LulzSec, the group behind the recent Sony hacks, defaced the website of FBI affiliate Infragard, stole its user database and posted it online. The daring attack gives a glimpse of hackers' reach extending to 'high-hanging' fruit like the country's vaunted police force. It also passed on a minor lesson -- in password security.
The attack revealed that many FBI staff who were members of Infragard did not follow mandatory password security norms and guidelines.
LulzSec discovered this by testing the stolen passwords against other websites. They found that many members, including FBI agents, were probably using weak passwords. More importantly, they were reusing those passwords on other websites, a serious weakness in data security and a blatant violation of official guidelines.
LulzSec's "F**k FBI Friday" attack was followed by the online publication of as many as 180 records of Infragard members: usernames, hashed passwords, plain-text passwords, real names and email addresses.
One interesting feature of the attack was that not all passwords were cracked. A report on nakedsecurity.com points out that LulzSec didn't crack the passwords of members who probably used passwords of reasonable complexity and length; that makes brute forcing far more difficult, and LulzSec couldn't be bothered to crack them, the report says.
LulzSec also tested the cracked passwords against other services. The findings were interesting -- many members were reusing the same passwords on other sites, compromising their security. LulzSec singled out one of these users, Karim Hijazi, who, according to the hackers, used his Infragard password for both his personal and corporate Gmail accounts, the report says.
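The two lessons in the report above, that length and character variety enlarge the search space an attacker must exhaust and that a password reused across services turns one breach into several, can be turned into a defender-side check. The following is an added example written for this page, not code from LulzSec, Infragard or the cited report; the list of breached password hashes, the sample password-manager vault and the guess rate of one billion guesses per second are constructed assumptions.

```python
import hashlib
import math
import string

# Constructed sample: SHA-1 digests of passwords assumed to appear in an earlier
# public breach dump (hypothetical list, not the Infragard data).
KNOWN_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "letmein", "infragard")
}

# Assumed attacker rate for an offline attack on a fast, unsalted hash.
GUESSES_PER_SECOND = 1e9

# Constructed sample of one user's password-manager vault: (service, password).
SAMPLE_VAULT = [
    ("infragard.example", "Summer2011!"),
    ("mail.example", "Summer2011!"),
    ("bank.example", "k9#Lw2$vQp7z"),
]


def charset_size(password):
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1  # a space counts as one extra symbol
    return size


def strength_bits(password):
    """Worst-case exhaustive search space in bits: length * log2(charset size).
    This is an upper bound; dictionary words and patterns are guessed far sooner."""
    cs = charset_size(password)
    if cs == 0:
        return 0.0
    return len(password) * math.log2(cs)


def brute_force_seconds(password, guesses_per_second=GUESSES_PER_SECOND):
    """Time to exhaust the full search space at the assumed guess rate."""
    return 2 ** strength_bits(password) / guesses_per_second


def is_breached(password):
    """True if the password's SHA-1 appears in the (constructed) breach list."""
    return hashlib.sha1(password.encode()).hexdigest() in KNOWN_BREACHED_SHA1


def evaluate(password, min_bits=60.0):
    """Policy decision: reject anything short of min_bits or already breached."""
    bits = strength_bits(password)
    breached = is_breached(password)
    return {
        "bits": round(bits, 1),
        "breached": breached,
        "seconds_to_exhaust": brute_force_seconds(password),
        "acceptable": bits >= min_bits and not breached,
    }


def find_reused(vault):
    """Map each password used on more than one service to the sorted list of
    those services; this is the 'reused password' audit a manager would show."""
    by_password = {}
    for service, password in vault:
        by_password.setdefault(password, []).append(service)
    return {p: sorted(s) for p, s in by_password.items() if len(s) > 1}


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, evaluate(pw))
    print("reused:", find_reused(SAMPLE_VAULT))
```

The bit estimate is deliberately a ceiling: it says how long a blind exhaustive search would take, which is why a dictionary word such as "password" is rejected by the breach check rather than by its length. The reuse audit runs only over plaintexts the user already holds in a password manager; a site operator cannot and should not perform it on stored credentials.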
Meanwhile, a twist in the tale emerged on Saturday when Hijazi, who runs the botnet-tracking company Unveillance, alleged that LulzSec had threatened to post the information stolen from Infragard if he didn't pass on security information about botnets.
Earlier, LulzSec had alleged that Hijazi had offered them money to hack into his competitor's website and to stay silent about his own database, after they informed him that his personal communications, including his Gmail, had been compromised.