Malware Measures & Vulnerabilities

Consider outside of the package for security - It can be exposing...

As reported in the past few days, a site selling Durex condoms has had a small 'exposure' problem. According to the reports, the site had been suffering (for how long is unknown) from several basic security exposures, including allowing orders to be viewed online without a login - simply by changing the order number!

I know that this is a 'simple' mistake, but come on, folks. This isn't 1998, where you wrote apps in MS Access and wrapped a report around them! This is (was?) a fully fledged shopping system, with, um... confidential information regarding previous orders (hmmm... size... color... flavors???).

According to the lawsuit, the company took quick action to pinch off the problem, but who knows how long it was exposed? What is more interesting to me is that this problem was found by an unsophisticated user. I mean, he wasn't a cracker, malware engineer or death-defying trojan writer. He was a customer who said, "Hmm... I wonder..." Perhaps we can all take a lesson from this scenario and consider not just thinking outside of the box with security, but also using, I suppose, accidental techniques to test services and applications. I'm sure my tester friends have a technical term for this, but it just goes to show that sometimes 'what if' is a testing parameter.
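To make the order-number exposure concrete from the defender's side, here is an added example (not code from the original post or from the site in question) showing the unchecked lookup beside a version that ties each order to the logged-in customer, plus a simple log check that surfaces the "change the number and see" probing described above. The order store, customer ids and log lines are all constructed for illustration.

```python
# Added example, not from the original post; all names and data are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    detail: str

# Constructed order store, keyed by a sequential order number.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, customer_id=7, detail="order for customer 7"),
    1002: Order(1002, customer_id=8, detail="order for customer 8"),
    1003: Order(1003, customer_id=7, detail="second order for customer 7"),
}

class Forbidden(Exception):
    """Request is unauthenticated or not authorized for this order."""

def view_order_insecure(order_id: int) -> Optional[Order]:
    """The bug the post describes: whoever supplies an order number gets
    the order back, with no login and no ownership check."""
    return ORDERS.get(order_id)

def view_order_secure(session_customer_id: Optional[int], order_id: int) -> Order:
    """Hardened handler: require a logged-in customer, then check that the
    order belongs to that customer. A missing order and another customer's
    order raise the same error, so the response does not confirm which
    order numbers exist."""
    if session_customer_id is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        raise Forbidden("order not found")
    return order

def flag_order_probing(log_lines: List[str], threshold: int = 5) -> Set[str]:
    """Detection side: each constructed log line is 'client_ip order_id'.
    Return clients that requested more than `threshold` distinct order
    numbers, the trail a 'change the number and see' exposure leaves."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        client, order_id = line.split()
        seen[client].add(order_id)
    return {client for client, ids in seen.items() if len(ids) > threshold}
```

The ownership check belongs in the handler itself, not in the link that renders the order number, since the number is the only thing the client controls.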

Usually conversations in this context deal with adult-content oriented websites - those are usually the first and most often attacked. This case is a little different but no less important - the last thing you want is your customer information all piled up in someone else's control.

On a better note, our Facebook group seems to be cooking now, with over 170 fans. Even better, our WordPress Security Plugin is getting great play - over 500 installs now!

Rockyou gets rocked by hackers and old exploit

Well, it's happened. This time, the users themselves have taken action against rockyou.com for their inadvertent disclosure of customer information.

As we previously reported, Rockyou was hacked and disclosed what looks like over 32,000,000 accounts. Yes, 32 million!

What is interesting about this case, for me anyway, isn't the large disclosure number (1 million, 30 shmillion), it's the fact that the lead plaintiff is accusing Rockyou.com of disclosing PII (Personally Identifiable Information) as part of the exposure. This opens Rockyou up to a lot more litigation than a simple information disclosure would: now we're dealing with users' personal information. As noted, Rockyou is a launchpad type of service that holds credentials for other services (MySpace, Facebook, etc.) as part of its offering.

The suit alleges that “RockYou recklessly and knowingly failed to take even the most basic steps to protect its users’ PII (personally identifiable information) by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills to take the PII of at least 32 million customers.”
Read more: http://www.consumeraffairs.com/news04/2010/01/rockyou.html#ixzz0bU0uS2cv

So now Rockyou is being held responsible for exposures across the OTHER platforms as well. As part of our risk mitigation service, we've been warning site owners about the risks associated with holding consumers' PII. It's not just the email addresses alone that are risky (like the AWeber hack reported last week - I expect the impact of the AWeber hack to be less litigious). The AWeber attack exposed 'just email addresses' - fairly low on the PII scale.

On the Rockyou.com side, the PII exposure seems to be much larger, since the information included not just names and addresses but also account information for other services. So, from a 'customer' perspective, the rockyou.com data could be the pinch point for targeting people who are otherwise trying to be anonymous.

Consider this: a user has a Facebook account, a blog service, and a MySpace account. Suppose this person has a private profile on Facebook, an open blog, and an open MySpace account, and that the MySpace account has some, er... risqué content on it (pick your genre). To date, this person was afforded privacy since he or she could operate these services independently of each other. Now, with the rockyou.com exposure, you have account information for everyone, on each service. Anyone looking through the data could stitch the services together and paint a pretty complete picture of this person's activities.

THAT is what makes this exposure large and frightful. Rockyou was entrusted with the information and really did little to protect it (as evidenced by clear-text passwords, etc.). As well, the exposure was documented 'nicely' by the hacker. That is, he posted enough information to document the hack; he didn't expose the information to the masses. However, if this hole was there for xxx time (weeks, months, years!?!?), who knows who else has this information, and what it's being used for.

As business owners, we should be greatly concerned and watch this case with interest. Other than big names (like Verisign, Heartland, etc.), who simply swept it under the carpet and bought off the exposed people, this is one of the first 'small' companies being hit with both the exposure and the lawsuit.

Reading the language of the lawsuit, you'll see many joining this class action suit, and the damages will probably rock rockyou.com quite hard. They are small, don't have the teams and reams of lawyers the big guys have, and if they lose the case would probably have to shutter the service.

So, a greatly valuable and popular service is now at risk (business-wise and otherwise) because they didn't invest in simple ongoing security scanning. Like insurance, you only need it when you need it. I suspect that in hindsight the management would have invested a small amount in a regular scanning service like ours. It's 'cheap' insurance, and our solution would have reported the exposure the second they got a scan.

Knowledge is power, and protection is imperative in this day and age. Not investing in simple security measures like this really is criminal.
