Cyber criminals crack ‘password patterns’ with surprising ease

Even security professionals too often use predictable, risky log-in credentials


Computer users have something new to worry about in the cat-and-mouse game with hackers. You probably use “password patterns” to create easy-to-remember but hard-to-guess passwords. Well, the criminals are on to you. Their ability to detect such patterns may have figured prominently in the recent high-profile attack on a security professional.

Bob Sullivan, journalist and one of the founding members of

Computer security professionals know they have a target on their backs. When you hunt hackers for a living, the hackers hunt back. Even professionals with impressive credentials sometimes fall victim to such attacks.


A stark reminder of this risk came last week when Adi Peretz, a senior threat intelligence analyst at prominent security firm Mandiant, saw his laptop and social media accounts compromised and exposed by a group of hackers. The group said it was beginning a campaign called #LeakTheAnalyst against security professionals who, it says, are chasing its internet tracks. As retribution, the group says it will begin tracking those adversaries on social media, with the stated goal of “trash(ing) their reputation in the field.”

Mandiant confirmed the attack in an email to me, but said it was limited to Peretz’s laptop and social accounts.

“We are investigating this situation, and have taken steps to limit further exposure,” the firm said in a statement. “While our investigation is ongoing, there is currently no evidence that FireEye or Mandiant corporate systems have been compromised. … To date, we have confirmed the exposure of business documents related to two separate customers in Israel, and have addressed this situation with those customers directly. … We will do our best to keep you up to date.”

Hackers recognize patterns

The statement did not suggest how the attack occurred. But in their announcement of the hack, the criminals specifically mentioned they had found Peretz’s “favorite password patterns.”

The hackers’ announcement also pointed to a large data dump of stolen files and emails. A file included in the dump has an entire section devoted to revealing these patterns, said Dan Clements of Insedia, a security firm. The file reveals passwords for various Peretz accounts, showing their similarities. Some are reused outright; others are just slight variations of one another. Many include the word “fire,” echoing the name of the firm, FireEye, which acquired Mandiant in 2014.

Insedia has a database it calls Pitchfork that holds more than 4 billion records drawn from most of the high-profile database breaches of the past 20 years. The records are collected from underground forums; all of them are essentially “public.” Clements uses that database to find password patterns, too.

He says that Peretz’s LinkedIn account details made it into Pitchfork from the underground, perhaps as a result of LinkedIn’s big hack in 2012. That breach initially was thought to include about 6 million victims, but last year hackers claiming to have records on 117 million LinkedIn users tried selling the data online.

Not too hard to guess

LinkedIn forced users to reset their passwords after the leak, but Peretz’s old password might still have provided a hint for unlocking his other accounts, particularly if it followed a pattern.

In their dump, the hackers also revealed what appears to be a password for an Amazon account belonging to Peretz. A check of Insedia’s data found the same password linked to a Gmail address.

To Clements, all these patterns indicate hackers would have had several hot leads for trying to gain access to various accounts owned by Peretz.
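To make concrete what “finding password patterns” in a breach database like Pitchfork means, and why an old LinkedIn password becomes a lead against other accounts, here is an added Python example. It is not code from the article, from Insedia or from Pitchfork, and SAMPLE_LEAKS is a constructed, fictitious set of leaked service/password pairs for one hypothetical person. It reduces each password to its root (case, leetspeak and year/symbol suffixes stripped), reports verbatim reuse, cosmetic variants of one root and the stem that recurs across them, and then turns those patterns into the ordered guess list an attacker would try against an account that is not in the dump.

```python
"""Password-pattern analysis over leaked credentials.

Added example, not the article's or Insedia's code. SAMPLE_LEAKS is a
constructed, fictitious set of (service, password) pairs standing in for
what a breach-compilation database returns for one person.
"""
import re
from collections import defaultdict

# Constructed sample: one person's passwords as they might surface in breach dumps.
SAMPLE_LEAKS = [
    ("linkedin", "Fire2012!"),
    ("amazon", "Fire2015!"),
    ("gmail", "Fire2015!"),
    ("twitter", "F1reEye#17"),
    ("forum", "Tr0ub4dor&3"),
]

# Common leetspeak substitutions, undone so the underlying word shows through.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                       "3": "e", "4": "a", "5": "s", "7": "t"})


def root(password: str) -> str:
    """Reduce a password to its letter core: lowercase, drop leading/trailing
    digits and symbols (years, '!', '#17'), then undo leetspeak in the middle."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(_LEET)


def exact_reuse(leaks):
    """Passwords reused verbatim across services: the cheapest lead of all."""
    by_pw = defaultdict(list)
    for service, pw in leaks:
        by_pw[pw].append(service)
    return {pw: sorted(s) for pw, s in by_pw.items() if len(s) > 1}


def shared_roots(leaks):
    """Distinct passwords that are only cosmetic variations of one root."""
    by_root = defaultdict(set)
    for _, pw in leaks:
        if root(pw):
            by_root[root(pw)].add(pw)
    return {r: sorted(p) for r, p in by_root.items() if len(p) > 1}


def recurring_stem(leaks, min_len=4):
    """Letter run of at least min_len shared by the most distinct roots
    (the way 'fire' recurs across otherwise different passwords).
    Returns (stem, number_of_roots); ('', 0) if nothing recurs."""
    roots = {root(pw) for _, pw in leaks} - {""}
    counts = defaultdict(int)
    for r in roots:
        subs = {r[i:j] for i in range(len(r) - min_len + 1)
                for j in range(i + min_len, len(r) + 1)}
        for sub in subs:
            counts[sub] += 1
    shared = {s: c for s, c in counts.items() if c > 1}
    if not shared:
        return "", 0
    stem = max(shared, key=lambda s: (shared[s], len(s)))
    return stem, shared[stem]


# word + 2-4 digit year + optional trailing symbols, e.g. "Fire2012!"
_WORD_YEAR = re.compile(r"^(.*[A-Za-z])(\d{2,4})([^A-Za-z\d]*)$")


def candidate_guesses(leaks, years=range(2012, 2018)):
    """Turn the observed patterns into an ordered guess list for an account
    that is not in the dump: verbatim reuse first, then the same word with
    other year suffixes (both 4- and 2-digit forms)."""
    guesses = []

    def add(g):
        if g not in guesses:
            guesses.append(g)

    for _, pw in leaks:
        add(pw)
    for _, pw in leaks:
        m = _WORD_YEAR.match(pw)
        if not m:
            continue
        word, _, suffix = m.groups()
        for y in years:
            add(f"{word}{y}{suffix}")
            add(f"{word}{str(y)[2:]}{suffix}")
    return guesses


def analyze(leaks):
    """One-shot report of every lead the dump gives an attacker."""
    return {
        "verbatim_reuse": exact_reuse(leaks),
        "root_variants": shared_roots(leaks),
        "recurring_stem": recurring_stem(leaks),
        "guess_count": len(candidate_guesses(leaks)),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LEAKS).items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows one password shared verbatim between two services, two passwords that collapse to the root “fire”, the stem “fire” recurring in two of three roots, and a 14-entry guess list that already contains the year-bumped variants an attacker would try first. The defensive reading is the same as the article’s: a password manager producing unrelated random strings per site leaves none of these leads.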

It’s not at all clear that password management had anything to do with Peretz getting hacked. But it is clear the criminals were looking for password patterns, and consumers who use them place themselves at risk.

Security pros in cross-hairs

Meanwhile, the incident is a reminder that security professionals make mistakes, too. The problem for folks in the security space is the greater risk they face from the wrath of computer criminals.

From the “announcement” of the attack, it seems clear that the hackers had something personal against Peretz.

“Nobody understands the amount of dedication it takes to break into a highly secured network, to bypass every state of the art security measure installed to make a targeted network unbreakable, to code and hack not for the money but for the pleasure of being somewhere no one can be in, to be addicted to pain,” the group said in a statement. “From time to time there is a know-it-all security professional who tries to read your sick mind and blow your breach plan up to hell. … For a long time we – the 31337 hackers – tried to avoid these fancy ass “Analysts” whom trying to trace our attack footprints back to us and prove they are better than us. In the #LeakTheAnalyst operation we say … let’s track them on Facebook, Linked-in, Tweeter, etc. let’s go after everything they’ve got, let’s go after their countries, let’s trash their reputation in the field.”

Given the seeming grudge against Peretz, perhaps the hackers’ #LeakTheAnalyst campaign begins and ends here. But that’s not a safe bet. Greater awareness around bad password patterns is, however.
