ISP hacked
-
Fabio Franco wrote:
Best practices do not mean they are always followed.
We're not talking about some obscure website; this is the "royal" Dutch phone-service, and one might reasonably expect that their data is safe there. It would also not be unreasonable to think that they have their security checked by outsiders.
Fabio Franco wrote:
Nope, that was the reason for my first post. If you could provide a link that actually states the facts (web news or something), then it would be deducible. And like I said, with the information I had, it could simply be a misunderstanding as I proposed. Plain text is your statement alone and again, like I said, I can't see the dropbox link because dropbox is blocked where I am.
The link merely shows a picture of a tweet from a spokesman of the company with said text on UTF-8. It would also be illogical to have two million subscribers change their password if it weren't leaked in a usable format. Yes, I'm furious; as said, should I be assuming that the bank doesn't implement the best practices either?
Bastard Programmer from Hell :suss:
Eddy Vluggen wrote:
Yes, I'm furious
I guess I'd be too.
Eddy Vluggen wrote:
should I be assuming that the bank doesn't implement the best practices either?
You'd be surprised and I'm not saying that out of complete ignorance.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson
-
Moved my primary mail to the ISP, since I'm feeling tracked on Google. KPN, the largest ISP in the Netherlands, has been hacked as they put it. I just received an email telling me that I should reset my password, simply because those were leaked too. The largest Dutch ISP has not yet learnt how to securely store a password. No, that's not even the reason for posting in the Hall of Shame; right after this mess they claim that they're "encrypting passwords" in UTF-8. The tweet is in Dutch. Translated:
Passwords of KPN are encrypted using UTF8
I'll even be moving my money from the bank tomorrow unless they can prove that they're not saving my password in plain-text format.
Bastard Programmer from Hell :suss:
-
It is getting worser. After changing your password they'll send you the username and new password by snail mail. And the password is readable without opening the envelope.
The fact that the password can be retrieved even 1 millisecond after it is set indicates a complete lack of knowledge on secure data storage. Snail mail, e-mail, it's outrageous that the password can be sent at all. I am NOT AT ALL concerned about UTF8 being used, but I am concerned about HOW it is used. The fact that "secure" measures were implemented immediately after the hack was found indicates there aren't secure measures available, period.

Say “password” is your password. (I know, it's really bad that it is an allowed password.) You type password on your SSL site, the public key encrypts it and sends what looks like garbage on the net across to the service, the private key the service knows decrypts it back to password. It then sends “280938dkl;sideruos,xa]s[04938udkj.fhwsyJFLGJDK09sjdklkeru.xx” as the (bogus example of an) encryption key to the database. “password” is never stored anywhere. The service and the database are on a private internet connection, so the key is never exposed. UTF8 is used to define the key.

You don't need to even store the encryption key, but if you don't, when the customer forgets his password, all his data is lost forever. So, on his account table, you store the encryption key as an encrypted field using a “secure” company password.

It takes time to set up that kind of secure process if it isn't in place. The fact they “fixed” it so quickly means they don't plan on really fixing it, ever.
-
I think he knows that... Check out the title of this forum?
Ideological Purity is no substitute for being able to stick your thumb down a pipe to stop the water
Let's say I mentioned that for the people who don't know.
-
Let's say I mentioned that for the people who don't know.
:laugh:
Ideological Purity is no substitute for being able to stick your thumb down a pipe to stop the water
-
It is getting worser. After changing your password they'll send you the username and new password by snail mail. And the password is readable without opening the envelope.
:laugh: That's the bestest!
-
Moved my primary mail to the ISP, since I'm feeling tracked on Google. KPN, the largest ISP in the Netherlands, has been hacked as they put it. I just received an email telling me that I should reset my password, simply because those were leaked too. The largest Dutch ISP has not yet learnt how to securely store a password. No, that's not even the reason for posting in the Hall of Shame; right after this mess they claim that they're "encrypting passwords" in UTF-8. The tweet is in Dutch. Translated:
Passwords of KPN are encrypted using UTF8
I'll even be moving my money from the bank tomorrow unless they can prove that they're not saving my password in plain-text format.
Bastard Programmer from Hell :suss:
Might be a badly communicated way of saying that they base64 encode the (now?) encrypted password so it can go into a UTF-8 database field. I agree with you though, given that they've been compromised, they need to be forced to clarify their meaning before they can be trusted... especially because it could be an indication of cluelessness on their part. If they refuse and give some compromising-security excuse, drop them if you can -- those kinds of excuses are nothing more than a way of saying that they believe obscurity is the same thing as security.
We can program with only 1's, but if all you've got are zeros, you've got nothing.
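The two readings of the "encrypted using UTF-8" tweet that come up in this thread (a plain byte encoding, or base64 wrapping something so it fits a UTF-8 column) and the earlier post's point that the password itself should never be stored anywhere can be put side by side in code. The following Python example is added here for illustration; it is not code from the thread, from KPN or from any of the posters. It uses only the standard library, a constructed sample password, and a PBKDF2 record format of my own choosing (algorithm, iteration count, salt and digest separated by `$`).

```python
import base64
import hashlib
import hmac
import os

# Constructed sample password, used only to drive the demonstration.
SAMPLE_PASSWORD = "password"


def utf8_store(password: str) -> bytes:
    """'Encrypted using UTF-8': this is all that phrase can mean. UTF-8 is a
    byte encoding with no key, so whoever copies the stored bytes has the
    password back with one decode call (see utf8_recover)."""
    return password.encode("utf-8")


def utf8_recover(stored: bytes) -> str:
    # No secret needed: decoding is the exact inverse of encoding.
    return stored.decode("utf-8")


def base64_store(password: str) -> str:
    """Base64 only makes arbitrary bytes fit a text column. It is not
    encryption either; anyone holding the column can undo it."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def base64_recover(stored: str) -> str:
    return base64.b64decode(stored).decode("utf-8")


# Hardened form: a salted, deliberately slow, one-way password hash
# (PBKDF2-HMAC-SHA256 from the standard library). The password itself is
# never written anywhere, so the service has nothing to print on a letter.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    # Fresh random salt per account; the optional argument exists only so the
    # function can be shown to be deterministic for a fixed salt.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # The stored record names the algorithm and cost and carries the salt, so
    # it can be verified later and the cost raised when hardware gets faster.
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    # Recompute from the stored salt and compare in constant time; a malformed
    # or foreign record simply fails to verify instead of raising.
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_b64, digest_b64 = parts
    try:
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = utf8_store(SAMPLE_PASSWORD)
    print("utf-8 stored:", stored, "-> recovered:", utf8_recover(stored))
    wrapped = base64_store(SAMPLE_PASSWORD)
    print("base64 stored:", wrapped, "-> recovered:", base64_recover(wrapped))
    record = hash_password(SAMPLE_PASSWORD)
    print("hashed record:", record)
    print("verify correct password:", verify_password(SAMPLE_PASSWORD, record))
    print("verify wrong password:  ", verify_password("Password", record))
```

The first two pairs of functions are the reason the "one millisecond after it is set" complaint matters: whatever a site can mail back to you, it can also hand to whoever copies its database. The hashed record gives the service only the ability to check a password, not to read it, which is the property a post-breach reset is supposed to establish.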
-
Might be a badly communicated way of saying that they base64 encode the (now?) encrypted password so it can go into a UTF-8 database field. I agree with you though, given that they've been compromised, they need to be forced to clarify their meaning before they can be trusted... especially because it could be an indication of cluelessness on their part. If they refuse and give some compromising-security excuse, drop them if you can -- those kinds of excuses are nothing more than a way of saying that they believe obscurity is the same thing as security.
We can program with only 1's, but if all you've got are zeros, you've got nothing.
It's obvious that all of you have missed the reason for the UTF-8 encryption. Do you realize how hard it is to process the new passwords for mailing if they are encrypted? Do you realize how much effort is involved to get that information? Heavens! Why next, you'll be wanting to secure your on-line financial dealings!!!! /sarcasm :-D
Cegarman document code? If it's not intuitive, you're in the wrong field :D
-
Moved my primary mail to the ISP, since I'm feeling tracked on Google. KPN, the largest ISP in the Netherlands, has been hacked as they put it. I just received an email telling me that I should reset my password, simply because those were leaked too. The largest Dutch ISP has not yet learnt how to securely store a password. No, that's not even the reason for posting in the Hall of Shame; right after this mess they claim that they're "encrypting passwords" in UTF-8. The tweet is in Dutch. Translated:
Passwords of KPN are encrypted using UTF8
I'll even be moving my money from the bank tomorrow unless they can prove that they're not saving my password in plain-text format.
Bastard Programmer from Hell :suss:
One free interwebs, you just won it! :)
Jeroen De Dauw (blog | Twitter | Identi.ca)