Slashdot Mirror


Monster.com Attacked, User Data Stolen

Placid writes "The BBC has an article detailing a successful attack on the US recruitment site, Monster.com. According to the article, 'A computer program was used to access the employers' section of the website using stolen log-in credentials' and that the stolen details were 'uploaded to a remote web server'. Apparently, this remote server 'held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website'. The article also links the break-in to a phishing e-mail sent out recently where personal details were used to entice users to download a 'Monster Job Seeker Tool.'"

147 of 196 comments

  1. 4,3,2... by timmarhy · · Score: 2, Interesting

    i smell a lawsuit

    --
    If you mod me down, I will become more powerful than you can imagine....
  2. Tomorrow's Ad today by JonTurner · · Score: 4, Funny

    Wanted:
    New sysadmin. Must have experience in data security. Submit resume to adminjob@monster.com

    1. Re:Tomorrow's Ad today by Harmonious+Botch · · Score: 3, Funny

      I did it. Hire me.

    2. Re:Tomorrow's Ad today by high_rolla · · Score: 5, Funny

      Yeah, followed by the new marketing campaign: "Nobody else makes it this easy for your details to reach more employers"

      --
      Ryans Tutorials - A collection of technology tutorials.
    3. Re:Tomorrow's Ad today by janrinok · · Score: 5, Interesting

      I don't agree. If you RTFA, you will see the system was penetrated by using valid UIDs and passwords, which had been previously gathered using a phishing attack. Any system is vulnerable to such an attack and you can hardly line up all sysadmins and have them shot - despite any justification that the odd one might actually deserve it. But I am surprised by the number of techies that fell for the phishing attack in the first instance.

      --
      Have a look at soylentnews.org for a different view
    4. Re:Tomorrow's Ad today by bazorg · · Score: 1

      Prince Charming is that you?

    5. Re:Tomorrow's Ad today by plague3106 · · Score: 1

      But I am surprised by the number of techies that fell for the phishing attack in the first instance.


      It sounds like it was done via employer accounts, which I would typically think falls to the HR department in a company.
    6. Re:Tomorrow's Ad today by Anonymous+Brave+Guy · · Score: 1

      But I am surprised by the number of techies that fell for the phishing attack in the first instance.

      Was it the techies or the hiring managers, though?

      It seems like the average HR department at a software firm with a C# vacancy would rather hire some guy a couple of years out of college with a bit of C# experience and a MCSD certificate than an experienced pro with a track record of shipping working software using half a dozen different languages including Java and C++. The same sort of firm probably wouldn't hire a DBA with a decade of experience using Oracle, SQL Server, PostgreSQL, Perl and Python for a MySQL+PHP job. They know the buzzwords, but they are clueless about what they mean in practice. Is it any wonder they are also clueless about security?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    7. Re:Tomorrow's Ad today by indiejade · · Score: 1
      You forgot to include the key hallmark of a monster.com listing:

      Please send your resume as a Microsoft Word document.
    8. Re:Tomorrow's Ad today by Weslee · · Score: 1

      I personally don't see this as as big an issue.

      As an employer, you pay extra money to get access to peoples resumes directly.

      To me this looks like nothing more than someone automating the employer "Resume Search", which btw, gives all the information the article mentioned.

      So as far as I can tell, from the article and what I've read here - No breach happened at Monster, rather a stolen account that paid for the resume search feature was used to harvest resumes.

    9. Re:Tomorrow's Ad today by MagusSlurpy · · Score: 1

      I think it might more likely read "Submit resume to /dev/null@monster.com."

      --
      My sister opened a computer store in Hawaii. She sells C shells by the seashore.
    10. Re:Tomorrow's Ad today by superpulpsicle · · Score: 1

      In other news, candidates hired with 6 figure salary and sign on bonuses before interviews.

  3. Monster attack steals user data by Nibbler999 · · Score: 5, Insightful

    I like the BBC headline better.

    1. Re:Monster attack steals user data by niceone · · Score: 1

      I like the BBC headline better.

      I saw that BBC headline, but I didn't read the article because it sounded like a joke story... it's clever, but didn't do its job (make me read the story).

    2. Re:Monster attack steals user data by ObsessiveMathsFreak · · Score: 4, Insightful

      I liked it when Slashdot got its tech stories before the mainstream news outlets.

      --
      May the Maths Be with you!
    3. Re:Monster attack steals user data by Colin+Smith · · Score: 1

      I liked it when Slashdot got its tech stories before the mainstream news outlets.

      Really? When was that then?

      --
      Deleted
  4. Phishing Attack by grahamux · · Score: 4, Funny

    You know, every time I get an email telling me my Bank of America account is going to be frozen, and should go to http://myaccounts-bankofamerica.net/ I always ask myself "Who actually falls for this stuff?". Now, I know. The people I look to for jobs. /cheer

    --
    Doing the needful.
    1. Re:Phishing Attack by Farmer+Tim · · Score: 4, Funny

      What, you needed more evidence that your (potential) boss is an idiot?

      --
      Blank until /. makes another boneheaded UI decision.
    2. Re:Phishing Attack by timmarhy · · Score: 4, Insightful
      It seems to be a universal fact that to be in HR you need to always have an IQ lower than the people you are interviewing. It certainly has been in every company I've worked at.

      remember, these are the type of people who were putting "5 years experience required in windows 2003 admin" in 2005.

      --
      If you mod me down, I will become more powerful than you can imagine....
    3. Re:Phishing Attack by jombeewoof · · Score: 3, Funny

      It seems to be a universal fact that to be in HR you need to always have an IQ lower than the people you are interviewing. It certainly has been in every company I've worked at.


      remember, these are the type of people who were putting "5 years experience required in windows 2003 admin" in 2005.

      I have the official HR handbook. The basic rule is "You can be NO smarterer than the chair you sit in"
      --
      Linux Zealots: Smarter than Mac Zealots, but still zealots.
    4. Re:Phishing Attack by arivanov · · Score: 5, Insightful

      Err... You are missing the point.

      Monster.com was broken in for spearphishing, not for sending bulk emails regarding "Bank of America". Spearphishing as a term is used to describe a phishing set up which is designed to hit a victim specifically by using a victim specific ruse based on knowledge of personal data.

      Recruitment agencies are actually a prime target for such attacks:

      1. Nearly all of them (even the specialised unix oriented ones) require all CVs in Microshit Word so pushing a custom Trojan is trivial.
      2. Nearly all of them systematically violate the Data Protection act and other similar statutes which require them to remove customer data from their databases when no longer needed. So far in the UK only 3% of the ones I have asked to remove my details have complied with the request. Amidst the most vile violators are the two biggest MOD oriented agencies and more than 50% of the top 20 (by job posting numbers).
      3. In addition to that apparently at least one UK (and international) jobboard also does not remove customer data even if you delete your accounts from there. As a result the agencies are re-fed your details on a regular basis.
      4. The agencies possess enough data for a perfect spearphish: date of birth, nationality, postal address, occupation, prior job history, current and past salaries as well as further background. In some cases where they have been subcontracted to do HR they possess even more data like NSNs/SSNs, credit ratings and the like.

      Frankly this is an industry that is in desperate need to be smacked with some vile regulation compared to which SOX and the recent health IT regs in the US are a child's play. They need to be straightened out and made to follow the laws of the land with regard to customer privacy. At the moment they are systematically ignoring them and in many cases they possess more of your personal information than your bank.

      So let's hope that the Monster case will cause some moves towards that.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    5. Re:Phishing Attack by Anonymous Coward · · Score: 2, Insightful

      Spearphishing as a term is used to describe a phishing set up which is designed to hit a victim specifically by using a victim specific ruse based on knowledge of personal data.
      And this month's award for the shittiest neologism goes to...
    6. Re:Phishing Attack by Quince+alPillan · · Score: 1

      Have you seen the phishing emails that are sent out? They're actually very very well done. No spelling errors. Use of an actual monster email address instead of garbage. HTML design looked pretty. The first thing that tipped me off was that they wanted me to download a program. I'm not the type to download programs willy-nilly, but I've seen stupid companies attempt to get you to download their new latest and greatest program before. I then looked closely at the link that they were wanting me to go to and realized that it was a phishing attempt. If they hadn't tried to get me to download a program, I would have thought it from monster because I normally don't look at emails that closely.

    7. Re:Phishing Attack by sholden · · Score: 1

      If companies are ignoring existing laws, why would new laws have any effect at all?

      Why not, stay with me on this it's complicated, enforce the existing laws.

    8. Re:Phishing Attack by kalirion · · Score: 2, Funny

      How can I unfreeze the account if your link is broken? Ah well, could you please unfreeze it for me? My BOA username/password is kalirion/password123. Thanks a ton!

    9. Re:Phishing Attack by RESPAWN · · Score: 3, Interesting

      I've literally had a recruiter forward me a resume one time for a candidate who didn't even know what company he was interviewing for. I've been forwarded resumes that looked like they were typed by a 5 year old. I've been sent resumes for candidates who have no technical experience at all. Period. I look at HR as nothing but a block to the actual hiring process. I'd rather they let me go to Monster.com and look at resumes than have somebody without technical skills do it for me.

      That said, I did have one IT outsourcing company that found my resume on Monster.com and when they called me, they wanted a social security number as part of their pre-interview screening process. When I refused, they claimed that it was necessary to save time by performing a background check before they potentially wasted their time on a candidate who wasn't able to pass a background check. I basically told them that they were idiots and that if they were legitimate, the only candidates they'd get with that policy are also idiots who had no business maintaining computer systems. Especially if the systems are considered sensitive enough to warrant a background check. The best part was that they had the gall to call me back and try to get my social one more time after that conversation.

      --

      If Murphy's Law can go wrong, it will.

    10. Re:Phishing Attack by growse · · Score: 1

      It's all about risk. People speed because the chance of being caught combined with the penalty is such that they feel it's a risk they'll take. If you create new laws that enable capital punishment for speeding, people won't speed. You won't have to police or enforce it any more, it'll just happen.

      That's pretty much what SOX did. If the company makes its numbers up, the CEO and/or CFO go to jail. That's a pretty big jump from the punishments had before. Therefore, companies are less inclined to take that risk.

      --
      There is nothing interesting going on at my blog
    11. Re:Phishing Attack by InlawBiker · · Score: 1

      Acts like Sarbanes Oxley ("SOX") are not new laws. They're acts making punishment of breaking the existing laws more severe. It also makes the officers of the companies personally responsible. The intended effect is to give CEOs incentive to make things right.

    12. Re:Phishing Attack by sholden · · Score: 1

      But surely you try enforcing the laws you already have first.

      Sure, if the punishments are too small to stop the behaviour the law was enacted to stop then you need to do some tweaking - upping the penalties for example. But first you have to enforce what you have, it might be good enough - you can't know if you never enforce.

    13. Re:Phishing Attack by Anonymous Coward · · Score: 1, Informative

      DPA says remove details as soon as not needed, Conduct of employment agencies and recruitment businesses regs 2003 + employment agencies act 1973 require us to keep details for 1 year after last contact. We have to be able to show them if audited.

      Therefore DPA requires us to delete at that 1 year period and not before

      By the way all our CV are on a system with no remote access hidden behind a firewall running on a centos based server.

    14. Re:Phishing Attack by Danse · · Score: 1

      Sure, if the punishments are too small to stop the behaviour the law was enacted to stop then you need to do some tweaking - upping the penalties for example. But first you have to enforce what you have, it might be good enough - you can't know if you never enforce.

      The problem is that these kinds of cases are notoriously difficult to prosecute, and generally require quite a bit of testimony from company insiders to make a decent case. Evidence is hard to get since it is often destroyed (emails and files deleted, etc.). So the risk is fairly low to the individuals, which means that the penalties need to be much greater to have any real deterrent effect.
      --
      It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
    15. Re:Phishing Attack by arivanov · · Score: 1

      Looking at the logs on my mail server and PBX they have /dev/null-ed 6 agencies that were way past the 1 year period (2.5 years in one case). So I suspect that you are a minority regarding caring in the slightest about the DPA. Most of your agency brethren do not give a f*** so tightening up the regs until they do is a jolly good idea.

      Similarly, for the last 5 years I have seen only 2 UK agencies in the IT area (including security oriented ones) that are aware that MS Word leaves personal information including paths and such in the document. As a result the supposedly "top secret" client name is easy to find as 99% also tend to put "Cable and Wireless" cvs in a directory called "Specs\CW" on a _WINDOWS_ server and the directory stays in the doc metadata. There was a point when I used strings and hexedit on job specs _before_ reading them as that provided more information than the agencies were willing to provide (including old revisions of the spec, email trails with the request and even information on how much you can actually bargain for). Personally I find it hard to believe that someone that is so inept that they cannot clean up private info out of MS Word can protect against a well designed and directed Trojan attack. This is besides clearly using a Windows driven network and Windows file storage as a method for keeping their CVs and specs organised.

      Granted, some of the bigger agencies use database systems and 3rd party AV and mail services which shield them to some extent, but this still leaves thousands (in the UK) potential marks for a well placed Trojan which can after that trawl jobsite, jobserve, cwjobs, monster and the like and collect several GB of personal information for further consideration. Exactly like in the Monster case.

      Further to this, it is only a matter of time until this type of information is used not for spearphishing, but for targeted burglaries and good old classic crime. As there are less and less people who can be caught even with a targeted phishing attack, the data thieves will inevitably start to sell their data to people engaged in more mundane activities like burglary.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  5. o noes by yourmomisfasterthana · · Score: 2, Funny

    now hundreds of millions will be able to see my resume, instead of the usual tens of millions!

    --
    -Yourmomisfasterthanabeowulfcluster
    1. Re:o noes by Dekortage · · Score: 1

      That's what I was thinking... like, aren't MORE people seeing those resumes now? Isn't that a GOOD thing?

      Of course, it's really a problem for identity theft, since there are many details of a person's life on their resume. In fact you could call them up and make yourself sound like you knew them: "Hey, this is Jamie over at First Bank of Goobersville... yeah, remember when we worked together before you left for Retail Mega-Schmaltz?" I've even seen resumes where people put down the names of their pets -- hello password-reset questions!

      --
      $nice = $webHosting + $domainNames + $sslCerts
    2. Re:o noes by kalirion · · Score: 1

      And then they start blackmailing you - "Hey, I've got your active resume here, wouldn't want it to show up in your supervisor's inbox now, would we?" Or better yet, what about all the people who use the same username/password combinations on all online sites?

    3. Re:o noes by Hoi+Polloi · · Score: 1

      Unfortunately you'll only get job offers from the Russian mafia and Rumanian criminal hackers.

      "You better start commenting your code and indenting or you might have an 'accident'."

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    4. Re:o noes by geeknado · · Score: 1
      That's really dependent on how your options were set on Monster, right? I wonder how many of these are nameless/faceless CVs...I know that I always post resumes anonymously. Presumably, unless Monster violates its own privacy terms (which would, imo, be a big deal), recruiter access would not give the thieves in question access to the address/name/phone/etc information for those who do choose that anonymous option.

      Also, I'm curious what it did with uploaded resumes/cover letters.

  6. Hehe by JimboFBX · · Score: 5, Funny

    Last year, a British nurse was blackmailed by hackers who had used a Trojan to access her personal e-mails.

    I'll let you guys stew on how ambiguously funny that sentence is.
    1. Re:Hehe by Capt'n+Hector · · Score: 1

      As they say, Timeo Danaos...

      --
      Quid festinatio swallonis est aetherfuga inonusti?
      Africus aut Europaeus?
  7. The real question is by EEPROMS · · Score: 1, Funny

    Who actually wants this data? Many will think it's just some Russian hacker, but this doesn't feel right to me. I wouldn't be surprised if it's a government agency collecting data the easy way.

    1. Re:The real question is by dfgchgfxrjtdhgh.jjhv · · Score: 3, Insightful

      the government already has all that data (and more), but it is worth quite a lot to spammers.

  8. Symantec has a very detailed explanation of it by indraneil · · Score: 5, Informative

    Symantec's explanation
    The trojan (Called Infostealer.Monstres) seems to be using HR login details (possibly stolen) to access hiring.monster.com and recruiter.monster.com sub-domains and download candidate information. It also seems to be similar to a previously known trojan called Trojan.Gpcoder.E
    Symantec estimates that 1.6 million people (mostly from USA) have been impacted.
    They have informed Monster about it

    1. Re:Symantec has a very detailed explanation of it by bughunter · · Score: 1

      They have informed Monster about it
      Somehow I'm not convinced Monster is going to be concerned enough to take action, at least not until it threatens to cost them significant money.

      I've been job searching recently, and Monster is the worst when it comes to privacy and security. First, when creating an online "resume" on Monster, between every "real" page, there's an ad page that looks like a Monster form to fill out, but it's actually a phishing page, an advertisement posing as a form that's asking for your personal information.

      Second, I use different email addresses for each job search site, and the one I registered with Monster.com is getting all kinds of phishing-like emails, with no specific information, or for jobs in completely unrelated fields, with links to click that have forms asking for personal information.

      Also, the month after I posted a PDF resume, the email address on the resume started getting the same kinds of emails.

      You'd think, that with the detailed personal information that's available on sites like CareerBuilder, Monster, and Rice that they'd take an extra measure of security.

      Yep, they're counting on you thinking that.

      /not surprised

      --
      I can see the fnords!
  9. In Soviet Russia... by Anonymous Coward · · Score: 1, Funny

    In Soviet Russia, Monster.com attacks you!

  10. hmmm by wizardforce · · Score: 3, Insightful

    so Monster had no way of preventing some set of IP addresses from downloading over a million entries? does that sort of thing happen a lot and they didn't think it was unusual or what? it would just seem to me that if there were a lot of servers downloading an unusual amount of entries that there should be some way to prevent that...

    --
    Sigs are too short to say anything truly profound so read the above post instead.
    1. Re:hmmm by skeftomai · · Score: 1

      Maybe the program had direct access to the database?

    2. Re:hmmm by kramulous · · Score: 1

      Agreed. That 1.6E06 views of records from one user within x seconds (not sure about time, but a lot faster than anyone, yes even those txt message masters, can key press) should have been detected as a little suspicious. monster.com should be advertising for another sysadmin.

      --
      .
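The check wizardforce and kramulous ask about above, as an added example (not part of the thread and not Monster.com's code): a sliding-window detector that flags an employer account when it views more distinct resumes, or logs in from more source IPs, than a human recruiter plausibly would. The log format, account names, addresses and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune against real recruiter behaviour before alerting on them.
WINDOW = timedelta(minutes=10)
MAX_RESUMES = 50   # distinct resumes one account may open per window
MAX_IPS = 3        # distinct source IPs one account may use per window


def build_sample_log():
    """Constructed sample log: '<ISO timestamp> <account> <source IP> <resume id>'."""
    lines = []
    # A recruiter browsing by hand: 12 resumes over a working day, one IP.
    start = datetime(2007, 8, 20, 9, 0, 0)
    for n in range(12):
        ts = start + timedelta(minutes=40 * n)
        lines.append(f"{ts.isoformat()} emp-1001 198.51.100.7 resume-{1000 + n}")
    # A stolen account driven by a program: one resume per second, five IPs.
    start = datetime(2007, 8, 20, 2, 0, 0)
    for n in range(300):
        ts = start + timedelta(seconds=n)
        ip = f"203.0.113.{1 + n % 5}"
        lines.append(f"{ts.isoformat()} emp-2002 {ip} resume-{5000 + n}")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically


def parse_line(line):
    """Split one log line into (timestamp, account, ip, resume_id)."""
    ts, account, ip, resume_id = line.split()
    return datetime.fromisoformat(ts), account, ip, resume_id


def find_bulk_harvesters(lines, window=WINDOW,
                         max_resumes=MAX_RESUMES, max_ips=MAX_IPS):
    """Return {account: {reasons}} for accounts that exceed either threshold.

    Reasons are 'volume' (too many distinct resumes in the window) and
    'ip_spread' (too many distinct source IPs in the window).
    Lines must be in chronological order per account.
    """
    recent = defaultdict(deque)   # account -> events still inside the window
    alerts = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, ip, resume_id = parse_line(line)
        events = recent[account]
        events.append((ts, ip, resume_id))
        # Drop events that have aged out of the window.
        while ts - events[0][0] > window:
            events.popleft()
        if len({r for _, _, r in events}) > max_resumes:
            alerts[account].add("volume")
        if len({i for _, i, _ in events}) > max_ips:
            alerts[account].add("ip_spread")
    return dict(alerts)


if __name__ == "__main__":
    for account, reasons in find_bulk_harvesters(build_sample_log()).items():
        print(account, sorted(reasons))
```

Because the credentials in this incident were valid, a per-account rate and IP-spread check like this is one of the few signals available on the server side; it would feed an alert or a step-up authentication prompt rather than a hard block.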
  11. Monster doesn't help anyway--why use it? by Anonymous Coward · · Score: 3, Informative

    Monster and Dice are just meat markets. Relatively few people actually get jobs there, at least in IT. The real way you get a job is to know someone and have a good network of people. That's how I got my job, Monster and Dice never helped me. They're more like "cattle calls" for movie parts. Who knows, maybe Monster and Dice sell the email address lists to spammers...for the right price?

    Speaking of spammers, this is for you spambot email harvesters.

    1. Re:Monster doesn't help anyway--why use it? by bakana · · Score: 3, Insightful

      Yes, who you know is important. But, if I know someone that works a cool place and a job isn't available, where do I look? Your friend isn't going to create a job for you, he can tell you when a job will open up. I highly doubt he can talk his upper management into thinking a 3rd sysadmin would be needed. A lot of people get jobs because of who they know, for the rest of us who don't rub elbows with the Donald Trumps of IT, we get our jobs the old fashioned way. You either get recruited out of college, like myself, or you go through newspaper, Monster.com, and Dice like millions of others.

    2. Re:Monster doesn't help anyway--why use it? by Anonymous Coward · · Score: 2, Interesting

      I sure didn't rub my elbows with the "Donald Trump" of IT at my place of work. I just knew someone who recommended me, and I was able to take it from there with my ability. I probably wouldn't have this job but for that person (I wouldn't have even known about the opening).

      Unfortunately, Monster and Dice are indeed "cattle calls." More than once I've caught a Monster or Dice recruiter using my resume to try to land a government contract. Then, once getting said contract, that same recruiter fills that same position with one of his or her buddies. Without going into detail, I set up a couple of situations in which I confirmed that this was happening. Unfortunately, to my knowledge, there isn't a law against it (IANAL).

      So, the *idea* of Monster and Dice is good. Unfortunately, the real-life *implementation* isn't that good. Furthermore, you risk your information getting stolen, as this incident has shown. You're better off using the newspaper. I always had much better success with the newspaper than those two online cattle-call sites.

    3. Re:Monster doesn't help anyway--why use it? by uptownguy · · Score: 5, Interesting

      Monster and Dice are just meat markets. Relatively few people actually get jobs there

      Craigslist all the way. I am operations manager for a small IT firm and we've hired our last ten people from Craigslist. The response rate is fantastic. In most major markets, posting an ad is still free (for now). I keep getting calls from a rep. at Monster every three to six months asking me to pay $300-$400 PER LISTING at Monster. I let them know that I am perfectly happy with the quality, quantity and cost of Craigslist. There's a long pause and then they say maybe they'll give me a call in three to six months to check up on me. It's a little silly and arrogant to think that everyone will be able to get a job through personal connections. But Monster and Dice are so 1999. Craigslist is where the real action is.

      Hint to other employers out there: I've found that the quality of candidates who respond to postings is directly proportional to the quality of the ad that you post. Put some thought into what you write. (Note: The same holds true for Slashdot.)

      --


      I would have to say that explosives are the most abused technology in all of history.
    4. Re:Monster doesn't help anyway--why use it? by Anonymous Coward · · Score: 3, Interesting

      Craigslist is horrible! If I wanted to be scammed, or give details to someone so they can possibly try identity theft hijinks, or just know where I live so they can kick down my door for a home invasion robbery, I'd use them.

      I have had zero luck with Craigslist even for buying and selling. When selling, people demand that I accept their temporary checks, and won't pay otherwise, so I tell them to find another victim. When buying, I ask for some proof the item wasn't stolen, or at least show me that the item doesn't have major damage around the Kensington lock slot, and people fail on both these counts.

      It's not Craigslist's fault in any way, it's just that the site is a criminal's paradise.

    5. Re:Monster doesn't help anyway--why use it? by edittard · · Score: 1

      The real way you get a job is to have executive hair, be a graduate of the right school and be related to at least one person whose title follows the pattern C*O
      Fixed.
      --
      At the bottom of the /. main page it says 'Yesterday's News'. Well they got that right.
    6. Re:Monster doesn't help anyway--why use it? by penguin_dance · · Score: 3, Funny

      Craigslist...right.... Lots of ads, like the following:

      WEB DEVELOPER needed for growing company, must be prorficient [sic] in PHP, ASP, ASP.NET, C++, Java and XHTML. Students welcome. $10 hr.

      Oh, and here's a title from an actual ad now running (you can't make this stuff up):
      Big Dog Web Developers Needed for a Big Back End

      I don't even want to know.

      --
      If you've never been modded as "flamebait" or "troll," you've never tried to argue a minority viewpoint here!
    7. Re:Monster doesn't help anyway--why use it? by baadger · · Score: 1

      So what you're really saying is Monster.com is the equivalent of all those useless download sites for awarded software ...but for jobs. I think that analogy fits.

    8. Re:Monster doesn't help anyway--why use it? by RESPAWN · · Score: 1

      I think that's true to a point. Being able to get good candidates off of CL depends, at least partially, on how active CL is in your market. Granted, market size probably also factors in here, but let's compare my market to, say, Houston. Yesterday, there were 14 system/network admin jobs posted on CL for Houston. Here, there were 14 jobs posted in a over a month. The last job posting here was on Sunday, and in the past month the most active day was Jul 19 with 3 total posts.

      That said, I was hired via Monster.com. My previous job I received due to who I knew and the contacts I'd made, but this job was a cold hire straight from Monster.com. When I moved, I didn't know anybody with any sort of connections in the IT market here, so I used Monster and was successful. I also managed a couple of other job offers from Monster during my job hunt. IME, it wasn't nearly as useless as people make it out to be.

      --

      If Murphy's Law can go wrong, it will.

    9. Re:Monster doesn't help anyway--why use it? by notamisfit · · Score: 1

      I really can't comment on IT, but when I put my resume up on Monster for the energy field, I had to turn down several jobs in the mid to high five-figure range. (The one I ended up taking is high five to low six, but it involves 60+ hr workweeks and 95% of my time on the road. Not bad for a single guy with no college degree.). I guess it's all a matter of what's hot and what's not.

      --
      Jesus is coming -- look busy!
    10. Re:Monster doesn't help anyway--why use it? by Comatose51 · · Score: 1

      I've been out of college 3 years and have had two jobs. One was for a major hedge fund ($13 billion) and the current one is for a large software company. Both of them are/was awesome jobs and I was contacted by recruits via Monster.com. I know for a fact that at both companies Monster.com is used heavily and to some extent LinkedIn. We get tons of resumes but a lot of candidates simply do not cut it. A programmer with a MS in Comp. Sci. but has never dealt with multi-threading is hard to believe but they do exist. There's a ton of bad resumes and candidates on there but that doesn't mean that you can't get a job if you're actually good.

      --
      EvilCON - Made Famous by /.
    11. Re:Monster doesn't help anyway--why use it? by crabpeople · · Score: 2, Insightful

      Do you work for a newspapers classified section or something? I've done literally hundreds of craigslist deals and the worst you get is flakey people who hum and haw wasting time, or ask stupid questions. Cheque scams? I've never had anyone even offer to pay with anything but cash...

      The majority of items in my apt were purchased off of craigslist. Not to mention my car, my current job and the apt itself.

      --
      I'll just use my special getting high powers one more time...
    12. Re:Monster doesn't help anyway--why use it? by RobDude · · Score: 1

      I disagree completely...

      My last two jobs (plus two offers I refused) came from Monster/CareerBuilder.

      I put my resume up one night and the next day I had several emails, and phone calls. They do all the work; I check my email, check my voice mail and listen to the jobs. I call back the ones that seem like they don't suck. Then I go to the interview and get a job offer.

      'Being buddies' with someone is the worst way to get a job. I mean, who cares about credentials or your ability to perform a task...just be buddy-buddy with someone to get the job...I think it's crap.

    13. Re:Monster doesn't help anyway--why use it? by HungWeiLo · · Score: 1

      I'll be another data point for your "research":

      - Sold 2 of my cars in the last couple years at the posted price - both within 2 hours of posting.
      - Got my job there. Very happy.
      - Got all my wedding vendors there. Very happy for the most part.
      - Run my ads for my side business exclusively on CL. Get more business than I can handle.

      --
      There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
    14. Re:Monster doesn't help anyway--why use it? by Shadukar · · Score: 1

      "or just know where I live so they can kick down my door for a home invasion robbery"

      Not to imply that you are stupid, but are you aware that people can kick down YOUR door for a home invasion robbery without you telling them where you live?

      Additionally, are you aware that there are quite a few doors/houses as well as quite a few "home invasion robberies" without the involvement of craigslist ? I dare venture, and feel free to call my bluff, but I would say that majority of "home invasion robberies" take place without the aid of craigslist - thus, you posting your address or NOT posting it has very little if any effect on the possibility of your door getting kicked in ?

      ps, have you considered sending your resume in to foxnews ? you could go very far...

    15. Re:Monster doesn't help anyway--why use it? by fataugie · · Score: 1

      Consider this Craigslist ad:

      For Sale:

      Moving to nursing home.

      Rare coins, loads of my dead husband's tools, the large screen plasma TV, antique silverware, huge gun collection (I can't shoot so they do me no good).

      I'm on prescription medicine (vicodin, Percaset, Demerol), so no calls before noon please. Contact me for prices. Cash only please, I have plenty of money to make change!

      123 Off the Beaten Path St.
      Yourtown, Somestate
      ==================

      Ah yes, I can't see any reason for someone to target that nice old lady.

      --

      WTF? Over?

  12. cue sound: by doyoulikeworms · · Score: 5, Funny

    M-M-M-Monster Kill (...kill...kill...kill...kill...)

    1. Re:cue sound: by BaronElectricPhase · · Score: 1

      "GODLIKE!!!"

  13. They got me! by Chris+Pimlott · · Score: 3, Funny

    What a nightmare, I'm already being flooded by dozens of job offers for adult websites development...

  14. So to summarize... by saikou · · Score: 2, Interesting

    While the fact that employers' Monster account(s) were stolen/cracked/pilfered is sad, the article says that the trojan was essentially storing search results.
    That information is available anyways, as people with resumes in open access do want to be contacted so they publish the email/phone/name etc and anyone with a screen scraper can amass this pile of "personal data". There is no indication that job seeker's database was stolen.

    As for phishers I had a run in with one company claiming to "hire for Google" and demanding my SSN so they could "put my data into candidate database at Google, that absolutely demands SSN as unique ID".
    That was several months ago.

  15. Copied, not stolen by Meneth · · Score: 4, Funny

    Seriously, if even Slashdot can't use the word properly, how can we ever expect the MAFIAA to learn?

    1. Re:Copied, not stolen by pembo13 · · Score: 1

      It is really kinda sad.

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
  16. New ads on Monster tomorrow: by grasshoppa · · Score: 2, Funny

    Seeking networking security professional for immediate vacancy.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  17. Don't forget this news... by ngt · · Score: 1

    August 1st: "Monster.com lays off 15 per cent of staff" http://www.vnunet.com/vnunet/news/2195363/monster-com-lays-per-cent-staff It makes you think if one event leads to the other...

  18. Best headline ever by FrostedWheat · · Score: 5, Funny

    This story has the best headline I've seen on the BBC in a long time:

    Monster attack steals user data

    Ruh-roh! Someone call the Scooby Gang!

    1. Re:Best headline ever by Hoi+Polloi · · Score: 1

      "GODZILLA!" [crowd of Japanese pedestrians running in terror]

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  19. nah by someone1234 · · Score: 1

    There would have been dozens of comments which insult the submitter for the bombastic title.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  20. job scams by timmarhy · · Score: 1

    This could be used in job scams. be wary of job offers coming in from monster. always get a phone number from the phone book and ring them back to verify.

    --
    If you mod me down, I will become more powerful than you can imagine....
    1. Re:job scams by thetoastman · · Score: 1

      I have already been targeted with at least one job scam as fallout from this.

      I have gone back and searched through my Monster mail folder, and have found some interesting items. Apparently the Trojan phish has been tried at least twice. I have a mail message from February 27 and one from March 30 with links to non-Monster sites. The February 27 attempt was a little craftier in that the EXE file was not a part of the URL. The March 30 attempt contained the remote host name, and jobseeker_tool.exe as part of the URL.

      Both of the mail messages appear to have come from a Yahoo hosting service, hostingprod.com, which maps to geocities.yahoo.com.

      Fun and games, folks.

  21. Monster sucks donkey nuts by Wee · · Score: 2, Interesting
    Heh, heh. I thought the same thing. Monster emails are almost entirely spam anyways. I mean, they may have been relevant a few years ago (that's being charitable) but I've never had anything but crap from them.

    Nice bonus is trying to find a link on their website where you can contact a real human. Or contact anyone. They seem to assume that anyone who wishes to contact them is either a job seeker or job poster. I don't think this is an oversight. I do think the staff at monster.com don't want to be conversed with in any way. Slimy.

    I removed my "profile" years ago, but somehow they still persist in contacting me. Obviously, it's a one-way thing; I couldn't possibly email a real human there. Because if they *really* wanted to talk to me, I'd ask them to remove all my info and leave me the fuck alone.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

    1. Re:Monster sucks donkey nuts by drewzhrodague · · Score: 2, Interesting

      I thought the same thing. Monster emails are almost entirely spam anyways. I mean, they may have been relevant a few years ago (that's being charitable) but I've never had anything but crap from them.

      Seconded. Monster is an advertising vehicle, not a job board -- not anymore, at least. I've been trolling Monster for about 7 years now, and while I have had many many interviews, I have received about 10,000 spam messages from recruiters from all over the world. I do UNIX systems administration.

      Here's a fun trick, which I recommend for those trolling for recruiters:

      [] Sign up with El Jobboard
      [] Include superfluous keywords. I have a big block of text at the bottom with a ton of UNIX and systems keywords.
      [] Update your resume every Monday or Tuesday. Insert a space. Remove a word. Anything to get your resume 'updated'.
      [] Do the same with the other job boards, once a week.

      You'll receive tons of email from various recruiters offering you jobs from anywhere and everywhere. Most of them are bunk, which I discuss at one of my projects (shameless plug) Recruiter-Rater. I get offers from modeling agencies, insurance sales, and other completely unrelated stuff. I passively milk the jobboards for new recruiters to post about, as do a few of our other regular users.

      Otherwise, Craigslist is the way to go, if you are *actually* looking for work.

      --
      Zhrodague.net - I do projects and stuff too.
  22. Re:This is yet another reason to use Linux by Arimus · · Score: 1

    Errrr.... no.

    The program used stolen login credentials so linux and any other os would have thought the trojan was a valid user...

    --
    --- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
  23. Re:"US recruitment site"?? by janrinok · · Score: 1

    the Internet is AMERICAN

    A troll by any other name......
    --
    Have a look at soylentnews.org for a different view
  24. Re:"US recruitment site"?? by jombeewoof · · Score: 1

    Are you out of your mind?
    They specifically state it's a US site because it's a British article.

    You're dumb.

    --
    Linux Zealots: Smarter than Mac Zealots, but still zealots.
  25. got scammed by PipoDeClown · · Score: 1

    well I am not interested in stupid employees or stupid employers who fall for this kind of scam anyway

    1. Re:got scammed by animelover4all · · Score: 1

      Ironically, I got the e-mail stating that I needed to download the new tools back at the end of '06. Said I couldn't use monster.com if I didn't download these tools. I didn't download the tools, but I can still access monster anytime I need. I still have a copy of the e-mail in my mailbox, actually. Not sure why I've kept it, though....

  26. when did it happen? by Artifex · · Score: 1

    It could have been done over weeks or months, some time ago. This story doesn't say. I have had no notice from Monster about the breach in security, yet. Good thing I'm already in the middle of a round of interviews with a great company this week, for which I submitted a resume directly. I look forward to being able to delete my resumes and other information from Monster very soon.

    --
    Get off my launchpad!
    1. Re:when did it happen? by Cheeze · · Score: 1

      and you really, really hope that when you press delete, monster actually removes it from their database.

      --
      Why read the article when I can just make up a snap judgement?
  27. Omigosh!! by Eastender · · Score: 1

    I know my boss is a sadistic, slave driving control maniac, but this!

    --
    Capitalism is the Opium of the Masses; Customer is King is the slogan.
  28. Blame the data security officers & project mgr by JonTurner · · Score: 4, Interesting

    Upon reflection, I agree with you. It's not the admin's fault -- once it was in the admin's domain, it was already too late. IMO, this breach happened due to a design shortcoming, not a programming error. Let me explain: Any serious company with an internet presence should be asking "When a loss of an external user account/password occurs, what's the maximum damage that can occur? What can we do to minimize the impact?" Frankly, there is no reason at all that one user account (or even dozens) should be able to download 1.6 MILLION (!!) resumes. That's an incredible number!

    I'm shocked to think Monster doesn't have a limit on the # of resumes an account is able to d/l per some time period. (week/month/quarter). I don't know what that number is, but I'm thinking closer to "100" than "1.6 million". And didn't they run some cumulative activity reports once in a while to learn which accounts are the most active? And to what IP's the requests are being served? At the least, you'll know who your biggest customers are (or at least the ones who are taxing your servers) and where the data is going. At best, you'll spot problems like this breach as it is happening and stop it.

    So if someone must be sacrificed, line up the data security officers and a project manager or two. It's their job to be asking these questions and ensure they are compliant.

    Then again, hindsight is 20/20. Maybe the best thing that occurs from all this is we, on the sidelines, learn from their mistakes.

  29. Re:"US recruitment site"?? by IBBoard · · Score: 4, Informative

    ...you have an un-American bias

    We'll stop calling websites for the USA "US Websites" when you stop butchering our language. The word you were looking for is "anti-American" ;) "un-" means "not", "anti" means "against", you meant "bias against America" not "bias that's not American".

    Also, if you check your history then Europe created the public WWW (with the CERN site in France/Switzerland) and it was a Brit, Tim Berners-Lee, who first developed HTML and worked on the original HTTP specification (Wikipedia references).
  30. They have much bigger problems by oxygen_deprived · · Score: 1

    Here in India too, Monster runs a portal (monsterindia.com). The site is full of holes. I had informed them of the problems by email recently, and all they did was respond with a "thank you". That was more than a month ago; the holes are still there.
    Some examples:
    1. An attacker can create a profile/resume with embedded scripts that will steal a profile viewer's cookies and post to remote server (XSS). This way, one may steal "employers" details.
    2. An attacker can post a job with embedded scripts that can steal a job seeker's details.
    3. There also are more severe holes that have a bigger impact.

  31. Re:"US recruitment site"?? by dltaylor · · Score: 1

    No, he had it correct. When you tend to identify, with the shorthand "US * site", those web sites either based in, or of particular interest to the citizens/residents of, the United States of America in order to differentiate them from others, you are showing an "un-American" bias to take into consideration a global audience. The OP, blithering idiot that he is, shows a completely "American" bias to denigrate, or at least ignore, the global audience and the accomplishments of those outside "America".

    I quoted "American", BTW, since the USofA is only one of many countries in the American continents and "USA" could just as easily refer, for example, to the "Union of South Africa".

  32. Monster Spam by dharmadove · · Score: 1

    I received many of these emails that my access would be denied to Monster unless I installed the app. Yeah right, like I'm an idiot. Let's install some unknown crap on my PCs... I wanted to forward the emails to Monster's fraud unit but never could find any address on their site to email them to. I looked a long time too, I mean a loooooong time. Nothing but useless FAQ's. If they published a fraud address to forward them to for investigation it might have stopped a lot sooner. I get phishing emails all of the time for Ebay / Paypal on my domains and forward them. They respond (probably automated) but at least they find out in a timely fashion. Monster seems to be pretty lame security wise. Makes you wonder if their security folks have won any Irish lotteries or helped out that poor Nigerian woman collect her millions?

    1. Re:Monster Spam by ArcadeX · · Score: 1

      I never even bother searching. When I get fraudmail I just forward to abuse@. If it goes through, kudos to them for using a standard, if not, they may deserve any fraud and odds are they wouldn't check into anything anyway.

      --
      An I.T. motto in the hands of an idiot is a dangerous thing...
    2. Re:Monster Spam by superslacker87 · · Score: 1

      I actually succeeded through much perseverance and actually found out the email address. It's siteabuse@monster.com and I have used it on one occasion, though I could have used it many more times since then. I just haven't.

      --
      I run Ubuntu skinned to look like a Mac on a PC. Go figure.
  33. Re:Blame the data security officers & project by timmarhy · · Score: 2, Insightful

    it's called division of power. don't allow any one person the power to perform such a hack, and it raises the bar a lot.

    --
    If you mod me down, I will become more powerful than you can imagine....
  34. Re:"US recruitment site"?? by orcrist · · Score: 1

    ...when you stop butchering our language.

    Your language? Get over yourself. Did I miss the memo where the English who migrated to America suddenly lost their "magical English essence" which apparently comes from being on the soil where the language originally evolved? Kind of like how my sister is more closely genetically related to my parents because she still lives closer to them?

    Both Brits and Americans speak descendants of earlier forms of English. Nobody speaks the English which was spoken when America was colonized. A language belongs to all its native speakers. By any sane measure there are at least 3 times as many native speakers of the various American descendants of early Modern English (the English of Shakespeare's era) as there are of the various British descendants of early Modern English. So, democratically speaking.... ;-)

    I swear, Brits attacking Americans for perceived arrogance (such as claiming the Internet is purely American) and then turning around and claiming English belongs to them are priceless.

    P.S. The Angles, Jutes, and Saxons called from Germany and they ask that you Brits kindly stop butchering their language. :-P
    --
    San Francisco values: compassion, tolerance, respect, intelligence
  35. Forgot something? by Joseph1337 · · Score: 1

    Maybe now we will know why Kerry forgot Poland...

  36. Re:Porn by clickclickdrone · · Score: 4, Funny

    I know this will get modded down but...
    >thousands of minutes of erotic movies
    TIP: say hundreds of *hours*. Saying minutes really implies your target audience don't umm, last very long IYSWIM. Not good marketing to insult them up front.

    --
    I want a list of atrocities done in your name - Recoil
  37. Re:"US recruitment site"?? by Anonymous Coward · · Score: 1, Insightful

    And the WWW was originally designed by that well known Briton who was living in France and working in Switzerland...

    Besides, the article is written from the POV of the British reader, being as it's on a British news site and it was necessary to distinguish it from the UK portal.

    Not everyone lives in the US you know...

  38. Same trojan attacked Dutch bank by MoreCoffee · · Score: 3, Interesting

    The Dutch bank was attacked by the 'man in the browser' type of trojan, which cached the output from the challenge-response between user and bank. This bank by default performs two challenge-response sequences:
    1) when logging in
    2) when confirming a transaction
    A third is performed when transferring large amounts of money.

    Apparently, the trojan told the customer the first attempt had failed (while in the background preparing a transaction, which could be verified by the bank, because the client was so kind to re-authenticate (this time to the transaction challenge, while they were still thinking it was the login challenge)).

    Here's the story (in Dutch, hurrah)
    http://tweakers.net/nieuws/48895/Virus-ontfutselt-geld-van-klanten-ABN-Amro-update.html

    /steven

    --
    /steven - "Sleep is a totally inadequate substitute for coffee."
  39. Re:"US recruitment site"?? by Bloke+down+the+pub · · Score: 5, Funny

    Nobody speaks the English which was spoken when America was colonized.
    Sir, you are quite mistaken, and if you persist in perpetuating these fallacious fripperies I shall be honour bound to demand that you perambulate into my vicinity and repeat them, on pain of fisticuffs. Good day!
    --
    It's true I tell you, feller at work's next door neighbour read it in the paper.
  40. Re:"US recruitment site"?? by orcrist · · Score: 1

    :-) Now that's the kind of contribution from a Brit which I love: classic British irony. Nicely done.

    --
    San Francisco values: compassion, tolerance, respect, intelligence
  41. Not quite acurate... by Toreo+asesino · · Score: 1

    If you take a look at the history of the English lingo, it was easily recognisable as far back as the 14th century, and discernible all the way back until 900 AD if you really don't mind squinting.
    My point is that essentially, US English really isn't much of a shift at all away from English English, which is why many Brits will say that "it's our language". Personally though, I don't think anyone 'owns' a language, but recognition of origin is always nice.

    And yes, English language is more or less the same as it was when the US was colonised. Things have changed for sure, but if it's variations you're looking for, you need not look any further than the UK itself - every major city has a variation of English far more extreme than US English will probably ever be.

    --
    throw new NoSignatureException();
    1. Re:Not quite acurate... by orcrist · · Score: 1
      You didn't read my sister-analogy at all, did you.

      US English really isn't much of a shift at all away from English English

      U.S. English isn't any kind of "shift" away from English English. They are both (admittedly slight) shifts away from the English which was spoken when they branched off from each other. Strictly speaking U.S. English shifted less, if you consider pronunciation and vocabulary.

      Let me state the analogy again, but in more detail:
      A couple has two children, let's call them John Doe and Jane Doe. John grows up and moves to another country where he marries and has a child, Jim. Jane stays in the hometown and eventually marries her high-school sweetheart; she and her husband are pretty modern-thinking, so he takes her surname and they have a kid, Jenny. Now does it sound in any way reasonable if Jenny starts talking down to Jim saying the Doe family is *her* family rather than *his*? After all she still lives where the "family started", right? The "origin" here is not the town, but the grandparents.

      (in the UK) every major city has a variation of English far more extreme than US English will probably ever be.

      This has no meaning. Variations have to be relative to *something*, and I suspect you mean they are variations from some mythical standard English; and what does 'extreme' mean in this context? That the differences among them are greater than the differences between any of them and a given U.S. dialect?

      If you take a look at the history of the English lingo

      I've done more than take a look. I've studied it.

      Look, I know language is fascinating; that's why I studied Linguistics. But I can hardly think of another field where more people think they are qualified to talk about it just because of its application in their daily life. Being facile with language and/or knowing some "little-known" facts, etc. implies no deeper or real understanding of the actual evolution and mechanisms of language than being a great lover makes you an expert in Genetics. Human language is not a construct like computer languages, and you can't meaningfully talk about a given language like some discrete 'object' and say "This is the actual real English and every other dialect is a variation of it", in the same way you can point ANSI C and say what's standard C and what's not.
      --
      San Francisco values: compassion, tolerance, respect, intelligence
    2. Re:Not quite acurate... by eharvill · · Score: 1

      Look, I know language is fascinating; that's why I studied Linguistics. But I can hardly think of another field where more people think they are qualified to talk about it just because of its application in their daily life. Being facile with language and/or knowing some "little-known" facts, etc. implies no deeper or real understanding of the actual evolution and mechanisms of language than being a great lover makes you an expert in Genetics. Human language is not a construct like computer languages, and you can't meaningfully talk about a given language like some discrete 'object' and say "This is the actual real English and every other dialect is a variation of it", in the same way you can point ANSI C and say what's standard C and what's not.

      Nice. I get into similar arguments with my wife who is from Spain and speaks the "proper" Castilian Spanish. She goes on and on about how Puerto Ricans, Mexicans, South Americans, etc "butcher" her beautiful language. What I think is very funny, and you might be able to confirm this, is the Castilian dialect was formed because a Spanish King spoke with a lisp and everyone in his court mimicked him and it spread throughout the region and eventually became the standard dialect. I haven't researched it, but I still like to get a rise out of my wife by telling her that story. :-)
      --
      At night I drink myself to sleep and pretend I don't care that you're not here with me
    3. Re:Not quite acurate... by Toreo+asesino · · Score: 1

      ok, well from my point of view, English has been English for the last 7 centuries, and even if you look at all the permutations of it from the point when the US got its independence until now (to use your example), there's very few changes relatively speaking, and thus....we do kinda have a claim on it as "ours" in that respect...it was 'built' in England, has split out into many other countries since, and hasn't really changed from the original pre-empire days of the UK.

      On the other hand, Latin is one example of a properly split language....Spanish, Italian, Portuguese and so on are all derivatives (as I'm sure you know), and all have very common ground, but not enough to call all the languages just "Latin". That's why, as a Spanish speaker, I can go to the pub with an Italian and actually have limited conversation with them (which btw, I have done), having never studied a second of Italian.

      --
      throw new NoSignatureException();
    4. Re:Not quite acurate... by orcrist · · Score: 1

      What I think is very funny, and you might be able to confirm this, is the Castilian dialect was formed because a Spanish King spoke with a lisp and everyone in his court mimicked him and it spread throughout the region and eventually became the standard dialect. I haven't researched it, but I still like to get a rise out of my wife by telling her that story. :-)

      I've heard that story too, but I have never heard a reliable confirmation of it. However, I can say with confidence that one of the principles of language change is that colonies are more conservative than their parent countries; IOW, if you want the more 'original' version of the language you will almost always find it among the most recently settled speech communities. This holds for e.g. English, Spanish, and French; interestingly, many French French speakers at least recognize this, but then rip Canadian French for sounding "archaic".
      --
      San Francisco values: compassion, tolerance, respect, intelligence
  42. And Monster's publicity team says... by shadowspar · · Score: 4, Interesting

    Nothing. Absolutely nothing.

    The story's all over the media and the internet, Symantec has a blog post and a virus writeup, and what's on the front page of Monster? Not a damn thing. No "your personal info may have been stolen", "hey, yeah, that data breach thing, we're looking into it", no acknowledgement of any kind. Their press page contains bulletins about the Monster Employment Index and their top ten workplace etiquette tips. Looks like we're going to see another good example of how not to handle negative press related to a security issue.

    --

    There is a spellbook here; eat it? [ynq]

  43. Trustworthiness by just_forget_it · · Score: 1

    Is it strange that I trust the thieves with my data more than Monster.com?

  44. Re:Blame the data security officers & project by ptudor · · Score: 1
    Having RTFA, my first comment is "wow, what a great press release from Symantec."

    The sort of anti-spider technology you describe was in place years ago and likely still is; think of the trade value of Monster's data. Now, instead of the traditional overly active account from an identifiable netblock imagine someone using their own zombie network to scrape a single resume/job/data an hour from across a few thousand machines. Wild speculation on my behalf but it's easy to fly under the radar if you try. (There are probably plenty of people competent enough to avoid common active countermeasures, story at eleven.)
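The per-account download cap and cumulative activity report proposed in comment 28, run against the low-and-slow, many-host scraping described in the comment above, as an added example that is not part of the original thread. The class and function names, thresholds, account names and log events are all constructed for illustration; nothing here reflects Monster's actual systems.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AccountQuota:
    """Sliding-window cap on resume downloads per employer account (hypothetical)."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._seen = defaultdict(deque)  # account -> timestamps still inside the window

    def allow(self, account, ts):
        q = self._seen[account]
        while q and ts - q[0] >= self.window:
            q.popleft()                  # forget downloads that aged out of the window
        if len(q) >= self.limit:
            return False                 # over quota: deny, do not record the attempt
        q.append(ts)
        return True


def activity_report(events):
    """Cumulative totals per account, keyed on the account rather than the source IP."""
    totals = defaultdict(int)
    per_ip = defaultdict(lambda: defaultdict(int))
    for _ts, account, ip, _resume in events:
        totals[account] += 1
        per_ip[account][ip] += 1
    rows = [{"account": a,
             "downloads": n,
             "distinct_ips": len(per_ip[a]),
             "max_per_ip": max(per_ip[a].values())}
            for a, n in totals.items()]
    return sorted(rows, key=lambda r: r["downloads"], reverse=True)


def flag(report, max_downloads, max_ips):
    """Accounts whose aggregate volume or IP spread exceeds the review thresholds."""
    return [r["account"] for r in report
            if r["downloads"] > max_downloads or r["distinct_ips"] > max_ips]


def sample_events():
    """Constructed log: (timestamp, account, source IP, resume id)."""
    start = datetime(2024, 1, 1)
    events = []
    # employer-A: an ordinary recruiter, 30 downloads in one morning from one office IP.
    for i in range(30):
        events.append((start + timedelta(hours=9, minutes=10 * i),
                       "employer-A", "192.0.2.10", f"a-{i}"))
    # employer-B: one credential used from 40 hosts, each taking one resume per hour.
    for hour in range(24):
        for host in range(40):
            events.append((start + timedelta(hours=hour, seconds=host),
                           "employer-B", f"198.51.100.{host + 1}", f"b-{hour}-{host}"))
    return sorted(events)


def run(limit=100, window=timedelta(days=1), max_ips=5):
    """Replay the sample log through the quota, then build the activity report."""
    quota = AccountQuota(limit, window)
    denied = defaultdict(int)
    events = sample_events()
    for ts, account, _ip, _resume in events:
        if not quota.allow(account, ts):
            denied[account] += 1
    report = activity_report(events)
    return dict(denied), report, flag(report, max_downloads=limit, max_ips=max_ips)


if __name__ == "__main__":
    denied, report, flagged = run()
    for row in report:
        print(row)
    print("denied by quota:", denied)
    print("flagged for review:", flagged)
```

In the sample, no single host behind employer-B fetches more in a day than the ordinary recruiter's one IP, so a per-IP threshold passes it; the per-account totals and the count of distinct source IPs are what expose it.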

  45. What user data? Monster is a fake site by gelfling · · Score: 1

    Everyone knows that. I never met a single person ever who ever got a job through monster. Or even got a callback. I doubt 1% of the listings on Monster are real.

    1. Re:What user data? Monster is a fake site by aarenz · · Score: 1

      I got my current job through Monster. I would suspect that the people that have posted resume information there would like their information to be made public. This is not like having your bank records made public. If you live somewhere and have a phone, how much more info do you think is usable in their system? I guess I do not see this as a big deal. If you want your information to be private, do not post it to someplace like monster. BTW, most of the information there can be made private if you choose the right options, so you get a blind email routed through monster to request if you want your information released, so they know that I have some education and maybe the city I live in, but not more than that until I put in a request to release the info to a prospective employer.

    2. Re:What user data? Monster is a fake site by XPACT · · Score: 1

      I've got my current job through monster, I simply responded to an ad. I didn't put my resume there, I had an account before but it was a long time ago, and my name could have been spelled differently.

    3. Re:What user data? Monster is a fake site by Chili-71 · · Score: 1

      I'm not saying Monster is great or even good, but it has worked for me. I arranged several job interviews through Monster - one just recently with a major insurance firm. It works, but only if you use it correctly: submitting your resume for a rocket scientist position when you have no training and only have a GED isn't going to get any call backs.

  46. Espoinage by N8F8 · · Score: 1

    I'm betting this stuff is espionage to get private data on Americans. At work we have been inundated with "greeting card" phishing over the last six months. The retards running our IT department seem helpless to stop it. I tried whining about it and got blown off. We're talking a top defense contractor here.

    --
    "God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
    1. Re:Espoinage by burning-toast · · Score: 1

      I'm not going to comment on Espionage, however, if you are using Clam-AV as a mail filter the unofficial signatures here:

      http://sanesecurity.co.uk/clamav/index.htm

      May help substantially.

      - Toast

  47. I've gotten a few jobs through Monster. by StressGuy · · Score: 1

    I've been using Monster.com since it was a gopher site called "occ". These days, I keep a resume on that site as a matter of course (which needs to be updated).

    Besides job hunting, it's also an excellent tool for getting a feel for what the market is like in a given industry center. Today, for example, I'm pretty happy with my present gig, but I still keep a resume on Monster.

    --
    A goal is a dream with a deadline
  48. Sweet by Wolfger · · Score: 1

    That's one way to get my resume out there!

  49. Re:"US recruitment site"?? by zrq · · Score: 1

    Did I miss the memo where the English who migrated to America suddenly lost their "magical English essence" which apparently comes from being on the soil where the language originally evolved?

    I think the name kind of gives you a clue here ... 'English' as in 'the language of the people of England' (or more specifically 'the language of the King/Queen of England'*).

    It is sort of like an open source project. When you break away from the group and establish your own project, you lose the modification rights over the original code base. If you want to take the basis of the language and evolve a new fork, called say 'American', then go for it.

    * Yes, the Scots, Welsh and Irish have their own distinct languages too, but history says that the King who won was the King of England**.
    ** This was not necessarily a GoodThing(TM).

  50. Didn't Monster just fire a lot of people? by Harlockjds · · Score: 2, Interesting

    Didn't Monster just fire a lot of people? I'm guessing they let someone go who has access rights that weren't revoked (or happened to know someone's login info who wasn't fired) and that person decided to 'get back'.

    1. Re:Didn't Monster just fire a lot of people? by newdsfornerds · · Score: 1

      They are hiring Linux sysadmins for the Maynard, MA (headquarters) office. I interviewed there a few weeks ago for said position(s). They are primarily a Windows (IIS) shop and mainly use Linux for Oracle. As of yesterday, I was still seeing a listing in my Monster job agent results for this Linux admin position. Hmmm.

      --
      Damping absorbs vibrations. Dampening is caused by moisture.
  51. Re:"US recruitment site"?? by Beyond_GoodandEvil · · Score: 1

    'the language of the King/Queen of England'*).
    You mean French?

    --
    I laughed at the weak who considered themselves good because they lacked claws.
  52. Re:"US recruitment site"?? by orcrist · · Score: 1

    Sigh. More cluelessness. I feel like a Biologist talking to a roomful of creationists. By your logic ("it is what you call it") all the Native-Americans should be citizens of India, right? And Amerigo Vespucci is the... I dunno, inventor of America?

    Look if you guys want to jump into the debate, at least read the points I'm making in the other posts, and maybe read up on the relevant fields of Linguistics.

    I'm obviously not getting through to anyone, which I should be used to by now.... everyone thinks they're an expert on Language. Maybe another Linguist wants to take it up; I'm done here.

    --
    San Francisco values: compassion, tolerance, respect, intelligence
  53. Re:Porn by NatasRevol · · Score: 1

    Slashdot: Helping those who sell porn to have better ads...Stuff that matters!

    --
    There are two types of people in the world: Those who crave closure
  54. GOOD! by Vampyre_Dark · · Score: 1

    I hate Monster. Nothing ever works there. All the forms to fill out are always broken to hell. It's fun having to answer questions on forms when the part of the text that tells you what the question is about is cut off. It's always a treat when something I want to apply for can only be done through monster and I have to deal with a page full of script errors and missing text, or that won't accept Canadian data on a Canadian form because it's not valid US data. It's even better that it will only allow you to give an answer with numbers, where it's out of context. Binary must be in this year.

    Just about the only thing that works correctly is the offer to join the Columbia House DVD club every 3 times a page loads.

    So it's nice to hear they got fucked up the ass. May your bleeding asshole be front page news.

  55. Actually, just visited Monster.com and... by StressGuy · · Score: 1

    here's what I found..

    http://help.monster.com/besafe/

    I don't know if what they are talking about is related to this or a separate problem however.

    --
    A goal is a dream with a deadline
    1. Re:Actually, just visited Monster.com and... by shadowspar · · Score: 1

      Yeah, I saw their homepage link to http://help.monster.com/besafe/email/, but I thought that was a general "don't respond to phishing email" warning. It doesn't give any indication that it's something they put up specifically to address this. Mind you, looking back at monster.com in the wayback machine, they don't appear to have had that link on their homepage back on 14 June.

      --

      There is a spellbook here; eat it? [ynq]

  56. Re:"US recruitment site"?? by IBBoard · · Score: 1

    As someone else mentioned, it's "our" language because it's English. "Your" language is American. American is a derivative of English that branched off with colonisation, while 'modern' English is the continuation of older English that has remained in England.

    If you want to be picky then we speak British English, but people don't tend to say "he speaks British" whereas they do say "he speaks American" for American English.

    I think you did miss the memo, though. Anyone who emigrated to America became (eventually) American. Yes they have English/British heritage, but they're still American ;)

    As for the Angles, Saxons and Jutes, that's apples and oranges. We developed their language and it gained a different name. Americans speak American and often insist on just calling it English (like the amount of times I've seen games install as "English" then use "color"). Not quite the same situation ;)

  57. Re:"US recruitment site"?? by IBBoard · · Score: 1

    From that definition then IMO you'd be showing an international or non-American PoV, but not an "un-American bias". Bias implies some form of degradation or improvement in opinion based on a PoV. PoV is just the point of view with regards who "you" are and what's local (and for the BBC then British is local) with no particular changed opinion.

    My original suggestion of "anti-American" was because the OP seemed to be saying that it was some form of racial bias that we were specifically picking out the Americans as if they were different when they were a large proportion of the Internet.

  58. ID Theft Protection? by ZOMFF · · Score: 1

    Does this mean monster may be offering ID Theft Protection for 1.6 million people? Hasn't it been the case with previous data theft cases like this that the company provides ID monitoring or protection like in Ohio?

    --
    Launch every sig.
  59. Re:Blame the data security officers & project by roaddemon · · Score: 1

    Actually, I used to work at Monster and they were very strict about this. They had several levels of spidering detection and prevention, both at the data level and IIS request level. I'm curious how this bypassed those throttles.

  60. Re:Blame the data security officers & project by ari+wins · · Score: 4, Funny

    Maybe the best thing that occurs from all this is we, on the sidelines, learn from their mistakes.

    I'd love to, but then I'd actually have to RTFA, and I don't have time today. I have to get a copy of my birth certificate and a visa, so I can help out my new Nigerian friend with a lucrative situation.

    --
    Don't worry if you're a kleptomaniac, you can always take something for it.
  61. Re:Blame the data security officers & project by flosofl · · Score: 1

    WTF does this have to do with anything? This is about Monster.com and data disclosure, not gratuitous bashing of a Linux distro. Yes, we get it, you don't like Ubuntu. If this were an article about Linux, that would be one thing, but this is not the place. Mods, please rate parent offtopic or troll, it fits either (as it regards this particular article)

    --
    "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
  62. Old News / Ransom-Ware by duplo1 · · Score: 1

    Did anybody even bother to read TFA??? The victims of the attack were recruiters, not candidates. Most recruiters I've heard about, with some exceptions, aren't the most technically minded shall we say.

    More interestingly, the recruiters' accounts were configured to send out emails with a bit of malware attached, which encrypted user files, such as documents. Fortunately, the encryption was fairly weak, and I hear most of the files were recovered.

    I actually heard about this several weeks ago from a friend who works at an undisclosed government agency that was hit by this. I'm surprised it took this long to report.

  63. Re:"US recruitment site"?? by Virgil+Tibbs · · Score: 1

    what makes you think that's a brit?
    :

    "yeah?
    yeah?
    c'mon,
    you wanna fight now then?
    fucking wanko
    I'll fuckin knock ya out!"

    -that would be more like the average brit, if you go to the UK these days.

    as it has been noted - the language used in the parent comment is the root of American & Australian & British English.

    I'll give you a metaphorical pound for every (living) person in the UK who ever says "tallyho, what up, old chum?"

    --
    www.tdobson.net #### Dare to Dream #### blog.tdobson.net
  64. Re:"US recruitment site"?? by orcrist · · Score: 1

    what makes you think that's a brit?

    The username "Bloke down the pub" and his sig; Sure it's an assumption, but I felt it was a fairly safe one. Maybe he'll correct me if it was wrong...

    The way he was speaking in the quote was obviously ironic and I didn't take that to mean anything other than that he's funny.

    --
    San Francisco values: compassion, tolerance, respect, intelligence
  65. Re:Blame the data security officers & project by flosofl · · Score: 1

    Dude, I'm not upset because of your opinions on Ubuntu. I could not care less about what you think of Ubuntu or GRUB. What I care about is the thread-jacking. How should I put it... this is not an article about Linux, Ubuntu or GRUB. The post you are referring to is talking about design considerations from a security perspective as it regards user access. Specifically Monster.com.

    Ubuntu has fuck all to do with anything in this context. You thread jacked, so either troll or off-topic is only appropriate here.

    --
    "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
  66. Re:"US recruitment site"?? by Virgil+Tibbs · · Score: 1

    The way he was speaking in the quote was obviously ironic and I didn't take that to mean anything other than that he's funny.
    sorry, it just....
    I don't like some American stereotypes of Europeans... that's all... I should have realised Slashdot by definition is full of people who are relatively broad minded
    again
    apologies
    --
    www.tdobson.net #### Dare to Dream #### blog.tdobson.net
  67. My only question is... by charleste · · Score: 1

    Why did we hear about this on the news? Why didn't Monster notify the users first?

  68. Re:"US recruitment site"?? by orcrist · · Score: 1

    No problem dude; that's very gracious of you :-) I get riled up by European stereotypes of Americans so I can understand ;-) After all, I'm an American who's lived in Germany for 12 years and spent a couple of years of that making regular business trips to the U.K. so I get it coming and going :-/

    --
    San Francisco values: compassion, tolerance, respect, intelligence
  69. Re:"US recruitment site"?? by IBBoard · · Score: 1

    What is this "What up" of which you speak? I regularly greet my acquaintances with a cheery "What-ho, old chap" and can often be heard yelling "tallyho" as I ride off on the thrill of the hunt* in my spanking red uniform with baying hounds at heel, but never have I uttered "what up". To my finely attuned ears it almost sounds like the language of yobs with their lower-class call of "what is up".

    Now, I demand you hand over a metaphorical pound so that I may deposit it in my metaphorical savings account. And no metaphorically handing it over - that would just be unsporting and definitely not cricket.

    * I've never actually gone hunting, and don't plan to. I've never ridden a horse for one thing!

  70. Monster Tool? by PPH · · Score: 1

    I thought this was just another one of those pecker enlargement scams.

    --
    Have gnu, will travel.
  71. Re:Blame the data security officers & project by Tom+Veil · · Score: 1

    I'm shocked to think Monster doesn't have a limit on the # of resumes an account is able to d/l per some time period. (week/month/quarter). I don't know what that number is, but I'm thinking closer to "100" than "1.6 million". And didn't they run some cumulative activity reports once in a while to learn which accounts are the most active? And to what IPs the requests are being served? At the least, you'll know who your biggest customers are (or at least the ones who are taxing your servers) and where the data is going. At best, you'll spot problems like this breach as it is happening and stop it.

    Technically, we don't know that this isn't the case. Look at the article again:

    Symantec said the log-ins were used to harvest user names, e-mail addresses, home addresses and phone numbers, which were uploaded to a remote web server.

    The stolen data could be used to send phishing and spam e-mails.

    "This remote server held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website," reported Symantec.

    Correct me if I'm mistaken, but the article doesn't say anything about how many resumes were stolen or how the breach was discovered. The server had 1.6 million resumes available, but for all we know the program downloaded 200 of them before hitting a maximum download quota. I'm not saying that that's necessarily what happened; I'm just saying that we don't really know what happened without more information.

    --

    There's nothing you have that they can't take away: Absolute zero, Gentle Jack, bottom line.
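
The per-account download quota and cumulative activity report that comments 59 and 71 describe, sketched as an added example; it is not part of the thread and not Monster's code. The log format, account names, IP addresses, the 24-hour window and the quota of 100 (taken from the "closer to 100" guess above) are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

QUOTA = 100                    # assumed cap on resume views per account
WINDOW = timedelta(hours=24)   # assumed rolling window for that cap

def parse(line):
    """Parse 'ISO-timestamp account ip resume_id' (constructed log format)."""
    ts, account, ip, resume_id = line.split()
    return datetime.fromisoformat(ts), account, ip, resume_id

def build_sample_log():
    """Constructed data: one ordinary recruiter and one scripted harvester."""
    start = datetime(2007, 8, 1, 9, 0, 0)
    lines = []
    # recruiter_a: 12 views spread over a working day, one office address
    for i in range(12):
        t = start + timedelta(minutes=40 * i)
        lines.append(f"{t.isoformat()} recruiter_a 192.0.2.10 r{i}")
    # recruiter_b: 500 views at one per second, alternating two addresses
    for i in range(500):
        t = start + timedelta(seconds=i)
        ip = "198.51.100.7" if i % 2 else "203.0.113.9"
        lines.append(f"{t.isoformat()} recruiter_b {ip} r{1000 + i}")
    return sorted(lines)       # ISO timestamps sort chronologically

def activity_report(lines, quota=QUOTA, window=WINDOW):
    """Return the accounts whose view count inside any rolling window went
    over the quota, with the moment it was first exceeded (where a throttle
    would have cut the session off), the peak count, and the source IPs."""
    recent = defaultdict(deque)   # account -> timestamps still in the window
    ips = defaultdict(set)        # account -> every source address seen
    flagged = {}
    for ts, account, ip, _resume in map(parse, lines):
        q = recent[account]
        q.append(ts)
        ips[account].add(ip)
        while ts - q[0] > window:     # drop views that aged out of the window
            q.popleft()
        if len(q) > quota:
            hit = flagged.setdefault(account, {"first_exceeded": ts, "peak": 0})
            hit["peak"] = max(hit["peak"], len(q))
    for account, hit in flagged.items():
        hit["ips"] = sorted(ips[account])
    return flagged

if __name__ == "__main__":
    for account, hit in activity_report(build_sample_log()).items():
        print(account, hit["first_exceeded"], hit["peak"], hit["ips"])
```

The window length matters as much as the quota: the same sample log passes unflagged if the counter only looks back one minute, because the scripted account never exceeds 61 views in any 60-second span.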

  72. Re:"US recruitment site"?? by pjt33 · · Score: 1

    By your logic ("it is what you call it") all the Native-Americans should be citizens of India, right?
    Actually, that's the precise opposite of GP's argument. By his logic native Americans, not being from India, should not be called Indians.
  73. Hilarious by obeythefist · · Score: 1

    What are people worried about?

    They stole resumes!

    I highly doubt there is any real, non-falsified personal information in any of those! Not if any of the resumes I've ever seen have been any indication.

    --
    I am government man, come from the government. The government has sent me. -- G.I.R.
    1. Re:Hilarious by css_crazy · · Score: 1

      Actually, Monster.com is the *last* place you should go if you are serious about finding a real job. "Some things I know; some things I don't know."

  74. Re:"US recruitment site"?? by zrq · · Score: 1

    By your logic ("it is what you call it") all the Native-Americans should be citizens of India, right?

    No, it is the other way round. I'm suggesting we use the right name to describe things, so more like "call it what it actually is" than "it is what you call it".

    The people you describe as Native-Americans aren't from India, they are American, so we shouldn't call them Indians. That is a name imposed on them by the European colonists. They had perfectly good names for themselves before we invaded, we just ignored them.

    From Wikipedia : http://en.wikipedia.org/wiki/Indigenous_peoples_of_the_Americas

    The word "Indian" was an invention of Christopher Columbus, who erroneously thought that he had arrived in the East Indies. The misnomer remains, and has served to imagine a kind of racial or cultural unity for the autochthonous peoples of the Americas. The unitary idea of "Indians" was not one shared by most indigenous peoples, who saw themselves as diverse. Europeans however have not until recently acknowledged the scope and variety of indigenous American populations, but largely found it more convenient to talk about Indigenous Americans as a single fairly homogeneous group.



    ps

    everyone thinks they're an expert on Language
    Most definitely not - Apologies if my comments are naive, I freely admit that I'm not an expert.
    However, I am a native of England.
  75. Re:"US recruitment site"?? by Bloke+down+the+pub · · Score: 1

    Europeans? Don't go lumping Her Majesty's subjects in with them, you bounder!

    --
    It's true I tell you, feller at work's next door neighbour read it in the paper.