Formspring Hacked - 420,000 Password Hashes Leaked

wiredmikey writes with news of yet another business suffering a data breach. From the article: "Formspring, the Social Q&A portal ..., admitted to being breached on Tuesday. The compromise led to the loss of 420,000 passwords, forcing the site to reset all member passwords. Mirroring the recent LinkedIn breach, Formspring said that it was alerted to a forum post that contained 420,000 password hashes. Engineers shut down the service and confirmed the passwords were indeed theirs. In less than a day, an investigation revealed that the attacker(s) had 'broken into one of our development servers and was able to use that access to extract account information from a production database' .... There have been no reported incidents of individual account compromise, but there were reports of phishing by some users on Twitter attempting to capitalize on the incident."


  • Network Isolation (Score:5, Insightful)

    by Archangel Michael ( 180766 ) on Wednesday July 11, 2012 @10:17AM (#40614365) Journal

    When are people going to get a clue and do proper network isolation of servers ... especially Database servers. There should be no way to attach to a database from outside network. Production and testing servers should all be on sandboxed networks that don't touch the outside.

  • by txoof ( 553270 ) on Wednesday July 11, 2012 @10:21AM (#40614399) Homepage

    And once again we are reminded that using the same password on every site is a terrible idea for just this reason. I know I'm guilty of recycling a generic password on sites I don't care about, but I fear that my family members are even worse. I'd say there's an 80% chance that my family recycles the same password on both social and banking sites.

    It doesn't help that many password validation routines choke on spaces. Being able to use a passphrase is way easier than trying to remember some random group of characters that just happen to have a high entropy. The Correct Horse Battery Staple [xkcd.com] model is my new favorite for any site that will accept spaces. Sadly, one bank that I have done business with won't even allow a password that is more than 8 characters and only accepts letters and numbers. They try to shore this up with some bogus security questions on the following page, but I don't feel really "secure."

    What other password strategies do you all use to make sure you keep reasonably secure? I eventually gave in to using KeePass to keep my less frequently but more important passwords secure.
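The contrast the comment draws (an 8-character letters-and-digits limit versus a passphrase with spaces) as an added Python example; this is not code from Formspring, from any bank, or from anyone in the thread, and the deny list, length thresholds and word-list size are constructed assumptions.

```python
import math
import re

# Constructed deny list; a real deployment would use a much larger one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "training1", "letmein"}


def legacy_policy_accepts(password: str) -> bool:
    """The restrictive bank-style policy from the comment: at most
    8 characters, letters and digits only. Anything with a space,
    such as 'correct horse battery staple', is rejected outright."""
    return 1 <= len(password) <= 8 and re.fullmatch(r"[A-Za-z0-9]+", password) is not None


def passphrase_policy_accepts(password: str, username: str = "") -> bool:
    """Passphrase-friendly policy: long minimum, generous maximum, any
    printable character including spaces, plus cheap sanity checks
    (not equal to the username, not on the deny list, not near-uniform)."""
    if not 12 <= len(password) <= 128:
        return False
    if not password.isprintable():
        return False
    normalised = password.strip().lower()
    if normalised == username.strip().lower():
        return False  # the 'training1'/'training1' case from the thread
    if normalised in COMMON_PASSWORDS:
        return False
    if len(set(normalised)) < 4:
        return False  # e.g. 'aaaaaaaaaaaa'
    return True


def passphrase_entropy_bits(word_count: int, wordlist_size: int = 2048) -> float:
    """Entropy of word_count words drawn uniformly from a list of
    wordlist_size words (the xkcd model: 4 words from ~2048 = 44 bits)."""
    return word_count * math.log2(wordlist_size)


def random_string_entropy_bits(length: int, alphabet_size: int = 62) -> float:
    """Entropy of length characters drawn uniformly from alphabet_size
    symbols (62 = letters and digits, the only alphabet the legacy policy allows)."""
    return length * math.log2(alphabet_size)
```

Four random dictionary words land within a few bits of a fully random 8-character alphanumeric string, which is the comment's point: the legacy policy forbids the form that people can actually remember.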

  • by sl4shd0rk ( 755837 ) on Wednesday July 11, 2012 @11:22AM (#40615119)

    When are people going to get a clue and do proper network isolation of servers

    You apparently read a lot about security but haven't done much enterprise administration.

    Database servers behind a second DMZ with reverse proxying always look great on paper, and start life out that way but what always happens is there is some "corner case" piece of software which doesn't work with your setup and you need to make an exception. Next, the developer group will explain they've written their applications to use "realtime" data and the subset of data you've copied out to the DMZ DB is 6 hours too old. You go to the DB Admin and ask him what it would take to increase the frequency of the Oracle dump and he explains it already takes 6 hours to complete and the dump locks tables so you have to do it at night when Sales and Marketing are not using it. You find out the backups are running after the dump process and the network is quite saturated as it pulls 1500G over the wire to the archive SAN. As a result it takes you another 2 hours to get the subset of data moved out to the DMZ. This whole process takes about 12 hours to run and since you are on the West coast you can't tie up the network or the DB for an additional 2 hours or the Midwest offices can't begin work at 8am. Eventually the boss screams he wants it fixed whatever the cost so someone dual-homes the DMZ database so things can get sucked off the back-end on a separate wire. Suddenly, developers start using the second nic to connect directly to the DMZ DB but you find out all the added traffic on the second gig nic tops out the old Sun box taking all its spare CPU cycles with it. The nail in the coffin finally comes in when the AD server in the DMZ is found to have been compromised for over 6 months and has been siphoning data off the Oracle connector to some place in China.

    This is why compromises happen and why we can't have nice things like secure database setups.

  • by Charliemopps ( 1157495 ) on Wednesday July 11, 2012 @11:27AM (#40615187)
    And if the production and database servers are "in the cloud"? Kind of hard to isolate them then, ain't it?

    I've run into this before. We've got a DB that's hosted in a "cloud service" then we have idiot supervisors/management that want to do training... so they set all their training accounts to
    Username "training1"
    Password "training1"

    We find out, force them to change it. Next thing we know, they're trying to sic VPs on us... "Why are you making it hard for my department to train?!?! It's only a test server!"
    Explaining that it's a duplicate of production doesn't seem to faze them... It's kind of irrelevant which database the hackers get into when they are identical to each other. Calling one "test" is kind of irrelevant from a security standpoint.
