ISP hacked
-
This isn't actually as much of an epic fail as it appears, since users will presumably change their password immediately upon receiving the letter, so interceptors can only use the password for maybe a day. Considering they've already been hacked in plain text, that's not so bad. It is stupid and symptomatic of a complete failure of security policy, definitely, and pretty shameful. But, imo, not as bad as storing the passwords in plain text in the first place.
-
This is a after a password change, not a password reset. They send you a letter every time you change your password, not only the first time. And one of the passwords is also used for account management, so this is really bad in my opinion.
-
Moved my primary mail to the ISP, since I'm feeling tracked on Google. KPN, the largest ISP in the Netherlands, has been hacked as they put it. I just received an email telling me that I should reset my password, simply because those were leaked too. The largest Dutch ISP has not yet learnt how to securely store a password. No, that's not even the reason for posting in the Hall of Shame; right after this mess they claim that they're "encrypting passwords" in UTF-8[^]. Tweet is in Dutch. Translated;
Passwords of KPN are encrypted using UTF8
I'll even be moving my money from the bank tomorrow unless they can prove that they're not saving my password in plain-text format.
Bastard Programmer from Hell :suss:
one can only hope this is the mistake of the internal communications team and not the Infrastructure Team writing this. My guess is the marketing group heard a acronym and confused the DB codepage with the encryption type... marketing people eyes tend to glaze over when technical jargon is slung around. Thats why we keep the pretty people away from the smart people. :)
-
one can only hope this is the mistake of the internal communications team and not the Infrastructure Team writing this. My guess is the marketing group heard a acronym and confused the DB codepage with the encryption type... marketing people eyes tend to glaze over when technical jargon is slung around. Thats why we keep the pretty people away from the smart people. :)
On the plus side, anyone who actually reads the notice will take the best security step possible. They will move to another ISP. This protects their password by putting it into the hands of people whod have not proven they are incompetent. Hopefully, this will cause a large number of marketing types to quit in disgrace and seek careers in the hospitality or food services industry.
The early bird gets the worm, but the second mouse gets the cheese.
-
Eddy Vluggen wrote:
The largest Dutch ISP has not yet learnt how to securely store a password.
Calm down; its just you ISP. Nothing has gone from your account, right?
Eddy Vluggen wrote:
I'll even be moving my money from the bank tomorrow unless they can prove that they're not saving my password in plain-text format.
In case they were, it will not only you whose account can be hacked. Take it easy. :)
Regards, Jwalant Natvarlal Soneji
Jwalant Natvarlal Soneji wrote:
Calm down; its just you ISP.
It's my primary email, and I was under the assumption that my data was stored securely.
Jwalant Natvarlal Soneji wrote:
In case they were, it will not only you whose account can be hacked. Take it easy.
2 million accounts, and this is not something you can simply shrug of. The information on secure passwords is freely available on the internet, and I'm paying a generous amount for the service. This kind of amateuristic crap shouldn't happen.
Bastard Programmer from Hell :suss:
-
I'm unable to see your link, because dropbox is not blocked here, but maybe what they meant was that UTF8 is the encoding used to store the encrypted charaters, which leaves 1114111 different characters possible if the UTF-8 specification is strictly followed.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson
-
It was saved in plain text, otherwise they didn't need to send a mail to 2 million people telling them to change their password.
Bastard Programmer from Hell :suss:
That's not the only reason to send a mail to everyone to change their password. This typically happens in any case of a breach, because encrypted or not the password is compromised.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson
-
one can only hope this is the mistake of the internal communications team and not the Infrastructure Team writing this. My guess is the marketing group heard a acronym and confused the DB codepage with the encryption type... marketing people eyes tend to glaze over when technical jargon is slung around. Thats why we keep the pretty people away from the smart people. :)
-
That's not the only reason to send a mail to everyone to change their password. This typically happens in any case of a breach, because encrypted or not the password is compromised.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson
-
Not if it's merely a hash, with the salt in a different location. There shouldn't have been a breach, and when there was, the passwords should not have been in plain text format.
Bastard Programmer from Hell :suss:
I agree, if it's just a hash and the salt is somewhere else. And breaches happen, even hotmail has been breached already, it happens, nothing is breach proof. Now, if you're saying that it really was in plain text format, well you know better than me about the news.
-
It is getting worser. After changing your password they'll send you the username and new password by snail mail. And the password is readable without opening the envelope.
