Monster.com breached
February 24, 2009
In late January, our friends at Monster were victims of a data theft covering an unspecified (but large) number of users. Because Monster also provides the USAJobs.gov website, it was also subject to the attack.
The first question everyone asks is, of course, “How many accounts were compromised?” Unfortunately, Monster has not been forthcoming about the magnitude of the breach, which could be intentional or, more likely, because they don’t know themselves (much like the Heartland breach I wrote about earlier). That tells me that, in theory, it could have resulted in the compromise of every single account in Monster’s system, and in fact, that’s my guess as to what really happened. In any case, with no additional data, it’s certainly what I’m forced to assume.
This looks like a basic database theft, where the attacker managed to get access to the Monster user database and steal basic demographic data, such as names, e-mail addresses, and so on. Monster asserts that passwords and SSNs were not stolen, but this is belied by the password-change requirement that Monster imposed on all users (all) only five days after the break-in. Another article states that passwords and SSNs were not compromised because they were encrypted (although it doesn’t identify a source for this information).
Time for a quick technical digression about encrypted fields in databases. A lot of sites will advertise that their passwords or SSNs are stored encrypted in their databases. This is usually technically incorrect; typically, they’re stored as a one-way cryptographic hash, often using MD5, although sometimes using SHA-1 or something more exotic. These algorithms are great for computing a checksum (like a fingerprint) of a block of text, such that if you change anything about the text, the checksum changes with it. It’s Very Hard to take a given checksum and find any block of text that produces it (this is called preimage resistance), although of course (way) more than one block of input text can have the same checksum, since the input is larger than the output. However, a good hash function makes such collisions as hard to find as possible.
So, great: in theory, everyone’s password and SSN are MD5’d before being stored in the database. In actual practice, that doesn’t matter as much as you’d think. The reason is that you have to consider both the domain and the range of the function. Yes, the range (output) is very random-looking and is spread over the whole 128-bit (or 160-bit, for SHA-1) output space, but we know something special about the domain. For SSNs, for example, it’s a number between 1 and 1,000,000,000. So, if you tried every single number, on average you’d have to try half of them before you found a match, meaning that the effective security of that “encryption” is the amount of time it takes your computer to do 500,000,000 MD5 sums. That is not that long any more.
You can guard against mass-cracking by salting your hashes. This is quite helpful, because the bad guy has to compute and store the checksum for (with a 32-bit salt) over 4 billion different versions of every possible SSN or password, instead of one table that works against every user. Still, with SSNs anyway, there are only a billion combinations (a little less than 2^30), each of which is a number that can be stored in 4 bytes (less, if you’re clever). You can think of it as a 62-bit key. There are some interesting combinations of pre-computed tables and on-the-fly processing that can yield some workable attacks even against keys this long.
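To make the domain-versus-range point and the salting point above concrete, here is an added example (my own code, not anything from Monster or the articles cited). It uses constructed sample SSNs, shows that an unsalted hash gives every user with the same value the same stored digest (which is why one precomputed table works for everyone), stores the value instead with a per-record random salt plus an iterated hash (PBKDF2-HMAC-SHA256, an assumed mitigation the post itself does not name; the 100,000 iteration count is likewise an assumed figure), and computes the attacker’s tabulation work in bits, reproducing the post’s 62-bit figure for a 30-bit SSN domain with a 32-bit salt.

```python
import hashlib
import hmac
import math
import secrets

# Constructed sample records, not real data: two users who happen to share
# the same SSN, the exact situation a precomputed table exploits when the
# stored value is an unsalted hash.
SAMPLE_SSNS = {"alice": "123456789", "bob": "123456789"}

# Size of the SSN domain as the post states it (1 .. 1,000,000,000).
SSN_DOMAIN_SIZE = 10**9


def unsalted_md5(secret: str) -> str:
    """The 'encrypted' storage the post describes: plain MD5 of the value.
    Identical inputs always give identical digests, across all users."""
    return hashlib.md5(secret.encode()).hexdigest()


def make_salted_record(secret: str, iterations: int = 100_000) -> dict:
    """Store a secret with a fresh random salt and an iterated hash.

    PBKDF2-HMAC-SHA256 is an assumed choice for illustration; the iteration
    count is a cost knob that multiplies the attacker's work per guess.
    """
    salt = secrets.token_bytes(16)  # 128-bit salt; the post's arithmetic assumes 32 bits
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_salted_record(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def effective_bits(domain_size: int, salt_bits: int = 0, iterations: int = 1) -> float:
    """Work, in bits, to tabulate every (salt, input) pair once.

    With no salt the table is built once and reused against every user;
    each salt bit doubles it, and each hash iteration multiplies it again.
    """
    return math.log2(domain_size) + salt_bits + math.log2(iterations)


if __name__ == "__main__":
    print("unsalted MD5 equal across users:",
          unsalted_md5(SAMPLE_SSNS["alice"]) == unsalted_md5(SAMPLE_SSNS["bob"]))
    a = make_salted_record(SAMPLE_SSNS["alice"])
    b = make_salted_record(SAMPLE_SSNS["bob"])
    print("salted digests equal across users:", a["digest"] == b["digest"])
    print("verify correct value:", verify_salted_record(a, SAMPLE_SSNS["alice"]))
    print(f"SSN, unsalted:        {effective_bits(SSN_DOMAIN_SIZE):.1f} bits")
    print(f"SSN, 32-bit salt:     {effective_bits(SSN_DOMAIN_SIZE, 32):.1f} bits")
    print(f"SSN, salt + 100k iter: {effective_bits(SSN_DOMAIN_SIZE, 32, 100_000):.1f} bits")
```

The numbers line up with the post: log2(10^9) is just under 30 bits, a 32-bit salt takes that to roughly 62 bits of table-building work, and the iteration count is what pushes the per-guess cost up further. Note that salting and iteration only raise the attacker’s cost; they do not change the fact that the SSN domain itself is tiny, which is the post’s underlying point.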
All of a sudden, Monster’s warning that users change their passwords looks a little more serious. If the Bad Guys are 200 playstations away from being able to brute-force your password, you’re in trouble. Same goes double with your SSN: Monster already admitted to the theft of names, addresses, and dates of birth. That, plus a cracked SSN, is all the Bad Guy needs to get credit, or to do a variety of other nasty things.
But wait, there’s more! According to one stat I’ve heard, 41% of people use the same password on every website they use. Wow! Furthermore, I’d bet the number goes way up when you factor out the high-security sites like banks. Put another way, even if you’re in the other 59%, I’d bet a lot of people have the same password on Monster as on their e-mail account. And think about that for a second… where do you think all of those “I forgot my password” reset e-mails go? Yep, losing your e-mail account to a Bad Guy is just about as bad as it gets.
So, what do you do? For starters, quit using the password you used at Monster, forever. Change every password you have. Change all of your “secret” security questions and answers everywhere you can. And, of course, keep an eye on your bank accounts, credit card statements, and so on.
There are a couple of other things that can be done, as well. Websites that use two-factor authentication for login security are a big help, of course. You can also help mitigate the problem by using services like OpenID for login to sites that support it. That way, you only have to maintain your password in one place. And what’s more, if you use the right OpenID provider, you can get two-factor authentication for it. That leaves you in a particularly good position, at least for sites that accept OpenID.
And as for Monster… they saw fit to make everyone change their passwords (presumably because they could be compromised, as I described above), but they didn’t see fit to proactively notify users or buy ID theft protection for them, even though SSNs are only 30 bits long, vs. your average 8-character password with at least one capital and one symbol, coincidentally also estimated to have 30 bits’ worth of entropy.
Fourth break-in in two years. Just sayin’.