Mag publisher Future stored your FileSilo passwords in plaintext. Then hackers hit UK magazine publisher Future's FileSilo website has been raided by hackers, who have made off with, among other information, unencrypted user account passwords. FileSilo.co.uk is a website Future's mag subscribers can log into to download materials, such as Photoshop templates and graphics, for tutorials published in its print …
> El Reg asked Future for some comment on the breach and the reason why the passwords were stored in plaintext and not encrypted. In accordance with FileSilo's security policy, we sent the request in plaintext.
>
> We have not heard back. ®
Let's not be too cocky. Until rather recently, certain other sites used to force credentials and session cookies to be submitted in clear text. Glad to see they saw the error of their ways though...
I hate to literally "actually" into a conversation but...
Actually, we went HTTPS well before 2017: experimentally, while we worked in things like ads, layout components, the mobile design, and so on, HTTPS was available, we just didn't hype it before it was ready. If you tweaked the URL from HTTP to HTTPS you would have had a nice surprise. We've been working on encrypted Reg reading for months :) Props to Marco, Tony and the tech team for their work. It takes time because there are so many components to a page, and all need to be served securely.
So in short, if you hit a HTTP link, change it to HTTPS. Gradually, these will all become HTTPS automatically.
C.
"It's time directors / business owners started getting sent to prison for this.There is no excuse for storing passwords in plain text."
A lovely idea, but never going to happen. The poor teaboy will get the sack for it, like a sacrificial lamb to the slaughter. And most of the time the time pressures etc exerted on to the developers and server people are never written down. It'll be a case of their manager coming round saying "Yeah I know the passwords should be encrypted but we simply don't have the hours to do that, so don't do it ok?".
A/C because I was a mere apprentice when similar shit hit a similar fan.
As long as the scenario you described is accepted nothing will change.
How many times can the same thing happen ?
Basic Security is not hard, there are enough warnings appearing in the press every day.
It is worth paying for someones time if you cannot work it out.
As it stands there is no comeback when you get caught out, you publish a standard letter with the standard 'You are so important ....' message and continue as before.
We will get told that the problem has been fixed but how are we to know ?
I have received similar messages from other companies and there is never any follow up and the problem is just dumped on my lap to deal with.
There needs to be real consequences that matter to the companies i.e. financial
Otherwise they will just continue in the usual slapdash manner with it hardly impacting their lives at all, somewhat different to the customers they screw up !!!
As part of a recent support session with a decent sized UK cycling retailer (not the orange one) I got sent a screenshot of my account details page on their backend systems. And guess what? - there was my password displayed for all to see.
So at best reversible encyption, but I very much doubt it.
Who designs these systems?
I could name a large multinational Telecoms company that started in the City Of London that appears to store their passwords in either plain text or easily reversible format.
How do I know?
Click the "I forgot my password" and they will kindly email it to you.
Yes I emailed them.
No they didn't understand.
I remember Amstrad Action. :-)
I think it would be good to post a link to an article which states how passwords should be dealt with on servers. The main problem could be that the sales and the management team have promised impossible time scales for the website development team. They get most of the money, while all the work is done by those engineers and others.
It takes seconds (literally) to implement an encrypted password store as there are standard toolkits available that perform all the basic processes you need.
Security conscious developers will also carefully trace the flow of the unencrypted password to ensure that the code route is as short as possible and that any unencrypted copies are overwritten as soon as possible and no copies are made. It's a relatively simple process and can save a lot of potential problems down the line.
I know that Britain is leaving the EU fold, but isn’t about time to look at legislating a more responsible approach to storing user data?
The EU has the Cookie Law, which requires user consent for using cookies or any other form of local storage on a web site. Why can’t governments understand that insecure handling of user data is much more serious than storing cookies, and require organisations to conform to a minimal standard which includes better handling of user data?
"El Reg asked Future for some comment on the breach and the reason why the passwords were stored in plaintext and not encrypted. "
I'd have been a bit more pointed. I'd have also asked them to explain how this was taking their customers' security seriously. In a case like this they just shouldn't be given a free pass to come up with this junk, not even if it's printed with a pointed comment. They really should be pressed on the point.
