The Wide, Wide World of Hacking

Michael From our Perspective

Hackers are continuing to have a field day, as evidenced by the latest notable incident: the breach of the password manager LastPass.

On Monday, 15 June, LastPass notified its users via its blog that the service, which stores millions of customers' encrypted password vaults, had been compromised. According to arguably the most popular online password manager, the attackers accessed account email addresses, password reminders, per-user server salts (random values mixed into each stored hash, so an attacker has to crack every master password hash individually instead of reusing one precomputed table for everyone), and authentication hashes (the hashed master passwords). LastPass said there was no evidence that the encrypted vaults themselves were taken.

Because of how LastPass protects master passwords, the stolen data is of limited use on its own. The master password is never sent to LastPass: it is run through PBKDF2-SHA256 on the client (5,000 rounds by default at the time) before anything reaches their servers, and the resulting hash is then salted and hashed a further 100,000 rounds server-side before being stored. Recovering a strong master password from the stolen hash is therefore computationally infeasible; a short or common master password, however, can still be guessed offline, just far more slowly than with an unsalted single hash.

The biggest weak spot for LastPass customers is their own user-created password reminder, which was taken along with the hashes: some users' reminders are the password itself or a trivial variation of it, which shrinks the attacker's guessing work from a dictionary to a handful of tries.
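The two paragraphs above describe a client-side hash, a server-side re-hash with a per-user salt, and the residual risk from weak master passwords. The following is an added example written for this post, not LastPass's code; it uses the round counts from the notice but the exact LastPass construction (how the login hash is derived from the vault key, the salt length, the e-mail as client salt) is an assumption, and the accounts and wordlist are constructed. It shows why the same leaked hash cannot be attacked for two users at once, and why a weak master password still falls to a small wordlist despite 105,000 rounds of PBKDF2.

```python
import hashlib
import hmac
import os
from typing import Optional

# Round counts from LastPass's 2015 notice: 5,000 client-side by default, 100,000 server-side.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_auth_hash(email: str, master_password: str) -> bytes:
    """What the client sends in place of the master password.

    Assumed construction (not from the page): PBKDF2-SHA256 over the master password,
    salted with the lower-cased e-mail address, gives the vault key; one more PBKDF2 round
    keyed with the password turns it into a login hash that differs from the vault key.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def server_enroll(auth_hash: bytes, salt: Optional[bytes] = None):
    """Server side: strengthen the received hash with a random per-user salt and SERVER_ROUNDS.

    Returns (salt, stored_hash); both are what the attackers got in the breach.
    """
    salt = salt if salt is not None else os.urandom(16)  # 16-byte salt is an assumption
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)  # constant-time compare


def offline_crack(email: str, salt: bytes, stored: bytes, guesses) -> Optional[str]:
    """What an attacker holding (email, salt, stored hash) can do: guess one password at a time.

    Every guess costs CLIENT_ROUNDS + SERVER_ROUNDS of PBKDF2, and because the salt is
    per-user, nothing computed while attacking another account can be reused here.
    """
    for guess in guesses:
        if server_verify(client_auth_hash(email, guess), salt, stored):
            return guess
    return None


def demo() -> dict:
    # Constructed data: a tiny wordlist and three users, two with the same weak password.
    wordlist = ["123456", "password", "letmein", "Password1", "qwerty"]
    users = {
        "alice@example.com": "Password1",
        "bob@example.com": "Password1",
        "carol@example.com": "pelican-orbit-cactus-flute-77",  # long random passphrase
    }
    table = {email: server_enroll(client_auth_hash(email, pw)) for email, pw in users.items()}

    results = {}
    # Same client hash enrolled twice with fresh salts stores two unrelated values:
    # a table precomputed for one salt is useless for the other.
    h = client_auth_hash("alice@example.com", "Password1")
    _, stored_a = server_enroll(h)
    _, stored_b = server_enroll(h)
    results["same_hash_different_salts"] = stored_a != stored_b
    # Normal login still verifies.
    results["login_ok"] = server_verify(
        client_auth_hash("bob@example.com", "Password1"), *table["bob@example.com"]
    )
    # The weak password falls to the wordlist; the passphrase does not.
    results["weak_cracked"] = offline_crack("alice@example.com", *table["alice@example.com"], wordlist)
    results["strong_cracked"] = offline_crack("carol@example.com", *table["carol@example.com"], wordlist)
    return results


if __name__ == "__main__":
    print(demo())
```

Each guess here takes on the order of a tenth of a second in CPython, which is the whole point of the round counts: the attacker pays that cost once per guess per account, and a reminder that narrows the wordlist to a few candidates removes most of it.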

However, LastPass is still urging its users to change their master passwords immediately.

Everyone Deals with Hacking

LastPass, a potential gold mine for attackers (think millions of people's credentials for banking, social media, email and more in one place), has not been the only recent target.

In late May, the IRS announced that upwards of 100,000 taxpayer accounts had been breached in a labor-intensive operation that began in February. The information stolen included Social Security numbers, dates of birth, and street addresses.

The attackers got in through the "Get Transcript" application on the IRS website, passing its knowledge-based authentication questions with personal information about the victims that had been obtained from other sources. That is the weakness of knowledge-based authentication: the "secrets" it asks for (prior addresses, loan amounts, dates of birth) are exactly the data already circulating from earlier breaches and data brokers.

Rob Roy, chief technology officer of HP Enterprise Security Products, said the hackers "appear to have hired an army of people to submit over 200,000 queries into the IRS site over a period of four months. Not exactly a quick and easy operation."

The IRS is offering free credit monitoring to all of the hacked taxpayers.
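An operation of 200,000 queries spread over four months and many people is roughly 1,700 requests a day, which is too little per source for a simple rate limit to notice. What does stand out is breadth: one source answering the identity questions for many different taxpayers. The following detection logic is an added example written for this post, not anything the IRS runs; the log format and the sample lines are constructed, and the threshold is an assumption. It flags any source that requests transcripts for more than a handful of distinct taxpayers within a 24-hour window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in a made-up format (the real application's logging is not described
# on the page): timestamp, source address, a hashed taxpayer identifier, and the outcome
# of the knowledge-based authentication step.
SAMPLE_LOG = """\
2015-03-02T09:12:04 src=10.0.0.5 taxpayer=tp_a91 kba=pass
2015-03-02T09:14:31 src=10.0.0.5 taxpayer=tp_b22 kba=fail
2015-03-02T09:15:02 src=10.0.0.5 taxpayer=tp_b22 kba=pass
2015-03-02T09:40:19 src=10.0.0.5 taxpayer=tp_c07 kba=pass
2015-03-02T10:03:55 src=10.0.0.5 taxpayer=tp_d63 kba=fail
2015-03-02T10:05:10 src=10.0.0.5 taxpayer=tp_e18 kba=pass
2015-03-02T11:00:00 src=192.0.2.10 taxpayer=tp_f40 kba=pass
2015-03-02T11:02:30 src=192.0.2.10 taxpayer=tp_f40 kba=pass
2015-03-02T12:20:00 src=198.51.100.7 taxpayer=tp_g55 kba=fail
2015-03-02T12:21:15 src=198.51.100.7 taxpayer=tp_g55 kba=pass
2015-03-04T08:00:00 src=198.51.100.7 taxpayer=tp_h81 kba=pass
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) taxpayer=(\S+) kba=(pass|fail)$")


def parse_log(text: str):
    """Turn log lines into (timestamp, src, taxpayer, outcome) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, taxpayer, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), src, taxpayer, outcome))
    return events


def flag_sources(events, window=timedelta(hours=24), max_distinct=3):
    """Return {src: (peak_distinct_taxpayers, kba_failures)} for every source that presented
    answers for more than `max_distinct` different taxpayers inside any `window`-long span.

    A legitimate user asks for their own transcript (one identifier, maybe a retry); a hired
    operator working through a list of stolen identities asks for many. The threshold of 3 is
    an assumption chosen for this sample and would need tuning against real traffic
    (tax preparers, shared NAT addresses).
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()  # chronological
        in_window = Counter()  # taxpayer -> occurrences inside the sliding window
        start = 0
        peak = 0
        for ev in evs:
            in_window[ev[2]] += 1
            # Drop events that fell out of the window behind this one.
            while ev[0] - evs[start][0] > window:
                old = evs[start][2]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        failures = sum(1 for e in evs if e[3] == "fail")
        if peak > max_distinct:
            flagged[src] = (peak, failures)
    return flagged


if __name__ == "__main__":
    for src, (distinct, failures) in flag_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {distinct} distinct taxpayers in 24h, {failures} KBA failures")
```

In the sample, 10.0.0.5 works through five identities in under an hour and is flagged; 192.0.2.10 retries a single identifier, and 198.51.100.7 asks for two identifiers two days apart, so neither trips the window. Keying the check on identities per source rather than raw request volume is what lets it catch a slow, distributed campaign.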

Another recent breach, announced on June 5, was of the Office of Personnel Management, where attackers gained access to 4 million federal workers' information. (As of July 15, the number stands at 21.5 million.)

The government suspects the intrusion originated in China. But in a hearing held by the House Committee on Oversight and Government Reform, OPM Director Katherine Archuleta remained tight-lipped on what kind of information was accessed, how many individuals' data was accessed and what type, and the implications of the information.

In the same hearing she said that some of OPM's legacy systems, written in COBOL, could not feasibly be retrofitted with modern encryption and multi-factor authentication. Encryption at rest would not by itself have stopped an attacker who was using valid credentials; multi-factor authentication on those credentials is the control that matters most in that situation.

And when I said everyone, I meant everyone, deals with hacking.

Baseball has gotten into the act as well.

Earlier this week the New York Times broke the news that the FBI had recovered evidence showing that the St. Louis Cardinals had "hacked" into the Houston Astros' database. Cardinals employees reportedly used a password that Jeff Luhnow had used as a Cardinals executive and reused after becoming the Astros' general manager. This enabled them to retrieve information about trades, proprietary statistics, and scouting reports as early as 2013.

Investigators believe that Cardinals personnel, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and other officials [that he took with him when he left the team] when they worked for the Cardinals. The Cardinals employees are believed to have used those passwords to gain access to the Astros' network, law enforcement officials said.

– Michael S. Schmidt, The New York Times

Industrialized Hacking

It seems that Russia has taken the next step, by funding an organization dedicated to online manipulation: shaping the opinions of its own citizens and even staging bogus news events in the US.

I'm talking about a group known as the Internet Research Agency. I mentioned in an earlier post how the agency fabricated a story about a chemical plant explosion in St. Mary Parish, Louisiana, complete with text alerts to residents, doctored videos, and hundreds of Twitter accounts.

Other bogus stories included an Ebola scare in Atlanta under the hashtag #EbolaInAtlanta, which trended on Twitter for a while, pushed by the same Twitter accounts used in the Louisiana scare. They also fabricated a story of an unarmed black woman being shot by police in Atlanta. The Ebola scare came with its own full set of doctored images and videos, including a YouTube video showing a team in hazmat suits removing a "victim".

The Internet Research Agency appears to be bankrolled by Evgeny Prigozhin, who has close ties to Vladimir Putin and holds several lucrative state contracts. He pays his employees, or trolls, quite handsomely by Russian standards.

This group even held an art exhibition, "Material Evidence", in New York, which Adrian Chen, the author of the New York Times article, attended.

The Take-Away

Believe half of what you see, none of what you hear. If you aren’t already, you should be especially vigilant while browsing the web. It’s easy to believe that Russia isn’t the only perpetrator of mass trolling.

And as far as passwords: be smart. Don't reuse passwords across sites, change a password whenever a site you use is breached, and make them difficult to guess (a password manager exists precisely so you don't have to remember them). The verdict is still out on LastPass as we await the full scope of the fallout. But for now, they have shown real transparency, and their confidence in their hashing design is not unfounded; just be sure to change your master password and enable multi-factor authentication.

feature image courtesy of flickr user George Thomas
