So, you’d think after all of the recent attacks against high-profile companies, including various database breaches of government departments (even the CIA!) and IT security companies, that people would learn how to do some of the security basics correctly. There’s some REALLY simple things that any company can do to help protect its users, but so many organisations are still not doing them!
IceTV is a provider of TV Electronic Program Guide (EPG) data in Australia, and I signed up years ago to try their services, but never ended up paying the monthly subscription fees. I’ve recently started receiving SPAM at an email address I’ve only ever provided to IceTV, so it’s fairly safe to say that their customer database has been hacked. The first thing I did when I realised they’d been hacked was to notify IceTV. So far, I’ve received an email stating “We take the security of our customer’s information very seriously.”
So, let’s test IceTV’s claim… do they take security seriously? My three pet security peeves for any organisation that stores my data are:
- Storing my information insecurely, particularly passwords
- Sending sensitive information in insecure ways (non-SSL, email, etc.)
- Not giving me reasonable ways to protect my own data
1. Store customer information in the clear
So, I went to IceTV to try and log in and see what information they had about me. It’s been years, so I didn’t remember my password. That’s ok, they have a nice helpful password reminder option. Wait a minute… reminder? Don’t you mean, “reset”? Nope! They’ll simply tell you your password if you ask nicely.
But, don’t worry. Take a look at the tiny warning they give you – “Note: Member ID & password sent in plain text“. IceTV – why do you even KNOW my password?
Come on, IceTV! Haven’t you heard of hashing?
2. Send sensitive information insecurely
Storing passwords in plain text is bad enough, but then sending them via email? Strike number two, IceTV.
The email they send me helpfully says “Please use the following Member ID and Password to access IceTV’s services”, and then provides the password I used to sign up all those years ago.
3. Don’t allow users to have secure passwords.
Alright, so I’ve figured out my password to IceTV (and so have the hackers, most likely), and while not a major concern, I did create this account back in a time when I wasn’t particularly good at making secure, unique passwords. IceTV had a password of mine that I had dedicated for “low risk” websites, but had still used for many other websites I’d also deemed to be “low risk”.
I now use LastPass to create and store my passwords, so I fired up the password generator, and created a nice secure password with upper and lowercase characters, digits and special characters.
Of course, I should have guessed. If IceTV aren’t hashing passwords, then they probably would have difficulty storing certain special characters. Trying to run something like:
INSERT INTO users (username, password) values ('myusername','mY;p@ssw'ord');
might send their SQL server into meltdown. Perhaps I should have tried a password containing “; drop table users;” just to see what happened?
Well, I was nice, and didn’t try to get up to any mischief. I simply generated a new password without special characters. Seriously, though, there is NO reason to prevent a user from selecting a good, secure password. If the password is hashed correctly (and, preferably salted), then all you’ll be storing in your database is a string of numbers and letters.
Did IceTV pass?
In a word, no. In two words, hell no! Protecting a website from vulnerabilities which may allow an attacker access to customer data is, admittedly, difficult. Even big IT security companies get hacked, and they (we would assume) actually do take security seriously, and should have some idea how to do it right. Good security doesn’t just happen, it takes time and effort, and most importantly requires a particular mindset. If your developers are only thinking about getting things to work, or aren’t given time to consider security, then I can almost guarantee that it’s just not happening.
I suppose it really should be no surprise, then, that IceTV’s customer database got hacked in the first place. Good thing they never had my credit card number…