South Korean web users have been left reeling again just weeks after one of the biggest data breaches in the country's history, after hackers attacked streaming service GOMTV.net and compromised details including names, email addresses and passwords.
A post on the site on Sunday revealed that attackers had breached the site early on Saturday morning local time, but fortunately GOMTV uses PayPal to process payments so no credit card details were stolen.
"We strongly encourage you to change your GOMTV.net password and if you have been using the same password for other web sites, we suggest changing the passwords for those sites as well," noted the statement.
"As soon as we discovered the sign of intrusion we conducted a complete investigation into the incident and have also taken steps to enhance security and strengthen our network system in order to provide you with better protection of your personal information."
Paul Ducklin, head of technology for Sophos Asia Pacific, welcomed GOMTV's relatively quick notification of customers, but questioned the firm's password retention policy.
"It sounds as though [parent company] Gretech was storing passwords in a directly recoverable form on its web servers. As we've said many times before on Naked Security, this is almost always unnecessary for online authentication," he said in a blog post.
"You don't need to save a user's password permanently to be able to validate it later. Instead, you calculate and store a complex cryptographic hash of the password. If a user can subsequently provide a password which produces the same hash, you have satisfied yourself they know the password they chose originally. You need to have the password very briefly in memory, but you never need to store it."
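The scheme Ducklin describes, as an added example (this is not GOMTV's or Gretech's code, and the page says nothing about how their site actually stored passwords): each password is hashed with a per-user random salt and an iterated key-derivation function, only the hash record is stored, and a login attempt is checked by recomputing the hash and comparing it in constant time. The record format `pbkdf2_sha256$iterations$salt$digest`, the 600,000-iteration work factor and the `needs_rehash` helper are assumptions chosen for the example, not anything from the article. The standard library's `hashlib.pbkdf2_hmac` is used so the example runs offline; a memory-hard function such as scrypt or Argon2 would be the stronger choice today.

```python
import base64
import hashlib
import hmac
import os

# Added example, not code from the article or from GOMTV/Gretech.
# Work factor is an assumption for illustration; tune it to your hardware
# and raise it over time (see needs_rehash below).
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a stored record from a password.

    The record is self-describing (algorithm, iterations, salt, digest) so
    verification never needs the original password and the work factor can
    be changed later without locking existing users out.
    """
    salt = os.urandom(16)  # fresh random salt per user: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "%s$%d$%s$%s" % (
        ALGORITHM,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record.

    Recomputes the hash with the salt and iteration count taken from the
    record and compares in constant time, so a malformed record, a wrong
    algorithm tag or a wrong password all fail without leaking timing.
    """
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
        )
    except ValueError:  # bad field count, non-numeric iterations, invalid base64
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than current policy.

    Call this after a successful login and re-run hash_password while the
    plaintext is briefly in memory; that is the only moment it is available.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def breach_exposes_plaintext(record: str, password: str) -> bool:
    """What an attacker who copies the user table sees: the password itself is absent."""
    return password in record
```

Usage: on registration store `hash_password(pw)`; on login call `verify_password(pw, stored)` and, if it returns True and `needs_rehash(stored)`, replace the record with a fresh `hash_password(pw)`. A dump of the stored records yields salts and digests only, which is the point of the quote above.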
Ducklin also criticised the firm for placing a large "change your password" button in the breach notification emails sent to customers: it makes the reset easier, but it trains users to click links in alarming emails, which is exactly the behaviour scammers rely on.
"Fake warnings which urge users to click on links in the email they've just received are the hallmark of scammers and phishers," he said.
"Avoid doing the same thing in your own alerts: this discourages users from entering confidential data on web pages they have reached via uncertain links embedded in emails."
At the end of July, South Korea suffered potentially its largest ever data breach after an attack on the Nate online portal and Cyworld social network exposed up to 35 million users' details.
Source: v3
Date: 2011-08-15 11:32 pm (UTC)
I don't even understand WHY someone would attack GOMTV. The whole website is just Starcraft and music videos!

Date: 2011-08-16 01:06 am (UTC)
I thought I was the only one.

Date: 2011-08-16 01:14 am (UTC)
Oh my gosh I have been following the Brood War scene since forever and a half ago and now SC2 especially since it's been blowing up in North America finally and yaaaaaayyyyy hi nice to meet you heck yes esports.

Date: 2011-08-16 01:21 am (UTC)
I started out as a 1.6 and COD eSports fan and transitioned to SC2 and MOBAs. Yeah, I'm a big eSports fan.
By the way, the whole EG announcement is about EG getting Huk from TL and getting a new big sponsor. Possibly Idra going back to Korea.

Date: 2011-08-16 01:37 am (UTC)
...............wat. WAT. WATWATWATWATWATWATWATWATWAT WTF SOURCES PLEASE WTF why would Huk leave now with the TL-oGs partnership. TL is meh as a team but oGs practice has definitely helped him. And who does EG have.......

Date: 2011-08-16 02:32 am (UTC)
Good thing for LoL. However, I'm wondering if it's featured in the MLG Circuit will it be part of their Season 2 leadup to the Grand Finals.
The reason Huk would leave TL is for the money that EG can provide and also his contract is about to end. There is more to it.
I can talk endlessly about eSports it's like my other part time job.

Date: 2011-08-16 02:42 am (UTC)
It should be I guess...there's enough money for it lol.
...so there aren't any official sources. I can see TL forums being like 'EG is totally doing this u gaiiizzzzzz I KNOW FROM MY LEARNINGS.' Eh good for him if it's true.