Sophos Cloud Optix
The Australian Defence Force Academy (ADFA) is the latest high-profile organisation to become embroiled in a data breach.
Students at the Academy apply both to the Defence Force and to the University of New South Wales (UNSW), which runs the academic side of ADFA’s operations in Canberra.
It turns out that a hacker calling himself Darwinare breached the UNSW’s servers about a month ago and sucked down a heap of SQL database records, including those of ADFA students.
He then uploaded the data to an anonymous dump site, where interested members of the public can acquire it at will.
Fast-forward four weeks to today, and the breach is starting to attract attention, no doubt because of the connection of UNSW Canberra with the Defence Force Academy.
It’s certainly a bad look for both the University and the Academy.
It’s not the end of the world, fortunately. No juicy Defence secrets such as troop movements, aircraft plans, coastal patrol schedules, or weapons purchases have been revealed.
And UNSW did the right thing, candidly explaining the breach to those affected the day after it was reported. The breach included student ID, full name, email address and date of birth; similar data about staff was dumped, too.
Nevertheless, it shouldn’t have happened, and there can be no excuses.
Worst of all, the data dump reveals that UNSW was storing usernames and passwords for at least one of its computer systems in plaintext.
To be fair, these passwords were meant just for initial login, and were therefore expected to have a short life. But passwords should never be weak or guessable, or, for that matter, stored in plaintext. And the algorithm for generating the passwords in the dump is like a timewarp back into the 1970s.
They are all just seven or eight lower-case letters long. Many are repeated. All are meant to be pronounceable – surely an unnecessary step for a password that is intended to be typed in once and then changed – which leads to a conspicuous lack of randomness. Only a small set of digraphs (two-letter pairs) is used.
That produces some comic results. One percent of the passwords, for example, end in -poo, making them rather sadly self-descriptive.
Make sure this doesn’t happen to you.
Harden your web services! Bring your password handling into the 1990s, if not actually the twenty-first century! Do it today!
Thanks for listening.
Do you run a web server at home, perhaps for friends and family, or even just for fun? How well protected are you?
Why not try our free Sophos UTM Home Edition?
You get a web application firewall, web and email filtering, IPS, VPN and more for up to 50 IP addresses.
Turn that spare PC into a full-on network security appliance!
There's some beauts there too…
acheepoo
gooyepoo
likeepoo
minipoo (!)
noobepoo
shovipoo
…you're welcome.
I was intrigued to notice that "minipoo" is doubly self-descriptive, since it is both a poor choice and shorter than all the others.
Why do these need to be pronounceable? Like as not, they're gonna be copied and pasted from a verification email (which is also not particularly secure, but that's another matter). That said, it seems to me this is more effort than just doing it right, especially given that there are free, open source tools that'll do it for you.
any word on how the breach actually happened? My guess is, based on the lack of sophistication in the password database, that it was either an unchanged vendor password or cleartext embedded password in a code file
From the format of the raw data in the dump, it looks like a SQL injection was used. (That's where you add raw SQL commands to an online query and they get passed to the server and executed as code, not consumed as data).
On a scale of 1 to 10 how good do you think this peice of work was?