The Shared Password Strikes Again!

One of the most intriguing cyber-security stories ever is the recent hack and public smearing of information security from HB Gary by hacker group Anonymous. The incident relates to the WikiLeaks scandal, and the ongoing fear that major corporations might be the next victims of embarrassing document leaks. Tech writers Michael Riley and Brad Stone provide a detailed account of the entire episode in Bloomberg Businessweek.

But in a story packed with egos, headline-grabbing hacks, political connections, law firms and finger-pointing, one of the most interesting facts was buried deep in the details: What could have been a relatively harmless hack turned into a PR nightmare because the executives of HB Gary failed to follow one of the most basic information security policies – Don’t share passwords between systems.

The shared-password is becoming like the germ that killed the invading Martians in War of the Worlds. The tiny, invisible bug is able to quickly spread a vulnerability in one system to many others. Here is a group of established security professionals, with stellar credentials and capabilities to hack into complex systems with ease. And yet when it comes down to a simple rule like not sharing userids and passwords between two systems, they are just like the rest of us. Convenience trumps security.

Over a year ago, we published an updated policy in our PolicyShield library that went something like this: “Users must not reuse company login credentials on social networking sites.”

This security policy was basically an extension of a much older policy (prohibited sharing of passwords between systems) into the realm of the internet. The basic premise is that reverse engineering a password was much easier using all of the information available on social networking sites like Facebook. Indeed, within a few months after we published the policy a real incident happened where a compromised Facebook account led to a network intrusion.

The take of HB Gary and Anonymous worked in reverse. By hacking into a web-based application, Anonymous was able to gain access to userids and passwords that were re-used on social networks sites like Twitter – enabling Anonymous to send fake tweets and other offensive messages posing as the team from HB Gary.

So is there a lesson in this? It might be that when it comes to information security policies – we really do have to sweat the small stuff. We always need to be on the lookout for the newest, most complex threats. But we still cannot forget the basic foundations of information security.