Press Embargo until April 12, 2007
Rankings: Noobs: **** LOLs: * 0wnz: ***
As part of the ongoing series of Myspace password thefts, one such list of just over 550,000 entries was posted to the highly-trafficked Full-Disclosure mailing list on January 15, 2007. The attack used was of the sort described in recent MOMBY advisories.
While this is three-month old news, the "bug" exposed by this event is one of operational security, which speaks to a lack of a coherent, organized security policy to deal with such events.
- Myspace was unaware of the issue for at least 48 hours, or otherwise failed to act. This indicates either a lack of basic security intelligence, or a lack of a coherent, written security response plan in the event of a disaster (or, half a million users compromised does not constitute a disaster).
- Given that Fox Interactive had already gone through a similar exercise less than a year prior (reported here and picked up by Digg), the security plan of early 2006 did not contain a post-mortem phase for disaster recovery.
- The security organization at Fox Interactive does not appear to have a full understanding of How The Internet Works. This is evinced by the attempts to quash the spread of the password list by asking various registrars and ISPs to disable web sites hosting the password list (such as the n SecLists.Org incident). This speaks to a basic lack of training or hiring qualifications for Myspace's security responders. Screenshot: http://tinyurl.com/2q85zh
- Finally, no coordinated action has been taken in light of the half-million password leak, now almost 90 days past; namely, many accounts remained active at least at the time of the SecLists.Org incident, and to date, the account holders have not been informed directly by Myspace their passwords have been compromised. While it's uncomfortable to officially recognize security incidents, mature organizations understand that these actions are the only responsible position to take.
Credit: Mondo Armando, MOMBY. And everyone else who thought about this issue for more than five minutes. And yes, that's five, count 'em five, bugs in one advisory. I dare you to post a comment that this "isn't a bug report." Also, yes, the screenshot has nothing to do with the advisory. I just thought it might alleviate the boredom of reading a rant about policy documents.