06
Mar
UK Telegraph web site compromised
Article from Rik Ferguson
Filed under: Hacking,Site Compromise,data leakage | RSS 2.0 | TB | Tags: , , , | 15 Comments

Well, it looks like the folks over at hackersblog have been at it again, specifically Unu.

 

Hackersblog have made some high profile web site compromises recently and today they posted evidence that they had compromised the website of the UK national daily newspaper, The Telegraph.

 

 

The SQL injection appears to lay bare much of the database, unfortunately including hundreds of thousands of subscriber email addresses and more worryingly, passwords in clear text.

 

Recently published research showed that 61% of people use the same password for multiple sites, so this kind of compromise represents real risk for many people.

 

Of course I contacted the Telegraph as soon as this compromise came to my attention and I am sure they are working hard on a resolution.

 

UPDATE: The people at the Telegraph reacted in a commendably timely fashion to this incident, which is detailed here.

 

In the meantime, it you are a Telegraph subscriber and are concerned about the safety of any other online accounts you may have I would encourage you to change your passwords on those other accounts, and of course on the Telegraph web site.

 

Here are a few tips for maintaining password security online.

 

  • Choose three complex passwords, easy to remember but difficult to guess, us a combination of numbers, upper and lower case letter and special characters like !£$@&. (Trend Micro’s advice on password creation is available in our Safe Computing Guide).

 

  • Use the first password as a general one for the majority of sites that require passwords to login. The second password, use for your email account and only your email account, that way, should other servies be compromised, you do not have to worry about your email account. Finally use the third password for any websites that could have financial consequences.

 

  • These passwords should never be shared and should be changed at least every six months.

 

  • Finally, for those of you out there hosting web sites that hold other people’s data, have a look at the guidelines in my earlier bog entry about Spotify…

Bookmark
| More
This entry was posted on Friday, 6. March 2009 and is filed under "Hacking, Site Compromise, data leakage". You can follow any responses to this entry with RSS 2.0. You can leave a response here, or send a trackback from your own site.

15 Comments to "UK Telegraph web site compromised"

 HackersBlog » Blog Archive » Telegraph.co.uk hacked, sql injection:
Friday, 6. March 2009 um 4:58 pm

[...] edit: if you are a member of telegraph.co.uk read this article too and follow the advice regarding [...]
  Daily Telegraph web site compromised, hackers claim by Dinters Technology News:
Sunday, 8. March 2009 um 8:06 pm

[...] email addresses and more worryingly, passwords in clear text,” according to Rik Ferguson on Trend Micro’s security blog. If that means you, you should change your password on that and perhaps other sites. His post adds: [...]
Hackers claim attack over Daily Telegraph web site | Digital Prank:
Monday, 9. March 2009 um 9:14 am

[...] email addresses and more worryingly, passwords in clear text," according to Rik Ferguson on Trend Micro’s security blog. Actually I am quite surprised to see the site handles user passwords in clear text at database [...]
Telegraph site attacked, claim hackers : SupaFeed:
Monday, 9. March 2009 um 9:38 am

[...] email addresses and more worryingly, passwords in clear text,” according to Rik Ferguson on Trend Micro’s security blog. If that means you, you should change your password on that and perhaps other sites. His post adds: [...]
Simon:
Monday, 9. March 2009 um 10:18 am

“and more worryingly, passwords in clear text”

What’s more worrying about that is that the passwords have been stored in a way that this could happen. If they used the standard one way encryption like MD5, they would only ever appear as jargon.
Telegraph.co.uk hacked | Developer Oracles:
Monday, 9. March 2009 um 11:09 am

[...] after the hacker reported his success, TrendMicro re-confirmed the event and informed that they already reported the attack to the Telegraph. They [...]
Hackersblog and Telegraph.co.uk | News in brief:
Monday, 9. March 2009 um 11:13 am

[...] you may have read elsewhere, Telegraph.co.uk was targeted by hackers at the end of last week. The main part of our website are not affected, nor are the accounts of My [...]
Kate Day:
Monday, 9. March 2009 um 11:46 am

This did not affect the main Telegraph.co.uk site or Telegraph blogs and My Telegraph. For the full story please see here . Thanks.
Rik Ferguson:
Monday, 9. March 2009 um 12:26 pm

Thanks Kate, I have updated the original blog post to include the Telegraph’s response, Well done on reacting so rapidly to this!
Telegraph site attacked, claim hackers | PTC07NEWS:
Monday, 9. March 2009 um 3:37 pm

[...] email addresses and more worryingly, passwords in clear text,” according to Rik Ferguson on Trend Micro’s security blog. If that means you, you should change your password on that and perhaps other sites. His post adds: [...]
Telegraph site attacked, claim hackers:
Tuesday, 10. March 2009 um 1:59 am

[...] email addresses and more worryingly, passwords in clear text,” according to Rik Ferguson on Trend Micro’s security blog. If that means you, you should change your password on that and perhaps other sites. His post adds: [...]
Boris Yeltsin:
Tuesday, 10. March 2009 um 8:14 am

You write:
Use the first password as a general one for the majority of sites that require passwords to login. The second password, use for your email account and only your email account, that way, should your email be compromised, you do not have to worry about your other services.

DOH. If your email account is compromised, then why shouldn’t “they” go through your email, find your “sign up” emails and go back to all of those sites asking for passwords to be reset, or to be emailed the password or whatever?

No, get a simple encryption app to protect a database of different passwords. It should be secured using a master password that is not used anywhere else. Use a virus/trojan scanner if you’re using Windows so you don’t get keylogged. Use Steel for Mac, or KeyPass for Windows.
Rik Ferguson:
Tuesday, 10. March 2009 um 9:44 am

Heh, nice observaration Boris as regards webmail accounts, my recommendation would certainly be to use a local client to store historical mails, especially those containing sensitive information., rather than leaving them in your online account.

I like the idea of encrypting your paswords locally, but I don’t completely understand how that would protect your credentials from being guessed, brute-forced, socially engineered or simply given away….

The other downside to using a locally encrypted password database is of course the fact that you are no longer as mobile (with logins) as you otherwise would be.

Having said that, the email account is always the holy grail of anyone trying to gain illicit access to any service online and should be protected with a very secure, difficult to guess password.
+++ Telegraph Users Passwords and Emails Hacked +++ - Guy Fawkes' blog:
Friday, 3. April 2009 um 3:43 pm

[...] boasting here. Security warning here. The Telegraph, as far as Guido can tell, has not alerted users that their passwords have been [...]
HackersBlog » Blog Archive » Telegraph.co.uk hacked - when will they learn?:
Thursday, 28. May 2009 um 4:43 pm

[...] the one used to log in to telegraph.co.uk . We also recommend to follow the advices listed here: here. Please read this too if you want to make an article about [...]

Name:

E-Mail (not published)

Website:


Spam protection


© Copyright 2010 Trend Micro Inc. All rights reserved.
Legal Notice | Disclaimer