Bad Password Allowed Swedish Watergate 248
fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the usage of terrible weak passwords (Swedish) and a not functional IT policy. The Swedish newspaper Göterborgs-Posten reports the source of the password was a partymember who's account was "sigge" with password "sigge" and was "stolen" in march this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password". "
Many theories about leaked passwords (Score:5, Informative)
End user password selection (Score:5, Informative)
Eventually, we put in place a very, very restrictive password policy. No incrementing numbers, no password similar to last month's password, etc. You wouldn't believe the riots in the streets. But, we held firm, and eventually, the noise died down, and everyone finally is using more secure passwords.
Seriously (Score:5, Informative)
Not only bad password. (Score:4, Informative)
newspaper name (Score:2, Informative)
Re:Honestly unsurprising (Score:4, Informative)
We're not talking about some small 3 person company here. We're talking a (by swedish standards) large and established political party organisation.
If I was made responsible for running that net/service I'd ask for a security policy established by management and make sure that we followed up on it's use.
The damage that can be inflicted on an organisation like this by one single idiot with access to that net is massive.
If the admin is the only tech savvy enough to understand those issues then it's his or hers frikken obligation to take that issue up with management and explain what could happen.
But should also note in this issue that gaining unathorized access to a private network is illegal, no matter how this access was achieved.
It should be quite obvious to any of the people involved that accessing data from a rival party's internal network is a criminal offence.
Great Password Website (Score:1, Informative)
Re:Seriously (Score:3, Informative)
The story that he was given the password has gone a bit dry now, since it's more than one password that has been used and the alleged giver denies the fact and has sued him for defamation.
But lets assume that that peice of story is true.
Then handing the information over to other members of his new party isn't very smart.
And using this information to access a rival party's internal network to download internal information several times over 9 months, and passing this information on to senior members of the party can't be seen as anything else than a criminal offence.
Also note that SAP didn't initially go public with this, they filed a complaint to the police.
But late the same evening one of the press agencies caught wind of it and issued an article, then SAP decided to host a press conference since the news was out.
And I've got hard to see how it can be regarded as FUD when at least one has admitted that he has commited a criminal offence and used the information to gain internal info and several others within the party organisation have admitted that they knew about this.
Sure, they (SAP) could have been aware of this for a long time, and waited to call the cops until it was a good time. But Seriously, if that was the case, then why wait until just 14 days before the election?
This is so serious that media will wallow in it for months (covering police inquires, court actions, and all other legal blabla).
And just for the recored, I've never in my life voted for SAP or even considered it, but I've got 20+ years in IT security and is fairly well versed in swedish IT law.
Password changes compensate for other problems (Score:3, Informative)
If an employee leaves and goes crazy later, and if you didn't change all his passwords when he left, then a regular change policy will avoid one problem. Of course it's more likely that a problem employee will strike back immediately. Or will have planted back doors before leaving.
Regular password changing adds friction to the marketplace of shared passwords. The password that A told to B to let B do one job will be invalid when B tries it long after the job is over.
It's really hard to assess the benefit of periodic password changes unless you need them for regulatory compliance, in which case the benefit is avoiding fines rather than improving security.
Using passwords is so inherently broken, though, that nothing's ever going to be really satisfactory.
Re:Password changes compensate for other problems (Score:2, Informative)
Ours usually go crazy because of the IT Adminisitrators... they leave of their own accord
With the threat of having a password that looks like line noise the users have stopped picking stupid passwords. We still run the cracking process, but we have less of a reason too now. It is rare that we even check its logs at the end of the run now. Soon we'll be able to just get back to Prey or F.E.A.R. or (in my case) NetHack and not have to worry about our passwords. Fear will keep the local users in line. Fear of this perl script. http://insecure.org/stc/sti [insecure.org]