Posts

Showing posts from January, 2009

Monster and Website Passwords issues further explained by Sophos

Graham Cluley, a Security Expert and blogger from Sophos got in contact after reading my recent posts on the latest Monster jobsite breach and the problem website passwords . Graham had also highlighted the same issues with website passwords on his blog , and has put together nice little video explaining the issue, which he has kindly allowed me share below. What the Monster.com security breach teaches us about passwords from Sophos Labs on Vimeo .

Monster Jan09 breach: The Website Passwords Problem

Only a day or so after posting " The Problem with website Passwords " another big data breach at online job website “Monster” has come to light. What is particularly relevant to my last post and highly concerning, is in their breach statement Monster said website user account passwords were stolen along with other personal details, including Email addresses, names and user IDs. "We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers" - statement from http://www.monster.com/ Firstly their web application is blatantly insecure by design, it's basic web application security for website (web application) passwords to be one-way hashed with a unique salt (number), which in other words making it pretty much impossible to obtain a user's actual password anyone, including a hacker or someone with full privileged access. This is bec...

The Problem with Website Passwords

We are all consumers of the Internet and as consumers we are heavily reliant website a single username and a password to identify and authenticate ourselves into the vast majority websites, the number of different websites any one typical individual is tapping in a username and password combination, is not only an awful lot and but is always increasing. Typically we are talking in the excess of 30 different websites, which range from e-commerce shopping websites, online banking, an auction sites, social networking websites, online Email, forums and message boards, World of Warcraft and even blog sites such as this one, so the list of websites requiring an individual access credential by an Internet consumer is pretty endless. Yet if someone else were to find out and use our website access credentials for ill gain, it can turn into a stressful situation at best, or a costly time consuming soul destroying nightmare of identity theft. However when it comes to the security of our website...

Why UK Data Breach Disclosure Laws are Necessary

Just before Christmas, a UK national press reporter asked for my views on public disclosure of data breaches by UK companies. The reporter was writing a piece highlighting UK companies and organisations which appear not to have a policy of publicly discolouring their data breaches, and were even dead set against any moves for new UK laws forcing public disclosure. I think the reporter was expecting a "the public has the RIGHT to know" type response; however I see a more overall fundamental benefit for having laws in place to ensure all UK companies and organisations fully disclosure data breaches to the UK general public... “Public disclosure of data breaches plays an important role in driving security improvement across industries. Public scrutiny and criticism often acts as a wake up call to companies running unnecessary risks, especially those operating in the same industry as the breached organisation. There is nothing like seeing a competitor made to run over hot coa...