(published on 19.7.2021 by Marianne Rudigier)
Very common excuses for not having to deal with the topic of data protection and information security include "no hacker is interested in me and my data anyway. I'm just a small fish" or "I have nothing to hide anyway!"
Are you really sure about that?
At the beginning of 2021, a data set with 3.2 billion email and password combinations appeared in a hacker forum. This is not a new hack, but a collection of data from past data leaks.[1] It will probably not be the last such data set.
The German BSI[2] assumes that almost every company in Germany has already had to deal with cyberattacks (this is also true for Austria[3]), although this does not mean that all attacks were also successful. The head of the BSI - Arne Schönbohm - reports that in 2020, around 117 million (!) new variants of malware were circulating, with attackers being increasingly aggressive.[4] Universities and research institutions in particular are also increasingly becoming targets of cyberattacks[5], as can be seen in the example of the TU Berlin. TU Berlin became the victim of an attack at the end of April 2021. The central IT services of the university are still not fully available today.
What does this mean for our everyday work?
For example, if you use the same password for your private accounts (e.g. Google, Amazon, Facebook, Ikea, Zalando, etc.) as for your TU account, then as soon as the database of one of those privately used platforms is breached, attackers can easily take over your TU account as well. The data you process may not be of much interest to attackers. However, your account can serve as a starting point for penetrating deeper into the systems of TU Wien and causing damage there. This must be avoided at all costs.
How can you find out if you have already been a victim of a hacking attack and if the passwords you use are secure?
You can check on the Have I Been Pwned page (https://haveibeenpwned.com/) whether your data has already turned up in a known data leak. On the same site you can also check whether a password you use is already known to attackers, by entering it at https://haveibeenpwned.com/Passwords and clicking on "pwned?".
"Wait a moooment! Enter my password on a website? It might be stored there, or worse, intercepted and used for an attack!", the attentive colleague now objects. Absolutely right! In principle.
However, the operators of Have I Been Pwned use a clever security mechanism[6] that makes storing or transmitting the password unnecessary. A cryptographic hash function computes a checksum (hash) of the password that identifies it but cannot be reversed to recover the password. When you enter your password, the page computes this checksum locally in your browser. Only the first five characters of the hash are then sent to the Have I Been Pwned server. The server, in turn, answers with a list of all the checksums in its database that start with these five characters, and the browser compares your full hash against that list locally. The server never sees your password or the complete hash.[7] Don't worry, even my brain occasionally gets knotted up reading such descriptions. Fortunately, we have many patient IT specialists in the house to help with unknotting and explain the technology behind it.
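The exchange described above, as an added example that is not part of the original post or of the Have I Been Pwned service itself: the server side is simulated with a small constructed breach list, and the client sends only the 5-character hash prefix, exactly as the real range API does.

```python
import hashlib

# Constructed sample "breach corpus" standing in for the Pwned Passwords data set.
# Assumption (not from the post): plain-text values appear here only to build the
# demo index; the real service only ever holds the SHA-1 hashes and their counts.
_SAMPLE_BREACHED = ["password", "123456", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- server side -----------------------------------------------------------
# Index: 5-character hash prefix -> list of "SUFFIX:COUNT" lines (35-char suffix).
_SERVER_INDEX = {}
for i, pw in enumerate(_SAMPLE_BREACHED):
    h = sha1_hex(pw)
    _SERVER_INDEX.setdefault(h[:5], []).append(f"{h[5:]}:{(i + 1) * 1000}")


def range_query(prefix: str) -> str:
    """Simulates the range lookup: returns every stored hash that begins with the
    prefix, one 'SUFFIX:COUNT' per line. The server never learns the full hash,
    so it cannot tell which of the returned candidates (if any) the client holds."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\r\n".join(_SERVER_INDEX.get(prefix, []))


# --- client side (what the browser does) -----------------------------------
def pwned_count(password: str, fetch=range_query) -> int:
    """Hash locally, send only the first 5 hex characters, and match the remaining
    35 characters at home. Returns the breach count, or 0 if the password is unknown."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0
```

The only information that leaves the client is the prefix, which in the real service matches hundreds of unrelated hashes, so the lookup reveals neither the password nor its hash.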
A good and simple description of Have I Been Pwned can be found here: www.spiegel.de/fotostrecke/hack-check-so-funktioniert-have-i-been-pwned-fotostrecke-166383.html.
You can change your passwords for the TU account and for your upTUdate account at the following link: login.tuwien.ac.at/passwort/mitarbeiter/.
In the next post, you will learn more about how and why credentials are stolen.
[1] See: www.derstandard.at/story/2000124114364/hacker-stellen-sammlung-von-3-2-milliarden-passwoertern-ins-netz (last accessed 07/16/2021).
[2] Note: Federal Office for Information Security, www.bsi-fuer-buerger.de/BSIFB/DE/Home/home_node.html
[3] Cf. E. Schultz: Statistics on cybercrime in Austria. Statista. Dec. 10, 2020. de.statista.com/themen/4253/internetkriminalitaet-in-oesterreich/ (last accessed Jan. 13, 2021).
[4] Cf. B. Benrath: BSI chief interview. "The blackmailers are becoming more aggressive". Frankfurter Allgemeine Zeitung. FAZ.NET. Jan. 11, 2021 (last accessed Jan. 13, 2021).
[5] Cf. T. Thiel: Cyberattacks on research. Viruses in the gold rush. Frankfurter Allgemeine Zeitung. FAZ.NET. 06.06.2020 (last accessed 13.01.2021).
[6] See: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity (last accessed Jan. 13, 2021).
[7] Cf. M. Schmidt: Special: Security Checker - Hack Checker Have I Been Pwned. Have I Been Pwned: Online account hacked? Find out! Computer Bild. May 10, 2019 (last accessed Jan. 13, 2021).