Australian Defence Force Academy in stinkingly bad password breach

The Australian Defence Force Academy (ADFA) is the latest high-profile organisation to become embroiled in a data breach.

Students at the Academy apply both to the Defence Force and to the University of New South Wales (UNSW), which runs the academic side of ADFA’s operations in Canberra.

It turns out that a hacker calling himself Darwinare breached UNSW's servers about a month ago and sucked down a heap of SQL database records, including those of ADFA students.

He then uploaded the data to an anonymous dump site, where interested members of the public can acquire it at will.

Fast-forward four weeks to today, and the breach is starting to attract attention, no doubt because of the connection of UNSW Canberra with the Defence Force Academy.

Darwinare brag-art

It’s certainly a bad look for both the University and the Academy.

It’s not the end of the world, fortunately. No juicy Defence secrets such as troop movements, aircraft plans, coastal patrol schedules, or weapons purchases have been revealed.

And UNSW did the right thing, candidly explaining the breach to those affected the day after it was reported. The breach included student ID, full name, email address and date of birth; similar data about staff was dumped, too.

Nevertheless, it shouldn’t have happened, and there can be no excuses.

Worst of all, the data dump reveals that UNSW was storing usernames and passwords for at least one of its computer systems in plaintext.

To be fair, these passwords were meant just for initial login, and were therefore expected to have a short life. But passwords should never be weak or guessable, or, for that matter, stored in plaintext. And the algorithm for generating the passwords in the dump is like a timewarp back into the 1970s.

They are all just seven or eight lower-case letters long. Many are repeated. All are meant to be pronounceable – surely an unnecessary step for a password that is intended to be typed in once and then changed – which leads to a conspicuous lack of randomness. Only a small set of digraphs (two-letter pairs) is used.

That produces some comic results. One percent of the passwords, for example, end in -poo, making them rather sadly self-descriptive.
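To make the weaknesses described above concrete, here is an added example (not code from the article, UNSW or Sophos) that audits a constructed batch of initial passwords for the tell-tale signs of a bad generator, then shows the hardened alternative: a CSPRNG-generated one-time password that is stored only as a salted, slow hash. The sample passwords, the metric names and the iteration count are assumptions for illustration.

```python
import hashlib
import os
import secrets

# Constructed sample in the style the article describes (short, lower-case,
# pronounceable, repeated); these are NOT values from the real dump.
WEAK_SAMPLE = ["bakaripo", "lemotupa", "bakaripo", "sinopoo",
               "relamipo", "tukepoo", "lemotupa", "karubeta"]


def audit_initial_passwords(pws):
    """Measure the weaknesses the article lists: length, character set,
    repeats, a restricted digraph vocabulary and a tell-tale suffix."""
    digraphs = {p[i:i + 2] for p in pws for i in range(len(p) - 1)}
    return {
        "count": len(pws),
        "duplicates": len(pws) - len(set(pws)),
        "max_length": max(len(p) for p in pws),
        "lowercase_only": all(p.isalpha() and p.islower() for p in pws),
        "digraphs_used": len(digraphs),          # out of 26 * 26 = 676 possible
        "poo_fraction": sum(p.endswith("poo") for p in pws) / len(pws),
    }


def make_initial_password(nbytes=12):
    """CSPRNG-derived one-time password: no pronounceability, no pattern."""
    return secrets.token_urlsafe(nbytes)


def store_password(password, iterations=600_000):
    """Never keep the password itself: keep a random salt and a slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return secrets.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    print(audit_initial_passwords(WEAK_SAMPLE))
    pw = make_initial_password()
    rec = store_password(pw)
    print(pw, verify_password(pw, rec), verify_password("bakaripo", rec))
```

Run the audit over any batch of generated initial passwords before they are issued: a high duplicate count, a single character class, or a digraph vocabulary that covers only a few percent of the 676 possible pairs all indicate the generator is not drawing from a CSPRNG.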

Make sure this doesn’t happen to you.

Harden your web services! Bring your password handling into the 1990s, if not actually the twenty-first century! Do it today!

Thanks for listening.

Do you run a web server at home, perhaps for friends and family, or even just for fun? How well protected are you?

Why not try our free Sophos UTM Home Edition?

You get a web application firewall, web and email filtering, IPS, VPN and more for up to 50 IP addresses.

Turn that spare PC into a full-on network security appliance!