UK Gadget and Tech News, Reviews and Shopping

How safe is safe? The Monster breach and You

The recent attack on the Kaspersky website has been a bit of a concern. If a security company like Kaspersky is open to SQL injection vulnerabilities, then can any company be trusted? Certainly the latest breach of security at Monster.com has given us further cause for concern.

Can we know if our details are safe on servers miles away? I would argue that we can’t. Computer systems are never going to be 100% secure, partly due to user error, partly due to administrative error, and partly due to holes in the code.

User error could be the notorious bad password. People still use the simplest of passwords if they can get away with it: pets’ names, words like “password” and so on. This is less of an issue with many websites today enforcing a minimum complexity requirement. However, the more complex the password, the more people tend to write it down, which brings with it its own set of problems.

Administrative error is also something to think about. For example, I was talking to a systems architect for a large company about patching. He was telling me that patching the hundreds of servers he had required a lot of rebooting, and to avoid any downtime, you need to reboot each server in turn and make sure the change control has been updated and the server has come back up. The overhead meant that rolling out a simple patch could take months, and a service pack, well, heaven help us!

This then brings me to the reason why we patch: holes in the code that allow attackers to steal our private data. Patch Tuesday is a case in point that even the mighty Microsoft cannot avoid insecure code. It is not anybody’s fault; nobody wants to write bad code, but the resources are simply not there to test all the code in all the ways that it could be exploited. Even if they had more people, the time it would take would mean they would never release another OS.

Of course it’s not all bad news: as far as we can tell, no major banks have suffered a breach from an external attack on their computer systems. It’s more likely that staff on the inside leak data. So what can we do about it? Simply be careful. As you can never truly trust another computer attached to the net, try to leave as little data there as possible. For example, some sites allow you to put in your card details for the one transaction only, and most refer you to your bank for verification that you are who you claim to be. Use complex passwords with upper case and lower case letters and some form of symbol. I would even go so far as to say people should start to think in terms of pass phrases. Try not to leave personal data accessible on personal networking sites.

With a few simple steps you can certainly limit your exposure to security breaches, and some sensible advice can be found here and here. Lastly, I would like to point out that serious security breaches are few and far between, and this should not stop you enjoying all the net has to offer. Certainly, simply being aware of the problems is half the battle.

One thought on “How safe is safe? The Monster breach and You”

  • Bengaul, it’s really refreshing to have a very techie article on the site. I myself have been looking into security of websites a lot lately and it’s very difficult to create a very secure site, and it’s definitely not cheap, so companies face the dilemma of balancing cost and security.

    I’ve been working with the credit card aspects of systems recently, and for a company to accept credit cards requires them to have a huge amount of security; they should meet PCI compliance or else they accept the cost of card fraud. This does include patching of servers and also PCs etc., so you can understand how expensive such compliance can be.

    As a slight tangent though, what’s really opened my eyes is that computer systems are very very secure but the threats are inside the company. Most of the details sent over a network are encrypted and nearly impossible to view; companies aren’t allowed to store card details after they have been used either, and this is all automated.

    I’ve actually realised it’s more dangerous to pay over the phone to a human than via a computer system. Organisations are allowed to write down card details on paper; now imagine if they got into the wrong hands. I now feel safer paying online.

    I’d highly recommend you use a credit card which protects you against fraud.

    I suppose that it’s important to understand safe surfing, but I do feel that you’re safer online once you know what you’re doing.


An absolute tech junky, I graduated from the University of Manchester with a degree in Computing and now live on the outskirts of Leeds working with you guessed it, Computers. I love all things gadgety but really dislike wires. For those of you who haven’t worked it out the name of the site is a combination of my nickname (Gaj) and the pronunciation ‘Gadget’.