News, tips and updates from the GetSafeOnline.org team
Have you been Rocked.
by Tony Neate on December 18, 2009
Another guest blog from Richard Hollis
Did you see the news recently that social networking site RockYou suffered a data breach exposing over 32 million user accounts? If that wasn’t bad enough, it was also revealed that they were apparently storing all that data (user account information) in plain text in their database. This fact came to light only because, when RockYou attempted to downplay and dismiss the severity of the incident, the hacker responsible published a sample of the data to prove it and to demonstrate that all the accessible user passwords were stored unencrypted.
To make matters worse, the published dataset also contained user password and logon credentials for other social networking sites.
So however you do the maths, there is a possibility that this hack directly affected you if you use a social networking site. The hacker was able to access this information through a SQL injection vulnerability on the RockYou site. This hacking technique is old, widely known and does not require a great deal of expertise to execute. The point is that any online business even marginally concerned with security would have closed off this easily exploited security hole before even thinking of launching their site – but apparently not RockYou.
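The injection flaw described above comes down to one coding habit: splicing user input into the SQL text instead of passing it as a parameter. The following example is added here and is not code from the blog post or from RockYou; it uses a constructed in-memory SQLite table with invented usernames to show the vulnerable pattern beside the hardened one. A username containing a single quote is enough to break the concatenated query (which is also how such holes are usually found), while the parameterised version treats the same input purely as data.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demonstration (not RockYou's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("o'brien", "hash-of-obrien")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: user input is concatenated into the SQL text.

    Any quote character in `username` changes the statement itself instead of
    the value being compared, which is exactly what SQL injection exploits.
    """
    sql = "SELECT username, password_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, username):
    """Hardened pattern: placeholder plus bound parameter.

    The driver sends the value separately from the query text, so it can
    never be parsed as SQL no matter what characters it contains.
    """
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()


def demo():
    """Run both lookups against the same inputs and collect the outcomes."""
    conn = make_db()
    results = {}
    results["unsafe_plain"] = lookup_unsafe(conn, "alice")
    results["safe_plain"] = lookup_safe(conn, "alice")
    results["safe_quote"] = lookup_safe(conn, "o'brien")
    try:
        # The quote in the name ends the string literal early and the
        # remainder is parsed as SQL, so the statement no longer compiles.
        results["unsafe_quote"] = lookup_unsafe(conn, "o'brien")
    except sqlite3.Error as exc:
        results["unsafe_quote"] = f"SQL error: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The fix is not input filtering but separating code from data at the database interface; every mainstream database driver offers parameter binding of this kind.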
Their attitude towards security is further demonstrated in their published password policies, as they only mandate a minimum length of 5 characters for their account passwords. They have no requirement for mixed case or alpha-numeric characters and in fact enforce password simplicity by not allowing any punctuation at all. This is where RockYou gets it wrong. Passwords are the very foundation of online security. At this time of year we should think of them like underwear: the longer the better.
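Two of the failures the post describes, the lax password policy and the plain-text storage, are both things a service can fix in a few dozen lines. The example below is added here and is not code from the blog post or from RockYou. It encodes the policy as the post describes it (minimum of 5 characters, punctuation rejected) purely for contrast, beside an assumed stronger policy (12 characters and at least three character classes, values chosen for this example), and stores passwords as salted PBKDF2-HMAC-SHA256 hashes from the standard library rather than in clear text. The iteration count is an assumed work factor in line with commonly published guidance.

```python
import hashlib
import hmac
import os
import string

# Assumed policy values for this example, not a standard anyone mandates.
MIN_LENGTH = 12
MIN_CLASSES = 3
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def weak_policy_accepts(password):
    """The policy as the post describes it: 5+ characters, no punctuation."""
    return len(password) >= 5 and not any(c in string.punctuation for c in password)


def policy_violations(password):
    """Return the rules of the stronger policy that a candidate password fails."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    if sum(classes.values()) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


def hash_password(password, salt=None):
    """Derive a salted, iterated hash; this string is what the database stores.

    The clear-text password never reaches disk, so a dump of the table gives
    an attacker work to do per guess instead of a ready-made credential list.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ("abcde", "Correct-Horse-9"):
        print(pw, "weak policy accepts:", weak_policy_accepts(pw),
              "strong policy violations:", policy_violations(pw))
    record = hash_password("Correct-Horse-9")
    print("stored:", record)
    print("verify correct:", verify_password("Correct-Horse-9", record))
    print("verify wrong:", verify_password("Correct-Horse-8", record))
```

Storing only the salted hash means a breach like the one described exposes hash strings rather than passwords, and because each record carries its own random salt, identical passwords across users produce different stored values.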
Learn a lesson from this incident – buyer beware! Next time you sign up to a social networking site, or any web service for that matter, read the fine print. What is their security policy? Do they have one? If they don’t publish it on the site – chances are they don’t. Sending you open text passwords in emails is another indication that their approach to security may be short of your expectations. Read the privacy statement. Do they inform their customers about losses or breaches? Do you want to use them if they don’t? The choice is yours.
GetSafeOnline.org is a free public service from HM Government, the Serious Organised Crime Agency (SOCA) and partners from the private sector. We help individuals and micro-businesses use the internet safely.
Richard Hollis – Orthus Ltd