Watch what you say about yourself

A hacker with a list of user names can start guessing passwords, but even at an automated level, making random guesses can be time-consuming. However, hackers have other resources, thanks to the popularity of Web 2.0 sites.

Among the less-technical procedures Kevin Johnson of Intelguardians uses is to take a trip through LinkedIn, Facebook and other social-networking sites, where profile pages can be populated with details such as a person's age, marital status, employer, hobbies and so on. The profiles could provide hints at possible passwords or answers to questions asked by the password challenge mechanisms many organizations use for people who have forgotten their passwords, Johnson said. Give the right answers and the program will grant you access.

Johnson wasn't speaking hypothetically. He gained entry to an organization's system by finding a MySpace profile of an employee who used that system. On her page, the employee professed a love for various hobbies. It turned out that one of the questions on her company's password challenge asked about these same entertainments.

Johnson successfully answered the question, reset the user password and went on to find valuable information in other parts of the internal network.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.

