Hacked Syrian Officials Used '12345' As Email Password
Nominei writes "The Israeli newspaper Haaretz reports that the Syrian President, aides and staffers had their email hacked by Anonymous, who leaked hundreds of emails online. Reportedly, many of the accounts used the password '12345' (which their IT department probably warned them to change when the accounts got set up, of course)."
I've got the same combination on my luggage!
1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage!
No zero, sorry
Muchas Gracias, Señor Edward Snowden !
I thought that everyone knew to use at least 123456 as their password. After all that increases its security by an order of magnitude!
"To prevent this day from getting any worse, I'll just read ERROR as GOOD THING" 1GJU8xLuDKDxEs4KLf8fAGyptoDsqvEsBT
then the IT guy got taken into the alley and shot in the head for his impudence.
Seriously? People that use such easy to guess (and therefore pointless) shouldn't even have access to anything that needs protection...
Every time I go to pastebin.com and look at the hacked sites the passwords are always weak, extremely weak, virtually no one uses strong passwords.
"If any question why we died, Tell them because our fathers lied."
There are more important things to think about than this irritant.
Really, why weren't these accounts configured to expire on the first login, like most default passwords? If they were, why didn't they have some sort of policy in place in the system to stop people from using incrementing/decrementing numbers?
...Anonymous posted this themselves.
Israelis use FUD frequently--no anti-semitism here. Anonymous is THE perfect scapegoat for false-flags, and (observation here) after this point, is poking a sleeping beast that has an anti-semitic bent already.
Lemme go check the *chan(s)....
Is this really 'hacking' when you guess the password?
Reminds me of the script-kiddie who 'hacked' into Sarah Palin's email account once he successfully guessed her password was 'popcorn'...
Wonder how he's doing in prison?
Ken
Jesus, as if killing your own people isn't bad enough, you also use one of the worst passwords of all time for (multiple) government passwords. Maybe he wasn't so far off in his Barbara Walters interview; "No government in the world kills its people, unless it’s led by a crazy person" - Assad
When people use such stupid passwords, is it really even considered hacking anymore?
Conversely, does calling this hacking diminish the skills of those who actually know their security inside and out?
I count three prior to your post.
You either need to type faster or reload the page before deciding to comment.
which their IT department probably warned them to change when the accounts got set up, of course
Somebody should have warned IT to have a stronger password policy in place to begin with. 12345, really?? It's fun to bag on users for using something stupid like that, but IT is responsible for the integrity of the system, and allowing passwords like that is nothing less than complete incompetence on their part.
Guessing blind, they probably used numbers for those passwords because the official language is Arabic and a sequence of Roman characters would be hard to memorize.
Reportedly, many of the accounts used the password '12345'
Who gives a flying fuck? There are stupid people everywhere.
The Syrians stole my password for everything! Now I'll have to come up with a new one.
It was just the dept staff. Looked like it was hacked through the webmail portal of mopa.gov.sy. The only thing of note was the exchange re the Barbara Walters visit. The Ministry of Presidential Affairs is basically his marketing department. Whilst one would hope they busted into this despot's email, the truth is they did no such thing.
No, 12345 is actually a very complex password for Bashar al-Assad.
Slashdot, fix the reply notifications... You won't get away with it...
I'm curious to know how many hackers just go around typing 12345 and 1qaz into every account out there just to see what they can get.
Oh shit. There goes the planet.
"I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
Just in case no one bothered to go find it. http://pastebin.com/uaYDfCz0
* And by "change" I mean "shoot."
I agree and since the people they are supposed to be governing clearly need protection....
I had thoroughly convinced myself that the days of people using passwords this stupid were behind us, left to rot in the dark ages of the internet. $faithInHumanity--
Really. I'm the first person to post this?
You mean besides the first post 45 minutes before your post? No.
Allah will protect my account. Oh wait...
...apparently the launch keys for each and every silo-based ICBM were/are all "0000000000" (ten zeroes). Scary.
Operation Guillotine is in effect.
Apparently nobody bothered to read the IT guy's meticulously prepared memo.
Dudes, He's a DICTATOR. If he doesn't want to change his password, what do you think will happen if you tell him "Mr. Assad, you can't log on until you change your password." a) He says "Oh, yes, thank you for helping me to remember how to protect the information of the Syria Arab Republic. You're a hero of the Republic. Here's your million dollars." b) He says "Screw you, who's the President here, you or me?" And then you find yourself as a street cleaner in Homs wearing safety orange.
As the hacker saw much to his horror that the Syrian President's e-mail password was indeed 12345 he tried to break the connection but it was too late. Word had spread and all knew that his most important hack was one that a five year old could have bested. A week later the hacker was found with a gun in his mouth and the numbers "12345" scrawled across his walls. His last e-mail was a simple "Who uses 12345 as a password!" Other hackers said that it was a tragedy that he would be remembered for one lame hack. Word came later that day that the Syrian President had beefed up security by using his son's name as his current password. Hackers world wide turned away in disgust and refused to stoop to hacking some one that lacked even basic internet skills.
Some turned their attention to hacking President Obama's e-mail until it was found he used the password "Romneysucksballs". No hacker would dignify such a password with a hack. Later that day it was revealed that Bill Gates used "stevejobsisaweiner" as his password but most knew this was the case since the late 90s.
I find users change their passwords when I give them difficult passwords :).
This sort of thing is what makes dictators fall (until they die first). They all really are extreme narcissists who don't tolerate dissent at all, therefore ignore good advice, and eventually destroy themselves by their own mistakes. (Unfortunately for the rest of us, this usually does not happen until their country is destroyed as well).
are now the primary suspect of breaking into Syria's government networks. You obviously have access to privileged information. Prepare to be arrested...
When you hire your father's brother's nephew's cousin's former roommate to be your system administrator.
http://xkcd.com/936/
I know it's preaching to the converted with the above two posters, but it's worth looking at.
The passwords I give users from permutations of a word list make them laugh but they can remember them.
The "default password" should be 30 characters of mumbo-jumbo, so that it's secure by default, but changing it actually makes life easier.
The password doesn't matter if your account is at a place where everything is already readable by the Man.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Uhhhm. The Five Eyes (AU NZ UK US CA) have been routinely intercepting (nearly) all online communications for decades. Do you not know this?
http://en.wikipedia.org/wiki/Echelon_(signals_intelligence)
They also maintain banks of supercomputers to routinely crack whatever crypto they don't already have a backdoor into. They don't need to know any passwords. Get this into your head: all messages sent online are monitored and permanently recorded. Also all (non-local) phone calls are monitored and transcribed. If you want to have a private communication with someone, then use your own extra layer of encryption on it.
You mean he could count.
On most web sites, including some email accounts I use as throwaways, my password is something like julie. Very weak, because I don't care. But on some stuff like online banking my password is more like Sushi-tAbLe#722915;DeadPan (not the real password, but same similar structure). I have to wonder, from those studies you are speaking of, if they took into account how much importance the user gave to the service/data protected behind the password.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
I wouldn't rely on my hacker knowledge if I was in reach of his police. By the way, it's the same way the US protects its currency - just compare the security features of the euro with those of the US dollar (which got slightly better in the last decade). Counterfeiting is prevented in the US mostly by the FBI. No wonder, Hollywood invests more in lawyers and politicians than in better cryptologists to protect their digital goods...
No.
It's cracking. They cracked passwords. Like safe crackers crack safes.
Nice tip but if you are an idiot and use a dumb password like 12345 you should not only be hacked but kidnapped and tortured!! Internet 101 never use your name, birth date, address, child's name bla bla... Always use random numbers and small cap + Large cap letters for "secure" (nothing is secure on the internet tho) passwords. This news article is funny how big of ass can you be?? I want to be the exec of a business now if this is all it takes!!!!!!!!!!!!!!!!
Woosh
So today we learn the value of password policy. More precisely, the value of ENFORCING a password policy.
The simple things we knew about 20 years ago. Screen saver lock + password. Minimum 8 characters alphanumeric, minimum complexity involving upper and lowercase characters, at least one number and a special character. This cannot be a dictionary word, a "1337" word and cannot be too similar to your previous. This password must change every 3 months. This password cannot be shared or written down, failure to comply will get you in trouble/sacked.
If a password policy like the above was enforced such things would still happen, but the occurrence of such would go down by an order of magnitude at least.
Considering that with today's technology brute-forcing passwords with some graphics card compute power has taken things to a new level, let's up the game to 12 characters with above mentioned rules. Heck, use a pass phrase with a public key if you can, 2048 bit minimum.
You know all those boring "best practices" that people have spent years writing down, because of hard lessons learned and so on? pay attention to those.
Or this approach for secure passwords. You must make it hard to guess by other people or brute force approaches, not hard to remember.
That's true... and, of course, policies should prevent it being changed to 12345.
"Always use random numbers and small cap + Large cap letters for "secure" "
NOOB!
If you use a pass-WORD you are a fool, a pass phrase with punctuation, numbers and letters of both case.
One_Two-Three&Four 5!
is far more secure than asfdgesrgDFS and can easily be remembered.
You need to stop watching the Movie "Hackers" as your knowledge about the "internet" is incredibly out of date to the point that it's highly quaint.
There, you have been schooled by someone that knows a lot more than you do. Feel better now? Want to go and hack the Gibson?
Can you call the access to an account whose password is "12345" hacking? To make an analogy, can you call yourself a lock-picker if you open an unlocked door?
So say we all
My current IT department use month of arrival as the default password for a new account. So someone starting today would get a password of "Feb12". So every time they type it in, you get reminded of how long they haven't changed it. Certainly better than 12345.
Consciousness is an illusion caused by an excess of self consciousness.
Even Slashdot has given up on trying to save the word "hacking"...
The problem with that is that most password-parsing stuff stops reading when it hits whitespace.
correct-horse-battery-staple
we have bigger problems.
I can't count the number of times I've heard this lately by alleged "architects" who refuse to spend any attention on internal security, who leave complete access to backup environments for everyone, who use the same administrator passwords in the monitoring systems in plain text, who allow admins to use permanent passwords, and who generally leave themselves vulnerable to the *SAME DAMN PRACTICES* that caused the Morris Worm to take down so much of the Internet 20 years ago.
They don't learn. They don't want to learn. And they pretend that marking off the checkboxes on their security checklists actually does security work when they know everyone just changes their passwords 13 times in a row to bring it around to their original password and gets on with their job.
Maybe 12345 is really complicated in Arabic. Like MMMMMMMMMMMMCCCXLV.
"The cost of freedom is eternal vigilance." -Thomas Jefferson
I actually try that xkcd password now on any word list I use. First...;-)
That approach is Diceware, BTW,
http://world.std.com/~reinhold/diceware.html
http://happycattech.com/book/security-applications-0 (MS Excel and OpenOffice Calc implementations)
The most important part of that comic is that you use a passphrase, not a password. Passwords are insecure, and trying to make them secure requires using lots of special characters, which as pointed out are hard to remember. Unfortunately, most of the web doesn't allow passphrases, they have pretty short limits on character length. 25 Characters? Good luck finding websites that allow that.
*sigh*, we could make everything more secure, AND easier to remember, but we're too busy trying to force grandma to use 1337 in her password. Smart.
GCS/MU/P d- s:- a-- C++++$ UL++ P+ L++ E+ W++ N o K- w--- O M+ V- PS+++ PE Y+ PGP t+ 5- X R++ tv+ b++ DI++ D++ G+ e++ h-
I can't find any reference in the article, but from the formulation in the summary it sounds like the IT department set up new accounts to have the 12345-password as default (without expiration), and then asked the users to change the password.
If that's the case it sounds like a terrible idea to me. Better to generate default-passwords as complex random strings. Then it'll be in the users' interest to change their passwords because they're hard to remember and type. And if they don't, even better!
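Added example, not part of the thread or any poster's code: a sketch of the provisioning idea in the comment above (random initial password, forced change) combined with the earlier question about blocking incrementing/decrementing numbers. The function names, the 30-character length, the 12-character minimum and the small deny-list are assumptions made for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
COMMON = {"12345", "123456", "password", "1qaz", "popcorn"}  # constructed sample deny-list


def new_account(username, length=30):
    """Provision an account with a random initial password that must be changed."""
    initial = "".join(secrets.choice(ALPHABET) for _ in range(length))
    # Kept in clear only for this example; a real system would store a salted hash.
    return {"user": username, "initial_password": initial, "must_change": True}


def is_sequential(pw):
    """True if pw is a run of characters stepping by +1 or -1 (12345, 54321, abcde)."""
    if len(pw) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def check_new_password(pw, initial, min_length=12):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    if pw.lower() in COMMON:
        problems.append("on deny-list")
    if is_sequential(pw) or len(set(pw)) == 1:
        problems.append("sequential or repeated characters")
    if pw == initial:
        problems.append("same as initial password")
    return problems


def first_login(account, new_pw):
    """Clear must_change only when the replacement passes the policy."""
    problems = check_new_password(new_pw, account["initial_password"])
    if not problems:
        account["must_change"] = False
    return problems
```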
So every time they type it in, you get reminded ...
Every time they log in you get a message containing their cleartext password? Doesn't sound secure to me. Unless you're looking over their shoulders, which doesn't sound good either.
Noob. Once you go to the pass phrase there is no need to complicate things with extraneous caps and numbers. .... Fuck it.
There. Now you have been schooled by
Why is it so hard to only have politicians for a few years, then have them go away?
The reason password lengths were limited is because people were retarded and storing the password in a database. Now, good policy dictates that you never store a password, only its hash and salt. The only reason to limit length is to limit the bandwidth required in case someone decides to use the unabridged works of Shakespeare as his pass phrase.
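Added example, not part of the comment above: storing only a salt and a hash means the stored record has the same size whatever the passphrase length, so the only length limit needed is a generous cap on request size. The iteration count and the 4096-byte cap are example values chosen here, not figures from the thread.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000     # example work factor (assumption)
MAX_INPUT_BYTES = 4096   # generous cap: bounds request size, not passphrase strength


def hash_password(password, salt=None):
    """Return (salt, digest); the password itself is never stored."""
    data = password.encode("utf-8")
    if len(data) > MAX_INPUT_BYTES:
        raise ValueError("password too long")
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        _, digest = hash_password(password, salt)
    except ValueError:
        return False
    return hmac.compare_digest(digest, expected)


def stored_size(password):
    """Bytes kept per account: salt plus digest, independent of input length."""
    salt, digest = hash_password(password)
    return len(salt) + len(digest)
```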
If the IT department was simply handing that out rather than an initial random password, they are just as wrong. I particularly love how my 401K access was initially first initial, last name, last 4 of the SSN.
With the enormous amount of passwords and logins we must remember, I feel that passwords are a technical solution to a social problem.
The problem is that the majority (if not all) IT people look at it as if their system is the only one that needs to be protected. So they will implement a very secure system. They leave out only one not so unimportant element: human behavior.
Don't fight for your country, if your country does not fight for you.
Look, I like XKCD, but do we have to post a comic in every goddamn thread?
We are eternal, all this pain is an illusion.
The German air raid that almost destroyed Coventry was an example of this. The Brits knew it was coming but they also knew that the Germans were beginning to get suspicious. As a result, the British government felt that they had to let this air raid occur even though they knew many people would be killed.
Yes, I believe you have happened over a bit of sarcasm. Note the distinguishing language, such as the use of 'of course'
Yes.
Any other questions?
Ignorance killed the cat. Curiosity was framed.
correcthorsebatterystaple
correct_horse_battery_staple
I'm sure that phrase already was added to all password cracking tools :-)
The Tao of math: The numbers you can count are not the real numbers.