Shocking but not surprising for a magazine publisher.
Years ago I tried to log on to a well known UK IT magazine publisher's site to manage my subscription and crashed the database web application, dumping the raw text of the SQL statement to the web page that had failed because of the apostrophe in my surname. And this was years after SQL injection attacks (and how to avoid them) had been widely publicised.
Thank **** I use a password manager that generates gibberish unique passwords for each of my logins.
A few years ago a magazine site (it's a long time ago but I think it was a consumer one about interior and exterior design) had a page on it for subscribing. No shocks there but what did catch my attention was that the main content on this page appeared to be overlaying something. Underneath visible and copyable was a customers name, (home) address and a few other details (no passwords but might have made phishing a lot easier). At first I thought they might be a dummy set supposed to populate the data fields until you typed your own in and something had gone wrong. You know something like Mr Benn, 52 Festive Road, etc. However I googled the person listed and they existed at that address, they'd filed planning applications etc. perfect person to have subscribed.
it was 5:30pm so there might not have been anyone in the office but I called the contact number for the editorial team and said you've got a problem with your website. No that'll just be the dummy data it won't be anyone real, is the response from them. So I said why don't you look at the following page and make your own mind up as to whether it's real or not. I'll hang on the phone whilst you check and once you're happy that it is I'll give you 5 minutes to remove it before I contact the ICO and then tell El' Reg. To their credit as soon as they saw the page it was obvious they were going to do something quickly as I was told if you could give us ten minutes we'll have it removed. Sure enough they did in under 8 minutes and I decided to keep it to myself. I can't remember which magazine it was but I was impressed at the speed with which it was removed.
I just looked up their privacy and security policy: "7. Security: In accordance with our requirements under the Data Protection Act 1998, we *will* adopt appropriate security procedures to help prevent unauthorised access to your information. Neither Future nor any of its group companies shall be liable for any attempt to hack or crack or otherwise gain access to any part of this website including any of your information. "
(Emphasis on the future tense is mine.) So I suppose they're acting exactly as they say they will. At some unspecified time in the future, they'll look after your data. Till then, FU! I too am grateful for password managers that allow unique, hard-to-crack passwords - not that I'll be using these particular clowns again.
"7. Security: In accordance with our requirements under the Data Protection Act 1998, we *will* adopt appropriate security procedures to help prevent unauthorised access to your information. Neither Future nor any of its group companies shall be liable for any attempt to hack or crack or otherwise gain access to any part of this website including any of your information. "
The tense actually makes sense. They're initiating an agreement with you. The agreement is about what you and they are going to do in the future; it has not past so the future tense is right.
However I don't think the ICO will be over-impressed with their disclaimer and come May next year it certainly wouldn't save them from a big fine.
Perhaps every site that offers accounts should carry a standard marking that would identify how their passwords were stored:
Big, bright red flashing turd: Passwords stored in plain text.
Big, red, non-flashing turd: Passwords stored by reversible encryption.
Amber padlock: Passwords stored hashed, no salting.
Green padlock: Passwords stored hashed with salting.
One of my pet hates (for oh so many reasons) is Verified by Visa
I generally avoid sites that use it, but occasionally have to use them for something that cannot easily be purchased otherwise (angry stare at SO and their obscure interests)
My low opinion of VbV always drops that bit further when it asks me to enter digits 4 7 and 8 (or whatever) of my pass-phrase. No decent system should be able to find ANY of my pass-phrase.
I recently registered for a special interest jobs site, and minutes later got a Thanks for Registering email with my username and password in plaintext.
Boggles the mind. I should have guessed when the password entry fields weren't even obfuscated.
They got a pretty stern response back from me.
Enforce salt and hash encryption for passwords (none of this reversible pick x of n stuff)
Make CEO criminally liable for breaches (as per HASAWA)
Make fines extortionate (as per GDPR)
Make programmers also responsible for their own mistakes (will sort the XSS, CSRF, and SQLi) [like servers are in pubs]
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
