Important online security news

Add to: Digg Add to: Add to: Facebook Add to: Furl Add to: Google Add to: Live Spaces Add to: MySpace Add to: StumbleUpon Add to: Twitter
Tuesday April 30, 2013 at 9:52am

Security breaches

US online deals website LivingSocial has been the target of hackers and user details have been comprised. They emailed all registered users with a message that explained the issues:

“LivingSocial recently experienced a security breach on our computer systems that resulted in unauthorised access to some customer data from our servers. We are actively working with the authorities to investigate this issue.

The information accessed includes names, email addresses, the date of birth of some users, and encrypted passwords; technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.

The database that stores customer credit card information was not affected or accessed. Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one.”

At least on this occasion LivingSocial state the passwords were encrypted and not stored in plain text. Apparently they were using SHA1 with a 40-byte salt. Salting elongates the password and adds complexity. They have taken a proactive approach and have already switched their hashing algorithm from SHA1 to bcrypt, a smart move.

In other news WordPress sites were the target of hackers, in particular a Botnet (a network of hijacked computers, typically controlled by a criminal gang). The goal of this Botnet was to Brute force the passwords for the default username “admin”.

Any WordPress users should change with immediate effect the default username and also use an updated strong password.

Sharing passwords across online accounts

The above attacks highlight again the important of not using the same password across multiple online accounts and where possible using two factor authentication.

Trust No One

If you use cloud storage to backup sensitive data you may want to adopt the philosophy of TNO (Trust No One). This is where only the user holds the backup key, and online data can only be decrypted by the user. However if you forget your key you won’t be able to recover your data, but at least the bad guys won’t either!

Marcus Allen
Parker Management Consultants

Comments on this post:

There aren't any comments for this post yet. Why not be the first to comment?

Share your experiences:

Your Name  
(to appear with your comment)
Email Address  
(will not be published)
Human Validation Check  
In the box below, please type the characters that you see in the picture. This helps us to ensure a real person (and not a crafty computer!) is submitting this form.

Enter the code shown to the left:

Parker Management Consultants, 1st floor, Dominion Court, 43, Station Road, Solihull, B91 3RT Contact us here