Analysis of Forbes Passwords Dumped by the SEA


Recently the Syrian Electronic Army (SEA) hacked the news site Forbes and publicly dumped more than a million records from their WordPress site. As usual we will take a look at this dump with the analysis program “Pipal”.

This password dump was a little different than the ones that we have seen in the past. As explained on Sophos’ Naked Security site, the passwords were not stored in the clear but as salted hashes in the PHPass Portable format, as seen below:

You can see from this example picture from Sophos that each password is stored as a hash, and that each account also includes what is called a “salt”.

The hashes that we have looked at in the past didn’t have a salt – basically a random value mixed into the hash calculation so that two users with the same password end up with different hashes.

This makes cracking the passwords a lot more time consuming. Before, all we needed to do was crack a hash once, and every other hash made from the same password was cracked along with it.

Not so with a salted password: each hash is unique, so we have to crack each and every one individually.

So, to attempt to crack the entire million-plus password hashes would have taken something like 10 years. So, for time and sanity’s sake, I pulled about 20,000 hashes randomly from throughout the dump.

It still took several hours to work through this list.

Where I have seen cracking speeds in the thousands per minute with non-salted hashes, this time it averaged about 15 per minute!
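To make the salt-and-iteration point concrete, here is a Python reimplementation of the PHPass portable scheme (the `$P$` hashes WordPress stores), added here as an example; it is not code from the original post, from Sophos, or from the PHPass project. The field layout (`$P$`, one character encoding log2 of the round count, an 8-character salt, 22 characters of digest) and the `itoa64` alphabet follow the published PHPass algorithm; the salt is generated in the code and the sample password is constructed. WordPress’s `$P$B` prefix corresponds to 2^13 = 8,192 MD5 rounds, which is why each guess against one of these hashes costs thousands of times more than a single unsalted MD5, and why a cracked guess for one user tells you nothing about another user’s hash.

```python
import hashlib
import hmac
import os
from typing import Optional

# Alphabet PHPass uses to encode the round count, the salt and the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """PHPass's own base-64 variant (not RFC 4648): 3 bytes -> 4 chars, low bits first."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> Optional[str]:
    """Hash `password` under a 12-char setting: '$P$' + count char + 8-char salt.

    Returns None for malformed settings or round counts outside PHPass's 2**7..2**30.
    """
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return None
    rounds = 1 << count_log2
    salt = setting[4:12].encode()
    pw = password.encode()
    # The salt enters only the first MD5; every later round re-mixes the password,
    # so the work cannot be shared between two accounts with different salts.
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password: str, count_log2: int = 13) -> str:
    """Generate a random salt and hash `password` with 2**count_log2 rounds (13 = WordPress's '$P$B')."""
    salt = _encode64(os.urandom(6), 6)  # 6 random bytes -> 8 alphabet characters
    setting = "$P$" + ITOA64[count_log2] + salt
    result = phpass_crypt(password, setting)
    assert result is not None, "count_log2 must be between 7 and 30"
    return result


def phpass_check(password: str, stored: str) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    computed = phpass_crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def md5_calls_per_guess(stored: str) -> int:
    """Number of MD5 invocations one password guess against `stored` costs."""
    return (1 << ITOA64.find(stored[3])) + 1


if __name__ == "__main__":
    # Constructed sample: the most common password in the post, hashed twice.
    first = phpass_hash("millenium")
    second = phpass_hash("millenium")
    print(first)
    print(second)
    print("same password, same hash?", first == second)          # False: different salts
    print("verifies:", phpass_check("millenium", first))         # True
    print("MD5 calls per guess:", md5_calls_per_guess(first))    # 8193 for '$P$B'
```

Note that `phpass_check` deliberately rejects a setting whose round count is below 2^7; that mirrors PHPass, which refuses to verify hashes with an implausibly cheap work factor rather than silently accepting them.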

So, without further ado, here are some of the results:

Top 25 passwords

millenium = 761 (4.32%)
123456 = 597 (3.39%)
password = 351 (1.99%)
q1w2e3r4 = 266 (1.51%)
123456789 = 142 (0.81%)
abc123 = 97 (0.55%)
12345678 = 92 (0.52%)
qwerty = 91 (0.52%)
987654321 = 76 (0.43%)
111111 = 68 (0.39%)
0 = 59 (0.33%)
sunshine = 56 (0.32%)
letmein = 51 (0.29%)
password1 = 48 (0.27%)
passw0rd = 44 (0.25%)
baseball = 43 (0.24%)
monkey = 42 (0.24%)
1qaz2wsx = 41 (0.23%)
abcd1234 = 41 (0.23%)
123123 = 40 (0.23%)
success = 38 (0.22%)
Password1 = 35 (0.2%)
welcome = 34 (0.19%)
1234567 = 34 (0.19%)
maggie = 33 (0.19%)

Password length (length ordered)

1 = 61 (0.35%)
2 = 2 (0.01%)
3 = 5 (0.03%)
4 = 125 (0.71%)
5 = 246 (1.4%)
6 = 7075 (40.13%)
7 = 3421 (19.41%)
8 = 4283 (24.3%)
9 = 1913 (10.85%)
10 = 390 (2.21%)
11 = 99 (0.56%)
12 = 9 (0.05%)

Length and Complexity

One to six characters = 7514 (42.62%)
One to eight characters = 15218 (86.32%)
More than eight characters = 2411 (13.68%)

Only lowercase alpha = 13198 (74.87%)
Only uppercase alpha = 7 (0.04%)
Only alpha = 13205 (74.9%)
Only numeric = 1862 (10.56%)
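The statistics above are Pipal’s output. As an added example (not Pipal’s code and not from the original post), here is a small Python analyzer that produces the same three tables, top passwords, length distribution and length/complexity buckets, in Pipal’s `value = count (percent%)` format, from a list of cracked passwords. The password list embedded below is constructed for the demonstration and is not taken from the Forbes dump; point `SAMPLE` at a real cracked list (one password per line) to reproduce the tables above.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of cracked passwords; not data from the Forbes dump.
SAMPLE = [
    "millenium", "millenium", "millenium", "123456", "123456", "password",
    "q1w2e3r4", "Password1", "SUNSHINE", "0", "letmein", "abc123", "maggie",
]


def _pct(part: int, total: int) -> float:
    return round(100.0 * part / total, 2) if total else 0.0


def top_passwords(passwords: List[str], n: int = 25) -> List[Tuple[str, int, float]]:
    """Most common passwords with count and share, like Pipal's 'Top 25 passwords'."""
    total = len(passwords)
    return [(pw, c, _pct(c, total)) for pw, c in Counter(passwords).most_common(n)]


def length_distribution(passwords: List[str]) -> List[Tuple[int, int, float]]:
    """Count of passwords per length, ordered by length."""
    total = len(passwords)
    counts = Counter(len(p) for p in passwords)
    return [(length, counts[length], _pct(counts[length], total)) for length in sorted(counts)]


def complexity(passwords: List[str]) -> Dict[str, Tuple[int, float]]:
    """Length and character-class buckets, same labels as the tables in the post."""
    total = len(passwords)
    classes = {
        "Only lowercase alpha": re.compile(r"[a-z]+"),
        "Only uppercase alpha": re.compile(r"[A-Z]+"),
        "Only alpha": re.compile(r"[A-Za-z]+"),
        "Only numeric": re.compile(r"[0-9]+"),
    }
    buckets = {
        "One to six characters": sum(1 for p in passwords if 1 <= len(p) <= 6),
        "One to eight characters": sum(1 for p in passwords if 1 <= len(p) <= 8),
        "More than eight characters": sum(1 for p in passwords if len(p) > 8),
    }
    for label, pattern in classes.items():
        buckets[label] = sum(1 for p in passwords if pattern.fullmatch(p))
    return {label: (count, _pct(count, total)) for label, count in buckets.items()}


def format_report(passwords: List[str], n: int = 25) -> str:
    """Render all three tables as text in Pipal's 'x = n (p%)' style."""
    lines = [f"Top {n} passwords", ""]
    lines += [f"{pw} = {c} ({p}%)" for pw, c, p in top_passwords(passwords, n)]
    lines += ["", "Password length (length ordered)", ""]
    lines += [f"{length} = {c} ({p}%)" for length, c, p in length_distribution(passwords)]
    lines += ["", "Length and Complexity", ""]
    lines += [f"{label} = {c} ({p}%)" for label, (c, p) in complexity(passwords).items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE))
```

Note that "Only alpha" and "Only numeric" are disjoint while the length buckets overlap (the post's "One to eight characters" includes "One to six characters"), which is why the length percentages do not sum to 100.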

Conclusion

Granted, we only cracked a small portion of the list due to time constraints (because the hashes were salted), but the results look very similar to what we have seen in the past.

The top 25 passwords used, length and complexity still seem very consistent with other password dumps that we have analyzed.

The majority of passwords used were 6 to 9 characters in length and used only lowercase letters.

For better security, use long, complex passwords incorporating random uppercase and lowercase letters, numbers and symbols. Also, use a different complex password for every server or website that you use, so that one compromised site, as in this case, does not expose your accounts elsewhere.


Obama’s Facebook and Twitter Compromised by Syrian Hackers


The Syrian Electronic Army (SEA), a Syria-based hacker group known for redirection and denial-of-service attacks on media and political targets, briefly altered links from Obama’s social media sites to point to videos created by the SEA.

The attack was made possible not by hacking the websites, but by compromising the link shortening service that the President’s campaign team used on several websites.

According to the SEA’s Twitter feed, Twitter eventually blocked the links altogether, and for a while visitors saw this:

Barack Obama 2

In a series of e-mails to the news site Mashable, the SEA hackers allegedly claimed they compromised BarackObama.com by attacking one of the site’s administrators:

“In a follow-up email, the SEA provided screenshots that show how it altered the links in Obama’s social media posts. The group appears to have hacked the email address of Suzanne Snurpus, one of the administrators of BarackObama.com, and it gained access to a control panel for the site.”

For more information see the Mashable website.

Syrian Hacker Group (SEA) claims to be able to Hack any Website

A video has surfaced this week showing an alleged interview with the commander of the Syria-based hacker group “Syrian Electronic Army” (SEA). In the video the speaker claims that the SEA can hack any website that posts false information about Syria within just a few hours.

The SEA has gained notoriety by hacking several Western news company websites and social media outlets. One of their favorite tactics for gaining access seems to be social engineering: from reports, the group sends very believable e-mails containing booby-trapped links.

Though most of the attacks seem to be more nuisance-type attacks, the SEA did successfully deface a US Marine Corps recruiting site last month. I doubt they are at the top of the list of targets for retaliation by US Cyber Command, as our forces are more concerned with attacking military and infrastructure-type targets. But messing with the Marines probably isn’t the wisest thing to do.

What I am curious about, though, is whether the US would ever escalate to kinetic attacks on hacker group leaders. Earlier this month one of Iran’s cyber commanders was executed, presumably by Israeli forces.

Time will tell I guess…

The SEA takes a swipe at the US Marines, or was it the Russians?

As things continue to heat up in Syria and Obama waits to hear from Congress as to whether or not to launch a missile strike, it looks like the Syrian Electronic Army (SEA) has struck first. And what a target.

The SEA, known for website defacement and infiltrating social media and news sites, has apparently set its sights quite a bit higher. Yesterday they temporarily redirected the US Marine recruiting website Marines.com to one that contained the message in the image above.

The webpage contained images of people in (most likely bogus) American uniforms holding up signs saying that they would not fight for Al-Qaeda in Syria.

A lot about this doesn’t sit very well with me.

First up, and to clear the air: no, it wasn’t the official US Marines military site (marines.mil) that was redirected. Marines.com is a recruiting site owned by the marketing company J Walter Thompson, and the site was only redirected for a short period of time.

bogus Syria Supporter

Secondly, the SEA had to have the mugshots of those bogus American Syrian Army supporters before they redirected the page.

Quite a coincidence, unless…

Russia is involved.

Remember, Russia is backing the Syrian government and does not want America there. How hard would it be for them to work with the SEA and create a little psy-ops propaganda?

Russia has a very capable cyber team, and if they were not involved with this little fiasco, chances are they will be if America directly attacks Syria.

But no matter how you slice it, messing with US military sites (especially the Marines!) is a whole different ballpark than just hacking newspaper sites. Expect American cyber teams to respond, if they aren’t already.

And I doubt they will respond with web defacements and redirections…