British tech news site TechRadar is the latest in a string of websites to come forward and admit it was hacked: users' email addresses, usernames, "encrypted" passwords and dates of birth were accessed by criminals.
It appears the theft was either discovered by TechRadar itself or disclosed to it privately, as the notices went out to users of its forums before any of the data had been leaked publicly.
This does bring up an important issue though. Is it really a good idea to share your date of birth with a random tech forum?
Why do so many websites, grocery stores, hotels and other establishments think it is appropriate to ask for something so important to our identities?
When asked to share your birth date, postal code or any other personal information, ask yourself: is there a legal reason they need to know, or is it just a nice-to-have?
TechRadar says that the passwords were "encrypted". I am not sure how to take that.
Were they hashed? Were they salted? How many rounds? Saying "encrypted" raises more questions than it answers. If the passwords really were encrypted (reversibly) rather than hashed, a stolen key would expose every one of them; a salted, iterated hash is what users should hope for, because it forces an attacker to guess each password separately and pay for every guess.
TechRadar does share some good advice with its users: don't use the same password on more than one site, and if you did, change them all immediately.
The forums at TechRadar are still offline while it investigates the incident and I do applaud them for coming forward about this situation.
Rather than debate the correct way to hash, salt and store passwords, I would suggest that preventing your database from being compromised in the first place should be the first priority.
DoB is often required because of legal actions taken in the US to "protect" under-18s, which leaves sites' legal advisors risk-averse and needing to demonstrate they have attempted to screen younger readers even when the content is perfectly safe for under-18s.
I think it's obviously good practice to provide as little personal info as possible. As data theft is becoming more common than ever, everyone should avoid password/pattern reuse!
Never reusing anything sounds good in theory. In practice it is a lot more difficult. I currently have a printed list of 132 sites (ranging from banking to MMOs to WheresGeorge) and each one has a login with a password. Managing it all without reuse is growing ever more difficult in today's world.
Well, that's weird but here is a tip:
use one password but add to the end of it or the beginning a prefix. example:
password: !G@V639
use the same password but add a prefix:
facebook: !G@V639+fb- [added prefix: +fb-]
gmail: !G@V639+gm- [added prefix: +gm-]
this will be enough if your password is strong enough!
Good luck
I considered this. But if I'm able to get ahold of your password and cast a human eye with a little deduction, I'm going straight to PayPal with "G@V639+pp".
Problem with that is if/when the hashes are broken and posted online, your username with your cracked password will appear, so anyone targeting you can search for your username/email address, see what password you used "——+fb-" and then think "aha!" and go off and try "—–+az-" for Amazon and whatnot.
I guess ensure root and in fact any other users are password protected; if possible only allow root access from the localhost. Use prefixes on table names to make it more difficult to guess your way around the DB, don't display errors to the end user which may give away useful info to attackers, clean inputs and restrict input size to reduce the risk of SQL injection. Limit the number of results returned per request… Can't think of any more off the top of my head.
Off the top of my head I guess some of these things may help…
All DB users, including root, use a strong password. If possible, root access should only be granted to the localhost. Clean any inputs, escape characters etc. and limit the length of inputs to reduce the risk of SQL injection. Limit the results queries return. Using prefixes on tables may make it harder for someone unfamiliar with the DB to guess their way around? Oh, and don't display error messages which may return useful information to attackers such as DB location, table names etc. If needed, use a more generic error message.
Would hosting the DB in a different location help?
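The two comments above list input cleaning and generic error messages among the defences against SQL injection. The added example below (my own code, not TechRadar's or any commenter's; the in-memory SQLite table, the usernames and the hash strings are constructed for the demo) shows the vulnerable string-built query beside the parameterized form, why the second one resists the classic `' --` bypass where "cleaning" is easy to get wrong, and what a raw database error hands an attacker compared with a generic failure message. Storing the password hash in the same table and comparing it in SQL is a simplification so the injection stays visible; a real login fetches the hash and compares it in application code.

```python
"""Added example: parameterized queries versus string-built SQL, plus a
generic error path.  Not TechRadar's code; schema and rows are constructed."""
import logging
import sqlite3

log = logging.getLogger("db")


def make_db():
    # In-memory database with a constructed users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def login_vulnerable(conn, username, password_hash):
    # The query text is assembled from user input, so the input can change
    # the SQL itself: "alice' --" closes the string and comments out the
    # password check entirely.
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND pw_hash = '%s'" % (username, password_hash))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password_hash):
    # Placeholders send the values separately from the statement text, so a
    # quote or comment marker inside them is data, never SQL.
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]


def probe_vulnerable(conn, username):
    """Returns the raw database error text that an unhardened page would
    echo back to the attacker (empty string if the query ran)."""
    try:
        login_vulnerable(conn, username, "x")
        return ""
    except sqlite3.Error as exc:
        return str(exc)


def login_with_generic_errors(conn, username, password_hash):
    """Hardened path: length limits, parameterized query, detailed error
    logged server-side, and only a generic message returned to the user."""
    if len(username) > 64 or len(password_hash) > 128:
        return None, "login failed"
    try:
        rows = login_parameterized(conn, username, password_hash)
    except sqlite3.Error as exc:
        log.error("database error during login for %r: %s", username, exc)
        return None, "login failed"
    if not rows:
        return None, "login failed"
    return rows[0], "ok"


if __name__ == "__main__":
    db = make_db()
    print("bypass via string-built SQL:", login_vulnerable(db, "alice' --", "wrong"))
    print("same input, parameterized:", login_parameterized(db, "alice' --", "wrong"))
    print("leaked error text:", probe_vulnerable(db, "'"))
    print("generic handler:", login_with_generic_errors(db, "'", "x"))
```

Escaping quotes by hand is fragile because every database dialect has its own set of special characters; the parameterized form never has to know them. The length limit is still worth keeping, but as a denial-of-service guard rather than an injection defence.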
People re-use passwords because nobody can remember hundreds of different passwords for every site they ever use. Sometimes the only alternative is single-use throwaway ones (go through the reset password process every time you want to access the site) for everything you don't visit on a regular enough basis to be able to commit to memory.
There has to be a better way.
Just received that notice just now… so that's TWO so far in two weeks for me… TechRadar… and LinkedIn… both popular sites… hmmmmm… stay tuned kids!
So the question is then…is this attack really about the password or the email address? Since both of those accounts have the same email account in common I'm wondering.
That also brings to mind what I found at my MS TechNet account two weeks ago… my dormant one… : ) … when I went to renew, my email address had been changed… Microsoft tried to tell me it wasn't hacked… but I put in a trouble ticket anyway… they did call me back and we went through the whole list of why the email address could not have been changed easily.
To have a TechNet account they would like you to use a "Live ID" from either hotmail.com or Live.com, and some of the old guys used to use msn.com if I remember right.
So if Microsoft TechNet was hacked… it could have been that my email was too… (over 15 characters for a password)… or not…
The curious thing was the site (url) that the email was assigned to was up for sale…
AND… what causes a whole lot more distrust swinging in the pendulum… Microsoft very well may not have known until I brought it up… or they knew and aren't telling anyone yet.
3 down and more to go? wait and see kids…
As I always tell my computer clients…"if man made it man can break it…"
db
sounds almost like a "flame variation"…
Whilst I'm sure it's not a great day for the team at TechRadar, and there are probably a few questions to be answered, I'm glad they've gone on the front foot and let everyone know about the issue.
Seeing the amount of compromises we do (via a site I manage), disclosure is a lot less common than you might think.
Stock phrase in these things (with minor variations): "we take the security of your data extremely seriously".
No you don't. If you did, you wouldn't have a need to send that message.
I NEVER enter my real date of birth, I always use a fake one. Leads to LOLs when people see it's my birthday online and it isn't really, though. I also never use real answers to security questions. I base my answer on the site itself, so my first pet's name on PayPal could be "hastings!paypal#1066" or whatever.
It’s the second in two weeks for me too, but at least I heard about this from TechRadar first.
I'm glad to say for me it's just an inconvenience. They don't have my date of birth nor my real name, and because I'm paranoid I use a different username, email address and password for every site 😉
The update on their web site says “the passwords in the stolen data were encrypted using two rounds of an industry standard algorithm which was salted.”
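The article asks whether the passwords were hashed, salted and how many rounds were used, and the comment above quotes TechRadar's update answering "two rounds" and "salted". The added example below (my own code, not TechRadar's; the two-round function is one plausible reading of their phrase and is an assumption, and the salts and the five-word list are constructed for the demo) shows why those questions matter: it contrasts an unsalted digest, a salted two-round SHA-1, and PBKDF2-HMAC-SHA256, and runs the same offline dictionary attack against each, counting how many hash computations the attacker has to pay per leaked record. Salting stops one precomputed table from cracking every account; only the iteration count makes each individual guess expensive.

```python
"""Added example: what 'hashed', 'salted' and 'rounds' each buy you.
Not TechRadar's code; the two-round scheme is an assumed reading of their
update and the wordlist and salts are constructed."""
import hashlib
import hmac
import os


def unsalted_sha1(password):
    # No salt: identical passwords give identical digests, so one table of
    # precomputed digests cracks every account at once.
    return hashlib.sha1(password.encode()).hexdigest()


def salted_two_rounds(password, salt):
    # ASSUMED reading of "two rounds of an industry standard algorithm which
    # was salted": salted SHA-1, fed through SHA-1 once more.  Returns the
    # digest and the number of hash computations an attacker pays per guess.
    first = hashlib.sha1(salt + password.encode()).digest()
    second = hashlib.sha1(salt + first).digest()
    return second.hex(), 2


def pbkdf2_sha256(password, salt, iterations=100_000):
    # Salted and iterated: every guess costs the attacker `iterations`
    # HMAC computations, not two.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return digest.hex(), iterations


def crack(stored_hex, salt, kdf, wordlist):
    """Offline dictionary attack against one leaked record.
    Returns (recovered password or None, hash computations spent)."""
    spent = 0
    for guess in wordlist:
        digest, cost = kdf(guess, salt)
        spent += cost
        if hmac.compare_digest(digest, stored_hex):
            return guess, spent
    return None, spent


# Constructed wordlist for the demo; real attacks use millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "techradar1", "summer2012"]


if __name__ == "__main__":
    salt = os.urandom(16)
    leaked = "summer2012"
    print("unsalted, same password twice:",
          unsalted_sha1(leaked) == unsalted_sha1(leaked))
    print("salted, two different salts:",
          salted_two_rounds(leaked, b"s1")[0] != salted_two_rounds(leaked, b"s2")[0])
    for name, kdf in (("salted two rounds", salted_two_rounds),
                      ("PBKDF2 100k", pbkdf2_sha256)):
        stored, _ = kdf(leaked, salt)
        print(name, "->", crack(stored, salt, kdf, WORDLIST))
```

Two rounds of a fast hash leaves every guess almost free; a cracker with a GPU and a large wordlist recovers most forum passwords from such a dump in hours, which is why the reuse warning in the article is the advice that actually protects users.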