Over 100,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.
Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.
Regular readers of Naked Security will know that I have some strong feelings about timestamps in logfiles.
In particular, the ambiguities created by logfiles based on local time - which is subject to local timezone regulations and changes - can work against your security interests.
Here's one reason why:
"..Don't let year-ends, timezones, daylight saving changes or varying local conventions confuse your logs. If you suffer a breach, you will almost certainly want to put together an irrefutable historical sequence of events, based on your system logs, possibly from many systems and many locations.."
Local time can confuse even local residents, let alone outsiders trying to make sense of unqualified timestamps in logfiles some time after the event.
For example, in New South Wales, Australia, there are three official timezones: one for the far west of the state, 1000km inland; one for the bulk of the mainland; and a third for Lord Howe Island, 700km to the east of Sydney. And there are two different increments for daylight savings: one hour for most of us; but just half an hour for Lord Howe.
Furthermore, the Government of New South Wales has made three legislative tweaks to local time in the past six years: a switch from GMT to UTC in 2005; a temporary change to daylight savings for the Commonwealth Games in 2006; and a long-term change to prolong daylight savings in 2007.
Confused?
Don't be, because all of this is as nothing compared to what is going to happen in Samoa and the nearby New Zealand dependency of Tokelau tomorrow.
Or, to put it another way, the day after tomorrow.
As I write this, it's 1pm on Friday 30 December 2011 in Sydney. It's 2pm in Samoa, and 3pm in New Zealand.
That sounds pretty convenient, considering that the majority of Samoan expatriates live in New Zealand and Australia, and that the three countries have strong business and sporting ties.
Except that it's only Thursday 29 December in Samoa. Back in 1892, Samoa did quite a bit of trade with Hawaii and California, so it made sense to decide to be twelve hours behind Greenwich, rather than 12 hours ahead. (Hawaii is UTC-10; California is UTC-8 or UTC-7.)
But in the 21st century, being the most westerly country in the world has become a huge business pain to Samoans when it comes to dealing with Australia and New Zealand, since our weekends don't line up.
By Friday, Samoans trying to wrap up the week's business can no longer get hold of their counterparts across the South Pacific - we're all at the beach, at the shopping mall, or in the pub. And to contact us early on Monday to catch up, the Samoans have to work on their Sunday.
So the Samoan legislature has taken a surprisingly simple, but astonishingly bold, step. At midnight tonight, the country will make a timezone adjustment, switching from UTC-12 to UTC+12. Figuratively, at least, Samoa will jump from one side of the world to the other.
Clocks won't change at all. Just the calendar will.
Simply put, there will be no Friday 30 December 2011 in Samoa.
How funky is that?
(Samoa is surprisingly good at low-fuss but potentially high-impact bureaucratic change. In 1997, the country changed its name from Western Samoa; in 2009, it switched from driving on the right to driving on the left, as does most of the South Pacific; and in 2011, it will calmly skip an entire day.)
Let this remind you once again why standardised and unambiguous timestamps are vital in logfiles, and take a moment to revisit RFC3339: Date and Time on the Internet: Timestamps.
As I wrote back at the start of 2010:
"..Without reliable logs, you are unlikely to understand [a security] breach, which makes it harder to prevent it happening again. Without reliable logs, you are unlikely to be able to prove your case against the perpetrator, if you are even able to get anyone in your sights. And without reliable and consistent logs, you might not even spot breaches in the first place.."
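To make the point concrete, here is an added example (my own illustration, not code from the article): it normalises log timestamps to RFC 3339 in UTC, rejects stamps that carry no offset, and orders constructed log lines from three systems around the Samoan calendar jump. The offsets are the fixed values the article quotes (Sydney UTC+11, Samoa UTC-12 before and UTC+12 after), used only for illustration; no time zone database or daylight-saving rule is consulted, and the host names and events are made up.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets as the article states them, used for illustration only
# (no tz database lookups, so no daylight-saving rules are applied).
SYDNEY = timezone(timedelta(hours=11), "Sydney (AEDT)")
SAMOA_BEFORE = timezone(timedelta(hours=-12), "Samoa before the switch")
SAMOA_AFTER = timezone(timedelta(hours=12), "Samoa after the switch")

UTC_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def to_rfc3339_utc(moment: datetime) -> str:
    """Render an offset-aware datetime as an RFC 3339 timestamp in UTC."""
    if moment.utcoffset() is None:
        raise ValueError("naive timestamp: without an offset it cannot be placed on the UTC timeline")
    return moment.astimezone(timezone.utc).strftime(UTC_FORMAT)


def parse_rfc3339(stamp: str) -> datetime:
    """Parse an RFC 3339 timestamp, insisting on an explicit offset or 'Z'."""
    text = stamp.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"  # fromisoformat() on older Pythons does not accept 'Z'
    moment = datetime.fromisoformat(text)
    if moment.utcoffset() is None:
        raise ValueError(f"rejected timestamp without offset: {stamp!r}")
    return moment


def utc_of(stamp: str) -> str:
    """Normalise any RFC 3339 stamp to its UTC form, the key used for correlation."""
    return to_rfc3339_utc(parse_rfc3339(stamp))


# Constructed log lines from three systems. The Samoan machine writes 14:00 on
# both sides of the calendar jump; only the offset tells the two apart.
LOG_LINES = [
    "2011-12-30T13:00:00+11:00 host=syd-fw  event=login  user=alice",
    "2011-12-29T14:00:00-12:00 host=apia-db event=query  user=alice",
    "2011-12-31T14:00:00+12:00 host=apia-db event=query  user=alice",
    "2011-12-30T02:30:00Z host=lon-vpn event=logout user=alice",
]


def order_events(lines):
    """Return (utc_stamp, rest_of_line) pairs sorted by the instant they describe."""
    events = []
    for line in lines:
        stamp, _, rest = line.partition(" ")
        events.append((utc_of(stamp), rest))
    events.sort(key=lambda event: event[0])  # RFC 3339 UTC strings sort chronologically
    return events


if __name__ == "__main__":
    for utc_stamp, rest in order_events(LOG_LINES):
        print(utc_stamp, rest)
```

Once every stamp carries an offset, the two Samoan "14:00" entries fall on different UTC days and the Sydney and Samoan entries that describe the same instant sort together; a stamp written in bare local time is refused rather than guessed at.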
To everyone in Samoa and Tokelau - Happy New Year! This time, we can celebrate together. And remember this: tomorrow, footy season will be two days closer, not one.
SSCC 78 – IE 9 upgrades, Android malware, Carrier IQ and hospital shut down from malware
by Chester Wisniewski on December 21, 2011
I am pleased to have a new guest on the Chet Chat this week, Gary Korhonen. Gary is a Global Escalation Support Engineer working in our Vancouver office.
Gary and I began the Chet Chat discussing the benefits and potential pitfalls of Microsoft's announcement that they will begin automatically upgrading Internet Explorer to the latest version as part of Windows Update.
Considering it has been about three weeks since the last Chet Chat, we had to discuss the implications of the installation of "spyware" on mobile phones. Carrier IQ seems to have dug itself a bit of a hole, and whether its software is beneficial to ISPs or not, people are justifiably concerned.
After Chris DiBona's recent proclamation that security apps on the Android are charlatanism, Gary and I discussed the recent incident when Google had to remove 22 malicious Android apps from the Android Market.
Lastly we talked about the very serious problem of safety in medical computer systems after a recent malware outbreak at a hospital in Georgia, USA. Things are not as simple as we might like to think and the best minds in our business should work together to help come up with creative solutions to provide security with longevity.
(20 December 2011, duration 21:41 minutes, size 14.9 MBytes)
You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 78, subscribe on iTunes or our RSS feed.
One Response to SSCC 78 - IE 9 upgrades, Android malware, Carrier IQ and hospital shut down from malware
Sigh Man says: December 22, 2011 at 8:02 pm
My site has been infected with malware and every time I visit it, I get a warning page either from Google or Firefox telling me that I have a virus on the site.
I cleaned my webhost, upgraded Joomla to the latest version and deleted all the old files. I then went to Google and requested a review, same thing for StopBadware.
Is there anything else I can do to speed up the process? And how long am I supposed to wait before I get unlisted?
We are slowly winding down for the Christmas break, and we wanted to thank you, our lovely readers and commentators, for all your help throughout the year.
To all of you who spotted inconsistencies or typos, offered us your point of view, recommended us to friends and colleagues, and generally helped us on our way, we tip our snow-flecked Santa hats to you.
Since our launch last November, we've aimed to give our readers the latest security news peppered with a little advice, research and opinion.
But this all takes a tremendous amount of work, and a few of our writers will be going on a well-deserved holiday. That is why you might notice a little less content than usual over the coming holiday.
But we promise we will jump back into our writing seats in January.
See you back here in 2012!
Oh, and if you fancy something topical to read over the break - be sure to check out our short history of Christmas malware.
Researchers presented information on a long-standing vulnerability in most web application frameworks at today's 28c3 (28th Chaos Communication Congress) security conference in Berlin, Germany, Earth, Milky Way.
Alexander “alech” Klink and Julian “zeri” Wälde delivered a demonstration and lecture titled "Efficient Denial of Service Attacks on Web Application Platforms". In their lecture they explained in detail how most web programming languages utilize hashes and manage collisions.
The type of hashing used by PHP, Java, Python and JavaScript in this attack is not a cryptographic hash; it is a simple mathematical hash used to speed up storing and retrieving data posted to web pages.
Collisions in these hashes are expected and managed by the programming framework in a reliable way when not being abused.
It is known that an attacker who understands the values used in your hashing algorithm could pre-compute a set of keys that all produce the same hash. Every such key lands in the same bucket, so each new insertion has to be compared against every key already stored there; the total work grows quadratically with the number of keys, which can create a very heavy load on the web server.
An example given showed how submitting approximately two megabytes of values that all compute to the same hash causes the web server to do more than 40 billion string comparisons.
During the talk they performed a denial of service attack against an Apache Tomcat server, which is a commonly used Java servlet container for hosting web pages.
They sent the server some pre-computed hash collisions and showed how it used 100% of their processor for the entire talk.
They explained that the proper solution to the problem is for the developers of the vulnerable programming languages to randomize the key used when computing hashes. This would prevent an attacker from being able to pre-compute the collisions.
Perl was updated to fix this problem in version 5.8.1, which was released in September of 2003. For some reason most of the other languages did not take the cue from Perl and are still vulnerable to these attacks.
Without fixing the hashing functions in the languages themselves there are three mitigation techniques available to website operators.
1. Reduce the length of parameters that can be posted.
2. Reduce the number of parameters accepted by the web application framework.
3. Limit the amount of CPU time that any given thread is allowed to run.
Microsoft has released an advisory for ASP.NET customers with advice on mitigation until they are able to ship a more permanent fix.
It may be possible to configure web application firewalls and other network security devices to limit the impact of an attack as well; it would certainly be worth your time to consult with your security vendors to see if they can help.
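An added example (my own, not the researchers' or any framework's code) that shows both halves of the story: a toy chained hash table that counts key comparisons, fed with parameter names that all collide under a deliberately order-insensitive hash, against the same table keyed with a per-process random secret, which is the fix the talk recommends; and a form-body parser that enforces the first two mitigations (bounded body size, parameter count and name length) before anything is inserted into a dictionary. The hash functions, the colliding keys (anagrams of one string) and the limit values are all constructed for illustration and bear no relation to any real language's hash. For reference, CPython itself has randomised string hashing by default since Python 3.3.

```python
import hashlib
import os
from itertools import permutations
from urllib.parse import unquote_plus

BUCKETS = 1024


class ChainedTable:
    """Toy hash table using separate chaining; counts key comparisons on insert.

    With n keys in one chain, the k-th insert compares against k-1 stored keys,
    so n colliding keys cost n(n-1)/2 comparisons: the quadratic blow-up."""

    def __init__(self, hash_fn, buckets=BUCKETS):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (stored_key, _) in enumerate(chain):
            self.comparisons += 1
            if stored_key == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def weak_hash(key: str) -> int:
    """Order-insensitive toy hash: every anagram of a key hits the same bucket."""
    return sum(ord(c) for c in key)


# Per-process secret, regenerated at every start: the randomised key the talk recommends.
PROCESS_SEED = os.urandom(16)


def seeded_hash(key: str, seed: bytes = PROCESS_SEED) -> int:
    """Keyed hash: without the seed an attacker cannot pre-compute collisions."""
    digest = hashlib.blake2b(key.encode("utf-8"), key=seed, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def colliding_keys(n: int) -> list:
    """Constructed parameter names that collide under weak_hash: distinct anagrams."""
    keys = []
    for perm in permutations("abcdefgh"):  # 8! = 40320 distinct anagrams available
        keys.append("".join(perm))
        if len(keys) == n:
            break
    return keys


def comparisons_for(hash_fn, keys) -> int:
    """Insert all keys into a fresh table and report the comparisons it needed."""
    table = ChainedTable(hash_fn)
    for key in keys:
        table.insert(key, "value")
    return table.comparisons


# Mitigations 1 and 2 from the text: bound what a request may contain before
# any of it is inserted into a hash table. The limit values are assumed.
MAX_BODY_BYTES = 64 * 1024
MAX_PARAMS = 1000
MAX_NAME_LEN = 256


class RequestTooLarge(ValueError):
    pass


def parse_form_limited(body: bytes, max_body=MAX_BODY_BYTES,
                       max_params=MAX_PARAMS, max_name=MAX_NAME_LEN) -> dict:
    """Parse an application/x-www-form-urlencoded body with hard limits."""
    if len(body) > max_body:
        raise RequestTooLarge(f"body of {len(body)} bytes exceeds {max_body}")
    raw = body.decode("ascii")  # form-encoded bodies are ASCII by construction
    pairs = raw.split("&") if raw else []
    if len(pairs) > max_params:
        raise RequestTooLarge(f"{len(pairs)} parameters exceeds {max_params}")
    params = {}
    for pair in pairs:
        name, _, value = pair.partition("=")
        if len(name) > max_name:
            raise RequestTooLarge(f"parameter name longer than {max_name}")
        params[unquote_plus(name)] = unquote_plus(value)
    return params


if __name__ == "__main__":
    keys = colliding_keys(2000)
    print("weak hash   :", comparisons_for(weak_hash, keys), "comparisons")
    print("seeded hash :", comparisons_for(seeded_hash, keys), "comparisons")
```

With 2,000 colliding names the weak table performs exactly 1,999,000 comparisons, while the seeded table spreads the same names across its 1,024 buckets and needs on the order of a couple of thousand. The parser refuses an over-sized request before a single key is hashed, which is why bounding parameter count and length works as a stop-gap even when the language's hash itself is still predictable.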
Update: Microsoft have released a fix less than 24 hours after disclosure. ASP.NET admins can download patch MS11-100 to protect their IIS web assets. More information is available on the Microsoft SRD blog.
MS11-100 also fixes three other privately disclosed vulnerabilities, including one which could allow arbitrary code execution and elevation of privilege. Microsoft considers this update as critical, and I concur.
Emails are currently circulating that purport to be sent by the UK tax organization HM Revenue & Customs (HMRC). These e-mails claim that the recipient is eligible to receive a tax refund and that he or she must download an attached file and open it in a browser.
The scam e-mail reads in part:
TAX REFUND NOTIFICATION
Dear Taxpayer, After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of 223.56 GBP.
Please submit the tax refund request and allow us 6-9 days in order to process it.
To access your tax refund, please follow the steps below:
- download the Tax Refund Form attached to this email
- open it in a browser
- follow the instructions on your screen
A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.
Opening the attached file displays a form which prompts the victim to fill in his or her full name, date of birth, complete address, phone number, and credit card or debit card information.
Of course, submitting the form won't actually send the information to HMRC; it will instead be sent to a malicious third party without the victim's knowledge or approval.
Scam emails purporting to be sent by HMRC are not a new phenomenon; Naked Security has previously warned about similar scams in November 2010 and even in January and February 2009.
The good news for Sophos customers is that the phishing attachment is already detected as Mal/Phish-A by our products, including the free Sophos Anti-Virus for Mac Home Edition.
For those who may be interested, I've written a few additional details about this particular phishing scam on my own security blog.
Stefan Viehböck, an independent security researcher, published a paper on Boxing Day titled "Brute forcing Wi-Fi Protected Setup" to his WordPress blog disclosing a weakness in the configuration of most consumer/SoHo Wi-Fi routers.
As we all know the state of security for most home Wi-Fi networks was nearly non-existent only a few years ago.
This prompted the Wi-Fi Alliance to establish a new simple method for consumers to enable and configure WPA2 on their routers without knowledge of encryption, keys or how it all works.
The standard is called Wi-Fi Protected Setup (WPS) and is enabled by default on nearly all consumer Wi-Fi access points, including those sold by Cisco/Linksys, Netgear, Belkin, Buffalo and D-Link.
It has three methods of simplifying the connection of wireless devices to WPA2 protected access points:
1. Push Button Connect (PBC) requires the user to push a button on the router which allows it to communicate with a client needing configuration. The client attempts to connect and the router simply sends it the security configuration required to communicate.
2. Client PIN mode is where the client device supports WPS and has a PIN assigned by the manufacturer. You then log in to the router's management interface and enter the PIN to authorize that client to obtain the encryption configuration.
3. Router PIN mode allows a client to connect by entering a secret PIN from a label on the router, or from its management interface, which authorizes the client to obtain the security configuration details.
The first method requires physical access, while the second requires administrative access; both of these pass muster. The third, however, can be accomplished using nothing but the Wi-Fi radio.
The PIN used for authentication is only eight digits, which would give the appearance of 10^8 (100,000,000) possibilities. It turns out the last digit is just a checksum, which takes us down to 10^7 (10,000,000) combinations.
Worse yet, the protocol is designed so that the first and second halves of the PIN are sent and checked separately, and the access point confirms whether each half is correct on its own.
So the difficulty of brute forcing the PIN is reduced to 10^4 (10,000) guesses for the first half plus 10^3 (1,000) for the second, or 11,000 possibilities in total.
Some of the routers Viehböck tested did seem to implement a mechanism to slow down the brute forcing, but the worst case scenario allowed him to acquire the keys within 44 hours.
Compared with attempting to attack WPA2-PSK directly, this is a cheap and effective attack.
As the sub-title of Viehböck's paper states "When poor design meets poor implementation" security is the loser.
If you own a reasonably modern Wi-Fi router you are at risk (unless you have installed some sort of alternative firmware like OpenWRT or Tomato Router).
If possible disable the WPS support on your router and contact your manufacturer for updated firmware which may provide a fix or mitigation against this attack.
Another researcher independently discovered the same issue and has published a tool called Reaver that implements this attack.
Similar to the Firesheep tool, this will likely light a fire under the butts of the Wi-Fi Alliance and manufacturers to quickly resolve these issues.
By popular request, here is a video explaining how to solve the Dragon Tattoo-themed puzzle we published earlier this week.
(Some of the text comes out pretty small in the video window below. If you watch directly on YouTube, you'll see more pixels. The video was rendered at 1280x720, so you can even watch in HD if you want.)
(Enjoy this video? Check out more on the SophosLabs YouTube channel.)
And don't forget to keep your eye on Naked Security between Christmas and New Year. That's when we publish our annual New Years' Eve crossword puzzle - a handy bit of fun for techies who are at work whilst most of their colleagues are on vacation.
(If you'd like to practise for the NYE2011 crossword challenge, here's last year's puzzle, and here are the answers.)
Data leaks at Stratfor and Care2 mark the end of a year riddled with data theft
by Chester Wisniewski on December 30, 2011
Filed Under: Data loss, Featured, Podcast, Privacy
Was 2011 the year of the data leak? Could be, but it is hard to tell.
From my vantage point writing daily about the most important stories in information security, data theft may not have been the most important story of 2011, but it certainly impacted more regular people and raised their awareness about the problem of all of their data being "in the cloud".
I shared my thoughts on this today with John Moe on Marketplace Tech Report from American Public Media in the United States.
You can listen to my thoughts on 2011 alongside John Moe, Jonathan Zittrain, Susan Crawford and Danah Boyd in this four minute podcast.
(30 December 2011, duration 4:00 minutes, size 1.9 MBytes)
While Anonymous/LulzSec dominated the data breach headlines, what became clear was that more and more organizations are collecting data about us and doing a poor job of protecting that information.
Compliance rules like HIPAA/HITECH, PCI and others are not really having their intended impact, as health records, credit cards, passwords, birth dates and more were all stored insecurely on often woefully unpatched systems.
The number of records stolen was enormous. Sony alone was hacked more than 20 times and lost over 100 million records.
The bulk email marketing company Epsilon leaked names and email addresses from some of the world's most trusted brands like Best Buy, Marks & Spencer, Marriott Rewards, Walgreens and Chase Bank.
South Korean social media users were hit hard when Cyworld and Nate were compromised (both owned by SK Communications) and hackers made off with more than 35 million records.
Like video games that aren't related to Sony? Chances are your data was leaked when the Steam user forums were breached or when Square Enix was hit twice in 2011.
Citibank credit card users had card information compromised, affecting more than 200,000 people, as did customers of handmade cosmetics company Lush.
Of course the biggest story at the end of 2011, wrapping up the year of unsecured data has been the attack Anonymous made on Stratfor.
Stratfor, a company focused on security intelligence services, was attacked by Anonymous who have allegedly acquired 75,000 addresses, credit cards and names of their customers and then posted them publicly.
Sadly it seems companies still aren't learning the lesson of protecting their customers' information, even after all of these headlines and millions of dollars in lost reputation to the companies involved.
It was brought to my attention that Care2.com's website was hacked, revealing usernames and passwords for the site's nearly 18 million users.
Naked Security reader Bob emailed us to point out that Care2 is storing passwords insecurely.
Rather than storing passwords as a salted cryptographic hash, which would not reveal their customers' passwords if stolen (or would at least make recovering them much more difficult), they are storing them either in plaintext or in a reversible format.
According to the company's own FAQ about the data breach: "Q. What can I do to recover my password? A. Visit http://www.care2.com/retrieve_password Enter your user name or email address in the green box titled “Forgot your password or log-in name?” Your password will be emailed to you."
Really!? After the attackers made off with all of your customer information, you are still following the same insecure practices that put your customers' information at risk in the first place?
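To show the difference in practice, here is an added example (my own code, not Care2's or Sophos's): a reversible store of the kind the FAQ implies, which can hand the password back on request, beside a store that keeps only a salted, iterated PBKDF2-HMAC-SHA256 digest, so that it can verify a login but cannot recover the password, and so answers "forgot my password" with a single-use reset token instead of the password itself. The iteration count is an assumed value, and the user names and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune to your hardware


class ReversibleStore:
    """The anti-pattern: the stored record can be turned back into the password,
    so a breach (or a 'forgot password' page) can hand it to anyone."""

    def __init__(self):
        self.records = {}

    def set_password(self, user: str, password: str) -> None:
        self.records[user] = base64.b64encode(password.encode("utf-8")).decode("ascii")

    def recover_password(self, user: str) -> str:
        return base64.b64decode(self.records[user]).decode("utf-8")


class HashedStore:
    """Salted, iterated hash: verification works, recovery does not."""

    def __init__(self, iterations: int = ITERATIONS):
        self.iterations = iterations
        self.records = {}        # user -> "pbkdf2_sha256$iterations$salt_hex$digest_hex"
        self.reset_tokens = {}   # user -> sha256 of an outstanding single-use token

    def _digest(self, password: str, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # fresh per password, so equal passwords give different records
        digest = self._digest(password, salt, self.iterations)
        self.records[user] = f"pbkdf2_sha256${self.iterations}${salt.hex()}${digest.hex()}"

    def verify(self, user: str, password: str) -> bool:
        record = self.records.get(user)
        if record is None:
            return False
        _, iterations, salt_hex, digest_hex = record.split("$")
        candidate = self._digest(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

    def issue_reset_token(self, user: str) -> str:
        """What a 'forgot password' flow sends instead of the password: a random,
        single-use token; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[user] = hashlib.sha256(token.encode("ascii")).hexdigest()
        return token

    def reset_with_token(self, user: str, token: str, new_password: str) -> bool:
        expected = self.reset_tokens.get(user)
        if expected is None:
            return False
        presented = hashlib.sha256(token.encode("ascii")).hexdigest()
        if not hmac.compare_digest(presented, expected):
            return False
        del self.reset_tokens[user]  # single use
        self.set_password(user, new_password)
        return True


if __name__ == "__main__":
    weak = ReversibleStore()
    weak.set_password("bob", "hunter2")
    print("reversible store hands back:", weak.recover_password("bob"))
    strong = HashedStore()
    strong.set_password("bob", "hunter2")
    print("hashed record:", strong.records["bob"])
    print("login ok:", strong.verify("bob", "hunter2"), "wrong pw:", strong.verify("bob", "hunter3"))
```

The record in the hashed store contains the salt, the work factor and the digest, and nothing else; a stolen copy gives the attacker a per-user guessing problem rather than a password list, and the site's own support flow never learns the password either.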
Where does this leave us? Think carefully about who you share personal information with, and before doing so carefully weigh whether they need that information or not.
And for the sake of all of your digital presence use unique passwords for every site you access. There are great tools to help you like Keepass or LastPass.
To quote American folk singer Pete Seeger "When will they ever learn? When will they ever learn?".
2 Responses to Data leaks at Stratfor and Care2 mark the end of a year riddled with data theft
Jon W says: December 30, 2011 at 11:17 pm
Dear care2: Instead of emailing our passwords back, why not just post a list of the email addresses & passwords on Facebook and we'll just pick out some to use...?
jessi slaughter says: December 31, 2011 at 4:18 am
Dropping the Pete Seeger reference in a Stratfor story! Well done Chet, have a very happy New Year!