Information Security News mailing list archives

Memo to feds: Stop using the same passwords for personal and work accounts


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 30 Dec 2011 03:56:46 -0600 (CST)

http://www.nextgov.com/nextgov/ng_20111229_4856.php

By Aliya Sternstein
NextGov.com
12/29/2011

Recent and future government victims of the hacker collective Anonymous may want to stop using agency passwords on nonwork websites, say officials with the Arizona Department of Public Safety, which learned that lesson the hard way.

During the weekend, hacker activists purportedly from Anonymous leaked the apparent passwords and some credit card data of federal subscribers to intelligence publisher Stratfor, according to the attackers' online messages. It is unclear whether the clients, whose government email addresses also were revealed, were using any of the passwords for federal government systems. But in Arizona, Anonymous allegedly unlocked state government systems by stealing and reusing the passwords officers used to access their personal email accounts and nonwork websites, said Officer Carrick Cook, spokesman for the police department.

"People were using the same password for a lot of different things," he said. "Cops are kind of silly when it comes to that and using the same password twice."

A former Anonymous member said some of the functioning passwords came from pornography websites. Jennifer Emick, who became a security consultant after abandoning the group's antics, said the police had registered on the illicit sites using their government e-mail addresses and government passwords. The attackers, who either operated the porn sites or hacked them, entered the customers' passwords into their corresponding government accounts to see if that would open department databases, she said. It worked, current Anonymous members confirmed.

[...]


_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn

