5-May-20 Password-Spraying

Photo by Pixabay at Pexels

Today it was reported that “The UK’s National Cyber Security Centre (NCSC) and US Cybersecurity and Infrastructure Security Agency (CISA) have seen large-scale ‘password spraying’ campaigns against healthcare bodies and medical research organisations” (NCSC, 5 May 2020).  ‘Password spraying’ is an attempt to access a large number of accounts using commonly known passwords.  Apparently, these groups are targeting organizations such as academia, pharmaceutical companies, medical research organizations, and local governments to collect bulk personal information, intellectual property and intelligence.

The lockdown has created additional vulnerabilities as individuals work from home, some accessing remotely via virtual private networks (VPNs).  In April 2019, the NCSC published an analysis of the 100,000 most commonly re-occurring passwords that had been breached: there were 23.2m victim accounts using the password 123456; 3.6m using ‘password’ and 333,139 using ‘superman’, for example.  The NCSC recommends using passwords comprising three random words, as well as two-step authentication processes.
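Password spraying, as described above, is wide rather than deep: a few common passwords tried against many accounts, so no single account trips a lockout.  The following Python is an added illustration (not code from the NCSC/CISA advisory or this blog) of how that shape can be flagged in authentication logs; the log format, IP addresses and usernames are all constructed.

```python
# Added example (not from the NCSC/CISA advisory): flag the "low and wide"
# shape of password spraying, i.e. one source failing against many distinct
# accounts in a short window, as opposed to brute force against one account.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp source_ip username result".
SAMPLE_LOG = """\
2020-05-05T08:00:01 203.0.113.7 alice FAIL
2020-05-05T08:00:02 203.0.113.7 bob FAIL
2020-05-05T08:00:03 203.0.113.7 carol FAIL
2020-05-05T08:00:04 203.0.113.7 dave FAIL
2020-05-05T08:00:05 203.0.113.7 erin FAIL
2020-05-05T08:00:06 203.0.113.7 frank OK
2020-05-05T08:05:00 198.51.100.9 alice FAIL
2020-05-05T08:05:01 198.51.100.9 alice FAIL
2020-05-05T08:05:02 198.51.100.9 alice FAIL
2020-05-05T09:30:00 192.0.2.44 bob FAIL
"""

def parse(log_text):
    """Parse the constructed log lines into (time, source, user, result)."""
    events = []
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spraying(events, window=timedelta(minutes=10),
                    min_accounts=5, max_per_account=2):
    """Return {source: [accounts]} for sources whose failures in any `window`
    hit >= min_accounts distinct accounts with <= max_per_account each."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    flagged = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide window from each failure
            counts = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start <= window:
                    counts[user] += 1
            # Brute force on one account has few distinct users and is left
            # to lockout policy; spraying has many users, each hit lightly.
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[src] = sorted(counts)
                break
    return flagged
```

Running `detect_spraying(parse(SAMPLE_LOG))` flags only 203.0.113.7, which fails once each against five accounts, while the repeated failures against alice from 198.51.100.9 are not reported as spraying.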

Some press outlets have speculated that China, Russia and/or Iran may be behind some of these attacks, though this is unverified (see blog 21-Apr-20 Entanglements for the politics of attribution).  It is fascinating to think how behind the guise of global efforts – such as the EU-organised teleconference on 4 May 2020 where $8 billion was pledged globally for coronavirus vaccine research – countries are also vying to be first in the race.  The New York Times reports, for example, that the US did not participate in Monday’s effort, but is pouring billions into its own research efforts.  Neither did China make a financial pledge.

Whatever the international politics of vaccine trophy-hunting, the NCSC-CISA statement reminds us that the continued shifting of our lives online requires some safeguards.  So check those passwords today: ‘batman’ (203,116 breaches) and ‘tigger’ (237,290 breaches) are no good.

‘Feminist’, however, is not on the top 100,000 list.  Interesting that.

© Natasha Mulvihill and Criminology Tales, 2020.