Vudu Resets User Passwords After Burglary

New submitter Chewbacon writes "If you can't hack it, smash and grab it. Video streaming service Vudu has emailed customers informing them of the theft of hard drives containing customer information. CNET reports the information on the stolen drives included: names, e-mail addresses, postal addresses, phone numbers, account activity, dates of birth, and the last four digits of some credit card numbers. Vudu's Chief Technology Officer Prasanna Ganesan said while no complete credit card numbers were stored on the hard drives and expressed confidence in password encryption, he felt the need to be proactive with the password reset and encouraged users to be proactive as well should the encrypted passwords become compromised. Vudu fails to mention, perhaps in a downplaying move, the last 4 digits of a credit card and much of the other information stolen is often enough to access an account through virtually any company's phone support."

you data isn't safe

[Nyder]

when the thieves come in thru the window. (No, not Windows OS, but the actual window.)

Re:you data isn't safe

[Big+Hairy+Ian]

Physical security is just as important as online security you can get just as much info out of a PC in a skip as you can online if it wasn't wiped correctly for instance.

Re:you data isn't safe

If they steal our drives they're none the wiser. Use the OS-provided disk encryption people, the boot drive doesn't necessarily need to be encrypted but databases and log files should be.

To successfully "steal" our data this way the thieves need to arrive with a portable UPS, isolate the right machines, swap them over onto the UPS and then steal them still running, whereupon they can probably use some existing exploit to get past the login screens etc. on console. That's a big ask, considering they have to do all this against the clock because there's a silent alarm.

We have the facility locked down. Who picks up the trash? The sysadmins do. No cleaners, cleaners are too easily compromised, you hire Bob, he sends Jerry instead, next thing you know some guy with no paperwork is in the building and nobody realises it's a problem. So no cleaners. No unescorted visitors. No contractors, no "guy from the phone company" nothing like that.

Actually a bigger risk is just bribing or threatening a sysadmin. Get a sysadmin, put a knife to his throat and say "Copy all the data, or else we kill your kids, understand?" or maybe "Here's $50 000 in cash. There's another $50 000 when you give us a USB stick with the data on it". We make sure we hire people with no debt problems, that we pay them well and know we'll take care of them if anything happens, but we can't be 100% sure nobody will get to them. We emphasise that they shouldn't explain what they do, shouldn't be too explicit about their role, what they access to, but obviously people aren't always as careful as you'd like.

Re: you data isn't safe

The disks may have been encrypted, and the database may have been too ... but they didn't say things were encrypted except for specifically stating that they were confident in the password encryption.

Re:you data isn't safe

We? Are you with Vudu?

And you seriously think people in debt are the only ones who would accept a $50,000 bribe? You clearly do not pay attention to U.S.A. Politicians and corporations.

cheap bastards

[FudRucker]

keeping a night-watchman (armed guard) on duty during "off hours" would have more than likely prevented this

Re:cheap bastards

[cbiltcliffe]

Maybe they had a night watchman, and he's the guy that stole the drives.

Re:cheap bastards

[ThatsMyNick]

Cheap bastards. Having a night watchman to watch this watchman would have prevented that.

Also, you should have gone for - Who watches the watchmen. How could you miss it.

Re:cheap bastards

[lxs]

Who watches the watchmen.

I know! That movie is like three hours long.

Re:cheap bastards

But...who watches the watchmen that watches the watchmen. And who watches theMAXIMUM RECURSION DEPTH.

Re:cheap bastards

[Kardos]

Sounds like you need to increase your maximum recursion depth. With a limit that low, why even support recursion?

Re:cheap bastards

[Qzukk]

Maybe they cut a new back door while the guard was watching the front one.

Re:cheap bastards

Who watches the watchmen.

I know! That movie is like three hours long.

Yeah, but it is entertaining, and you can always hit the II button (I believe it's short for "iintermission") and take a breather, then watch the rest.

I wonder if that thing they did with the door frame in Neal Stephenson's "Cryptonomicon" would work in real life to prevent the compromise of information from stolen magnetic media? (Basically, the door frames had embedded wires with current running through them to wipe any magnetic media carried through them, so when Comstock raided Ordo's offices, the HDD's were supposed to be wiped like they'd gone through some BOFH's bulk-eraser.) If so, you'd have to disable the system whenever carrying magnetic media in or out of the room, and every opening to where the HDD's are kept would have to have this implemented, and moreover it would have to be configured to continue to operate even after power had been shut down, (on an UPS) and for some time... of course, booby-traps would work too...

For example, you could put the HDD's in a container that if you move it, or attempt to open it improperly, it Thermite's the contents... which of course are in a housing that prevents being able to remove the drives quick enough to save them from being melted. If you melt the stack of discs inside the drive, I think that renders the contents unrecoverable, though I could I suppose be wrong...
 

