Optus data breach

Whenarewethere · Guru

Optus data breach

Mike Harding · Guru

Whenarewethere wrote:
Optus have been asked to pay ransom so data is not released, including previous customers which information is required to be kept by our government for at least 6 years.

Be fair now, how else do you expect the government to spy into our communications.

Whenarewethere · Guru

Tax, Medicare, banking, shares, council rates, superannuation, vehicle registration, yacht registration, tolls & E tags, Australia Post mailing history, public surveillance cameras, E tags under the front edge of wheelie bins.

dorian · Guru

https://www.theshovel.com.au/2022/09/23/optus-change-password-name-date-of-birth-gender-data-breach/

Australia's second largest telco has responded to a massive data breach, advising customers to update their password, move house, change names and take on a new identity.

"We're hopeful that this cyber attack won't amount to anything, but to be on the safe side we do suggest anyone who has been an Optus customer since 2017 change their name, gender, address and birthday," Optus CEO Kelly Bayer Rosmarin said in a video message.

Mike Harding · Guru

I never give companies any more personal information than they absolutely need but I think, in future, when I'm asked for personal info. I'm going to reply; "To name but two of many both the American Department of Defence and Optus failed to stop data being stolen, what computer security strategies do you have in place which they failed to implement?"

PeterInSa · Guru

I now use another DOB unless its a Government Department.

Mike Harding · Guru

PeterInSa wrote:
I now use another DOB unless its a Government Department.

I only ever give any correct details where I absolutely must eg. banks, government etc otherwise every one of my accounts is false. Why the hell do Supercheap Auto or Safeway need to know who I am and where I live in order to include me in their "club" programmes? For DoB I use my ex-wife's which is similar to mine and sticks in memory... although I no longer send her a card :)

Magnarc · Guru

I'll second that Mike. I have three web addresses and aliases, and I use the Tor network (optional donations) all the time when surfing. There are far too many intrusions into our privacy these days and it is not always possible to avoid them. As a matter of interest,can any of our learned contributors tell me why a telco would need passport details?????

Have a nice day folks.

Tony Bev · Guru

dorian wrote:
https://www.theshovel.com.au/2022/09/23/optus-change-password-name-date-of-birth-gender-data-breach/

Australia's second largest telco has responded to a massive data breach, advising customers to update their password, move house, change names and take on a new identity.
"We're hopeful that this cyber attack won't amount to anything, but to be on the safe side we do suggest anyone who has been an Optus customer since 2017 change their name, gender, address and birthday," Optus CEO Kelly Bayer Rosmarin said in a video message.

Do we have a real link for this, Dorian

biggrin biggrin biggrin I am thinking of changing my date of birth to 29 February 1948 biggrin biggrin biggrin

Are We Lost · Guru

This site has a field for entry of Date of Birth. I note that some members appear to have their valid name and valid DOB visible for all. No members on this thread have both those details, but a quick look at a couple of other threads show that many do. Even if your name is not valid, a hacker could match your email address with information they already have.

I have previously sent a message to the Webmaster on this subject and she said she would pursue a solution. Now I see some members do not have that field displayed at all. I could not find a setting to show/hide it, but visibility means little online if the site is hacked.

Mike Harding · Guru

The site doesn't need to be hacked, just join as a member and legitimately view profiles.

Talking of hacking; how secure is the administrators password Cindy? Not very is my suspicion :)

I use a low level password for this and similar sites which will take 9 hours to crack but for banking and such I use a much more secure password which will take 200 years to crack:

Password strength test

Craig1 · Guru

oh dear 1.8 seconds for me for this site

Are We Lost · Guru

Thanks for the link Mike. Quite useful and also the description of why the rating. Mine is supposedly 5 days.

As for viewing the profiles I am less concerned about that because the time needed would only generate a handful of results. But it would be useful to have a limit on how many profiles a user can view each day.

What troubles me more is if the site (any site) gets hacked. Then the hackers have a list of thousands that can then be matched to a known database of already captured data. Just matching by email address is one way.

dorian · Guru

If you were to set up a password challenge that required a 1 second delay between each keystroke (ie like a real human), wouldn't that thwart a lot of automated hacking tools?

