Monster.com Data Breach
Monster.com was hacked, and people’s personal data was stolen. Normally I wouldn’t bother even writing about this—it happens all the time—but an AP reporter called me yesterday to comment. I said:
Monster’s latest breach “shouldn’t have happened,” said Bruce Schneier, chief security technology officer for BT Group. “But you can’t understand a company’s network security by looking at public events—that’s a bad metric. All the public events tell you are, these are attacks that were successful enough to steal data, but were unsuccessful in covering their tracks.”
Thinking about it, it’s even more complex than that. To assess an organization’s network security, you need to actually analyze it. You can’t get a lot of information from the list of attacks that were successful enough to steal data but not successful enough to cover their tracks, and which the company’s attorneys couldn’t figure out a reason not to disclose to the public.
Matt from CT • February 9, 2009 7:41 AM
It’s far too early in the day, on a Monday no less, to be putting on the tinfoil…
But it does make you wonder if organized crime, with the help or at least toleration of foreign intelligence services, does any data aggregation of these various identity leaks.
Encrypted passwords are quite vulnerable to rainbow attacks if they’re not using some still-secret salt. Even with a salt, given enough passwords, computing power, and time, they’re still crackable. Without having data in front of me, I’d guess most people use variations of the same password or a “theme.”
What’s the power of not only aggregating identity information like figuring out where people work, but also looking at several of their passwords you’ve stolen as plain text or decrypted over the last 10 years of state sponsored / tolerated cracking?
Now, instead of a highly visible brute-force attack against an account, you can try just the occasional attack using passwords you know the target has used, or common variations of them, with a relatively high level of confidence…and do so over the course of years so you never reach the threshold for automated intrusion detection systems to issue alarms.
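As an added example, not part of the post or of the comment above, the following Python sketches the scenario the commenter describes: an unsalted hash of a common password is found instantly in a precomputed hash-to-password table (the idea a rainbow table compresses); a per-user random salt defeats that table; but a salted hash of a password that is only a "theme" variation of one the target used before still falls to a short, targeted guess list. Everything here is assumed for illustration: the SHA-256(salt || password) scheme, the salt being stored beside the hash and therefore known to the attacker, the five-word "common passwords" list, the constructed leaked password "Tiger2007", the target's current password "Tiger2009!", and the variation rules.

```python
import hashlib
import os

# Constructed sample data (not real breach data): a tiny "common passwords"
# list standing in for the wordlist behind a precomputed table, and one old
# password for the target, assumed to have leaked in an earlier breach.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "monkey"]
LEAKED_OLD_PASSWORD = "Tiger2007"


def unsalted_hash(password: str) -> str:
    """Stored form when a site hashes the bare password with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Assumed scheme: SHA-256(salt || password) with a per-user random salt.
    Real deployments should use a slow KDF (bcrypt, scrypt, Argon2); the
    point here is only how a salt interacts with precomputed tables."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(words):
    """hash -> password for every word in the list, computed once and reused
    against every victim whose site stored unsalted hashes."""
    return {unsalted_hash(w): w for w in words}


def lookup_attack(table, stored_hash):
    """Constant-time reversal of an unsalted hash if the password was in the
    wordlist; returns None otherwise."""
    return table.get(stored_hash)


def theme_variations(known_password: str):
    """Yield guesses derived from a password the target is known to have used:
    case changes, the root with trailing digits stripped, and common suffixes
    (years, '!', '1', '123'). The rules are an illustrative assumption."""
    root = known_password.rstrip("0123456789!")
    bases = [known_password, known_password.lower(), known_password.capitalize(),
             root, root.lower(), root.capitalize()]
    suffixes = [""]
    for year in range(2005, 2010):
        suffixes += [str(year), str(year) + "!"]
    suffixes += ["!", "1", "123"]
    seen = set()
    for base in bases:
        for suffix in suffixes:
            guess = base + suffix
            if guess not in seen:
                seen.add(guess)
                yield guess


def crack_with_theme(stored_hash, salt, known_password):
    """The salt is assumed stored beside the hash, so the attacker has it.
    The salt only forces the hashing work to be redone per user; a short,
    well-targeted guess list still succeeds. Returns (password, guesses_tried)
    or (None, guesses_tried)."""
    guesses = 0
    for guess in theme_variations(known_password):
        guesses += 1
        if salted_hash(guess, salt) == stored_hash:
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted 'qwerty' ->", lookup_attack(table, unsalted_hash("qwerty")))
    salt = os.urandom(16)
    print("salted 'qwerty' in table ->",
          lookup_attack(table, salted_hash("qwerty", salt)))
    stored = salted_hash("Tiger2009!", salt)   # the target's current password
    print("theme crack ->", crack_with_theme(stored, salt, LEAKED_OLD_PASSWORD))
```

The table lookup is what a salt prevents; the theme crack is what it does not. The second attack needs only a few dozen hash computations per account, which is why an attacker holding passwords from older leaks can afford to spread those few attempts over a long period rather than hammering the login page.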