Pizza, passwords and octopus!

I've been meaning to post this for a little while, ever since I read about the data breach that occurred 'across the ditch' at the popular 'Hell Pizza'.

The cause of the breach was some spectacularly bad development work that had the Flash front-end making effectively unrestricted SQL calls to the back-end database. The database contained customer name and address details, their order history and their unencrypted password for the site.
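As an added illustration of the two flaws just described (this is not the site's code; the customer table and its rows are constructed), here is a back-end that executes whatever SQL the client sends, beside a hardened login that runs one fixed, parameterised query and stores only salted password hashes:

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample data standing in for the pizza site's customer table.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "12 Example St", "hunter2"),
    ("bob@example.com", "34 Sample Rd", "letmein"),
]
ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware allows

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256: a dump of this column does not reveal the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    expected = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(expected.hex(), digest_hex)

def build_db(plaintext: bool) -> sqlite3.Connection:
    """Build the table as the breached site did (plaintext passwords) or with hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, address TEXT, password TEXT)")
    for email, address, pw in SAMPLE_CUSTOMERS:
        conn.execute("INSERT INTO customers VALUES (?, ?, ?)",
                     (email, address, pw if plaintext else hash_password(pw)))
    return conn

def breached_design(conn: sqlite3.Connection, sql_from_client: str) -> list:
    """The flaw from the post: the back-end runs whatever SQL the front-end hands it."""
    return conn.execute(sql_from_client).fetchall()

def hardened_login(conn: sqlite3.Connection, email: str, password: str) -> Optional[str]:
    """One fixed, parameterised query; reads only the caller's row, returns only the address."""
    row = conn.execute("SELECT address, password FROM customers WHERE email = ?", (email,)).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None
    return row[0]
```

With the plaintext table, a single client-chosen statement returns every password; with the hardened table, even that same dump yields only hashes.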

But it's only a pizza website? Who cares!

The problem is that many people use the same password (or a variation thereof) on a wide variety of websites, pizza websites included. When the pizza website gets hacked for usernames, email addresses and passwords, you can bet that someone will try to use those same credentials (or a variation) against other sites, such as webmail, social networking and internet banking. That 'lowly' pizza website and its abysmal security may have just trumped your higher-security internet banking or webmail site.

It's the same old problem we always have with passwords, that people simply have to remember too many passwords. A Microsoft study [pdf] from back in 2007 found that: "the average user has 6.5 passwords, each of which is shared across 3.9 different sites. Each user has about 25 accounts that require passwords, and types an average of 8 passwords per day".
From informal discussions I've had with friends and family, I'm surprised the number is 6.5 passwords as the feedback I've received is that the number is closer to 3-4 different passwords.

Unfortunately password-based authentication isn't going anywhere anytime soon, so the advice I give to non-IT people (on top of using complex, non-dictionary, unrelated passwords) is to set themselves up with some different 'levels' of passwords.
The bottom level is a 'throwaway' password that you can use for anything that really doesn't matter - your pizza website, one-off registrations to download documents or software or other sites you rarely ever frequent or suspect of low security standards (like internet forums).
The next level of password is for your more frequently used sites with generally better security, like social networking or webmail sites. (While I'd advise to keep social networking and webmail passwords separate, I'm working on the 3-4 password theory...).
The next level of password is your 'online shopping' passwords, such as Amazon or eBay. This is for the types of sites where a password breach could run up a serious bill on your credit cards.
Finally the last password level is your 'high security' password, solely used for internet banking. The important part about the high security password is not only that it is strong, but it is not used anywhere else.

While I admit the above is far from perfect, neither are passwords or people! At least by following that advice your average internet user might be somewhat better protected than by using the same password everywhere...

Onto another tasty subject, octopus! (in fact octopi! Or is it octopuses?)

Octopus #1:
A hacker in Japan has been arrested for releasing a virus that overwrites files on your PC with manga pictures of Octopuses and Squid. The funny part? It's the second time he's been arrested for this. Two years ago he was arrested for the same thing and charged with copyright infringement as he used copyrighted manga images. To show that Mrs Nakatsuji raised no fool, this time he used images he drew himself so he couldn't be charged with copyright infringement again! While I hope Japan has revised their computer crime laws since his first arrest, you have to admire his logic!

Octopus #2: The Octopus card is a common smart payment card in use in Hong Kong that is used in the MTR subway, convenience stores and fast food restaurants like McDonalds. Everyone I know in Hong Kong has one, and as a frequent visitor over there I have one in my wallet right now. Well it seems that the card issuer had sold the personal data of nearly 2 million customers to six business partners for HK$44 million over the past four years, the exposure of which has led to the resignation of their Chief Executive. For all the good work we security people may do in protecting our corporate data from the 'bad guys', it is all for nought if the bad guys are in the boardroom....

Now all this talk of Octopus and pizza has made me hungry! I wonder if Hell Pizza deliver to Australia?
