BreachExchange mailing list archives

Re: [Dataloss] Porn site coders expose user info of millions


From: "Al" <macwheel99 () wowway com>
Date: Wed, 22 Feb 2012 20:34:47 -0600

A careless programmer is one possible explanation.  There are many others.

Management is often reluctant to supply computer professionals with the
resources we need to do a proper job, so we end up with workarounds to do
our job, which carry a variety of risks.

Sometimes companies call upon temporary workers, outsourced to manage some
coding changes, then the instant they have what is needed, the workers are
dropped, so any debug functions the temporary workers had initiated,
intended as temporary, to try to figure out why something was not yet working
properly, never get turned off.

Sometimes there is a transition between different ways of delivering
computer services.  As soon as the new way is satisfactory, companies might
drop the IT staff implementing the change.  So the old way is still running
in parallel, never closed down.  Do this a few times, and multiple old ways
are still running in parallel.

Companies ask computer staff to set up something which is to run without
human interaction.  With employee turnover, corporate memory forgets all
that is running on their computer systems.

We all get lots of software, without the foggiest notion of all that it
is doing under the covers.  We are only interested in particular features of
the software, which was our reason for getting it.  "We" includes most
everyone connected to our employer networks.
-
Al Mac

-----Original Message-----
From: dataloss-bounces () datalossdb org
[mailto:dataloss-bounces () datalossdb org] On Behalf Of Jake Kouns
Sent: Wednesday, February 22, 2012 1:02 PM
To: dataloss () datalossdb org; dataloss-discuss () datalossdb org
Subject: [Dataloss] Porn site coders expose user info of millions

http://blog.eset.se/porn-site-coders-expose-user-info-of-millions/

I got contacted by Alltid Nyheter, from Swedish public broadcasting
radio, regarding a thread on Flashback.org, Sweden's largest web
forum. User info of well over a million registered users was openly
accessible on the chat site of YouPorn until the server was taken down
yesterday.

The exposed information contains e-mail addresses and passwords. This
information can be used to identify porn consumers, but for some users
more than a reputation is at stake.

It is common knowledge that even today a surprisingly large portion of
Internet users use the same passwords for many (or all) of the
services they use on the Internet, whether it is e-mail accounts,
Facebook, PayPal, or other services.

For a security professional it is baffling how coders working on a
website with such sensitive content can make mistakes of this
magnitude. Allegedly hundreds of megabytes of data have been secured by
people with unknown goals. Cyber criminals can easily go through these
e-mail addresses and match them with passwords and this way gain
access to e-mail accounts. Once they are in, they can secure even more
sensitive information to use in phishing attacks, theft, or fraud.

It is difficult not to compare this case with the hacking of porn site
Brazzers earlier this year, even though in this case the site wasn't
hacked.

Looking at the data, it seems like a careless programmer
accidentally(?!) left debug logging on to a publicly accessible URL as
early as November 2007, and it has been storing all registrations ever
since.

Yesterday, it was found, probably by "accident" by someone sweeping
websites for publicly accessible, but non-linked ("hidden") folders,
looking for... either porn or sensitive material like this, and struck
gold.

Hackers have already started going through the lists, checking which
users have the same password for e-mail or Facebook, and have posted
some intimate pictures found in some users' sent/received e-mail.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Small, inexpensive USB drives pose huge threats to organizations left
unprotected. 
Download Chapter 1 of CREDANT Technologies eBook
Data Protection to the Rescue
http://www.credant.com/campaigns/external_media_ebook/chapter1/lp/
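An added example, not part of this thread, in Python: a defender-side audit that walks a web document root, unlinked "hidden" folders included, looking for forgotten debug logs that record e-mail addresses alongside password fields, the failure mode Jake describes. The document root, file names and log lines below are constructed for the demonstration.

```python
"""Audit a served document root for forgotten debug logs that record
registrations (e-mail address plus password field on one line)."""
import os
import re
import tempfile

# Heuristics: an e-mail address and a password-like key on the same line.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PASSWORD_RE = re.compile(r"(?i)\b(pass(word|wd)?|pwd)\b\s*[:=]")


def scan_file(path, max_lines=20000):
    """Count lines carrying both an e-mail address and a password field."""
    hits = 0
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for i, line in enumerate(fh):
                if i >= max_lines:  # cap work on huge logs
                    break
                if EMAIL_RE.search(line) and PASSWORD_RE.search(line):
                    hits += 1
    except OSError:
        return 0
    return hits


def audit_webroot(root):
    """Walk every file under the root. A file needs no link from any page to
    be fetchable, so directories nobody remembers are scanned too."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings.append((os.path.relpath(path, root), hits))
    return sorted(findings)


def demo():
    """Build a constructed document root with one stale debug log and audit it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "chat", "tmp"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>hello</html>\n")
    with open(os.path.join(root, "chat", "tmp", "debug.log"), "w") as fh:
        fh.write("2007-11-03 register user=alice@example.com pass=hunter2\n")
        fh.write("2007-11-03 register user=bob@example.net password: s3cret\n")
        fh.write("2007-11-03 login ok for alice@example.com\n")
    return audit_webroot(root)


if __name__ == "__main__":
    for rel, hits in demo():
        print(f"{rel}: {hits} credential-bearing line(s)")
```

Run it from cron against the real document root and alert on any non-empty result; a clean run costs nothing and a hit is exactly the kind of forgotten artifact Al's reply warns about.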
