Windows Watch

About Author

Richard is Computerworld’s Junior Content Manager and occasional reporter and blogger, responsible for making sure the site is full of the latest and greatest technology news from around the world. Richard joined Computerworld from the world of PR, which he likes to think of as like leaving the Empire to join the Rebel Alliance. Richard is interested in open source, new technology and science, and the world of mobile. He’s also partial to all things geek, happiest when discussing the finer points of science fiction or playing a video game or two. Catch up with him lurking on Computerworld’s Facebook page.


The Sun's password policy sucks

Rupert Murdoch's empire continues to suffer indignities


The break-in at The Sun by hackers using the social networking accounts of LulzSec (who may or may not be our favourite Lulz lizards riding the waves again) caused an awful lot of red faces at Wapping.

It's stretching credulity to claim that it's a coincidence the audacious assault took place on the day that News International chief Rupert Murdoch and son James were due to testify before a committee of MPs about the phone hacking scandal.

The hacking attack seems to have been accomplished using a known vulnerability in a microsite relating to the switchover between the old Times website and the new paywalled version, completed last year. The site itself, new-times.co.uk, was functionally obsolete, and it seems to have been a pretty severe security oversight to have left it running, especially with active links to infrastructure in other parts of the media empire.

The AnonymouSabu account on Twitter, often used in the past as a mouthpiece for LulzSec, also posted claims that hackers had gained access to a database of user names and passwords used by staff at The Sun. "Sun/News of the world OWNED. We're sitting on their emails," the account trumpeted.


As proof, the pseudonymous hacker offered an excerpt from the database, the login details of one Rebekah Wade. This Wade is, of course, the same Rebekah Brooks who recently resigned as Chief Executive of News International, although the use of her maiden name indicates these details may date from the period when she edited The Sun itself.

What this should point out to any security professional (aside from the ludicrous step of using your first name as a password salt) is that your passwords are only as secure as the network they are stored on. If hackers are determined enough to gain access to as big an enterprise as News International, then your carefully mandated length and character set requirements become meaningless.

However, it doesn't appear that NI required a great deal of password security from their staff. As spotted by The Geek Atlas author John Graham-Cumming, Brooks' password is the number of The Sun's tip line, displayed prominently on their site.

The astonishing thing is that this lapse in judgement is the least interesting part of the whole story.
