It’s become fashionable to assume that all cybercriminality these days is about money.
In other words, attacks that aren’t likely to be worth anything aren’t likely.
It’s also fashionable to assume that the attackers are increasingly and exclusively after rich and fruitful targets, such as multinationals and governments.
In other words, if you’re a little guy, you’re off the radar and can stay safe online simply by keeping your head down.
Sure, cracking into systems just for the fun of it – the lulz – was briefly popular a couple of years ago, thanks to the appositely-named Lulzsec crew, but a bunch of arrests seemed to put paid to all of that.
But those arrests didn’t stamp out cracking for the sake of it. There’s still plenty of gratuitous, “because it’s there” digital break-and-enter going on.
Even if you run a tiny website and don’t have much to hide, you (and your customers) are nevertheless at risk from criminals like the appositely named @JokerCracker, who openly gives his reason for hacking as, “It’s just a personal challenge.”
JokerCracker has announced a number of hack-and-reveals over the past few days.
That’s where he digs around on your website for holes, probably using automated tools to find what software you’re running, and what vulnerabilities he can most easily exploit.
Once he knows a likely way of tricking your webserver into dumping one or more of its databases, instead of simply answering one of your pre-arranged queries (the classic route is SQL injection, where text typed into a web form ends up being run as part of the query itself), he’ll extract what he can, and upload anything that looks like Personally Identifiable Information (PII) to a public drop site, where data-theft voyeurs can grab it at will.
The final step is a tweet to let the world know.
A sad example over the weekend was his hack of a boutique Australian babycare site. He only made off with about 900 records, perhaps because that’s the whole database collected by the site owner.
(Only email, screen name and passwords were leaked. Your full name, your child’s name and birthday, requested on signup, didn’t appear in the dump. That’s a small mercy, I suppose.)
The passwords, as you may have guessed already, weren’t hashed or obscured at all. They were all stored in plain text.
- If you are a user of a website that gets hacked this way, and you shared your password with any other sites, change those passwords immediately, and stop re-using passwords.
- If you’re the owner of a website that gets hacked this way, consider publishing a warning on your main page and alerting your users.
- If you’re the operator of any sort of web site or similar online property, don’t keep plaintext passwords. Store a salted, deliberately slow hash (bcrypt, scrypt or PBKDF2) and nothing else, so that a stolen database doesn’t hand your users’ passwords straight to the thief.
- If you think a site is storing plaintext passwords, consider withdrawing from it until it stops doing so.
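To make the operator’s point concrete, here is an added example (not code from the breached site or from this article’s author) contrasting what the babycare site did with what it should have done. It assumes PBKDF2-HMAC-SHA256 with a 16-byte random salt per user and 600,000 iterations; the sample accounts are constructed, not taken from the dump. Two of the constructed users chose the same password, which a plaintext dump reveals at a glance and a salted-hash dump does not.

```python
import hashlib
import hmac
import os

# Parameters assumed for this example: PBKDF2-HMAC-SHA256, a 16-byte random
# salt per user, and 600,000 iterations (a deliberately slow work factor).
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The 'before': what the breached site did. The stored value IS the password."""
    return password


def hash_password(password: str, salt: bytes = b"") -> str:
    """The 'after': keep only a salted, slow hash, in a self-describing string.
    A fresh random salt is generated unless one is supplied (e.g. for tests)."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample accounts (not data from the breach). Two users picked
# the same weak password.
SAMPLE_USERS = [
    ("alice@example.com", "alice", "password123"),
    ("bob@example.com", "bobby", "password123"),
    ("carol@example.com", "caz", "correct horse battery staple"),
]


def build_tables():
    """Return (plaintext_table, hashed_table) as a database dump would expose them."""
    plaintext_table = [(e, n, store_plaintext(p)) for e, n, p in SAMPLE_USERS]
    hashed_table = [(e, n, hash_password(p)) for e, n, p in SAMPLE_USERS]
    return plaintext_table, hashed_table


def password_reuse_visible(table) -> bool:
    """True if a dump of this table shows which users share a password.
    With per-user salts, identical passwords produce different stored values."""
    stored_values = [row[2] for row in table]
    return len(set(stored_values)) < len(stored_values)


if __name__ == "__main__":
    plain, hashed = build_tables()
    for row in plain:
        print("plaintext:", row)
    for row in hashed:
        print("hashed:   ", row[0], row[2][:40] + "...")
    print("reuse visible in plaintext dump:", password_reuse_visible(plain))
    print("reuse visible in hashed dump:   ", password_reuse_visible(hashed))
```

The stored string carries the algorithm, iteration count and salt alongside the digest, so the work factor can be raised later and old records re-hashed on the user’s next successful login; the constant-time comparison avoids leaking how many bytes of a guess were right.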
Note that the last point implies that you can easily tell whether a site is doing the right thing with your passwords.
Fortunately, many sites publish, or will tell you if you ask, how they deal with password storage and reset.
But others won’t, and often that’s because they know they have bad news, or don’t even realise the importance of the question.
In that case, you may be able to find out simply by trying a password reset.
If you get your old password back in an email, the site must have been storing it in a recoverable form, so treat that as conclusive. A password reset link is the right behaviour, but it isn’t proof of good storage: a site can send reset links and still keep the passwords themselves in plaintext.
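For contrast with emailing the old password back, here is an added example (not the code of any site mentioned in this article) of how a reset link can be issued without the server ever needing to know the user’s password. The token is random, single-use and short-lived, and only its hash is kept, so a stolen reset table is as useless to a thief as a properly hashed password table. The 15-minute lifetime, the in-memory table and the example.invalid URL are assumptions for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed: a reset link is valid for 15 minutes

# In-memory stand-in for the reset-token table (a real site would use its
# database). Keyed by the SHA-256 of the token, never by the token itself,
# so a dump of this table cannot be used to reset anyone's password.
_pending_resets = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: float = None) -> str:
    """Create a single-use reset token for the user and return it for the email.
    Nothing about the user's current password is needed or touched."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending_resets[_token_key(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, now: float = None):
    """Return the user_id the token belongs to, or None if it is unknown,
    already used, or expired."""
    now = time.time() if now is None else now
    entry = _pending_resets.pop(_token_key(token), None)  # pop: works at most once
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id


def reset_email_body(token: str, base_url: str = "https://example.invalid/reset") -> str:
    """What goes in the email: a link carrying the token, and no password at all."""
    return f"To choose a new password, visit {base_url}?token={token} within 15 minutes."


if __name__ == "__main__":
    t = issue_reset_token("user-42")
    print(reset_email_body(t))
    print("first use  ->", redeem_reset_token(t))
    print("second use ->", redeem_reset_token(t))
```

Because the token is consumed on first use and expires on its own, a leaked mailbox gives an attacker a narrow window at best; the site, meanwhile, never had to be able to produce the old password.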
Babycare Advice, for what it’s worth, doubles up on its insecure behaviour because it doesn’t use HTTPS during its login phase; worse still, it doesn’t even use HTTP Digest authentication, the “challenge-response” scheme in which the browser sends a hash computed from the password and a one-time server nonce rather than the password itself. That would at least keep the password off the wire (though it protects nothing else in the session, and is no substitute for HTTPS). As it is, your password is there, in the clear, waiting to be sniffed.
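To show what the challenge-response scheme does and doesn’t buy you, here is an added example (not code from the site or from this article) that works through the HTTP Digest computation of RFC 2617 with qop=auth. The realm, nonce and credentials are constructed values. The browser side uses the password only locally; the server side verifies with just HA1 = MD5(username:realm:password) on file. The example also goes one step past the paragraph to show the two caveats a practitioner would want: a stolen HA1 is a password-equivalent (the thief can answer challenges without the password), and because HA1 is unsalted MD5 it is cheap to guess offline.

```python
import hashlib
import hmac


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): all the server needs to store."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    h2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_authenticate(username, realm, password, method, uri, nonce, nc, cnonce):
    """Browser side: the password is hashed locally and never sent."""
    return digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def crack_ha1(stolen_ha1, username, realm, guesses):
    """Offline attack on a stolen HA1 table: one unsalted MD5 per guess."""
    for guess in guesses:
        if ha1(username, realm, guess) == stolen_ha1:
            return guess
    return None


# Constructed values for the walk-through (not from any real exchange).
REALM = "babycare"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # would be fresh per challenge
CNONCE = "0a4f113b"
NC = "00000001"


def walkthrough():
    """Return (legit_ok, forged_ok, recovered_password) for the sample user."""
    user, password = "mum123", "hunter2"
    stored = ha1(user, REALM, password)            # what the server keeps
    # 1. Legitimate login: only the response crosses the wire.
    resp = client_authenticate(user, REALM, password, "POST", "/login", NONCE, NC, CNONCE)
    legit_ok = server_verify(stored, "POST", "/login", NONCE, NC, CNONCE, resp)
    # 2. Pass-the-hash: a thief holding the HA1 table answers a new challenge
    #    without ever learning the password.
    fresh_nonce = "1b2c3d4e5f60718293a4b5c6d7e8f901"
    forged = digest_response(stored, "POST", "/login", fresh_nonce, NC, CNONCE)
    forged_ok = server_verify(stored, "POST", "/login", fresh_nonce, NC, CNONCE, forged)
    # 3. Offline guessing against the unsalted MD5.
    recovered = crack_ha1(stored, user, REALM, ["password", "123456", "hunter2", "letmein"])
    return legit_ok, forged_ok, recovered


if __name__ == "__main__":
    print(walkthrough())
```

So Digest authentication keeps the password itself off an unencrypted connection, which is better than what the site does, but the server still holds a password-equivalent, the rest of the session is still readable, and a sniffed response can be guessed offline just as HA1 can. HTTPS is the fix; Digest is a stopgap at best.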
Web site users, be vigilant. If you think a site is not treating your PII with the respect it deserves, even for so-called casual or throwaway logins, then consider working, shopping or playing somewhere else.
Web site operators, don’t be happy with the security standards of ten, five or even two years ago. Show that you care about PII and help to build and maintain the trust of your customers.