In a security notice posted on their blog on the 4th March, Spotify announced to users that an unknown group had managed to compromise their security protocols. The breach meant that the attackers had obtained information that would allow them to test a very large number of passwords against each account, possibly finding the right one.

Spotify are quoted as saying "Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk. All payment data is handled by a secure 3rd party provider".

All users with accounts created on or before December 19th 2008 have been advised to change their Spotify passwords, and are strongly encouraged to change the passwords for any other services where they used the same password.

What this means in real terms is that a hacker (or group of hackers) managed to work out how Spotify encode and transmit passwords between the client and their server (this is what is referred to as their "protocols"), and were then able to get hold of the stored password data. The passwords themselves are not stored on the server in readable form; instead a one-way mathematical function is applied to each password to produce a fixed-length code (this is referred to as a password hash), and only the hash is kept. It is practically impossible to convert a hash back into the password it came from, so the passwords themselves have not been exposed directly, but the hackers have been able to download the hashes.

The problem is that the same function can be run forwards very cheaply. With a copy of the hashes, the hackers can guess a password, compute its hash, and compare it against the downloaded list, all on their own machines and without ever contacting Spotify. That is what makes this an offline brute force attack: they can try an enormous number of guesses per second, starting with a, then aa, ab, ac and so on, adding more letters and numbers, and nothing on Spotify's side (such as locking an account after a few wrong attempts) slows them down. The moment a guess produces a matching hash they know your password and have access to your account, unless you have changed it before they get the chance.

The next logical step for a hacker would be to see if you have used the same email address and password for other services, especially online banking or betting accounts, or even iTunes accounts, where they could purchase songs and sell them on. Once exposed, the account information itself may be sold to criminal gangs for use in identity theft.

So what can you do to protect yourself from this kind of exposure? You can try only signing up to services that you would trust to protect your information, and using complex passwords (8 characters or more, and the longer the better, combining numbers, letters and other characters where possible). Never use the same password for multiple accounts, and never use plain words or names: these are easily discovered with dictionary attacks, which simply hash every word in a word list and compare. That holds even if you switch letters for numbers that look the same (for example s for 5, o for 0), because cracking tools apply exactly those substitutions automatically, along with capital letters and a year or a digit tacked on the end.
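To make the point about offline cracking and dictionary attacks concrete, here is an added example (written for this post, not code from Spotify or from the original notice). It builds a small constructed "dump" of email addresses and password hashes inline, then runs a dictionary attack with the usual mangling rules (capitalisation, look-alike substitutions such as s to 5, and a numeric suffix) against it. SHA-1 without a salt is an assumption made purely so the example runs offline; the notice does not say which hash function Spotify actually used, and the email addresses and passwords are invented.

```python
"""Offline guessing against a leaked table of password hashes.

Constructed example: the dump below is built inline with unsalted SHA-1 so the
script runs offline. SHA-1 is an assumption for illustration only; the real
algorithm used by the service is not stated in the security notice.
"""
import hashlib
import itertools
from typing import Dict, Iterator, List, Optional

# Look-alike substitutions that cracking rule sets try automatically.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}

# A short list of suffixes people append: a single digit or a recent year.
SUFFIXES = [""] + [str(d) for d in range(10)] + [str(y) for y in range(2000, 2011)]


def unsalted_hash(password: str) -> str:
    """One-way digest of a password: cheap to compute, infeasible to invert."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield the variants a cracking rule set would try for one dictionary word:
    two capitalisations, every combination of look-alike substitutions and a
    short numeric suffix. "spotify" therefore also yields "Sp0tify1"."""
    for base in (word.lower(), word.capitalize()):
        # For each character, keep it or swap in its look-alike (if it has one).
        choices = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in base]
        for combo in itertools.product(*choices):
            stem = "".join(combo)
            for suffix in SUFFIXES:
                yield stem + suffix


def crack(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Hash every candidate once and look it up against the whole dump.

    Nothing here talks to the service: the attacker only needs the hashes.
    Because the hashes are unsalted, each computed digest is checked against
    every account at no extra cost, so shared passwords fall together.
    """
    by_hash: Dict[str, List[str]] = {}
    for email, digest in dump.items():
        by_hash.setdefault(digest, []).append(email)

    found: Dict[str, Optional[str]] = {email: None for email in dump}
    for word in wordlist:
        for candidate in mangle(word):
            for email in by_hash.get(unsalted_hash(candidate), []):
                found[email] = candidate
    return found


# Constructed dump: what an attacker holds after downloading the hashes.
LEAKED_DUMP = {
    "alice@example.com": unsalted_hash("password"),
    "bob@example.com":   unsalted_hash("Sp0tify1"),       # word + substitution + digit
    "carol@example.com": unsalted_hash("monkey2009"),     # word + year
    "dave@example.com":  unsalted_hash("password"),       # same password as alice
    "erin@example.com":  unsalted_hash("kV8#q2Lp!zR4"),   # random, not derived from a word
}

# A tiny constructed word list; real ones run to millions of entries.
WORDLIST = ["password", "spotify", "monkey", "letmein", "qwerty"]


def demo() -> Dict[str, Optional[str]]:
    """Run the dictionary attack against the constructed dump."""
    return crack(LEAKED_DUMP, WORDLIST)


if __name__ == "__main__":
    for email, password in demo().items():
        print(f"{email:20} {'NOT CRACKED' if password is None else password}")
```

Four of the five constructed accounts fall to a five-word list plus mangling rules, including the "clever" Sp0tify1; only the password that was not built from a word survives. Note that nothing is sent to the service at any point, which is why changing your password promptly is the only defence once the hashes are out.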

Who’s Responsible for Data in the Cloud.

While trawling through the internet I came across a couple of articles that made me think:

The first one was on the BBC technology site and it talked about cloud computing and the US Patriot Act. This is similar to the UK's anti-terrorism legislation and, as far as I can see, it gives the US government the right to look at data stored in the States if they think that it might include information about terrorists.

You might be thinking, well, what does that have to do with me? I'm not an American, so what if the Americans can look at data within their own country? But what you have to remember is that many, many services like Amazon's S3 data storage, Hotmail, SkyDrive and Gmail are all hosted in the States, so any data stored on these is covered by the Patriot Act.

What's more, I bet that if they really wanted to they could make these laws extend to any data travelling through their network, so if you send an email, a Twitter message, a file or any other string of ones and zeros and it is routed through the US (or any other country with similar laws), they would be at liberty to read that information and use it for whatever purpose they saw fit.

This got me thinking as a system administrator: if I'm storing data in the States and viewing it on terminals in the UK, do I need to adhere to both the UK's Data Protection Act and any American equivalent? Or does a data protection act only apply to data held on citizens of a particular country? If so, what laws do I have to adhere to if I have a mailing list which contains data on people in several different countries?

The second article I came across was something on TechCrunch about a German politician who had obtained a legal ruling prohibiting the local German version of Wikipedia from accessing information on the main Wikipedia database in Miami.

The focus of my thoughts here is really where responsibility lies. Say an English company has a website hosted in the US, but bought and paid for in the UK, and you want to stop them from false advertising: do you pursue the UK company, or the US ISP hosting their data? And what if, for example, the banner ads you object to on the site are simply embedded links to data on a video server in, say, Germany? In fact the whole area of links seems quite complicated. If you display an RSS feed on your site from elsewhere on the internet and it says something that could be defamatory, are you also guilty of defamation, and how does this work across borders? Something may be deemed defamatory in one country but not in another. There was talk yesterday that the German politician's background in the German police was protected under German law, but does that protection extend outside of Germany?

What are your thoughts on this?