Mike Harding · Guru

People think setting a good password is too hard - who can remember ^HQ!gbh&yq8 - no one of course but how about

#MyDogLikesMeat#

That will take 12,000 years to crack! Now these numbers are a bit wooly but they are a good indicator of password strength.

&HipposAreBig& = 21 years

Paddington - 0.71 seconds

Use a bit of imagination and you'll soon have a great password.

dorian · Guru

Why don't Optus and others keep their user databases offline, at least in the plain text version, and then keep an encrypted version online? They could encrypt each customer's data with a unique encryption key, and the user's chosen password would then be used to encrypt the key. All that an attacker would see would be a database of individually encrypted data, with uniquely encrypted keys for each user. Of course all copies of the original unencrypted keys would be discarded. AES is a commonly used encryption algorithm (256 bits) that would take longer than the life of the universe to crack, even with quantum computers.

In fact Android phones have been using uncrackable file based encryption for many years, so the knowhow is already out there.

-- Edited by dorian on Tuesday 27th of September 2022 04:15:57 PM

Whenarewethere · Guru

Isn't some of the problem is that keystrokes can be recorded.

Are We Lost · Guru

Making use of that site does give some useful techniques for choosing a password. Small changes to that &HipposAreBig& gives some idea.

&HipposAreBig& 21 years
&CamelsAreBig& 1 year (Hippos is not in the dictionary but Camel(s) is)
&CamelsAreGib& 45 years (Gib ... letters reversed .... is not in the dictionary)
&HipposAregiB& 751 years (2 words not in the dictionary, capitalised last letter of giB)

And if you need (!?) more...
&HipposAregiB&.$ 5 million years

&Hippos2AregiB&.$ 1 billion years (many sites require numerics in the password)

Now if only all the hackers used the same algorithms. And of course you need a way to know this site uses Hippos while the next site uses Rhinos ... ad nauseum.

Of course passwords that strong are needed if you are protecting the crown jewels. But I doubt some hacker is going to waste time and computing power try too hard for my accounts.

For me the exercise has been very helpful. My Paypal account was recently accessed by a hacker. Paypal sent a notifiier of changes and I was able to catch it before any damage. I worked out it was due to a low budget site like this one being hacked, and I had used the same password. Since then I have been working to devise a simple system so that I can work out what the password would be without looking it up, yet avoid repetition. This brings me closer to a solution.

-- Edited by Are We Lost on Tuesday 27th of September 2022 04:38:37 PM

dorian · Guru

Whenarewethere wrote:
Isn't some of the problem is that keystrokes can be recorded.

That's a problem at your end. If you've been infected by keylogging malware, none of your online accounts will be safe. There's nothing that Optus can do about that except to inform you that a login attempt was executed from an unfamiliar IP address, or at an unusual time. Some sites will send confirmation codes to your mobile or email address when you login. That's an extra level of protection.

I'd like to see a purpose built gadget specifically for online banking. This device should have a tiny OS and minimal user interface. It should do little more than what one can achieve via phone banking, except for a little display. Make the software open source, and make it fit in less than 1MB, just like the old DOS days.

-- Edited by dorian on Tuesday 27th of September 2022 04:50:06 PM

Mike Harding · Guru

dorian wrote:
Why don't Optus and others keep their user databases offline

Simply because it's more convenient for *them*. They, of course, don't give a stuff about you or your data and who gets to access it, it's only when a massive stuff up like this happens that they pretend to be all caring and concerned.

A few years past I did some consulting work on a military radio design project which was classfied; I had two quite seperate computers on my desk, one was connected to the company network and the internet, the other was *solely* connected to an internal secure network with no connection to the outside world at all - all the classfied work was kept on the secure network, to hack it you would need physical access inside the building and to the network itself. On the ocassions I needed to share data between the two systems I had to sign out a special encrypted USB stick which was wiped when I returned it. *That* is decent security.

