Archive

Posts Tagged ‘hack’

LivingSocial got hacked; 50 million passwords stolen, but it still hasn’t learnt all the right lessons

April 30, 2013

We learnt over the weekend that LivingSocial got hacked, and 50 million passwords were compromised (I reported on the story for Infosecurity Magazine here: 50 million LivingSocial passwords stolen). We know that the passwords were salted and hashed with SHA1. And we know that LivingSocial thinks that’s enough, because talking about the hack it said, “The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.”

It is, of course, far from enough. SHA1 hashed passwords will take only a few seconds to crack using standard rainbow tables. Salted SHA1 hashed passwords will take a little longer, but not much. The only ‘correct’ thing LivingSocial has done has been a forced password reset for its users, and a subsequent shift to the more secure bcrypt hashing algorithm. But frankly that’s too late for any users that have had their passwords stolen if they’re re-used on other accounts (statistically highly probable).

LivingSocial has so far given no details on who perpetrated the hack, with what, or when. That last is important since all of the users’ other accounts using the same password have been vulnerable since the moment the hackers exfiltrated the data. Nor do we know if the hackers gained access to any salting scripts on the server – which would largely nullify any benefit from the salt process.

I don’t have a LivingSocial account, so I’m OK. But I decided to sign up after the hack. The sign-up page wanted an email address. I gave it ‘yougottabejoking’. It also wanted a password. I entered ‘12345678’. It accepted both, and gave me an account – this account:

My LivingSocial Account – no prizes for guessing the password…

Had I done this before the hack, said hackers would now be in possession of both my email address and my password – a password that even salted and hashed would not take long to crack. If I used the same password elsewhere – as many users do – then all of those other accounts would also be cracked.

My point is this. Salting and hashing is pretty useless if the password is weak. Salting and hashing (especially with bcrypt) is very good if the password is strong. So rather than allowing me to enter 12345678, LivingSocial should be imposing a strong password policy that forces all users to use a strong password.
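To make the two halves of that point concrete, here is an added example (my own code, not LivingSocial’s and not from the original post): a registration check that rejects weak passwords such as 12345678, plus a measurement of how much more expensive a single guess becomes when the stored hash is a deliberately slow one instead of a single salted SHA1. The slow hash uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, the 12-character minimum and the tiny deny-list are assumed policy values, and the sample passphrase is constructed.

```python
import hashlib
import hmac
import os
import time

# Constructed deny-list standing in for a real list of leaked/common passwords.
COMMON_PASSWORDS = {"12345678", "123456", "password", "qwerty", "letmein", "iloveyou"}


def password_policy_violations(password, min_length=12):
    """Return the policy rules a candidate password breaks; empty list means acceptable.

    min_length=12 is an assumed policy value, not anything LivingSocial publishes.
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny-list")
    if password.isdigit():
        problems.append("digits only")
    return problems


def salted_sha1(password, salt):
    """One SHA-1 over salt+password: the scheme the post says LivingSocial used."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_hash(password, salt, iterations=200_000):
    """Deliberately slow hash (PBKDF2-HMAC-SHA256, stdlib) standing in for bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def register(password, min_length=12):
    """Enforce the policy first, then store a fresh random salt and a slow hash."""
    problems = password_policy_violations(password, min_length)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    salt = os.urandom(16)
    return {"salt": salt, "hash": slow_hash(password, salt)}


def verify(record, password):
    """Recompute the slow hash with the stored salt and compare in constant time."""
    candidate = slow_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def cost_ratio(password="12345678", iterations=200_000, sha1_samples=2000):
    """How many times more expensive one slow-hash guess is than one salted-SHA1 guess.

    A guesser's throughput is inversely proportional to this number, which is the
    whole reason the post's move to bcrypt matters.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(sha1_samples):
        salted_sha1(password, salt)
    sha1_per_guess = (time.perf_counter() - start) / sha1_samples
    start = time.perf_counter()
    slow_hash(password, salt, iterations)
    slow_per_guess = time.perf_counter() - start
    return slow_per_guess / sha1_per_guess


if __name__ == "__main__":
    print(password_policy_violations("12345678"))
    try:
        register("12345678")
    except ValueError as err:
        print(err)
    record = register("Tq7-vault-lantern-42")  # constructed sample passphrase
    print(verify(record, "Tq7-vault-lantern-42"), verify(record, "12345678"))
    print("one slow-hash guess costs ~%.0fx a salted SHA-1 guess" % cost_ratio())
```

Note that the salt is stored next to the hash in plain form; salts are not meant to be secret, they only stop one guess from being reused across accounts, and the policy check is what stops 12345678 from ever being stored at all.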

Categories: All, Security Issues

israel-trade.org got hacked – israeltrade.org did not

April 7, 2013

There’s a really nice hack of israel-trade.org – visually very, well, nice. And coming at the beginning of the ‘Anonymous’ war on Israel, I suppose it is only to be expected.

Nice hack design on israel-trade.org

Thing is, I’m not sure whether saying ‘you’re hacked’ on your own website is genuine hacking…

There is a very similar sounding site called israeltrade.org – and that site is still (at least at the time of writing this) running fine.

israeltrade.org still running…

But israel-trade.org got got – and oh look – it only took the hacker a couple of hours from registration to hack…

israel-trade whois

A rather late April Fool joke on the media, I suspect.

Categories: All, Security Issues

Senator Keith Alexander predicts the foretold cyber attack

March 13, 2013

Strange little article in ZDNet today: Senator warns banks of cyberattack risk, Chase Bank targeted within minutes.

It’s strange on several counts. Firstly, it seems that General Keith Alexander, head of the U.S. military’s Cyber Command, has been promoted (or demoted) to Senator – for it seems to be he who issued the warning.

Then he was gifted with prescient superpowers. He warns of further attacks on the banks.

As if in silent agreement, hackers — potentially with a morbid sense of humor — decided to attack Chase Bank’s website within minutes of the speech, and this was later confirmed by the bank to CNBC. It is unknown whether the cyberattack was connected, but either way, the timing was ironic.

The attack itself was, predictably, a denial-of-service (DoS) attack, although it is unclear whether any financial or account data has been compromised or stolen.
Senator warns banks of cyberattack risk, Chase Bank targeted within minutes

Hmm. How clever of the general to foresee this attack. Who else – certainly not ZDNet apparently – would have had the intelligence to translate the al-Qassam Cyber Fighters’ public statement last week that phase 3 of their operation against US banks had started; and that, as before “a number of american banks will be hit by denial of service attacks three days a week, on Tuesday, Wednesday and Thursday during working hours” into an actual attack on an actual US bank on an actual Tuesday.

I’d like to predict, based on my superhuman knowledge of the current threatscape, that a US bank will be hit on Thursday – and if not on Thursday, then next Tuesday or Wednesday or next Thursday. The motivation, however, is not a morbid sense of humour, but simple, plain, good old indignation.

Categories: All, Security Issues