Oops: Dropbox Left All User Accounts Wide Open For Four Hours This Weekend

from the hacktastic dept

Dropbox's security has been under increased scrutiny lately, after some security researchers claimed that some of its security practices were questionable. So, it was probably the worst time possible for the company to have a "programmer's error," leaving all Dropbox accounts completely wide open to anyone for four hours on Sunday. Apparently, during that period of time, you could log into anyone's account with any password. Just type in a random string of gibberish and you're in. Not surprisingly, the company is apologizing and investigating how this happened. At the very least, it seems like a good reason to explore alternatives if you're doing remote storage.

Of course, this also raises interesting points concerning the big question of "cloud" security. Many people have suggested that relying on some third party -- such as Dropbox -- is inherently insecure. However, that assumes that an individual who goes a different route would be able to create a more secure system on their own. I'm sure that's true for some people, but it might not be the case for the everyday user. In the long run, you would hope that these remote service providers can implement stronger security, so that individuals don't have to. But, in the short run, I wouldn't be surprised to see more such stories of less-than-optimal security being exposed at these kinds of service providers.

Filed Under: cloud, passwords, privacy, security
Companies: dropbox

Syrian Government Posting Pro-Government Messages On Pages Of Dissidents After Getting Their Passwords

from the i'm-sure-that'll-convince-people... dept

After social networking played a role in the uprisings in Tunisia and Egypt, we found it interesting that Syria lifted a ban on Facebook, Twitter and YouTube that had been in place for many years. The government claimed that it wanted to show that it encouraged openness and expression, though some found that hard to believe. Indeed, as things have gotten worse in that country, there were reports a few weeks ago of a massive attempt by the government to swipe passwords on Facebook. Further reports are now claiming that either with swiped passwords or by forcing arrested dissidents to cough up their own passwords, the Syrian government has started posting fake pro-government messages on the pages of those dissidents.

I'm curious as to why the government is doing this. Do they really think that anyone is convinced by this or that it's effective? If you have been friends with or following a well-known dissident, who suddenly disappears, and then his page starts posting pro-government messages, it seems like most people would quickly realize that something was wrong. Meanwhile, the various dissidents and activists have found that the best way to avoid this is to just create fake personas on Facebook, despite that going against the company's policies. One hopes that Facebook is willing to let things slide under the circumstances...

Filed Under: dissidents, passwords, social networking, syria

Sony Admits That Playstation Hacker Got Tons Of Info, Including Passwords

from the this-is-what-you-get-with-a-company-that-rootkits-people dept

We had avoided discussing what was going on with the PlayStation Network hack and subsequent downtime until more details were known, and now Sony is finally revealing what many people feared: a ton of personal info was leaked. According to Sony's blog post, among the information that hackers got was:

• Name
• Address
• Country
• Email
• Birthdate
• PlayStation Network/Qriocity password and login

Sony claims it's not sure yet, but that it "cannot rule out," that credit card info and password security answers may have also been included. To deal with that, they're saying people should assume that such info was compromised. So far, Sony's plan is to tell you to stay alert:

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

You hear that sound? That's the sound of a whole bunch of class action lawsuits being filed against Sony as we speak. I'd like to say it's a huge surprise that Sony would even store passwords and credit card data in a place where it could easily be extracted like that, but it's really not. This, after all, is the company that made the word "rootkit" famous, and spent the last few months wasting more resources in a quixotic legal campaign against a guy who added back a feature to the PS3 that Sony had deleted. Perhaps if it spent a little more time actually protecting its users rather than fighting silly battles, there wouldn't be issues like this.

