Should we be laughing with the now infamous hacker group LulzSec, or shaking in our boots about what they, and others, could do to us? Maybe a little bit of both.
This group apparently includes some very experienced computer users and security experts. I can tell they have been around the cyber-scene for as long as I have, because I recognize the cutesy-style pirate-ship logos they use to tag their work. They were common in the mid-1980s, in the heyday of the BBS. They look like this:
[ASCII-art logo: a pirate ship carrying a "LOL" banner and the lettering "The Lulz Boat"; the drawing was flattened to a single line when the page was extracted.]
Many view their activities as a form of protected political protest. See the Wikipedia article:
LulzSec draws its name from the neologism “Lulz” (from LOLs), which often signifies laughter at the victim of a prank, and “Sec,” short for “Security”. The Wall Street Journal has characterized its attacks as closer to internet pranks rather than serious cyber-warfare.
So far they have not caused damage, just exposed security flaws in what you would expect to be secure Internet websites, including the CIA’s public site and Sony’s PlayStation Gaming Network, where the information of 100,000,000 users was compromised. Sony waited days to report the breach, but when it finally did, Sony offered free credit monitoring, identity-theft insurance and free games. It says that 90% of customers have resumed using its gaming network. See the Wall Street Journal article: Firms Come Clean on Hacks.
LulzSec claims to be white-hat, or at least grey-hat, hackers. I sure hope so, because they seem capable of defeating very high security precautions.
Does Your Stated Password for a Website Somehow Relate to the Theme of the Website?
As a result of recent LulzSec hacking, thousands of secret user names and passwords have been revealed. Studies of this now-public data are uncovering some interesting patterns. See PC Pro’s Darien Graham-Smith’s analysis of the stolen passwords. The study:
… gives a fascinating glimpse of some other people’s lives. And it gives an interesting insight into the way people choose their passwords: in this case, apparently, on a theme that reflects the nature of the site they’re visiting.
Another article, on rafekettler.com, includes a statistical analysis of the 62,000 Administrator User Names and Passwords that were stolen and published by LulzSec. It showed that the top ten passwords on one large writer-oriented site were:
123456 was used 558 times
123456789 was used 181 times
password was used 132 times
romance was used 88 times
102030 was used 68 times
mystery was used 67 times
tigger was used 62 times
shadow was used 61 times
123 was used 55 times
ajcuivd289 was used 55 times
You would think a group of 62,000 Administrators of a writer-oriented site would be more creative, but one entry is mystifying: “ajcuivd289”.
Anybody know why so many people choose the above password?
I used to manage a web portal used by 47,000 Texas lawyers. I did an analysis of their passwording habits once and was astounded by how weak and repetitive their choices were.
I would have guessed that ajcuivd289 was composed of the first letters of a mnemonic phrase and a date, but I think it’s more likely to have been selected because of the ease with which it can be typed on a standard keyboard. A and J represent the leftmost fingers for a touch typist, and the other letters (C and U, I and V) are each a like movement of fingers on the keyboard. Not a compelling guess, but as good as any other perhaps.
It would be worth checking if there are any Russian words or names with significance. You may safely assume that the repetition of this password doesn’t indicate 55 different users but, more likely, a single user creating 55 alias accounts.
The analysis by Rafe Kettler, the person who first ran the password histogram, shows that ajcuivd289 (and the capitalization variant AjcuiVd289, which turned up 7 more times) are almost certainly associated with a single person who created 62 accounts. The pattern of associated emails is too similar for any other hypothesis.
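The histogram above and the alias-account hypothesis in the last comment amount to two checks a site operator can run on a credential dump of their own users: count exact passwords, then ask whether a password shared by many accounts belongs to many people or to one person registering aliases. The following is an added example, not code from this post or from Rafe Kettler’s analysis; the sample dump, the email-normalization rule and the 0.5 single-actor threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample dump ("email:password" per line), not the real leaked data.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.org:123456
carol@example.net:123456
dave@example.com:romance
writer01@mail.example:ajcuivd289
writer02@mail.example:ajcuivd289
writer.03@mail.example:ajcuivd289
writer04+alt@mail.example:AjcuiVd289
"""

def parse_dump(text):
    """Return (email, password) pairs; split on the first ':' only,
    since a password may itself contain a colon."""
    pairs = []
    for line in text.splitlines():
        if ":" in line:
            email, password = line.strip().split(":", 1)
            pairs.append((email.lower(), password))
    return pairs

def top_passwords(pairs, n=10):
    """Exact-match password histogram, most common first."""
    return Counter(pw for _, pw in pairs).most_common(n)

def normalize_email(email):
    """Collapse common alias tricks: '+tag', dots and digits in the local part (assumed rule)."""
    local, _, domain = email.partition("@")
    local = re.sub(r"[.\d]", "", local.split("+", 1)[0])
    return f"{local}@{domain}"

def alias_clusters(pairs, min_count=3):
    """For each password shared by >= min_count accounts (case-insensitive),
    compare accounts to distinct normalized owners. A low ratio suggests one
    person registering alias accounts; a ratio near 1 is genuine reuse."""
    groups = defaultdict(list)
    for email, pw in pairs:
        groups[pw.lower()].append(email)
    report = {}
    for pw, emails in groups.items():
        if len(emails) >= min_count:
            owners = len({normalize_email(e) for e in emails})
            report[pw] = {"accounts": len(emails), "distinct_owners": owners,
                          "likely_single_actor": owners / len(emails) <= 0.5}
    return report
```

Passwords flagged as genuine reuse (123456 in the sample) call for a forced reset across those accounts, while a single-actor cluster (ajcuivd289 in the sample) is an abuse or sockpuppet question rather than a password-strength one.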