Will Angley

Just another WordPress site

(In)security

⌨️ ¯\_(ツ)_/¯. mostly breach notifications; I don't do much security stuff any more.

And no, these aren't all of them.

Incident of the day: Bonobos

by

Important update about your Bonobos account security

From: ninjas@bonobos.com

Dear William, 

We believe an unauthorized third party may have been able to view some of your account details, including your contact information and encrypted password. Your encrypted password was protected so your actual password was not visible. Payment card information was not affected by this issue.

To protect the security of your account, we are resetting your password and have logged you out of your account. To log back in, you just need to set a new, unique password through the link below:

Walmart acquired Bonobos three plus years ago, and runs it as a separate business. I’m generally glad they did this; Bonobos is as much about its software as its clothing, and I like their storefront much better than Walmart’s.

But it sounds like they could use a Security Ninja.

Incident of the day: Blackbaud

by

Blackbaud Data Security Incident

From: blackbaudincident@wm.edu

Dear Friend of William & Mary,

We take your privacy seriously at William & Mary and value the trust you place in us when you share your personal information. We wanted to make you aware of a data security incident involving Blackbaud, Inc., a vendor of William & Mary and the William & Mary Business School Foundation that provides data processing and hosting services for advancement-related activities. Blackbaud also provides similar services to thousands of universities and nonprofits worldwide.   

Blackbaud recently notified us that it was the victim of a ransomware attack in which a bad actor removed a copy of certain backup files maintained by Blackbaud. The files contained some limited personal information of a subset of our alumni and donor population, including your personal information. 

It’s between the lines in this email, but Blackbaud paid the ransom.

Incident of the day: Twitter

by

An update on your account security

From: info@twitter.com

Hi @willangley,

When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.

Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.

This is a surprisingly common bug; GitHub also did this, although my password wasn’t one of the ones logged.

How did this happen? I’m not sure of the specifics. But if you’re used to working without exceptions, you can get in the rhythm of checking and logging errors after every function call that can fail:

int ret;
if (ret = bcrypt_hashpw(passwd, salt, hash)) {
  syslog(LOG_ERR, "bcrypt_hashpw: got error: %d while hashing: %s \n", ret, passwd);
  return ret;
}
Code language: JavaScript (javascript)

And sometimes you should skip the logging 😛