Comments on: Delivering Unhappiness http://www.veracode.com/blog/2012/01/delivering-unhappiness/ Application security testing, analysis, and metrics Tue, 15 May 2012 22:16:53 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: På den säkra sidan – Utgåva 06 | SAFESIDE-bloggen http://www.veracode.com/blog/2012/01/delivering-unhappiness/comment-page-1/#comment-14626 På den säkra sidan – Utgåva 06 | SAFESIDE-bloggen Thu, 19 Jan 2012 23:26:46 +0000 http://www.veracode.com/blog/?p=3119#comment-14626 [...] hos Zappos (CS) http://www.veracode.com/blog/2012/01/delivering-unhappiness/ http://isc.sans.edu/diary.html?storyid=12406 [...] [...] hos Zappos (CS) http://www.veracode.com/blog/2012/01/delivering-unhappiness/ http://isc.sans.edu/diary.html?storyid=12406 [...]

]]> By: Security’s Rough Ride « psilva's blog http://www.veracode.com/blog/2012/01/delivering-unhappiness/comment-page-1/#comment-14596 Security’s Rough Ride « psilva's blog Tue, 17 Jan 2012 22:10:53 +0000 http://www.veracode.com/blog/?p=3119#comment-14596 [...] Delivering Unhappiness [...] [...] Delivering Unhappiness [...]

]]> By: Chris Eng http://www.veracode.com/blog/2012/01/delivering-unhappiness/comment-page-1/#comment-14587 Chris Eng Tue, 17 Jan 2012 15:35:47 +0000 http://www.veracode.com/blog/?p=3119#comment-14587 @Dan: For the record, my guess is unsalted hash too. :) @Dan: For the record, my guess is unsalted hash too. :)

]]> By: Dan http://www.veracode.com/blog/2012/01/delivering-unhappiness/comment-page-1/#comment-14580 Dan Tue, 17 Jan 2012 03:43:31 +0000 http://www.veracode.com/blog/?p=3119#comment-14580 You're not really informed, even if they said salted hashes, you should still take their advice and change your passwords, immediately, everywhere (that you care about). It was urgent enough to the people on the inside of Zappos for them to make the business call to inconvenience all of their customers. I imagine that, as a matter of good corporate governance, they didn't take this step lightly. Would you do the same actions that they are doing if you knew that the passwords were managed properly? Maybe it's just me, but I would totally minimize my press releases if I knew I had nice secure bcrypted passwords. i.e., "You might want to change your passwords sometime in the next year or so if you think a major government might want access to your accounts... Otherwise, check out these cool new shoes..." ;) My guess is either crypt or md5/no salt. You’re not really informed, even if they said salted hashes, you should still take their advice and change your passwords, immediately, everywhere (that you care about).

It was urgent enough to the people on the inside of Zappos for them to make the business call to inconvenience all of their customers. I imagine that, as a matter of good corporate governance, they didn’t take this step lightly.

Would you do the same actions that they are doing if you knew that the passwords were managed properly? Maybe it’s just me, but I would totally minimize my press releases if I knew I had nice secure bcrypted passwords. i.e., “You might want to change your passwords sometime in the next year or so if you think a major government might want access to your accounts… Otherwise, check out these cool new shoes…” ;)

My guess is either crypt or md5/no salt.

]]> By: Chris Eng http://www.veracode.com/blog/2012/01/delivering-unhappiness/comment-page-1/#comment-14577 Chris Eng Tue, 17 Jan 2012 01:34:00 +0000 http://www.veracode.com/blog/?p=3119#comment-14577 @Dan: Valid point regarding "how much they really cared" pre-loss. But still, people should know how urgent the situation is. Call it amateur risk assessment if you want, but to me it's making informed decisions. Do people need to change their passwords immediately on every site where they've used that email/password pair? Probably not. How long do they have? Depends on the answer to my question. @Dan: Valid point regarding “how much they really cared” pre-loss. But still, people should know how urgent the situation is. Call it amateur risk assessment if you want, but to me it’s making informed decisions. Do people need to change their passwords immediately on every site where they’ve used that email/password pair? Probably not. How long do they have? Depends on the answer to my question.

]]> By: Dan http://www.veracode.com/blog/2012/01/delivering-unhappiness/comment-page-1/#comment-14576 Dan Tue, 17 Jan 2012 00:17:24 +0000 http://www.veracode.com/blog/?p=3119#comment-14576 "This detail is critical, because it indicates how easy it will be for attackers to recover the original passwords" This detail is critical because it gives us a gauge into how much Zappos really cared - pre-loss. But to paraphrase Ranum... (http://www.inforisktoday.co.uk/interviews.php?interviewID=1154) If a company tells you that they've been hacked and that you should change your password, you should change your password. Any amateur risk assessment at this point is foolhardy. “This detail is critical, because it indicates how easy it will be for attackers to recover the original passwords”

This detail is critical because it gives us a gauge into how much Zappos really cared – pre-loss.

But to paraphrase Ranum… (http://www.inforisktoday.co.uk/interviews.php?interviewID=1154)

If a company tells you that they’ve been hacked and that you should change your password, you should change your password.

Any amateur risk assessment at this point is foolhardy.

]]> By: James Dorrian http://www.veracode.com/blog/2012/01/delivering-unhappiness/comment-page-1/#comment-14574 James Dorrian Mon, 16 Jan 2012 21:43:59 +0000 http://www.veracode.com/blog/?p=3119#comment-14574 Perhaps a premature assessment on my part, but it seems their action is bold and decisive, which is exactly what is necessary in the event of a breach. Perhaps a premature assessment on my part, but it seems their action is bold and decisive, which is exactly what is necessary in the event of a breach.

]]>