First published: 01st September 2007
Swedish security researcher Dan Egerstad has published a list of one hundred passwords of Government-related email accounts, including Legislative Council members. Egerstad claimed he was able to get the passwords because users of the accounts were misusing a common security application in a way that allowed him to perform a man-in-the-middle attack. He said that the vendor of the software provided ample warnings against using it in that manner.
Apart from inadvertently misusing a security application, the passwords reveal a range of knowledge of, or attitudes to, password choice. For example, tinyan at the Hong Kong Liberal Party uses '12345678', which is possibly better than miriamlau's '123456'.
But at least we can expect the Democratic Party to benefit from the advice of their LegCo member for the IT Functional Constituency, and therefore choose more secure passwords? Apparently not, as twk has chosen 'password'. Perhaps this is not too surprising, as Sin Chung Kai, the LegCo member in question, has a password consisting of his wife's name and what might be a date. At least we know when to send his wife birthday cards.
The list contains nineteen Hong Kong-related addresses and passwords, mostly for political parties and LegCo members, though there is one for the Hong Kong Government Information Services Department.
Owners of these accounts should check that their procedures for accessing them are in accordance with the application vendor's security advice, and then change their passwords immediately. The organisations concerned should review their policies and how they are being enforced.
Please remember that accessing the accounts without authorisation is a criminal offence.
Updated: 04th September 2007
We have been informed that the affected organisations in Hong Kong have been contacted, and a report has been made to the Hong Kong Police.
The incident must be especially embarrassing for Hon. Sin Chung Kai because his newsletter to IT Functional Constituency voters on 31st August went out under the headline, "More education on information security is needed". We hope he signs up for a course very soon.
Updated: 30th September 2007
On the 5th September 2007, Hon. Sin Chung Kai issued a statement strongly condemning the actions of the Swedish researcher in a special issue of his newsletter. Sin noted that the actions were likely in breach of Hong Kong law, such as the Telecommunication Ordinance (Chapter 106) Section 27A Unauthorized access to computer by telecommunications; and the Crimes Ordinance (Chapter 200) Section 161 Access to computer with criminal or dishonest intent, and stated that the Hong Kong Police had his full cooperation on the matter. In fact, the stated intent of the researcher was not criminal or dishonest, but it remains to be seen whether there is evidence otherwise.
Our Chief Consultant, Allan Dyer, felt there were wider issues to be addressed and sent Hon. Sin the following email:
"I think your statement leaves out some very important issues, and I think a fictional scenario might help to illustrate this. Suppose a person walked into an unlocked bank-vault, picked up the largest gold bar they could find and then dropped it in the middle of the bank, in front of all the customers, shouting "look what I've done". The person has done something wrong by entering the vault and moving the gold without permission, but they have highlighted a security problem and haven't actually stolen anything. It would certainly be appropriate for the police to investigate, and search them, to see if they had other valuables from the vault in their pockets, but customers would want to know why the vault was unguarded, what valuables were at risk and what the bank was doing to improve its security. The bank should be accountable for the poor security.
Your statement does not address the accountability issue. You have made clear the illegality of the security researcher's actions, now let us hear about the Information Security Management of you and your office, specifically:
- Why were you and your staff using an insecure method to access your mail? POP3 with simple authentication sends passwords in the clear; the APOP extension is better because it sends the MD5 hash of the password and a timestamp code, although recent research suggests attacks are still possible (see references below). The best solution is probably to tunnel the POP connection over an encrypted session, SSH or SSL (personally, I was tunnelling POP3 over SSH on Windows 3.1, that was a long time ago).
- Although the attack did not involve password guessing, it did reveal how weak some of the passwords are, for example, your staff using 'password', and you using your wife's name. What password policy did you have in place?
- What types of information were at risk? Were these email accounts used for personal correspondence, party business, or Government business? Were any sensitive messages ever stored in these accounts?
- What are you doing to improve the security? Apart from improving your policies and procedures, you should consider regular testing: security audits and penetration tests, give someone the job of looking for these problems before a bad guy does it for free... without telling you!"
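The email's comparison of plain POP3 login with APOP, as an added example that is not part of the original article or of Mr Dyer's message: it builds both exchanges, computes the RFC 1939 APOP digest (MD5 over the server's timestamp banner followed by the secret), and shows what a passive eavesdropper on the path sees in each case and why a captured digest cannot be replayed against a later session. The user name, banners and password are constructed values.

```python
import hashlib
import hmac
import re

# Constructed sample values for this example (not from the article).
# Note that APOP obliges the server to keep the secret itself on file.
USER_DB = {"alice": "correct horse staple"}
BANNER_1 = "<4242.1188604800@mail.example.invalid>"  # first session's banner
BANNER_2 = "<4243.1188604860@mail.example.invalid>"  # a later session's banner


def apop_digest(timestamp: str, password: str) -> str:
    """RFC 1939 s.7: hex MD5 over the timestamp banner followed by the secret."""
    return hashlib.md5((timestamp + password).encode("ascii")).hexdigest()


def plain_login(user: str, password: str) -> list[str]:
    """USER/PASS login: the password itself is sent on the wire."""
    return [f"C: USER {user}", "S: +OK", f"C: PASS {password}", "S: +OK"]


def apop_login(user: str, password: str, timestamp: str) -> list[str]:
    """APOP login: only a digest bound to this session's banner is sent."""
    return [f"S: +OK POP3 server ready {timestamp}",
            f"C: APOP {user} {apop_digest(timestamp, password)}",
            "S: +OK"]


def server_verify_apop(client_line: str, timestamp: str, user_db: dict) -> bool:
    """Server side: recompute the digest for the current banner and compare."""
    m = re.fullmatch(r"C: APOP (\S+) ([0-9a-f]{32})", client_line)
    if not m or m.group(1) not in user_db:
        return False
    expected = apop_digest(timestamp, user_db[m.group(1)])
    return hmac.compare_digest(expected, m.group(2))


def secret_on_wire(transcript: list[str], password: str) -> bool:
    """What a passive eavesdropper on the path would read from the exchange."""
    return any(password in line for line in transcript)


def replay_rejected(user: str, password: str) -> bool:
    """A digest captured in one session is useless against a later banner."""
    captured = apop_login(user, password, BANNER_1)[1]
    return not server_verify_apop(captured, BANNER_2, USER_DB)
```

The two caveats the email alludes to are visible here: the server must hold the secret in clear to verify APOP, and the scheme's strength rests on MD5, which is why tunnelling the whole session over SSH or SSL/TLS remains the better choice.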
As of the date of publication, no response has been received from Hon. Sin. Perhaps voters in Hong Kong's IT Functional Constituency can learn from this incident about their representative's commitment to practising what he preaches.