The place I used to work at would send out the protected product and the unlock code in separate mailings for security sake. Management decided to do a major update that required sending out new product and unlock codes. They came to us saying they had already designed the custom mailing package that would include both in one. :doh: We tried in vain to convince them that the only time product and unlock codes came within 5 feet of each other in normal production would be only if the person carrying the product happened to be walking past the person carrying the unlock letters. There was no mechanism in place to tie them together and it had purposely been designed that way for security reasons. But the new packing material had already been ordered and was on the way so we had to come up with something. :wtf: Heaven forbid management making a mistake of not seeing how and why things were the way before they went off and committed to doing something that violated all the security mechanisms that had been put in place to protect the product.
-
I agree, if it's just a hash and the salt is somewhere else. And breaches happen, even hotmail has been breached already, it happens, nothing is breach proof. Now, if you're saying that it really was in plain text format, well you know better than me about the news.
Fabio Franco wrote:
if it's just a hash and the salt is somewhere else.
..that's been a "best practice" for a few years.
Fabio Franco wrote:
And breaches happen, even hotmail has been breached already, it happens, nothing is breach proof.
Ah, but hotmail never had to mail me because of some simple fuck-up that could easily be avoided. Neither did GMail. I wouldn't be pissed if this were a zero-day hack, but this is something that could be avoided easily, and would have been caught at the first serious security-audit.
Fabio Franco wrote:
Now, if you're saying that it really was in plain text format, well you know better than me about the news.
..even if you didn't follow the news, that would be one that should be easily deducable from the given facts.
Bastard Programmer from Hell :suss:
-
Fabio Franco wrote:
if it's just a hash and the salt is somewhere else.
..that's been a "best practice" for a few years.
Fabio Franco wrote:
And breaches happen, even hotmail has been breached already, it happens, nothing is breach proof.
Ah, but hotmail never had to mail me because of some simple fuck-up that could easily be avoided. Neither did GMail. I wouldn't be pissed if this were a zero-day hack, but this is something that could be avoided easily, and would have been caught at the first serious security-audit.
Fabio Franco wrote:
Now, if you're saying that it really was in plain text format, well you know better than me about the news.
..even if you didn't follow the news, that would be one that should be easily deducable from the given facts.
Bastard Programmer from Hell :suss:
Eddy Vluggen wrote:
..that's been a "best practice" for a few years.
Best practices does not mean they are always followed.
Eddy Vluggen wrote:
Ah, but hotmail never had to mail me because of some simple f***-up that could easily be avoided
Thousands of hotmail users were contacted by hotmail to change the password because of a range of users had password breach. I remember that in the mail they mentioned that it was not an eminent threat (I supposed because all they got were hashes), but still encouraged the users to change the password.
Eddy Vluggen wrote:
but this is something that could be avoided easily, and would have been caught at the first serious security-audit.
Agree
Eddy Vluggen wrote:
that would be one that should be easily deducable from the given facts
Nope, that was the reason of my first post. If you could provide a link that actually states the facts (web news or something), then it would be deducible. And like I said, with the information I had, it could simply be a misunderstanding as I proposed. Plain text is your statement alone and again, like I said, I can't see the dropbox link because dropbox is blocked where I am.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson
-
Eddy Vluggen wrote:
..that's been a "best practice" for a few years.
Best practices does not mean they are always followed.
Eddy Vluggen wrote:
Ah, but hotmail never had to mail me because of some simple f***-up that could easily be avoided
Thousands of hotmail users were contacted by hotmail to change the password because of a range of users had password breach. I remember that in the mail they mentioned that it was not an eminent threat (I supposed because all they got were hashes), but still encouraged the users to change the password.
Eddy Vluggen wrote:
but this is something that could be avoided easily, and would have been caught at the first serious security-audit.
Agree
Eddy Vluggen wrote:
that would be one that should be easily deducable from the given facts
Nope, that was the reason of my first post. If you could provide a link that actually states the facts (web news or something), then it would be deducible. And like I said, with the information I had, it could simply be a misunderstanding as I proposed. Plain text is your statement alone and again, like I said, I can't see the dropbox link because dropbox is blocked where I am.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson
Fabio Franco wrote:
Best practices does not mean they are always followed.
We're not talking about some obscure website; this is the "royal" Dutch phone-service, and one might reasonably expect that their data is safe there. It would also not be unreasonable to think that they have their security checked by outsiders.
Fabio Franco wrote:
Nope, that was the reason of my first post. If you could provide a link that actually states the facts (web news or something), then it would be deducible. And like I said, with the information I had, it could simply be a misunderstanding as I proposed. Plain text is your statement alone and again, like I said, I can't see the dropbox link because dropbox is blocked where I am.
