It’s been a while since one of the hacktivist groups made a big splash, but this week an Anonymous spin-off has claimed a huge hit involving NASA and other aerospace organizations, as well as a few other companies, including a defense contractor.
The group’s name, Team GhostShell, seems more fitting for Halloween than Christmas time. However, because Team GhostShell’s attack resulted in the leak of 1.6 million accounts and records, it does equal the cold-hearted ruthlessness and spitefulness of Scrooge and Marley. According to ZDNet, most of the records were likely obtained through a SQL injection and include files that contain email addresses, home addresses, passwords and defense-related materials.
Team GhostShell has allegedly said this will be its last “project” of what was a busy 2012. The group has been linked to hacks of thousands of college records and millions of records from the Russian government. But you can be sure that this group or another has something planned for the new year.
So what gives? As the hacktivists show, organizations — particularly those involved with the security of the country — are too easily broken into. HD Moore, chief security officer for Rapid7 and chief architect of Metasploit, gave me a reason for that, using this particular attack as his example:
This breach highlights poor password storage mechanisms across a wide range of organizations. In many cases, passwords were stored in clear-text, without even the modest protection of a hashing function such as SHA1, let alone a cryptographic salt. One issue that makes this breach unique is that in addition to passwords, some of the dumped tables include the secret questions and answers. This exposure is much more significant, as these answers are much harder to change than a password for a web site. For example, your mother is unlikely to change her maiden name.
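To make the storage point in the quote concrete, here is an added example (not code from the article, from Rapid7, or from any of the breached organizations) contrasting the unsalted SHA1 the quote mentions with a salted, iterated hash, and storing a security-question answer the same way. The PBKDF2-HMAC-SHA256 choice, the iteration count and the sample record are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption for this example: iteration count for PBKDF2 (not a value from the page).
ITERATIONS = 200_000


def unsalted_sha1(secret: str) -> str:
    """The weak form the quote mentions: every user with the same secret gets the
    same digest, so one cracked value reveals all matching accounts."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()


def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash, stored as one self-describing string."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def normalize_answer(answer: str) -> str:
    """Light normalisation for security-question answers so 'Smith ' and 'smith'
    still verify; the answer is then hashed exactly like a password."""
    return " ".join(answer.casefold().split())


def store_record(email: str, password: str, answer: str) -> dict:
    """Constructed sample record: only hashes are kept, never the clear text."""
    return {
        "email": email,
        "password_hash": hash_secret(password),
        "answer_hash": hash_secret(normalize_answer(answer)),
    }
```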
In other words, the organizations have made it easy to be hit. Intruders will always look for the easiest way in, whether it is a burglar wanting to rob your home or a hacker wanting to rob your data. If you provide them with an unlocked door or a chunk of data stored in plain text, you are practically inviting them to come in.
Since this is the time of year for making resolutions, wouldn’t it be great if all companies would resolve to take just one step to better protect their data, even if that one step is to encrypt passwords? One extra layer of protection makes it that much harder for the bad guys to walk in.