Blogs

RSS FeedBlogs

Windows Watch

Richard Plant

RSS FeedSubscribe to this blog
About Author
Richard Plant

Richard is Computerworld’s Junior Content Manager and occasional reporter and blogger, responsible for making sure the site is full of the latest and greatest technology news from around the world. Richard joined Computerworld from the world of PR, which he likes to think of as like leaving the Empire to join the Rebel Alliance.

His Computerworld UK blog is Windows Watch

The Sun's password policy sucks

Rupert Murdoch's empire continues to suffer indignities

Article comments

The break-in at The Sun by hackers using the social networking accounts of LulzSec (who may or may not be our favourite Lulz lizards riding the waves again) caused an awful lot of red faces at Wapping.

It's stretching credulity to claim that it's a coincidence the audacious assault took place on the day that News International chief Rupert Murdoch and son James were due to testify before a committee of MPs about the phone hacking scandal.

The hacking attack seems to have been accomplished using a known vulnerability in a microsite relating to the switchover between the old Times website and the new paywalled version, completed last year. The site itself, new-times.co.uk, was functionally obsolete, and it seems to have been a pretty severe security oversight to have left it running, especially with active links to infrastructure in other parts of the media empire.

The AnonymouSabu account on Twitter, often used in the past as a mouthpiece for LulzSec, also posted claims that hackers had gained access to a database of user names and passwords used by staff at The Sun. "Sun/News of the world OWNED. We're sitting on their emails," the account trumpeted.

Capture.PNG

As proof, the pseudonymous hacker offered an excerpt from the database, the login details of one Rebekah Wade. This Wade is, of course, the same Rebekah Brooks who recently resigned as Chief Executive of News International, although the use of her maiden name indicates these details may date from the period when she edited The Sun itself.

What this should point out to any security professional (aside from the ludicrous step of using your first name as a password salt), is that your passwords are only as secure as the network they are stored on. If hackers are determined enough to gain access to as big an enterprise as News International, then your carefully mandated length and character set requirements become meaningless.

However, it doesn't appear that NI required a great deal of password security from their staff. As spotted by The Geek Atlas author John Graham-Cumming, Brooks' password is the number of The Sun's tip line, displayed prominently on their site.

The astonishing thing is that this lapse in judgement is the least interesting part of the whole story.

Share:

Comments

Send to a friend

Email this article to a friend or colleague:


PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.


We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

ComputerworldUK Knowledge Vault

ComputerworldUK
Share
x
Open