The Road to Hell is Paved with Bad Passwords

What’s the worst that could happen?

The day started like any other, nothing out of the ordinary. Peacefully about to chomp down on lunch. An imposing man in an expensive looking suit was sent to summon me. Usually this happens if there’s been an accident or death in the family. With the first bite of food still in my mouth, I fumbled when asking, “Was there an accident?” His response, “I wasn’t given that information, but it’s very important. Can you come with me please”

In 201X, I led an unusual digital crime incident investigation. A mix between cyber crime and cyber terrorism, leaving the events etched my the memory banks. Finding oneself in the midst of terrorist groups and high level political intrigue as a security expert and all around hacker seemed more fitting on a warped version of the IT crowd. Perhaps closer to Black Mirror. Not in real life.

Dam*it, not the best sign of things to come. I silently asked myself why on Earth I got out of bed that morning. Everyone whispered as if I had a huge piece of spinach hanging out of my mouth (probably did) or I was getting fired (me, mining BitCoin at work, never ;). Why did my alarm clock have to go off? I was having a nice dream.

Who said STEM was boring?

An Embassy in a European country had been hacked, pwnd hard. The back end, official business email account was targeted and subsequently misused by miscreants who sent out emails as if they were from the Ambassador’s trusted Secretary. Utilising the compromised account, the nefarious attackers attempted to extort additional visa fees from select VVIP applicants. Time was of utmost importance. Quickly, I assembled a team, myself and one person, a senior forensics expert rockstar. We immediately travelled to the location and began the investigation.

The Embassy in question was highly distrustful of both the local police and the local Diplomatic Corp Police, a separate branch of police for embassies and diplomatic staff. Embassies are political places, not everyone is friendly. Each location is sovereign country property, local police have no jurisdiction, local laws do not apply at embassies and owned locations. All sorts of mystery, intrigue and uncomfortable yet important meetings are held in these mini-seats of power. The Embassy email account was high value, gave attackers access to contacts, communications and could lead to maximum damage to reputation. Non reputation concerns. What damage could be done if the Embassy email account was further abused?

This embassy had problems, serious ones, OMG. It was the Embassy IT person’s first week on the job and the previous person gave zero hand over. They couldn’t even get in touch with the previous person. The Embassy IT person had zero security experience, pure IT; but was willing to do just about anything to stop the attack. Stopping the damage, the bleeding and securing the email account was a top priority.

123456 really?

Self explanatory

“What’s the username and password?” I asked, expecting some super duper 26 + character, two factor authentication credential set, virgin blood sacrifice and the attackers were super spies. Answer: [email protected], password is 123456. I did a double take, wanted to clarify, asked again, just in case there was a translation error. Answer: [email protected], password is 123456. This wasn’t exactly what I imagined a typical embassy network was managed.

My body fought back screaming: Nooooooooooo! Whilst whimpering inside.

We investigated further, my forensics person checked around, taking samples, network checks via taps. Even though Windows XP was rampant, no real anti-virus was installed. They relied entirely on Microsoft Security Essentials. How good is MSE? “In June 2013, MSE achieved the lowest possible protection score, zero.”

Lucky for them, only two systems had any internet access and were on a closed network, separate from embassy government operations. Embassies frequently host intelligence services in addition to diplomacy. Glad there was a real separation, almost an air gap. Dodged that bullet…

There was no malware or spyware detected by network tap or live memory samplings. Any good bit of news was a plus, it limited possibilities and helped zero in on the email account. Over the next few weeks, the email account was secured and a number of changes both physical and digital were recommended to mitigate risk in the future. All seemed fine and we headed back to normal life.

We’re back and it’s worse

the love that never, ever stops, on a galactic level, space herpes

A few weeks later, as life was getting back to normal, another summoning. At this point, I was never going to eat my lunch. What began as some dodgy emails trying to fraudulently acquire extra visa fees using the embassy email account grew, exponentially. This time, an email went out, again from the official embassy email account, signed as the Ambassador’s Secretary to a handful of friendly embassies asking for 25 thousand Euro in the name of a friend of ISIS. It seemed there was no getting rid of this f*cker and every bout came back worse, like space herpes. Signed ISIS.

