In what is arguably the largest-scale security breach so far in Sweden that didn’t come in the form of a parliamentary decision, a leak of 93,678 password-email combinations became public today. The accounts belong to all the top reporters, politicians, and bloggers in Sweden.
Somebody trolled the entire establishment with gleeful precision in using this data. William Petzäll, a high-profile defected Sweden Democrat (Sverigedemokrat) who is now an independent Member of Parliament, started tweeting an apparent revenge on his former party this morning.
Petzäll claimed that the leadership of the Sweden Democratic party (“SD”) had had access to most reporters’ and competing politicians’ email accounts for years, and that this was how they navigated their way into Parliament last year. To prove his point, he tweeted a number of MD5 password hashes and matching email addresses. As pretty much the entire political press was already paying attention to his tweets, this sent off an earthquake, followed by several confirmations dropping in quickly that the passwords were correct.
The biggest political scandal to ever hit northern Europe was escalating quickly.
My password was among the ones listed — I was specifically mentioned as a target by Petzäll in his tweets since I had been party leader for a competing party during the last two elections. Five seconds after this hit Twitter, my cellphone went crazy with all national media asking for comments, and I had not even had a chance to verify the MD5 sum tweeted. Once I had, I knew that this was indeed one of my passwords, but a weak garbage password that I had used years ago for untrusted, insensitive trash sites. No data had been leaked. None. From me, at least.
Others were not so lucky, and had practiced heavy password reuse between trusted, untrusted, sensitive, and insensitive systems. Reporters, in particular, were coming on in a steady stream, reporting that their email systems had been compromised all over the country and from all the major newspapers and TV stations.
Then, confusion hit for real. William Petzäll was discovered to be locked away on nonvoluntary drug rehabilitation without access to net connectivity.
So who had been tweeting the passwords, then? Had the SD leadership had access to the email accounts or not? Was it all just made up? Or not?
One plausible explanation was near at hand — it was not unrealistic that somebody was sitting on a large pile of passwords including Petzäll’s, who had been reusing it for his Twitter account, and that this somebody had decided to troll the entire political establishment while sending everybody on a wild goose chase and into a panic all at once. Masterful trolling, indeed. Illegal as a kite is high, but still masterful.
It wasn’t until two hours later that the actual source of the leak surfaced — a blog ranking site known as Bloggtoppen (closed as of today) that had been breached through a SQL injection and had its users table dumped, with combinations of MD5’d passwords and emails, and uploaded to a hosting site. 93,678 rows of email/password combinations. This being a blog ranking site, pretty much everybody involved in the competition of building public opinion had accounts there: reporters, politicians, bloggers. Not your average XBox gamer: your average suit and tie running the country.
However, news of that leak and the complete dump was posted one full month ago to the board Flashback. Anybody could have discovered it in the meantime and just waited for the right moment to troll the living daylights out of every newsroom in the country.
The person or people using the leaked credentials to tweet in Petzäll’s name remain unknown, as does the extent to which decision-makers and reporters have had data compromised.
What do we learn from this?
First, understanding of information hygiene is crucial. When you choose a password on a site, you give that password to the site’s administrator. People, not machines, stand behind every website. If you have used that password somewhere else, the administrator can now impersonate you there.
Therefore, as a user, always silo off passwords. You don’t need unique passwords for every site. But you do need unique passwords for every site where you can’t afford to be impersonated by somebody with hostile intent. In this case, Bloggtoppen was a site where somebody logged in as me would be able to download a blog badge which, when displayed, boosted my blog’s rankings. Yeah. Yawn. Big deal. But if I had used the same password as on the Pirate Party’s admin systems, an attacker would have had complete control of the party’s finances, projects, mail, membership and activist rosters, and communications. That would have been bad.
Second, as a website designer, defend in depth. Assume a breach will happen, and that the code you’re writing at the moment is the last piece of code standing. This was a SQL injection that gave read access to the database. Fair enough; even under strong security protocols, a user impersonated under a SQL injection will have read access. The passwords were MD5-hashed, which is a better practice than Sony had when hacked by LulzSec, but they were not salted. People having the MD5 hashes could, in many cases, find the cleartext password just by googling the hash. A much better practice would have been to salt the password with some small component, which would at least make it ungooglable. Better yet, make the salt user-dependent to follow proper security practices and disable the prospect of a rainbow-table attack.
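To make the second lesson concrete, here is an added example (not code from this post or from Bloggtoppen) that puts the site’s unsalted-MD5 storage beside per-user salted hashing. The accounts and the “common password” table are constructed for the demo, and the hardened version uses PBKDF2, a deliberately slow key derivation, which goes one step beyond the post’s “salt it” advice.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data for this demo: invented accounts, not from the leak.
USERS = {"alice@example.invalid": "password", "bob@example.invalid": "password"}
# A tiny stand-in for the public MD5 lookup tables the post calls "googling the hash".
COMMON_PASSWORDS = ["123456", "password", "qwerty"]
ITERATIONS = 100_000  # PBKDF2 work factor; raise it in real deployments

def md5_unsalted(password: str) -> str:
    """Bloggtoppen-style storage: bare MD5 of the password, no salt.
    Equal passwords give equal hashes, so one lookup table cracks every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def crack_unsalted(stored: Dict[str, str]) -> Dict[str, str]:
    """Recover passwords from an unsalted dump with a precomputed table of
    common passwords; this is all a rainbow/lookup-table attack amounts to."""
    table = {md5_unsalted(p): p for p in COMMON_PASSWORDS}
    return {email: table[h] for email, h in stored.items() if h in table}

def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256. The salt makes precomputed
    tables useless (each user would need their own), and the iteration count
    makes every guess slow, which plain salted MD5 would not."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so verification does not leak timing information."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, expected)

def demo() -> Tuple[Dict[str, str], bool]:
    """Returns (what the table attack recovers from the unsalted dump,
    whether two users sharing a password end up with identical salted digests)."""
    dump = {email: md5_unsalted(pw) for email, pw in USERS.items()}
    recovered = crack_unsalted(dump)
    salted = {email: hash_salted(pw) for email, pw in USERS.items()}
    same_digest = salted["alice@example.invalid"][1] == salted["bob@example.invalid"][1]
    return recovered, same_digest
```

Run `demo()`: the unsalted dump gives up both accounts to a three-entry table, while the salted digests differ even though both users chose the same password.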
Third, some very real whistleblowers were identified today due to bad security hygiene on behalf of reporters in a country with the strongest whistleblower protections in the world. This compromises those whistleblowers beyond repair, and could potentially put them in harm’s way. This shows very clearly that strong legislation is not enough to protect transparency and privacy against corruption; applied technology to protect sources is also necessary, combined with understanding of that technology.