Sunday, May 17, 2015

Analysis of Passwords released by Wikileaks from the Sony Hack

On November 24, 2014, Sony Pictures Entertainment suffered a devastating attack from North Korea.  This attack caused the release of multiple documents and emails onto the internet.  On April 16, 2015, Wikileaks released an analysis and search system for 30,287 documents and 173,132 emails from this attack.  To voice my opinion, I am not in favor of Wikileaks releasing this information.

However, since the information is available, for this post I would like to analyze the information released focusing on evaluating the strength of the passwords found.

Looking at the page, there is a Directory #4.  After you expand it you find a directory structure that lists a variety of files.

From the files in this directory I was able to gather the following number of passwords:


Then the 3 most common passwords used:
123 times used - "password"
43 times used - "T3CSPH#G"
24 times used - "devl0p"

The number of characters per password broken down: 
3 characters or less - 13
4 characters - 26
5 characters - 75
6 characters - 641
7 characters - 345
8 characters - 540
9 to 15 characters long - 677
16 characters or more - 6

The longest password was 40 characters long.

Other Statistics
1,632 Passwords contain upper-case letters, lower-case letters and a number
691 Passwords contain special characters
575 Passwords only contain upper-case and lower-case letters
453 Passwords only contain lower-case letters
52 Passwords contain the word "Sony", "sony", or other manipulations of the sort
32 Passwords only contain upper-case letters
16 Passwords only contain numbers
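To make the statistics above reproducible, here is an added Python example (not part of the original post, and not the author's tooling) that computes the same breakdown over a list of passwords: top-3 frequency, the length buckets, the character-class categories as listed above, the "Sony" check, and the percentage shorter than 8 characters. The password list is constructed for illustration and is not the Sony data; the leet-speak normalisation used for "other manipulations" of "sony" is my assumption about what the author counted.

```python
from collections import Counter

# Constructed sample passwords for illustration only (not the leaked data).
SAMPLE_PASSWORDS = [
    "password", "password", "password", "devl0p", "Sony2014!", "abc",
    "1234", "qwerty", "Summer15", "LETMEIN", "P@ssw0rd!", "sonypictures",
    "correcthorsebatterystaple", "987654", "Welcome1", "S0nyP1x", "LetMeIn",
]

# Assumption: treat common substitutions as the letter they stand for so that
# "S0ny" or "$ony" still count as a manipulation of "sony".
LEET = str.maketrans("0@$5", "oass")


def length_bucket(pw):
    """Map a password to the length buckets used in the post."""
    n = len(pw)
    if n <= 3:
        return "3 characters or less"
    if n <= 8:
        return f"{n} characters"
    if n <= 15:
        return "9 to 15 characters long"
    return "16 characters or more"


def mentions_sony(pw):
    return "sony" in pw.lower().translate(LEET)


def analyze(passwords):
    """Return the post's statistics as a dict. Categories are not exclusive,
    exactly as in the post (a password can be in several of them)."""
    stats = {
        "total": len(passwords),
        "most_common": Counter(passwords).most_common(3),
        "by_length": Counter(length_bucket(p) for p in passwords),
        "longest": max(len(p) for p in passwords),
        "upper_lower_digit": 0, "special": 0, "letters_only_mixed_case": 0,
        "lower_only": 0, "upper_only": 0, "digits_only": 0,
        "mentions_sony": 0, "under_8": 0,
    }
    for p in passwords:
        up = any(c.isupper() for c in p)
        lo = any(c.islower() for c in p)
        di = any(c.isdigit() for c in p)
        sp = any(not c.isalnum() for c in p)
        if up and lo and di:
            stats["upper_lower_digit"] += 1
        if sp:
            stats["special"] += 1
        if up and lo and not di and not sp:
            stats["letters_only_mixed_case"] += 1
        if lo and not (up or di or sp):
            stats["lower_only"] += 1
        if up and not (lo or di or sp):
            stats["upper_only"] += 1
        if di and not (up or lo or sp):
            stats["digits_only"] += 1
        if mentions_sony(p):
            stats["mentions_sony"] += 1
        if len(p) < 8:
            stats["under_8"] += 1
    stats["pct_under_8"] = round(100 * stats["under_8"] / len(passwords), 1)
    return stats


def report(stats):
    """Print the statistics in the same layout as the post."""
    print("Most common passwords:")
    for pw, n in stats["most_common"]:
        print(f'{n} times used - "{pw}"')
    print("\nCharacters per password:")
    for bucket, n in sorted(stats["by_length"].items()):
        print(f"{bucket} - {n}")
    print(f"\nLongest password was {stats['longest']} characters long")
    print(f"{stats['pct_under_8']}% of the passwords contain fewer than 8 characters")


if __name__ == "__main__":
    report(analyze(SAMPLE_PASSWORDS))
```

Running it against the constructed list prints the same kind of table the post shows; swap in a real list (one password per element) to apply the post's statistics to your own password inventory.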

Evaluating the information, I would probably encourage organizations to incorporate an Enterprise Password Safe or Enterprise Password Management solution.  This would eliminate the multiple files containing passwords.  It would also help to enforce the strength of the passwords, because 47.4% of the passwords contained fewer than 8 characters.  An Enterprise Password Safe does bring the risk of all the passwords being in one location, but that risk has controls: the stored passwords are encrypted, dual-factor authentication should protect the safe, and access should be granted on a least-privilege basis.

I would also recommend a system that can scan inside files stored on the network, identify contents that are passwords or other sensitive information, and then alert an administrator or data owner that they exist.  Through regular clean-up and auditing these files can then be removed or maintained.  Such a system also lets you verify that information is being stored in the correct locations.
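As an added illustration of the scanning idea in the paragraph above (this is example code, not a product or anything from the original post), the following Python script looks for credential-style lines such as `password: ...` or `db_password = ...` inside file contents, skips obvious placeholders, masks the value so the alert itself does not leak the secret, and groups findings by share so the right data owner can be notified. The file contents and paths are constructed for the example.

```python
import re
from collections import Counter
from posixpath import dirname

# Constructed sample "files" (path -> contents) standing in for files on a network share.
SAMPLE_FILES = {
    "shares/it/server_list.txt": "host=db01\nlogin: admin\nPassword: Summer15\n",
    "shares/dev/deploy.cfg": "db_user = app\ndb_password = devl0p\n# password rotation handled by ops\n",
    "shares/hr/holiday.txt": "Office closed 25 Dec\n",
    "shares/dev/README.md": "Set PASSWORD=<your password> before running.\n",
}

# A key containing a credential-like word, followed by ':' or '=' and a value.
CRED_RE = re.compile(
    r"(?i)\b([a-z_]*(?:password|passwd|pwd|passphrase|secret)[a-z_]*)\b\s*[:=]\s*(\S+)"
)
# Values that are documentation placeholders rather than real secrets.
PLACEHOLDER_RE = re.compile(r"^(<.*|\$\{.*|\*+|x+|changeme|redacted|todo)$", re.I)


def mask(value):
    """Keep only the first character so the alert does not reproduce the secret."""
    return value[:1] + "*" * (len(value) - 1)


def scan_text(path, text):
    """Return one finding per credential-looking line in a file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CRED_RE.search(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if PLACEHOLDER_RE.match(value):
            continue  # documentation placeholder, not a stored password
        findings.append({"path": path, "line": lineno, "key": key,
                         "value_masked": mask(value)})
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents and collect all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def alerts_by_share(findings):
    """Count findings per directory so each data owner gets one alert."""
    return dict(Counter(dirname(f["path"]) for f in findings))


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f['path']}:{f['line']}  {f['key']} = {f['value_masked']}")
    print("Alerts per share:", alerts_by_share(results))
```

On a real deployment the `SAMPLE_FILES` mapping would be replaced by a walk over the share, and the alert would go to the owner of each directory rather than to stdout; the key point is that the alert carries the location and the masked value, which is enough to drive the clean-up without copying the secret into a ticket or log.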

I am in no way stating that Sony Pictures Entertainment should be criticized for the passwords found in these documents.  The passwords collected may or may not be an adequate population to determine the strengths or weaknesses of their program.  This information does give a system administrator, manager, or data owner a reason to consider the strength of their own password program, and what it would look like if it were exposed and the above statistics were applied to it.