Filed Under: credit cards, passwords, playstation, playstation network, security
Companies: sony

Google, Facebook Go To Court In France: Claim Data Retention Rules Violate Privacy

from the american-companies-protecting-european-privacy dept

We've noted that, one by one, various European countries are realizing that Europe's "data retention" directive appears to be in direct conflict with EU privacy rules -- and when you put the two up against each other, privacy should win out. Germany, Romania, Cyprus, Hungary, the Czech Republic, Sweden, Greece, Ireland and Austria have all either ignored the data retention rules, or had courts rule against them. As we discussed last month, over in France, however, new data retention rules were recently published, which requires service providers to keep all sorts of info about their users -- including passwords in plain text:

According to the decree with immediate application (so in force since 1 March 2011), the data to be preserved include: the identifier of the connection at the origin of the communication, the identifier attributed by the information system to the content that makes the object of the operation, the types of protocols used for the connection and for the content transfer, the nature of the operation, the date and hour of the operation and the identifier used by the author of the operation, when provided. Moreover, the hosting companies must also preserve, for one year after the deletion of an account, even more sensitive data such as the date and time when an account is created and the identifier of the connection, his/her complete name, pseudonyms, associated post addresses, e-mail and associated addresses, telephone numbers and even password.

In case the service subscribed is a paid one, the hosting companies must also retain data related to the payment method, the amount paid and date and hour of the transaction. Furthermore, they must preserve, for one year after the contribution to the content creation, data including the connection identifier, the identifier attributed to the subscriber, the identifier of the terminal used for the connection, the date and hour of the beginning and end of the connection and the features of the subscriber's line.

If that seems like quite a lot of information (passwords? really?!?), you're correct and Google and Facebook find this requirement problematic. The two companies are taking the French government to court over this rule, saying that it violates other rules on privacy.

I find it somewhat ironic that Google and Facebook -- two American companies, quite frequently bashed in Europe for not respecting privacy, are standing up to a European government for privacy rights of their users...

Filed Under: data retention, france, passwords, privacy
Companies: facebook, google

France Goes Overboard In Data Retention: Wants User Passwords Retained

from the anti-privacy-laws dept

There have been plenty of stories about various governments, often at the behest of either law enforcement or the entertainment industry, pushing for data retention laws. It seems especially ironic in Europe, where privacy laws are a much bigger deal, that they would also push for data retention, which is the opposite of a privacy law. However, Andrew Swift points us to a new data retention law in France that goes way beyond your typical "keep the log files" data retention rule. Instead, it appears to require that ISPs and hosting companies retain all sorts of private information (Google translation from the original French). Swift summarizes for us the information that needs to be retained:

Information furnished when agreeing to a contract or opening an account, including first name, last name, business name, associated mailing addresses, and pseudonyms utilized, associated e-mail addresses and accounts, telephone numbers, and passwords as well as data permitting the verification or modification of the password.

These companies must also keep all user id's and passwords for any internet connection, the IP address of the terminal used to connect, the time and date of every connection, and...

Here's the kicker: for EVERY action of a user on the internet, these companies are now required to record the nature of the operation, whether it is writing an e-mail or downloading an image or video.

Just the fact that these companies would even have access to passwords should be problematic. Why aren't these services encrypting the passwords? I'm really curious how a law like this could possibly work in conjunction with European privacy laws?

Not surprisingly, it appears that pretty much every online service provider is planning to challenge this decree in court (Google translation of the original French).

Filed Under: data retention, france, passwords, privacy

Maryland Corrections Agency Demanding All Social Media Passwords Of Potential Hires

from the privacy? dept

You may recall back in 2009 that we wrote about how the city of Bozeman, Montana was requiring people who applied for jobs with the city to cough up all of their social networking usernames and passwords, so that city employees could log in and look around. Beyond being positively ridiculous, this seemed like a huge invasion of privacy. After an awful lot of public ridicule, the city (wisely) decided to drop the requirement, and claim the whole idea had been a "mistake."

Apparently not everyone in local government was paying attention.

The ACLU is apparently taking on the case of a Maryland man who applied to be "re-certified" for a job with the Maryland Department of Corrections, after he had taken a brief leave. As a part of the interview process, he was required to hand over his Facebook password. Apparently, the Department of Corrections is now requiring all social media account info, including passwords, as a part of their "background check" process. In at least this case, the guy in question was told not to change his password for a few months -- leading to all sorts of questions about what private info state officials might look into while logged into his account. The ACLU sent a letter (pdf) to the Maryland Corrections Dept. noting that it believed the policy was "a frightening and illegal invasion of privacy," and a clear violation of the Stored Communications Act. The ACLU letter also demanded that the Maryland Department of Corrections rescind this policy.

