I've just been reading Kingpin by Kevin Poulsen, which sheds some really interesting light on criminal credit card fraud in the mid 2000s. Towards the end of the book, there's a reference to a 1997 case in which the government persuades the sentencing judge to permanently seal the court transcripts for fear that disclosure would impact the targeted company as follows:

> Loss of business due to the perception of others that computer systems may be vulnerable

There were 80,000 people impacted in that incident and they never knew that their personal information had been obtained by criminals, for fear that the very organisation that lost the data in the first place would be adversely impacted.

Fortunately, cover-ups like this can no longer happen in many parts of the world. Most US states have had mandatory data breach disclosure laws since 2002, Australia has a draft bill that will go to parliament this year and the EU's General Data Protection Regulation is making it mandatory across the board there too.

It's always been ethically dubious not to disclose a data breach to those who have been impacted by it, but it's also illegal in many places: if not now, then very soon. Yet somehow, well over a decade after we started seeing mandatory disclosure laws come into effect, some organisations not only ignore the push for public transparency, but even justify non-disclosure by saying it's in the victims' best interests to keep it quiet.

I saw a security "strategy" this week in the wake of a major data breach which was alarming, to say the least. I want to capture the details of it here and frankly, tear it to shreds, because we should never see an organisation playing fast and loose with people's data in this way. Hopefully, if this strategy is ever considered by others in future, they'll stumble across this post and think better of it.

This relates to the Lifeboat data breach from earlier this week. Well actually, the breach itself was many months ago but the disclosure was only this week, and therein lies the problem. When approached by the reporter in the above story about this incident, Lifeboat stated:

> When this happened early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act

I was stunned when I read this - you mean they knew about the incident and decided to cover it up?! I'm used to seeing organisations genuinely have no idea they've been hacked, but to see one that actually knew about it - a 7 million record breach at that - and then consciously silence the incident without telling anyone left me speechless. This is 7 million records which contain passwords stored as MD5 hashes too, which means that you can take the hash, simply Google it and, like magic, here's the plain text value. Or you do it en masse using hashcat, as I recently showed for salted MD5 hashes (hashes with no salt, such as Lifeboat's, are significantly easier to crack). A large portion of those passwords would be reverted to plain text in a very short time.

As much as that comment shocked me, the discussion I then saw on Twitter from someone who works for Lifeboat made it even worse. I'm not going to link directly to the thread in order to save the individual embarrassment, because in all likelihood they'll later realise the serious implications of what they've said. I'm sure we've all evolved our thinking over time and would be embarrassed to look back on some of the views we held once upon a time, and I suspect that will be the case for this bloke as well. But with that said, let's get to the meat of the issue.

It started out with a discussion on Twitter which used the same justification for concealing the breach:

> If they alerted people about passwords being reset they would've basically been telling the hackers to hurry up and ALL data would've been stolen.

Presumably, this statement and the earlier one about not letting the attackers know they have limited time relate to the window of opportunity in which an account can be exploited. As an attacker, you have someone's email address and their password and you want to use that to compromise other accounts, because password reuse remains the norm rather than the exception. For example, just read through some of the responses to this tweet:

> ⚠ If you used your Lifeboat account password for any other services, please change them now ⚠ /H4302cOWwl
> - Lifeboat, April 27, 2016

One thing's for sure: if hackers are looking to exploit people then yes, they'd need to hurry up, as that window of opportunity is now way smaller since the incident went public.
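To make the point about unsalted MD5 concrete, here is an added example (not code from the original post, and not anything Lifeboat runs) that stores a few constructed sample accounts two ways: the weak scheme, plain unsalted MD5, and one corrected scheme, a random per-user salt with a slow key derivation function (PBKDF2-HMAC-SHA256 via Python's standard library). Because unsalted MD5 is fully determined by the password, every user who picked the same password gets the identical hash, which is precisely why one precomputed lookup of a common hash exposes many accounts at once; with a per-user salt, the stored values differ even for identical passwords, and each guess has to be recomputed per account. The email addresses and passwords below are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample accounts for the demonstration; these are not records
# from the Lifeboat data set or any real breach.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "password123",
    "bob@example.com": "password123",
    "carol@example.com": "correct horse battery staple",
}


def md5_store(password: str) -> str:
    """The weak scheme: unsalted MD5. The digest depends only on the password,
    so the same password always yields the same hash, whoever the user is."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 600_000) -> str:
    """The corrected scheme: a random per-user salt plus a deliberately slow
    KDF (PBKDF2-HMAC-SHA256). Stored as 'iterations$salt_hex$dk_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt for every stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the check itself does not leak timing information."""
    iterations, salt_hex, _ = stored.split("$")
    candidate = pbkdf2_store(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def group_by_hash(hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each stored value to the accounts sharing it. With unsalted MD5,
    any two users with the same password collide; a defender auditing a
    password table can spot that reuse without knowing the passwords."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for email, h in hashes.items():
        groups[h].append(email)
    return dict(groups)


def demo(iterations: int = 600_000) -> Dict[str, int]:
    """Store the sample accounts both ways and return how many distinct
    stored values each scheme produces. Fewer distinct values than accounts
    means the storage scheme itself reveals which users share a password."""
    md5_table = {e: md5_store(p) for e, p in SAMPLE_ACCOUNTS.items()}
    kdf_table = {e: pbkdf2_store(p, iterations=iterations)
                 for e, p in SAMPLE_ACCOUNTS.items()}
    return {
        "accounts": len(SAMPLE_ACCOUNTS),
        "distinct_md5": len(group_by_hash(md5_table)),
        "distinct_pbkdf2": len(group_by_hash(kdf_table)),
    }


if __name__ == "__main__":
    print(demo())  # {'accounts': 3, 'distinct_md5': 2, 'distinct_pbkdf2': 3}
```

The iteration count is a tunable cost; 600,000 is a reasonable present-day default for PBKDF2-HMAC-SHA256, and the stored string carries it so it can be raised for new passwords without breaking verification of old ones. A memory-hard function such as scrypt or Argon2 would be the stronger choice for new systems; PBKDF2 is used here only because it needs no third-party package.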