Sanitized 25 thousand ISIS extortion email

Back to the location again, this time alone to try and sort things out. Forensics was no longer required. The Ambassador was concerned it was an insider, as was I. As if we were on some sort of comedy skit on the BBC. We waited until everyone else exited the embassy after it closed for official business. Then, the comedy began by crouching down on our hands and knees looking for passwords written on post-it notes, under desks and other places. We were looking for embassy employee credentials to use their logins so I could further investigate certain employees without their knowledge. By we I mean the Ambassador and I. Never in my life had I expected to see an Ambassador sifting around dusty desks with me, on hands and knees. It was at this time I began wondering if I was hallucinating or suffering a mental breakdown, hypnagogic.


Galactic alien level facepalming

We began to liaise with the Diplomatic Corps Police in a limited extent. At arms length at all times, trust was strained. It took a great deal of effort, meetings with the Ambassador to speak with any outside party.

Many of you, or a “friend” have done this: sent an email via CC not BCC? Leave your worst experience, in the comments.

I have, you know you have. Well, even the Diplomatic Corps Police have. They were very nice, helpful as could possibly be and highly professional. As such, they sent out an email to all the official back end embassy accounts over CC, not BCC warning of some extortion attempts. They were being proactive, not identifying the embassy in question, giving all other embassies a heads up just in case. A little misstep that caused utter chaos.

That escalated quickly, f*ck

From ISIS, just in case you didn’t know

Unfortunately, the attackers still had access somehow to the embassy email account. The Diplomatic Police, sending via CC not BCC gave away all the other official embassy back end email addresses. Then the real fun began. The attackers quickly capitalized on the faux pas and sent back an email to everyone spreading the fear. What began as a few hundred euro grew to 50 million USD.

Further Down the Rabbit Hole

The threats grew to not so casually mentioning a big private event the Ambassadors of the USA, UK, Japan, 400+ dignitaries and staff etc.. were slated to attend. If the money wasn’t paid up, the event would blow in more ways than one. During this time, the attackers took a particular and personal interest in the Ambassador’s Secretary, prompting the regular police to become involved for a split second. The regular police had no jurisdiction or authority in the matter and were warned to back off ASAP.

Quietly and unbeknownst to the residents. The city was put on alert, embassies locked down, every person passing by was treated with suspicion. I even had the joy of not one, but three “Cultural Attachés” of an ISIS friendly embassy try to befriend me at a pub I frequented during the investigation. One gave me a very personal gift, a set of Islamic prayer beads. Which I had promptly checked for bugs. The trio didn’t drink alcohol but would sit patiently in the pub, drinking tea for hours until I arrived. The trio said they wanted English lessons, but all spoke English. It was beyond surreal.

Eventually I was able to gain the Ambassador’s trust to further interrogate some of the digital assets and accounts. This was quite unusual, I was not a citizen of the country in question. They allowed me to take back an asset to my lodgings. After getting comfortable, trying to relax, a glass of wine in hand. Eureka, I found it! The attackers still had access to the embassy email account because they had setup a back end email forwarder. Back end email forwarder closed, secured up the email account, gathered evidence. We then went on the hunt for who was behind the attack, hop by hop following each step back over multiple countries. The suspect(s) were isolated, placed under surveillance and effectively neutralized. Months later I was invited to a private embassy function. In the end, I was the only one blown away, by the Ambassador’s gift.


Please don’t do this, please

None of us are perfect, but holy mother of whatever may or may not be holy. Don’t use weak passwords. See what can happen! What can you do to keep yourself safer than this embassy? Or avoid perplexing baby memes?

  1. Use a secure password database like KeePass or similar which can keep track of all your credentials encrypted. These types of tools can also create passwords for you based on your criteria. Easy security means you’ll use it.
  2. Use complex passwords, not 123456 or well known ones.
Top 2017 passwords from Dr. Chelly

3. Don’t reuse passwords. Just don’t, or all your accounts can be hacked with one breach. You can make it easy by randomly generating passwords and storing them in an encrypted password database manager.

4. Change passwords as frequently as required based on risk.

5. If your password is to easy for you to figure out or crack, it probably will be for an attacker too.
Please do this 🙂

If you or your organization is high value, or known to have funds. Cyber extortion from fringe and terrorist groups is becoming more prevent. Over 400 high value targets could have been killed at an event, or worse. If the ransom was paid, ISIS could’ve killed more than 400 with 50 million more in their bank account.

This post is a case study from my book Down the Rabbit Hole An OSINT Journey and discussed during OWASP AppSec California 2018 presentation.