It appears that Maryland's response to all of this has been to totally ignore the letter. The ACLU waited three weeks, and after receiving no response at all, has gone public with the story. I would imagine that a lawsuit will soon follow.

Filed Under: maryland, passwords, privacy

Ryanair Shrugs Off Discovery That Others Can Edit Your Flight Booking; Says It's Your Problem

from the oh-really-now? dept

European discount airline Ryanair is somewhat famous for their near total lack of concern about customer happiness. The airline, at times, seems almost gleeful about the complaints it gets from customers. Still, it seems to go pretty far to completely shrug off a security hole that allows others to edit your bookings (found via Glyn Moody). Basically, some researchers discovered that if you know someone's email address and the date (and locations) that they're planning to fly, you can access their account and even adjust and manipulate the bookings. That's because the site apparently does not use passwords, but just those bits of information. What's really stunning is Ryanair's response:

"Your 'experts' are talking complete rubbish. If someone's lunatic ex-partner wants to access a flight booking and pay for priority boarding or extra baggage for the person they just split up from then they all have a lot more to worry about than a simple amended flight booking. It is everyone's individual responsibility to keep their personal information personal."

That's from Ryanair spokesman Daniel de Carvalho. Anyone taking bets on how long until someone changes one of de Carvalho's own flight bookings?

Filed Under: booking, hacking, passwords
Companies: ryanair

Bizarre Amazon Password Bug: Ignores Everything After 8th Character On Some Old Passwords

from the passwordblahblah dept

The folks over at Consumerist do a nice job summarizing a weird bug in some old Amazon passwords that was discovered and discussed on Reddit. For whatever reason, on some "older" passwords, Amazon apparently ignores anything past the 8th character in your password. That is, if your password was password123, anything that has those first eight letters -- "password" -- will work. So, just plain old "password." Or "passwordblahblahblah." Of course, this can make it much easier to crack certain Amazon passwords. In looking at why this happens, it sounds like Amazon used to use an old hashing technique that would truncate input to just 8 characters. At some point, Amazon caught up to modern technology and changed this, but for old passwords, it only had the hash for those first 8 characters, and had no way to recreate the "full" password. For users, the fix is just to update your old password, but for folks who have kept passwords that long, it seems like it may be difficult to get them to update their passwords without Amazon prompting them to do so.

Filed Under: bug, hash, passwords
Companies: amazon

How Facebook Dealt With The Tunisian Government Trying To Steal Every User's Passwords

from the security-in-action dept

If you haven't yet read it, you owe it to yourself to read Alexis Madrigal's fascinating piece at The Atlantic about how Facebook responded to what apparently was a government-run country-wide hack attack on Facebook (prior to the recent regime change) designed to capture every Tunisian user's Facebook password. As the article notes, for all the talk of how much Twitter was used to communicate during the Tunisian protests and eventual ouster of the old government, Facebook may have played an even bigger role.

However, Facebook's security staff had been hearing anecdotal stories from people in Tunisia claiming their accounts had been hacked, along with some indications that something odd was going on. Eventually, they realized that the Tunisian ISPs appeared to be running a giant man-in-the-middle keylogger system, that would record a user's password any time they logged into Facebook. So how do you respond to that if you're Facebook? A two-step approach: force all traffic from Tunisia to run through https: to encrypt the passwords and prevent this from happening and then set up a system for when people logged in, asking them to identify a friend, in order to prove it was really them. Of course, all of this makes me wonder why Facebook doesn't always use https, but that's another question for another day.

While the solution wasn't perfect, it appears to mostly do the job, even if it came a bit later in the process. But just from an outsider's perspective, it is a fascinating story of how various internet tools are playing into world politics, and how that leads to some totally unexpected situations.

Filed Under: hacking, passwords, tunisia
Companies: facebook