A Christian singles Web site called Singles.org was infiltrated by hackers last weekend, reportedly absconding with the secret passwords of over 9,000 of its users.
The breach has widely been blamed on the Web site’s security system, which has been described by one outraged blogger as “pathetic… such rampant incompetence that it's in a word, criminal.”
Trend Micro Australia’s David Peterson’s diagnosis was along the same lines.
“Basically, the site was written with no real security on it at all... In this particular case, the term “hack” is probably being a little bit overgenerous to the technical skills of the people involved.”
Peterson explained that, due to the site’s lack of proper authentication protocols, it would be quite easy for anyone to just “hop” from their own account to somebody else’s, armed only with the knowledge of that person’s user ID.
“And that user ID is just a sequential set of numbers. So if your user ID was 10001, if you changed the URL to refer to when the page might be “Edit My Profile ID= 10001” and changed the number to 10002, suddenly you’re inside someone else’s page.
“And to compound matters, the passwords and email addresses are stored in plain text, so it was a simple exercise [for the perpetrators] to just go through all of them and pick out every single one of the emails.”
As a direct result of this, user accounts on the site were compromised and profile pages vandalized.
But according to Peterson, this defacement of people’s profile pages is merely the tip of a dangerous iceberg.
“The problem is that email addresses are commonly used as logins, and people tend to reuse the same logins and passwords for multiple other sites. So, once a hacker gets hold of details via an easily accessed site such as this Singles.org one, it can lead to large credit card bills, strange or offensive emails, and private information being circulated globally.”
According to Peterson, a good, prudent piece of management is to consider having more than one email address and password in operation: “A lot of people have a work email address and a home email address and possibly a Hotmail address as well. Try to keep yourself compartmentalized -- so if you’ve got your social applications which are tied to an email address, do make that different from the email address and password -- at the very least the password -- that you might use for something financial.
Passwords are regarded as an inconvenience, but when there’s money at stake, do regard that as security and do have different passwords so you’re not exposed to this sort of level of compromise.”
Indi Siriniwasa, ANZ sales director at security firm F-Secure, echoed Peterson’s words, saying there is no excuse for having the same username and password for multiple accounts. “It is stupidity more than anything else,” he said. “It is good practice to have a unique password -- and not names and birthdays—for different log-ins.”
He also said that, when it comes to passwords, size does matter: “We [F-Secure staff] have 14 digits for everything, which is hard to crack -- and has nothing to do with your day to day life.“
The longer the password the harder and longer it takes for password cracking algorithms to be effective, and the greater your chances of staying safe, he said.
Peterson said the best approach is to have three separate sets of passwords, one each for business, finance and recreation. While he acknowledges this may be difficult for some people to remember, he suggests having a different “theme” for each set of passwords as a helpful way for users to remember them, but also to remember to keep them separate.
“Don’t recycle [passwords] between those three compartments because if someone has your password for Facebook today, it might not be your company password today, but it may be tomorrow… Multiple email addresses are not a bad idea, but multiple passwords are the most important thing.”
He believes this is something IT Managers should make very clear in their internal policies; that the passwords employees use for their work, which they may be using to access their corporate intranet remotely through VPN, should not be used on the Internet for anything else.
“Because then you risk compromising your company as well, which is not going to make anyone popular… As well as keeping a separation between social and financial, also do keep a separation between work and play.”
"It’s a hard lesson learned for these 9000 or so people. Password access alone is simply not enough to secure a Web site… The key thing is, if you’re putting something out there on the Internet, you always have to be considering security.”