Thursday, December 8, 2011

Another day, another security fail

This time, it's at another Dutch digital certificate issuer, Gemnet.

According to the story, the attacker gained access to one of the web servers through the phpMyAdmin module. It does not appear that any certificates were compromised, but this type of breach is completely preventable.

When will companies learn that they have to be proactive about security? Put password policies in place, and enforce them, preferably systematically where possible. AUDIT to make sure they are being followed. Make sure you have someone who follows the bug and defect lists for your major components. Patches and fixes are constantly being released. There is absolutely no reason to be running HTTP, FTP, or SSL services with known vulnerabilities. That's just lazy and inexcusable.

Personally, if a company is running software or a configuration with widely known vulnerabilities, has not made good-faith efforts to mitigate the problem (either by changing the configuration or by patching the software), and customer information is compromised, it should absolutely be liable at law for the breach.

For the individual, don't just rely on the little lock symbol, the color-coding, or whatever other visual indicators your browser gives you. You are also responsible for protecting yourself. Make sure that the URL is one you recognize, and where you mean to be. Make sure you have anti-virus software at a bare minimum. You should also strongly consider anti-malware and anti-adware software, and even a phishing filter. Most of these products are available as packages or suites, and there are some excellent free alternatives out there.

Oh, and you're regularly changing your passwords, right?

Oh, and you're not using the same password on multiple different systems, right?

Yeah, I know keeping up with all of your passwords is a pain, but there are password vaults and crypts available to help you manage that.

Trust me, keeping up with 50 passwords is less of a pain than dealing with 50 different compromised accounts all because you shared passwords amongst them.
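The policy points above (enforce a password policy, audit that it is followed, rotate passwords, never reuse one across systems) can be turned into a small check that runs at password-change time and over an account inventory. The script below is an added example written for this post, not code from the original article or from any of the companies named; the policy thresholds (12-character minimum, three character classes, 90-day maximum age) and the sample account records are constructed assumptions, and the SHA-256 fingerprint is used only to detect the same password on more than one system during the audit, not as a storage format.

```python
"""Password-policy enforcement and audit helper (added example, not from the original post)."""
import hashlib
import re
from datetime import date

# Hypothetical policy values; tune to your own organisation.
MIN_LENGTH = 12      # a floor only: the policy sets no maximum length
MIN_CLASSES = 3      # out of lowercase / uppercase / digit / symbol
MAX_AGE_DAYS = 90    # rotation interval

CLASS_PATTERNS = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def check_password(password: str) -> list:
    """Return the list of policy violations for a candidate password.

    An empty list means the password is compliant. Call this at
    password-change time so the policy is enforced systematically.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, pattern in CLASS_PATTERNS.items()
               if re.search(pattern, password)]
    if len(present) < MIN_CLASSES:
        violations.append(
            f"only {len(present)} of {MIN_CLASSES} required character classes")
    return violations


def fingerprint(password: str) -> str:
    """Fingerprint used solely to spot the same password on several systems.

    Real credential stores keep salted, slow hashes; this unsalted digest
    exists only so the audit can compare values without keeping plaintext.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit(records, today: date) -> list:
    """Audit (user, system, password, last_changed) records against the policy.

    Returns (user, system, finding) tuples covering weak passwords, stale
    passwords, and one password shared across multiple systems.
    """
    findings = []
    seen = {}  # (user, fingerprint) -> systems where that password is used
    for user, system, password, last_changed in records:
        for violation in check_password(password):
            findings.append((user, system, violation))
        if (today - last_changed).days > MAX_AGE_DAYS:
            findings.append((user, system, f"password older than {MAX_AGE_DAYS} days"))
        seen.setdefault((user, fingerprint(password)), []).append(system)
    for (user, _fp), systems in seen.items():
        if len(systems) > 1:
            findings.append((user, ",".join(sorted(systems)),
                             "same password reused on more than one system"))
    return findings


# Constructed sample inventory for the demonstration (not real accounts).
SAMPLE_RECORDS = [
    ("alice", "webmail", "Tr0ub4dor&3-sunset", date(2011, 11, 1)),
    ("bob", "webmail", "password1", date(2011, 2, 3)),
    ("bob", "ftp", "password1", date(2011, 2, 3)),
]


if __name__ == "__main__":
    for user, system, finding in audit(SAMPLE_RECORDS, date(2011, 12, 8)):
        print(f"{user:8} {system:12} {finding}")
```

Run it as-is and the audit flags bob's password on both systems as too short, too few character classes, and older than the rotation window, then adds a single reuse finding; alice's entry passes cleanly. The reuse check keys on the user so that two different people who happen to choose the same password are not reported against each other.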

1 comment:

  1. Unfortunately, my company has instituted a password policy that demonstrably makes them significantly less secure, by imposing asinine max length caps and character requirements.