Base64!
So glad my password was protected not just by SHA1, but also the industry standard additional protection of base64 encoding. Whew, I was worried there for a second. So glad they clarified that, I feel safer now.
T-shirt flogger CafePress has finally informed its customers about a serious data loss dating back to February and first reported last month. Several CafePress punters told us they had received an email this morning warning them the company had lost customer names, emails, physical addresses, phone numbers and unencrypted …
And this, dear friends, is why you NEVER allow a database to be directly accessible from the internet.
You should pass through a firewall and ONLY allow the hosts that must connect to the database connect on the specific port required for the application.
This does not prevent the application server from getting hacked and then snarfing the data via the approved firewall rule. Especially since most developers are lazy and code the userid and password in their code.
OK Captain Obvious - tell us again about rudimentary security processes; I could be a full fledged security consultant now just by repeating what you wrote again and again to companies with a clause in my contract stating that if they fail to implement my recommendations, I would get an automatic year's credit monitoring.......
"...OK Captain Obvious - tell us again about rudimentary security processes; I could be a full fledged security consultant now just by repeating what you wrote again and again to companies with a clause in my contract stating that if they fail to implement my recommendations, I would get an automatic year's credit monitoring......."
So fucking obvious, yet how many companies breach even the basic rules of security? How often do we read about hard coded passwords, unencrypted databases, apparently enterprise-grade applications/backends that have default crappy passwords left alone, database servers that aren't just left connected to the net, but also copies of them left unencrypted and forgotten about? How many times have lazy and/or incompetent devs left things like certificates and keys in their code or on cloud servers there for all to see?
Yeah it might seem obvious but fuck me if too many people can't see the woods for the trees.
It's time the ICO et al stopped pissing about and fined the company directors directly. It will do wonders for focussing their minds.
"why passwords were not properly encrypted" - because nobody checked the code, and they rolled their own security module?
The security module developer might as well have been a contractor too, and then the motto of "if it ain't broke don't fix it" was applied. I mean, it was working, right? No need to look into it to see how it does it - no time for opening cans of worms.
This usually involves using a framework that provides pretty much all the scaffolding you need and lets you focus on your business logic. Don't roll your own framework either.
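The two points above, the "SHA1 plus base64" storage from the first comment and the "rolled their own security module" theme of the last three, side by side in code. This is an added example, not code from the thread or from CafePress: the sample password, the wordlist and the PBKDF2 parameters are assumptions, and PBKDF2-HMAC-SHA256 from the standard library stands in for whatever a real framework would give you (bcrypt, scrypt or Argon2 would be equally good choices). It shows that base64 is undone in one call, that an unsalted fast hash falls to a wordlist lookup, and what a salted, deliberately slow, constant-time-verified scheme looks like.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional


# --- What the thread is mocking: SHA-1 of the password, then base64. ---
# base64 is an encoding, not encryption; SHA-1 here is unsalted and fast.
def weak_store(password: str) -> str:
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def crack_weak(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Recover the password from the 'protected' value with a wordlist.

    b64decode strips the 'extra protection' in one call, and because there
    is no salt every guess is a single SHA-1 with no secret involved.
    """
    target = base64.b64decode(stored)
    for guess in wordlist:
        if hashlib.sha1(guess.encode()).digest() == target:
            return guess
    return None


# --- What a framework's password hasher does for you. ---
# Assumed parameters: 16-byte random salt, PBKDF2-HMAC-SHA256, 600k rounds.
ITERATIONS = 600_000
SALT_BYTES = 16


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh per-user salt means identical passwords produce different
    records and precomputed tables are useless; the iteration count makes
    each wordlist guess cost ~600k hash operations instead of one.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample data, not from any breach.
    leaked = weak_store("summer2019")
    print("leaked record:", leaked)
    print("cracked as:", crack_weak(leaked, ["letmein", "summer2019", "hunter2"]))
    rec = strong_store("summer2019")
    print("proper record:", rec)
    print("verify ok:", verify(rec, "summer2019"), "wrong pw:", verify(rec, "Summer2019"))
```

Note that `crack_weak` is the whole attack: there is no key to find, so "base64 encoded" in a breach notice adds nothing to "SHA-1 hashed". With `strong_store` the same wordlist attack still exists in principle, but each guess now costs the full iteration count and must be repeated per user because of the salt.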
I don't recall ever having an account there, but I got today's warning. It includes a mention of the dangers of using the same password with multiple accounts.
It's possible that it is one of those sites that lets you log in with a Twitter account, or Facebook, or Google. I am not inclined to go and check. It seems very obvious that, while there are advantages in tracking what people look at, and a cookie should be enough for that, they don't need a full account until somebody wants to buy something.
Twitter doesn't have payment data, but Google does. I'm not a Facebook user. The way that internet operations in the USA are sharing data is worrying. The way some of them refuse to accept connections from Europe suggests they're not even trying to keep personal data safe and secure.
What can we do to be safe?