'Hacked' estate agency Foxtons breaks glass, pulls password reset cord Trendy UK estate agency Foxtons pushed the big red password reset button, as a precaution, after it appeared hackers lifted thousands of clients' usernames and passwords from its systems. Miscreants claimed to have leaked online user names, email addresses and passwords of nearly 10,000 Foxtons’ customers, Estate Agent Today …
We asked a Foxtons representative whether the company hashed or salted stored passwords, a basic security practice. The rep declined to comment on any aspects of the incident beyond saying that it may decide to issue a statement at some point.
So basically they got it wrong to begin with and continue on in the same vein.
"The recent spate of high-profile data breaches, such as this alleged attack on Foxtons, are evidence that organisations are either not taking cyber security seriously or are bewildered by the problem"
Anycompany: "How much will this extra security cost?"
IT Dept: "£xxxx"
Anycompany: "And if the worst happens what can we be sued for?"
Lawyer: "Only £xxx"
Anycompany: "Right. Operation 'Heads in the Sand postion'. All for? All against?"
Unless you can prove you can manage it properly. Including NOT STORING PASSWORDS AS CLEARTEXT!
This isn't postgrad-level stuff, this is basic 101 stuff.
This is what you get when the 'business' doesn't want to pay for paranoid, in-house corporate IT to secure their assets but goes to some Shoreditch outsourcing agency. There's a reason why IT departments are not popular, it's because they don't let you get away with spewing 10000 punters (multi-use I'm sure) passwords all over t'web.
Correct.
But it is a guarantee that user's passwords on exposed machines would have been hashed and salted, so the "hack" means next to nothing after exposure and cleanup, as opposed to plain-text which means that people run the risk of having their email and anything else with the same password also attacked. It's also a pretty good indication that a hack is less likely, will have less impact, will be spotted quicker, and be fixed better.
No, I don't use the same password for everything. But equally I don't use a different password for everything either. I have tiers of information that are protected by different passwords - ultra-secure "you can get my money" down to "spam-prone forum" all have different passwords. But I might use the same password on two spam-prone forums. And this is far above and beyond what the average person does with their passwords online, and still I'd be affected (I'm not, because I have no idea who Foxton's are).
If you aren't STORING THE PASSWORD then people can't STEAL THE PASSWORD. A simple rule. And with hashing there is no need to ever store the password at all, whatsoever, in any way. With properly salted hashes, you don't even need to worry about someone brute-forcing simple passwords with well-known hashes. Joe Bloggs doesn't understand this, an IT team will.
Which is why, when people ask me, they are astounded that I have no idea what their passwords are and no way to find them out. Of course, I can reset them to any given value but just from the way that works, they will know I've done that the second they next log in (because their password won't work any more!). I honestly have no idea about the passwords of my users. I get THEM to provide them when necessary (which is rare).
Trouble is that they have at least the London market pretty much sewn up. If you want to rent in London, then you have to be prepared to pretty much accept that you'll be paying Foxton's gouging fees (both as tenant or landlord). They also do nasty tricks like inserting clauses in contracts about changing utility supplies to some expensive outfit they have a deal with. They don't tell the landlord about this, and try to stop you having the clause removed. Advice to anyone using Foxtons, either tenant or landlord - get the contract checked over by a competent solicitor.
Make it a prosecutable offence to develop/maintain/own a website that doesn't perform basic secure password storage techniques. Salt, hash with SHA256+ and add a bit of pepper stored in the file system. Or ideally just use Bcrypt.
Having some sort of legislation to punish those who store the personal data of others insecurely would have been a better use of time and money than that bonkers cookie law which requires people to botch on nasty cookie consent bars onto sites. Just wait until people start getting nasty with the HTML5 browser storage APIs, cookies will seem like a walk in the park.
If you don't know how to store this stuff securely then you're in the wrong industry. The problem is website designers who have zero knowledge of software engineering principles thinking that reading a few PHP tutorials will allow themselves to unlock job title "website developers" and a higher salary. And companies who don't do security audits of code/databases.
in Foxpro
To be honest, if you are targeting a market sector for hacking, Estate Agents would be the one to go for. I have worked in many industry sectors over the years, and can confidently say that *no-one* is tighter than an estate agent.
Their favourite trick was to put a new starter (for some reason they always had a high staff turnover) on a desk with our software and helpesk number, and then let them try and use the helpdesk for free training, having refused to pay for training in the first place.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
