Online Security - Part One
28 August 2012

Have you Considered Online Security?

It seems increasingly common to read reports of web site owners not taking as much care over the security of our personal data as both we and the authorities believe they should. Is this because they do not value our data, are just not aware, or worse, not capable of implementing adequate security?

Just browsing some of the recent headlines should start to worry you.

Sony – String of dates 2011-2012

http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html

Troy Hunt, a security commentator, summarised the string of events in Sony's recent past best. 77 million Sony Playstation Network accounts compromised initially, but then the company went on to a string of other breaches, the most recent being Sony Pictures.

You can read the full list of failures here http://attrition.org/security/rants/sony_aka_sownage.html but Troy Hunt's blog post analysing the issue makes interesting reading – particularly that although the blame was apportioned and the culprits stood up, they didn't learn from their mistakes and act quickly. http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html

What was lost? Names, addresses and some other personal data including, possibly, credit card information.

LinkedIn – June 2012

http://www.bbc.co.uk/news/technology-18338956

It may seem a while ago now but it was only two months ago that LinkedIn was hacked and the passwords of 6.5 million of their 150 million registered members were stolen. At least LinkedIn had them stored in an encrypted format, which will certainly be a partial saving grace, but the perpetrators have plenty of time to try and crack through the encryption. Unfortunately there seems to be a vast group of hackers now going through the accounts one by one and breaking that encoding.

What was lost? It's not so much the data that was stolen but the data on the LinkedIn systems that this gives access to.

eHarmony – June 2012

http://mashable.com/2012/06/07/eharmony-password-hacking/

On almost the same day as the LinkedIn news we heard of eHarmony losing 1.5 million records, though some observers think the figure higher. The estimate came from the list posted online but LastPass were reported to suggest they were 99% certain there were more.

What was lost? The hacker posted only password files online without the login details but it is almost certain they have those as well.

Yahoo – July 2012

http://news.cnet.com/8301-1009_3-57471178-83/yahoos-password-leak-what-you-need-to-know-faq/

After Yahoo covered the failures at LinkedIn in some detail we heard a few weeks later of their own Voices site being hacked and 450,000 usernames and passwords taken. This time it was way worse as the passwords seemed to have been stored in plain text – atrocious practice and such a basic error.

What was lost? Again user names and passwords, but as they were in plain text the hackers could get access immediately and compromise much more personal data. Curiously, Yahoo claimed that only 5% of the stolen details had valid passwords. There doesn't seem to be any clarification on what was meant by this.

Tesco – August 2012

http://www.bbc.co.uk/news/technology-19316825

A number of leading experts in the field flagged this one up and now the Information Commissioner is going to look into the matter. Quite simply, Tesco have been emailing your forgotten password to you. Firstly, email is the most insecure method of communicating information and secondly, for the system to be able to send the password, it must be able to create it in plain text inside the system. That in turn means that if someone could hack into the Tesco site they may be able to get at the same routine. Worst case is that Tesco were, like Yahoo, storing it in plain text in the system in any case.

What was lost? Nothing directly at this time but it does flag up what could be poor practices.
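For contrast with the plain-text storage and emailed passwords described above, here is an added example (not code from Tesco, Yahoo or this article) of a site that keeps only a salted, slow hash of each password and handles "forgot password" with a single-use, expiring token. The in-memory dictionaries, the function names and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores for the example; a real site would use its database.
USERS = {}          # username -> (salt, derived_key); the password itself is never kept
RESET_TOKENS = {}   # sha256(token) -> (username, expiry); the raw token is never kept
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def _derive(password, salt):
    # Slow, salted, one-way: the server cannot turn this back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def set_password(user, password):
    salt = secrets.token_bytes(16)  # unique per user, so equal passwords differ
    USERS[user] = (salt, _derive(password, salt))

def check_password(user, password):
    if user not in USERS:
        return False
    salt, stored = USERS[user]
    # Constant-time comparison of the derived keys.
    return hmac.compare_digest(_derive(password, salt), stored)

def start_reset(user, ttl=900, now=None):
    """Return a random token to put in the emailed link (never the password)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (user, now + ttl)
    return token

def finish_reset(token, new_password, now=None):
    """Accept the token once, before it expires, and store the new password."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # pop makes the token single-use
    if entry is None:
        return False
    user, expires = entry
    if now > expires:
        return False
    set_password(user, new_password)
    return True
```

With this design there is nothing the site could email back to a user who forgets a password, and a copy of the user table gives an intruder salts and derived keys rather than working credentials.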

Continued

The string of reports goes on...

  • Blizzard's Diablo 3 network
  • League of Legends (European servers)
  • Nvidia (Developers Forums – 400,000 user IDs, birthdays, location, gender etc)
  • Sega (1,290,000 user accounts including names, dates of birth, emails and encrypted passwords)
  • Formspring (420,000 user accounts)

Here's one that slipped through, and it is surprising how many US universities appear in the published list of breaches in the USA: Nebraska University (654,000 records including name, address, social security numbers, transcripts, housing and financial aid information and, in some cases, bank account details).

 

Part Two tomorrow with a few ideas on how to look after yourself and perhaps the most important breach that was announced earlier today.