The link merely shows a picture of a tweet from a spokesman of the company with said text on UTF-8. It would also be illogical to have two million subscribers change their password if it weren't leaked in a usable format. Yes, I'm furious; as said, should I be assuming that the bank doesn't implement the best practices either?
Bastard Programmer from Hell :suss:
-
Moved my primary mail to the ISP, since I'm feeling tracked on Google. KPN, the largest ISP in the Netherlands, has been hacked as they put it. I just received an email telling me that I should reset my password, simply because those were leaked too. The largest Dutch ISP has not yet learnt how to securely store a password. No, that's not even the reason for posting in the Hall of Shame; right after this mess they claim that they're "encrypting passwords" in UTF-8[^]. Tweet is in Dutch. Translated;
Passwords of KPN are encrypted using UTF8
I'll even be moving my money from the bank tomorrow unless they can prove that they're not saving my password in plain-text format.
Bastard Programmer from Hell :suss:
Dude, you should be viewing this as an opportunity to show them how to encrypt their data using UTF-16. And then when that fails, UTF-32. They should be out of business at that point, but on the bright side you'll have all their money (provided they haven't decided they need to implement NFC access directly to your bank account by that point).
-
Fabio Franco wrote:
Best practices does not mean they are always followed.
We're not talking about some obscure website; this is the "royal" Dutch phone-service, and one might reasonably expect that their data is safe there. It would also not be unreasonable to think that they have their security checked by outsiders.
Fabio Franco wrote:
Nope, that was the reason of my first post. If you could provide a link that actually states the facts (web news or something), then it would be deducible. And like I said, with the information I had, it could simply be a misunderstanding as I proposed. Plain text is your statement alone and again, like I said, I can't see the dropbox link because dropbox is blocked where I am.
The link merely shows a picture of a tweet from a spokesman of the company with said text on UTF-8. It would also be illogical to have two million subscribers change their password if it weren't leaked in a usable format. Yes, I'm furious; as said, should I be assuming that the bank doesn't implement the best practices either?
Bastard Programmer from Hell :suss:
Eddy Vluggen wrote:
Yes, I'm furious
I guess I'd be too.
Eddy Vluggen wrote:
should I be assuming that the bank doesn't implement the best practices either?
You'd be surprised and I'm not saying that out of complete ignorance.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson
-
Eddy Vluggen wrote:
Yes, I'm furious
I guess I'd be too.
Eddy Vluggen wrote:
should I be assuming that the bank doesn't implement the best practices either?
You'd be surprised and I'm not saying that out of complete ignorance.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson
-
Moved my primary mail to the ISP, since I'm feeling tracked on Google. KPN, the largest ISP in the Netherlands, has been hacked as they put it. I just received an email telling me that I should reset my password, simply because those were leaked too. The largest Dutch ISP has not yet learnt how to securely store a password. No, that's not even the reason for posting in the Hall of Shame; right after this mess they claim that they're "encrypting passwords" in UTF-8[^]. Tweet is in Dutch. Translated;
Passwords of KPN are encrypted using UTF8
I'll even be moving my money from the bank tomorrow unless they can prove that they're not saving my password in plain-text format.
Bastard Programmer from Hell :suss:
-
It is getting worser. After changing your password they'll send you the username and new password by snail mail. And the password is readable without opening the envelope.
The fact that the password can be retrieved even 1 millisecond after it is set indicates a complete lack of knowledge on secure data storage. Snail mail, e-mail, it's outrageous that the password can be sent at all. I am NOT AT ALL concerned about UTF8 being used, but I am concerned about HOW it is used. The fact that "secure" measures were implemented immediately after the hack was found indicates there aren't secure measures available, period. Say “password” is your password. (I know, it's really bad that it is an allowed password.) You type password on your SSL site, the public key encrypts it and sends what looks like garbage on the net across to the service, the private key the service knows decrypts it back to password. It then sends “280938dkl;sideruos,xa]s[04938udkj.fhwsyJFLGJDK09sjdklkeru.xx” as the (bogus example of an) encryption key to the database. “password” is never stored anywhere. The service and the database are on a private internet connection, so the key is never exposed. UTF8 is used to define the key. You don't need to even store the encryption key, but if you don't, when the customer forgets his password, all his data is lost forever. So, on his account table, you store the encryption key as an encrypted field using a “secure” company password It takes time to set up that kind of secure process if it isn't in place. The fact they “fixed” it so quickly means they don't plan on really fixing it, ever.
-
I think he knows that...Check out the title of this forum?
Ideological Purity is no substitute for being able to stick your thumb down a pipe to stop the water
Let's say I mentioned that for the people who don't know.
