Adam LaFave- Security in the News
NullCrew hacks MoD – leaks thousands of plaintext credentials

Possibly to mark the anniversary of Guy Fawkes Day, a hacker group known as “NullCrew” was able to steal over 3400 emails and passwords from the UK Ministry of Defense. These hacked accounts came from Hotmail, Google, and .gov servers. These credentials were then posted in plaintext to the global internet. The hack used by NullCrew was a SQL injection, which is not considered an advanced technique. This tells IT security experts that the Ministry’s security is out-of-date. In addition, security researchers claim that other simple to detect, yet still serious, vulnerabilities exist on their site. Luckily for the Ministry, none of the information posted appears to be sensitive to national security. Most of the posted accounts were from the UK Hydrographic office, with a large number coming from two particular cities, Portsmouth and Plymouth, that had new naval centers. An analysis of leaks coming from the Portsmouth office revealed that many of the passwords were weak and there was no policy in place regarding password length or complexity. Officials are concerned that people with hacked passwords will now be vulnerable in other places due to password reuse. There is also fear of “copycat” attacks in the near future.

The first issue raised in the article was how easy it was for the hacker group to gain access to the to the password list. A SQL injection attack is a method of “confusing" or modifying a poorly coded database by giving it an additional SQL inquiry in order to make it give up information that it should be keeping secret. The fact that a SQL Injection is a simple and well-known attack technique means that the Ministry of Defense should have guarded against it. A good way to guard against the SQL injection is to use existing database subroutines, known as stored procedures to sanitize (remove unacceptable characters that could manipulate the database) and validate (check expected data type, characters, or format) any incoming queries.

A second issue is that of passwords. A password should be sufficiently complex so that it can not be easily cracked. However, in the city of Portsmouth, the article cites several passwords of only three characters and one of only one character. With modern computing technology, passwords this short can be cracked in seconds, making security about the same as having no passwords at all. A good way to guard against simple passwords is for management to have rules about password length, complexity, and longevity. However, it seems that this office had no password standards in place. Other protection methods such as salting or threshold cryptography storage could keep passwords safer. Many of the passwords also had to do with boating (this was a naval office). This may give hackers some insight into the psychology of how those within naval department make passwords, thus narrowing down dictionary wordlists and making passwords easier to hack in the future. A final point on passwords was the fear that those with hacked passwords used them in other places. Password reuse is a large problem and can be avoided by using a unique password for each unique account. Using a password management program can make this easier and safer than trying to remember a multitude of passwords or writing them all down.