February 26, 2019 08:31 pm PST

Security researcher warns of power company customers' passwords being stored in the clear, software provider responds with lawyer-letter

SEDC is an Atlanta-based company that provides back-ends for utility companies; a security researcher discovered that the company stored his password in the clear. The company's products have more than 15,000,000 users, whose logins and passwords are potentially also stored in plaintext. When the researcher alerted the company about this, the company ignored them, then denied that there was any problem, then demanded that the researcher not communicate about this except to SEDC's general counsel.

The responses from SEDC general counsel Mark Cole split hairs over the security implications of storing unencrypted passwords, insisting that there was no problem because this was not prohibited by PCI-DSS (an industry regulation governing storage of customer billing information) and because logging in would not reveal billing information.

The security researcher who discovered the password problem has received assistance from the Electronic Frontier Foundation (disclosure: I am a consultant to EFF).

Cole eventually sent the researcher an email that implied that the company had reformed its password handling, but with a great deal of worrying ambiguity.

Storing passwords in the clear is an industry worst-practice. Because so many people re-use passwords, password breaches are a useful source of data for "credential stuffing" attacks on other sites; if SEDC or its customers suffer a breach, they could unleash millions of passwords that could be used to compromise the users of its services.
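The following is an added example, not SEDC's code or anything the article describes in detail. It contrasts the plaintext storage the article reports with salted scrypt hashing, and then simulates the credential-stuffing scenario: a dump of each store is replayed against a second, unrelated service where the same (constructed) users reused their passwords. The account names, passwords and scrypt work factors are assumptions for the demo.

```python
"""Plaintext vs. salted-scrypt password storage, and what a breach of each yields.

Added example; the accounts below are constructed and are not real SEDC users.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts (assumption: not real data).
SAMPLE_ACCOUNTS = {
    "alice@example.com": "password1234",
    "bob@example.com": "Summer2019!",
}

# scrypt work factors for this demo (assumption: tune upward for production use).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scrypt$N$r$p$<salt>$<derived key>."""
    if salt is None:
        salt = os.urandom(16)  # per-user salt: identical passwords get different records
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute scrypt with the parameters stored in the record and compare in constant time."""
    try:
        _, algo, n, r, p, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False  # malformed record, never treat as a match
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def plaintext_store(accounts: Dict[str, str]) -> Dict[str, str]:
    """The practice the article describes: the password itself is the stored credential."""
    return dict(accounts)


def hashed_store(accounts: Dict[str, str]) -> Dict[str, str]:
    """Store only a salted scrypt record; the password is not recoverable from it."""
    return {user: hash_password(pw) for user, pw in accounts.items()}


def replay_breach(dumped_store: Dict[str, str], target_store: Dict[str, str]) -> List[str]:
    """Simulate credential stuffing after a breach.

    Each dumped value is submitted as the password for the same username at a
    second service (target_store), which hashes properly. Returns the users whose
    accounts on the second service are taken over.
    """
    return sorted(user for user, candidate in dumped_store.items()
                  if user in target_store and verify_password(candidate, target_store[user]))


if __name__ == "__main__":
    # Constructed second service where the same people reused their passwords.
    other_service = hashed_store(SAMPLE_ACCOUNTS)
    print("plaintext breach takes over:", replay_breach(plaintext_store(SAMPLE_ACCOUNTS), other_service))
    print("hashed breach takes over:   ", replay_breach(hashed_store(SAMPLE_ACCOUNTS), other_service))
```

The point of `replay_breach` is that a dump of the plaintext store is directly usable against every other site where the user reused the password, while a dump of the scrypt store gives the attacker only records that are not passwords and cannot be submitted to a login form; recovering the originals would require a per-record, memory-hard guessing attack.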

So is the situation "fixed"? It's unclear. SEDC's counsel, who did not respond to Ars' request for an interview, gave as little technical information as possible during the entire 120+ day saga with X.



Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/0eviLTETPio/password1234.html
