A group of hackers calling themselves Lulz Security have gained access to a server belonging to the Fox Broadcasting network, and published details of hundreds of employees' usernames and passwords on the net.
The hackers, who claim to have also been responsible for stealing personal information about X Factor contestants from the TV network earlier this month, posted a message on the internet that didn’t disguise their dislike for Fox:
Dear Fox.com,
We don't like you very much. As such, we cordially invite you to kiss our hand-crafted crescent fresh asses.
Remember that time we leaked all your X-Factor contestants? [LINK]
Well now we're leaking some more of your junk. We invite the Internet to ravage the following list of emails and passwords (from a database within Fox.com) - Facebook, MySpace, PayPal, whatever you can get your hands on. Take from them everything. Remember to proxy up, or tunnel like a pro!
In addition, Lulz Security gained access to the Twitter accounts of some Fox affiliates, presumably using the stolen password information, and posted embarrassing messages:
Furthermore, some Fox employees found that their LinkedIn pages had been defaced:
Clearly, it’s important for Fox employees to change their passwords if they haven’t already done so. But more than that, this hack’s impact underlines the importance of using different passwords on every website that you access, and making sure that your passwords are not dictionary words or easy to crack or guess.
According to research conducted by Sophos, about a third of computer users use the same password for every website they access.
Once one password has been compromised, it’s only a matter of time before the fraudsters will be able to gain access to your other accounts and steal information for financial gain.
Watch a video I made about how to choose a more sensible password:
Of course, Fox employees might not have to be changing their passwords quite so urgently if their details had been better secured in the first place with encryption and layered security systems.
Let’s not forget, it’s not just individuals’ corporate identities which have been put at risk by this hack, but also their personal online and financial lives too.
Though yes, one should put up defenses, there was no mention of how hackers can really get past a lot of security measures if they wanted to.
Hmm. Normal practice for authentication systems is to store the hash (MD5 or other) of a user's password rather than the password itself. At authentication time, a hash of the entered password is compared with the stored hash. It's done this way specifically to avoid passwords being stored as plain text in databases (as in the hashed passwords stolen in the Sony incident).
Which begs the question – why did Fox deliberately avoid industry best practices and store passwords as plain text? The more cynical amongst us might wonder if it has anything to do with the fact that most people use the same password for multiple web accounts.
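The comment above describes the standard hash-and-compare scheme, and the article's own point is that plaintext storage plus password reuse turns one breach into many. The Python below is an added example, not code from the article, from Sophos or from the commenter. It contrasts three ways a site might hold credentials (plaintext, unsalted MD5 as the comment mentions, and a salted iterated hash), shows why a per-user salt stops one cracked hash from exposing every user with the same password, and runs a simple dictionary check of the kind the article recommends. PBKDF2-SHA256 with 200,000 iterations is an assumed choice of a stronger modern default; the account names, passwords and the small dictionary are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample: this is what a plaintext credential table looks like
# (the form the article describes being leaked). Names and passwords are made up.
PLAINTEXT_STORE: Dict[str, str] = {
    "alice@example.com": "Fall2011",
    "bob@example.com": "password",
    "carol@example.com": "password",   # same password as bob, on purpose
}

# Constructed mini-dictionary of the kind of words a guessing attack tries first.
COMMON_PASSWORDS = {"password", "123456", "letmein", "qwerty", "fox"}

ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def unsalted_md5(password: str) -> str:
    """The weak scheme: one hash function, no salt, no work factor.
    Identical passwords produce identical hashes across all users."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. A fresh random salt per user means two users
    with the same password get different stored values, so a precomputed
    lookup table built for one hash is useless against the rest."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then
    compare in constant time so response timing leaks nothing."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate_store(plaintext_store: Dict[str, str]) -> Dict[str, str]:
    """Convert a plaintext table into salted hashes; after this the
    original passwords are never written anywhere."""
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


def is_weak(password: str, dictionary=COMMON_PASSWORDS, min_len: int = 12) -> bool:
    """Reject dictionary words (case-insensitive) and short passwords,
    the two properties the article asks users to avoid."""
    return len(password) < min_len or password.lower() in dictionary


def demo() -> dict:
    hashed = migrate_store(PLAINTEXT_STORE)
    return {
        # unsalted MD5 makes bob and carol indistinguishable
        "md5_collides": unsalted_md5("password") == unsalted_md5("password"),
        # salted hashes differ even for identical passwords
        "salted_differs": hashed["bob@example.com"] != hashed["carol@example.com"],
        "bob_login_ok": verify_password("password", hashed["bob@example.com"]),
        "bob_wrong_pw": verify_password("Password", hashed["bob@example.com"]),
        "weak_users": sorted(u for u, pw in PLAINTEXT_STORE.items() if is_weak(pw)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that hashing alone does not help users who reused the leaked password elsewhere; it only keeps the site that was breached from handing attackers the plaintext directly, which is why the article pairs "hash it properly" with "use a different password on every site".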
Another day, another attack. I used to be in the "use a few passwords" group, but the security breaches over the last couple of years finally convinced me to do something proactive.
After researching various password applications, I decided on a program called 1Password by AgileBits (http://agilebits.com/). I can generate strong passwords for each site I use, and I don't have to remember any of them. I only have to remember one strong master password. In addition, I can sync the data file through Dropbox to my iOS devices so that I have access to my login info no matter where I am. The 1Password data file (keychain) is encrypted, so even if Dropbox can decrypt user accounts, they should not be able to decrypt my data file.
This is not an ad for AgileBits. There are several excellent alternatives in the market. Regardless of which one you choose, Graham's article highlights the danger of not doing something to protect against a hacker learning one of your passwords and then being able to access every site you use the same password on. Thanks for the great article!
It makes the mind reel… Where are the "good guys" at Fox, the guys that are supposed to be protecting them from this sort of attack?
This is just another incident highlighting the importance of building and maintaining information security in all companies and verticals. Whilst obvious for all security minded IT professionals, the awareness of secure password management practices and signs of social attacks clearly need to be addressed with special attention and become a subject of constant re-education.
Another critical factor is the business culture and their perception of how relevant computer security is to their environment. I would take a look at the corporate governance regarding computer security to see what policies were in place to dictate the type of protection required for the Fox network and then see if their architecture coincided with defined policy. If there is no policy or the policy is weak due to the fact it is out-dated because it does not consider current technological advancements and threats then we know where the problem originated.
Is LulzSec a leftwing outfit?