Exposed Christian singles site a reminder to use different passwords for different sites

Hackers broke into the Singles.org site last weekend, defacing user profiles and walking off with username and password combinations that, because people so often reuse them, could open the door to other personal and financial accounts.

A Christian singles Web site called Singles.org was infiltrated by hackers last weekend, who reportedly made off with the passwords of more than 9,000 of its users.

The breach has widely been blamed on the Web site’s security system, which has been described by one outraged blogger as “pathetic… such rampant incompetence that it's in a word, criminal.”

Trend Micro Australia’s David Peterson’s diagnosis was along the same lines.

“Basically, the site was written with no real security on it at all... In this particular case, the term “hack” is probably being a little bit overgenerous to the technical skills of the people involved.”

Peterson explained that, because the site never checked whether the logged-in user actually owned the profile being requested, it was quite easy for anyone to “hop” from their own account to somebody else’s, armed only with the knowledge of that person’s user ID.

“And that user ID is just a sequential set of numbers. So if your user ID was 10001, and the URL for the “Edit My Profile” page read ID=10001, you changed the number to 10002 and suddenly you’re inside someone else’s page.

“And to compound matters, the passwords and email addresses are stored in plain text, so it was a simple exercise [for the perpetrators] to just go through all of them and pick out every single one of the emails.”
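The two defects Peterson describes, the trusted ID in the URL and the plaintext credential store, side by side with a hardened version. This is an added example, not Singles.org’s code; the user table, the session handling, the `Forbidden` error and the PBKDF2 round count are assumptions made for the illustration.

```python
# Added example (not Singles.org's code): the two defects described above
# and what fixing them looks like. The user table, session handling, the
# Forbidden error and the PBKDF2 round count are assumptions.
import hashlib
import hmac
import os

# Constructed user table with sequential ids, as on the breached site.
# Vulnerable store: passwords and emails kept in plain text.
USERS_PLAINTEXT = {
    10001: {"email": "alice@example.com", "password": "hunter2", "bio": "hello"},
    10002: {"email": "bob@example.com", "password": "letmein", "bio": "hi there"},
}


class Forbidden(Exception):
    """Raised when a user requests a profile they do not own."""


def edit_profile_vulnerable(session_user_id, requested_id):
    """Serves /edit?ID=<n> as the breached site did: the id in the URL is
    trusted, so changing 10001 to 10002 hands you another user's record."""
    return USERS_PLAINTEXT[requested_id]


def edit_profile_hardened(session_user_id, requested_id):
    """Authorize against the server-side session, not the URL parameter."""
    if requested_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not edit profile {requested_id}")
    return USERS_HARDENED[requested_id]


# --- password storage ------------------------------------------------------
PBKDF2_ROUNDS = 200_000  # assumption; tune to your hardware


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<salt>$<digest>' with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time comparison of a candidate password against a stored hash."""
    _alg, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Hardened store: same users, but only salted hashes are kept, so a dump of
# the table no longer yields reusable credentials.
USERS_HARDENED = {
    uid: {
        "email": rec["email"],
        "password_hash": hash_password(rec["password"]),
        "bio": rec["bio"],
    }
    for uid, rec in USERS_PLAINTEXT.items()
}


def leaked_credentials(store):
    """What an attacker walks away with from a table dump: (email, password)
    pairs from the plaintext store, nothing directly usable from the hashed one."""
    return [(rec["email"], rec["password"]) for rec in store.values() if "password" in rec]


if __name__ == "__main__":
    print(edit_profile_vulnerable(10001, 10002))   # bob's record, no ownership check
    try:
        edit_profile_hardened(10001, 10002)
    except Forbidden as exc:
        print("blocked:", exc)
    print(leaked_credentials(USERS_PLAINTEXT))      # emails with passwords
    print(leaked_credentials(USERS_HARDENED))       # []
```

The ownership check is the whole fix for the ID hopping: the hardened handler still accepts an ID in the URL, but refuses any ID that does not match the server-side session. Hashing does not stop the emails from leaking if the table is dumped, but it means the attacker has to crack each password before trying it on another site, which is where length matters.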

As a direct result of this, user accounts on the site were compromised and profile pages vandalized.

But according to Peterson, this defacement of people’s profile pages is merely the tip of a dangerous iceberg.

“The problem is that email addresses are commonly used as logins, and people tend to reuse the same logins and passwords for multiple other sites. So, once a hacker gets hold of details via an easily accessed site such as this Singles.org one, it can lead to large credit card bills, strange or offensive emails, and private information being circulated globally.”

According to Peterson, a prudent step is to keep more than one email address and password in use: “A lot of people have a work email address and a home email address and possibly a Hotmail address as well. Try to keep yourself compartmentalized -- so if you’ve got your social applications which are tied to an email address, do make that different from the email address and password -- at the very least the password -- that you might use for something financial.

Passwords are regarded as an inconvenience, but when there’s money at stake, do regard that as security and do have different passwords so you’re not exposed to this sort of level of compromise.”

Indi Siriniwasa, ANZ sales director at security firm F-Secure, echoed Peterson’s words, saying there is no excuse for having the same username and password for multiple accounts. “It is stupidity more than anything else,” he said. “It is good practice to have a unique password -- and not names and birthdays -- for different log-ins.”

He also said that, when it comes to passwords, size does matter: “We [F-Secure staff] have 14 digits for everything, which is hard to crack -- and has nothing to do with your day to day life.”

Every extra character multiplies the number of guesses an attacker has to make, so a longer password takes brute-force and dictionary attacks correspondingly longer to recover, and your chances of staying safe are greater, he said.

Peterson said the best approach is to have three separate sets of passwords, one each for business, finance and recreation. While he acknowledges this may be difficult for some people to remember, he suggests having a different “theme” for each set of passwords as a helpful way for users to remember them, but also to remember to keep them separate.

“Don’t recycle [passwords] between those three compartments because if someone has your password for Facebook today, it might not be your company password today, but it may be tomorrow… Multiple email addresses are not a bad idea, but multiple passwords are the most important thing.”
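An offline audit of a constructed credential export against the advice above: flag any password used at more than one site, any password that crosses Peterson’s three compartments, and any shorter than the 14 characters Siriniwasa mentions, plus the worst-case cracking time that extra length buys. This is an added example, not code from the article or either vendor; the site names, compartments, passwords, the 14-character threshold and the one-billion-guesses-per-second rate are assumptions.

```python
# Added example, not from the article or either vendor: an offline audit of a
# constructed credential export against the three-compartment advice. Sites,
# compartments, passwords, the 14-character threshold and the guess rate are
# assumptions.
import hashlib

COMPARTMENTS = ("business", "finance", "recreation")

# Constructed sample export, e.g. from a password manager: (site, compartment, password)
CREDENTIALS = [
    ("facebook.com",      "recreation", "Summer2009!"),
    ("singles.org",       "recreation", "Summer2009!"),
    ("vpn.corp.example",  "business",   "Summer2009!"),  # social password reused at work
    ("mail.corp.example", "business",   "Tq7#vR2m"),     # unique but short
    ("bank.example",      "finance",    "correct-horse-battery-9-staple"),
]


def fingerprint(password):
    """Hash the password so the report never echoes it."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def audit(creds, min_length=14):
    """Return which passwords are reused, which cross compartments, and which are short."""
    by_fp = {}
    for site, compartment, password in creds:
        if compartment not in COMPARTMENTS:
            raise ValueError(f"{site}: unknown compartment {compartment!r}")
        by_fp.setdefault(fingerprint(password), []).append((site, compartment))

    # Any password seen at more than one site (Siriniwasa: unique per log-in)
    reused = {fp: sorted(site for site, _ in uses)
              for fp, uses in by_fp.items() if len(uses) > 1}
    # Any password seen in more than one compartment (Peterson: don't recycle between them)
    cross_compartment = {}
    for fp, uses in by_fp.items():
        compartments = sorted({c for _, c in uses})
        if len(compartments) > 1:
            cross_compartment[fp] = compartments
    short = [site for site, _, password in creds if len(password) < min_length]
    return {"reused": reused, "cross_compartment": cross_compartment, "short": short}


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every password of this length over this alphabet
    at the given guess rate (no dictionary shortcuts assumed)."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    report = audit(CREDENTIALS)
    for fp, sites in report["reused"].items():
        print(f"password {fp} reused at: {', '.join(sites)}")
    for fp, comps in report["cross_compartment"].items():
        print(f"password {fp} crosses compartments: {', '.join(comps)}")
    print("shorter than 14 characters:", ", ".join(report["short"]))
    # Mixed-case letters and digits (62 symbols) at an assumed 1e9 guesses/s
    for n in (8, 14):
        print(f"{n} chars: {seconds_to_exhaust(n, 62, 1e9) / 86400:.3g} days worst case")
```

Running it on the sample flags the one password shared by Facebook, Singles.org and the corporate VPN as both reused and cross-compartment, which is exactly the work-and-play leak Peterson warns about. The time estimate is an upper bound: a leaked plaintext password, as on Singles.org, needs no cracking at all, and a reused one is simply tried elsewhere.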

He believes IT managers should make this explicit in their internal policies: the passwords employees use for work, including those used to reach the corporate intranet remotely over VPN, should not be used for anything else on the Internet.

“Because then you risk compromising your company as well, which is not going to make anyone popular… As well as keeping a separation between social and financial, also do keep a separation between work and play.”

“It’s a hard lesson learned for these 9000 or so people. Password access alone is simply not enough to secure a Web site… The key thing is, if you’re putting something out there on the Internet, you always have to be considering security.”


Emma McKinnon

Computerworld
