Cracks widen in ABC website security
More than half of the "hashed" passwords exposed in a breach of about 50,000 accounts on the ABC's website have been cracked by an Australian security researcher.
The database exposed early on Wednesday morning was a sub-domain site on abc.net.au that hosted content concerned with the highly popular Making Australia Happy TV series, which aired in late 2010. The website asked users to submit personal information to gather what made them happy.
Sydney security researcher Troy Hunt – who was able to crack 53 per cent of the exposed hashed passwords in 45 seconds – labelled in a blog post on Wednesday evening as "woefully inadequate" the type of cryptography used by the ABC to store the passwords. Had he spent more time cracking the passwords, Mr Hunt wrote, it would have yielded more results.
Illustration: Cathy Wilcox
Hashing a password masks it by using a secure hash algorithm. But many types of hashes can be cracked using computers that use a dictionary of millions of passwords per second to crack, or guess, them.
The cracking comes as security website risky.biz cited strong circumstantial evidence suggesting that criminals may have had access to the database since October 2011.
That evidence has to do with a criminal on an underground forum asking hackers to crack the hashed password for the administrator email@example.com account used for the Making Australia Happy website. The cracked password of the developer who made the website was also requested and a hacker took up the offer after payment of $3 per password was offered.
Australian security researcher Troy Hunt.
When a user entered their information into the Making Australia Happy website they were advised not to provide their real name in the nickname field and also told that the information they provided (minus email address and password) would be displayed on a public map of Australia.
Information submitted included a user's nickname (user name), email address, password, age range, gender, postcode and the text of what they said made them happy. Other information was also collected by the website behind the scenes, which included a user's IP address and estimated latitude and longitude.
But now that the information collected by the ABC has been hacked and published - including email addresses and passwords, which can be cracked - anyone looking at it online is able to link the information back to many of the users' real names just by using their email address.
Furthermore, a criminal could use the information to steal someone's identity. As many people use the same password across many sites (a very bad but convenient practice), a criminal could make use of a user's password being exposed and log in to something like their Gmail.
In a blog post entitled "Lousy ABC cryptography cracked in seconds as Aussie passwords are exposed", Mr Hunt wrote that the mechanism the ABC used to store the credentials of Making Australia Happy users was "woefully inadequate". The ABC site has been identified as being developed by Ben Zemcevicius of The Project Factory, a digital production company.
Guy Gadney, director of The Project Factory, said the company was contracted by Heiress Films to produce the Making Australia Happy website for the ABC in 2010. "Any issues regarding security and data breaches are a matter for the ABC," Mr Gadney said.
"What we've got here are hashes, or in other words the output of a one-way cryptographic process," Mr Hunt wrote of the way the ABC website stored users' passwords. "Done right, hashes provide good protection in the case of a data breach (such as what we've got here) as they can't be un-hashed. Done wrong, hashes can be re-calculated en masse and effectively 'cracked' thus disclosing the original plain text password (also what we've got here)."
In his blog post, Mr Hunt explains how in 45 seconds he was able to crack about 53 per cent of the total 49,561 hashed passwords. With more time and a larger dictionary he said he would have cracked more, which another security expert decided they would attempt to do.
The ABC hack highlighted "just another example of sloppy development," Mr Hunt said.
"It's a very unfortunate mess for everyone involved."
The federal privacy commissioner, Timothy Pilgrim, told The Australian he would not be investigating the incident. He said he was pleased with the ABC's handling of it and that consumers could lodge a complaint with his office if they were not satisfied.
A hacker who appeared to publish the ABC database on Wednesday said the release of it had to do with the ABC airing an interview with controversial Dutch anti-Islam politician Geert Wilders.
A Twitter user who first linked to the hacked database called Phr0zenMyst said: "ABC hacked for giving a platform to Geert Wilders to spread hatred #OpWilders - database leaked!"
Late on Wednesday afternoon the ABC began emailing affected users. The email included a link to a question and answer page about the breach on its site, which recommended that people change the password they used on other online services if it was the same one used to join the ABC site.
In a statement, the ABC on Thursday said that it had been in touch with external security agencies, such as the Australian Federal Police and AusCERT, to ensure it was "doing everything possible to prevent further breaches".
"The ABC is taking immediate steps to check all of our external websites that are developed and hosted outside of the ABC to asses security," it said. "This will include confirming with external partners their security practises and technologies."
This reporter is on Facebook: /bengrubb