Bad Password Allowed Swedish Watergate
fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the use of terribly weak passwords (Swedish) and a non-functional IT policy. The Swedish newspaper Göterborgs-Posten reports that the source of the password was a party member whose account was "sigge" with password "sigge", and which was "stolen" in March this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password". "
Hmmm... (Score:3, Funny)
I would have thought a snotty-nosed 11-year-old would regard that password as not-so-hard-to-crack. Oh well, nothing to see here, move on please...
Re:Hmmm... (Score:5, Funny)
vs.
snotty-nosed 11-year-old
So, why was this not modded redundant??
Aw, c'mon folks, let's laugh at ourselves once in a while
Re: (Score:2, Funny)
Why not? Everyone else does.
Re:Hmmm... (Score:5, Funny)
Re: (Score:2)
Re:Hmmm... (Score:5, Funny)
Re:Hmmm... (Score:4, Funny)
Perhaps, your password is ok (Score:3)
Re: (Score:3, Funny)
You're good. ^_^
Re: (Score:3, Funny)
Re: (Score:3, Funny)
Re:Hmmm... (Score:5, Funny)
Re: (Score:2)
Personally, I'd call it the computing equivalent of picking up the dropped soap in the prison showers. Without a towel.
Incredible! (Score:5, Funny)
Re: (Score:2)
Re:Spaceballs: The Movie (Score:4, Funny)
Effective PW (Score:5, Funny)
uid: schef
pwd: mmborkburdyhurdymurdy
Re: (Score:2)
Many theories about leaked passwords (Score:5, Informative)
Re: (Score:2)
This is a joke, right? If that's true we're in for more drama (and laughs) than should even be legal.
Password (Score:4, Funny)
My next password is going to be Göterborgs-Posten.
Try cracking that.
Re:Password (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Funny)
Vöilà!
Nöt that that's a wörd, ör anything.
Re: (Score:2)
Option-u, o.
Option-u followed by any vowel will add an umlaut. Other accents can be created with:
Honestly unsurprising (Score:5, Insightful)
In the end of course, the system administrator is going to catch heat for not having a strong password policy. Even though he/she would've caught hell if there had been one implemented in the first place.
Re: (Score:2)
Re:Honestly unsurprising (Score:4, Informative)
We're not talking about some small 3-person company here. We're talking about a (by Swedish standards) large and established political party organisation.
If I were made responsible for running that net/service I'd ask for a security policy established by management and make sure that we followed up on its use.
The damage that can be inflicted on an organisation like this by one single idiot with access to that net is massive.
If the admin is the only one tech-savvy enough to understand those issues then it's his or her frikken obligation to take that issue up with management and explain what could happen.
But it should also be noted in this issue that gaining unauthorized access to a private network is illegal, no matter how this access was achieved.
It should be quite obvious to any of the people involved that accessing data from a rival party's internal network is a criminal offence.
Re: (Score:3, Interesting)
The normal reaction from j.random management is "erh? what? sounds good but how should it be written?"
Then it's your problem to provide them with the needed template.
and it has to be understood, as in "if j random luser can gain access to your account he or she can make you look like a fool and cause severe media damage to our organisation".
Or, "a single idiot downloading a funky screensaver can kill our entire internal network for days".
An IT security policy must come fro
Re:Honestly unsurprising (Score:5, Insightful)
This is where the sysadmin has to figure out how to make a convincing argument that the suits will understand. If he thinks a strong password policy is important, that is.
Suits aren't security experts, and they don't need to be. In fact, they're not necessarily experts in everything/anything. That's where the sysadmin needs to learn the same skills that everyone else uses to influence them. Make a case, with pros and cons, costs and benefits, and make a proposal. It doesn't have to be extensive. It just has to have the information needed to make a decision.
Then, let them make the decision. If they say "yes", then you have their backing when enforcing an unpopular policy - and they're already in the know when people complain. If they say "no"... well, you've covered your backside, or if you really believe in it, you need to make a more convincing case.
It's not black magic... but so many IT folks are either unable or unwilling to talk to non-IT decision-makers in a way that gets them to make favorable decisions. It's an important skill.
Re: (Score:2)
Then, during the review, tell the auditor that you are concerned about your organization's poor use of passwords and want to see it on the final report of findings and recommendations. If you have any other security or training wants/needs that you haven't be
End user password selection (Score:5, Informative)
Eventually, we put in place a very, very restrictive password policy. No incrementing numbers, no password similar to last month's password, etc. You wouldn't believe the riots in the streets. But, we held firm, and eventually, the noise died down, and everyone finally is using more secure passwords.
Re: (Score:2)
where [mmddyy] is birthday, if you didn't catch that.
Re:End user password selection (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
Re:End user password selection (Score:5, Interesting)
Incremental-number passwords are an inevitable side-effect of this sort of policy and, even where password policy is more carefully implemented, the fact that average-joe users have to change it monthly anyway is a chore that WILL lead to short-cuts and, ultimately, weak passwords (or rather, associative passwords that are easy to infer after a little observation).
Try just having a very strict policy on passwords, and scrapping the regular-change part of it. People can be imaginative and obscure once, but ask them to do it regularly and they get sloppy.
Password changes compensate for other problems (Score:3, Informative)
If an employee leaves and goes crazy later, and if you didn't change all his passwords when he left, then a regular change policy will avoid one problem. Of course it's more likely that a problem employee will strike back immediately. Or will have planted back doors before leaving.
Regular password changing adds
Re:End user password selection (Score:5, Insightful)
Re:End user password selection (Score:4, Interesting)
one system I log into at work requires "strong passwords"
ie
* has to be very different from your last 10 passwords
* has to have special chars
* has to change your password every 2 months.
the problem is I log in to this system every 6 weeks.
so every (!) time I need to log in I
1. Call the IT desk
2. Ask them to reset my password
3. They email me my password.
4. I log in
When the password is reset there is no identification of me.
They simply assume that access to my work email is valid enough
By increasing the level of security they have effectively reduced the level of security to that of a separate system (company email).
BTW: company email policy is change every 6 months, incremental is allowed.
Question:
How many requests for password resets do you get with your system?
What method of password distribution do you use?
What method of verification do you use when resetting a password?
Authoritarian mentality vs Education (Score:2)
Are their egos so
The obvious solution is to do some simple training for the employees.
I've read many effective approaches on
This can be incorporated into new employee orientation or annual Data Privacy
updates.
Users are often unhappy with their interaction with corporate IT already. Why be so adversarial?
Re: (Score:3, Insightful)
And when simple training doesn't work, you just end up beating people over the head anyway. What sense would it make to teach someone corporate policy and then not enforce it?
"Please try to keep your password complex. Yes, I know the system allows you to set it to your puppy's name every other month, but don't, mmkay?"
Re: (Score:2)
Re: (Score:2)
In defense of weak passwd (Score:2)
The security of any authentication system is the product of many factors. A "tight" [unbypassable] system facing brute-force has two main factors: the strength of the pw and the cost of bad guesses. ATM PINs can be very weak because the cost of bad guesses is high -- eaten card.
More along these lines should be done for computer systems so security doesn't rest on strong secrets. Incre
Re: (Score:2)
Other passwords of note. (Score:5, Funny)
President Nixon: iam!acrook
President Clinton I: hopemyhusbanddoesntfindoutaboutthepassword
President Bush I: anybodybutmysons
President Clinton II: wishmyhusbandtoldmemonicawasbi8yearsago
President Bush II: 12345
President Quayle I: potatoe
Don't blame me for that last one. My password was "colbertstewart2012".
Password? (Score:5, Interesting)
Seriously (Score:5, Informative)
Re: (Score:3, Informative)
The story that he was given the password has gone a bit dry now, since it's more than one password that has been used and the alleged giver denies the fact and has sued him for defamation.
But let's assume that that piece of the story is true.
Then handing the information over to other members of his new party isn't very smart.
And using this information to access a rival party's internal network to download internal information several times over 9 months, and passing this information on to sen
Re: (Score:2)
Its perfectly timed!
Re: (Score:2)
And timing or no timing doesn't change the fact that the crime has been committed over several months, nor does it change that several senior people within the party knew about it for several months but failed to act.
Nor does it change the fact that the party leader knew about it from Sunday evening, yet spent two days of public interviews stating that he didn't.
Re: (Score:2)
And the solution is easy (Score:2)
Stig-Olof "Sigge" Fribergs (Score:2, Interesting)
Själv tycker han inte att han handskats ovarsamt med sina inloggningsuppgifter.
Translation:
He doesn't think he's been careless with his login details.
Hasn't anyone explained to him yet how stupid and careless this was?
Re:Stig-Olof "Sigge" Fribergs (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Keyboard Patterning - at least it makes them think (Score:5, Interesting)
Of course we have complexity requirements, but it's amazing how a user can find a way to simplify a complexity requirement. Think a user unknowledgeable, but never think a user unclever - I always say...well, actually that's the first time I've said that...back to my point.
While these patterned passwords may not be as hard to crack as truly random passwords, they are at least non-semantic.
For example, 1al02sk93dj8 - I imagine this password is probably pretty common, but if it were scrawled on a sticky note on someone's monitor it would discourage casual account browsing by a coworker.
Does anyone know if brute-force methods take into account keyboard patterning?
by the way 1al02sk93dj8 is not my accounts password - so don't even think about trying it!
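Two checks that come up in this thread, a keyboard-pattern detector for passwords like 1al02sk93dj8 (this post) and a "don't just bump the number" check against last month's password (the End user password selection thread above), written as an added example; this is not code posted by anyone in the thread. The 12-character minimum, the 3-key run length and the 0.8 similarity threshold are assumptions. The pattern check generalises plain walks such as "qwerty": it also looks at every stride up to 4, which is how it catches interleaved rows like 1-a-l-0 / 2-s-k-9 / 3-d-j-8.

```python
"""
Password-policy checks: keyboard-row patterns and near-repeats of the previous
password. Added example; thresholds are assumptions, not any site's policy.
"""
import re
from difflib import SequenceMatcher
from typing import List, Optional

KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_RUN = 3          # three adjacent keys in one row count as a walk (assumption)
MIN_LENGTH = 12      # assumption
SIMILARITY = 0.8     # assumption


def _is_row_run(chars: str) -> bool:
    """True if chars are adjacent keys along one keyboard row, in either direction."""
    if len(chars) < MIN_RUN:
        return False
    return any(chars in row or chars[::-1] in row for row in KEYBOARD_ROWS)


def keyboard_pattern_score(password: str, max_stride: int = 4) -> float:
    """Fraction of characters that belong to some keyboard-row run.

    Every stride 1..max_stride is examined, so '1al02sk93dj8' (digits, home row
    and digits again, interleaved four ways) scores 1.0 just like 'qwerty'.
    """
    pw = password.lower()
    n = len(pw)
    covered = set()
    for stride in range(1, max_stride + 1):
        for start in range(stride):
            idx = list(range(start, n, stride))
            for i in range(len(idx) - MIN_RUN + 1):
                window = idx[i:i + MIN_RUN]
                if _is_row_run("".join(pw[j] for j in window)):
                    covered.update(window)
    return len(covered) / n if n else 0.0


def resembles_previous(new: str, old: str, threshold: float = SIMILARITY) -> bool:
    """Catch the 'Summer07 -> Summer08' dodge and anything mostly identical."""
    def strip_digits(s: str) -> str:
        return re.sub(r"\d+$", "", s.lower())
    if strip_digits(new) and strip_digits(new) == strip_digits(old):
        return True
    return SequenceMatcher(None, new.lower(), old.lower()).ratio() >= threshold


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if keyboard_pattern_score(new) >= 0.5:
        problems.append("mostly a keyboard pattern")
    if old is not None and resembles_previous(new, old):
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    for candidate, previous in [("sigge", None), ("1al02sk93dj8", None),
                                ("Summer2008!!", "Summer2007!!")]:
        print(candidate, "->", check_password(candidate, previous) or "ok")
```

The score is deliberately a fraction rather than a yes/no, so a site can decide how much patterning it tolerates; a sticky-note password that is all pattern still fails, while a long passphrase with one incidental "asd" in it does not.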
Re:Keyboard Patterning - at least it makes them th (Score:3, Interesting)
This would (I imagine) wind up being significantly more secure to outside attacks (those who can't see the postit) while still being moderately secure to inside attacks (joe shmo trying to login on his console)....
thoughts?
Re:Keyboard Patterning - at least it makes them th (Score:5, Interesting)
One day I hope to catch someone other than a janitor trying to surf porn. =P
Re: (Score:2)
Re: (Score:2)
Re:Keyboard Patterning - at least it makes them th (Score:2)
I remember readily available dictionaries containing only what you'd expect to see in an off-the-shelf dictionary 15-20 years ago; then slowly they added Star Trek references, then all sci-fi/film/book references.
The dictionaries are being updated with actual passwords, so the chance of coming across your example and variations of it is not as low as you think.
Failing that, brute-forcing 8 characters is getting easier as CPU time becomes cheaper.
Re: (Score:3, Insightful)
If the account requires an administrator to unlock it after three failed attempts, nothing is gained from requiring a strong password. Any password that
Re: (Score:2)
I think you hit the nail on this one. I wish I had mod points right now. There is way too much effort going on trying to get people to use obscure passwords. The simple fact is that limiting the number of possible login tries would basically render any brute-force attacks unusable, which is why we have to have complex passwords in the first place. If you see more than ten attempts, you can be pretty sure it is a brute-force attack. It could be the user him/herself trying to remember the password or it co
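The point made in this reply and in the "In defense of weak passwd" post above (security as password strength times the cost of a bad guess) can be shown concretely. The following is an added example, not code from any poster: a per-account throttle that uses a growing delay instead of the admin-cleared hard lock the parent worries about, a small simulation of how many guesses that leaves an attacker per day, and a detector that flags the "more than ten attempts" burst in a constructed auth log. The thresholds (5 free attempts, one-hour cap, 10 failures per 10 minutes) and the log-line format are assumptions.

```python
"""
Limiting the cost of wrong guesses: a per-account login throttle, a guess-budget
simulation and a failed-login burst detector. Added example; the thresholds and
the log format are assumptions, not any real system's.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable

FREE_ATTEMPTS = 5     # consecutive failures tolerated before delays start
MAX_DELAY = 3600      # cap on the per-attempt delay, in seconds
BURST_WINDOW = 600    # seconds
BURST_LIMIT = 10      # more failures than this inside BURST_WINDOW is flagged


class LoginThrottle:
    """Exponential backoff per account, driven by consecutive failures.

    After FREE_ATTEMPTS failures each further attempt must wait 2, 4, 8, ...
    seconds (capped at MAX_DELAY). A delay instead of a hard lock means an
    attacker cannot keep the real user out indefinitely just by guessing wrong,
    and nobody has to phone the help desk to get the account unlocked.
    """

    def __init__(self) -> None:
        self.failures: Dict[str, int] = defaultdict(int)      # consecutive failures
        self.next_allowed: Dict[str, int] = defaultdict(int)  # epoch seconds

    def may_attempt(self, account: str, now: int) -> bool:
        return now >= self.next_allowed[account]

    def record(self, account: str, success: bool, now: int) -> None:
        if success:
            self.failures.pop(account, None)
            self.next_allowed.pop(account, None)
            return
        self.failures[account] += 1
        excess = self.failures[account] - FREE_ATTEMPTS
        delay = 0 if excess <= 0 else min(2 ** excess, MAX_DELAY)
        self.next_allowed[account] = now + delay

    def earliest_next_attempt(self, account: str) -> int:
        return self.next_allowed[account]


def simulate_guess_budget(seconds: int = 86400) -> int:
    """How many wrong guesses at one account the throttle lets through in
    `seconds`, with every guess made as early as the throttle permits."""
    throttle = LoginThrottle()
    now, guesses = 0, 0
    while now < seconds:
        throttle.record("victim", success=False, now=now)
        guesses += 1
        now = throttle.earliest_next_attempt("victim")
    return guesses


# Assumed log-line shape: "<epoch> auth OK|FAIL user=<name> src=<ip>"
LOG_LINE = re.compile(r"^(?P<t>\d+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def failed_login_bursts(lines: Iterable[str], window: int = BURST_WINDOW,
                        limit: int = BURST_LIMIT) -> Dict[str, int]:
    """Return {user: peak_failures} for users with more than `limit` failures
    inside any `window`-second span (sliding window over sorted timestamps)."""
    fails = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and m["result"] == "FAIL":
            fails[m["user"]].append(int(m["t"]))
    flagged: Dict[str, int] = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > limit:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


# Constructed sample log: 12 failures against "sigge" inside one minute, and one
# mistyped password for "anna" followed by a successful login.
SAMPLE_LOG = [f"{1000 + i * 5} auth FAIL user=sigge src=10.0.0.7" for i in range(12)] + [
    "1100 auth FAIL user=anna src=10.0.0.8",
    "1107 auth OK user=anna src=10.0.0.8",
]

if __name__ == "__main__":
    print("guesses per day against one account:", simulate_guess_budget())
    print("accounts under brute force:", failed_login_bursts(SAMPLE_LOG))
```

With these numbers the throttle allows 39 guesses per account per day, so even "sigge" is no longer found by online guessing in any useful time; the detector, run over the sample log, reports only the account that received the burst. Password strength still matters wherever the throttle does not apply, for instance against a stolen hash file, which is the case the parent's "unbypassable system" qualifier leaves out.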
password tips (Score:5, Funny)
Re:password tips (Score:5, Funny)
I also have small reproductive organs!11!
Re: (Score:2)
Could've been worse... (Score:2)
Re: (Score:2, Funny)
Wouldn't that have been more appropriate for Windows Me systems...
Swedish passwords (Score:5, Funny)
"sigge", a duosyllabic password, is an indication that the user was a member of the upper strata of Swedish society, with Abba and Ace of Base.
(NB: I can handle pissed off Swedes, but not moderators lacking the humor gene)
Re: (Score:2)
Most likely since it sounds snappier.
Compare "Microsoft sucks" and "MS (emmess) sucks".
Not only bad password. (Score:4, Informative)
Re: (Score:2)
There are (at least) two different issues at hand.
One is that a local party office in Umppa Lumppa somewhere had, at least for a while, an open Wlan network.
I'm not surprised; once, after scanning our office for illegal Wlan gates, I shoved my laptop with dstumbler running into my backpack and biked home through Stockholm.
When I got home I had a list of 40+ wide open nets, several for large companies and public organisations (identified by tags).
The other is that a number of unathorized indivuals gaine
newspaper name (Score:2, Informative)
Solid Pasword examples (Score:2, Interesting)
Re: (Score:2)
A little joke (Score:5, Funny)
choosing good passwords (Score:4, Funny)
All Your Swedes (Score:5, Funny)
Captain: You know what you doing.
Captain: Move 'sigge'.
Captain: For great justice.
Seasoned Slashdot readers probably use zig:zig on BugMeNot and other "social" logins. I guess it just translates different in Sweden, kinda cute even... mental images [savethechildren.org.uk] of the Swedish Chef singing AYB.
Re: (Score:2)
Ohhhh... I hope the ruling party is the culprit! (Score:2)
Re:Ohhhh... I hope the ruling party is the culprit (Score:3, Interesting)
An unlocked or even missing door doesn't save you from that.
A web page with "Click here for access to internal information (don't click if you're not authorized)." is enough to bring criminal charges for unauthorized access.
There are other things that are more questionable.
If I'm handed a link that bypasses security (and the message) then it can be hard to state that I've committed anything illegal, ie someone has to prove that I knew that I wasn't authorized.
But b
Re: (Score:2)
You don't secure your WiFi network and someone uses it. No hacking, because it is quite possible that you deliberately keep it open. You allow anonymous FTP access to your server. Not illegal to use it, same reason.
Might be different in less free countries, but here, that's the law. Unless it does require you to bypass some kind of security mechanism (though the law does not specify just what actually IS a security mechanism. Is user: "anonymous" pass:(yourmailaddress) already a security mech
Re: (Score:2)
Connecting to a beaconing, unprotected Wlan and using it to surf the net makes it very hard to prove that it was unauthorized access.
I have that problem with one of my son's computers; it prefers to connect to the unprotected gateway in the apartment below instead of the one it should, which is painful when they want to play LAN games.
But using such a connection to scan the internal network for login and passwords is illegal.
It's hard to say that you just happened to park your car outside an opposing party
Bad passwords and bad users are everywhere (Score:2)
However, after talking a bit with them, you find out that:
1. they gave away their password for some unknown reason (and the "hacker" simply logged in and changed their password)
2. they installed maphack or some other shit (which can also include some other things, i.e. a keylogger)
3. they used a weak password (such as, oh, I dunno.... "password" <g>)
This, my friend, can give a bad name to ANY operating syst
Bait (Score:4, Interesting)
Ugly indeed, and not very democratic.
It's like, if you hassled a country for not being democratic and then imposed sanctions on them for choosing the wrong people in the votings.... oh, wait..
*sigh*, of course. (Score:3, Insightful)
I've been put under some pretty inane password policies in my (limited) years on this planet. Names in reverse, 1337-variations on password, numerical addendums to dictionary words, just plain dictionary words ("nochance" was popular at one place I frequented).. Oh, and I heard from a friend who worked at Radioshack that most of the important passwords were something very, very, VERY easy. I'll leave you to figure it out.
You know what I have been recommending recently as a password policy? Fake inventory ID tags. Put a fake inventory ID tag on each device (keyboard, mouse, monitor, tower), with a portion of the ID on one of the items at each station being the actual password. Set a login attempt limiter, which will discourage trial and error. Not only do you need physical access, you need to know the general policy to discover the password from the "inventory tags". Heck, it could just be 8 letters out of a 24-character alphanumeric. Too bad it got shot down for something "simpler" the last place I suggested it to.. ugh.
Quick and ugly partial translation (Score:2)
Everything began in Skövde [Swedish city]
In the eye of the storm is social democrat Stig-Olof Friberg. His password was the key to the FP-scandal: [FP = Folkpartiet, the "cracker party"]
"I'm enraged. Tough election tactics are ok, but they must be fair".
"In what school can you learn computer hacking that you're so good at?" - the question's asked by a longhaired boy in the class at Rudebeck school in Tidaholm, where the youth movements hold
Rest of the translation (Score:2)
The evening sun throws long shadows over the pink facade of the FP in the center of Skövde. It's half past five, and the atmosphere in the office is relaxed [lättsam?], despite the circumstances. A quickly called meeting with the [local?] workgroup is just about to begin as Göteborg-Posten [article is in this paper] tells the news that Niki Westerberg has been charged[?] with a crime.
Christer
Technical term (Score:2)
Is that the technical term?
Ob. Eddie Izzard (Score:2)
From Glorious [eddieizzard.com]...
"Oh. Password protected. Billion possible chances."
"Er..."
"Jeff."
"Hey!"
"How did you know it would be Jeff?"
"I knew there'd be a back door."
In films, the guy who made the software has always left a back door,
so he could get back in when he wanted and look at all the missiles and go, "Ooh".
And put one on his head.
"And the guy who made the software was called Jeff Jeffety Jeff, born on the first of Jeff, Nineteen-Jeffety-Jeff."
"So I put in Jeff and hey."
What may not be obvious to foreign readers (Score:2)
It is a SOOOO not-so-hard-to-crack-password that . (Score:3, Funny)
But then again, that would make it a password that is not so not-so-hard-to-crack-password
Re: (Score:3, Interesting)
Re: (Score:3, Funny)