Friday, November 14, 2014

When You're The FBI's Most Wanted Cybercriminal...

Jeremy Hammond hacked into defense contractors, law enforcement organizations, and the websites and computers of people he disagreed with politically. He encrypted his personal computers with an unbreakable encryption system. He was a master criminal and the FBI's most wanted; when he was arrested, they took him down with SWAT tactics. Still, his systems were encrypted at the time of his arrest.

He's in prison serving 10 years for attacking Stratfor, a security intelligence firm. He stole their client database and published it online: 60,000 names, addresses, and credit card numbers. The information was used to run up $700,000 in fraudulent charges.

And how did the FBI manage to get into Jeremy's computer? Turns out Jeremy had a cat. He loved his cat. He named his cat Chewy. When it came time to give his encryption system a password, did he use a strong password of random characters and symbols, like WhR8(#^8fHx4~4kD? No. Jeremy, the evil mastermind, like most of us, made his password something he could remember. His password was Chewy123.

There's a lesson here. Your dog's name, your anniversary, your birthday, your wife's or kid's birthday, your address, and any dictionary word are all bad passwords.

There's actually a secondary lesson. That security intel firm he hacked, Stratfor? They were keeping all their records unencrypted on an open server. So they did Jeremy one better. They had no password at all.


Borepatch said...

Look who's securityblogging!

Actually, he had a space between the name and the numbers, but yeah - this was bone headed.

Anonymous said...

This is a copy of what I commented at Robb's place this AM:

Whenever I encounter such a low intelligence level that I think that we've finally reached bottom I'm proved wrong.

I take that as empirical evidence that infinity exists on both sides of zero.

It's still correct.

Rick C said...

It's even worse--remember a few months ago when Ars Technica did a story about password crackers? They can find, not just words, but combinations that are based on regular patterns. Think qweqwe123123 is safe? Wrong.
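The post's lesson (pet names, dates, dictionary words) and Rick C's point about pattern-based cracking can both be turned into a simple policy check that rejects the shapes crackers try first. This is an added example, not code from the post or its commenters; the tiny word list and keyboard rows are constructed stand-ins for the real wordlist a policy would load.

```python
import re

# Constructed stand-in for a real wordlist (assumption for this example).
COMMON_WORDS = {"chewy", "password", "qwerty", "letmein", "dragon", "monkey"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def repeated_chunk(s):
    """True if s is one short chunk repeated, e.g. 'qweqwe' is 'qwe' twice."""
    n = len(s)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and s[:size] * (n // size) == s:
            return True
    return False


def keyboard_walk(s):
    """True if s (3+ chars) is a contiguous run along one keyboard row, either way."""
    if len(s) < 3:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def weak_patterns(password):
    """Return the names of cracker-friendly patterns found (empty list = none)."""
    # Borepatch notes the real password had a space; separators don't add strength.
    pw = password.lower().replace(" ", "")
    hits = []
    # Split into letter, digit and symbol runs: 'chewy123' -> ['chewy', '123']
    runs = re.findall(r"[a-z]+|\d+|[^a-z\d]+", pw)
    alpha = [r for r in runs if r.isalpha()]
    digits = [r for r in runs if r.isdigit()]
    if any(r in COMMON_WORDS for r in alpha):
        hits.append("dictionary_word")
    # The 'Chewy123' shape: a few letters then a digit suffix, nothing else.
    if alpha and digits and len(runs) <= 3 and runs[-1].isdigit():
        hits.append("letters_plus_digits")
    if any(keyboard_walk(r) for r in runs):
        hits.append("keyboard_walk")
    if any(len(r) >= 4 and repeated_chunk(r) for r in runs):
        hits.append("repeated_chunk")
    # Birthdays and anniversaries usually surface as a four-digit year.
    if any(len(r) == 4 and 1900 <= int(r) <= 2099 for r in digits):
        hits.append("year")
    return hits


if __name__ == "__main__":
    for candidate in ("Chewy123", "Chewy 123", "qweqwe123123", "1984", "WhR8(#^8fHx4~4kD"):
        print(f"{candidate!r}: {weak_patterns(candidate) or 'no known weak pattern'}")
```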

John Balog said...

I prefer this school of thought for passwords.