Loss of Privacy

Keeping you informed on recent losses to privacy and civil rights worldwide.

Browsing Posts tagged breach

The recent RockYou hack has shown, once again, why breaches like this are so easy to pull off: people used predictable passwords despite years of warnings not to.

Sensitive login credentials, stored in plain text, were left exposed because of a SQL injection bug in RockYou’s website. RockYou admitted the breach, which covered user passwords and email addresses for widgets it developed, and pledged to improve security in order to safeguard against future problems.

From over 32 million passwords, the results were, sadly, not surprising. The top ten were:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

While the top ten shouldn’t surprise you, the fact that over fifty percent of the passwords were ordinary names, slang, and common dictionary words should. Even worse, the admins stored the passwords in plain text, something that should never be done. Hashing passwords (with a per-user salt and a slow, purpose-built hash, so a stolen table cannot simply be cracked in bulk) is not difficult, yet RockYou failed at this basic task. RockYou also didn’t enforce simple password rules such as a minimum length or a requirement to mix letters and digits. Nor should a login form be vulnerable to SQL injection in the first place: user input must never be concatenated into a query.
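As an added example that is not RockYou’s code, the Python below puts the post’s two failures side by side: a login query built by string concatenation (the shape of bug behind a SQL injection) next to a parameterised query that checks a salted PBKDF2 hash. The table names, the two accounts and their passwords (taken from the top-ten list above) are constructed for the demo, and the iteration count is an assumption.

```python
import hashlib
import hmac
import os
import sqlite3

# Added example, not RockYou's code. Schema, accounts and passwords are
# constructed for the demo; ITERATIONS is an assumption, tune it for real hardware.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return 'hex(salt)$hex(digest)' using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db():
    """Same accounts twice: one plaintext table (RockYou-style), one hashed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (email TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (email TEXT, password_hash TEXT)")
    for email, pw in [("alice@example.com", "123456"), ("bob@example.com", "princess")]:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (email, pw))
        conn.execute("INSERT INTO users_hashed VALUES (?, ?)", (email, hash_password(pw)))
    conn.commit()
    return conn


def query_vulnerable(conn, email, password):
    """String-built query: whatever the user types becomes SQL. Returns matching emails."""
    sql = (f"SELECT email FROM users_plain WHERE email = '{email}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_vulnerable(conn, email, password):
    return len(query_vulnerable(conn, email, password)) > 0


def login_hardened(conn, email, password):
    """Parameterised lookup, then verification against the salted hash."""
    row = conn.execute(
        "SELECT password_hash FROM users_hashed WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        # Unknown account: run a dummy verification so response time does not
        # reveal which e-mail addresses exist.
        verify_password(password, hash_password("no-such-user"))
        return False
    return verify_password(password, row[0])


# Payloads an attacker might type into the login form.
BYPASS_PASSWORD = "' OR '1'='1"
DUMP_EMAIL = "x' UNION SELECT email || ':' || password FROM users_plain --"


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "x", BYPASS_PASSWORD))         # True, no password needed
    print(query_vulnerable(db, DUMP_EMAIL, "anything"))       # every email:password pair
    print(login_hardened(db, "x", BYPASS_PASSWORD))           # False
    print(login_hardened(db, "alice@example.com", "123456"))  # True
```

The `DUMP_EMAIL` payload is the point of the exercise: the same concatenation bug that lets an attacker log in without a password also lets a single UNION pull every credential out of the table, and with plaintext storage there is nothing left to crack. Against the hashed table the parameterised query treats the payload as an ordinary (non-existent) e-mail address.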

Users should be creating harder-to-guess passwords, or they will suffer the consequences of further breaches.

With President Obama pushing for more electronic medical records, Americans need to look closely at just how well guarded their personal medical information really is. Wikileaks reports that the Virginia Prescription Monitoring Program was hacked and that over 8 million patient records are being held for a $10 million ransom in an encrypted database.

“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password.”

Virginia has since issued a statement [pdf] clarifying that the backups are intact, and details [pdf] of what was stored in the files.

In October 2008, a similar, smaller event occurred. Breaches of this kind will become commonplace if everyone’s medical information is digitized; it is simply too easy for criminals to access. Medical files hold so much information that they are a goldmine waiting to be dug through. Sometimes, low tech, i.e. paper, is still the best way to go.

Here’s something to think about: identity theft, hacked medical records, getting hit by a car and sent, barely conscious, to the hospital. Do you trust electronic medical records now?

Govtrip.com is the website many federal employees are required to use when booking work-related travel. The site was shut down after it was compromised to push malware onto visitors.

Sometime on Feb. 11, hackers changed the Govtrip.com Web site to redirect visitors to a site that installed malicious software… Govtrip.com also is used to reimburse workers via direct deposit, which means that many federal employees’ checking account information is stored there as well.

Fortunately, the site was shut down as soon as the problem was noticed. By February 12th, employees were being told how to book trips manually until the problem was solved.

According to an analysis shared with Washingtonpost.com, the compromise of govtrip.com came from multiple sources and was fairly extensive.

The government hopes to have the site fully restored by Monday, February 23rd. Until then, Northrop Grumman, the company that ran the site, has had its authority revoked. Northrop Grumman doesn’t seem to be the best company for this sort of work, yet it keeps being awarded contracts to do it.

Monster.com was attacked again and its database breached. A similar incident occurred in 2007. Back then, the company said it would make the site more secure and take security much more seriously. That new and improved security was breached a few months later, which suggests that security is just lip service at Monster.com.

“This remote server held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website,” reported Symantec.

Symantec said it had seen reports of phishing e-mails sent out to Monster.com users which were “very realistic” and contained “personal information of the victims”.

The e-mail encouraged users to download a “Monster Job Seeker Tool”, which was in fact a program that encrypted the files on their computer and left a ransom note demanding money for their decryption.

The program used to access Monster.com user data was a Trojan; Trojans are commonly used to steal bank details, usernames and passwords.

Monster.com will also not be sending e-mails to notify users of the breach, despite the breach-notification laws in most states that require it. Instead, there is a small security update on the site’s main page, and it’s easy to miss.

Though the company is offering help, it can do little for users who don’t keep their software up to date, and its IT administrators evidently haven’t kept up with the latest reports of attacks or actually tried to make the site more secure.

One major way they could have made the site more secure is basic password handling. If you use your account on a public terminal and forget to log out, anyone who sits down next can go into your account and change your password to a new one: there is no prompt to type in your old password before setting a new one. Passwords are also stored without hashing or encryption. These are the basics of security, and Monster.com continues to fail at them miserably.
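As an added example, not Monster.com’s code, here is the check the post says is missing: a password change that first verifies the current password and then revokes every other session on the account, so a session left open on a public terminal cannot be turned into a permanent takeover. The insecure variant is kept beside it to show the difference. The in-memory store, the account, the passwords and the session tokens are constructed for the demo, and the PBKDF2 iteration count is an assumption.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not Monster.com's code. Store, account and sessions are
# constructed for the demo; ITERATIONS is an assumption.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'hex(salt)$hex(digest)'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class AccountStore:
    """Hashed credentials (email -> hash) plus a session table (token -> email)."""

    def __init__(self):
        self.users = {}
        self.sessions = {}

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        """Return a fresh session token, or None on bad credentials."""
        stored = self.users.get(email)
        if stored is None or not verify_password(password, stored):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return token

    def change_password_insecure(self, token, new_password):
        """The failure the post describes: a live session is the only thing checked."""
        email = self.sessions.get(token)
        if email is None:
            return False
        self.users[email] = hash_password(new_password)
        return True

    def change_password(self, token, current_password, new_password):
        """Require the current password, then revoke every other session for the account."""
        email = self.sessions.get(token)
        if email is None:
            return False
        if not verify_password(current_password, self.users[email]):
            return False
        self.users[email] = hash_password(new_password)
        for other, owner in list(self.sessions.items()):
            if owner == email and other != token:
                del self.sessions[other]
        return True


def public_terminal_scenario():
    """Alice logs in on a shared machine and walks away; a stranger inherits her session."""
    store = AccountStore()
    store.register("alice@example.com", "correct horse battery")
    abandoned = store.login("alice@example.com", "correct horse battery")

    # Insecure flow: the stranger sets a new password and now owns the account.
    takeover = store.change_password_insecure(abandoned, "attacker-owned")
    stolen = store.login("alice@example.com", "attacker-owned") is not None

    # Same starting point against the hardened flow.
    store = AccountStore()
    store.register("alice@example.com", "correct horse battery")
    abandoned = store.login("alice@example.com", "correct horse battery")
    blocked = not store.change_password(abandoned, "guess", "attacker-owned")
    # Alice later changes her password from home; the abandoned session is revoked.
    home = store.login("alice@example.com", "correct horse battery")
    changed = store.change_password(home, "correct horse battery", "new and longer")
    stranger_logged_out = abandoned not in store.sessions
    return {"takeover": takeover, "stolen": stolen, "blocked": blocked,
            "changed": changed, "stranger_logged_out": stranger_logged_out}


if __name__ == "__main__":
    print(public_terminal_scenario())
```

Re-entering the current password is what ties the change to the account owner rather than to whoever holds the browser; revoking the other sessions closes the window in which an abandoned login can still act. The hashes also mean that a dump of `users` gives an attacker salted PBKDF2 output rather than the passwords themselves.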

My advice is to log into your account, if you have one, delete your resume and cover letter, and then change your password to a random alphanumeric string. Then cancel your account and explain to Monster.com that three security breaches in less than two years is completely unacceptable. Also explain that not notifying its customers of the breach, not taking responsibility, and, in general, the overall decline in usability are the reasons it has lost you as a customer. Incompetence and a lack of integrity are what got Monster.com into this mess. They are also the reason you should be leaving Monster.com.

While everyone agrees that USB drives should be encrypted, you’d be hard-pressed to find anyone who thinks attaching the password to the USB drive is a good idea; until now.

If you are, or were, a patient at Preston Prison in Lancashire, there’s a good chance that your medical records are out in the open.  The USB drive went missing on 30 December 2008 and has yet to be found.

The stick may have contained information of up to 6,360 patients. However, in some cases, individual patients had more than one entry.

The information included prisoners’ surnames, prison number, cell location, age range, prison clinic appointment times and references to medical conditions such as asthma, diabetes, mental health and even sexual health references.

Health chiefs have apologised for the breach and have taken urgent action to prevent it happening again.

“Even though there is no risk to anyone’s ongoing treatment or care, we have plans in place to contact those affected to inform them of the breach and apologise.”

Uh, this happened two weeks ago and you still haven’t contacted those who may be affected?

Anyone with concerns should contact the PCT’s confidential information line on: 0845 609 9866. It is open 9am to 5pm seven days a week until January 23, 2009.

Because after the 23rd, the police will go back to not caring about this problem anymore.

You might be thinking, “Who cares, they’re just prisoners and the information was lost somewhere in the prison,” but this isn’t the first time something like this has happened. The British government seems to have a habit of losing the private data of all of its citizens, from baby to adult, law-abiding to prisoner. The USB drive was also lost in a place full of criminals. Do you really think that no one, prisoner or guard, will be tempted to take this information and sell it? How likely is it to turn up anytime soon? I believe it would already have turned up if an honest person had found it.

This is a huge problem that the British government doesn’t seem to care to fix, and because it happened to prisoners, it seems to care even less. Just remember, your private, personal information is only as secure as the idiot carrying it.
