Monster hacked again plus information on security terminology


Posted By: Thomas Shaw, 8:19pm Wednesday 28 January 2009

It has been widely reported online and readers will know by now that Monster (http://www.monster.com) websites have been hacked. Confidential information has been downloaded, malicious scripts may have been uploaded, and who knows what else has been done. But the question is... WHY? Why was the site hacked in the first place? We understand that Monster has recently undergone a site upgrade - but still, that’s NO EXCUSE for not protecting confidential information. Let’s look at common terminology for the types of computer security incidents and for computer security evaluation methods.

Off the top of my head I can think of at least 10 other job boards/recruitment sites which have failed security testing in the past 6 months. How do I know? I have been the one testing these sites and have found the data.

No... this is not "hacking" but programmers/employees leaving holes in software code, not protecting files (chmod, directory listings, etc.) or just having stupidly left files and confidential information online thinking "no one will be able to find it". Well, I have found it.

You must be proactive and vigilant with information stored online. Regular site testing and security checks by 3rd party professionals, as well as correct server configuration, can help you. Feel free to contact me regarding these website testing services, and if you ever receive an email from me regarding security - take note!
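An added example, not part of the original post: a small shell audit of a web document root for the three mistakes described above (leftover backup/dump files, world-readable files via sloppy chmod, and directories with no index file that would show a listing if the server enables indexes). The sample tree it builds is constructed so the script runs offline; point the functions at your own document root instead.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a web root for:
#   1. leftover backup/dump files that should never be web-accessible
#   2. files readable by "other" (world-readable), i.e. weak chmod
#   3. directories without an index file (directory-listing exposure)

# Constructed sample document root so the audit can be run offline.
setup_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/uploads" "$root/public"
  printf 'ok\n' > "$root/public/index.html"
  printf 'INSERT INTO users ...\n' > "$root/uploads/users.sql.bak"  # leftover dump
  printf 'db_pass=secret\n' > "$root/config.php.old"              # leftover config
  chmod 644 "$root/uploads/users.sql.bak"   # world-readable: will be flagged
  chmod 600 "$root/config.php.old"          # owner-only: not world-readable
  echo "$root"
}

# 1. Files whose names look like backups, dumps or archives left behind.
find_leftovers() {
  find "$1" -type f \( -name '*.bak' -o -name '*.old' -o -name '*.sql' \
    -o -name '*.sql.*' -o -name '*.zip' -o -name '*.tar.gz' \)
}

# 2. Files with the "other read" bit set (mode ----r--, octal 004).
find_world_readable() {
  find "$1" -type f -perm -004
}

# 3. Directories with no index.html/index.php; with server directory
#    indexes enabled these would list their contents to any visitor.
find_unindexed_dirs() {
  find "$1" -type d | while read -r d; do
    [ -e "$d/index.html" ] || [ -e "$d/index.php" ] || echo "$d"
  done
}
```

Run the three functions against your document root and fix each hit: delete or move leftovers outside the web root, tighten permissions, and disable directory indexes in the web server configuration.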


Types of Computer Security Incidents


Insider abuse of access - An employee or person authorised to use the business’s computer system abuses this access, such as by downloading a large amount of data, or by accessing the internet for personal use against the business’s IT policy.

Theft or loss of hardware - Hardware, such as laptops, PDAs (personal digital assistants) or other devices, is lost or stolen and not recovered. Does not include hardware that is damaged or destroyed.

Virus or other malicious code - Software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse. May be either self-replicating or non-self-replicating code (any statements and/or declarations written in a computer programming language) that changes the way a computer operates without the consent or knowledge of the system owner or user. This includes all types of malware (malicious software) except spyware.

Spyware - Software designed to collect information from a computer secretly and send it elsewhere (e.g. key loggers), or to change settings and interfere with the performance of a compromised computer.

Phishing - Assuming the identity of a legitimate organisation or website using forged email, fraudulent websites or instant messaging services such as MSN, to persuade others to provide information – usually personal financial information, such as credit card numbers, account user names, passwords or social security numbers – for the purpose of using it to commit fraud.

Denial of service attack (DoS attack) - An attack aimed at specific web sites by flooding the web server with repeated messages, depleting the system resources and denying access to legitimate users.

Sabotage of network or data - Intentional destruction of, or damage to, a computer network or to data stored on a network or stand-alone computer.

Unauthorised network access - Obtaining access to a restricted computer network without providing adequate credentials such as a logon name and password.

Theft or breach of proprietary or confidential information - The unauthorised access to, and/or use, viewing, duplication, distribution or theft of, proprietary or confidential information. Proprietary information is information relating to or associated with the business’s product, business or activities. It includes, but is not limited to, items such as trade secrets, research and development, and financial information.

Incident involving the business’s web application - Any malicious or destructive incident that involves this business’s website. This might include placing unauthorised information on a website or preventing it from being used as intended.

Corruption of hardware or software - Damage to computer hardware or software that renders it, in part or in whole, non-operational.

Corruption or loss of data - Damage to or interference with data that renders it, in part or in whole, non-operational

Unavailability of service - Making the operations of your business, either in part or in whole, unavailable.

Web site defacement - Damage caused to a public web site that limits or prevents its intended use.

Non-critical operational losses - A disruption to your business that did not cause suspension of, or severe damage to, your business’s operations.

Non-critical financial losses - Loss of money or value to your business that did not cause a severe negative alteration to your business’s financial state.

Harm to reputation - A reduction in confidence in your business, or an increase in negative association with your business.

Critical operational losses - A disruption to your business that caused suspension of, or severe damage to, your business’s operations.

Critical financial loss - Loss of money or value to your business that causes a severe negative alteration to your business’s income or assets.


Computer Security Evaluation Methods


Security audit by internal staff - A measurable technical assessment of a network, system or application that is carried out by a staff member of the business.

Security audit by external businesses - A measurable technical assessment of a network, system or application that is carried out by a person who is not a staff member of the business – i.e. outsourced to a consultant.

Internet content filtering/image filtering or monitoring - Software or hardware designed for monitoring and limiting access to inappropriate information or data, configured according to the organisation’s security policy.

Intrusion detection systems - Software applications designed to protect backbone services by detecting inappropriate, incorrect or anomalous activities that cannot usually be detected by a conventional firewall.

Intrusion prevention systems - Software or hardware designed to protect computers from exploitation by identifying and blocking potentially malicious activities in real time.

System penetration testing - A method of evaluating the security of a computer, system or network by simulating an electronic attack (i.e. an attack by a hacker).

System audit policies - Policies mandating audits of the business’s computers, including issues such as the frequency and type of audits carried out and details of those responsible for undertaking them. An audit here is a measurable technical assessment of a network, system or application.

Risk assessment policies - Policies that govern the type and frequency of risk assessments for the business. Risk assessment is a process in which the magnitude of a potential loss and the probability that it will occur are measured.

Security compliance check - A form of assessment used to check a variety of security issues in terms of their compliance with a policy or guideline.

Automated tools - The use of software to monitor and report on the status of, and changes to, files and settings on individual systems, networks, servers, etc.

Email monitoring software - Software designed to monitor the email activity of users.

Web activity monitoring software - Software designed to monitor the web activity (sites visited, documents viewed) of a specific user or users.


Monster Hacked Again; 4.5 Million Records Stolen - http://www.ere.net/2009/01/27/monster-hacked-again-45-million-records-stolen/ (couldn't help but copy a screen shot of the article with paid advertisements for Monster on the right)