payasugym.com just got hacked.

[deleted]

MD5, and presumably unsalted too if it's cracked, in 2016. It should be criminal to do this as soon as you store confidential information.

u/SFHalfling

MD5 has only been known as broken for the best part of 3 decades, hardly enough time for anyone to switch.

MD5 is not understood to be weak or broken as researchers say, to be clear. The issue is that the algorithm is highly efficient and therefore brute forcing it, especially with modern hardware, is fast.

u/rcxdude

There have been MD5 collisions found. Most security researchers will recommend deprecating a hash algorithm if there's even a hint this could be possible in the next decade.

In fairness, finding a collision is a different thing from finding your password.

There's only a finite number of hashes - 4 billion or so if I remember rightly. So yes, there will be collisions. But the chances of two slightly different documents/data streams having the same hash is minuscule! It'd be winning the jackpot every week for a month.

u/rcxdude

For cryptographic hashes, there are far far more possible hashes (significantly more than there are atoms in the universe; a modern PC can enumerate 4 billion things in seconds). So while there are in principle collisions, the expected chance of any collision occurring among all the hashes ever calculated using the algorithm is far far less than everyone on earth winning the lottery on the same day. So if a collision is found it's virtually certain that there's a weakness in the algorithm.
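To put the exchange above in numbers (an added illustration, not part of the thread): for an $h$-bit hash and $n$ distinct inputs, the birthday bound gives

$$
P(\text{collision}) \approx 1 - e^{-n(n-1)/2^{h+1}} \approx \frac{n^2}{2^{h+1}}
$$

MD5 has $h = 128$; the "4 billion" figure is $2^{32}$, the output space of a 32-bit value, not of MD5. Taking $n = 2^{32}$ inputs, the amount a PC enumerates in seconds:

$$
P \approx \frac{2^{64}}{2^{129}} = 2^{-65} \approx 2.7 \times 10^{-20}
$$

and a 50% chance of some collision needs $n \approx 1.18 \cdot 2^{64} \approx 2 \times 10^{19}$ evaluations. The MD5 collisions announced by Wang and Yu in 2004 took vastly less work than $2^{64}$, which is exactly what distinguishes a structural weakness from bad luck.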

u/urqy

I learned to code a while ago and used MD5s for passwords, but I knew about salts. I would encrypt (my unique)+username=salt. Marginally more secure.

These days, just use the google or facebook APIs. Way easier and more secure.

u/dustofnations

MD5 is so weak (for security purposes) that salting doesn't help a whole lot. Something like hashcat will likely break most of the passwords in an astonishingly short time.

It's preferable to use bcrypt, scrypt, pbkdf2 or some standardised function instead of rolling your own.

u/urqy

It's been about ten years since I did anything that needed any security (even then, it was a shitty online game) so I don't care from a dev perspective right now.

I agree though. I think back then it was almost security through obscurity.

I like two-factor. Is there any inherent weakness in this system?

u/dustofnations

I like two-factor. Is there any inherent weakness in this system?

If implemented properly, it should be better than just a password.

For instance your multi factors might be a combination of something you know (password) and something you hold (token generator). It's generally more difficult for an adversary to breach both of those factors.

However, in practice it can be less than perfect because the token generator might be on the victim's phone or via a token sent by email or SMS, which are vulnerable to social engineering attacks on the victim's phone. Seizing control of the user's accounts in this way potentially allows them to obtain all of the factors - especially if it's sent by SMS, email or allows reset.

This has happened to a number of YouTubers.

2FA does generally raise the effort barrier quite substantially, though.

At any rate, it is a tangential problem to passwords being hashed and stored in an unsuitable way.

u/kerbals_must_die

If it's good enough for Yahoo, it's good enough for anybody

Source: Elite hax0r Security Expert

u/wedontlikespaces

Can someone with l33t sklz explain why the hell yahoo even exists? I mean who uses them and for what?

Apparently I have an account, I don't remember setting it up and I want to know why.

They owned a bit of alibaba. Also shit business can make money.

Ask.com, previously Ask Jeeves, makes $350 million a year.

That piece of shit.

u/JamieA350

A lot of ISP-provided emails are tied to Yahoo. Yahoo also own[ed?] Tumblr, which is pretty big.

The problem with Tumblr is that for some reason a huge part of its user base are people with very niche pornography tastes. So while it is a big and popular site, they can't monetize it properly without pissing off the users.

u/mark90909

Erm.. if I was to swap my emails. Just hypothetical of course... where would be the best place to go?

u/KvalitetstidEnsam

Tutanota. Just don't lose that password.

[deleted]

Use one of the providers listed here -

https://www.privacytools.io/#email

u/kerbals_must_die

They own shares in Alibaba, which is pretty huge in China. Their other business operations actually have a negative market value (last time I checked).

u/BraveSirRobin

It should be criminal to do this as soon as you store confidential information.

It may already be in some of these cases. Besides separate laws and regulations for certain industries like healthcare & financial, the DPA carries provisions for limiting access:

(7). Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

http://www.legislation.gov.uk/ukpga/1998/29/schedule/1

The difficulty would be getting a court to state that MD5 is criminally negligent.

[deleted]

Comment deleted by user

Fucking cloud. It's just fucking software running on computers you don't own.

u/TheScapeQuest

It's a lot more resource friendly than buying a physical server. Plus I'd trust Amazon security engineers over someone a start-up could afford.

u/00DEADBEEF

AFAIK, Amazon AWS isn't managed and you're responsible for the security of the instances you rent.


Move fast and give no fucks about user-security, it seems.

The quote given from the CEO is textbook Idiot Who Knows a Few Buzzwords Syndrome.

u/zensualty

the dreaded """downtime"""


A report by the investment database CB Insights found that it used to cost £3.3 million to launch a small business in 2000. By 2011, that figure was £3,200. Jamie Ward, CEO of PayasUgym, says: “The key to start-ups is scaling fast, so removing blockers to achieve that is critical. Cloud-based solutions have allowed us to ramp up seamlessly and deal with seasonal peaks without fear of the dreaded “downtime”. Other cloud-based solutions we use mean my team can work, collaborate, share and communicate, whether they are 5ft or 1,000 miles from each other.”

lol I love how "Online tools" now are called "cloud"

There are a few specific definitions of "cloud" infrastructure, and the majority of them don't conform to it.

u/smargh

For people who don't use it and wondered WTF it was... "pay as you gym"

https://www.databreaches.net/hacker-claims-to-have-305000-payasugym-customers-data-up-for-sale/

I honestly don't see how the ICO can deal with these sorts of things in the long term. They're just going to get more frequent and bigger. There's no such thing as a secure site nowadays - everything will eventually be hacked at some point.

  1. Vendors should have easy to access & responsive security contacts. This sort of thing should be required by EU/USA/UK law and governments are being very slow. Unfortunately it's also in the interests of every government to actually not promote good security practices, because it helps their intelligence services :(

  2. Bug bounty programmes are rather good. TalkTalk, payasugym + others might not have happened if they did #1 and a decent bug bounty reward programme.


I work in sec (pentester, I break stuff :) ) so I can offer a little insight.

  1. Vendors should have easy to access & responsive security contacts.

They do, there's nothing stopping any company buying security or assurance services, however we're not cheap because it's a highly skilled field and there's not a ton of people that can do it.

Unfortunately it's also in the interests of every government to actually not promote good security practices, because it helps their intelligence services :(

Is actually bull. CESG and GCHQ do release information available to the public on good security practices and accredited security software.

The reason a lot of companies fail is because their culture is wrong. They'd much rather not spend the money in the first place because "If it ain't broke don't fix it". It's quite difficult to see the objective monetary value of good security, therefore they think it's better to be reactive than proactive, which is arse backwards with data integrity because once you're hacked it's too late.

Computing Security in general is not about keeping monolithic state actors out. It's about deterring the 17 year old running a prebuilt SQL injection tool in his bedroom.

Similar to securing a house, you proactively put a lock on the door and close the windows when you leave. You're not expecting to repel the British army, you're deterring an opportunist who will just move along and try the next house. If someone is hellbent on getting in they're going to get in, but it's a bit late to think about getting a lock for your door and not leaving your windows open when someone's nicked your TV.

u/rtuck99

Well looking at the article, these guys evidently did not. If you are operating an online service, having a competent and available security team should be considered an essential business requirement.

It's pretty inexcusable not to respond to clear evidence of a security breach in a timely fashion.

u/smargh

CESG and GCHQ do release information available to the public on good security practices and accredited security software.

Yep. There is a lot more that they could do though, and they are limited by their ultimate priorities: they need to be able to gain access to anything whenever necessary, and they need to gather all possible useful information, all while keeping their capabilities secret. So, they're currently limited to just publishing guidance documents without doing much in terms of liaising with large companies, but obviously there does seem to be quite a bit more activity in this area over the past few years, so maybe it will get a lot better.

There is a good chance that they (or NSA etc) would have seen the PAUG exploit happen, and they would almost certainly have the desire & capability to archive the data being taken, possibly all in real-time. They probably didn't contact PAUG for various reasons (mainly capability disclosure, and this being low priority), and clearly they didn't corrupt or block the transfers being done by the people who now have the data.

So, now the PAUG data is public. And - AFAIK?? - there is no law dictating how or when all the individuals affected should be informed. There is also no means for the Government to do this on behalf of hacked companies. If reporting were mandatory, then it would help in many ways.

I think eventually there might be a public service offered by one of the major intelligence agencies - submit your public APIs & pages etc to their system, and they will try a Nessus-style suite of tests, using data gathered from real-life observed attacks, but excluding any that they need to keep for their own use.

( ^ bit of a wall of text, sorry)

Yep. There is a lot more that they could do though, and they are limited by their ultimate priorities: they need to be able to gain access to anything whenever necessary, and they need to gather all possible useful information, all while keeping their capabilities secret.

That's fundamentally paradoxical, though. What, they'll ring up the CTO of a major firm and say "Hi, it's GCHQ. We've got this super-cool 0day we saw someone using against you"?

So, they're currently limited to just publishing guidance documents without doing much in terms of liaising with large companies, but obviously there does seem to be quite a bit more activity in this area over the past few years, so maybe it will get a lot better.

I recall some official (could have been the NSA or GCHQ) once saying along the lines of "if you're a business hit by a cyber-attack, contact us. We can help. We're not the SEC."

[deleted]

Comment deleted by user

I've reported loads of vulnerabilities to companies, and got legal threats as a response.

I don't care about the bounties, if you want to pay me, that's nice. But don't fucking threaten to get your lawyers on me.

u/smargh

True. Some researchers are happy for just a mention on a "thanks" page so that they can pad their CVs, or even just a bit of swag (free gym!). It doesn't necessarily take long to look for the basic but serious problems.

Except that this hacker wasn't looking for that much money, and would have showed them the problem and how to fix it. Could you consider it "extortion?" Maybe, but they could have treated it as a reward or bug bounty and then the data would not have been in the wild as they are now.

And keep in mind that their "Terms" made some security assurances that were not supported by the data and screenshots I saw. One database with customer data was on a server that had not had 126 security updates that had been available.

u/TheBeliskner

There's an easy solution to all of this that all startups should be using because they simply don't have the money to secure sites properly.

Passwords: Use oauth from a number of vendors like Facebook and Google. That way if you get hacked the worst thing you lose is a bunch of tokens but no passwords.

Payments: For Christ sake just use PayPal or one of the many other payment gateway providers. You can't lose credit card data if you don't have it.

Minimal data: Only ask for the absolute minimum from users to cover your business needs. You no longer need anything other than their email address. Want to text them, query the oauth provider, get their number, send the message and immediately forget it again.

u/00DEADBEEF

Passwords: Use oauth from a number of vendors like Facebook and Google. That way if you get hacked the worst thing you lose is a bunch of tokens but no passwords.

Or from the other point of view, if one user's Facebook account gets hacked, then the hacker has access to all of the sites and services they connected with.

Local authentication is better if you can trust users to use a unique password for your site.

Logging in with Facebook is no better than using the same password for everything.

Fuck your site if it forces me to connect with Facebook/Google or whatever. I'm going elsewhere.

u/michaelisnotginger

Why are people using MD5 FFS

u/KvalitetstidEnsam

Stupidity.

[deleted]

Comment deleted by user

If a hacker is tweeting to your Twitter team to alert them and emailing your company, I don't think it's smart incident response to just ignore them. They also failed to respond to two notifications and inquiries I had sent them. I wanted to withhold publication until they secured their system, but they didn't even acknowledge the problem or my courtesy in trying to alert them.

[deleted]

Comment deleted by user

You're welcome!

u/Mithious

Founded 2009.

When I had to make a new product for our small company earlier than this I had to do the security despite knowing bugger all about it. It took me about 2 hours to research everything I needed to know about how to store passwords securely. (edit: two hours regarding the password, additional time for other security concerns)

This shit really isn't difficult, the level of "no fucks given" needed to be using MD5 in 2009 is astonishing. Heck, SHA-1, while not recommended anymore, was published in 1995.

u/a5myth

You went from bugger all to knowing how to securely implement a passworded website in two hours?

While I agree that you can learn what to do in two hours, and what the code would be in a particular language, I don't agree that someone can know enough to run a website securely in two hours.

There are big fat books about the basics of security that would take days to absorb.

This is not a personal attack towards you for what you said, but in general people think they know about website security and then go ahead and make these types of websites, and then they get hacked.

Security in general is a big subject that can be learned in two hours in this day and age.

What you can do in 2 hours (if you already have solid background knowledge) is go from knowing nothing about how to securely store passwords, to having as good idea which COTS or FOSS package to do this you should look into using and roughly why.

u/a5myth

The point i'm trying to make is that you don't STORE the password. You store the encrypted hash, which gets compared by user input, no one or no system should know the password.

True, which is why I would suggest going with a well known and respected OTS solution rather than developing your own. A lot of very smart people have spent decades thinking about these problems, so go with that.

u/a5myth

Exactly. A web framework like Django should do well enough for most beginners (assuming the back end is Python based). Baking your own solution is not recommended as web security is a huge subject.

Plus, why re-invent the wheel. Follow a DRY principle.


You went from bugger all to knowing how to securely implement a passworded website in two hours?

Seriously, these flaws are amateur-level shit you'd laugh at a teenager for fucking up, let alone someone who calls themselves a web developer.

u/Mithious

I didn't say anything about taking 2 hours to secure an entire website.

I was talking specifically about how to securely store a password.

u/a5myth

Ok, so out of curiosity how would you store a password? This is a typical interview question. So after two hours research you should know this. I'm not attacking you, I am genuinely curious about what you know.

u/Mithious

Most important are:

  1. A secure hashing function, e.g. SHA-256

  2. A per user salt

  3. Some requirements to ensure users pick a secure password

Those are the minimum requirements, pretty much any big hack you read about it seems they have failed on at least one of those.

You can also perform multiple iterations using something like PBKDF2 to increase the length of time it would take someone to do an offline attack, known as "key stretching". Back when I did the research there didn't seem to be a good consensus on whether or not this was essential (very much a "depends on who you ask"). I'd be interested to know if opinion on that has changed since.

This is of course very narrow, and doesn't get into best practices around resetting passwords, security questions, multi-factor authentication, how to secure the database itself, making sure the password never ends up in log files, etc.

u/00DEADBEEF

He said password storage, not total website security.

Most languages and frameworks have distilled this down to two functions you can call that handle all of the hashing, salting, and choosing a work factor for you, using best practices, and even record which algorithm was used so that in the future the same functions will automatically update the stored hashes for you.

So yes it's possible to understand two functions in two hours.
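The three minimum requirements and the PBKDF2 key-stretching point from u/Mithious's list, together with the "two functions that record which algorithm was used and upgrade old hashes" described in this comment, as one added Python example. It is not code from the thread or from PayAsUGym; the storage format, the iteration count and the 12-character minimum are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Current policy for any *new* hash. The iteration count is an assumed,
# illustrative value; tune it so one hash costs a noticeable fraction of a second.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
MIN_PASSWORD_LENGTH = 12


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    Storing the algorithm and work factor next to the digest is what lets
    verify_password() recognise records made under an older policy.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)           # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(stored: str) -> Tuple[str, int, bytes, bytes]:
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    return algorithm, int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record.

    Returns (ok, upgraded): upgraded is a new record under the current policy
    when the old one used fewer iterations, otherwise None. The caller saves
    it, which is how old hashes get upgraded transparently at login.
    """
    algorithm, iterations, salt, expected = _parse(stored)
    if algorithm != ALGORITHM:
        return False, None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: no timing leak on how many bytes matched.
    if not hmac.compare_digest(candidate, expected):
        return False, None
    if iterations < ITERATIONS:
        return True, hash_password(password)
    return True, None


def password_meets_policy(password: str) -> bool:
    """Minimal policy: length only; a real system also rejects known-breached passwords."""
    return len(password) >= MIN_PASSWORD_LENGTH


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```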

u/a5myth

You've oversimplified his reply, although he did say password storage, he didn't seem to mention using a framework nor did he mention that he understands the DRY principle. He researched password storage.

My point is that people shouldn't store the password. You store the encrypted password and compare against it, and secondly that you can use an already baked in function like you mentioned.

So one shouldn't need to research for two hours if he seems competent enough to be asked to implement a website, which is what originally led him to research password storage in the first place. If he knew enough, 10 minutes finding a function(/s), 10 more minutes understanding it, and another 20 mins implementing and unit testing it.

u/00DEADBEEF

You shouldn't store an encrypted password, you should store a salted hash.

u/a5myth

I was trying to be concise.


Official email claims no financial info was breached:

Dear Customer,

I am writing to you to inform you that in the early hours of the morning of Thursday 15 December, one of the company's IT servers was accessed by an unauthorised person. Although we do not hold any financial or credit card information, the unauthorised person could have accessed the e-mail address and password of our customers. Passwords are encrypted when saved in the database, nevertheless I would encourage you to change your password. 

Once alerted, we immediately closed down the breach and informed the Police and the Action Fraud Police, who are investigating the incident further. In addition we have migrated all servers to new servers in consultation with cyber security professionals. 

We take the security of customer information very seriously. Unfortunately cyber attacks are becoming more frequent which is why, as a policy, we do not (and will never) hold financial or credit card details and we insist that all passwords are encrypted when stored. 

Please don't hesitate to get in contact if you have any questions or concerns. 

Have a wonderful Christmas and happy New Year. 

Kind Regards 

Jamie Ward & PayAsUGym Team

[deleted]

Comment deleted by user

Is that redacted? Or is it the case that they only had partial numbers in their database?

And if it is partial numbers how useful are they?

And if it is partial numbers how useful are they?

Depends what you're trying to do, really.

Purchase fraud? The algorithms will probably catch it. You've got name, address and five digits to guess (six, minus Luhn). But a million monkeys, a million typewriters - someone will get a hit.

Though the Luhn point is kind of interesting - I haven't slept in a couple of days so I'm not really in a state to do the maths, but does knowing the check digit make calculating the middle digits any easier than a simple tenfold reduction?

Identity theft? Well, the above, plus looks like unsalted MD5 passwords (lol rainbow tables), how often you get asked the last four digits of your card number, plus your mobile number?

Yeah, this company's dead in the water now.

If you're a customer cancel your card. If you use the same email address and password anywhere else, change it.

u/dlrose

TBH pay as you gym was dead in the water long before this, it was just less obvious.

Every single time I used their site I found quite bad problems.

Things like adding percentage discounts (ie, 30% off sale + 50% off voucher = 80% off).

Floating point issues when charging for a 5 pack purchase such that I was charged 1p extra and then was left with 1p credit.

A badly crafted promo with Quidco that meant I got £6 back on a £4 purchase

Prices changing higher when you put an item in your basket

I just checked their funding history.

Those fuckwits actually managed to convince people to lend them SEVEN. MILLION. QUID.
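The pricing bugs described in this comment (summed percentage discounts, float arithmetic on pounds, and a cashback promo paying out more than the purchase) beside the corrected handling, as an added Python example that is not taken from the thread or from PayAsUGym's code. The £19.99 unit price is a constructed sample value; the 30% + 50% pair and the £6 on £4 case are the comment's own.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import Iterable

# Money is handled as whole pence (int) or as Decimal, never as a float.
# The "broken" functions reproduce the behaviour described in the comment.


def stack_discounts_additive(price_pence: int, percents: Iterable[int]) -> int:
    """Broken rule: percentages are summed, so 30% off + 50% off = 80% off,
    and a sum over 100 even yields a negative price."""
    total_off = sum(percents)
    return price_pence * (100 - total_off) // 100


def stack_discounts_multiplicative(price_pence: int, percents: Iterable[int]) -> int:
    """Fixed rule: each discount applies to the already-reduced price
    (30% then 50% = 65% off), so the result can never drop below zero."""
    remaining = Decimal(price_pence)
    for pct in percents:
        if not 0 <= pct <= 100:
            raise ValueError(f"discount out of range: {pct}")
        remaining = remaining * (100 - pct) / 100
    # Round to a whole penny only once, at the very end.
    return int(remaining.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def float_total_pence(unit_price_pounds: float, quantity: int) -> int:
    """Broken: float arithmetic on pounds, then truncation to pence.
    19.99 * 5 is 99.94999999999999 in binary floating point, so the
    customer is charged a penny less (with other prices, a penny more)."""
    return int(unit_price_pounds * quantity * 100)


def decimal_total_pence(unit_price_pounds: str, quantity: int) -> int:
    """Fixed: parse the price as Decimal from its string form and quantize."""
    total = Decimal(unit_price_pounds) * quantity * 100
    return int(total.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def cashback_pence(purchase_pence: int, promised_cashback_pence: int) -> int:
    """A promo must never pay out more than was paid in."""
    return min(purchase_pence, promised_cashback_pence)


if __name__ == "__main__":
    print(stack_discounts_additive(1000, [30, 50]), stack_discounts_multiplicative(1000, [30, 50]))
    print(float_total_pence(19.99, 5), decimal_total_pence("19.99", 5))
    print(cashback_pence(400, 600))
```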


I saw the database with the credit card info. It indicated the type of credit or debit card and a partial number.

u/tostilocos

Storing partial card numbers to let your users know which card you have on file is pretty common, although usually it's just the last 4. This doesn't necessarily mean the attackers have access to usable card numbers.

u/spy_cj

Replace debit card/google email? I forgot which account I used..

u/mattisgod

Check your emails for which email account you used. I just changed my google password for mine just in case I used the same password. I had already closed the bank account I paid with too, so hopefully that info's worthless to them. I guess I just need to warn my emergency contact about any suspicious calls. As another comment said, how does this happen in 2016?

[deleted]

Comment deleted by user

TheRapist.com ? ... ExpertSEXchange.com? lol :)

[deleted]

Was this part of the QuinStreet group that I was notified about in a haveibeenpwned alert today?

[deleted]

Pa-yasu-gym sounds like a Pokémon.

10/10 would not use any service with a domain like that lol