Passwords, Stratfor, and Newton’s 3rd Law of Motion

Newton's 3rd law is often stated as "for every action there is an equal and opposite reaction." What Newton actually said is a little more complex* than that, but this article isn't about physics (or else I'd leave the discussion to someone better qualified). 

The Internet, despite its grounding in the physical world of hardware and digital media, is (from my end of the telescope, anyway) primarily a psychosocial entity, and much harder to define and measure. Even in that mental universe, though, the third law applies to some extent, provided we drop the word "equal". Here's a very specific instance, which we might put like this: for every action taken to promote security, there is a potential negative consequence.  

A web page set up by Dazzlepod offers a service for checking whether a given email address is represented in the databases of email addresses, passwords, addresses and credit card details dumped by Anonymous to a number of sites, making them available to any bad actor who bothers to download the archive. While the site suggests that, for privacy, you don't put in your full email address, it's actually quite easy (if tedious) to navigate through the entire 73162 (full) email addresses currently listed on that page.

This doesn't have quite the same negative implications as other facilities: there's no other information listed there, and if a blackhat already has the full database dumped by Anonymous, he doesn't need to go through Dazzlepod's lists since they don't offer a significant shortcut. However, it does, like those other services, offer a distraction from the main event. For a start, it only contains (at present) the account names for those registered users whose credit card information is directly at risk. However, if you don't have those data on record with Stratfor, there's still the risk that they might be accessed through an account elsewhere using the same password.

Dazzlepod is saying, more or less explicitly, that if your account name comes up, you should change your current password in any context in which you (re-)use it. Doesn't it make more sense to assume that your account is compromised and go ahead and change it anyway, everywhere? And if Stratfor does have your credit card data, doesn't it also make sense to contact, advise, and take advice from the card supplier now? While I applaud Stratfor's attempt to remediate by offering ID protection, this is a proactive measure that's worth any temporary inconvenience.

ESET Senior Research Fellow

*To every action there is always an equal and opposite reaction: or the forces of two bodies on each other are always equal and are directed in opposite directions.

Author David Harley, ESET

Copyright © 2017 ESET, All Rights Reserved.