Hot on the heels of yesterday’s story about the ‘world’s greatest military hacker’ comes this tale of advanced doltery from train operator Great North Eastern Railway (GNER), who managed to publish their system passwords in a magazine available to thousands of passengers.
The April/May edition of their freebie passenger magazine, Livewire, positively invited hackers to come and do their devilish work, with an article on their operator’s control centre in York being illustrated with photographs showing mainframe and computer passwords written on a whiteboard.
Red faced and flapping like Fred McFlapster wearing flares in a gale force wind, William Higgins, editor of Livewire, surprised us all by declaring that including the picture was a mistake, insisting that the highly competent GNER technology team had already rectified any problems.
Martin Grey, technical services manager in GNER’s information systems department, claimed that passwords were changed before the magazine was published: ‘We quickly changed the passwords and user accounts so no one outside could get into our corporate data.’
‘The procedure in terms of our internal security was not being followed and we took quick steps to remedy that,’ he added.
A GNER spokesman later confirmed passwords were no longer being written bold and large on whiteboards and – presumably – their photographers will no longer be invited to go around snapping confidential information for free magazines.
GNER, owned by the Sea Containers Group, provide high-speed intercity train services along Britain’s East Coast main line, linking England and Scotland along a route of almost 1,000 miles.
Of their 15 million passengers every year, eight million are calculated to be business travellers, with the free magazine enjoying a circulation of more than 100,000.
A deeply unimpressed Phil Robinson, chief technology officer at security specialist Information Risk Management, commented that it was unusual to see passwords emblazoned on whiteboards, although it’s commonplace to see office monitors flapping with Post-it notes containing security information.
‘Mainframes are a sensitive part of any organisation and contain the crown jewels of data a business might want to protect,’ he warned.
Robinson suggested that companies need to work out a coherent security password policy and insist that employees use secure – but memorable – passwords, with a lock-out policy stopping repeated wrong password entries.
Microsoft’s ‘At Work’ site offers a series of tips for creating passwords, advising against using combinations of consecutive numbers or letters or adjacent letters on a keyboard such as “qwerty.”
The site also recommends avoiding any word that can be found in the dictionary, in any language, and warns against simply replacing letters with numbers or symbols that look like the letters, such as M1cr0$0ft or P@ssw0rd, as hackers are wise to these tricks.
Instead, Microsoft advises coming up with a passphrase – a sentence you can remember, like “My son Aiden is three years older than my daughter Anna” – and then using the first letter of each word of the sentence to create ‘msaityotmda.’
It then advises mixing and matching a combination of upper and lowercase letters, numbers, and special characters that look like letters to come up with a hacker-challenging password like M$8ni3y0tmd@.
(Your writer now hastily goes off to change his own passwords…)
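The password tips above can be enforced when a password is set. The following is an added example, not code from Microsoft or GNER: a small checker that rejects consecutive runs, keyboard-adjacent runs and dictionary words even after look-alike substitutions are undone. The word list, the run length of four and the three-character-class threshold are assumptions made for illustration.

```python
import re

# Look-alike substitutions the article says attackers already expect.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
# Constructed stand-in for a real dictionary or breached-password list.
WORDLIST = {"password", "microsoft", "welcome", "letmein", "dragon"}
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def has_run(text, sources, length=4):
    """True if text holds `length` consecutive chars of a source, forwards or reversed."""
    for src in sources:
        for seq in (src, src[::-1]):
            for i in range(len(seq) - length + 1):
                if seq[i:i + length] in text:
                    return True
    return False


def check_password(candidate):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    lowered = candidate.lower()
    if has_run(lowered, (ALPHABET, "0123456789")):
        problems.append("consecutive letters or numbers")
    if has_run(lowered, KEY_ROWS):
        problems.append("adjacent keyboard keys")
    # Undo look-alike substitutions before the dictionary lookup, so that
    # P@ssw0rd is compared as "password" and M1cr0$0ft as "microsoft".
    stripped = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    if any(word in stripped for word in WORDLIST):
        problems.append("dictionary word (after undoing substitutions)")
    # Assumed threshold: at least three of lower, upper, digit, symbol.
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, candidate)) for c in classes) < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "M1cr0$0ft", "qwerty12345", "msaityotmda", "M$8ni3y0tmd@"):
        print(pw, "->", check_password(pw) or "accepted")
```

In a real deployment the word list would be a full dictionary or breached-password corpus, and the check would sit alongside the lock-out policy Robinson describes.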