Slashdot Mirror


Monster.com Malware Tags Another Site

bl8n8r writes "The first wave of problems for Monster.com came in the form of malware as recruiters cluelessly pointed trojaned Windows systems into Monster's database. The incident reportedly gleaned more than 1.6 million records from the job search site's database. The second incident followed two days later in the form of an infected Monster.com server pharming out malware by way of advertisements hosted on its websites. The latest incident now shows jobseekers using USAJobs are also at risk from the pharmed Monster trojan. The worst part is Monster.com seems to shrug it off with: 'As is the case with many companies that maintain large databases of information, Monster is from time to time subject to illegal attempts to extract information from its database. Despite ongoing analysis, the scope of this illegal activity is impossible to pinpoint.'"

  1. NEVER use Windows as a server OS. by Anonymous Coward · Score: 3, Insightful

    If there's one thing we've been shown over and over and over and over and over and over again, it's that Windows is just not a suitable OS to use in a server environment.

    The main problem is, as illustrated here, an insufficient level of security and quality. This isn't just a problem with Windows itself. This is a problem with the other Microsoft products that are commonly used on Windows, including IIS and SQL Server. They're far too easily compromised, and fixes never come rapidly enough.

    When high-quality products like Linux, Apache and PostgreSQL are available for free, there's really no reason to be using anything from Microsoft in a server environment. Hell, there are many reputable companies offering very affordable, and worthwhile, support for those products. And when the rare security issue does arise, a patch is usually available within the same day, if not within an hour or less.

    Maybe someday IT managers and executives will realize that Windows is clearly not the optimal way to go. There are alternatives, and they are far better when it comes to security, quality, reliability, efficiency, and most importantly, cost.

  2. Here, I'll pinpoint the scope for them: by Ant+P. · Score: 4, Insightful

    SELECT * FROM customers;
    I'm curious to know how they could screw up a simple thing like database security to the point where some Windows laptop on their network can just connect and do the above.

  3. Trollish submitter by packetmon · Score: 5, Insightful

    The worst part is Monster.com seems to shrug it off with: 'As is the case with many companies that maintain large databases of information

    Funny how they shrugged it off:

    Earlier this month, Monster discovered [a] a malicious code that attempted to harvest stolen email addresses from its database and transfer them to a server in Ukraine. The hackers then sent out phishing emails that claimed to be prospective employers offering a work-from-home job that asked for access to the user's bank account. Monster responded by notifying these job seekers that their contact records had been downloaded illegally and is now working with law enforcement officials and the appropriate regulatory agencies [b]. Monster also revealed that this incident was not the first time the company's database had been the target of criminal activity.

    The company says that to boost its security measures it is implementing new robust capabilities for worldwide monitoring and surveillance of site traffic, reviewing and tightening all site access policies and controls and launching a series of targeted initiatives to protect job seeker contact information.


    Source

    [a] Monster discovered: Did you note that Monster themselves noticed the infiltration? Wasn't posted to a full disclosure list, which means they caught it on their own for a change. Give them that credit.

    [b] Monster initiated contacting those affected and working with LEAs. This didn't come to light in the same fashion as, say, with what happened at LinkedIn. LinkedIn spurns bug bounty hunter. So why post such a trollish statement as "Monster shrugged it off"? There should be a mechanism to moderate those who post articles.

  4. We need to call those fools out. by Anonymous Coward · Score: 1, Insightful

    Those of us who know the dangers of Microsoft technology need to really start calling those people out. And I don't mean online. I mean in person, in the meetings where they're proposing their Microsoft-based "solutions".

    I've seen this happen in meetings before. During one such meeting, one DBA suggested the use of SQL Server 2005 for a new project. And immediately, two Oracle DBAs tore him a new asshole. They listed the numerous security issues that SQL Server has been plagued with. They listed a variety of technical problems with SQL Server. They basically told him that they would not stand for that kind of, as one of the Oracle DBAs put it, "raccoon shit" on their network.