I guess it’s not a bad time to start a security blog.
LulzSec has come out of their Favre-like “retirement” to announce their latest exploits. This time they have hit News International (The Sun, News of the World).
For all the mayhem they’ve created, LulzSec has provided a great service.
They offer an excellent “what-not-to-do” blueprint.
We are going to assume that the information being released is accurate. If that is the case, we have two big issues, setting aside the fact that they allowed their server to be rooted in the first place.
1) It’s nice that you have used a salt for your passwords. Next time, please generate a random salt. Utilizing the username as the salt is barely better than not bothering to salt at all: the username is public and predictable, so the salt is known before the hashes ever leak, and it does not vary between systems that use the same scheme.
2) Password restrictions: have you heard of them? A 5-digit number should never have been allowed as a password in the first place. Any password cracker will get that from the hash in a matter of SECONDS.
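To put both points in code, here is an added example (mine, not anything from the post or from News International) that contrasts a per-user random salt with the username-as-salt scheme, and applies a minimal password policy that would have rejected a 5-digit number. The iteration count, minimum length and storage format are assumptions chosen for the example; the names `hash_password`, `verify_password`, `hash_with_username_salt` and `password_policy_problems` are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Work factor for PBKDF2-HMAC-SHA256; an assumption for this example, not a
# value from the post. Tune upward as hardware gets faster.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
MIN_LENGTH = 12  # policy minimum; also an assumption for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record of the form 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    When no salt is supplied a fresh one is drawn from the OS CSPRNG, so two
    accounts with the same password get different records, and nobody can
    precompute a table for a salt they have not seen yet.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def hash_with_username_salt(username: str, password: str) -> str:
    """The weak scheme the post criticises: the username is the salt.

    Shown only to make the defect visible: the output is fully determined by
    two values an attacker already knows or can guess, so it is reproducible
    across systems and the salt is known before any breach.
    """
    return hash_password(password, salt=username.encode("utf-8"))


def password_policy_problems(password: str) -> List[str]:
    """Return the policy rules a candidate password violates (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        # An all-digit password of length n has only 10**n candidates.
        problems.append(f"all digits: only {10 ** len(password)} possible values")
    if password.isalpha():
        problems.append("letters only: add digits or symbols")
    return problems


def demo() -> None:
    # Constructed sample credentials for the demonstration.
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print("random salt, same password, different records:", record_a != record_b)
    print("verify ok:", verify_password("correct horse battery staple", record_a))

    weak_a = hash_with_username_salt("alice", "hunter2")
    weak_b = hash_with_username_salt("alice", "hunter2")
    print("username salt, records identical across systems:", weak_a == weak_b)

    print("policy problems for '12345':", password_policy_problems("12345"))


if __name__ == "__main__":
    demo()
```

The key difference is visible in the output: with a random salt, hashing the same password twice yields two different records, whereas the username-salted records are identical every time and can therefore be targeted with tables built before the breach. The policy check is deliberately small; the point is that a length floor plus a mixed-character requirement is enough to refuse the 5-digit passwords the post describes.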
Postscript: I initially wrote this up on July 19th. I’m publishing it on the 21st, and it seems there’s been a hack against NATO now. Waiting for more details before I add any commentary.