Watch what you say about yourself
- By Joab Jackson
- Jun 06, 2008
A hacker with a list of user names can start guessing passwords, but even at an automated level, making random guesses can be time-consuming. However, hackers have other resources, thanks to the popularity of Web 2.0 sites.
Among the less-technical procedures Kevin Johnson of Intelguardians uses is to take a trip through LinkedIn, Facebook and other social-networking sites, where profile pages can be populated with details such as a person's age, marital status, employer, hobbies and so on. The profiles could provide hints at possible passwords or answers to questions asked by the password challenge mechanisms many organizations use for people who have forgotten their passwords, Johnson said. Give the right answers and the program will grant you access.
Johnson wasn't speaking hypothetically. He gained entry to an organization's system by finding a MySpace profile of an employee who used that system. On her page, the employee professed a love for various hobbies. It turned out that one of the questions on her company's password challenge asked about these same entertainments.
Johnson successfully answered the question, reset the user password and went on to find valuable information in other parts of the internal network.
Joab Jackson is the senior technology editor for Government Computer News.