What a mess.
I did not blog about it, but you may of heard of a computer breach that leaked a lot of personal information on the web, Ashley Madison.
It was an online dating website and a few million people got caught up in it. Some even killed themselves when they were found to be using the site.
Sad and unnecessary, but everyone involved were adults.
Over the past few days another computer system breach has come to light.
This time it is scary because it involves kids….. Like, under the age of 12 kids…..
http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html
The guy starts out by making a pretty good point;
I suspect we’re all getting a little bit too conditioned to data breaches lately. They’re in the mainstream news on what seems like a daily basis to the point where this is the new normal. Certainly the Ashley Madison debacle took that to a whole new level, but when it comes to our identities being leaked all over the place, it’s just another day on the web.
Socity, as a whole, is becoming conditioned to data breaches. Why and what implications that conditioning has remains to be seen. I know, for example, that I am a ticking clock. It is only a matter of time before one or more of the sites that I use (like Amazon where I buy (a lot of) things for example) is breached and my email, password (unique), credit card details and home address are in the hands of people I would rather not have all that information.
But again, I am an adult (well, Ok, in age if not behavior). I should be able to take steps to manage such a breach.
When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well – along with their home address – and you can link the two and emphatically say “Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)”, I start to run out of superlatives to even describe how bad that is.
This is the background on how this little device and other online assets created by VTech requested deeply personal info from parents about their families which they then lost in a massive data breach:
The device is a type of child’s iPad. It is a robust touch computer with games and such on it.
To use it, the parents need to make an account on it so that they can manage it for the child.
(Well, that was the intent).
Here is what is in the breach from VTech.
4,862,625 rows and column headings as follows:
id
encrypted_password
first_name
last_name
password_hint
secret_question
secret_answer
email_promotion
active
first_login
last_login
login_count
free_order_count
pay_order_count
client_ip
client_location
registration_url
country
address
city
state
zip
updated_datetime
Phew. 4.8 million kids with those sorts of details.
If you are not chilled to the bone about this, drop me an email, I would love to chat for a bit.
Sadly, we are not done with the ahhhh, slackness…..
The next thing I checked was the passwords and whilst the column heading implies they’re encrypted, they’re not. The easiest way to check what’s going on with password storage is just to Google a few of the values stored in the database. For example, let’s take the very first one in the dump: 835af17f41292ba8ea3270f6859757ab
Their password is “welcome81”, it’s that simple. It’s just a straight MD5 hash, not even an attempt at salting or using a decent hashing algorithm. The vast majority of these passwords would be cracked in next to no time; it’s about the next worst thing you do next to no cryptographic protection at all. Speaking of which…
All secret questions and answers are in plain text. The questions are typical (albeit poor) examples such as your favourite colour, where you were born and your first school.
VTech did nothing to encrypt the information.
Anyone with a text editor can view it.
For example, there is no SSL anywhere. All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted. These days, we’re well beyond the point of arguing this is ok – it’s not. Those passwords will match many of the parent’s other accounts and they deserve to be properly protected in transit.
Ok, I think that’s enough for you to get the point.
Read the source article if you are interested in some of the tech details.
(The technical details are worth a read regardless of your role in computers – this kind of breach is staggering in its laxness and is really well written up).
I guess the point is that more and more of our lives and our kids lives are on line.
They (we) are in the hands of companies that we just assume is doing the right thing by our information. We can rarely check with them and ask them. I know that I would struggle to ask the right questions and even I don’t have time to try and crack, or hack at every company I give my details to see if they are secure.
My kids are (supposedly) grown up. Terry and I have had a vague conversation about passwords, he has switched to a longer one. I figured that since he majoring in computer programming that he would have a clue….. Probably a mistake to assume that.
Amy and I have never had the chance to talk about her online security. I shudder to think her password manager system.
Please take a moment to think about your passwords.
Make them long, make them unique for each web site.
Most of all, please look after your kids online.
EDIT: 6 Hours latter.
This getting worse, kids photos and chat logs are now part of the breach.
http://www.engadget.com/2015/12/01/vtech-breach-kids-photos-chat-logs/