Bad Password Allowed Swedish Watergate

fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the usage of terrible weak passwords (Swedish) and a not functional IT policy. The Swedish newspaper Göterborgs-Posten reports the source of the password was a partymember who's account was "sigge" with password "sigge" and was "stolen" in march this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password". "

Many theories about leaked passwords

[pipatron]

There are atleast three ways this password could have been found. a) My brother lives in the town where these passwords were leaked, and he said that their office use unencrypted WLAN. b) The guy who presumably leaked it is in the office right next to the guy called 'Sigge'. c) As the article thinks: The password was very easy to crack. The latest rumour is that the guy who leaked the password (the left party) had a homosexual affair with the guy who *used* the password (the right party).

End user password selection

[trazom28]

This is all too common in many places. One company I worked for, about.. 1/3 to 1/2 of the users used some form of their name, and a number incrementation. I freaked out one who was *-18 asking him.. "so, you've been here a year and a half?" He had no idea how I did the math on that one.

Eventually, we put in place a very, very restrictive password policy. No incrementing numbers, no password similar to last month's password, etc. You wouldn't believe the riots in the streets. But, we held firm, and eventually, the noise died down, and everyone finally is using more secure passwords.

Seriously

[Psionicist]

This is non-news. What happened was a member of the Social Democrats youth section _gave_ a username and password to a former member in the Liberal Party (which are not liberal at all BTW) youth section, around 2005! Of course, as the Social Democrats are about to lose the election (september 17th) they use this "news" to spread some primitive form of political FUD about the opposition.

Re:Seriously

[hdw]

Well, first off all.
The story that he was given the password has gone a bit dry now, since it's more than one password that has been used and the alleged giver denies the fact and has sued him for defamation.

But lets assume that that peice of story is true.

Then handing the information over to other members of his new party isn't very smart.
And using this information to access a rival party's internal network to download internal information several times over 9 months, and passing this information on to senior members of the party can't be seen as anything else than a criminal offence.

Also note that SAP didn't initially go public with this, they filed a complaint to the police.
But late the same evening one of the press agencies caught wind of it and issued an article, then SAP decided to host a press conference since the news was out.

And I've got hard to see how it can be regarded as FUD when at least one has admitted that he has commited a criminal offence and used the information to gain internal info and several others within the party organisation have admitted that they knew about this.

Sure, they (SAP) could have been aware of this for a long time, and waited to call the cops until it was a good time. But Seriously, if that was the case, then why wait until just 14 days before the election?
This is so serious that media will wallow in it for months (covering police inquires, court actions, and all other legal blabla).

And just for the recored, I've never in my life voted for SAP or even considered it, but I've got 20+ years in IT security and is fairly well versed in swedish IT law. // hdw

Not only bad password.

[Lussarn]

From what I understand (having trouble understanding the laymensterms of daily tabloids) it was also a completely open wifi network.

newspaper name

[freddej]

Just to be "picky", Göterborgs-Posten should read Göteborgsposten" after the Swedish town Göteborg.

Re:Honestly unsurprising

[hdw]

Well the it admin/manager _should_ catch heat for it.

We're not talking about some small 3 person company here. We're talking a (by swedish standards) large and established political party organisation.

If I was made responsible for running that net/service I'd ask for a security policy established by management and make sure that we followed up on it's use.

The damage that can be inflicted on an organisation like this by one single idiot with access to that net is massive.

If the admin is the only tech savvy enough to understand those issues then it's his or hers frikken obligation to take that issue up with management and explain what could happen.

But should also note in this issue that gaining unathorized access to a private network is illegal, no matter how this access was achieved.

It should be quite obvious to any of the people involved that accessing data from a rival party's internal network is a criminal offence. // hdw

Great Password Website

https://www.grc.com/passwords.htm

Password changes compensate for other problems

[Beryllium+Sphere(tm)]

If a password gets written down, buried in a pile of paper, and thrown into the dumpster six months later, then regular password changing will prevent a breach. It will also cover up the real problem.

If an employee leaves and goes crazy later, and if you didn't change all his passwords when he left, then a regular change policy will avoid one problem. Of course it's more likely that a problem employee will strike back immediately. Or will have planted back doors before leaving.

Regular password changing adds friction to the marketplace of shared passwords. The password that A told to B to let B do one job will be invalid when B tries it long after the job is over.

It's really hard to assess the benefit of periodic password changes unless you need them for regulatory compliance, in which case the benefit is avoiding fines rather than improving security.

Using passwords is so inherently broken, though, that nothing's ever going to be really satisfactory.

Re:Password changes compensate for other problems

[Architect_sasyr]

If an employee leaves and goes crazy later, and if you didn't change all his passwords when he left, then a regular change policy will avoid one problem. Of course it's more likely that a problem employee will strike back immediately. Or will have planted back doors before leaving.

Ours usually go crazy because of the IT Adminisitrators... they leave of their own accord :D That said, we have a policy in place where once a month (over a weekend) we fire up john the ripper on a couple of Quad Xeon servers. Any password that is cracked at the end of the weekend is reset to something unintelligable and the user is warned.

With the threat of having a password that looks like line noise the users have stopped picking stupid passwords. We still run the cracking process, but we have less of a reason too now. It is rare that we even check its logs at the end of the run now. Soon we'll be able to just get back to Prey or F.E.A.R. or (in my case) NetHack and not have to worry about our passwords. Fear will keep the local users in line. Fear of this perl script. http://insecure.org/stc/sti