[Owasp-board] LivingSocial

Tom Brennan tomb at owasp.org
Sat Apr 27 01:06:25 UTC 2013


If Tim O'Shaughnessy does not have a problem with it, nor should you.

On Apr 26, 2013, at 8:47 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Tom,
> 
> This is not about fact, this is about judgement in communication when using official OWASP accounts.
> 
> Why do you think - in any way - that it's reasonable for an official OWASP account (not your personal account) to call out a company who is a longtime OWASP sponsor when they got hacked?
> 
> Your lack of good judgement is disturbing. What you did to @LivingSocial is foolish at best.
> 
> - Jim
> 
> 
>> 
>> Yes, they were hacked like many others every day; your jihad is ridiculous, Jim.
>> It's not a Weev troll, rather a FACT.
>> 
>> You're all spun up about this?
>> 
>> image.png
>> 
>> Or was it something else? Let's be clear.
>> 
>> 
>> 
>> Begin forwarded message:
>> 
>>> From: Erica Absetz <erica at riskbasedsecurity.com>
>>> Date: April 26, 2013, 6:29:44 PM EDT
>>> To: <dataloss-discuss at datalossdb.org>, <dataloss at datalossdb.org>
>>> Subject: [Dataloss] Cyberattackers hack into LivingSocial, 50 million customers impacted
>>> 
>>> http://www.usatoday.com/story/news/nation/2013/04/26/liviing-social-hacked-passwords-amazon/2116485/
>>> 
>>> LivingSocial, the daily deals site owned in part by Amazon, has
>>> suffered a massive cyberattack on its computer systems, according to
>>> officials at the company.
>>> 
>>> The breach has impacted 50 million customers of the Washington,
>>> D.C.-based company, who will now be required to reset their passwords.
>>> All of LivingSocial's countries across the world appear to have been
>>> affected, except in Thailand, Korea, Indonesia and the Philippines.
>>> 
>>> The firm began sending emails to customers Friday afternoon telling
>>> them they would have to change their site passwords.
>>> 
>>> "We recently experienced a cyber-attack on our computer systems that
>>> resulted in unauthorized access to some customer data from our
>>> servers. We are actively working with law enforcement to investigate
>>> this issue," LivingSocial CEO Tim O'Shaughnessy said in an email.
>>> 
>>> The memo said that customer credit card information was not stolen —
>>> it was stored in a separate database. And while the hacker stole
>>> customer passwords, they were encrypted and "salted," or scrambled.
>>> 
>>> "Although your LivingSocial password would be difficult to decode, we
>>> want to take every precaution to ensure that your account is secure,
>>> so we are expiring your old password and requesting that you create a
>>> new one," O'Shaughnessy said.
>>> 
>>> The company advised consumers who used their LivingSocial password at
>>> other sites to change their password at those sites, also.
>>> 
>>> The firm expects its customer service phone lines to be deluged, so
>>> O'Shaughnessy warned that he may decide to temporarily suspend
>>> telephone customer service relations.
>>> 
>>> "Because we anticipate a high call volume and may not be able to
>>> answer or return all calls in a responsible fashion, we are likely to
>>> temporarily suspend consumer phone-based servicing. We will be
>>> devoting all available resources to our Web-based servicing," he said.
>> 
>> On Apr 26, 2013, at 8:00 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> 
>>> Sarah,
>>> 
>>> I trust your good intentions and I think the problem was from @AppSecUSA and 
>>> not from @OWASP.
>>> 
>>> I think we should have someone more responsible running the @AppSecUSA. This 
>>> is a major error in judgement and it's not the first time.
>>> 
>>> I also changed the password to @OWASP and shut down all connections to third 
>>> party apps. I'll get the password to you very soon.
>>> 
>>> Aloha,
>>> Jim
>>> 
>>> 
>>>> Jim and all - this particular RT (not original from appsecusa) is my
>>>> fault and was trying to do something quick (retweeting something else)
>>>> and not thinking. I will send an apology to LivingSocial.
>>>> 
>>>> Regards,
>>>> 
>>>> Sarah
>>>> 
>>>> On Apr 26, 2013, at 7:37 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>> 
>>>>> LivingSocial just got hacked and the @AppSecUSA Twitter account just called 
>>>>> them out on social media. And the @owasp account retweeted it (not from me).
>>>>> 
>>>>> This is absolutely and positively unacceptable from official OWASP accounts. 
>>>>> LivingSocial is an OWASP sponsor and provides the OWASP Northern Virginia 
>>>>> chapter with a physical location for chapter meetings. And even if they were 
>>>>> not sponsors, OWASP should never be trying to call out or shame folks who 
>>>>> get hacked. It's trashy at best.
>>>>> 
>>>>> Who runs this account and what were you thinking? Or more like, you were not 
>>>>> thinking. Why would OWASP ever officially try to call someone out after they 
>>>>> were hacked?
>>>>> 
>>>>> I'm fairly sure this was Tom Brennan. Can we please have someone more 
>>>>> sensible and responsible managing official OWASP communication? This is not 
>>>>> the first time...
>>>>> 
>>>>> Regards,
>>>>> Jim Manico
>>>>> OWASP Board Member
>>>>> 
>>>>> 
>>>>> 
>>>>> -------- Original Message --------
>>>>> Subject: ??
>>>>> Date: Fri, 26 Apr 2013 18:36:35 -0400
>>>>> From: Jack Mannino <jack at nvisiumsecurity.com>
>>>>> To: Jim Manico <jim.manico at owasp.org>
>>>>> 
>>>>> Wtf is this shit? They generously give my chapter an awesome space to use 
>>>>> every month, and Mike McCabe (promoted to Ken's job after he came to work 
>>>>> for me) serves on the NoVa chapter board with me. I have no clue who posted 
>>>>> that, but that's a good way to get a solid sponsor to say fuck you to us.
>>>>> 
>>>>> -Jack
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>> 
> 