Lazy to Hack: Analysis of Stratfor Site Breach Reveals Weak Passwords, Poor Enforcement

04 January 2012

Analysis of Stratfor Site Breach Reveals Weak Passwords, Poor Enforcement

Update from Hacked and discredited: Anonymous takes down Stratfor

Stratfor’s clients include the U.S. Army and Air Force and the Miami Police Department, and a report released by Identity Finder, an identity theft and data loss prevention company in New York, stated that personal information about Stratfor’s subscribers with first names starting with A to M were already released. Information about those with first names beginning with N to Z are believed to be soon released in the coming week, along with 2.7 million email copies.

Information obtained from the hack so far released include:

50,277 unique credit card numbers (9,651 not expired)
86,594 e-mail addresses (47,680 unique)
27,537 phone numbers (25,680 unique)
44,188 encrypted passwords (50% can be cracked with ease)

While users need to select stronger passwords to access on online services, enterprises also need to enforce strong security policies for the Web sites and applications.

As Stratfor continues rebuilding its Website after the cyber-attack in which email addresses of its subscribers and other personal details were leaked, the company is coming under fire for its weak passwords and security policies.

Using a group of lists containing common passwords, names of people in Congress, words from the King James Bible, various computer jargon and programming phrases, previously dumped lists from Gawker and other sites and other lists, Hashcat was able to crack 25,690 passwords. A more extensive list that used words and phrases from various languages as well as common 3- and 4-character passwords, among others, yielded 21,933 additionally cracked hashes. It took Hashcat less than an hour to crack over 47,000 password hashes, according to the analysis.

The list of cracked password showed a high degree of passwords that used birthdates, names of family members, or something with a personal reference (such as 'ford1996'). Unlike "throwaway" passwords, such as '123456' and 'qwerty,' these personal passwords are more likely to be re-used on other sites because they are easier for the user to remember.

Detailed analysis here.

= Disclaimer =

The author is not responsible for the actions, content or accuracy of the opinions expressed in Lazy2Hack, nor for privacy policies, products or services or for any damages or losses, directly or indirectly, caused or alleged to have been caused as a result of your use or reliance on such information. The views, conclusions, findings and opinions of the author are solely those of the author and do not necessarily reflect the views of the government of the author's local precinct or any other organization which the author may represent.

This website/blog includes links to other sites operated by third parties. These links are provided as a convenience to you and as an additional avenue of access to the information contained therein. The author has not reviewed all of the information on other sites and are not responsible for the content of any other sites or any products or services that may be offered through other sites. The inclusion of these links in no way indicates their endorsement, support or approval of the contents of this site or the policies or positions of Lazy2Hack.

The author reserves the right to edit, remove or deny access to content that is determined to be, in his sole discretion, unacceptable.

Lazy to Hack

::Trend Micro Threat Resource Center::

04 January 2012

Analysis of Stratfor Site Breach Reveals Weak Passwords, Poor Enforcement

= Why =

:: Twitter Feed ::

= Latest Virus Alerts =

= Safe Web Browsing Tips =

= Daily Reads =

= On the go =

= Archives =

Labels

= Disclaimer =