Cyber criminals crack ‘password patterns’ with surprising ease
Even security professionals too often use predictable, risky log-in credentials
By Bob Sullivan, ThirdCertainty
Computer users have something new to worry about in the cat-and-mouse game with hackers. You probably use “password patterns” to create easy-to-remember but hard-to-guess passwords. Well, the criminals are on to you. Their ability to detect such patterns may have figured prominently in the recent high-profile attack on a security professional.
Computer security professionals know they have a target on their backs. When you hunt hackers for a living, the hackers hunt back. Even professionals with impressive credentials sometimes fall victim to such attacks.
A stark reminder of this risk came last week when Adi Peretz, a senior threat intelligence analyst at prominent security firm Mandiant, saw his laptop and social media account compromised and exposed by a group of hackers. The group said it was beginning a campaign called #LeakTheAnalyst against security professionals they say are chasing after their internet tracks. As retribution, they will begin tracking their adversaries on social media with the stated goal of “Trash(ing) their reputation in the field.”
Mandiant confirmed the attack in an email to me, but said it was limited to Peretz’s laptop and social accounts.
“We are investigating this situation, and have taken steps to limit further exposure,” the firm said in a statement. “While our investigation is ongoing, there is currently no evidence that FireEye or Mandiant corporate systems have been compromised. … To date, we have confirmed the exposure of business documents related to two separate customers in Israel, and have addressed this situation with those customers directly. … We will do our best to keep you up to date.”
Hackers recognize patterns
The statement did not suggest how the attack occurred. But in their announcement of the hack, the criminals specifically mentioned they had found Peretz’s “favorite password patterns.”
The statement also pointed to a large data dump of stolen files and emails. A file included in the dump has an entire section devoted to revealing these patterns, said Dan Clements of Insedia.com, a security firm. The file reveals passwords for various Peretz accounts, showing their similarities. Some are reused, or are just slight variations of one another. Many include the word “fire,” echoing the name of the firm—FireEye—which acquired Mandiant in 2014.
Insedia has a database it calls Pitchfork that includes more than 4 billion records containing details from most high-profile database breaches from the past 20 years. The records are collected from underground forums; all of them are essentially “public.” Clements uses that database to find password patterns, too.
He says that Peretz’s LinkedIn account details made it into Pitchfork from the underground, perhaps as the result of LinkedIn’s big hack in 2012. That initially was thought to include about 6 million victims, but last year, hackers claiming to have records on 117 million LinkedIn users tried selling the data online.
Not too hard to guess
LinkedIn forced users to reset their passwords after the leak, but Peretz’s old password might have provided a hint to unlock his account, particularly if it followed a pattern.
In its dump, the hackers also revealed what appears to be a password at an Amazon account belonging to Peretz. A check of Insedia’s data found the same password linked to a Gmail address.
To Clements, all these patterns indicate hackers would have had several hot leads for trying to gain access to various accounts owned by Peretz.
It’s not at all clear that password management had anything to do with Peretz getting hacked. But it is clear the criminals were looking for password patterns; consumers who use them place themselves at risk.
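The pattern habits the article describes (exact reuse, slight variations of an earlier password, and embedding the employer's name) are easy to catch at password-change time. The check below is an added example, not code from the article, Insedia or Mandiant; the leetspeak table, the two-edit threshold, the password history and the organization tokens are all constructed assumptions.

```python
import re

# Common leetspeak substitutions folded away before comparing (assumption:
# a small set chosen for this example; extend it as needed).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(pw):
    """Lower-case and undo leetspeak so 'F1re' and 'fire' compare equal."""
    return pw.lower().translate(LEET)

def stem(pw):
    """Strip leading/trailing digits and symbols, then normalize: the reusable core."""
    return normalize(re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower()))

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def pattern_findings(candidate, history, org_tokens, max_edits=2):
    """Return the reasons a proposed password repeats an old pattern (empty = clean)."""
    findings = []
    def note(msg):
        if msg not in findings:
            findings.append(msg)
    cand_norm, cand_stem = normalize(candidate), stem(candidate)
    for old in history:
        if candidate == old:
            note("exact reuse of a previous password")
        elif cand_stem and cand_stem == stem(old):
            note("same core as a previous password (only digits/symbols changed)")
        elif levenshtein(cand_norm, normalize(old)) <= max_edits:
            note(f"within {max_edits} edits of a previous password")
    for token in org_tokens:
        if token.lower() in cand_norm:
            note(f"contains organization token {token!r}")
    return findings

# Constructed sample history and employer tokens; not real credentials.
HISTORY = ["Fire2016!", "fire2017!"]
ORG_TOKENS = ["fire", "mandiant"]

if __name__ == "__main__":
    for pw in ["Fire2018!", "F1re2018@", "Fyre2016!", "F1r3w4ll2019", "Tr0ub4dor&3"]:
        print(pw, "->", pattern_findings(pw, HISTORY, ORG_TOKENS) or ["no pattern found"])
```

Rejecting a candidate with any finding is one defensive use; another is running the same check over an organization's breached-credential hits to see which accounts share a core with a leaked password.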
Security pros in cross-hairs
Meanwhile, the incident is a reminder that security professionals make mistakes, too. The problem for folks in the security space is the greater risk they face from the wrath of computer criminals.
From the “announcement” of the attack, it seems clear that the hackers had something personal against Peretz.
“Nobody understands the amount of dedication it takes to break into a highly secured network, to bypass every state of the art security measure installed to make a targeted network unbreakable, to code and hack not for the money but for the pleasure of being somewhere no one can be in, to be addicted to pain,” the group said in a statement. “From time to time there is a know-it-all security professional who tries to read your sick mind and blow your breach plan up to hell. … For a long time we – the 31337 hackers – tried to avoid these fancy ass “Analysts” whom trying to trace our attack footprints back to us and prove they are better than us. In the #LeakTheAnalyst operation we say … let’s track them on Facebook, Linked-in, Tweeter, etc. let’s go after everything they’ve got, let’s go after their countries, let’s trash their reputation in the field.”
Given the seeming grudge against Peretz, perhaps the hackers’ #LeakTheAnalyst campaign begins and ends here. But that’s not a safe bet. Greater awareness around bad password patterns is, however.