Monster.com Data Stolen, Won't Email Users
chiguy writes "There's been another break-in at Monster.com. It's surprising that there are still unencrypted passwords stored in the database despite the previous hack, as is the decision to not email users — presumably so that no one will make a fuss. From PC World: 'Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence. The information does not include Social Security numbers, which Monster.com said it doesn't collect, or resumes. Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday.'"
When will companies face accountability for the damages they cause due to lax data security?
You don't think they make their money from posting jobs do you?
If only there was some kind of service where you could advertise for a network security guy...
I am a nigerian prince who wishes to hire you. I will send you a check for $60,000 to cover your employment of $55,000.
All I ask is that you purchase $5000 in laptops to send back to the parent company here. You can even keep one as your work computer.
As soon as we get the laptops we will send you another check for $100,000 to hire two employees. We only ask the extra $10,000 be sent back to the parent company.
I went in to change my password to something over 25 characters, with letters (upper and lower), numbers and special characters. It kept notifying me that the pass was not strong enough. I reviewed and followed the instructions, then extended it to over 50 characters. I received the same warning message even when clicking on the submit button - wtf?
After several attempts, I tried logging out and logging in with the new pass. Guess what, it did change!
Bad interface, bad notifications, bad programming, bad (or no) testing. No wonder they got had.
I mean really, if you can't design and code a simple change password feature....
If you have a Monster account, cancel it and leave a note in the "why are you canceling?" box. Don't make it some rant, but make sure you explain that you will not tolerate their incompetence, their unwillingness to take security of their users' personal information seriously, and their total lack of integrity by trying to hide the breach from their users. Then explain that you will try to get everyone you know to cancel their account for their own security. Finding jobs is all about networking...so is taking down misbehaving companies.
The only change I can believe in is what I find in my couch cushions.
I'm not terribly surprised. They have a casual approach toward development and quality assurance. In the early days of Monster at TMP Worldwide the QA department consisted of just two people - Fidelity demanded they focus more on QA so they brought me in (Fidelity was and probably still is their single largest account. At the time probably 75% of the jobs were Fidelity postings).
The code running the site was atrocious - and the web server consisted of a single DEC Unix box. They had terrible cross-browser issues (I can't remember if it was Netscape, which was still dominant at the time, or MSIE which completely broke). The developers had no clue what was wrong, so I did some digging and the issue was a lot of table cells and even table rows were never being closed. I logged the defects and was given access to the code (which was Datapult PF at the time - thank god it was not easy-to-write/impossible-to-read perl). I worked with the developers (coders, really) to identify where each type of cell was being generated, and where it should be closed. The code was such that I had to print it on a line printer and trace with pens where each cell was being opened, and there were a lot of cases where the code was not nested properly. It was UGLY. Well, after a few days I had fixed the bugs and it was rendering properly in "all" of the two major browsers, and even AOL.
(as an aside, Datapult PF was kind of neat - very readable and a much better alternative than ASP. I had taken the defect tracking system and enhanced it and wanted to clean up the database schema but there just wasn't time)
Then, by the time they closed the Framingham facility and moved to Maynard, the Fidelity contract had been finalized so they axed most of QA (read: all but one person) and offered me a job as a developer - for $38K, which was just slightly over half of what I was making as a QA engineer. I told them thanks, but no thanks, that $38K is actually quite insulting.
I don't know if they have a proper QA process and department in place, but back when I was there (1997 or 1998) the only people who liked the fact that there even was QA at all were the developers. Management, sales, etc. all hated us, and the parent company (TMP Worldwide) looked at QA as a cost center. They Just Didn't Get It then, and I wouldn't be surprised if they still do not have QA now and Still Don't Get It.
I don't know what they're running for a back end now, but the response headers say IIS 6.0 so I'd presume ASP.net. For .Net and PHP there are plenty of harnesses to test for SQL injection bugs, which If They Get It, they would be running against the site, but far more likely it's a human issue (someone selling the info, since TMP Worldwide grossly under-pays permanent Monster employees, or at least did at the time) or the Windows server has a rootkit on it (if it is in fact IIS 6.0) -- or is the result of an untested bridge to other systems they integrate with. If their modus operandi is still that of TMP Worldwide and they view QA as unnecessary unless a client demands it before awarding a large contract (Fidelity is a company which Does Get It) then I would not be surprised if QA personnel and processes are both totally lacking.
It was a fun contract - don't get me wrong. I liked the people I worked with, and I liked working with the developers to fix the problem, but TMP as a whole just doesn't get it. Monster needs to be run internally like a software company, since it is a large internally-developed software project which is CONSTANTLY being enhanced with more and more features and integrated with other systems (ad servers, etc.). It's not a small project by any means and proper QA from requirements through deployment and maintenance is the only way to minimize liabilities such as this.
As an aside: does anyone out there remember the sleeping monster? The sleeping monster was in place whenever code was being moved from the staging server to the live server, or when the Oracle database would go down. The sleep
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Log in, delete your resumes and cover letters, change your password to some random crap. Then, go to the preferences home page and there is a "cancel my account" option. Leave them a nice note explaining how they deserve to go out of business and where oh where could they find a security person with a clue about hashed password storage.
Learning HOW to think is more important than learning WHAT to think.
The real kicker is the law requires the firm with a data breach to inform several state agencies AS WELL AS the person whose data has been compromised:
"The law requires that a person or agency that owns or licenses personal information about a resident of the commonwealth notify the attorney general, the director of consumer affairs and business regulation, and the affected resident if it "knows or has reason to know of a breach of security""
"Where is my mind?"
This is why I only use randomly generated passwords for these types of sites, and store them in my password safe. They may have gotten my Monster password, but they won't be getting into anything else.
--
Luck is just skill you didn't know you had.
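The comment above relies on a per-site random password, and the earlier comment about the change-password form describes a strength check that rejected a long mixed-character password it had in fact accepted. As an added example that is not from the thread or from Monster.com, the block below generates such a password from the CSPRNG in Python's `secrets` module and exposes the strength check as a function that reports exactly which character classes are missing, so the server and the user see the same verdict. The character classes, the 24-character default and the symbol set are choices made for this example.

```python
import math
import secrets
import string
from typing import List

# Character classes are an assumption for this example; a real policy may differ.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())     # 26 + 26 + 10 + 24 = 86 symbols


def missing_classes(password: str) -> List[str]:
    """Name every required class absent from the password; empty list means it passes."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def is_strong(password: str, min_length: int = 16) -> bool:
    """Single yes/no verdict a form should use, built from the same rules it reports."""
    return len(password) >= min_length and not missing_classes(password)


def generate_password(length: int = 24) -> str:
    """Draw uniformly from the alphabet with secrets.choice; redraw until every class appears."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on guessing work for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "->", round(entropy_bits(len(pw)), 1), "bits; strong:", is_strong(pw))
    print("missing in 'password1':", missing_classes("password1"))
```

Because `is_strong` is derived from `missing_classes`, the message shown to the user can never disagree with the decision the server makes, which is the mismatch the change-password comment ran into.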
Congratulations. You gave them grounds to not employ you based on the fact that you falsified information on a resume.
I don't disagree with your primary point entirely, but for goodness sake if you think that the result is sufficient evidence to prove discrimination, by all means file a lawsuit.
Telling Slashdot isn't going to help.
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
Then why don't they file it after the fact that they've hired the qualified persons? They don't need to know that data beforehand.
Random Thoughts From A Diseased Mind (Not For Dummies)