Geekzone: technology news, blogs, forums
Reply # 623629 11-May-2012 17:58

jree: Hi,

I'm one of the security guys at 2deg. We've been looking at this since Phillip got in touch.

The issue is on the fix list. A couple of weeks, hopefully.

Generally the issue occurs on forgotten password, account reset from CS, or first time login.
In most cases the user should receive an OTP (24hr expiry) via SMS.
Once logged in the new password is hashed etc. in the backend.

Some of the other things mentioned were:
External audit.... We do engage a third party #notanaccountingfirm to review the security of these servers and other elements across the 2deg infrastructure regularly.

PCI... I'll leave it to a QSA to decide what is in/out of scope; however, no customer CC data traverses or passes through these web servers. I'm not a web guru but the standard iframe setup is used with a backend validation system based off a token.

We use equipment made by large Asian vendors... I can neither confirm nor deny that both North American and Asian vendors are involved in 2deg, nor can I confirm nor deny the level of trust we afford either :-)

Thanks
J

If you are hashing it on the backend how can you get it back to clear text in the JS?
Unless you are using an algorithm that can be decrypted, but that basically makes your hashing useless?

Reply # 623631 11-May-2012 18:04

jbard:

If you are hashing it on the backend how can you get it back to clear text in the JS?
Unless you are using an algorithm that can be decrypted, but that basically makes your hashing useless?

Hi,

The pwd should be an OTP sent and created by us.

Chrs J


Reply # 623637 11-May-2012 18:10

jree:
jbard:

If you are hashing it on the backend how can you get it back to clear text in the JS?
Unless you are using an algorithm that can be decrypted, but that basically makes your hashing useless?

Hi,

The pwd should be an OTP sent and created by us.

Chrs J

So you are saying the OTP password is left in the clear but the user's password is hashed+salted?

Reply # 623644 11-May-2012 18:22

jbard:

So you are saying the OTP password is left in the clear but the user's password is hashed+salted?

Yes. The fact the OTP is in the clear is also bad, even though it has a 24 hr expiry.
The clear OTP is the bit we are going to fix... but it will take a few weeks to get to production.

Chrs J

Reply # 623646 11-May-2012 18:26

jree:
jbard:

So you are saying the OTP password is left in the clear but the user's password is hashed+salted?

Yes. The fact the OTP is in the clear is also bad, even though it has a 24 hr expiry.
The clear OTP is the bit we are going to fix... but it will take a few weeks to get to production.

Chrs J

Yeah, it isn't as big a deal as the normal pwd being in plain text. Good on 2 degrees for getting it fixed.

Reply # 623873 12-May-2012 07:10

jree:
jbard:

So you are saying the OTP password is left in the clear but the user's password is hashed+salted?

Yes. The fact the OTP is in the clear is also bad, even though it has a 24 hr expiry.
The clear OTP is the bit we are going to fix... but it will take a few weeks to get to production.

Chrs J

Thanks for the updates!

Speaking of hashing, in Django we recently increased the hashing algorithm to something more secure. Maybe something to look at as part of your process?

From the docs:

Django 1.3 uses the SHA1 algorithm, but increasing processor speeds and theoretical attacks have revealed that SHA1 isn't as secure as we'd like. Thus, Django 1.4 introduces a new password storage system: by default Django now uses the PBKDF2 algorithm (as recommended by NIST).
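As an added illustration (not code from this thread, from 2degrees, or from Django itself), here is the salted, iterated PBKDF2 scheme the quoted Django note describes, beside the single unsalted SHA1 pass it replaced, plus the check a site would use to upgrade old hashes at the next login. The `algorithm$iterations$salt$digest` layout, the iteration count and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256, 16-byte random salt.
ITERATIONS = 100_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def legacy_sha1(password: str) -> str:
    """The weak scheme the quoted Django 1.3 note moves away from: one cheap,
    unsalted SHA1 pass, so equal passwords collide and lookup tables work."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Encode as 'pbkdf2_sha256$iterations$salt$digest' (assumed Django-style layout).
    Salt and iteration count travel with the digest, so a verifier can recompute it
    and the work factor can be raised later without a separate migration table."""
    if salt is None:
        salt = base64.b64encode(os.urandom(SALT_BYTES))  # fresh salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt.decode("ascii"),
                            base64.b64encode(dk).decode("ascii"))


def verify_password(password: str, encoded: str) -> bool:
    """Recompute with the stored salt and iterations; the constant-time compare
    avoids leaking how many leading bytes of the digest matched."""
    try:
        algorithm, iterations, salt, digest = encoded.split("$", 3)
    except ValueError:
        return False  # malformed record, never a match
    if algorithm != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt.encode("ascii"), int(iterations))
    return hmac.compare_digest(base64.b64encode(dk).decode("ascii"), digest)


def needs_rehash(encoded: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored value is a bare SHA1 hex or uses fewer iterations than
    current policy; re-hash at the next successful login, the only moment the
    plaintext is legitimately in hand."""
    parts = encoded.split("$", 3)
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
```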

Reply # 630256 25-May-2012 11:24

jbard:
SmileyChris: The much bigger problem than the password being rendered in the JS / page is that they had the password to begin with.

Any reasonable developer should know that you salt and hash (with a strong algorithm) your passwords.

I think that was what the OP was pointing out, not sure he explained it as simply as you though.

I've been out of touch for a while. Sorry if this has been addressed.

They might have had the password simply in the session due to the fact I just (successfully) logged in. That would be bad too (swap, etc.), but by itself it doesn't prove they don't salt & hash.
