Slashdot Mirror


European Space Agency Records Leaked For Amusement, Attackers Say (csoonline.com)

itwbennett writes: A weekend data breach at the European Space Agency (ESA) by hackers calling themselves "Anonymous" has resulted in the release of 8,107 names, email addresses, and passwords of ESA supporters and researchers. "The leaked data highlights a troubling problem with regard to passwords used on the compromised domains," writes CSO's Steve Ragan. "Of the 8,107 passwords exposed, 39 percent (3,191) of them were just three characters long (e.g. 'esa', '469', '136', etc.)."

74 comments

  1. Three characters? by U2xhc2hkb3QgU3Vja3M · · Score: 2

    Three characters is not enough for my luggage.

    1. Re:Three characters? by Adriax · · Score: 1

      I think that's the point of this piece. Our rocket scientists still can't match the password length of space fairing societies with planetary scale shielding, mega-ships capable of stripping the atmosphere off a planet in minutes, casual space travel, and speeds that are frankly ludicrous.

      But there is a glimmer of hope. We are at 60%. Over half way there.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    2. Re:Three characters? by Anonymous Coward · · Score: 1

      It's "faring", my good man, not "fairing". A "fairing" is an aerodynamic cover fitted, for example, over a high-performance motorbike to reduce drag. Perhaps this is why all those scientists use three-character passwords; because they doubt their own ability to spell anything longer.

    3. Re:Three characters? by Big+Hairy+Ian · · Score: 1

      It still horrifies me that everyone's ATM Pin is just 4 characters!! Though the article does smack of "Scientists too dumb to use computers"

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    4. Re:Three characters? by Nutria · · Score: 2

      Aren't Europeans supposed to be oh so much smarter than us rube Americans and our "they'll suck up the Sun's rays" idiocy?

      --
      "I don't know, therefore Aliens" Wafflebox1
    5. Re:Three characters? by mwvdlee · · Score: 1

      Yeah, they should at least require some special characters like numbers and upper case to make it extra safe.
      Nobody will ever guess "E5a".

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    6. Re:Three characters? by Anonymous Coward · · Score: 0

      Three characters is not enough for my luggage.

      Yeah, you're right, especially since those TSA locks are practically impossible to pick, and the master keys would never get leaked or anything.

      Not to mention most luggage zippers can be defeated with a ballpoint pen, so make sure you put a strong deadbolt on that paper door of yours.

    7. Re: Three characters? by Anonymous Coward · · Score: 0

      Your radiation is hard to resist.

    8. Re:Three characters? by Anonymous Coward · · Score: 0

      It still horrifies me that everyone's ATM Pin is just 4 characters!! Though the article does smack of "Scientists too dumb to use computers"

      Scientists use banks and ATM machines too, so I think "humans are too stupid to use bank cards" smacks quite a bit harder against society as a whole.

      And since the average person doesn't actually dial phone numbers anymore, expect humans' memory capability to get shittier over time, meaning we can forget about expanding it beyond four. Ever.

    9. Re:Three characters? by Anonymous Coward · · Score: 1

      It simply doesn't matter how long your PIN is because all current ways of stealing your card info include stealing your PIN, too.

    10. Re:Three characters? by Anonymous Coward · · Score: 1

      Like the mega-ships capable of stripping the atmosphere off a planet in minutes, the ESA is surrounded by assholes.

    11. Re:Three characters? by Anonymous Coward · · Score: 0

      How many tries does an ATM give you at entering a PIN?

    12. Re:Three characters? by Adriax · · Score: 1

      Fail on my part. I wrote it as faring first but apparently derped when I rewrote the sentence.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    13. Re:Three characters? by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

      The woosh you're hearing is Spaceballs-1 passing over your head at ludicrous speed.

    14. Re:Three characters? by U2xhc2hkb3QgU3Vja3M · · Score: 1, Insightful

      AFAIK, in Canada, banks require five numbers. It's 25% more secure!

    15. Re:Three characters? by Anonymous Coward · · Score: 0

      You mean "fale".

    16. Re:Three characters? by Anonymous Coward · · Score: 0

      Yes. Most of those scientists have realized that their work is tax funded and the data supposed to be public property.
      Also that anyone able to understand the data is capable of figuring the stuff out by themselves.
      A three letter password is the compromise between not having a password at all like the scientist wants and some retarded IT staff that thinks that everything has to be secured, even stuff that shouldn't be.

    17. Re:Three characters? by Anonymous Coward · · Score: 1

      A "fairing" is an aerodynamic cover fitted, for example, over a high-performance motorbike to reduce drag.

      Or like, you know, over the payload at the top of a rocket. Like the ESA uses.

    18. Re:Three characters? by GuB-42 · · Score: 1

      Usually, after 3 failed attempts, the card becomes unusable.
      You also typically don't choose your PIN; the bank picks a random number and mails it to you in a special envelope, separately from the card itself.

      So that's really a 0.03% chance of getting it right. Not that bad considering that you also have to steal the card in the first place, use it before it is declared stolen and rendered unusable, and don't get caught by other safety measures.

    19. Re:Three characters? by Anonymous Coward · · Score: 0

      Ugh, "I faled grammer" makes my dyslexia flare up.
      But please, don't blame the scientists at ESA but blame their sysadmins instead. Sysadmins are cut from very different cloth.

      (captcha: disaster)

    20. Re:Three characters? by Quirkz · · Score: 1

      I dunno. When the first four digits of the PIN are 1, 1, 1, and 1, what are the odds that the fifth digit is going to be something else?

    21. Re:Three characters? by Anonymous Coward · · Score: 0

      One in ten?

    22. Re:Three characters? by Anonymous Coward · · Score: 0

      9 in 10

    23. Re:Three characters? by ChoGGi · · Score: 1

      I'm not sure of the minimum in Canada, but I do know my PIN is 8 chars (and no it doesn't work in the USA).

    24. Re:Three characters? by AntiSol · · Score: 1

      the ESA is surrounded by assholes

      Clearly. I can't even find a shop on the ESA website. I was looking to buy some merchandise.

      They should get into that, it's where the real money is made.

    25. Re:Three characters? by uninformedLuddite · · Score: 1

      You can change your PIN in a lot of cases. I did read somewhere once that most people change it to something stupid which enables 30% of cards to be guessed within 3 tries. Apparently only 5% of PINs begin with the number 9 so that's a good start. Maybe 9999 would be clever.

      Does GuB stand for Great Uncle Bulgaria?

      --
      The new right fascists are bilingual. They speak English and Bullshit.
    26. Re:Three characters? by RockDoctor · · Score: 1

      While it's not untrue that the passwords in question are 4 or fewer characters long, it is far more significant (about 500 times more significant per digit, not that I've completely memorised my log(10) tables) that they are digits, not general purpose characters.

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. Why did the system store passwords? by Anonymous Coward · · Score: 0

    There's no excuse in this day and age to store passwords. You only store salted hashes.

    1. Re:Why did the system store passwords? by U2xhc2hkb3QgU3Vja3M · · Score: 1

      And what about the users with high blood pressure?

    2. Re:Why did the system store passwords? by NotInHere · · Score: 1

      Can I use your username as password?

    3. Re:Why did the system store passwords? by mwvdlee · · Score: 1

      I already use your username as my password.

      If it is ever found on an unhashed password list, they'll simply think my password isn't on the list.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:Why did the system store passwords? by GuB-42 · · Score: 1

      If your password is "esa", "469" or "123", even the best salt/hash. Script kiddies could crack these in seconds, and that's if you use really strong crypto. With a reasonable hash/salt scheme and advanced attackers, you can get down to microseconds.

    5. Re:Why did the system store passwords? by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Not if you take the time to read my real name.

    6. Re:Why did the system store passwords? by geantvert · · Score: 1

      And the fact that the leak contains so many 3 character passwords is probably a sign that this is exactly what happened.
      The hackers probably got access to a database containing salted passwords.
      The leak is just the output of a password cracker applied to that database.

      What I find more problematic is that people were authorized to use a password with only 3 characters.

      Any system I worked on during the last 20 years would never allow that.

    7. Re:Why did the system store passwords? by mlts · · Score: 2

      Use nonces instead of salts for less sodium?

    8. Re:Why did the system store passwords? by cheater512 · · Score: 1

      To be fair, salted hashes provide no additional benefit if the password is 3 characters long. A brute force would still get them pretty much instantly.
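
      An added example, written for this mirror and not taken from any post, that demonstrates the point made in this comment and in GuB-42's reply above: a salted, iterated hash does nothing for a 3-character password, and a minimum-length check at registration is the control that would have helped. It assumes PBKDF2-HMAC-SHA256 as a stand-in scheme, a constructed salt, and a lowercase-plus-digits alphabet.

```python
"""Added example (not code from any post in the thread): why a salted,
iterated hash does not protect a 3-character password, and why the
minimum-length policy is the control that matters. The salt, the stored
hash and the 36-symbol alphabet are all constructed for the demonstration."""
import hashlib
import itertools
import os
import string
import time

# Lowercase letters plus digits, which covers the leaked examples 'esa' and '469'.
ALPHABET = string.ascii_lowercase + string.digits


def hash_password(password: str, salt: bytes, iterations: int = 100) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256, a stand-in for a 'reasonable
    hash/salt scheme'. Production systems use far more iterations, but that
    only multiplies a fixed, tiny search by a constant."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def search_space(max_len: int, alphabet: str = ALPHABET) -> int:
    """Number of candidate strings of length 1..max_len over the alphabet."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


def recover_short_password(salt: bytes, stored: bytes, max_len: int = 3,
                           alphabet: str = ALPHABET, iterations: int = 100):
    """Walk the whole short-password space once. The salt is no secret: in a
    leaked table it sits in the row next to the hash, so it only prevents
    precomputation across users, not an exhaustive search per user."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if hash_password(guess, salt, iterations) == stored:
                return guess
    return None


def meets_minimum_length(password: str, minimum: int = 12) -> bool:
    """The registration-time check that makes the search above infeasible:
    the space grows by a factor of len(ALPHABET) for every extra character."""
    return len(password) >= minimum


if __name__ == "__main__":
    salt = os.urandom(16)  # per-user random salt, as a good scheme would use
    stored = hash_password("469", salt)
    start = time.perf_counter()
    found = recover_short_password(salt, stored)
    elapsed = time.perf_counter() - start
    print(f"searched at most {search_space(3):,} candidates, "
          f"recovered {found!r} in {elapsed:.2f}s")
    print(f"policy accepts {found!r}: {meets_minimum_length(found)}")
```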

    9. Re:Why did the system store passwords? by Anonymous Coward · · Score: 0

      the fact that the leak contains so many 3 character passwords is probably a sign that this is exactly what happened.

      So TFS is ridiculous. We don't know how seriously to take this without knowing how many accounts didn't have their passwords cracked.

    10. Re:Why did the system store passwords? by SharpFang · · Score: 1

      They wouldn't find the generated 24-char ones.
      Either the passwords were stored in plaintext or easily crackable crypt (unlikely), or the hackers hijacked the login system and collected the passwords as they were used for login.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    11. Re:Why did the system store passwords? by sims+2 · · Score: 1

      Yeah even netflix requires 4 characters. You can even use 0000 as a password if you want.

      --
      Minimum threshold fixed. Thanks!
  3. THESE ARE WORDS IN ORDER THAT MAKE NO SENSE by Anonymous Coward · · Score: 0


    1. Re:THESE ARE WORDS IN ORDER THAT MAKE NO SENSE by Anonymous Coward · · Score: 0

      That is the most fascinating and insightful comment I've ever seen on /.

  4. Sometimes security isn't desired. by Anonymous Coward · · Score: 1

    Before you get all hysterical over weak passwords, please consider that three letter passwords are usually open secrets. In these cases security isn't desired, but because of policy, still needs to be paid lip service. It happens at EVERY organization.

    The question is whether the policy is reasonable and necessary.

    1. Re:Sometimes security isn't desired. by __aaclcg7560 · · Score: 1

      Most of the Fortune 500 companies I've worked at that had a shared user account still required a password with a minimum of eight characters, one upper character, one lower character, and one symbol. The ESA examples show no minimum requirements whatsoever.

    2. Re:Sometimes security isn't desired. by mlts · · Score: 1

      Even operating systems have had a minimum password length requirement for over a decade. Windows Server 2008 and newer have always required password complexity rules (uppercase, lower case, number, symbol), and at least 8 characters by default. Similar with non-root users and Linux.

  5. For bonus points... by __aaclcg7560 · · Score: 0

    My college instructor for Linux Admin informed the class that the password to his Redhat Linux server was 26 characters long, doesn't start with the letter 'a' and doesn't end with the letter 'z'. Bonus points for creating an algorithm that prints out all the possible variations with permissible characters. Automatic expulsion if anyone attempts to log in to the server. During his ten years of teaching Linux, only one student took him up on the challenge to write an algorithm and his password was in the resulting printout.

    1. Re: For bonus points... by mistr · · Score: 1

      But after paying the cost of the printout, the student went bankrupt and had to quit his studies

    2. Re:For bonus points... by Anonymous Coward · · Score: 0

      Was his password baaaaaaaaaaaaaaaaaaaaaaaaa? Because the number of passwords that are 26 characters long is so long that it would still be attempting to print it out for centuries. For it to be in the output it must have been early on in the sequence.

    3. Re: For bonus points... by __aaclcg7560 · · Score: 1

      The student submitted his algorithm and the resulting printout in text files on a floppy disk. No trees were sacrificed for this academic exercise.

    4. Re:For bonus points... by __aaclcg7560 · · Score: 1

      The characters didn't repeat, which narrows down the number of possibilities. Thanks for reminding me. The algorithm and printout were submitted as text files on a floppy disk.

    5. Re:For bonus points... by Anonymous Coward · · Score: 0

      I'm going to guess it was 'zyxwvutsrqponmlkjihgfedcba'. (Why yes, I do have most of that sequence memorized. It's just the m-g part that still gives me trouble.)

    6. Re:For bonus points... by wile_e_wonka · · Score: 1

      From TFA: "Based on the posted list, an unfortunate detail becomes rather clear; either the passwords were poorly secured and easily reversed, or they were stored in clear text inside the database."

    7. Re:For bonus points... by geantvert · · Score: 1

      Hardly! 25^26 = 2.2e+36 is only a bit smaller than 26^26 = 6.1e+36

      If all characters were different then the number of possibilities would still be in the range of 26! ~= 4e26
      This is quite smaller but still too large to fit on a floppy or on a modern HD (or even on the whole internet)

      A program running on a 10Ghz CPU that would enumerate one solution per cycle would need 1.26 billion years to complete.

      So there were probably more restrictions.

    8. Re:For bonus points... by Anonymous Coward · · Score: 0

      Assuming an alphabet of 26 lowercase characters, still 25*24*24! = 3.7e+26 possible permutations. A standard floppy disk has 1.44e+6 bytes. That's some good compression algorithm that student must have used.
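
      An added example, not from any post, that counts the instructor's password space exactly under the assumptions geantvert and this comment settle on, and checks the closed form against brute-force enumeration on small alphabets. Assumptions: a 26-letter lowercase alphabet, each letter used exactly once, first letter not 'a', last letter not 'z'; the 1.44 MB floppy figure is the standard 1,474,560 bytes.

```python
"""Added example (not from any post in the thread): the exact size of the
instructor's password space under the assumptions stated above, plus a
sanity check of the closed form against brute-force enumeration.
Assumptions: a 26-letter lowercase alphabet, each letter used exactly once
(no repeats), the first letter is not 'a' and the last letter is not 'z'."""
from itertools import permutations
from math import factorial


def constrained_count(n: int) -> int:
    """Inclusion-exclusion over an n-symbol alphabet: all permutations, minus
    those starting with the first symbol, minus those ending with the last
    symbol, plus those that do both (they were subtracted twice). The two
    constraints interact: if the first letter is 'z', the last position has
    one more legal choice, which is why n=26 gives 601 * 24!, not 600 * 24!."""
    return factorial(n) - 2 * factorial(n - 1) + factorial(n - 2)


def brute_force_count(n: int) -> int:
    """Enumerate every permutation of a small alphabet and apply the two
    constraints literally; feasible only for small n, used to validate."""
    first, last = 0, n - 1
    return sum(1 for p in permutations(range(n))
               if p[0] != first and p[-1] != last)


def floppies_needed(count: int, bytes_per_entry: int = 27,
                    floppy_bytes: int = 1_474_560) -> int:
    """Disks required to store every candidate as a 26-letter line plus a
    newline (ceiling division)."""
    return -(-(count * bytes_per_entry) // floppy_bytes)


if __name__ == "__main__":
    for n in (4, 5, 6):
        assert constrained_count(n) == brute_force_count(n)
    total = constrained_count(26)
    print(f"candidates: {total:.3e} (= 601 * 24!)")
    print(f"1.44 MB floppies needed: {floppies_needed(total):.3e}")
```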

    9. Re:For bonus points... by __aaclcg7560 · · Score: 1

      That probably explains why only one student ever attempted to write the algorithm.

    10. Re:For bonus points... by Anonymous Coward · · Score: 0

      Yeah, I'm less smooth around there. I get to 'i' without much trouble, and I'm in the clear when I hit 'e'.

      Uncanny, might want more data. A nice example for you fucks who get obnoxious about "nominal patterns that brains are biased for"; they're perfectly valid to prompt surface investigation, then spending increasing resources to confirm the metrics for REAL statements.

    11. Re:For bonus points... by narcc · · Score: 1

      I think you were sold a bill of goods. My guess? Your instructor lied about the attempt to trick his math-challenged students into wasting a lot of time.

    12. Re:For bonus points... by __aaclcg7560 · · Score: 1

      You're probably right. Most of those math-challenged students became Java programmers.

    13. Re:For bonus points... by Gr8Apes · · Score: 1

      You're probably right. Most of those math-challenged students became Java programmers.

      The rest post on /.

      --
      The cesspool just got a check and balance.
  6. Low opinion of ESA? by Crowd+Computing · · Score: 3, Funny

    Perhaps more damaging is the claim it was done for amusement: "Claiming the name Anonymous, those responsible for a weekend data breach at the European Space Agency (ESA) said the act was one of pure amusement (lulz) and not part of a larger scheme or protest."

    ISIS and Trump at least deserved some sort of mass attack.

    1. Re:Low opinion of ESA? by Anonymous Coward · · Score: 0

      This was clearly the "real" Anonymous (and not the wannabees from Reddit that we hear from these days), because they actually Did It For The Lulz.

    2. Re:Low opinion of ESA? by Anonymous Coward · · Score: 0

      They would have, but Trump and ISIS have better password policies...

    3. Re:Low opinion of ESA? by Solandri · · Score: 5, Insightful

      ISIS and Trump at least deserved some sort of mass attack.

      ISIS deserves to be hacked because they are out there killing innocent people.

      Trump, for all the stupid things he's said, has not committed a crime. The moment you start dehumanizing people who haven't committed a crime, deciding that it's OK to do bad things to them just because you disagree with them, and they're not worthy of the same rights and protections you give to people you agree with, you've started using the same reasoning ISIS uses to justify what they do.

      The acid test for supporting the First Amendment isn't whether you'll stand up to defend the right of people you agree with to speak their opinion. It's whether you'll stand up to defend the right of people saying things you find reprehensible to speak their opinion. When I was growing up, the concept behind the First Amendment was often summarized as, "I disagree with what you say, but I will defend to the death your right to say it." At some point this has morphed into, "I disagree with what I say, and I will do everything I can to stop you from saying it as long as I don't get in trouble for it." That's a very dangerous slippery slope to start sliding down.

    4. Re:Low opinion of ESA? by rahvin112 · · Score: 1

      Trump, for all the stupid things he's said, has not committed a crime.

      Lol, yea right. He's committed crime, lots of it. He's just never been convicted for any of it.

    5. Re:Low opinion of ESA? by fahrbot-bot · · Score: 1

      Trump, for all the stupid things he's said, has not committed a crime. The moment you start dehumanizing people who haven't committed a crime, deciding that it's OK to do bad things to them just because you disagree with them, and they're not worthy of the same rights and protections you give to people you agree with, you've started using the same reasoning ISIS uses to justify what they do.

      Like the things Trump has been saying about and proposing to do with/to Mexicans and Muslims? Or was that your point?

      --
      It must have been something you assimilated. . . .
    6. Re:Low opinion of ESA? by rtb61 · · Score: 1

      As 'Anonymous' can be anyone who chooses to act in an activist sense, anonymously, in the name of 'Anonymous'. It could just be a pissed off security BOFH https://en.wikipedia.org/wiki/..., always having to work extended hours due to crappy passwords. Seriously, how hard are three word passwords, no spaces and minimum word length of four characters and with varying length words, as a nonsense string preferable, e.g. 'crankyBOFHgoesnuts' is good. When anyone can be 'Anonymous', all sorts of interesting and often very worthwhile shenanigans will occur, i.e. a very public reminder on security that could not be otherwise carried out.

      --
      Chaos - everything, everywhere, everywhen
    7. Re:Low opinion of ESA? by bmo · · Score: 1

      The moment you start dehumanizing people who haven't committed a crime, deciding that it's OK to do bad things to them just because you disagree with them, and they're not worthy of the same rights and protections you give to people you agree with, you've started using the same reasoning ISIS uses to justify what they do.

      So you mean that TRUMP saying that we should "take out" the families of suspected terrorists is a bad thing, right?

      "I would do my best, absolute best — I mean, one of the problems we have or one of the reasons we're so ineffective, you know, they're trying to, they're using them as shields. It's a horrible thing," the real estate tycoon said.

      "But we're fighting a very politically correct war. And the other thing is with the terrorists, you have to take out their families," Trump added.

      "When you get these terrorists, you have to take out their families. They care about their lives, don't kid yourself. But they say they don't care about their lives. You have to take out their families."

      Yeah, promoting war crimes is defensible.... not.

      http://thehill.com/blogs/ballo...

      --
      BMO

  7. The account owners with simple passwords by maroberts · · Score: 1

    ..were obviously not rocket scientists.

    Oh, wait.....

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  8. i'm guessing by Anonymous Coward · · Score: 0

    european space agency jokes rate right up there with french military prowess and "the english army just won the war".

  9. Anonymous by Noah+Haders · · Score: 1, Insightful

    European Space Agency Records Leaked For Amusement, Attackers Say

    Bruce Wayne: Targeting me won't get their money back. I knew the mob wouldn't go down without a fight, but this is different. They crossed the line.

    Alfred Pennyworth: You crossed the line first, sir. You squeezed them, you hammered them to the point of desperation. And in their desperation, they turned to a man they didn't fully understand.

    Bruce Wayne: Criminals aren't complicated, Alfred. Just have to figure out what he's after.

    Alfred Pennyworth: With respect Master Wayne, perhaps this is a man that *you* don't fully understand, either. A long time ago, I was in Burma. My friends and I were working for the local government. They were trying to buy the loyalty of tribal leaders by bribing them with precious stones. But their caravans were being raided in a forest north of Rangoon by a bandit. So, we went looking for the stones. But in six months, we never met anybody who traded with him. One day, I saw a child playing with a ruby the size of a tangerine. The bandit had been throwing them away.

    Bruce Wayne: So why steal them?

    Alfred Pennyworth: Well, because he thought it was good sport. Because some men aren't looking for anything logical, like money. They can't be bought, bullied, reasoned, or negotiated with. Some men just want to watch the world burn.

  10. Just to confirm what we already knew by Anonymous Coward · · Score: 0

    "Anonymous" is nothing if not a bunch of vandals, delinquents and terrorist sympathizers. They must be hunted down without mercy. It should not prove to be too difficult because they're also a bunch of pussies: every single time one is caught, he immediately snitches on anyone he knows. Time to police the Internet for good.

  11. Examples by dohzer · · Score: 2

    Does anyone have some more examples of three letter passwords? I'm having trouble understanding the concept.

  12. Password length = data protected by justcauseisjustthat · · Score: 1

    I've used 4 digit passwords on sites that store nothing besides my email, name, corp address and nothing of true significance. On the other hand I'll use the maximum allowed digits for banking and commerce sites. What blows my mind, is a site that doesn't allow unicode character set and more than 12 digits.

  13. scientists by Anonymous Coward · · Score: 0

    I work in IT security with them scientists: rather than about security they care about sharing.
    They're like children (in a good way).

  14. Publicly funded by RockDoctor · · Score: 1

    The ESA is publicly funded - as are most of its collaborating institutions. Quite likely a significant number of the people intended to have read-write access to their data systems are aware that the information they contain is the property of the people who paid for the data, i.e., everyone. So the only sensible reason for using passwords is to prevent vandalism of the databases, and nobody in their right mind is going to be interested in vandalising a "public good" such as the records that may help our species become a multi-ecosystem species.

    It speaks of a slightly worrying degree of optimism about human nature, but nothing worse than that.

    --
    Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"