Sunday, March 08, 2009

ethical hacker not so ethical when hacked

one of the posts to catch my eye during my absence was this post on cd-man's blog about ethicalhacker.net getting compromised...

what struck me about it was that the folks at ethical hacker waited months to inform their membership that they'd been compromised and that users should change their passwords...

now, i suspected some months ago that ethical hacker had either had some kind of breach or had significantly changed their MO when i started getting spam at the address i registered with, but to find out that users' credentials have been in the hands of attackers for 8 months before ethicalhacker.net decided to warn anyone is simply outrageous...

i understand that no site is impenetrable so a breach of this nature is inevitable - i don't have a problem with that... i also understand that most of their users are probably using good password hygiene - however i also know that a surprising number of security folks probably don't... there are many people in the security world who, although they will enforce security policies rigidly within the enterprise, do not take anywhere near the same measures with their own systems at home and so most likely reuse passwords... these people were put in harm's way when the folks at ethical hacker chose sneakiness over transparency...

it's events like this that make me glad i use a different randomly generated password for each site (in addition to the different randomly generated email address i use for each site)... ethical hacker's name is now ironic, much like 'little john' or 'tiny', because they definitely aren't putting their users first...
