AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Data Security: Formspring Resets 28 Million Passwords After Hashed Password Leak

Following last month's password leaks at LinkedIn, eHarmony, and Last.fm, Formspring, a question-and-answer website, has announced and closed a password leak of its own.  One differentiating factor: unlike the earlier breaches, Formspring at least followed the basic rule of password storage. It salted each password before hashing it.

420,000 Passwords Posted to a Security Forum

As the story goes, Formspring was alerted that a list of its members' password hashes had been posted on a security forum.  Formspring checked, confirmed that the hashes were indeed its own, locked down its systems, and emailed all 28 million users asking them to reset their passwords.  Furthermore, it announced that

We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database....  We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to bcrypt to fortify security. [formspring.me]

There will be people who complain that this was terrible security: a development server should never have been able to reach the core production database.  Such criticism is not beyond the pale.

Password Security: Formspring Did Things Right

At the same time, the criticism misses the point.  The reason you need security in layers is that you never know how, when, or why you will suffer a data breach, whether because you failed or someone else did, inside your organization or outside it.  Salting and hashing is the layer that still holds once the network layer has failed, which is exactly what happened here.

So, despite what looks to some like an idiotic data breach, I think some congratulations are in order for Formspring.  We have, after all, seen cases where companies whose entire worth revolves around online data security treat it as an afterthought, at least in practice.

Plus, unlike sites that used weak algorithms like MD5, Formspring used SHA-2 (specifically, SHA-256).  SHA-2 is currently considered strong as a hash function, with no known practical attack against it.  But being a strong hash is not the same as being the right tool for password storage, and bcrypt is not a competing general-purpose hash: it is a password-hashing function designed to be deliberately slow, with a work factor that can be raised as hardware gets faster.

The main criticism of SHA-2 for this use is that, just like SHA-1 and MD5, it is "fast": one password guess costs one hash computation, so every gain in raw computing power (and every GPU) lets an attacker holding the leaked hashes try more candidate passwords per second.  The random salt defeats precomputed tables and forces the attacker to work on each user separately, but it does nothing to slow down each individual guess.

So, the fact that Formspring decided to switch to a hash designed for this purpose, even though its current one was not broken, speaks volumes about its security stance.  Unlike others who have fixed the barn after the horses escaped, Formspring has in essence fixed the barn while its horses escaped...to the adjoining barn.
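To make the difference between the two schemes in Formspring's statement concrete, here is an added example (not Formspring's code) that stores and verifies a password with salted SHA-256, does the same with a deliberately slow, tunable hash, and runs the same offline dictionary attack against both leaked records. bcrypt itself is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib, which shares the slow-and-tunable property that matters here, stands in for it; the iteration count, the sample record, and the wordlist are constructed for illustration.

```python
"""Salted SHA-256 (what Formspring had) next to a slow, tunable password hash
(the property Formspring gained by moving to bcrypt).

Added example, not Formspring's code. PBKDF2-HMAC-SHA256 is used in place of
bcrypt because it ships with Python; the point demonstrated is cost per guess.
"""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed value for illustration; real deployments tune this to their
# hardware budget and raise it over time, as bcrypt's work factor is raised.
PBKDF2_ITERATIONS = 100_000


def hash_sha256_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One fast SHA-256 over salt||password: unique per user, but cheap to guess."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest


def hash_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Slow, tunable hash: every guess costs the attacker `iterations` HMAC calls."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(candidate: str, salt: bytes, stored: bytes, hash_fn) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_fn(candidate, salt)
    return hmac.compare_digest(digest, stored)


def dictionary_attack(salt: bytes, stored: bytes, wordlist, hash_fn):
    """Offline attack on one leaked record: returns (password or None, guesses tried).

    The salt does not stop this; it only defeats precomputed tables and forces
    one hash_fn run per (user, guess) pair. Only the cost of hash_fn slows it.
    """
    for i, guess in enumerate(wordlist, start=1):
        if verify(guess, salt, stored, hash_fn):
            return guess, i
    return None, len(wordlist)


def guesses_per_second(hash_fn, seconds: float = 0.5) -> float:
    """Rough single-core guess rate for hash_fn (timing only, machine dependent)."""
    salt = os.urandom(16)
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("password%d" % n, salt)
        n += 1
    return n / (time.perf_counter() - start)


# Constructed sample wordlist for the attack (not real leaked data).
WORDLIST = ["123456", "password", "letmein", "qwerty", "formspring1"]

if __name__ == "__main__":
    for name, fn in (("salted SHA-256", hash_sha256_salted), ("PBKDF2 (slow)", hash_pbkdf2)):
        salt, stored = fn("letmein")            # the record an attacker would steal
        found, tried = dictionary_attack(salt, stored, WORDLIST, fn)
        rate = guesses_per_second(fn)
        print(f"{name:15s} cracked={found!r} after {tried} guesses; ~{rate:,.0f} guesses/s")
```

Both records fall to the same five-word list, because a salt only makes the attacker work per user; what differs is the printed guess rate, which is several orders of magnitude lower for the slow hash on the same hardware. That ratio, not the strength of SHA-256 as a hash, is what the switch to bcrypt buys.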


Related Articles and Sites:
http://news.cnet.com/8301-1009_3-57469944-83/formspring-disables-user-passwords-in-security-breach/
http://www.databreaches.net/?p=24715
http://www.theage.com.au/digital-life/consumer-security/formspring-resets-28m-passwords-after-breach-20120711-21vjl.html

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.