Don't give companies data they don't *need* - just say "No" when they ask and if they say "Why?" my reply is "Because I don't want to tell you" - it's always fun to see the confused look on their faces :)

Mike Harding · Guru

Quote from an e-mail I've just received from Optus:

----

The information which has been exposed is a combination of your name, date of birth, email, phone number and/or address associated with your former account.

----

They make no mention of driver's licence or Medicare number both of which were reported to be at risk on the news and indeed the Vic government has now said they will issue a new number to people affected.

Optus! You're a bunch of useless w@nkers!

Ivan 01 · Guru

My view is it is not so much the password but all the info behind it.
The FBI who apparently is investigating would be laughing at us.
What is the purpose of all our details given to prove our identity.
Is this is so we cant get a burner phone.
I prepay my telco through PayPal and that telco has no need to have all my details.
I dont have plans and purchases with credit.
I buy my equipment and use the telco SIM card.
Any company at which we need to get credit to obtain goods could be hacked at any time.
I would ask the question
Is this an inside job.
That would be the easiest Avenue to obtain customers records. At any company.

Tony Bev · Guru

Tony Bev wrote:
dorian wrote:
https://www.theshovel.com.au/2022/09/23/optus-change-password-name-date-of-birth-gender-data-breach/

Australia's second largest telco has responded to a massive data breach, advising customers to update their password, move house, change names and take on a new identity.
"We're hopeful that this cyber attack won't amount to anything, but to be on the safe side we do suggest anyone who has been an Optus customer since 2017 change their name, gender, address and birthday," Optus CEO Kelly Bayer Rosmarin said in a video message.
Do we have a real link for this, Dorian
I am thinking of changing my date of birth to 29 February 1948

the above was a joke answer

But back in the real world, we really have no idea how good or bad, other peoples security is

I do not like giving personal information, to any websites, but unfortunately we have to

If I had my way, I would punish all hackers, by chopping off the bottom part of all their fingers

I leave nothing on my computer/laptop, that I will miss, (if I am hacked)

I transfer all my important stuff to thumb drives

Craig1 · Guru

Reported this evening that Optus C E O has plenty of spare time, sits on the board of three other companies.

Mike Harding · Guru

Craig1 wrote:
Reported this evening that Optus C E O has plenty of spare time, sits on the board of three other companies.

After this total and complete failure of her management ability I trust she will have the good grace to resign from all four due to her incompetence.

Whenarewethere · Guru

Not long ago I renewed my Australian & British passports.

Australian $193.00

British £75.50

Further more the British passport had it's expiry date forwarded as they couldn't post it at the time due to Covid issues and there was no extra cost to Australia for the courier. Actually 2 couriers as the old passport was sent back separately.

The Australian passport was 10 years to the date I lodged it, so effectively back dated as it took some time to turn up.

Interesting the differences between Australia & UK approach on passports, & price for that matter.

Cupie · Guru

Mike Harding wrote:
The site doesn't need to be hacked, just join as a member and legitimately view profiles.
Talking of hacking; how secure is the administrators password Cindy? Not very is my suspicion :)
I use a low level password for this and similar sites which will take 9 hours to crack but for banking and such I use a much more secure password which will take 200 years to crack:
Password strength test

Thanks for that..

I tried a variation of the one that I use here & it was rated very poor with a few hours to crack.

A variation similar to the ones that I use for banking et al was rated as taking 21 centuries to crack.

Pretty happy with that.

Thankfully I have never been an Optus, or any of its resellers' customer.

Cupie · Guru

Mike Harding wrote:
Craig1 wrote:
Reported this evening that Optus C E O has plenty of spare time, sits on the board of three other companies.
After this total and complete failure of her management ability I trust she will have the good grace to resign from all four due to her incompetence.

I watched an interview with her & decided that she was rather lightweight.

Perhaps a token Female CEO.

The ex Aus Post CEO was a far more impressive person.

But then even Telstra had a succession of questionable CEOs including a failed AT&T Manager & his mates & a Nuclear Physicist/Scientist.

-- Edited by Cupie on Sunday 2nd of October 2022 12:06:22 PM