'Password patterns' eyed as potential clue in hack of Mandiant/FireEye security pro
Computer users have something new to worry about in the cat-and-mouse game with hackers. You probably use "password patterns" to create easy-to-remember-but-hard-to-guess passwords. Well, the criminals are on to you. Their ability to detect such patterns may have figured prominently in the high-profile attack on a security professional earlier this week.
Computer security professionals know they have a target on their backs. When you hunt hackers for a living, the hackers hunt back. Even professionals with impressive credentials sometimes fall victim to such attacks.
A stark reminder of this risk came this week when Adi Peretz, a senior threat intelligence analyst at prominent security firm Mandiant, saw his laptop and social media account compromised and exposed by a group of hackers. The group said it was beginning a campaign called #LeakTheAnalyst against security professionals they say are chasing after their Internet tracks. As retribution, they will begin tracking their adversaries on social media with the stated goal of “Trash(ing) their reputation in the field.”
Mandiant confirmed the attack in an email to me, but said it was limited to Peretz's laptop and social accounts.
"We are investigating this situation, and have taken steps to limit further exposure," the firm said in a statement. "While our investigation is ongoing, there is currently no evidence that FireEye or Mandiant corporate systems have been compromised. Our top priority is ensuring that our customer data is secure. To date, we have confirmed the exposure of business documents related to two separate customers in Israel, and have addressed this situation with those customers directly. This is an ongoing investigation, and new or additional information may emerge as we continue looking into this matter. We will do our best to keep you up to date."
The statement did not suggest how the attack occurred. But in their announcement of the hack, the criminals specifically mentioned they had found Peretz's "favorite password patterns."
The statement also pointed to a large data dump of stolen files and emails. A file included in the dump has an entire section devoted to revealing these patterns, said Dan Clements of Insedia.com, a security firm. The file lists passwords for various Peretz accounts, showing their similarities. Some are re-used outright; others are only slight variations of one another. Many include the word "fire," echoing the name of the firm -- FireEye -- which acquired Mandiant in 2014. (I am being intentionally vague about the precise details for obvious reasons, but I've seen the passwords.)
Insedia has a database it calls Pitchfork that includes more than 4 billion records containing details from most high-profile database breaches from the past 20 years. The records are collected from underground forums; all of them are essentially "public." Clements uses that database to find password patterns, too.
He says that Peretz's LinkedIn account details made it into Pitchfork from the underground, perhaps as the result of LinkedIn's big hack in 2012. That was initially thought to include about 6 million victims, but last year, hackers claiming to have records on 117 million LinkedIn users tried selling the data online.
LinkedIn forced users to reset their passwords after the leak, but Peretz’s old password might have provided a hint to unlock his account, particularly if it followed a pattern.
In its dump, the hackers also revealed what appears to be a password at an Amazon account belonging to Peretz. A check of Insedia's data found the same password linked to a Gmail address (I won't disclose the password or other account information).
To Clements, all these patterns indicate hackers would have had several hot leads for trying to gain access to various accounts owned by Peretz.
I shared these details with Mandiant, which thanked me for them, but did not otherwise offer comment.
It's not at all clear that password management had anything to do with Peretz getting hacked. But it is clear the criminals were looking for password patterns; consumers who use them place themselves at risk.
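The patterns described above (exact reuse, slight variations such as a rotated year, and an employer's name embedded in the password) are exactly what a password-change handler can refuse before a credential ever leaks. The following Python check is an added illustration, not part of the original story and not code from Mandiant, FireEye or Insedia. The identity tokens and the password history it uses are constructed sample values; it assumes the previous password is available in cleartext at the moment of the change (as the old password the user just typed), since stored password history is hashed and cannot be compared for similarity.

```python
import string

# Constructed sample values for this example; none come from the article.
# Tokens tied to the user's identity or employer that should never appear
# in a password (the article notes many leaked passwords embedded "fire").
IDENTITY_TOKENS = ["fire", "fireeye", "mandiant"]

# Common character substitutions, undone before comparison so "F1re" == "fire".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a password to its reusable core: lower-case, drop leading and
    trailing digits and symbols (the part people rotate: 2015!, 2016!), then
    undo leetspeak."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a small value means 'slight variation of one another'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def audit_password(candidate: str, previous: list, identity_tokens=IDENTITY_TOKENS,
                   max_edits: int = 2) -> list:
    """Return human-readable findings; an empty list means the candidate shows
    none of the patterns discussed. Findings never echo the old passwords."""
    findings = []
    flat = candidate.lower().translate(LEET)
    for tok in identity_tokens:
        if tok in flat:
            findings.append(f"contains identity/employer token '{tok}'")
    core = normalize(candidate)
    for old in previous:
        if candidate == old:
            findings.append("reuses a previous password exactly")
        elif core and core == normalize(old):
            findings.append("same core as a previous password; only case, "
                            "edge digits or symbols were rotated")
        elif levenshtein(candidate.lower(), old.lower()) <= max_edits:
            findings.append(f"within {max_edits} edits of a previous password")
    return findings


if __name__ == "__main__":
    # Constructed history for a hypothetical user.
    history = ["Fire2015!", "Fire2016!", "Summer42"]
    for cand in ["Fire2017!", "F1re2016!", "summer43", "correct horse battery staple"]:
        print(cand, "->", audit_password(cand, history) or "no pattern findings")
```

The core comparison is what catches the "old LinkedIn password as a hint" case: a leaked `Fire2015!` and a current `Fire2017!` normalize to the same word, so the check rejects the rotation even though the two strings are not identical. The edit-distance branch is the fallback for variations that change the word itself by a character or two.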
Meanwhile, the incident is a reminder that security professionals make mistakes too. The added problem for people in the security space is that they face a greater risk of attracting the wrath of computer criminals.
From the "announcement" of the attack, it seems clear that the hackers had something personal against Peretz.
"Nobody understands the amount of dedication it takes to break into a highly secured network, to bypass every state of the art security measure installed to make a targeted network unbreakable, to code and hack not for the money but for the pleasure of being somewhere no one can be in, to be addicted to pain," the group said in a statement. "From time to time there is a know-it-all security professional tries to read your sick mind and blow your breach plan up to hell....For a long time we – the 31337 hackers – tried to avoid these fancy ass “Analysts” whom trying to trace our attack footprints back to us and prove they are better than us. In the #LeakTheAnalyst operation we say fuck the consequence let’s track them on Facebook, Linked-in, Tweeter, etc. let’s go after everything they’ve got, let’s go after their countries, let’s trash their reputation in the field."
Given the seeming grudge against Peretz, perhaps the hackers' #LeakTheAnalyst campaign begins and ends here. But that's not a safe bet. Greater awareness around bad password patterns is, however.
DISCLOSURE: I have been paid by Insedia.com in the past for free-lance writing. I am not currently being paid by the firm.