Sunday, 25 October 2009

Guardian jobsite hacking fear

Got this email last night from the Guardian: "We learned yesterday evening that the Guardian Jobs website has been targeted by a sophisticated and deliberate hack, which has breached the security of the data on the site.
"You have used the site to make one or more job applications and we believe your personal data, relating to those applications, may have been accessed. We are absolutely committed to the privacy of our users, and would like to assure you that we are treating this situation with the utmost seriousness.
"The matter has been reported to the police, who are now undertaking a full investigation through the police central e-crime unit at New Scotland Yard."
I was not sure if it was genuine as it began "Dear Mrs. Slattery" but Timesonline is running a story here and quoting a Guardian spokeswoman: “We are committed to protecting the privacy of our users and are treating this situation with the utmost seriousness.”

2 comments:

  1. I was reading up about this with avid interest as e-crime fascinates me, especially stories where hackers get the blame. This article was published recently by the Guardian, before the incident, in which they promoted the act of "sedition" by hacking into government websites.

    http://www.guardian.co.uk/technology/blog/2009/oct/23/you-decide-hacking-political-website

    You have to wonder how they feel now the shoe is on the other foot and they find themselves the victim.

    From the details being bandied around the web I am given to understand victims of the 'Hack' are being encouraged to join CIFAS by the Metropolitan Police service.

    But if the 'Hack' was, as they claim, simply a matter of personal details being stolen from a job search site, then why are people being encouraged to join a credit card security agency? It sounds more like what the attacker was after was not people's personal details but employers' credit card numbers and accounting information.

    I had the pleasure of making CIFAS's acquaintance last year when someone I know suffered something similar.

    Let's not forget you hardly paste your VISA card number onto the bottom of your CV, as the balance of your bank account is not going to impress a potential employer!

  2. The details of the attack itself are being kept sketchy at best; all people are hearing is "sophisticated & deliberate", but what is their definition of sophisticated? The full details of how the feat was accomplished would be far more interesting. An SQL injection is hardly sophisticated, and neither is cross-site request forgery or cross-site scripting, which any "pentester" (also loosely referred to as a "hacker") would be happy to inform you about. The Guardian then make the claim that they have prevented such acts from occurring in the future, but the old phrase "don't count your chickens till they've hatched" springs readily to mind. When someone puts their mind to hacking you at that level, no amount of security is going to stop them from throwing a spanner into the works; to proclaim otherwise is to invite disaster. Oh sure, you've stopped them getting into your database, but if they wanted to bring your entire website and all the servers it backs onto to a complete crawl, then how hard is it for them to turn their minds to a DDoS, otherwise known as a distributed denial of service attack?
