Clear security failings in Yahoo! password breach

Powered by SC Magazine
 

Leaving passwords in readable text is negligent.

The dumping of nearly half a million Yahoo! Voice clear text credentials paints a bleak picture of password security.

If the dump is legitimate -- and there's a chance the anti-security hackers posted old or cobbled together records -- it's a bad look for Yahoo!

According to some of the security folk now pouring over the records, the hackers from d33ds.co used run-of-the-mill SQL Injection to pinch the credentials from a smaller server.

That's enough to make many shrug their shoulders given injection is a mainstay of OWASP's Top 10.

But few companies could be forgiven for storing so many records in such an exposed format as clear text.

Encryption technologies are standard security fare, and by now, all passwords entrusted to an organisation worth its salt should be, well, salted.

An organisation accepts a lot of responsibility when it asks for users to signup. Not least because password reuse is common, and will remain so for a long time.

Users will also sign up using corporate email domains that may be sensitive, placing their organisations at a hightened risk.

Just look at those in the Yahoo! dump: There were 1870 *.edu domains, 93 *.gov and 81 pertaining to*.mil.

Local victims include a police prosecutor, a state treasury bureaucrat, an ambo and a decent representation of members from Australia's education system.

All are potential candy for social engineers.

Hacktivists have long demonstrated that its time for security benchmarks to be lifted. Anyone can be breached, but with decent encryption, everyone can minimise the impact.

Copyright © SC Magazine, Australia


Clear security failings in Yahoo! password breach
 
 
 
Top Stories
Westpac hires SAP man as CTO
Creates four new IT lead positions.
 
Qld Transport to replace core registration system
State's biggest citizen info repository set for overhaul.
 
Innovating in the sleepy super industry
There’s little incentive to be on the bleeding edge, so why is Andrew Todd fighting so hard?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  21%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  5%
TOTAL VOTES: 946

Vote