07 Jun Celebrity Hacker Proves It’s Easy to Get Logon Credentials
The Romanian cyber criminal known as the “Celebrity Hacker” revealed how easy it is to obtain logon credentials, and his long list of successful hacks proves that his simple methods work.
Logon Credentials are Easy Guesses
Marcel Lehel Lazar, who broke into the accounts of numerous celebrities, politicians, and government officials, recently pled guilty in a U.S. District Court to charges of unauthorized access to a protected computer and aggravated identity theft. Lazar said that he gained access to numerous accounts by simply guessing the correct passwords after analyzing the account owner’s family and environment. For instance, he broke into Colin Powell’s account by entering the former secretary of state’s grandmother’s name as his password. It worked.
No Technical Expertise Needed
Using the same analytical techniques, Lazar is also adept at figuring out the answers to security questions used to protect accounts. For example, he broke into a Romanian politician’s account by first attempting access to find out what the security question(s) were. In this case: “What was the name of the street where you grew up?” Lazar found the name of the primary school that the politician attended on her public Facebook page. Armed with this information, he methodically tried different street names that were close to the school until he found one that worked. Only a few attempts were needed before he found the correct one, which provided him access. The whole approach is a very simple but effective process.
What I found especially interesting is that Lazar stole all of the logon credentials using virtually no technical expertise. He has no programming skills. He didn’t exploit system vulnerabilities or write scripts or even purchase ready-made hacking tools. He simply found information online that he could use to deduce IDs and passwords – which he used to walk right in the front door posing as an authorized insider or account owner.
So if user accounts are so vulnerable, what’s the best course for an enterprise to take in order to guard against use of stolen credentials? Well, one obvious answer is to require users to use multi-factor authentication or strong passwords that don’t consist of real words. That will deter a lot of data breaches – although not all. Of course, another option is user behavior analytics. It’s the best thing I know of to detect situations when an impostor has stolen valid user credentials and attempts to use them.
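The security-question guessing described above leaves a recognizable trail in account-recovery logs: several different wrong answers from one source, then a correct one. The following detection logic is an added example, not part of the original article; the event format, field names, thresholds and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format):
# (timestamp, account, source address, keyed digest of the answer, outcome)
# Only a digest of each submitted answer is logged, never the answer itself.
EVENTS = [
    ("2024-01-15T10:00:00", "alice", "203.0.113.7", "d1", "fail"),
    ("2024-01-15T10:02:00", "alice", "203.0.113.7", "d2", "fail"),
    ("2024-01-15T10:05:00", "alice", "203.0.113.7", "d3", "fail"),
    ("2024-01-15T10:07:00", "alice", "203.0.113.7", "d4", "ok"),
    # Same wrong answer retyped: looks like a typo, not guessing.
    ("2024-01-15T11:00:00", "bob", "198.51.100.4", "d9", "fail"),
    ("2024-01-15T11:01:00", "bob", "198.51.100.4", "d9", "fail"),
    ("2024-01-15T11:02:00", "bob", "198.51.100.4", "d8", "ok"),
    # Wrong answers too old to fall inside the look-back window.
    ("2024-01-15T08:00:00", "carol", "192.0.2.9", "d5", "fail"),
    ("2024-01-15T08:01:00", "carol", "192.0.2.9", "d6", "fail"),
    ("2024-01-15T08:02:00", "carol", "192.0.2.9", "d7", "fail"),
    ("2024-01-15T09:30:00", "carol", "192.0.2.9", "d4", "ok"),
]

WINDOW = timedelta(minutes=30)  # assumed look-back window
MIN_DISTINCT_WRONG = 3          # assumed alert threshold


def detect_answer_guessing(events, window=WINDOW, min_wrong=MIN_DISTINCT_WRONG):
    """Flag each correct security answer that follows at least `min_wrong`
    distinct wrong answers from the same source within `window`."""
    failures = defaultdict(list)  # (account, source) -> [(time, digest)]
    alerts = []
    for ts, account, source, digest, outcome in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (account, source)
        # Keep only failures that are still inside the look-back window.
        failures[key] = [(t, d) for t, d in failures[key] if when - t <= window]
        if outcome == "fail":
            failures[key].append((when, digest))
        elif outcome == "ok":
            distinct = {d for _, d in failures[key]}
            if len(distinct) >= min_wrong:
                alerts.append((account, source, ts, len(distinct)))
            failures[key] = []  # a success resets the history for this pair
    return alerts


if __name__ == "__main__":
    for alert in detect_answer_guessing(EVENTS):
        print("possible security-question guessing:", alert)
```

Counting distinct wrong answers rather than raw failures separates a user who mistypes the same answer from someone working through a list of candidate street names.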
The opinions expressed in this contributor article are solely those of the author, and do not necessarily reflect those of Fortscale.