password

I had a Monster.com account hanging out there for a few years. I wasn't looking for a new position so all the privacy controls were turned on. Along comes the second data breach in under two years. I decided I didn't need that account anymore. I know, closing the barn door after the horse is already gone.

Anyway, I went to log into my account to have it removed and couldn't remember my password. No problem. I clicked on the 'Forgot my password' link and received a nice email with a URL in it to reset my password. Slight problem. The URL didn't point to an SSL-encrypted page.

I decided to give them the benefit of the doubt by assuming I would be redirected to a secure page to actually reset my password. Nope. The reset page was also unencrypted. To reset my password I had to let it flit across the hostile internet in cleartext. I went ahead and did it since I was deleting the account anyway.

That made me a little curious and I decided to poke around a little more to see if anything else obvious popped up. Didn't take long.

The sign up page, which asks for your full name, email address, password, location and current employment status, is also not encrypted. Once again, I decided to give them the benefit of the doubt and took a peek at the page source to see if maybe they posted the information to a secure page. Nope. At least not that I can find.

What this says to me is that there is a serious lack of understanding of information security in Monster.com's organization. If as basic a tenet as encrypting passwords when in transit and at rest is not understood and enforced, what else are they missing?

</hops off soap box>

-Kevin
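As an added example, not code from the original post or from Monster.com: a small Python check that does mechanically what the post describes doing by hand. It parses a page's HTML source, resolves each form's action against the page URL (an empty or relative action posts back over the page's own scheme), and reports any form that contains a password field but whose resolved action is not https. The page URL and HTML below are constructed samples, not anything fetched from a real site.

```python
"""Flag sign-up, login or reset forms that would send a password over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Collect every <form>, its resolved action URL, and whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # one dict per <form> seen
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            action = attrs.get("action") or ""
            # Empty or relative actions post back to the page's own URL/scheme,
            # so resolve them against the page URL before judging the scheme.
            self._current = {
                "action": urljoin(self.page_url, action),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_credential_forms(page_url, html):
    """Return resolved action URLs of forms that carry a password field
    but would submit it over something other than https."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    return [
        form["action"]
        for form in auditor.forms
        if form["has_password"] and urlsplit(form["action"]).scheme != "https"
    ]


# Constructed sample: an http sign-up page with three forms.
SAMPLE_PAGE_URL = "http://jobs.example.test/signup"
SAMPLE_HTML = """
<form action="/account/create" method="post">
  <input name="name"><input name="email">
  <input type="password" name="password">
</form>
<form action="https://secure.example.test/reset" method="post">
  <input type="PASSWORD" name="newpw">
</form>
<form action="/search"><input name="q"></form>
"""


def audit_sample():
    """Run the check over the constructed sample page."""
    return find_cleartext_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for url in audit_sample():
        print("password would be posted in the clear to:", url)
```

Only the first form is reported: its relative action resolves to the http page URL, so the password would travel in cleartext. The second form posts to an https endpoint, and the third has no password field, so neither is flagged. The same `urlsplit(url).scheme` test applied to the link in a reset email tells you whether the reset page itself is reached over https, which is the first thing the post found wanting.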



In today's bits post we see information on card readers, penetration testing tools, crypto challenges, NAISG chapter meetings, reversing Blackberry apps, passwords, and a happy blog birthday. Read on for the details.

  1. Um, now you don't need to make your own card skimmer.
    Pocket Credit Card Reader Takes Transactions on the Go - Network World
    Tags: ( scanner creditcard )
  2. Set your reminders and mark it on your calendars. January 13th at 2:00 p.m. EST. Details inside.
    Best Of Webcast Series - Part I - Best Of Network Penetration Testing Tools
    Tags: ( tools pentest webcast pauldotcom )
  3. The answers and winners to the latest crypto challenge from the Ethical Hacker site are posted. Bonus - My first name is involved 😉
    The Ethical Hacker Network - Scooby Doo and the Crypto Caper - Answers and Winners
    Tags: ( challenge crypto answer )
  4. For those in Atlanta or within a reasonable driving distance, the next meeting of NAISG is scheduled for the 14th of January. Check the post for details.
    Andy, ITGuy: Atlanta NAISG Meeting #2
    Tags: ( naisg atlanta meeting )
  5. Most of this is over my head :), but those of you into reversing might find it of interest.
    Don't Stuff Beans Up Your Nose! >> Disassembling Version 6 BlackBerry apps
    Tags: ( blackberry java reversing )
  6. Jeff has a nice post up which talks about a way to deal with brute-force dictionary passwords attacks.
    Coding Horror: Dictionary Attacks 101
    Tags: ( password twitter brute-force )
  7. Six years is a good run. Happy B-Day TaoSecurity. Keep it up.
    TaoSecurity: Happy 6th Birthday TaoSecurity Blog
    Tags: ( general )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin
