reporting transparency

Lately a lot of high level breaches surface, which is worrying since we expect that companies and/or organisations with a substancial number of accounts and business have the ability to adopt to the latest security developments. However it seems they have not, more specific some of the breaches are relatively easy to exploit but even easier to solve or prevent to happen.

In July 2013 OVH a French hosting provider got hacked, the positive note about it is that the provider decided to disclose the breach and even some details on how this could happen. They also made a statement on how to solve the issue from reoccuring. Imagine your local bank would do this?
The culprit was able to gain access to the mail account of an administrator, this access provided him the details to access the VPN, once in the network things became fairly simple to fiddle around with systems and search around for sensitive data. Now why would it be possible for an administrator to have access to his emails without using some sort of VPN connection, and I do not mean clientless vpn aka httpS. There is no appropriate answer to this question.
Only fools and horses in the layers of a company would allow this kind of access.
OVH explained that in the future a VPN connection is mandatory for these operations.
But a positive side note is that they were transparent about which data had been stolen, what consequences it had for you as a customer and how they will prevent it in the future. Let's say a step forward after having been set two steps back.

Another major hack happened only a few days earlier, the ubuntuforums got compromised. 1.8 million usernames, passwords and email adresses were stolen. The passwords were not stored in plain text, woohooo party we're secure! The fact of the matter is, you weren't . Because we lazy human beings tend to recycle the password a zillion times for each of our online accounts. And if true, the passwords are stored in a simple non salted md5 hash, which would make it for a brute forcing a realistic easy attack. The organisation informed each user and advised to change your passwords on the zillion other accounts you have. A daunting task that will lead everybody to use an identical password for each and every account Sourire

But hey, you can use a passwordmanager and generate a unique password for each account and store it safely.

The comments are closed.