A website that helps drivers avoid speeding tickets is warning its 10 million registered users that their email addresses and passwords may be in the hands of hackers who breached the site's security. The advisory was issued on Thursday by Trapster, which boasts more than 10 million users on its front page. The site uses crowd- …
There should be a law that makes storing plaintext passwords illegal and a fine of X * number of accounts.
And, as a contract developer myself, I'd go so far to say that whoever designed and implemented that system should have to help cover the costs (assuming they didn't flag it for the client's attention).
A company should be aware of the security of the data they hold, but developers need to take the responsibility to tell even their bosses if they're endangering sensitive data.
... goes both ways
Yates writes "developers need to take the responsibility to tell even their bosses if they're endangering sensitive data."
Who says they didn't? Then were told by some luddite manager that they'll do it way they say to do it, and if you mention it again you'll be looking for a new job.
Of course, I like the point of view in my development to add in /basic/ things such as this as part of the standard package, and if they specifically request to leave the passwords plaintext, I'll have that written out in the final hand-over documents that we both sign.
Granted, that's just my opinion, but leaving plaintext passwords is tantamount to purposely not putting SQL injection prevention measures.
Is it really that difficult?
"Trapster didn't say whether it planned to begin hashing passwords, which is considered a basic security precaution to prevent their disclosure."
It never ceases to amaze me just how many sites fail to take even basic measures such as hash with salt.
In this day and age.
it beggars belief that anybody would design such a system, and if they came from a more innocent age of the internet not updated it to hash passwords.
It makes you realise how unbelievably naive some of the most popular websites out there are.
It isn't that surprising
Most of these types of sites will have been setup by an enthusiastic amateur, who will probably just install a blog/CMS system with everything left on the default settings.
What is surprising is that these systems might not be set to has the passwords by default, and then not warn the administrators in subsequent updates.
They security needs to be built in by the professionals, so that the end user doesn't need to know or understand it.
Next you'll say...
that it beggers belief that some people have just one email address that they give to all and sundry, and that they use the same login credentials and passwords everywhere too.
(BTW. you are only anonymous until someone hacks into El Reg and finds your details and your posts, or the moderatrix leaks everything to Wikileaks :)
This is the responsibility of the programmers of said site. It shouldn't even have been an option to store peoples' details unencrypted.
It's stupid to believe that 'the general public' would even understand any of this conversation, except for the bit about their password being released onto the interwebs.
Now obviously it would be nice if everyone, everywhere would understand your concerns. But since there is still a huge portion of the world that doesn't - shouldn't it be the developers that protect users from as much of their own ignorance as possible?
silence is deafening
Not too much info to be found on the ACTUAL site... pity.
The only thing I have found is the orphaned webpage referred to in the twitter post.
On the other hand, I still am amazed at how many people still use the same password on sites as their email accounts and then wonder why they are compromised. I just use an email alias that forwards to an unpublished account. This almost ensures that if these breaches happen, I will never have an active email account compromised.
"I will never have an active email account compromised."
1. hack the alias
2. check where it forwards to
3. hack the active account
Why do you need a web site? Is it just a single page with the phrase 'Don't exceed the speed limit you numpty' plastered all over it?
Maybe because speed isn't the problem.
It's inappropriate speed that is the problem, and potentially speed cameras being used for revenue generation and not safety.
10 million users?
Never heard of it.
Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha ...
Couldn't have happened to a nicer group of people
They're playing big boys games in the big boys playground! Act like it!
A lot of these sites start as little hobbies and thus are knocked up on someone's backroom PC. As soon as they start to grow beyond a certain number of users they should start calling in professional coders and security experts to assess if they need to beef up security. Nope, easier to just coast along with your LAMP setup on a couple servers, adding a firewall here and there, some CAPTCHA code, just to try to make a token effort at security.
Where I work, to satisfy the auditors, we have to have regular penetration tests by third-party agencies to ensure our networks are up to spec, why can't these muppets do the same?
indicating the sad fact that some folks
"indicating the sad fact that some folks can't be bothered to use a unique password for different sites."
Hardly, I'm probably registered on 20+ different websites for various reasons. I'll give a medal to anyone that can remember 20 different strong passwords and which one is for each site. I use different passwords for internet banking and anything that really matters. The rest all use the same. Sure, you can save the passwords in your browser but that has it's own security issues, and then you can only login from that PC.
The solution is for websites to use something like OpenID, but I've not come across a single website that uses that yet.
I've got a base password for all websites (excluding banking), which is random, 8 characters, alphanumeric and mixed case. It doesn't take long to remember this, though for a while I could only remember the casing using muscle memory. Bit of a pain for smartphones.
You then create a simple reproducible method of adding characters to the beginning and end of it, eg. Prepend the first two vowels and append the last two consonants:
Base password: bCX6ckKy
Of course you can monkey around with the case, and various other things, but as long as it follows set rules it's a decent method of having the same password for multiple sites, and not obvious to anyone looking at a *single* instance of your password.
Of course, this doesn't work if you decide to use a base password of *MyPassword*.
Portable apps may be worth a look
"You can save the passwords in your browser ... and then you can only login from that PC."
Yup, saw the advisory from Trapster in my inbox, sandwiched between offers of penis extenders and miscellaneous pills.
Given that account rarely gets spam it's not too difficult to guess where they leeched the address from.
