• United States



Maybe This Monster Needs to Scare Off the Attackers

Jan 28, 20094 mins
CareersData and Information SecurityIdentity Management Solutions

Back on August 31, 2007 I hammered Monster on their first, reported breach  In their messaging to customers and users alike, Monster indicated that:

We also have announced a series of initiatives we are taking to enhance security controls for our website. These initiatives are part of the infrastructure improvements that were announced by Monster before the recently reported attack. The initiatives include:

-Implementing new, robust capabilities for worldwide monitoring and surveillance of site traffic.

-Reviewing and tightening all site access policies and controls.

-Launching a series of targeted initiatives to protect job seeker contact information

This is where Sal Iannuzzi was so kind to provide his hand written signature as an attachable image in the messaging that came as an email. Since that time, Sal hired some new people to shore up security and passed the crisis communications to Patrick Manzo, the Senior VP, Global Chief Privacy Officer. 

Patrick indicates that:

The protection of your data is a high priority for Monster. Our newly redesigned Web site has, and will continue to add, safety and security features to protect your information and we want you to feel confident using it.

We continue to devote significant resources to ensure Monster has appropriate security controls in place to protect our infrastructure, and while no company can completely prevent unauthorized access to data, Monster believes that by reaching out to job seekers, the company can help users better defend themselves against similar attacks.

Do we really believe that no company can completely prevent unauthorized access to data from occurring?

Vasu Nagalingam, the Senior Product Director responsible for getting the redesign up as per the video on the site (by the way, the video takes a higher precedence on the page than the security breach notification). Are you, Vasu, responsible for security as well? You should be if this is your product! Is Vasu also responsible for the up and coming Super Bowl TV ad for Monster that will cost at least $3M for a 30-second slot?

Let’s time it come Sunday night to see how much is spent there and compare it to how much it would take to secure its website or even less, to encrypt user passwords in the database. Not encrypted you ask? Well, if you the hackers stole userids and passwords and Monster is going to have all users reset their passwords, I would strongly believe that they stored them in the clear in their database. How many users use the same password on multiple sites? Keep in mind that the cost of the air time does not include all costs to produce and create the ad.

If you can spend millions on a TV spot, how many thousands of dollars does it take to encrypt the password field? Is it even in the thousands? What did it cost to makeover this fine vehicle?

Monster’s privacy statement also reads:

Security of the Personal Information

We have implemented commercially reasonable technical and organizational measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration or disclosure. However, we cannot guarantee that unauthorized third parties will never be able to defeat those measures or use your personal information for improper purposes.

When you place an order online at Monster or Monster Networking, your credit card information is protected through the use of encryption, such as the Secure Socket Layer (“SSL”) protocol. SSL makes it difficult for your credit card information to be intercepted or stolen while being transmitted. We use a service company to process its credit card transactions. For further information on this company’s privacy and security practices, please click here.

Did you know that Monster claims to be Safe Harbor compliant and that they use Verisign’s TRUSTe services for privacy?  

Monster takes credit cards as well. I wonder how their PCI certification efforts are coming along? Hopefully they outsource this to a payment processor (or maybe I should not be hoping for this either eh Heartland ). PCI certification doesn’t work anyway. It is a point in time certification that does not focus on the ever changing threat environment. 

In light of how this year is starting off with respect to data breaches, I’m not getting a warm and fuzzy that my personal wall of shame (the wall where I collect and show off the letters I’ve received from companies who have lost my data) will not need more space.