Anonymous leaked incorrect credentials of Congress members

Alleged members of the hacker collective Anonymous posted alleged passwords of Hill staffers, but according to experts they are outdated and inaccurate.

Anonymous claimed to have stolen credentials of members of Congress to protest against the popular surveillance program PRISM.

Anonymous is back, and once again it has targeted US institutions: the group leaked over 2000 usernames and passwords. Just a few days ago, Anonymous hackers also published contact details of US Federal Emergency Management Agency (FEMA) contractors, subcontractors and employees.

News of the attacks was spread through the Twitter account @OpLastResort, which claims to be linked to the Anonymous collective. Anonymous hackers also announced via Twitter that the list of credentials came from a senate.gov subdomain.

 

We mean it. This is a pivotal moment for America, and we will not tolerate failure.”

Congress has a strict password policy in place to enhance computer security by encouraging members to employ strong passwords and use them properly: each password must contain a special character, an uppercase letter, a lowercase letter, and a number, and must be between 6 and 10 characters long.

For a limited period of time the passwords were exposed on ZeroBin, a minimalist, open source online pastebin, but as I write the paste is no longer available.

The exposed list of credentials revealed that the hacked passwords don’t respect the minimum policy requirements for password composition. In many cases the passwords were simple dictionary words with numbers appended to the end.

The words used to compose the passwords were very easy to guess: the names of the staffers’ bosses or a member’s favorite sports team were the most popular choices. Moreover, some of the exposed email addresses belonged to staffers who no longer work in Congress.

This circumstance led security experts to believe that the leaked data was probably fake or outdated.
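The plausibility check described above, as an added example that is not part of the original article: it tests each entry of a credential list against the composition policy quoted earlier and flags the word-plus-digits pattern. The word list, the sample records, the function names and the reading of "special character" as ASCII punctuation are assumptions made for illustration.

```python
import re
import string

# Policy as stated in the article: 6-10 characters with at least one
# special character, uppercase letter, lowercase letter and digit.
# Assumption: "special character" means ASCII punctuation.
RULES = {
    "length": lambda p: 6 <= len(p) <= 10,
    "uppercase": lambda p: any(c.isupper() for c in p),
    "lowercase": lambda p: any(c.islower() for c in p),
    "digit": lambda p: any(c.isdigit() for c in p),
    "special": lambda p: any(c in string.punctuation for c in p),
}

# Constructed stand-in for a dictionary extended with office-specific
# terms (boss names, sports teams), the kind of words the article mentions.
WORDLIST = {"senate", "nationals", "welcome", "summer", "capitol"}

def policy_violations(password):
    """Return the names of the policy rules this password breaks."""
    return [name for name, ok in RULES.items() if not ok(password)]

def is_word_plus_digits(password):
    """True for a known word followed only by digits, e.g. 'summer2012'."""
    m = re.fullmatch(r"([A-Za-z]+)(\d+)", password)
    return bool(m) and m.group(1).lower() in WORDLIST

def triage(records):
    """Count entries that could not have been set under the policy."""
    failing = {user: policy_violations(pw) for user, pw in records}
    failing = {user: v for user, v in failing.items() if v}
    weak = [user for user, pw in records if is_word_plus_digits(pw)]
    return {"total": len(records), "noncompliant": len(failing),
            "word_plus_digits": len(weak), "details": failing}

# Constructed sample records (not taken from the leak).
SAMPLE = [
    ("staffer1@example.gov", "summer2012"),
    ("staffer2@example.gov", "Nationals1"),
    ("staffer3@example.gov", "Tr!ck7aB"),
    ("staffer4@example.gov", "welcome"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A high share of non-compliant entries is consistent with credentials that are outdated or that belong to a system outside the policy's scope; it does not prove either on its own.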

“Senate Sergeant at Arms Terry Gainer said in a statement to The Hill that the passwords the hackers posted are not accurate. He confirmed that a hacker was able to gain “limited access to a vendor’s servers,” but said the Senate computers are safe and have not been hacked.”

Congress staffers issued a security advisory that confirmed the hypothesis about the passwords’ authenticity:

“Early today, hackers disclosed over 300 Senate email addresses and passwords. We have confirmed that the posted credentials are not accurate, and many disclosed accounts are long expired. Affected offices are being notified.”

Late Thursday, the House Chief Administrative Office sent a memo to all House staff confirming that the credentials published by the hackers were outdated, including email addresses and passwords for iConstituent Gateway e-newsletter accounts outside of the House network.

The advisory bulletin revealed that the House email system was not affected by the breach, but as a precaution the memo suggested that staffers who have iConstituent e-newsletter accounts change their login for the House network.

“These passwords have expired and can no longer be used to access the external iConstituent service. However, to prevent access to other platforms (Facebook, Twitter, etc.), iConstituent Gateway eNewsletter users, old and new, should immediately change their usernames and passwords to other external sites and services if those user names and passwords have ever been used to access iConstituent Gateway eNewsletter accounts,” the memo reads.  

Zain Khan, CEO of iConstituent, did not confirm that its systems had suffered a breach, but some staffers raised concerns about the level of security provided by outside vendors for their systems.

Ian Koski, communications director for Sen. Chris Coons (D-Del.), whose Senate email address was included on the hacker site, said he didn’t receive a notice from a constituent about changing passwords:

“At this point, it’s been 18 hours, and we haven’t heard a word from the vendor even recommending we change our passwords, let alone explaining the extent of the breach. Our constituents’ privacy is our real concern right now.” Koski said.

Once again the questions arise:

  • Is it possible that Anonymous leaked inaccurate credentials?
  • Why?
  • Is it possible that someone is trying to damage the image of the collective by spreading false credentials?

I find it strange that the Anonymous collective has published credentials that could be completely inaccurate … What do you think about it?

Pierluigi Paganini

(Security Affairs – Anonymous, hacktivism)