Re:cheap bastards

How could the night watchman have access to the drives? Why weren't they kept in a secured room only accessible by some combination of fingerprint scanner, key fob, and combination lock?

Re:cheap bastards

uh-huh.... And just how much does that cost? (An armed security force providing 12/7/365 coverage?) Oh, don't know? How unsurprising.

Then you've got the overhead liability if that person ever fires on someone (doesn't even have to, come to that, just pulling the weapon is enough for a lawsuit from an unarmed person.) And you've got the added risk that your guard will in fact engage in theft him-or-herself.

Yes, let's have every server in the country protected by an armed guard!

(Or one can try passive security, like cameras and locks, first. Discourages some, and for those it doesn't you've still got a record of when and how it happened.)

Who steals HDDs?

[fuzzyfuzzyfungus]

Does used commodity x86 server gear(with hot serial numbers, no less) actually have enough resale value somewhere that it would be reasonable to imagine that the thieves might actually have been after the hardware, or would they have had to have other motives(whether data access, or something else they thought was in the building) to make taking the risk worth it?

I can see the case for smash-n-grabs on consumer gear, especially laptops and iDevices and such, where gullible and/or morally flexible people do seem willing to buy dubiously sourced goods for a chance at cheap consumer electronics; but the phrase 'used hard drives from ebay' is the sort of thing that I'd only ever use in a server context if I were sneaking up behind an admin and trying to make him jump and turn a curious shade of purple...

Is the used market more robust than I give it credit for(or the scrap value higher)? Or would grabbing the hard drives be a fairly clear sign that you are after what is on them?

Re:Who steals HDDs?

DIMMs, video cards, CPUs and storage can all be sold quickly on ebay. No one logs serial numbers, and no on checks them.

Re:Who steals HDDs?

[jjjacer]

with the price of new drives not falling, maybe the used market has gotten bigger. i know back around the year 2000 at the super computer sales i swear i saw a bin of drives that got ripped out of stolen computers (looks like they were well used and abused and the seller looked like a drug dealer).

Or maybe people dont want to pay for new drives and are resorting to just stealing from places that have a large supply.

Re:Who steals HDDs?

[cdrudge]

Where does it say what type of drive was stolen or what it was in? Backups of a production database on a developers' laptop hard drives for instance would still fit the story if laptops were taken. Or if they were on external drives but used for the same purpose.

Even if they were "enterprise drives" in a server, NAS, SAN, etc there is some used market for them. Probably not the same market that wanted them new, but they'll still sell for the right price.

Re:Who steals HDDs?

[PlusFiveTroll]

If a thief thought he was getting a storage container full of SSDs, that could be enough motivation. Even used they go for big bucks, especially the enterprise ones.

My step-mom had her checking account put on hold once after a spurious transaction showed up on it. Come to find out a computer system from the electronic check processing company that Walmart uses was stolen by an employee and sold to some nefarious group.

Re:Who steals HDDs?

[Orestesx]

Why bother going through all that work when a waitress can just write down the cc number when she swipes your card.

Security through obscurity: don't clean up

[captainpanic]

Security through obscurity: My data is safe, even if the thieves break in. No way they can find anything in the mess that I call home. :)

Since everything was encrypted, no worries, right?

Everything was encrypted and the key was not stored locally, right? RIGHT? Fucking amateur hour wherever you look.

Last 4 digits = bullshit

Wish I knew which fucktard started that. The first 4-6 digits identify your card issuer, so if I knew you had a discover card (6011) and the last 4 digits, it would halve the search space for your card and LUHN will take care of a huge chunk of the rest. I once freaked out a coworker by reading her credit card number aloud as she typed it from across the room - she had the same university CC I had, the first 8 digits were the same. Look in your wallet and tell me how many cards you have from the same bank? If you were given back the first 4 digits of the card # on your receipt, you'd know exactly which card you used. Nobody else needs to know.

Re:Last 4 digits = bullshit

You are so smart; can I be your friend?

Good thing that:
a) credit card companies do not track transaction ATTEMPTS and lock out a card
b) there's no expiry date to guess
c) there's no security code that folks ask for when doing a transaction
d) CC companies don't monitor purchasing patterns

Anyways, they should have ENCRYPTED all the data not just the password.

Re:Last 4 digits = bullshit

I'm such a retard! I should never have let my CC company know what my credit card company was! Oh snap!

