Security Market Segment LS
Tuesday, 15 December 2009 11:38

32 million passwords in the clear, in the wild

Anyone with an account on RockYou might like to RUN to every other site where they have used the same password and change it.

RockYou is an application hub publishing a number of gadgets for use on a variety of social networking sites.  Visiting their website, users are confronted with add-ons for Facebook, MySpace, Hi5 (the dating site, not the children's entertainers!), Bebo and many others.

According to reports, RockYou has around 32 million registered users.  And this is where the problems start.

According to the good folks at Imperva, it appears that there was a SQL injection flaw on the site.  This flaw allowed pretty much unimpeded access to the back-end database.  It would appear that on December 4th someone took a copy of the entire user database.  We know this because they publicized pieces of it, with details obscured.  The link is on the TechCrunch site, but don't follow it – malware was pushed at my PC when I tried.

Unfortunately, it wasn't until at least December 14th that RockYou acknowledged the intrusion, although they claim that the intrusion was quickly detected and the site taken offline to close the loophole.

In a statement RockYou claimed that they are about to advise all users of the intrusion. 

Ten days after the intrusion, they still haven't advised the compromised accounts?

By the way – the reason everyone is up in arms about this?  The user database records contained (amongst other information) every user's email address and their RockYou password IN PLAIN TEXT!

So, if you were one of the majority of users who tend to use the same password on multiple sites, you now have a big problem.  Worse, the bad guys have a ten-day head start on you.
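As an added illustration, not RockYou's code (the article does not show it), here is the storage pattern whose absence the article is complaining about: each password is stored as a per-user salted, deliberately slow hash, and every query is written with bound parameters, so a copied user table yields neither plain-text passwords nor an injection path. The table layout, the sample accounts and the iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumption: illustrative work factor; use the currently recommended count in production.
PBKDF2_ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way hash: a copied table reveals hashes, not passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def create_store() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a site's back-end database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    return db

def register(db: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)  # fresh per user, so two users with the same password store different hashes
    # Bound parameters (?) keep quotes in user input as data; the SQL text is never built from it.
    db.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))

def login(db: sqlite3.Connection, email: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))  # constant-time comparison

def leaked_table(db: sqlite3.Connection) -> list:
    """Everything an attacker who copies the whole table gets: e-mails, salts and hashes."""
    return db.execute("SELECT email, salt, pw_hash FROM users").fetchall()

def demo() -> bool:
    """Constructed sample accounts; returns True when the stored rows expose no password."""
    db = create_store()
    register(db, "alice@example.com", "correct horse")
    register(db, "o'brien@example.com", "correct horse")  # the apostrophe is handled as data, not SQL
    ok = login(db, "alice@example.com", "correct horse") and login(db, "o'brien@example.com", "correct horse")
    ok = ok and not login(db, "alice@example.com", "wrong password")
    rows = leaked_table(db)
    same_password_differs = rows[0][2] != rows[1][2]  # identical passwords, different salts
    no_cleartext = all(b"correct horse" not in r[2] for r in rows)
    return ok and same_password_differs and no_cleartext

if __name__ == "__main__":
    print("stored rows expose no password:", demo())
```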

So, what does this mean?

They can access pretty much everything you own online!

Knowing your email address, and the likely password for it, criminals would now be able to seek out other sites you are a member of and request a password change.  Bingo, the advice comes back to your compromised mail box.  Job done.

Within your mail box, there is probably plenty of confidential information that would allow criminals to develop a very useful profile of you – possibly even enough for blackmail.

Your address book would also be a very useful addition to spam lists.

iTWire strongly suggests that any RockYou user immediately changes the password on their email account.  Next, they should look through the account for any evidence of password change requests at other sites.  Finally, they need to fan out and change the password at every other site they use.  A different password at each site, right?

If the email address known to RockYou is used for any financial transactions, users should probably consider putting financial blocks in place – re-issue credit cards, request credit monitoring etc.

The only other thing users should do?  They should contact RockYou and express their EXTREME displeasure with the fact that passwords were stored in plain text.






David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.
