Slashdot Mirror


Startups Increasingly Targeted With Hacks

ubrgeek writes: Slack, makers of the popular communications software, announced yesterday that they'd suffered a server breach. This follows shortly after a similar compromise of Twitch.tv, and is indicative of a growing problem facing start-up tech companies. As the NY Times reports, "Breaches are becoming a kind of rite of passage for fledgling tech companies. If they gain enough momentum with users, chances are they will also become a target for hackers looking to steal, and monetize, the vast personal information they store on users, like email addresses and passwords."

23 of 49 comments

  1. How is it a "rite of passage"? by khasim · · Score: 4, Insightful

    They're getting cracked because they're not paying attention to their security.

    After resetting users' passwords, Twitch initially introduced longer password character requirements, but had to dial back its new 20-character password length requirement to 8 characters after users complained.

    Fuck you! If you cannot detect and mitigate a brute force attack then hire someone who can.

    Twitch also said it encrypted passwords, but warned that hackers might have been able to capture passwords in the clear as users were logging on.

    And make sure you know the difference between encrypted and hashed.

    1. Re: How is it a "rite of passage"? by Anonymous Coward · · Score: 2, Insightful

      Seems users would rather be insecure than secure. Good for them.

      Just because the average Joe is a retard doesn't mean you have to be. Nothing says you can't use the 20 character password even when everyone else is using an 8 letter one. Their stupidity won't affect you.

      However, there's no excuse for a website doing something like storing passwords in plaintext. That's just fucking stupid.

    2. Re:How is it a "rite of passage"? by OzPeter · · Score: 4, Insightful

      They're getting cracked because they're not paying attention to their security.

      But start-ups are all about the most buzz you can generate in the shortest time. You need to get that product out the door ASAP because your competitors aren't going to wait for you to build your secure system first. After all, you're not in the business of security, you're in the business of connecting up the most people and building your community. /sarcasm*

      *Added because even I thought I was starting to sound like a lean-startup advocate

      --
      I am Slashdot. Are you Slashdot as well?

    3. Re: How is it a "rite of passage"? by gbjbaanb · · Score: 1

      like storing passwords in plaintext. That's just fucking stupid

      not as stupid as you think. Sure, encrypting your passwords is another layer of security but really, if an attacker gets your password database, then they can (and will) crack them quite easily today. Given that all you're doing is slowing the attacker down, it can be better to store them in plaintext.

      Because - if you know your passwords are precious and need to be looked after, you will take many more steps to ensure the attacker doesn't get them in the first place. Too many websites think that if the passwords are encrypted then they're all secure. They don't think the (small) effort to properly put the DB behind a middle tier layer and not allow any web application to directly access the tables is worth doing, and so they get hacked and the passwords get cracked.

      I blame the web development frameworks; if your idea of security is running it all inside the webserver that's public internet-connected, then you're going to get hacked.

    4. Re:How is it a "rite of passage"? by s.petry · · Score: 1

      Until very recent times the OpenSSL project was maintained by 2 guys who pretty much worked for free, meaning that they had to work full time jobs in addition to maintaining OpenSSL. You may have had a point somewhere, but it seems to have been lost in ignorance.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    5. Re: How is it a "rite of passage"? by s.petry · · Score: 1

      However, there's no excuse for a website doing something like storing passwords in plaintext. That's just fucking stupid.

      If it comes to a point where a hacker has your password file, it's too late. Sure. The bad practice made it easier for hackers at this point, but you were already compromised so you are really trying to protect "everything else" from that point on.

      IMHO it is a culture that needs to change to improve. Some start-ups are security oriented, those tend to have long term success. Some have little concern, and tend to be fly-by-night companies. The latter is due to people playing the economic lottery.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    6. Re: How is it a "rite of passage"? by Zaelath · · Score: 1

      You are dangerously stupid or trolling.

    7. Re: How is it a "rite of passage"? by Zaelath · · Score: 1

      What you say is true, however it doesn't excuse the negligence of storing passwords in plaintext, or even with poor hashing algorithms.

      Just because access to the password file is a major loss requiring everyone to change their passwords, that doesn't mean a good hashing algorithm doesn't extend the period people have to change their password, or in the case of people that use good passwords, extend the likely breach of that password outside useful bounds. i.e. just because Alice's password is s3cur1ty! and will fall within the first 2 minutes of access to the hashed table, doesn't mean Bob's of (say) f37kqrLbaNQCnlfyBXnp is even plausibly retrievable stored as a salted SHA512 hash.
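To make the Alice/Bob comparison concrete, here is an added example in Python (mine, not code from the thread or from Twitch): a salted SHA-512 store/verify pair of the kind the comment assumes, plus a registration-time check that undoes common leet-speak substitutions against a small constructed wordlist and estimates worst-case brute-force time, so that a password like s3cur1ty! is refused before it ever reaches the hash table while f37kqrLbaNQCnlfyBXnp passes. The wordlist, the leet map and the 1e10 guesses/second rate are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist and leet map (assumption); a real check uses a large breach corpus.
COMMON_WORDS = {"security", "password", "welcome", "letmein", "twitch", "slack"}
LEET = str.maketrans("013457@$!", "oieastasi")


def normalize(password: str) -> str:
    """Undo leet substitutions and drop non-letters, so 's3cur1ty!' reads as 'security...'."""
    return "".join(c for c in password.lower().translate(LEET) if c.isalpha())


def is_dictionary_derived(password: str) -> bool:
    """True when a known word survives inside the normalized password."""
    norm = normalize(password)
    return any(word in norm for word in COMMON_WORDS)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, from the character classes present."""
    size = 0
    size += 26 if any(c.islower() for c in password) else 0
    size += 26 if any(c.isupper() for c in password) else 0
    size += 10 if any(c.isdigit() for c in password) else 0
    size += 33 if any(not c.isalnum() for c in password) else 0
    return size


def brute_force_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case offline search time against a fast hash tested at the assumed rate."""
    return charset_size(password) ** len(password) / guesses_per_second / (365 * 86400)


def acceptable(password: str, min_years: float = 100.0) -> bool:
    """Registration policy: not dictionary-derived and infeasible to exhaust by brute force."""
    return not is_dictionary_derived(password) and brute_force_years(password) >= min_years


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted SHA-512 as in the comment; a per-user random salt defeats shared precomputation.
    (A deliberately slow KDF would buy more time still, but plain salted SHA-512 is the premise.)"""
    salt = salt or os.urandom(16)
    return salt, hashlib.sha512(salt + password.encode()).digest()


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time; the stored digest is hashed, never decrypted."""
    return hmac.compare_digest(hashlib.sha512(salt + password.encode()).digest(), digest)
```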

  2. Hardly surprising by ilsaloving · · Score: 4, Interesting

    What's the demographic of the people running these startups? People who have grown up in the Web 2.0 age that think they know better than older folk that have already run into these situations and come up with means to mitigate them. Because it's "old" it's bad and has to be thrown away and discarded.

    Having worked with some of these people first hand, my level of contempt for these webscale "developers" knows no bounds. It's like working with 15 year olds who think they know how the world works and complain bitterly that their parents are holding them back. They're a testament to Dunning and Kruger.

    I've been pushing back at our company against using all these saas because this sort of situation is just going to keep happening, and undoubtedly escalate, all because webscale developers arrogantly dismiss the lessons of the past.

    (eg: I actually had someone tell me that they refused to use port 80 because it was "against modern development practises". I'm pretty sure I physically felt several brain cells shrivel up and die when I heard that. They also refuse to use version control and branching because merges are "too problematic".)

    1. Re:Hardly surprising by fahrbot-bot · · Score: 2

      What's the demographic of the people running these startups? ... It's like working with 15 year olds who think they know how the world works ...

      On the up side, things will never go to Hell in a handbasket - because they don't know what a "handbasket" is.

      --
      It must have been something you assimilated. . . .

    2. Re:Hardly surprising by checkitout · · Score: 2

      I hope it was because they want to use port 443 instead.

    3. Re:Hardly surprising by Anonymous Coward · · Score: 1

      >They also refuse to use version control and branching because merges are "too problematic".
      This depresses me. I'm depressed now.

    4. Re:Hardly surprising by sodul · · Score: 1

      On port 80 it could be that they want to avoid issues with privileged ports. A good chunk of people will just run everything as root because it fixes the privileged port issue. I simply have our Ops team configure authbind through Salt so that whatever user needs to run the services can have access to the privileged ports required.

      In all honesty, if your application is not listening to the outside world directly, avoid using the privileged ports indeed. Your firewall/load balancer will get the port 80/443 requests and forward them to 8080 or 8443 (or whatever) for you. You can always configure nginx to listen on the privileged ports and do local forwarding.

      I've had to deal with some pretty stupid secure configuration decisions such as:
        - switch ssh to port 22222 so it is harder to find in case of attacks ... on the internal network ... ugh.
        - remove the telnet client from the linux machines because "telnet is insecure" ... the client needs to be removed??? It's one of my go-to tools to check connectivity with services, right after ping.

      Cloud services are here to stay, and if you try to block them you will end up with your users going around your walls: block Box for file sharing and they will share with something shady you never heard of ... aka Shadow IT. So it is actually much better for you to embrace the 'grown up' cloud services that have proper security. There is a whole market for Cloud Security now and companies such as Skyhigh Networks that will help you Discover what services your company is actually using then help add a layer to enforce Data Loss Prevention policies for you. Now you become the guy that enabled them to get things done without risking the company intellectual property and not the grumpy old guy that gets in the way.

      Disclaimer, I work for Skyhigh Networks.

    5. Re:Hardly surprising by Hognoxious · · Score: 1

      Maybe you should explain that this isn't a training course.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."

    6. Re:Hardly surprising by ilsaloving · · Score: 1

      Keep hoping. >_

  3. extreme programming by Anonymous Coward · · Score: 1

    Extreme/agile/whatever trendy fucking shit programming gets you what it says, extremely broken code.

    With these startups in a rush to get something out, as these "development methodologies" say you should, shortcuts are taken and code isn't reviewed for security issues. The under 30 crowd think they're so AWESOME with their code, yet they don't know they're reinventing the same mistakes that were made 30 years ago.

    The more things change, the more they stay the same.

  4. Re: Is it a problem with the technologies they us by DigiShaman · · Score: 1

    You can't afford Microsoft if you're cash starved anyways, so it's a moot point.

    --
    Life is not for the lazy.

  5. "start-ups" by dnaumov · · Score: 1

    I am not sure whether it's sad or funny when people are so out of touch with reality as to call companies making massive amounts of money "start-ups".

  6. survival of the fittest by slashmydots · · Score: 1

    Newer companies are more likely to have newer IT infrastructures and newer security. If they have a less secure setup than an established mega-corporation, it's because someone massively messed up and had their priorities wrong, or they chose a crap vendor or two after buying into their marketing fluff about how secure they are. I suppose they also could have gone with whoever was cheapest for antivirus, firewall, monitoring, etc. and that's an equally dumb mistake. The good news is, startups that keep making stupid mistakes are going bankrupt anyway. The smart ones shouldn't get hacked because they're smart enough to prevent it and they will succeed anyway. So this is less of a problem than you might think.

  7. Twitch.tv is not a startup. by diamondmagic · · Score: 1

    Twitch.tv was rebranded from Justin.tv, which started in 2007.

    Now they're owned by Amazon.

    By contrast, Amazon Web Services was started in 2006.

    Hardly a start up.

  8. next time hire quality labor by Anonymous Coward · · Score: 1

    instead, these startups hire H1B visa holders, and do whatever it takes to cut corners.

  9. With MVP, security is last feature. by hsmith · · Score: 1

    Startups, especially those going through some sort of silly accelerator target one thing, a Minimally Viable Product. What does this MVP mean? Everything but security. VCs and these companies only worry about security once they 1) become big enough 2) get hacked.

  10. Re:Is it a problem with the technologies they use? by Zontar The Mindless · · Score: 1

    +1, Troll.

    --
    Il n'y a pas de Planet B.