Spotify lose user data

In a security notice posted on their blog on the 4th March, Spotify announced to users that an unknown group had managed to compromise their security protocols. The breach meant that the attackers had access to information that could allow them to test a very large number of passwords and possibly find the right one.

Spotify is an internet based music service

Spotify are quoted as saying “Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk. All payment data is handled by a secure 3rd party provider”.

All users with accounts created on or before December 19th 2008 have been advised to change their Spotify passwords and are strongly encouraged to change the passwords on any other services where they used the same password.

What this means in real terms is that a hacker (or group of hackers) managed to access a detailed description of how Spotify encode and send passwords between the browser and their server (this is referred to as their protocols). The passwords themselves are not actually stored on the server (or transferred over the internet); instead a special mathematical code is applied to the password within the browser to form a complex code that only the server can understand (this is referred to as a password hash). It is almost impossible to convert back from a password hash to a password, so the passwords themselves have not been exposed, but the hackers have been able to download these hashes. What this means is that the hackers are able to run brute force attacks, trying a very large number of possible passwords: for example starting with the letter a, then aa, ab, ac, adding more and more letters and numbers and trying every combination until one opens the account. They then have access to your account, unless you have changed your password before they get the chance.
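To make the password hash idea above concrete, here is an added example (not Spotify's code; the post does not describe their actual scheme). It contrasts a fast, unsalted hash, where one leaked table lets every guess be checked against every user at once, with a per-user salted, deliberately slow hash (PBKDF2-HMAC-SHA256, as Python's standard library provides it), and it counts how many guesses the "a, aa, ab, …" enumeration the post describes has to cover. The iteration count is a constructed value to be tuned per server.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Constructed value for this example:
# tune it so one verification costs tens of milliseconds on your own server,
# because that same cost is paid by every guess against a leaked hash.
PBKDF2_ITERATIONS = 200_000


def fast_unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password.

    Deterministic and cheap: two users with the same password get the same
    value, and a guess costs one hash, so a leaked table is easy to attack.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The random per-user salt means identical passwords hash differently and
    each stored hash must be attacked on its own; the iteration count makes
    every single guess expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so the comparison itself leaks nothing about how many bytes matched."""
    scheme, iterations, salt_hex, hash_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def keyspace(alphabet_size: int, max_length: int) -> int:
    """Number of candidates in the 'a, aa, ab, ...' enumeration the post describes:
    every string of length 1 to max_length over an alphabet of the given size."""
    return sum(alphabet_size ** length for length in range(1, max_length + 1))


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print("stored record:", stored)
    print("verify right  :", verify_password("correct horse", stored))
    print("verify wrong  :", verify_password("correct horse!", stored))
    print("lowercase, up to 6 chars:", keyspace(26, 6))
    print("letters+digits+symbols, up to 8 chars:", keyspace(95, 8))
```

Longer passwords drawn from a larger alphabet grow the keyspace geometrically, and the slow salted hash multiplies the cost of every candidate; together they are what buy users time to change their password after a leak.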

The next logical step for a hacker would be to see if you have used the same name and password for other services, especially online bank or betting accounts, or even iTunes accounts, where they could purchase songs to sell on. Once exposed, the account information itself may even be sold to criminal gangs for use in identity theft.

So what can you do to protect yourself from this kind of exposure? You can try only signing up to services that you would trust to protect your information, and use complex passwords (8 characters or more, combining numbers, letters and other characters if possible). Do not use the same password for multiple accounts, and never use words or names: these are easily discovered with dictionary attacks, even if you switch letters for numbers that look the same (for example s’s for 5’s).
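The advice above (length, mixed characters, no dictionary words even with look-alike substitutions, no reuse) can be turned into a check a sign-up form or password manager runs before accepting a password. The following is an added example, not from the post or from Spotify; the word list and the set of passwords "used elsewhere" are constructed stand-ins for a real dictionary and a real reuse check.

```python
import re
from typing import Iterable, List, Set

# Constructed mini word list standing in for the dictionary a cracking tool
# would carry; a real check would load a large list.
COMMON_WORDS: Set[str] = {
    "password", "spotify", "letmein", "qwerty", "welcome", "monkey", "dragon",
}

# Look-alike substitutions that make a dictionary word look different
# without adding real strength (the "5 for s" trick from the post).
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(candidate: str) -> str:
    """Reduce a candidate to the dictionary word it is probably built from.

    Trailing digits/punctuation are dropped first (so 'password2008' keeps its
    letters), then look-alike substitutions are undone ('P@55w0rd' -> 'password').
    """
    lowered = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return stripped.translate(LEET_MAP)


def character_classes(candidate: str) -> int:
    """Count how many of lower, upper, digit and other are present."""
    return sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])


def check_password(candidate: str, used_elsewhere: Iterable[str] = ()) -> List[str]:
    """Return the list of policy problems; an empty list means the password passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(candidate) < 3:
        problems.append("needs at least three of: lower, upper, digits, other characters")
    if normalize(candidate) in COMMON_WORDS:
        problems.append("dictionary word once look-alike substitutions are undone")
    if candidate in set(used_elsewhere):
        problems.append("already used on another service")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["P@55w0rd!", "5potify2008", "short1", "Cr3scent-Moon!7"]:
        result = check_password(pw, used_elsewhere={"5potify2008"})
        print(f"{pw!r}: {'ok' if not result else '; '.join(result)}")
```

Note that `P@55w0rd!` satisfies the length and character-class rules yet still fails, which is exactly the point the post makes about substituting look-alike digits for letters.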


Data Corruption at ma.gnolia

This blog entry has taken me a while to post, largely because I really didn’t want to have to post it at all.

I have been a huge fan of social bookmarking ever since I first heard of it. For me it just makes so much sense. I store all my bookmarks online, so whether I’m on my MacBook, my office PC, my mobile phone or using someone else’s computer I have access to the sites I love. But it’s more than that: I’ve signed up to a number of groups of like minded peers, and am now part of those communities. I can see the sites that my friends have discovered and access those resources, and quite often the sites I come across in this slightly serendipitous way are the real gems.

magnolia logo

Having played with several social bookmarking sites I’d settled on ma.gnolia as the site that worked best for me. It was easy to use, worked graphically, had some nice tools and a great community, and I found Larry Halff, the founder, very likable.

Disastrously, in early February ma.gnolia suffered catastrophic data corruption. The database, which was approaching half a terabyte (500GB), became corrupt. While it was backed up, the backup was simply copying the live data and not making archived duplicates, so it could not be rolled back to an earlier version. After several attempts to recover the corrupt data, it was decided that there was no hope of recovering the datastore. Larry managed to come up with some tools to recover individual users’ datastores from locally cached and Google-cached data, and suggested other social bookmarking sites with good communities that users might migrate to.
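The failure mode described above, a backup that mirrors the live store and so faithfully copies the corruption over the only previous copy, is worth seeing side by side with the alternative. The following is an added example, not ma.gnolia’s code (the post does not say how their backup or database worked); it uses a small constructed JSON bookmark file, a mirror-style backup, and versioned snapshots with a checksum sidecar and an application-level validity check, then shows which one can be restored after the live file is corrupted.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Optional


def checksum(data: bytes) -> str:
    """SHA-256 of the snapshot, recorded beside it so bit rot in the archive is detectable."""
    return hashlib.sha256(data).hexdigest()


def mirror_backup(live: Path, mirror: Path) -> None:
    """Copy whatever the live store holds now over the single previous copy.

    This is the pattern that failed: once the live data is corrupt, the next
    run overwrites the only good copy with the corrupt one.
    """
    mirror.write_bytes(live.read_bytes())


def snapshot_backup(live: Path, archive: Path, label: str) -> Path:
    """Write a new, never-overwritten copy plus its checksum. Labels must sort
    in time order (the demo uses zero-padded counters)."""
    archive.mkdir(parents=True, exist_ok=True)
    data = live.read_bytes()
    target = archive / f"bookmarks-{label}.json"
    target.write_bytes(data)
    target.with_suffix(".sha256").write_text(checksum(data))
    return target


def is_valid(data: bytes) -> bool:
    """Application-level check: a checksum only proves the archive copy is
    intact, not that what was archived was healthy. Here the store must be a
    JSON object with a 'bookmarks' list."""
    try:
        doc = json.loads(data)
    except ValueError:
        return False
    return isinstance(doc, dict) and isinstance(doc.get("bookmarks"), list)


def restore_latest_good(archive: Path) -> Optional[bytes]:
    """Walk snapshots newest-first and return the first one that is both intact
    (checksum matches) and healthy (passes is_valid); None if nothing qualifies."""
    for snap in sorted(archive.glob("bookmarks-*.json"), reverse=True):
        data = snap.read_bytes()
        recorded = snap.with_suffix(".sha256").read_text()
        if checksum(data) == recorded and is_valid(data):
            return data
    return None


def run_demo() -> dict:
    """Two good saves, then corruption of the live store, then one more backup run."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, mirror, archive = root / "bookmarks.json", root / "mirror.json", root / "archive"
        # Constructed sample data.
        first = json.dumps({"bookmarks": ["https://example.com/a"]}).encode()
        second = json.dumps({"bookmarks": ["https://example.com/a", "https://example.com/b"]}).encode()
        for label, content in (("001", first), ("002", second)):
            live.write_bytes(content)
            mirror_backup(live, mirror)
            snapshot_backup(live, archive, label)
        # Simulated corruption: the live file is truncated mid-document.
        live.write_bytes(second[: len(second) // 2])
        mirror_backup(live, mirror)
        snapshot_backup(live, archive, "003")
        return {
            "mirror_valid": is_valid(mirror.read_bytes()),
            "restored": restore_latest_good(archive),
            "last_good": second,
        }


if __name__ == "__main__":
    outcome = run_demo()
    print("mirror still usable:", outcome["mirror_valid"])
    print("restored == last good save:", outcome["restored"] == outcome["last_good"])
```

The third snapshot is intact as far as its checksum is concerned, yet it is skipped because it fails the application check; the mirror, having no history, is simply gone. Retention (how many snapshots to keep, and on which separate media) is the remaining decision, and the post’s own lesson is that it has to be made before the disaster.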

Typically of Larry, he has been very open and very honest about the whole thing, sharing his experience so other people can learn from it. In the video below Larry Halff talks to Chris Messina of Citizen’s Garden about the history of ma.gnolia, what happened with the data corruption and what the future holds for ma.gnolia.

Larry Halff discusses past, present and future with Chris Messina

I simply can’t imagine how much pain ma.gnolia must be feeling right now, having spent so much time and effort building up the site and the community surrounding it. To ma.gnolia’s credit, I’ve never once heard them blaming anyone else or coming up with excuses. As an IT manager I have some idea how much pressure there must have been from users to maximize running speed and performance, even at the expense of back-end services like backup and recovery.

I was lucky in that I had a recent backup and I was mirroring my bookmarks on Delicious; what I miss most though is the sense of community. I hope that ma.gnolia does make a recovery and comes back bigger and better than ever, and that I and the rest of the ma.gnolia community get an opportunity to help in whatever way possible.

One lesson that maybe we could all learn from this is that we all need reliable backup plans of our own, and shouldn’t rely on internet based services too much, because you really don’t know when disaster can strike.


Lose Data and ‘Go to jail’

In an earlier blog I suggested that if a private company had lost the sort of data that various government bodies have lost recently, their directors could face prosecution. Well, under a proposed addition to section 55 of the Data Protection Act, that is exactly what could happen.

If the proposed legislation, already voted through the House of Lords, is voted through the House of Commons, individuals negligently disclosing personal data could be jailed for up to 2 years. The Justice Secretary would have to consult with the Information Commissioner’s Office and other appropriate bodies before the penalty could be increased, in the same way that the second amendment works for people that deliberately trade in personal data.

If passed, the amendment will remove the exemptions from prosecution that currently exist for government departments and certain crown officials.

It is not yet clear what will constitute neglect, but guidelines suggest incorrect data protection procedures or use of unencrypted devices might constitute offenses.

Lord Erroll said “Data controllers need to wake up to the importance of personal data, whether in the public or the private sector”, and Tory shadow home affairs minister James Brokenshire is quoted as having said “reckless handling of personal data by government officials should be made an offence”.


Data Security

Following the loss of 2 disks containing Customs and Revenue records of 25 million people, including names, dates of birth, bank and address details, there has been quite a lot in the press about all sorts of changes to the law to protect this data. This is quite confusing: as an IT manager I thought that the Data Protection Act already covered all of this data, and that the data should have been encrypted at the very least. I believe that if it had been a private company that lost the data they would have been in a lot more bother. I haven’t heard any mention of the police being called in to investigate (although they were called to help find the missing disks) or of criminal charges being pressed.

What is more disturbing is that a recent survey by SafeBoot (admittedly they are a supplier of mobile data encryption tools, so they may be a little biased) showed that nearly 80% of public sector employees ignored their own data security policies and carried out insecure data practices. The survey also found that nearly 50% of private sector employees admitted to ignoring their data security policies.

Another survey, this time by Orthus (another security service provider I know), found that a third of data security leaks were down to IT staff.
