http://arstechnica.com/tech-policy/2012/11/petraeus-affair-offers-unintentional-lesson-on-password-reuse/

By Nate Anderson
Ars Technica
Nov 12 2012

Paula Broadwell, the biographer and reported mistress of CIA director David Petraeus, appears to have been a subscriber to the "private intelligence" firm Stratfor—and that means that her Stratfor login account and its hashed password were hacked and released last year by Anonymous.

The Stratfor hacker, who the US government says was Chicago-based Jeremy Hammond, obtained a complete roster of all corporate client accounts. These were released online in a massive file called stratfor_users.csv. Inside that file appear the details for one paulabroadwell_at_private, whose hashed password is listed as "deb2f7d6542130f7a1e90cf5ec607ad1."

It's not clear whether the leak was meaningful—Broadwell's Stratfor password and her actual Yahoo e-mail password might have differed—but the prevalence of password reuse raises the possibility that hackers could have accessed her Yahoo e-mail or perhaps even the Gmail account she allegedly used to correspond with Petraeus. BuzzFeed speculated that this might have happened and that Anonymous might have had access to Broadwell's Yahoo account, at least.

Security researcher Robert David Graham casts a skeptical eye on the story, though, noting that Broadwell's password was a good one that resisted obvious dictionary attacks. Graham had broken it, however, using a brute-force attack that simply tried every letter and number combination in existence, running 3.5 billion combinations per second against the password until he found it.

[...]

Received on Tue Nov 13 2012 - 02:07:05 PST