Re:From the who-the-hell-cares department

i'm a customer and i wouldn't have known about this if not for the slashdot article.

vudu customer

as a vudu customer the worst part is the realization that i can't cancel my account, can't remove my credit card info, and can't do anything other than sit on my hands. they offer some year long identity guard protection that looks more like a scam than anything actually useful.

googling to find out how to cancel the account reveals their suggestion of following the steps on their FAQ only there aren't any steps on their FAQ. instead there are complaints on google from 2008 onward about there being no steps to cancel on their FAQ. can't delete the credit card info without adding a new credit card. calls to their support desk let me know they don't open for hours (thanks for taking this seriously enough to extend your support hours) so i'm left sending an email to support@vudu.com and hoping someone decides to cancel my account otherwise there's nothing i can do.

sad thing is this is currently the most common way online businesses operate.

Re:vudu customer

[rossdee]

You can cancel that credit card and get a new cc number, and even change your email address. However changing your physical address is a bit more expensive, and changing your date of birth is not possible unless you have a time machine.

Re:vudu customer

Why would these sites need your date of birth ? Might as well give a random one.

Re:vudu customer

[operagost]

Federal law. Since it's an online service, it would require you to affirm your age is greater than 13 in the USA. They might also have requirements, due to content or similar requirements in other countries.

A secret you have to tell everyone

[jbmartin6]

It strikes me as a little silly to think that the type of personal information on those drives is somehow going to stay a secret. You have to give it to dozens of organizations: banks, employers, stores, and so on. So using this information as a security identifier is a very flawed approach. We seem to accept this since the level of fraud is tolerable. Plus the alternatives such as smart cards are extremely expensive to implement across all of society.

Re:A secret you have to tell everyone

just because some people have your information doesn't mean everyone does, and just because they can get it from somewhere doesn't mean you have to help them

Some people (mostly stupid people) get upset when someone refuses to hand over their personal information, or even asks what it will be used for. Treat these people like small children and either explain slowly if you think they might understand, or just smile and refuse (but don't leave), until they either continue with the process, or get someone with decision making power. And whenever you can't avoid giving information like for online forms, always lie, there are no legal consequences for it. Even if there might be legal consequences you can still minimize your exposure by doing things like using initials, or making "typos" in your data.

hard drive encryption, anyone

[Lluc]

How much do you bet this data was copied onto someone's laptop, sitting on a desk, rather than a thief breaking into a datacenter and pulling an entire server?

It seems to me...

that quite a few providers do not take security seriously. I know, having been in IT security for many years, that these types of services and companies attract the attention of miscreants looking for low-hanging fruit.

It's well known that once anyone has physical access to your stuff, all bets are off. Security is a process, not a product. No amount of guards, firewalls, etc., make a difference if your processes suck. No security is 100%, but what with so many companies being affected by either theft, cracking, DDoS attacks, etc., the idea of "defense in depth" has not sunk in. Companies are too quick to see the dollar signs but loathe to protect the investments allowing those dollars to flow.

I, like many other techies, am fascinated by online services (let's not say cloud, OK?) and what they can offer, but until online providers take security seriously, I refuse to place one bit on a server I do not control personally. I understand that spending money on security and setting up good processes is not only time consuming, but can be very expensive, but it's a most necessary item. Companies are loathe to spend money on things like security because there is no ROI on security. Apparently, there is no ROI without good security processes and defense-in-depth security.

Vudu?

[synapse7]

Anybody hear ever use vudu?

Re:Vudu?

[nevermore94]

Yup, I use and love VuDu. I currently have 38 movies in my collection on their service. Why, because they are the best online streaming service that supports Android tablets and they also offer the highest resolution streaming in their HDX format for my HTPC and laptop. You can also download local copies for viewing offline on Android tablets. I got much of my collection from redeeming UltraViolet codes from BluRays and also got some as free promotions. WalMart has also partnered with them to put any of your current BluRays or DVDs into your VuDu collection for only $2 a piece, $5 if upgrading a DVD to HDX.

Semi-security through obfsucation

[DewDude]

Yes, I. Use VUDU...solely because every BD I get has a redemption code for Vudu and UltraViolet. I'm not worried; they essentially got data on my that's accessable...last 4 of the CC number? That's been out there since. Everyone else merely just gets hacked. I don't use the same identity details on important things...you couldn't access my back with jus VUDU info...you need several pieces of info for that. At lease they're doing something; most places just say you're on your own and we're sorry...VUDU gave everyone affected a year of AllClearID identy protection.

Proactive proactivity

[zephvark]

Ganesan does not appear to have actually said "proactive" twice, or even once. "New submitter Chewbacon" is apparently a marketing droid.

Re:Proactive proactivity

I see it twice in TFA. Not reading TFA and complaining about TFS? Way to slashdot.

Less prison time if you get caught

[Linkreincarnate]

Seems like they would be better of just stealing drives than hacking anyway. What with how every da wants to make an example out of hacker types.