The Sun's password policy sucks


The break-in at The Sun by hackers using the social networking accounts of LulzSec (who may or may not be our favourite Lulz lizards riding the waves again) caused an awful lot of red faces at Wapping.

It's stretching credulity to claim that it's a coincidence the audacious assault took place on the day that News International chief Rupert Murdoch and son James were due to testify before a committee of MPs about the phone hacking scandal.

The hacking attack seems to have been accomplished using a known vulnerability in a microsite relating to the switchover between the old Times website and the new paywalled version, completed last year. The site itself, new-times.co.uk, was functionally obsolete, and it seems to have been a pretty severe security oversight to have left it running, especially with active links to infrastructure in other parts of the media empire.

The AnonymouSabu account on Twitter, often used in the past as a mouthpiece for LulzSec, also posted claims that hackers had gained access to a database of user names and passwords used by staff at The Sun. "Sun/News of the world OWNED. We're sitting on their emails," the account trumpeted.


As proof, the pseudonymous hacker offered an excerpt from the database, the login details of one Rebekah Wade. This Wade is, of course, the same Rebekah Brooks who recently resigned as Chief Executive of News International, although the use of her maiden name indicates these details may date from the period when she edited The Sun itself.

What this should point out to any security professional (aside from the ludicrous step of using your first name as a password salt) is that your passwords are only as secure as the network they are stored on. If hackers are determined enough to gain access to as big an enterprise as News International, then your carefully mandated length and character set requirements become meaningless.

However, it doesn't appear that NI required a great deal of password security from their staff. As spotted by The Geek Atlas author John Graham-Cumming, Brooks' password is the number of The Sun's tip line, displayed prominently on their site.
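The two lapses above, a salt derived from the user's first name and a password that is a number the company prints on its own website, are both things a storage scheme and a policy check can rule out. The following is an added illustration written for this post, not code from News International or from any of the people mentioned; the phone numbers and postcode in the denylist are constructed placeholders, and the user names are made up. It contrasts a name-derived salt (every user with the same first name and the same password gets the same hash, so one cracked entry or one precomputed table per common first name covers them all) with a per-user random salt and a slow hash, and it adds a policy check that rejects passwords containing strings the organisation advertises publicly or the user's own name.

```python
import hashlib
import hmac
import os

# Constructed denylist of strings an organisation publishes on its own site
# (switchboard, tip line, postcode). Placeholder values, not real numbers.
PUBLIC_ORG_STRINGS = {"02070000000", "0800000000", "E98 1XY"}


def weak_hash(first_name: str, password: str) -> str:
    """The practice the article criticises: a deterministic salt taken from
    the user's first name. Two users called Rebekah with the same password
    get identical hashes, and an attacker can precompute a table per name."""
    salt = first_name.lower().encode()
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Per-user random 16-byte salt plus PBKDF2-HMAC-SHA256.
    Stored form: iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def _normalise(s: str) -> str:
    # Lower-case and drop spaces/punctuation so "E98 1XY" and "e981xy" match.
    return "".join(ch for ch in s.lower() if ch.isalnum())


def password_policy_violations(password: str, first_name: str) -> list:
    """Return the reasons a candidate password is rejected (empty list = OK).
    Length is checked alongside the two content rules the article motivates:
    nothing the organisation advertises publicly, and not the user's own name."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    norm = _normalise(password)
    if any(_normalise(p) in norm for p in PUBLIC_ORG_STRINGS):
        problems.append("contains a publicly advertised organisation string")
    if _normalise(first_name) and _normalise(first_name) in norm:
        problems.append("contains the user's own name")
    return problems


if __name__ == "__main__":
    # Two different users, same first name, same password: weak scheme collides.
    print(weak_hash("Rebekah", "hunter2") == weak_hash("rebekah", "hunter2"))
    # Random salts: the same password never stores the same way twice.
    a, b = hash_password("correct horse"), hash_password("correct horse")
    print(a != b, verify_password("correct horse", a), verify_password("wrong", a))
    print(password_policy_violations("02070000000", "Rebekah"))
    print(password_policy_violations("correct-horse-battery-staple", "Rebekah"))
```

The policy check is deliberately run on a normalised form of the candidate so that spacing or case cannot be used to slip an advertised number past it; the denylist would be populated from whatever the organisation actually prints on its public pages.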

The astonishing thing is that this lapse in judgement is the least interesting part of the whole story.
