When Prince William’s official website released a series of photographs yesterday of a day in his life as an RAF search and rescue helicopter pilot, they probably didn’t imagine that the PR initiative would end up ringing security alarm bells.
As The Guardian reports, some of the photographs had sensitive information in the background.
Making matters worse, the images had already been shared widely with the world’s press.
It only took us a few minutes this morning to find the original images on the internet.
This is one of the original images that we found on the net. Can you spot the username and password?
Here’s a closer look.
The revealing information in this photograph is pinned to the wall.
I have obscured the username and password in the close-up above, but it has to be said that when I zoomed in further I was disappointed to discover that the password was extremely obvious, easy to guess and – frankly – a diabolical choice.
The original pictures have obviously been widely distributed, and the cat has to be considered out of the bag. The only sensible course of action is for the authorities to change the passwords to something much stronger, ensure that stronger unique passwords are used in future, and to take greater care about vetting photographs before publication in future.
As we have explained before, if you are being photographed or filmed at your place of work, it may be sensible to remove any passwords which could appear in the background.
The Ministry of Defence confirmed to the press that four images of the 30-year-old William (known as Flight Lieutenant Wales at the RAF base on Anglesey) had been replaced on the website with amended versions, obscuring potentially sensitive information. Passwords have also been reset as a precautionary measure.
Here’s the new official doctored version of the photograph, with the login information removed courtesy of Photoshop:
Has any harm been done on this occasion? Probably not. But the story is getting lots of attention simply because of Prince William’s involvement.
If anything, some good may come of this. Maybe more people will be wary of what could be in the background when they get photographed or filmed in future.
This proves once again that in the real world, passwords are simply a nuisance and are treated in operational working environments as the hindrance they really are.
Most educated IT users, working in a professional place and using IT at home and at work will have between 20 and 50 passwords to remember (Internet banking, credit card banking, Sky subscription, every single online shopping company, perhaps security door at home or work, home laptop, PINs for debit and credit cards, home alarm system…)
It is not possible to remember them all. And all of the sophisticated systems for associating each one with a different object, or scrambling them up still all require you to memorize both the system you have used, and then the password itself. It's not possible. I can barely remember what I have to do today.
Passwords are over as a security measure. You guys in the IT industry better come up with something else, quick, because the system is already broken.
Us IT guys are one step ahead honey
https://agilebits.com/onepassword
And there are many, many other options available
Yours,
the IT industry
But also the entire notion of passwords is outdated especially with asymmetric encryption keys. People should simply issue certificates and revoke them as and when necessary.
@thermtortoise:
Are you talking about self-issuing certificates? If so, it can work but the whole idea of certificates is to convey trust, why should a self-issued certificate be considered trustworthy?
What happens when you visit a web cafe? How do you get your certificate onto the webcafe machine, then remove it later? Carry your cert(s) on a USB Key? How do you protect that? Also being able to revoke certificates on an immediate basis will require infrastructure that doesn't currently exist.
Passwords are going to be with us for a while yet.
All well and good for websites, but the organisation I work for would not allow the installation of this on their systems, not that an internet browser gets used anyway.
Hi Helen,
Stef is right; we already have come up with something else. Other examples are biometrics, smart cards, token devices and passphrases to name but a few.
Millions of people are in a similar situation to you with many passwords to remember and being unable to do so. I include myself here too. I easily have more than 50 passwords that I use for various online accounts, forums, internet shopping etc.
My solution is to use a reputable password manager (just like Stef mentioned) that reliably encrypts all of my passwords in a secure vault on my PC. I need only to remember 1 master password to unlock them. Even that is not ideal. If I forget this secure password (it follows the correct guidelines), I am locked out and it’s a single point of failure.
For helpful advice about passwords I would suggest listening to the following Sophos podcast:
http://nakedsecurity.sophos.com/2012/03/11/bustin…
I would consider the other authentication mechanisms that I mentioned above somewhat better than passwords but they all have advantages/disadvantages.
I am thankful that I have never had to use biometric scans such as retina scans or iris scans (although I have used fingerprint readers). While I admit they have advantages, they are more intrusive than passwords, especially during the initial enrollment phase when multiple scans are needed to build up an accurate image of either the retina or iris.
I wish that many more online accounts would use two-factor authentication since some online accounts only allow short passwords or don’t allow special characters or punctuation to be used. That’s fine but the resulting password is weaker.
As for the RAF, having a generic password on the wall like that is outrageous and any security audit should fail them for that. Obviously they have never heard of the principle of least privilege. Everyone should only have the access they need to do their job, nothing more. Everyone should be identifiable by name so that people are accountable for their actions. E.g. if someone logs in with the username and password on the wall and steals something, how would the RAF know who it was? It’s a generic username. Again an audit should fail them for not enforcing accountability.
To think that such mistakes are being made by our defense forces, to which we entrust national security, is absolutely no joke.
Thanks.
"As for the RAF, having a generic password on the wall like that is outrageous and any security audit should fail them for that."
MilFlip, the system shown is (according to a quick Google) Military Flight Information Publications.
Sounds like a generic information system, so requiring individual passwords serves only to boost the user population for no gain. The more users on a system, the harder it is to assure it (so it makes it less secure). Not only that, it would be another needless password (no doubt with different rules for length and complexity from all the other ones they have) to have to remember.
And, being part of an official system, user-installed software is an absolute no-no, so no password manager software.
Hi Alasdair,
I take your points on board but there are better solutions to the problems that you mention.
For example, if MilFlip is indeed a generic information system, it could be integrated with ADFS (Active Directory Federation Services) (http://technet.microsoft.com/en-us/library/cc736690(v=ws.10).aspx)
By integrating it with Active Directory, a Windows NT token (http://technet.microsoft.com/en-us/library/cc784956(v=ws.10).aspx) could be used for authentication, allowing each person to authenticate transparently to the system without using a password for that system (they would only need to know their logon for their Windows account).
I use such integrated services almost all of them in work and they are great (for the internal systems that don’t have this feature, we are gradually migrating them to use it). They uniquely identify every user and each user has a defined level of access and you don’t need to remember another password.
All of the above assumes that the RAF are using Windows Server’s Active Directory to provide an identity and access (IAD) solution for its members.
As for the password manager, it could be safely installed and used if the Windows AppLocker feature was used to whitelist it while also blacklisting applications such as Instant Messaging, Skype, file sharing etc. Again however, Windows 7 or above is required to use this.
I don’t see how your approach of an “official system” where no user software is allowed could work. Are you telling me that you do not have any 3rd party software installed on your corporate PCs?
A more realistic approach would be to install some applications into one master Windows image and deploy that image across the business. Giving users admin access on their PCs is a security risk, but unfortunately some applications still require admin access in order to update. Again AppLocker could help here by blocking unauthorised applications.
Thanks for your input.
Biometrics are not even close to being an answer for authentication.
A password may be a pain to remember but if it's leaked, you can change it. Changing your fingerprints / retina is not possible. As soon as you leave your fingerprints on a glass, someone can grab a copy, make the appropriate rubber mould to fool the scanner in question and then authenticate as you…
Iris scanners have been beaten by printed images already. I admit fooling a retina scanner is harder but it's not impossible.
Then there's the lovely scenario where you cut your finger, burst a blood vessel in your eye or similar – and now you can't log in to anything.
Strangely it is possible. I have 150 people in my company and I know all of their passwords (Windows) as well as all the passwords for all of the things that I do online. One of the other IT guys here also has all of the users' passwords memorized.
I almost threw up when I read this. Nobody should ever know anyone else's password, and the fact that people in IT think it's OK makes me sick.
IT snafu-related nausea, a truly horrible ailment. You have my greatest sympathies.
I agree though. The only person that should know a user's password is the user. It's simple security. If an IT sysadmin can't work around that, then I worry that he might be slightly inept at his role.
If you are getting physically ill simply from reading what another person says, maybe you should reevaluate your presence on the net. Stick your head in the sand and plug your ears, that way you never have to feel ill again.
Seriously, that was one of the more exaggerated pieces of hyperbole I have read in a while.
@rjr175:
I agree with InfoSecOff and Tim. If your company is ever audited for security compliance, e.g. PCI, you would fail that audit since employee passwords are to be robust. Since you and your IT staff know your users' passwords, you would fail since a password is not robust if someone else knows it.
What you are doing goes against every belief and security standard that many others and I stand for.
If I was your manager, I would dismiss you and all of those offending IT staff immediately for breaching security regulations and abuse of your positions.
If I was your boss I would also have to resign, since I would have failed in my duties to secure the company's data and assets by letting such a violation of security happen and go unpunished for such a long time.
My advice, CEASE what you are doing and allowing to happen immediately.
Another very good password manager is Lastpass.
It stores all your web-based usernames/passwords in an encrypted store. It is great to use as it injects the correct username and password into the logon page of the various websites when you visit them. You only have to remember the master password. It also allows you to use two-factor authentication using Google Authenticator to make this single password harder to get past.
What about using tools like Keepass to keep hundreds of secure 20+ long passwords??? If you are really a professional you do know that passwords need to be encrypted, right?
Actually it's very EASY to remember them all, just devise a system.
I have one pass-phrase I use for everything, bracketed by the first and last two letters of the site's name.
You only have to remember one phrase and can work out the other 4 characters based on the site. Pretty much anyone is capable of doing this and thus having unique passwords for each site. Making the phrase have no obvious boundaries will also help, hopasswordil for hotmail is easy to spot, ho1t4hr6k8il not so much.
(Please note that isn't my actual algorithm but I do use a similar one)
And as soon as one of those sites is hacked and your password retrieved, anyone who spends a little bit of time can work out your system and then log in as you anywhere.
See the recent Adobe hack where the morons actually encrypted passwords instead of hashing them. If (when?) someone works out the encryption key used, every password for millions of users will be revealed in one go. It's not your fault Adobe were incompetent – but your system makes you very vulnerable.
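The comment above contrasts two ways a site can store passwords: reversible encryption, where one leaked key exposes every account at once, and salted iterated hashing, where a stolen table only lets an attacker test guesses one at a time and a shared password across users still yields different records. The following Python is an added example written for this page (not from the article, Adobe or any commenter); the user names, passwords, site key and the HMAC-counter stream cipher are all constructed for illustration, and the hashing side uses only the standard library's PBKDF2-HMAC.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample accounts. Note that bob and carol share a password.
SAMPLE_USERS = {"alice": "Tr0ub4dor&3", "bob": "hunter2", "carol": "hunter2"}


# ---- Part 1: the reversible design (what the comment criticises) ----------------

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 run in counter mode as a toy stream cipher (constructed for
    # this example only; a real site would use AES-GCM or similar). The point
    # is not the cipher but that a single site-wide key reverses every record.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(site_key: bytes, password: str) -> bytes:
    nonce = os.urandom(16)
    pw = password.encode()
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(site_key, nonce, len(pw))))
    return nonce + ct


def decrypt_password(site_key: bytes, record: bytes) -> str:
    nonce, ct = record[:16], record[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(site_key, nonce, len(ct)))).decode()


def recover_all_encrypted(site_key: bytes, table: dict) -> dict:
    # With the key, the whole table falls in one pass: this is the failure mode
    # the comment describes, and it is why "encrypted" is the wrong property here.
    return {user: decrypt_password(site_key, rec) for user, rec in table.items()}


# ---- Part 2: salted, iterated one-way hashing -------------------------------------

ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def hash_password(password: str) -> str:
    # Fresh random salt per user, so identical passwords give different records
    # and a precomputed table cannot be reused across accounts.
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    # Re-derive with the stored salt and iteration count; the record itself
    # contains no information that yields the password without guessing it.
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_tables(users: dict = SAMPLE_USERS):
    """Return (site_key, encrypted_table, hashed_table) for the sample accounts."""
    site_key = secrets.token_bytes(32)  # constructed site-wide key
    encrypted = {u: encrypt_password(site_key, p) for u, p in users.items()}
    hashed = {u: hash_password(p) for u, p in users.items()}
    return site_key, encrypted, hashed


if __name__ == "__main__":
    key, enc, hashed = build_tables()
    print("encrypted table + key leaks:", recover_all_encrypted(key, enc))
    print("bob/carol hashed records differ:", hashed["bob"] != hashed["carol"])
    print("verify bob:", verify_password("hunter2", hashed["bob"]))
    print("verify wrong:", verify_password("hunter3", hashed["bob"]))
```

The contrast to take away: there is no `decrypt` counterpart for the hashed table, only `verify_password`, so a leaked table plus any server secret still forces per-guess work against each salt. A real deployment would reach for bcrypt, scrypt or Argon2 rather than hand-rolled PBKDF2 plumbing, but the storage property is the same.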
Who posts a user name and password on the WALL! Anyone walking in the room could see it, the photographer, the reporter, the cleaner, delivery person…… DUH!
Actually, posting a password on a wall isn't that big of a deal. The point of the password is to keep out the rest of the world. When in use in an authorised environment with only authorised people in it, then it being on a piece of paper really isn't the security risk.
Publishing it outside of that environment is.
I accept that is somewhat counter-intuitive, but it's just how many people fail to appreciate what the actual attack vector is.
Why was a password posted on the wall in the first place?
it's the military…
..what.. you think they're all really smart?
Not to mention that it is bad form to have passwords posted in plain sight to begin with!
100% agree. Although the Military Flight Information Publication is hardly a secure system as it uses Adobe Acrobat reader.
However the average third world intelligence agency might find it useful information. (If their budget can cover monthly payments to an ISP)
RAF… amateurs
Obviously a highly secure password but even if "minor" bad habits lead to a continuation when they really do need to be secure.
What a disappointment from the RAF!
I know I expected more from the RAF! Basic security, don't have a list of passwords under the keyboard. I read about this issue in my local newspaper. I just shook my head. Hopefully the CIA and Pentagon have better security!
Can’t wait till Steve Gibson talks about this one! I use LastPass.
I only came here because it had naked in the URL 🙁 Ain't no-one naked here though 🙁
Maybe you need a better quality monitor. We do occasionally receive reports from disgruntled readers who haven't yet found naked photos on our site. Typically, upgrading your screen resolves the issue. Let us know how you get on.
Quick, someone grab that nuclear armaments password off the wall before the photographer arrives!
Managing a large number of secure passwords can be easy. Use Keepass (Google: Keepass). I only need to remember three: Dropbox, Gmail and Keepass.
Won't be long before chip implants are the only way to ensure privacy/security. The writing has been on the wall for centuries…
And all you so-and-so's pooh-poohing the RAF… shame on you!
The details were for MilFlip.com. This is a site for ordering aviation documentation, such as airfield approach limits, weather limits and navigation aid details. ALL of which are OPEN source, freely available on the Internet. Those login details were simply how the Squadron orders more aviation documents. This "Journalist" should stop being a sensationalist little twat and making a mountain out of nothing. Why not report on what actually matters, rather than making up complete tosh like this.
Perhaps they want people to use that username and password so that they'll find information they want them to find….
Try to use a password manager like KeePass or LastPass.
Really, never give your password to anyone?
Let's challenge this for a minute.
How sensitive is your data? I trust my wife implicitly with my children. I have no issues sharing sensitive information that allows her to access my data or bank account, at least not from a trust viewpoint.
This is a faux-pas, there is no question about it, but if this system is classified low, maybe authentication should not even be necessary, as each use of authentication data exposes it to compromise.
It's all about risk/business benefit which is why credit/debit cards are merely protected with a 4 digit PIN with no expiry. The worst loss is the daily limit of the ATM until the fraud is detected.
@cybersecurer.
"What should we do with these nuclear launch codes?"…"I KNOW!! Let's post them on the wall for all to see!!!"…"That's a great idea!!!"
To be fair, as an events professional, I routinely post passwords on the wall of control rooms – the site wi-fi (usually only there for the event, and pretty much any member of staff can have the "internet only" SSID password), the laptop BIOS & OS user/pass (because most staff on-site need to get into them), and anything else useful.
James Bond, he's not…
The password isn't the only security vulnerability by the looks of things, have you seen what OS they are using? I've heard they use IE6 too!
Why.. on the wall, seriously? Just about anyone could walk in, look at the password, and BOOM! Computer hacked.
And also, why were they looking at and zooming into pictures of prince-I-can't-remember-right-now? Sounds like somebody has a lot of time on their hands..
The moral of the story: the wall is not a place to hang passwords. And also search every picture of everyone you know for passwords hanging on walls. *mental note*