Linked by Thom Holwerda on Fri 17th Jun 2011 18:49 UTC
Privacy, Security, Encryption Oh boy, what do we make of this? We haven't paid that much attention to the whole thing as of yet, but with a recent public statement on why they do what they do, I think it's about time to address this thing. Yes, Lulz Security, the hacking group (or whatever they are) that's been causing quite a bit of amok on the web lately.
Thread beginning with comment 477703
...
by Hiev on Sat 18th Jun 2011 15:13 UTC
Hiev
Member since:
2005-09-27

Hey LulzSec, I dare you to hack OSNews, I bet you can't.

Reply Score: 2

RE: ...
by Tuishimi on Sat 18th Jun 2011 16:53 in reply to "..."
Tuishimi Member since:
2005-07-06

Ha ha! Good one! ;)

Reply Parent Score: 2

RE: ...
by Thom_Holwerda on Sat 18th Jun 2011 17:10 in reply to "..."
Thom_Holwerda Member since:
2005-06-29

"Hey LulzSec, I dare you to hack OSNews, I bet you can't."

Well, in all honesty - I did check with the team if our passwords (and yours) are all properly secured. I don't want to dive into specifics, but suffice it to say they are all properly encrypted ;) .

Edited 2011-06-18 17:12 UTC

Reply Parent Score: 1

RE[2]: ...
by Alfman on Sat 18th Jun 2011 19:42 in reply to "RE: ..."
Alfman Member since:
2011-01-28

Thom Holwerda,

"Well, in all honesty - I did check with the team if our passwords (and yours) are all properly secured. I don't want to dive into specifics,"

Ah, security by obscurity then. (just kidding Thom)

" but suffice it to say they are all properly encrypted ;) ."

Well, not exactly, since it's over plain HTTP.

If hackers did get in, they could alter anything in the database. They could install keyloggers or modify the hashing function such that they are able to decrypt passwords easily.

Am I right in thinking it's extremely unlikely that you'd notice?

Even a single XSS vulnerability would give an attacker the opportunity to steal your credentials if you follow a malicious link.

If you were a high profile target, it'd probably be worth hiring someone else to do penetration testing, which most companies fail to do.

Many companies around here don't even want to pay to fix known vulnerabilities. Like Sony, a theoretical attack vector isn't important until it has been actively exploited.

Reply Parent Score: 3

RE[2]: ...
by Alfman on Sat 18th Jun 2011 20:31 in reply to "RE: ..."
Alfman Member since:
2011-01-28

Thom Holwerda,

Another point to make is that by allowing third parties to execute code on your web pages, you've implicitly given them access to our credentials as well.

For example, your pages are running scripts from google adsense, google analytics and quantcast. Any one of these could target osnews users if they wanted to and capture credentials without even touching anything on the site.

I'm often a little surprised how little this bothers people.

Reply Parent Score: 3

RE[2]: ...
by Soulbender on Sun 19th Jun 2011 19:06 in reply to "RE: ..."
Soulbender Member since:
2005-08-18

"but suffice it to say they are all properly encrypted"

I certainly hope you mean hashed, rather than encrypted.

Reply Parent Score: 2