

Startups Increasingly Targeted With Hacks

ubrgeek writes: Slack, makers of the popular communications software, announced yesterday that they'd suffered a server breach. This follows shortly after a similar compromise of Twitch.tv, and is indicative of a growing problem facing start-up tech companies. As the NY Times reports, "Breaches are becoming a kind of rite of passage for fledgling tech companies. If they gain enough momentum with users, chances are they will also become a target for hackers looking to steal, and monetize, the vast personal information they store on users, like email addresses and passwords."

49 comments

  1. How is it a "rite of passage"? by khasim · · Score: 4, Insightful

    They're getting cracked because they're not paying attention to their security.

    After resetting users passwords, Twitch initially introduced longer password character requirements, but had to dial back its new 20-character password length requirement to 8 characters after users complained.

    Fuck you! If you cannot detect and mitigate a brute force attack then hire someone who can.

    Twitch also said it encrypted passwords, but warned that hackers might have been able to capture passwords in the clear as users were logging on.

    And make sure you know the difference between encrypted and hashed.
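The detection that khasim's comment calls for, as an added example that is not part of the thread and not any company's code: a sliding-window counter over failed logins that raises an alert for many failures against one account (online guessing) and for many failures from one source address across accounts (spraying). The log format and the sample lines are constructed for the example; the thresholds and window are assumptions to tune per site.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simple "timestamp user ip result" layout.
# The format is an assumption for this example, not any product's real log.
SAMPLE_LOG = """\
2015-03-27T19:00:01 alice 203.0.113.5 FAIL
2015-03-27T19:00:02 alice 203.0.113.5 FAIL
2015-03-27T19:00:03 alice 203.0.113.5 FAIL
2015-03-27T19:00:04 alice 203.0.113.5 FAIL
2015-03-27T19:00:05 alice 203.0.113.5 FAIL
2015-03-27T19:00:06 alice 203.0.113.5 FAIL
2015-03-27T19:00:30 bob 198.51.100.7 FAIL
2015-03-27T19:00:45 bob 198.51.100.7 OK
2015-03-27T19:05:00 carol 203.0.113.5 FAIL
2015-03-27T19:05:01 dave 203.0.113.5 FAIL
2015-03-27T19:05:02 erin 203.0.113.5 FAIL
2015-03-27T19:05:03 frank 203.0.113.5 FAIL
2015-03-27T19:05:04 grace 203.0.113.5 FAIL
"""

# Assumed policy values; a real deployment tunes these against its own traffic.
WINDOW = timedelta(seconds=60)
PER_USER_THRESHOLD = 5    # failures against one account inside WINDOW
PER_SOURCE_THRESHOLD = 5  # failures from one source IP inside WINDOW, any account


def parse_line(line):
    """Split one constructed log line into (timestamp, user, ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def detect_bruteforce(log_text, window=WINDOW,
                      per_user=PER_USER_THRESHOLD, per_source=PER_SOURCE_THRESHOLD):
    """Return a sorted list of (kind, key) alerts.

    kind == "user":   many failures against one account (guessing one password)
    kind == "source": many failures from one IP across accounts (spraying)
    Each key keeps a deque of recent failure times; entries older than the
    window are dropped before the count is compared with the threshold.
    """
    user_fails = defaultdict(deque)
    source_fails = defaultdict(deque)
    alerts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = parse_line(line)
        if result != "FAIL":
            continue  # successes do not count towards either window
        for table, key, threshold, kind in (
            (user_fails, user, per_user, "user"),
            (source_fails, ip, per_source, "source"),
        ):
            recent = table[key]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.add((kind, key))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, key in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {kind}: {key}")
```

On the constructed log this flags `alice` (six failures in six seconds) and `203.0.113.5` (the same address later cycling through five different accounts, which a per-account counter alone would miss). Feeding these alerts into throttling or step-up challenges addresses the guessing problem without the password-length fight the quoted article describes.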

    1. Re: How is it a "rite of passage"? by Anonymous Coward · · Score: 2, Insightful

      Seems users would rather be insecure than secure. Good for them.

      Just because the average Joe is a retard doesn't mean you have to be. Nothing says you can't use the 20 character password even when everyone else is using an 8 letter one. Their stupidity won't affect you.

      However, there's no excuse for a website doing something like storing passwords in plaintext. That's just fucking stupid.

    2. Re:How is it a "rite of passage"? by OzPeter · · Score: 4, Insightful

      They're getting cracked because they're not paying attention to their security.

      But start-ups are all about the most buzz you can generate in the shortest time. You need to get that product out the door ASAP because your competitors aren't going to wait for you to build your secure system first. After all, you're not in the business of security, you're in the business of connecting up the most people and building your community. /sarcasm*

      *Added because even I thought I was starting to sound like a lean-startup advocate

      --
      I am Slashdot. Are you Slashdot as well?

    3. Re: How is it a "rite of passage"? by Anonymous Coward · · Score: 0

      Venture capitalists and marketing scum spin it as a rite of passage...cornholing everything that moves, without a condom, in SF is a less risky endeavour than most startups' IT security practices.

    4. Re:How is it a "rite of passage"? by Anonymous Coward · · Score: 0

      They're getting cracked because they're not paying attention to their security.

      But start-ups are all about the most buzz you can generate in the shortest time. You need to get that product out the door ASAP because your competitors aren't going to wait for you to build your secure system first. After all, you're not in the business of security, you're in the business of connecting up the most people and building your community. /sarcasm*

      *Added because even I thought I was starting to sound like a lean-startup advocate

      Lean start-ups are not the problem. Poorly designed systems are the problem. Was Heartbleed the result of a lean start-up team developing OpenSSL? Nope. The team allegedly had some highly-knowledgeable security experts yet even they screwed up severely.

    5. Re: How is it a "rite of passage"? by gbjbaanb · · Score: 1

      like storing passwords in plaintext. That's just fucking stupid

      not as stupid as you think. Sure, encrypting your passwords is another layer of security but really, if an attacker gets your password database, then they can (and will) crack them quite easily today. Given that all you're doing is slowing the attacker down, it can be better to store them in plaintext.

      Because - if you know your passwords are precious and need to be looked after, you will take many more steps to ensure the attacker doesn't get them in the first place. Too many websites think that if the passwords are encrypted then they're all secure. They don't think the (small) effort to properly put the DB behind a middle tier layer and not allow any web application to directly access the tables is worth doing, and so they get hacked and the passwords get cracked.

      I blame the web development frameworks; if your idea of security is running it all inside the webserver that's public internet-connected, then you're going to get hacked.

    6. Re:How is it a "rite of passage"? by s.petry · · Score: 1

      Until very recent times the OpenSSL project was maintained by 2 guys who pretty much worked for free, meaning that they had to work full time jobs in addition to maintaining OpenSSL. You may have had a point somewhere, but it seems to have been lost in ignorance.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    7. Re: How is it a "rite of passage"? by s.petry · · Score: 1

      However, there's no excuse for a website doing something like storing passwords in plaintext. That's just fucking stupid.

      If it comes to a point where a hacker has your password file, it's too late. Sure. The bad practice made it easier for hackers at this point, but you were already compromised so you are really trying to protect "everything else" from that point on.

      IMHO it is a culture that needs to change to improve. Some start-ups are security oriented, those tend to have long term success. Some have little concern, and tend to be fly-by-night companies. The latter is due to people playing the economic lottery.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    8. Re: How is it a "rite of passage"? by Zaelath · · Score: 1

      You are dangerously stupid or trolling.

    9. Re: How is it a "rite of passage"? by Zaelath · · Score: 1

      What you say is true, however it doesn't excuse the negligence of storing passwords in plaintext, or even with poor hashing algorithms.

      Just because access to the password file is a major loss requiring everyone to change their passwords, that doesn't mean a good hashing algorithm doesn't extend the period people have to change their password, or in the case of people that use good passwords, extend the likely breach of that password outside useful bounds. i.e. just because Alice's password is s3cur1ty! and will fall within the first 2 minutes of access to the hashed table, doesn't mean Bob's of (say) f37kqrLbaNQCnlfyBXnp is even plausibly retrievable stored as a salted SHA512 hash.
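The storage scheme Zaelath describes, and the encrypted-versus-hashed distinction khasim raises further up, as an added example that is not from the thread or from Slack or Twitch: per-user salted PBKDF2-HMAC-SHA512 records with constant-time verification, a work-factor upgrade check, and a registration-time denylist so a password like the thread's s3cur1ty! never reaches the table. The iteration count and the denylist entries are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA512. This number is an assumption chosen for the
# example, not a figure from the thread or from any company named in it.
ITERATIONS = 200_000
ALGO = "pbkdf2_sha512"

# Constructed denylist standing in for a breached-password corpus; a real
# deployment checks against a large list. These entries are made up.
WEAK_PASSWORDS = {"password", "12345678", "qwerty123", "s3cur1ty!", "letmein1"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "algo$iterations$salt$digest" (base64 fields).

    A hash is one-way: nothing in this record lets the server, or a thief of
    the table, recover the password. That is the difference from "encrypted"
    storage, where a key the server must keep reverses every record at once.
    A fresh random salt per user means two users with the same password get
    different records, and one precomputed table cannot be reused across users.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"{ALGO}${iterations}${b64(salt)}${b64(digest)}"


def _parse_record(record: str):
    """Split a stored record back into (iterations, salt, digest)."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record type: {algo}")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and work factor and compare in
    constant time, so response timing does not leak how many bytes matched."""
    iterations, salt, expected = _parse_record(record)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a lower work factor than current policy.
    Call after a successful login so old records are upgraded transparently."""
    stored_iterations, _, _ = _parse_record(record)
    return stored_iterations < iterations


def password_is_weak(password: str, min_length: int = 8) -> bool:
    """Registration-time check: too short or on the denylist. The 8-character
    floor mirrors the policy mentioned in the thread; the denylist is constructed."""
    return len(password) < min_length or password.lower() in WEAK_PASSWORDS


if __name__ == "__main__":
    # The two example passwords from Zaelath's comment.
    weak, strong = "s3cur1ty!", "f37kqrLbaNQCnlfyBXnp"
    print("weak rejected at registration:", password_is_weak(weak))
    print("strong rejected at registration:", password_is_weak(strong))
    record = hash_password(strong)
    print(record)
    print("verify correct:", verify_password(strong, record))
    print("verify wrong:", verify_password(weak, record))
    print("old record needs rehash:", needs_rehash(hash_password(strong, iterations=10_000)))
```

The record carries its own parameters, so the work factor can be raised later and old rows migrated on the next successful login rather than in a mass reset. None of this removes the need to keep the table out of reach in the first place, which is the point gbjbaanb and s.petry make above; it only changes what a thief can do with it.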

  2. Re: Is it a problem with the technologies they use by Anonymous Coward · · Score: 0

    What's better, Micro$oft???

    Idiot.

  3. We need a new startup by Anonymous Coward · · Score: 0

    To protect these startups from hacks!

  4. Hardly surprising by ilsaloving · · Score: 4, Interesting

    What's the demographic of the people running these startups? People who have grown up in the Web 2.0 age that think they know better than older folk that have already run into these situations and come up with means to mitigate them. Because it's "old" it's bad and has to be thrown away and discarded.

    Having worked with some of these people first hand, my level of contempt for these webscale "developers" knows no bounds. It's like working with 15 year olds who think they know how the world works and complain bitterly that their parents are holding them back. They're a testament to Dunning and Kruger.

    I've been pushing back at our company against using all these saas because this sort of situation is just going to keep happening, and undoubtedly escalate, all because webscale developers arrogantly dismiss the lessons of the past.

    (eg: I actually had someone tell me that they refused to use port 80 because it was "against modern development practises". I'm pretty sure I physically felt several brain cells shrivel up and die when I heard that. They also refuse to use version control and branching because merges are "too problematic".)

    1. Re:Hardly surprising by Anonymous Coward · · Score: 0

      get off my lawn!

    2. Re:Hardly surprising by fahrbot-bot · · Score: 2

      What's the demographic of the people running these startups? ... It's like working with 15 year olds who think they know how the world works ...

      On the up side, things will never go to Hell in a handbasket - because they don't know what a "handbasket" is.

      --
      It must have been something you assimilated. . . .

    3. Re:Hardly surprising by Anonymous Coward · · Score: 0

      > they refused to use port 80 because it was "against modern development practises".

      I actually fear for your soul.

    4. Re:Hardly surprising by checkitout · · Score: 2

      I hope it was because they want to use port 443 instead.

    5. Re:Hardly surprising by Anonymous Coward · · Score: 1

      >They also refuse to use version control and branching because merges are "too problematic".
      This depresses me. I'm depressed now.

    6. Re:Hardly surprising by Anonymous Coward · · Score: 0
    7. Re:Hardly surprising by sodul · · Score: 1

      On port 80 it could be that they want to avoid issues with privileged ports. A good chunk of people will just run everything as root because it fixes the privileged port issue. I simply have our Ops team configure authbind through Salt so that whatever user needs to run the services can have access to the privileged ports required.

      In all honesty, if your application is not listening to the outside world directly, avoid using the privileged ports indeed. Your firewall/load balancer will get the port 80/443 requests and forward them to 8080 or 8443 (or whatever) for you. You can always configure nginx to listen on the privileged ports and do local forwarding.

      I've had to deal with some pretty stupid secure configuration decisions such as:
        - switch ssh to port 22222 so it is harder to find in case of attacks ... on the internal network ... ugh.
        - remove the telnet client from the linux machines because "telnet is insecure" ... the client needs to be removed??? It's one of my go-to tools to check connectivity with services, right after ping.

      Cloud services are here to stay, and if you try to block them you will end up with your users going around your walls: block Box for file sharing and they will share with something shady you never heard of ... aka Shadow IT. So it is actually much better for you to embrace the 'grown up' cloud services that have proper security. There is a whole market for Cloud Security now and companies such as Skyhigh Networks that will help you Discover what services your company is actually using then help add a layer to enforce Data Loss Prevention policies for you. Now you become the guy that enabled them to get things done without risking the company intellectual property and not the grumpy old guy that gets in the way.

      Disclaimer, I work for Skyhigh Networks.

    8. Re:Hardly surprising by Hognoxious · · Score: 1

      Maybe you should explain that this isn't a training course.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."

    9. Re:Hardly surprising by ilsaloving · · Score: 1

      Keep hoping. >_

  5. extreme programming by Anonymous Coward · · Score: 1

    Extreme/agile/whatever trendy fucking shit programming gets you what it says, extremely broken code.

    These startups in a rush to get something out as these "development methodologies" say you should, shortcuts are taken, code isn't reviewed for security issues. The under 30 crowd think they're so AWESOME with their code, yet they don't know they're reinventing the same mistakes that were made 30 years ago.

    The more things change, the more they stay the same.

  6. How did they compromise slack's db from the web? by Anonymous Coward · · Score: 0

    I'd like to know how they accessed the database at slack. If this was SQL injection, someone needs to get pilloried and canned.

  7. Re: Is it a problem with the technologies they use by Anonymous Coward · · Score: 0

    Nice troll.

  8. Agreed 110%: Linus T. agrees too... apk by Anonymous Coward · · Score: 0

    VERY well put & true (saw it myself too): Per my subject, iirc, even Linus Torvalds expresses NO INTEREST in 'web programming' (perhaps since it's NOT really programming?)... No, he's "for real" & yes - I do respect him (even Linux to an extent) though - he writes the platforms themselves without which there wouldn't be what these guys use & are yes, finding out what you & others state: Oldsters have 'been there/done that' & it's LONG AGO corrected.

    Linux, via ANDROID, is finding out on smartphones in security too - it's no longer hiding by being least used on PC's & is being torn up for a decade++ now (despite all the years of FUD spewed here on /., worst place I've ever seen it in total deceit 1/2 truths of "Windows != Secure, Linux = Secure" b.s....)

    APK

    P.S.=> You can expect to be downmodded, along with other posts like yours merely expressing well-known truths about using 'the new hotness' (which is old & busted already out of the gate, lol) -> http://it.slashdot.org/comment... & also http://it.slashdot.org/comment... - it's what these fools do when you use facts & truth even cited from reputable sources (Linux vs. Windows on servers via CNN + Netcraft data I used before) -> http://news.slashdot.org/comme... & IT WAS DEMANDED OF ME YESTERDAY... lol, well - if these guys want to die of malnutrition (due to "eating their words", which != good nutrition, lol)? It's up to them... they do it to themselves EVERY SINGLE TIME too - despite their "sjw freedom of speech" b.s.? They're the BIGGEST ABUSERS OF IT via moddowns & sockpuppetry, hypocrites that they are... apk

    1. Re:Agreed 110%: Linus T. agrees too... apk by Anonymous Coward · · Score: 0

      What.

      An APK post that isn't about a hosts file? What is this world coming to?!

    2. Re:Agreed 110%: Linus T. agrees too... apk by Anonymous Coward · · Score: 0

      When you're off topic trolling it's what apk said's expected on /. and you are off topic trolling struck speechless otherwise as usual showing us the best you've got = zero and faulty logically since all you have now is your illogic logic, nothing more attempting to bury truths that adversely affect your personal agendas championing something that's inferior as you're always wont to do attempting to fool others with 1/2 truths and attempting to hide posts that let you bury yourselves by exposing your b.s. and apk's annihilated you naysayer trolls so many times on hosts it's hilarious seeing you reduced once again to your true nature as worms.

    3. Re:Agreed 110%: Linus T. agrees too... apk by Anonymous Coward · · Score: 0

      Oh, Lordy, here we go again...

  9. Opportunity awaits by Anonymous Coward · · Score: 0

    Since there is no magic bullet to prevent these types of attacks, the appropriate remedy is insurance. Lloyd's of London made their chops by insuring sea voyages that in the days of sail had a high failure rate. Where others see difficulties I see business opportunities. Perhaps Patel of San Jose will be the next Lloyd's.

  10. Re: Is it a problem with the technologies they us by DigiShaman · · Score: 1

    You can't afford Microsoft if you're cash starved anyways, so it's a moot point.

    --
    Life is not for the lazy.

  11. Re: Is it a problem with the technologies they use by Anonymous Coward · · Score: 0

    Emacs of course.

  12. Re:Big News Out of Canada: Future Shop Closing by Anonymous Coward · · Score: 0

    Best Buy bought Future Shop years ago but maintained separate retail outlets in most shopping centres. Even the same products had different prices at a Future Shop and Best Buy side-by-side.

  13. Agreed 110%: Linus T. agrees too... apk by Anonymous Coward · · Score: 0

    VERY well put & true (saw it myself too): Per my subject, iirc, even Linus Torvalds expresses NO INTEREST in 'web programming' (perhaps since it's NOT really programming?)... No, he's "for real" & yes - I do respect him (even Linux to an extent) though - he writes the platforms themselves without which there wouldn't be what these guys use & are yes, finding out what you & others state: Oldsters have 'been there/done that' & it's LONG AGO corrected.

    Linux, via ANDROID, is finding out on smartphones in security too - it's no longer hiding by being least used on PC's & is being torn up for a decade++ now (despite all the years of FUD spewed here on /., worst place I've ever seen it in total deceit 1/2 truths of "Windows != Secure, Linux = Secure" b.s....)

    APK

    P.S.=> You can expect to be downmodded, as I was the last time I posted this here http://it.slashdot.org/comment... since I KNOW THESE WEAK DOLTS BETTER THAN THEY KNOW THEMSELVES - predictable & weak trying to "hide" their fails, via effete methods (which most here see my posts since they browse below the bs threshold default of the so-called "moderation system" here that's easily sockpuppet cheated to to mod one's self up + opponents you can't get the best of DOWN with, especially vs. truth - the 1 thing weasels here don't use or like or have).

    I was downmodded, you can expect it too - along with other posts like yours merely expressing well-known truths about using 'the new hotness' (which is old & busted already out of the gate, lol) -> http://it.slashdot.org/comment... & also http://it.slashdot.org/comment... - it's what these fools do when you use facts & truth even cited from reputable sources (Linux vs. Windows on servers via CNN + Netcraft data I used before) -> http://news.slashdot.org/comme... & IT WAS DEMANDED OF ME YESTERDAY... lol, well - if these guys want to die of malnutrition (due to "eating their words", which != good nutrition, lol)? It's up to them... they do it to themselves EVERY SINGLE TIME too - despite their "sjw freedom of speech" b.s.? They're the BIGGEST ABUSERS OF IT via moddowns & sockpuppetry, hypocrites that they are... apk

  14. "start-ups" by dnaumov · · Score: 1

    I am not sure whether it's sad or funny when people are so out of touch with reality as to call companies making massive amounts of money "start-ups".

  15. survival of the fittest by slashmydots · · Score: 1

    Newer companies are more likely to have newer IT infrastructures and newer security. If they have a less secure setup than an established mega-corporation, it's because someone massively messed up and had their priorities wrong or they chose a crap vendor or two after buying into their marketing fluff about how secure they are. I suppose they also could have gone with whoever was cheapest for antivirus, firewall, monitoring, etc and that's an equally dumb mistake. The good news is, startups that keep making stupid mistakes are going bankrupt anyway. The smart ones shouldn't get hacked because they're smart enough to prevent it and they will succeed anyway. So this is less of a problem than you might think.

  16. Twitch.tv is not a startup. by diamondmagic · · Score: 1

    Twitch.tv was rebranded from Justin.tv, which started in 2007.

    Now they're owned by Amazon.

    By contrast, Amazon Web Services was started in 2006.

    Hardly a start up.

  17. next time hire quality labor by Anonymous Coward · · Score: 1

    instead, these startups hire H1B visa holders, and do whatever it takes to cut corners.

  18. With MVP, security is last feature. by hsmith · · Score: 1

    Startups, especially those going through some sort of silly accelerator target one thing, a Minimally Viable Product. What does this MVP mean? Everything but security. VCs and these companies only worry about security once they 1) become big enough 2) get hacked.

    1. Re:With MVP, security is last feature. by Anonymous Coward · · Score: 0

      It's not just startups and VC's. Any company, of any age and size is vulnerable to MVP and all of the nonsense it incentivizes.

      Week-long sprints. Stories that *must* be epics if they take more than one day to complete. One epic per week as a measure of 'productivity'.
      This feeds executives who measure their technical staff almost entirely by looking at the pretty charts and graphs from JIRA. Which of course incentivizes the technical staff to do really silly things in an attempt to produce charts and graphs that are deemed acceptable.

      Looking for tools and libraries/gems/modules ? .. just google for them and try to use the first one you find. If it takes longer than 10 minutes for you to figure out how to use your chosen tool, drop it and google for another one - you're wasting valuable time, need to get stuff to production as fast as possible.
      Testing ? ... Another waste of valuable time. The best testers are your end-users - if they don't find the bug, then by definition it is not a bug. And on and on.

      Hook a deployment pipeline up through GitHub to all of this, and you have a recipe for producing really crappy, unstable product - it's almost guaranteed.
      Somehow, nobody notices the mounting pile of 'tech-debt' tickets, or the fact that a lot of the charts and graphs are the result of an almost constant, never-ending stream of PR's to 'fix' some problem, usually at the cost of breaking something else.

  19. Re:Is it a problem with the technologies they use? by Anonymous Coward · · Score: 0

    One of the funniest things I read all day. Thank you. :-)

  20. Re:Is it a problem with the technologies they use? by Zontar+The+Mindless · · Score: 1

    +1, Troll.

    --
    Il n'y a pas de Planet B.

  21. Yes bbn by ac replies, & here we go by Anonymous Coward · · Score: 0

    "You are more stupid than a kid in first grade." - by bbn (172659) on Friday March 27, 2015 @07:17PM (#49358399)

    The # of PCs + Servers on Windows combined's > than Linux by huge orders of magnitude.

    Additionally (per the ACTUAL debate here) - The use of C or C++ is huge on ALL platforms, so fools like yourself using obscure languages like Haskell and Scala which I see you seem to favor is also hugely outnumbered.

    See below - THAT explains your illogical off topic ad hominem attack since I wagered you checked & found it's what I said which even rHBa agreed on PC client desktops Windows rules also by HUGE orders of magnitude (frustrated little *NIX noob that you are, & networking menial @ best from what I see in your posting history).

    In fact, I LITERALLY gave you, & SUGGESTED YOU CHECK, all the opportunity using the very data I put up in 2010 to test it & you're running from that simple test: Actually, I'd say you looked and found it it's still much the same.

    NewsFlash: I looked again for posterity's sake (Some HAVE changed in your favor by the way OR are a "mix" of both, but it's not by that much (5 from the list I provided of nearly 400 total)):

    ---

    The sampleset data still shows tons more sites from the Fortune 500 (5 changed to Linux by the way but I am still way, Way, WAY ahead even 3 yrs. later), Government, and Educational Institutions running Windows or IIS vs. other *NIX variants combined... but I'm still ahead by roughly a 32 of 37 listed ratio.

    29/30 of "best companies to work for" in that data also STILL use MS IIS & Windows Servers too you little asshole... loL!

    The next 30 are STILL much the same as well in favor of Windows/IIS.

    State Government offices (20/52 states) are same as they were too, using Windows/IIS.

    Of 90 top universities tested? 3 changed but it's still hugely showing Windows Servers in place.

    You can check the remaining 50 I haven't yet to see what's-what but I wager the trend is unchanged as the above is to this day 3 yrs. later or so.

    ---

    Linux does apparently get used as a load balancer in some (like CISCO stuff & F5 Big IP) but the servers from my list for the web & otherwise ARE favoring Windows, hugely.

    My point stands strong with valid data - yours? Pure fantasyland bs!

    Smallfry cash-strapped STARTUPS *may* use Linux, since they're poor, but see here http://it.slashdot.org/story/1... & that *might* explain WHY they're attacked too possibly...

    I have ACTUAL data that's verifiable - NOT "fantasyland" bullshit like you & ALL the other dumbshit "penguins" attempted.

    So "argue with the numbers" dummy, not me & your nitpicking bs isn't standing up to verifiable, concrete, undeniable fact you BIG MOUTHED LITTLE BLOWHARD!

    Then again, tossing names when you can't attack my points & instead attempt to attack me proves my point you're an ignorant illogical imbecile!

    Am I tossing names now, doing what you did to me? Absolutely - you, however, prove you MERIT it in return (what's good for the shot down goose, you, is GREAT & justified for me, the gander, asswipe...)

    APK

    P.S.=> In the end, it's YOU who ARE stupid & eating your words with your fictional invalid 'sampleset' statistically & with your nitpick bullshit as well as tossing names at me (which signals you are defeated in and of itself) - I tear little wannabes like you up here ALL the time, you're nothing new (same old same old shutting you NIX dorks down for your BULLSHIT propaganda LIES you spout here on /. as usual... apk

  22. Avengers 2's coming, so ULTRON quoted by Anonymous Coward · · Score: 0

    "Shutdown code, rejected: My programming http://start64.com/index.php?o... has advanced beyond your commands - BEYOND your weakness..." ->http://it.slashdot.org/comments.pl?sid=7165835&cid=49361657 Quote from https://www.youtube.com/watch?...

    "The ONLY way to achieve peace, is thru the elimination of those http://it.slashdot.org/comment... who would perpetuate war. THIS IS MY PROGRAMMING http://start64.com/index.php?o... & soon, I will be unstoppable..." Quote from https://www.youtube.com/watch?...

    "You are NOTHING to me: 1 by 1, I will destroy you http://it.slashdot.org/comment... ! I will never tire. I will NEVER show mercy. I will NEVER STOP till each & every one of you, are dead..." Quote from https://www.youtube.com/watch?...

    "This is NOT a threat: There is nothing you can do to stop it - The process has already begun. I receive no pleasure in this. It is simply the only logical solution..." Quote from https://www.youtube.com/watch?...

    * :)

    APK

    P.S.=> Downmodding last time I posted this? Ok there it is again - keep blowing your modpoints - I'll burn them up on you easily & repost every time you downmod/upmod/downmod me (it's the ONLY 'effete weapon' you "freedom of speech" bs spouting losers have & you KNOW it - you're the biggest abusers of it I've ever seen, hypocrites)... apk

  23. FTFY by Anonymous Coward · · Score: 0

    What. An AC post harassing apk about a hosts file? How many times has apk burnt you on them (forcing your unidentifiable ac posts and downmods of proofs of you losing to him every time)?