All the latest UK technology news, reviews and analysis
|
|
|
26 Oct 2009
The details of half a million web users could be at risk after hackers used a sophisticated attack to penetrate the security of The Guardian's Jobs web pages.
The newspaper was quick to respond to the breach, and users of the site whose details were thought to have been compromised were emailed with a warning and information about what had happened.
"We have been assured by our provider that the system is now secure and we have identified and contacted everyone who may have been affected," said the company in a security update.
A later statement said that around 500,000 of the site's 10.4 million users could have had their data compromised. The paper added that it had contacted the Information Commissioner's Office, as it should, and is working with Scotland Yard's e-crime unit to resolve the issue.
"The police remain anxious to keep information about the apparent theft to a minimum in order not to compromise their investigations, but did agree with us that we could inform those users who may be affected," read the statement.
"We stress our regret that this breach has occurred. This is apparently a deliberate and sophisticated crime, of which The Guardian is a victim in addition to some of our users."
Patrik Runald, senior manager at security firm Websense, urged users of the jobs site to be cautious about their data for some weeks to come, suggesting that the criminals could use the information to build up a sophisticated social attack over a period of time.
"The bad guys having access to personal information about the target makes it possible to create a very attractive and believable email that will have a high likelihood of tricking the recipient into clicking on a link or running an attachment," he said.
"We advise anyone who has received notification from The Guardian that their personal data has been compromised to take extra care over the next few weeks, both at home and at work."
David Jevans, chief executive at Iron Key and chairman of the Anti-Phishing Working Group, went further, explaining that the hack signalled the death of old methods of online security and paved the way for more secure alternatives.
"The attack on the Guardian Jobs web site demonstrates why the days of a username, email address and password being sufficient to protect your data on the internet are over," he said, adding that two-factor authentication is the best available method for providers and businesses alike.
"We need these protections for online services that are accessed by consumers, and for cloud computing services that companies are beginning to outsource their data services to," he explained.
Latest stories from Security
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Hands on with the highly anticipated Android 4.0 Ice Cream Sandwich hybrid tablet
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
PHP Developers - Fixed Term Contracts (initially 6 months...
Junior Ruby on Rails Developer - London - Permanent...
A Project Manager is required to join a leading Insurance...
CCIE Network Engineer required with fluent Hungarian...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
Vulnerable Applications
Protecting the network, locking down the servers and running regular patch updates only covers part of the problem. Exploiting weaknesses in vulnerable web applications is more often than not an easier attack vector. Application design and development needs to be done with security in mind, following best practice - likewise thorough application security testing is required to ensure the application is secure - it only takes a simple input validation issue to expose the application and backend services to all kinds of attack.
Posted by: Dave Hewson 29 Oct 2009
Tip of the iceberg exposed again
With this breach and the UK branch of Zurich Insurance losing 51,000 customers? details on a backup tape in South Africa, the security industry is taking yet another hammering by the press and each organisation?s customers by failing to adequately protect private records. It?s the tip of the iceberg as to the problem though - we?re more concerned about the number of breaches going unnoticed and unreported! At least these organisations acknowledged the breaches ? many companies don?t even monitor for or can?t detect such losses. Databases are always going to attract security attacks ? especially for identity theft given the type of information they hold. There?s a huge black market out there for personal data - bank account details sell for 5-10% of the account value and credit card data can sell for up to £30 per account. Take this and multiply by the 51,000 records at Zurich or the data for the 0.5 million CV?s at The Guardian, and whoever did this would have a pretty nice payday. It?s widely recognised that 100% prevention of these types of violations is very difficult, but organisations need to be even more vigilant in managing processes and procedures for protecting sensitive data and also monitoring access rights (and keeping on top of it ? a policy is great, but only if you maintain it!). They need to consider threats and attacks from both internal and external threats and protect all data copies, locations and platforms. It should be actionable in real-time to detect, alert and prevent. The need to preserve the confidentiality and integrity of data and monitor privileged user activity is driving CIOs and auditors to re-consider their strategy for database security and impose stringent controls across database systems. It?s critical they implement a workable, secure solution and that they not only act upon it, but that they maintain processes and stay up-to-date with patches and controls. Compliance demands it and the public expect it. Guy Churchward, CEO, LogLogic
Posted by: Guy Churchward, CEO, LogLogic 27 Oct 2009
Learn From Mistakes
Many Companies are falling into the same exploits weakness's in security. This is purely down to the people responsible for the security of the network. Not keeping in the know or updated is the no 1 problem. No system is 100% secure, If someone wants to hack information from your online services they will get with without u even knowing. Most new exploits are posted by hackers on there sites its just a matter of being in the know ;) Jobs sites are now being targeted by euro hacker groups to steal personal info. This is going to happen allot more in the future. Keep vigilant! W2S
Posted by: Dean 26 Oct 2009