Wouldn't it be nice if they could be fined 0.1p for each email/password harvested.
One way encryption...
...without it everyone with access to the database is a leak vector.
An equally big fail...
...is when sites email you a copy of your username and password.
Not a temporary password, that's fair enough, but the 'secure' one you just chose yourself, and which is now stored in the clear in countless email systems between them and you.
Only shows you your server can be penetrated.
Security by design means you expect your web server to get rooted eventually and design the system to not give up any sensitive information if it is. In this case all he needed to do was hash the passwords - what possible reason is their for not doing so?
A bad day is having someone deface your site, a disaster is telling all your customers they should change their passwords and ohone their bank.
Hashing is not enough
Hashing makes cracker's jobs slightly harder. First make a list of unique hashes, then run a dictionary attack, then cross reference the plaintext back to accounts. Chances are that 80% of passwords would be recovered by running a dictionary attack for an hour or two.
Probably need to hash the email (or hash + salt the userid) and hash + salt the password. The user id would become part of the salt for the password.
Hashing not enough
Gawker's problem was they hashed but didn't salt. So user A and Z both used "bob" as their password and the hash was the same. It's trivial to count how many people have the same password by looking for duplicate hashes. It's trivial to run a dictionary attack creating hashcodes and comparing to the hashes in the database. So a cracker would hash "bob" and immediately match against A & Z.
The defence is to make hashcodes unique by throwing in a appending "salt" to the password so they're not the same strings and don't hash the same. So for user A the salt might be "oiubqmnr", for user Z it might be "masddaewr". The hash of "bob-oiubqmnr" and "bob-masddaewr" differ so the hashes don't match. Additionally, the randomized password is now not vulnerable to a dictionary attack.
The problem is the salt should be unique to each user and needs to be predictable. That means it's probably computed from the user's initial email address, ip address or timestamp. So potentially the cracker could still guess or recover it by having access to these values or the source code that calculates the salt.
Why hack this site?
It seems a strange web site to target. Why would hackers want to know who accesses a website that "helps drivers avoid speeding tickets"? ... They could be doing it for another spam email list, but there is another possibility. It could have been a professional hacker hired simply to hack the site to get a list of people who use the site.
After all our Police now consider it a criminal offence to warn motorists of a mobile police speed gun. Therefore a whole website full of people warning motorists, is therefore a mass of people committing what our Police (State) would consider criminal offences. For example: "driver prosecuted for flashing his headlights to warn motorists of a mobile police speed gun"
The Police and the government are definitely building up lists on people they don't charge with any crime (at this point in time ... they hope to find something they can use later, for now its a fishing trip for names and other info). We are seeing more and more examples of this. For example the Domestic Extremist list & The freedom of information requesters list (maintained by GCHQ), so its not much to expect our Police State are now also seeking yet another list of this time people who (in their mind) seek to undermine their law enforcement by their speed cameras which are in effect automated policing systems.
If Trapster has 10 million users then that's potentially 10 million US citizens who also own Amazon accounts, Ebay accounts, PayPal accounts, GMail / Hotmail / Y! mail accounts, Apple store accounts, bank accounts etc. and are dumb enough to use the same password. Once you know their user id and password you can trying plugging the values into other sites. If you get really lucky you can log into their email account and start resetting their passwords and email address for other sites. Once you do that you can engage in a bit of daylight robbery, charging as many things to their account as you can manage.
I think there would be great potential for a Firefox add-on here. An add-on that let's you generate a random throwaway password for any site and optionally also a throwaway email address (e.g. through mailinator).
Should the website users now expect a visit from plod?
It's arguable, although not by me, that the site users could be seen as "obstructing police".
Seems odd that someone who tried to slow down traffic by letting other road users know there was a speed trap was convicted of obstructing the police. Surely the whole point of the speed trap was to slow down traffic in the first place?
Or was it just a revenue generating exercise as many suspect?
Maybe they were hashed -
- but with the hashes and the algorithm, you can dictionary-attack or brute-force the data and discover that the password for Robert Carnegie is either "speedy", or "2(?,aY-/" or something else that produces the same hash value - obviously it's the first. And so then you try to see whether his bank account password is also "speedy", and so on.
$spass=PASSWORD_SALT . $pass;
I, my teeange kids and most of the El Reg readership are available at reasonable rates on consultancy basis.
P.S. This took me less than the time to read about your screwup.
Re: Dear Trapster...
You do realise that as they have access to the databases they could probabily access the files themselves. A salt should be randomised to make it harder to generate tables for that string.
I usually create a salt and put it in the middle of my MD5 strings, or in a seperate column.
Re: Dear Trapster...
That's all very well, but the point of a salt is that it should be different for each user, otherwise all that's needed is a single rainbow table for that single salt.
Which websites are you responsible for again?
why hack this site
With the the state hard up for money any technology that deny them revenue most be stopped so they have hired some professional hackers to deal with problem and put this company out of business.
I went and asked them about it on their blog (politely). Got a bunch of thumbs up too, until they baleeted my comment. Oh well, Waze is better anyway.
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Review Tough Banana Pi: a Raspberry Pi for colour-blind diehards
- Product round-up Ten Mac freeware apps for your new Apple baby
- Analysis Pity the poor Windows developer: The tools for desktop development are in disarray
- Chromecast video on UK, Euro TVs hertz so badly it makes us judder – but Google 'won't fix'