
Database leak exposes 3.3M Hello Kitty fans - tolien
http://www.csoonline.com/article/3017171/security/database-leak-exposes-3-3-million-hello-kitty-fans.html
======
nly
> unsalted SHA-1 password hashes

Can we please get password storage built in to _databases_ as a dedicated
column type already? There are N-to-infinity crappy languages and CMS's out
there, but only a handful of databases. It's becoming clear that widespread
standard library support for decent password hashing just isn't enough to get
people moved over.

~~~
nononoxd
Any good tutorial on how to deal with passwords? In a site of mine I generate
a salt with UUIDv4 and generate a sha512 of the password+salt and store both
the salt and hash. When the user authenticates I regenerate the hash and
check. This is good, right? I still don't know how to deal with
cookies/sessions though. And have no idea how basic http auth works.

I'd search myself but I'm afraid to find a "bad" tutorial.

~~~
ZoFreX
There's no way to beat around the bush: No, it is not good. It's better than a
lot of sites, but it's still nowhere near good enough.

The key is speed: it's too fast. Far faster than you need it to be. Fast
enough that attackers could attempt very large numbers of passwords per
second.

What you want is something slow, to slow down the attackers.

Probably the most popular choice is bcrypt, and you can't go wrong making that
decision. In some environments you may need something more standardised /
accepted, in which case you want to look at PBKDF2. There's also scrypt, which
is a bit stronger than bcrypt, but a bit newer.

_Any of these three are uncontroversial choices._ Using any of them is better
than using just about anything else, and the gap between each of them is much
smaller than the gulf between those three and schemes such as yours.

Once you've picked one you also need to tune it: make it as slow as you can
bear. If your users won't be driven away by login taking a whole second, then
make it take a whole second! The key is making it slow.

\---

One broader piece of advice: Don't reinvent the wheel when it comes to
security things. Passwords, sessions, and so on, you should be looking for
well-supported, maintained, high-quality libraries that have been vetted for
design and implementation mistakes. There's libraries out there to solve these
problems, if you aren't a security expert you should be using them :)
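As an added example (not from the thread or any commenter), the following Python puts the questioner's scheme, one SHA-512 over password+salt, beside a PBKDF2-HMAC-SHA256 version from the standard library, with the iteration count calibrated to a target time the way the reply advises. The `$pbkdf2-sha256$...` storage string, the helper names and the sample passwords are my own choices for illustration, not any library's format.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional


# The scheme from the question, reproduced for contrast: a per-user salt is
# used correctly, but there is only one hash call, so each guess costs the
# attacker one SHA-512 and a GPU can try enormous numbers per second.
def weak_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha512(password.encode("utf-8") + salt).digest()


# PBKDF2-HMAC-SHA256 from the stdlib (bcrypt and scrypt need a third-party
# package or a recent OpenSSL). The returned string records the algorithm,
# iteration count and salt (format is this example's own), so the cost can be
# raised later and old hashes upgraded at the user's next login.
def pbkdf2_hash(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$pbkdf2-sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    _, alg, iters, salt_b64, dk_b64 = stored.split("$")
    if alg != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, min_iterations: int) -> bool:
    """True when a stored hash was produced with fewer iterations than now required."""
    return int(stored.split("$")[2]) < min_iterations


def calibrate(target_seconds: float, start: int = 10_000) -> int:
    """Double the iteration count until one hash takes at least target_seconds on this host."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", b"0" * 16, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


def guesses_per_second(fash, n: int = 2000) -> float:
    """Rough single-core rate at which a hash function can be evaluated on guesses."""
    t0 = time.perf_counter()
    for i in range(n):
        fash("guess%d" % i)
    return n / (time.perf_counter() - t0)


if __name__ == "__main__":
    salt = os.urandom(16)
    iters = calibrate(0.25)  # "as slow as you can bear", measured on this machine
    print("PBKDF2 iterations for about 0.25 s:", iters)
    print("single SHA-512 guesses/s (one core, pure Python):",
          round(guesses_per_second(lambda p: weak_hash(p, salt))))
    print("PBKDF2 guesses/s:",
          round(guesses_per_second(lambda p: pbkdf2_hash(p, iters, salt), n=8), 1))
    stored = pbkdf2_hash("correct horse battery staple", iters)  # constructed sample password
    print("verify ok:", verify("correct horse battery staple", stored))
    print("verify wrong password:", verify("wrong", stored))
```

Run it once on the real login hardware, not a laptop, to pick the iteration count; keep the count in the stored string so that `needs_rehash` can trigger an upgrade the next time each user logs in.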

------
dpina
> Update 2: Earlier this afternoon, Chris Vickery confirmed that the three IP
> addresses that were disclosing user information have been secured. The issue
> wasn't a hack, but a misconfigured MongoDB installation.

> The source of the configuration error isn't clear, as neither the ISP nor
> Sanrio has answered questions on the matter.

A MongoDB database open to the outside world on a public IP address?

~~~
eli
i.e. the default configuration

But yeah, that's not good.

~~~
nacs
> i.e. the default configuration

The default configuration for MongoDB is to listen on localhost only. Someone
changed the configuration if it was listening on a public IP.

~~~
drzaiusapelord
This is only true after the Mongo people were lambasted on the web for having
such a terribly insecure out of the box product. Which was fairly recently.
For years the product would bind to all IP addresses. Which is insane for a
default install.

Feb 2015:

Discovered 40,000 vulnerable MongoDB databases on the Internet

[http://securityaffairs.co/wordpress/33487/hacking/40000-vuln...](http://securityaffairs.co/wordpress/33487/hacking/40000-vulnerable-mongodbonline.html)

The changes were made after this, so we're only talking a few months now.
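As an added example, not code from any commenter or from MongoDB, here are two constructed `mongod.conf` fragments in the YAML format MongoDB has used since 2.6: one reproducing the bind-to-every-interface, no-authentication setup this thread is about, and the hardened counterpart. The small audit function is my own illustration of what to check for; the parser handles only the two-level `section: / key: value` shape of that file, not general YAML.

```python
from typing import Any, Dict, List

# Constructed config fragments (not taken from any real deployment).
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Minimal parser for 'section:\\n  key: value' files; enough for mongod.conf, not general YAML."""
    root: Dict[str, Any] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:
            if value:
                root[key] = value
                section = None
            else:
                section = root.setdefault(key, {})
        elif section is not None:
            section[key] = value
    return root


def audit_mongod_conf(text: str) -> List[str]:
    """Return human-readable findings for the two settings behind open-MongoDB leaks."""
    conf = parse_simple_yaml(text)
    findings: List[str] = []

    bind_ip = conf.get("net", {}).get("bindIp")
    if bind_ip is None:
        findings.append("net.bindIp not set: the process falls back to the build's "
                        "default, which (as the thread notes) has changed between versions")
    else:
        public = [a.strip() for a in bind_ip.split(",") if a.strip() not in LOOPBACK]
        if public:
            findings.append("net.bindIp=%s: listening on a non-loopback address" % bind_ip)

    authz = conf.get("security", {}).get("authorization", "")
    if authz.lower() != "enabled":
        findings.append("security.authorization is not 'enabled': any client that "
                        "can reach the port gets full access")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_mongod_conf(conf) or ["no findings"])
```

Binding to loopback only is the part that stops a Shodan-style sweep from seeing the instance at all; enabling authorization is what limits the damage if the bind address is later widened for a replica set or an app server on another host.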

------
BooneJS
Evening project: union Hello Kitty and Ashley Madison lists.

No, some things are better left unknown.

~~~
whywouldyou
I'm not sure what compels people to download and look at any of these leaks.

There's a real dichotomy between the mostly universal opinion on here that ad
tracking is a terrible evil, but downloading and investigating people's
private data that was illegally obtained and distributed is okay.

~~~
subie
It's interesting to look at? I don't think most people looking at the leaks
are trying to profit (exception of people exploiting people based on the
data). Ad systems however, are always looking at the data as a way to increase
profits.

~~~
whywouldyou
So violating people's personal privacy is okay if it's interesting to look at?
I guess people who put hidden cameras in bathrooms feel the same way as you.

~~~
subie
No, I'm saying the person who did the leak or placed the camera did the breach
of privacy. You want to say everyone looking at it is also breaching the
privacy. I'd say they are simply looking at the result of a breach, not
committing another one.

"There's a real dichotomy between the mostly universal opinion on here that ad
tracking is a terrible evil, but downloading and investigating people's
private data that was illegally obtained and distributed is okay."

What differs between these two is that the ad system is the person placing the
camera, watching the video and distributing. The interested person is simply
watching the video. Sure that doesn't seem fair to the victim but if they are
not trying to exploit the victim I don't think it's a problem.

------
MilnerRoute
Reuters headline:

"Hello Kitty fan site exposed, but no data stolen: web host"

"There is no evidence any data has been stolen, the Hong Kong-based company
hosting the data said on Tuesday."

[http://in.reuters.com/article/us-sanrio-cyberattack-idINKBN0...](http://in.reuters.com/article/us-sanrio-cyberattack-idINKBN0U42B720151222)

------
noinsight
So, are we going to see extortion attempts like in the Ashley Madison leak?
"We know you like Hello Kitty"...

~~~
nthcolumn
This guy is worried. [http://imgur.com/RNiWGSl](http://imgur.com/RNiWGSl)

------
nemon1c
This is the same guy that uncovered the MacKeeper user database as well, which
also used MongoDB. From what I've read, he just used Shodan to uncover these
instances. This isn't meant to discredit him, but it's interesting how we're
calling people like this "security researchers".

~~~
dopamean
I don't know who Vickery is but could he not be a security researcher who uses
Shodan?

------
MilnerRoute
Found when I Googled for more information...

"Hello Kitty and Minnie Mouse arrested after fight over tip money in New
York's Times Square."

[http://www.mirror.co.uk/news/weird-news/hello-kitty-minnie-m...](http://www.mirror.co.uk/news/weird-news/hello-kitty-minnie-mouse-arrested-5833387)
