A TREND MICRO BLOG

Well, it looks like the folks over at hackersblog have been at it again, specifically Unu.

Hackersblog have made some high profile web site compromises recently and today they posted evidence that they had compromised the website of the UK national daily newspaper, The Telegraph.

The SQL injection appears to lay bare much of the database, unfortunately including hundreds of thousands of subscriber email addresses and more worryingly, passwords in clear text.

Recently published research showed that 61% of people use the same password for multiple sites, so this kind of compromise represents real risk for many people.

Of course I contacted the Telegraph as soon as this compromise came to my attention and I am sure they are working hard on a resolution.

UPDATE: The people at the Telegraph reacted in a commendably timely fashion to this incident, which is detailed here.

In the meantime, if you are a Telegraph subscriber and are concerned about the safety of any other online accounts you may have, I would encourage you to change your passwords on those other accounts, and of course on the Telegraph web site.

Here are a few tips for maintaining password security online.

  • Choose three complex passwords, easy to remember but difficult to guess, using a combination of numbers, upper and lower case letters and special characters like !£$@&. (Trend Micro’s advice on password creation is available in our Safe Computing Guide).

  • Use the first password as a general one for the majority of sites that require a password to log in. Use the second password for your email account and only your email account; that way, should other services be compromised, you do not have to worry about your email account. Finally, use the third password for any websites that could have financial consequences.

  • These passwords should never be shared and should be changed at least every six months.

  • Finally, for those of you out there hosting web sites that hold other people’s data, have a look at the guidelines in my earlier blog entry about Spotify…
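For the site-operator tip above, an added example (not from this post or from Trend Micro) of how a subscriber table can be stored so that a database dump of the kind described does not yield cleartext passwords: queries are parameterised and each password is kept only as a per-user salted PBKDF2 hash. The table layout, the iteration count and the sample subscriber are assumptions; the last function simulates an attacker reading the whole table.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed work factor (not from the post): PBKDF2-HMAC-SHA256, 200k iterations.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return (salt, derived_key). A fresh random salt per subscriber means two
    people who reuse the same password do not end up with the same stored value."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def create_db():
    # Assumed schema: one row per subscriber, no cleartext password column at all.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return conn


def add_subscriber(conn, email, password):
    salt, key = hash_password(password)
    # Parameterised query: the driver binds the values, so user input never becomes
    # SQL text; that is the flaw class behind the compromise described in the post.
    conn.execute("INSERT INTO subscribers VALUES (?, ?, ?)", (email, salt, key))


def verify_login(conn, email, password):
    row = conn.execute(
        "SELECT salt, pw_hash FROM subscribers WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    _, key = hash_password(password, bytes(row[0]))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(key, bytes(row[1]))


def dump_contains_cleartext(conn, password):
    """Simulate reading every row of the table: is the password visible anywhere?"""
    rows = conn.execute("SELECT email, salt, pw_hash FROM subscribers").fetchall()
    blob = b"".join(r[0].encode() + bytes(r[1]) + bytes(r[2]) for r in rows)
    return password.encode() in blob
```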


This entry was posted on Friday, 6 March 2009 and is filed under "Hacking, Site Compromise, data leakage".

15 Comments

  1. [...] edit: if you are a member of telegraph.co.uk read this article too and follow the advice regarding [...]

  2. [...] email addresses and more worryingly, passwords in clear text,” according to Rik Ferguson on Trend Micro’s security blog. If that means you, you should change your password on that and perhaps other sites. His post adds: [...]

  3. [...] email addresses and more worryingly, passwords in clear text," according to Rik Ferguson on Trend Micro’s security blog. Actually I am quite surprised to see the site handles user passwords in clear text at database [...]

  4. [...] email addresses and more worryingly, passwords in clear text,” according to Rik Ferguson on Trend Micro’s security blog. If that means you, you should change your password on that and perhaps other sites. His post adds: [...]

  5. “and more worryingly, passwords in clear text”

    What’s more worrying about that is that the passwords have been stored in a way that this could happen. If they used the standard one way encryption like MD5, they would only ever appear as jargon.

  6. [...] after the hacker reported his success, TrendMicro re-confirmed the event and informed that they already reported the attack to the Telegraph. They [...]

  7. [...] you may have read elsewhere, Telegraph.co.uk was targeted by hackers at the end of last week. The main part of our website is not affected, nor are the accounts of My [...]

  8. This did not affect the main Telegraph.co.uk site or Telegraph blogs and My Telegraph. For the full story please see here. Thanks.

  9. Thanks Kate, I have updated the original blog post to include the Telegraph’s response. Well done on reacting so rapidly to this!

  10. [...] email addresses and more worryingly, passwords in clear text,” according to Rik Ferguson on Trend Micro’s security blog. If that means you, you should change your password on that and perhaps other sites. His post adds: [...]

  11. [...] email addresses and more worryingly, passwords in clear text,” according to Rik Ferguson on Trend Micro’s security blog. If that means you, you should change your password on that and perhaps other sites. His post adds: [...]

  12. You write:
    Use the first password as a general one for the majority of sites that require passwords to login. The second password, use for your email account and only your email account, that way, should your email be compromised, you do not have to worry about your other services.

    DOH. If your email account is compromised, then why shouldn’t “they” go through your email, find your “sign up” emails and go back to all of those sites asking for passwords to be reset, or to be emailed the password or whatever?

    No, get a simple encryption app to protect a database of different passwords. It should be secured using a master password that is not used anywhere else. Use a virus/trojan scanner if you’re using Windows so you don’t get keylogged. Use Steel for Mac, or KeePass for Windows.

  13. Heh, nice observation Boris as regards webmail accounts, my recommendation would certainly be to use a local client to store historical mails, especially those containing sensitive information, rather than leaving them in your online account.

    I like the idea of encrypting your passwords locally, but I don’t completely understand how that would protect your credentials from being guessed, brute-forced, socially engineered or simply given away….

    The other downside to using a locally encrypted password database is of course the fact that you are no longer as mobile (with logins) as you otherwise would be.

    Having said that, the email account is always the holy grail of anyone trying to gain illicit access to any service online and should be protected with a very secure, difficult to guess password.

  14. [...] boasting here. Security warning here. The Telegraph, as far as Guido can tell, has not alerted users that their passwords have been [...]

  15. [...] the one used to log in to telegraph.co.uk. We also recommend following the advice listed here: here. Please read this too if you want to make an article about [...]

© Copyright 2010 Trend Micro Inc. All rights reserved.