the SANS Institute's Internet Storm Center blog. The analysis highlighted the weakness of relying on passwords, Wanner said.
"The weakest link in security is the user," Wanner said, noting that there needs to be user education in good password creation and management.
The list of cracked passwords showed a high proportion of passwords built from birthdates, names of family members or some other personal reference (such as "ford1996"). Unlike "throwaway" passwords, such as "123456" and "qwerty," these personal passwords are more likely to be reused on other sites because they are easier for the user to remember.
The reuse of passwords across multiple accounts is a well-recognized phenomenon, according to Jay Heiser, a research vice president at Gartner. It is increasingly difficult for users to remember complex passwords because of the growing number of applications that require them and frequent changes.
"Instead of telling users not to write down their passwords, ask them to treat passwords as carefully as they treat their own money," he said.
While enterprises can't reliably track whether users are reusing passwords from their personal accounts on corporate applications, they should ensure all the corporate passwords are strong and unique and require regular password changes to avoid reusing passwords, Heiser said.
Stratfor's subscribers, and the companies and government agencies they represent, are generally part of the intelligence community and should be considered fairly savvy about authentication. "Given the professional profile of the people using the Stratfor website I find it disheartening to see that many were using simple and easy to guess passwords," security consultant Brian Honan wrote in the SANS Institute's newsletter.
Stratfor's policy recommends that users select passwords that are six characters long, with at least one number. However, Stratfor clearly did not enforce the recommendation, as the Herald found a handful of users who had selected a single character as their password.
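The gap the Herald found is between a policy that is recommended and one that is checked at registration time. The following is an added example of such a check, not Stratfor's code: it applies the two rules from Stratfor's stated policy (six characters, at least one number) and adds three checks aimed at the patterns the cracked list was full of. The deny-list contents, the rule wording, the year-suffix check and the function names are assumptions of this example.

```python
import re

# Constructed sample deny-list: the "throwaway" passwords the article names plus a
# few dictionary entries of the kind the cracking wordlists contained. A real
# deployment would load a much larger list (previously leaked dumps, common names,
# dictionary words in several languages).
COMMON_PASSWORDS = {
    "123456", "qwerty", "password", "letmein", "welcome", "iloveyou",
}

MIN_LENGTH = 6                                # the length Stratfor's policy recommended
YEAR_SUFFIX = re.compile(r"(19|20)\d{2}$")    # "ford1996"-style trailing years (assumed rule)


def password_problems(password, username=""):
    """Return a list of policy violations for a candidate password.

    An empty list means the password passed every check. The first two rules
    are Stratfor's stated policy; the remaining three target personal
    references, common words and trailing years seen in the cracked list.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(ch.isdigit() for ch in password):
        problems.append("contains no digit")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if YEAR_SUFFIX.search(password):
        problems.append("ends in a four-digit year")
    return problems


def enforce_policy(password, username=""):
    """Reject a password instead of merely recommending a policy.

    Raises ValueError listing every violation so a registration form can show
    the user all of them at once; returns True when the password is acceptable.
    """
    problems = password_problems(password, username)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return True


def audit_candidates(passwords):
    """Count how many candidate passwords would fail the policy.

    Useful when testing a registration form against a fixture list; returns
    a (failed, total) pair.
    """
    failed = sum(1 for pw in passwords if password_problems(pw))
    return failed, len(passwords)


if __name__ == "__main__":
    # Constructed sample of candidates mirroring the kinds of passwords the article describes.
    sample = ["a", "123456", "qwerty", "ford1996", "Tr4vel-Noted", "correct9horse"]
    for pw in sample:
        print(repr(pw), "->", password_problems(pw) or "ok")
    print("failed %d of %d" % audit_candidates(sample))
```

The check runs on the plaintext the user submits, before it is hashed, because that is the only moment a server can see it; once the registration form calls `enforce_policy` rather than displaying a recommendation, the single-character passwords the Herald found cannot reach the database at all.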
The Stratfor incident should be a "reminder" to revisit the password complexity and update frequency policy, said Cameron Camp, a security researcher at ESET.
According to a scam alert published Dec. 29 by the Internet Crime Complaint Center, the 25 most common passwords are still weak: they generally aren't mixed-case and don't combine numbers and letters. The alert was based on data compiled from law enforcement sources and user complaints submitted to IC3. "Users have prioritized convenience over security when establishing passwords," IC3 wrote, noting that people are creating passwords that are easier to remember and freely sharing passwords with others.
Stratfor's Website has been down since the attack as the team rebuilds the site and deploys security measures.
"We are currently investigating this unfortunate event and are working diligently to prevent it from ever happening again. As a result, we have delayed restoring our website until we can perform a thorough security review," Stratfor told eWEEK in an email.