Slashdot Mirror


European Space Agency Records Leaked For Amusement, Attackers Say (csoonline.com)

itwbennett writes: A weekend data breach at the European Space Agency (ESA) by hackers calling themselves "Anonymous" has resulted in the release of 8,107 names, email addresses, and passwords of ESA supporters and researchers. "The leaked data highlights a troubling problem with regard to passwords used on the compromised domains," writes CSO's Steve Ragan. "Of the 8,107 passwords exposed, 39 percent (3,191) of them were just three characters long (e.g. 'esa', '469', '136', etc.)."

51 of 74 comments

  1. Three characters? by U2xhc2hkb3QgU3Vja3M · · Score: 2

    Three characters is not enough for my luggage.

    1. Re:Three characters? by Adriax · · Score: 1

      I think that's the point of this piece. Our rocket scientists still can't match the password length of space fairing societies with planetary scale shielding, mega-ships capable of stripping the atmosphere off a planet in minutes, casual space travel, and speeds that are frankly ludicrous.

      But there is a glimmer of hope. We are at 60%. Over half way there.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    2. Re:Three characters? by Anonymous Coward · · Score: 1

      It's "faring", my good man, not "fairing". A "fairing" is an aerodynamic cover fitted, for example, over a high-performance motorbike to reduce drag. Perhaps this is why all those scientists use three-character passwords; because they doubt their own ability to spell anything longer.

    3. Re:Three characters? by Big+Hairy+Ian · · Score: 1

      It still horrifies me that everyone's ATM Pin is just 4 characters!! Though the article does smack of "Scientists too dumb to use computers"

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    4. Re:Three characters? by Nutria · · Score: 2

      Aren't Europeans supposed to be oh so much smarter than us rube Americans and our "they'll suck up the Sun's rays" idiocy?

      --
      "I don't know, therefore Aliens" Wafflebox1
    5. Re:Three characters? by mwvdlee · · Score: 1

      Yeah, they should at least require some special characters like numbers and upper case to make it extra safe.
      Nobody will ever guess "E5a".

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    6. Re:Three characters? by Anonymous Coward · · Score: 1

      It simply doesn't matter how long your PIN is because all current ways of stealing your card info include stealing your PIN, too.

    7. Re:Three characters? by Anonymous Coward · · Score: 1

      Like the mega-ships capable of stripping the atmosphere off a planet in minutes, the ESA is surrounded by assholes.

    8. Re:Three characters? by Adriax · · Score: 1

      Fail on my part. I wrote it as faring first but apparently derped when I rewrote the sentence.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    9. Re:Three characters? by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

      The woosh you're hearing is Spaceballs-1 passing over your head at ludicrous speed.

    10. Re:Three characters? by U2xhc2hkb3QgU3Vja3M · · Score: 1, Insightful

      AFAIK, in Canada, banks require five numbers. It's 25% more secure!

    11. Re:Three characters? by Anonymous Coward · · Score: 1

      A "fairing" is an aerodynamic cover fitted, for example, over a high-performance motorbike to reduce drag.

      Or like, you know, over the payload at the top of a rocket. Like the ESA uses.

    12. Re:Three characters? by GuB-42 · · Score: 1

      Usually, after 3 failed attempts, the card becomes unusable.
      You also typically don't choose your PIN, the bank picks a random number and mails it to you in a special envelope, separately from the card itself.

      So that's really a 0.03% chance of getting it right. Not that bad considering that you also have to steal the card in the first place, use it before it is declared stolen and rendered unusable, and don't get caught by other safety measures.

    13. Re:Three characters? by Quirkz · · Score: 1

      I dunno. When the first four digits of the PIN are 1, 1, 1, and 1, what are the odds that the fifth digit is going to be something else?

    14. Re:Three characters? by ChoGGi · · Score: 1

      I'm not sure of the minimum in Canada, but I do know my PIN is 8 chars (and no it doesn't work in the USA).

    15. Re:Three characters? by AntiSol · · Score: 1

      the ESA is surrounded by assholes

      Clearly. I can't even find a shop on the ESA website. I was looking to buy some merchandise.

      They should get into that, it's where the real money is made.

    16. Re:Three characters? by uninformedLuddite · · Score: 1

      You can change your pin in a lot of cases. I did read somewhere once that most people change it to something stupid which enables 30% of cards to be guessed within 3 tries. Apparently only 5% of pins begin with the number 9 so that's a good start. Maybe 9999 would be clever.

      Does GuB stand for Great Uncle Bulgaria?

      --
      The new right fascists are bilingual. They speak English and Bullshit.
    17. Re:Three characters? by RockDoctor · · Score: 1

      While it's not untrue that the passwords in question are 4 or fewer characters long, it is far more significant (about 500 times more significant per digit, not that I've completely memorised my log(10) tables) that they are digits, not general purpose characters.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. Re:Why did the system store passwords? by U2xhc2hkb3QgU3Vja3M · · Score: 1

    And what about the users with high blood pressure?

  3. Re:Why did the system store passwords? by NotInHere · · Score: 1

    Can I use your username as password?

  4. Sometimes security isn't desired. by Anonymous Coward · · Score: 1

    Before you get all hysterical over weak passwords, please consider that three letter passwords are usually open secrets. In these cases security isn't desired, but because of policy, still needs to be paid lip service. It happens at EVERY organization.

    The question is whether the policy is reasonable and necessary.

    1. Re:Sometimes security isn't desired. by __aaclcg7560 · · Score: 1

      Most of the Fortune 500 companies I've worked at that had a shared user account still required a password with a minimum of eight characters, one upper character, one lower character, and one symbol. The ESA example shows no minimum requirements whatsoever.

    2. Re:Sometimes security isn't desired. by mlts · · Score: 1

      Even operating systems have had a minimum character password requirement for over a decade. Windows Server 2008 and newer have always required password complexity rules (uppercase, lower case, number, symbol), and at least 8 characters by default. Similar with non-root users and Linux.

  5. Re:Why did the system store passwords? by mwvdlee · · Score: 1

    I already use your username as my password.

    If it is ever found on an unhashed password list, they'll simply think my password isn't on the list.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  6. Low opinion of ESA? by Crowd+Computing · · Score: 3, Funny

    Perhaps more damaging is the claim it was done for amusement: "Claiming the name Anonymous, those responsible for a weekend data breach at the European Space Agency (ESA) said the act was one of pure amusement (lulz) and not part of a larger scheme or protest."

    ISIS and Trump at least deserved some sort of mass attack.

    1. Re:Low opinion of ESA? by Solandri · · Score: 5, Insightful

      ISIS and Trump at least deserved some sort of mass attack.

      ISIS deserves to be hacked because they are out there killing innocent people.

      Trump, for all the stupid things he's said, has not committed a crime. The moment you start dehumanizing people who haven't committed a crime, deciding that it's OK to do bad things to them just because you disagree with them, and they're not worthy of the same rights and protections you give to people you agree with, you've started using the same reasoning ISIS uses to justify what they do.

      The acid test for supporting the First Amendment isn't whether you'll stand up to defend the right of people you agree with to speak their opinion. It's whether you'll stand up to defend the right of people saying things you find reprehensible to speak their opinion. When I was growing up, the concept behind the First Amendment was often summarized as, "I disagree with what you say, but I will defend to the death your right to say it." At some point this has morphed into, "I disagree with what I say, and I will do everything I can to stop you from saying it as long as I don't get in trouble for it." That's a very dangerous slippery slope to start sliding down.

    2. Re:Low opinion of ESA? by rahvin112 · · Score: 1

      Trump, for all the stupid things he's said, has not committed a crime.

      Lol, yea right. He's committed crime, lots of it. He's just never been convicted for any of it.

    3. Re:Low opinion of ESA? by fahrbot-bot · · Score: 1

      Trump, for all the stupid things he's said, has not committed a crime. The moment you start dehumanizing people who haven't committed a crime, deciding that it's OK to do bad things to them just because you disagree with them, and they're not worthy of the same rights and protections you give to people you agree with, you've started using the same reasoning ISIS uses to justify what they do.

      Like the things Trump has been saying about and proposing to do with/to Mexicans and Muslims? Or was that your point?

      --
      It must have been something you assimilated. . . .
    4. Re:Low opinion of ESA? by rtb61 · · Score: 1

      As 'Anonymous' can be anyone who chooses to act in an activist sense, anonymously, in the name of 'Anonymous'. It could just be a pissed off security BOFH https://en.wikipedia.org/wiki/..., always having to work extended hours due to crappy passwords. Seriously, how hard are three word passwords, no spaces and minimum word length of four characters and with varying length words, as a nonsense string preferable eg 'crankyBOFHgoesnuts' is good. When anyone can be 'Anonymous', all sorts of interesting and often very worthwhile shenanigans will occur ie a very public reminder on security that could not be otherwise carried out.

      --
      Chaos - everything, everywhere, everywhen
    5. Re:Low opinion of ESA? by bmo · · Score: 1

      The moment you start dehumanizing people who haven't committed a crime, deciding that it's OK to do bad things to them just because you disagree with them, and they're not worthy of the same rights and protections you give to people you agree with, you've started using the same reasoning ISIS uses to justify what they do.

      So you mean that TRUMP saying that we should "take out" the families of suspected terrorists is a bad thing, right?

      "I would do my best, absolute best - I mean, one of the problems we have or one of the reasons we're so ineffective, you know, they're trying to, they're using them as shields. It's a horrible thing," the real estate tycoon said.

      "But we're fighting a very politically correct war. And the other thing is with the terrorists, you have to take out their families," Trump added.

      "When you get these terrorists, you have to take out their families. They care about their lives, don't kid yourself. But they say they don't care about their lives. You have to take out their families."

      Yeah, promoting war crimes is defensible.... not.

      http://thehill.com/blogs/ballo...

      --
      BMO

  7. The account owners with simple passwords by maroberts · · Score: 1

    ..were obviously not rocket scientists.

    Oh, wait.....

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  8. Re: For bonus points... by mistr · · Score: 1

    But after paying the cost of the printout, the student went bankrupt and had to quit his studies

  9. Re:Why did the system store passwords? by GuB-42 · · Score: 1

    If your password is "esa", "469" or "123", even the best salt/hash. Script kiddies could crack these in seconds, and that's if you use really strong crypto. With a reasonable hash/salt scheme and advanced attackers, you can get down to microseconds.

  10. Re:Why did the system store passwords? by U2xhc2hkb3QgU3Vja3M · · Score: 1

    Not if you take the time to read my real name.

  11. Re: For bonus points... by __aaclcg7560 · · Score: 1

    The student submitted his algorithm and the resulting printout in text files on a floppy disk. No trees were sacrificed for this academic exercise.

  12. Re:For bonus points... by __aaclcg7560 · · Score: 1

    The characters didn't repeat, which narrows down the number of possibilities. Thanks for reminding me. The algorithm and printout were submitted as text files on a floppy disk.

  13. Anonymous by Noah+Haders · · Score: 1, Insightful

    European Space Agency Records Leaked For Amusement, Attackers Say

    Bruce Wayne: Targeting me won't get their money back. I knew the mob wouldn't go down without a fight, but this is different. They crossed the line.

    Alfred Pennyworth: You crossed the line first, sir. You squeezed them, you hammered them to the point of desperation. And in their desperation, they turned to a man they didn't fully understand.

    Bruce Wayne: Criminals aren't complicated, Alfred. Just have to figure out what he's after.

    Alfred Pennyworth: With respect Master Wayne, perhaps this is a man that *you* don't fully understand, either. A long time ago, I was in Burma. My friends and I were working for the local government. They were trying to buy the loyalty of tribal leaders by bribing them with precious stones. But their caravans were being raided in a forest north of Rangoon by a bandit. So, we went looking for the stones. But in six months, we never met anybody who traded with him. One day, I saw a child playing with a ruby the size of a tangerine. The bandit had been throwing them away.

    Bruce Wayne: So why steal them?

    Alfred Pennyworth: Well, because he thought it was good sport. Because some men aren't looking for anything logical, like money. They can't be bought, bullied, reasoned, or negotiated with. Some men just want to watch the world burn.

  14. Re:Why did the system store passwords? by geantvert · · Score: 1

    And the fact that the leak contains so many 3 character passwords is probably a sign that this is exactly what happened.
    The hackers probably got access to a database containing salted passwords.
    The leak is just the output of a password cracker applied to that database.

    What I find more problematic is that people were authorized to use a password with only 3 characters.

    Any system I worked on during the last 20 years would never allow that.

  15. Re:For bonus points... by wile_e_wonka · · Score: 1

    From TFA: "Based on the posted list, an unfortunate detail becomes rather clear; either the passwords were poorly secured and easily reversed, or they were stored in clear text inside the database."

  16. Re:Why did the system store passwords? by mlts · · Score: 2

    Use nonces instead of salts for less sodium?

  17. Re:For bonus points... by geantvert · · Score: 1

    Hardly! 25^26 = 2.2e+36 is only a bit smaller than 26^26 = 6.1e+36

    If all characters were different then the number of possibilities would still be in the range of 26! ~= 4e26
    This is quite a bit smaller but still too large to fit on a floppy or on a modern HD (or even on the whole internet)

    A program running on a 10Ghz CPU that would enumerate one solution per cycle would need 1.26 billion years to complete.

    So there was probably more restrictions.

  18. Re:For bonus points... by __aaclcg7560 · · Score: 1

    That probably explains why only one student ever attempted to write the algorithm.

  19. Re:Why did the system store passwords? by cheater512 · · Score: 1

    To be fair, salted hashes provide no additional benefit if the password is 3 characters long. A brute force would still get them pretty much instantly.
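
An added example, in Python, that is not part of the article or of any comment above. It puts numbers to three threads of this discussion: RockDoctor's point that a digit-only alphabet matters more than the length, GuB-42's PIN arithmetic (3 tries against a 4-digit space), geantvert's "no repeated characters" count, and the claim in this and GuB-42's comment that salting does nothing for a 3-character password. The storage scheme (PBKDF2-HMAC-SHA256 with a random per-user salt) is an assumption for illustration; the article does not say how the compromised domains stored passwords. The iteration count is deliberately tiny so the demo runs in a couple of seconds; a production count only scales the attack linearly.

```python
"""Added example: keyspace arithmetic, and a brute force of a salted KDF
for 3-character passwords. Not code from the article or from ESA."""
import hashlib
import itertools
import math
import os
import string
import time

# Alphabets referenced in the thread (digit-only PINs vs general characters).
DIGITS = string.digits                                                  # 10 symbols
LOWER_DIGITS = string.ascii_lowercase + string.digits                   # 36 symbols
PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "  # 95 symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Passwords of exactly `length` symbols, symbols may repeat."""
    return alphabet_size ** length


def keyspace_no_repeats(alphabet_size: int, length: int) -> int:
    """Same, but every symbol distinct: n! / (n-k)! (the '26 distinct letters' case)."""
    return math.perm(alphabet_size, length)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password over the alphabet, in bits."""
    return length * math.log2(alphabet_size)


def guess_probability(alphabet_size: int, length: int, attempts: int) -> float:
    """Chance an online guesser hits a uniform secret within `attempts` tries
    (e.g. 3 tries before a card is blocked)."""
    return min(1.0, attempts / keyspace(alphabet_size, length))


def hash_password(password: str, salt: bytes, iterations: int = 100) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (assumed scheme). Iterations kept low on purpose
    so the demo finishes quickly; raising it multiplies attack time but cannot
    rescue a secret drawn from a few thousand possibilities."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def brute_force(target: bytes, salt: bytes, alphabet: str, max_len: int,
                iterations: int = 100):
    """Exhaust every candidate of 1..max_len symbols over `alphabet` against one
    salted hash. The salt is known to the attacker (it sits next to the hash in
    the dump); it only stops precomputed tables, not enumeration.
    Returns (recovered password or None, number of candidates hashed)."""
    tried = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            tried += 1
            if hash_password(candidate, salt, iterations) == target:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    print(f"4-digit PIN: {entropy_bits(10, 4):.1f} bits; "
          f"3 tries succeed with p={guess_probability(10, 4, 3):.2%}")
    print(f"3 printable chars: {entropy_bits(95, 3):.1f} bits, "
          f"8 printable chars: {entropy_bits(95, 8):.1f} bits")
    print(f"26 letters, all distinct: {keyspace_no_repeats(26, 26):.2e} "
          f"vs with repeats: {keyspace(26, 26):.2e}")

    salt = os.urandom(16)          # per-user random salt; does not change the keyspace
    for pw in ("esa", "469"):      # two of the leaked values quoted in the article
        target = hash_password(pw, salt)
        start = time.perf_counter()
        found, tried = brute_force(target, salt, LOWER_DIGITS, 3)
        print(f"{pw!r}: recovered {found!r} after {tried} guesses "
              f"in {time.perf_counter() - start:.2f}s")
```

Running it shows the whole lowercase-plus-digit space up to three symbols (47,988 candidates) falls in a few seconds on a laptop even with a real KDF in the loop; an attacker with a GPU cracker and the 8,107 hashes from the dump would finish the same job per hash in microseconds, which is the point cheater512 and GuB-42 make.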

  20. Re:For bonus points... by narcc · · Score: 1

    I think you were sold a bill of goods. My guess? Your instructor lied about the attempt to trick his math-challenged students in to wasting a lot of time.

  21. Re:For bonus points... by __aaclcg7560 · · Score: 1

    You're probably right. Most of those math-challenged students became Java programmers.

  22. Examples by dohzer · · Score: 2

    Does anyone have some more examples of three letter passwords? I'm having trouble understanding the concept.

  23. Re:Why did the system store passwords? by SharpFang · · Score: 1

    They wouldn't find the generated 24-char ones.
    Either the passwords were stored in plaintext or easily crackable crypt (unlikely), or the hackers hijacked the login system and collected the passwords as they were used for login.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  24. Re:For bonus points... by Gr8Apes · · Score: 1

    You're probably right. Most of those math-challenged students became Java programmers.

    The rest post on /.

    --
    The cesspool just got a check and balance.
  25. Password length = data protected by justcauseisjustthat · · Score: 1

    I've used 4 digit passwords on sites that store nothing besides my email, name, corp address and nothing of true significance. On the other hand I'll use the maximum allowed digits for banking and commerce sites. What blows my mind, is a site that doesn't allow unicode character set and more than 12 digits.

  26. Re:Why did the system store passwords? by sims+2 · · Score: 1

    Yeah even netflix requires 4 characters. You can even use 0000 as a password if you want.

    --
    Minimum threshold fixed. Thanks!
  27. Publicly funded by RockDoctor · · Score: 1

    The ESA is publicly funded - as are most of its collaborating institutions. Quite likely a significant number of the people intended to have read-write access to their data systems are aware that the information they contain is the property of the people who paid for the data. i.e., everyone. So the only sensible reason for using passwords is to prevent vandalism of the databases, and nobody in their right mind is going to be interested in vandalising a "public good" such as the records that may help our species become a multi-ecosystem species.

    It speaks of a slightly worrying degree of optimism about human nature, but nothing worse than that.

    --
    Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"