Comments on: Jobs.ie Hacked - Anyone Else? http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/ Software for the Human Capital Industry Thu, 28 Aug 2008 13:04:33 +0000 http://wordpress.org/?v=2.5 By: Alison Deegan http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-253 Alison Deegan Sun, 06 Apr 2008 21:32:58 +0000 http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-253 I am one of the people who's CV/resume was apparently illegally downloaded. I was horrified at this. I do not have a bebo, myspace facebook or any other social networking type site that puts your information on the internet. I just wanted a job. I also tried to delet my account but all I could do was delete my CV and change my account, very poor! I have to now put up a further secure warning in my bank, I got a call from a recruitment agency, perhaps that is who downloaded the CVs. Besides all my complaining, I would like to know what exaclty will happen with my details?and why my cv it was awful!!!!!. Alison I am one of the people who’s CV/resume was apparently illegally downloaded. I was horrified at this. I do not have a bebo, myspace facebook or any other social networking type site that puts your information on the internet. I just wanted a job. I also tried to delet my account but all I could do was delete my CV and change my account, very poor! I have to now put up a further secure warning in my bank, I got a call from a recruitment agency, perhaps that is who downloaded the CVs. Besides all my complaining, I would like to know what exaclty will happen with my details?and why my cv it was awful!!!!!.
Alison

]]> By: Ivan | JobsBlog.ie http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-27 Ivan | JobsBlog.ie Wed, 02 Apr 2008 16:02:13 +0000 http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-27 Well when you get someone from a far away country that you are not too sure what continent is it on, paying with the credit card of a resident in the US, usually a very young one, subscribing to your CV database online,... as a manager of a job board, should act as a safe keeper of the users data, and should not think about the revenue that you can make quickly there. Monster had it, Jobs.ie had it, and LoadzaJobs.ie was offline the whole day yesterday!!! Just a bit too greedy.... Ivan Well when you get someone from a far away country that you are not too sure what continent is it on, paying with the credit card of a resident in the US, usually a very young one, subscribing to your CV database online,… as a manager of a job board, should act as a safe keeper of the users data, and should not think about the revenue that you can make quickly there.

Monster had it, Jobs.ie had it, and LoadzaJobs.ie was offline the whole day yesterday!!!

Just a bit too greedy….

Ivan

]]> By: Glandore Systems Blog » Blog Archive » Resume theft? Tell Us Your Story. http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-25 Glandore Systems Blog » Blog Archive » Resume theft? Tell Us Your Story. Tue, 01 Apr 2008 14:09:35 +0000 http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-25 [...] Contact « Jobs.ie Hacked - Anyone Else? [...] […] Contact « Jobs.ie Hacked - Anyone Else? […]

]]> By: paul http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-23 paul Tue, 01 Apr 2008 11:38:48 +0000 http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-23 I think it is also possible to move the upload directory to a non-web-accessible folder, that might be a better idea. But you are right, these people will go to any lengths to try and break into information rich databases. Having emails/phone numbers/backgrounds of people and addresses is a good start at the whole identity theft idea. I'm guessing that Jobs.ie did have some way of detecting the break in, maybe it was a counter for checking how many CVs were being downloaded. On Boards.ie someone mentions that up to 60k CVs could have been compromised. paul I think it is also possible to move the upload directory to a non-web-accessible folder, that might be a better idea.

But you are right, these people will go to any lengths to try and break into information rich databases. Having emails/phone numbers/backgrounds of people and addresses is a good start at the whole identity theft idea.

I’m guessing that Jobs.ie did have some way of detecting the break in, maybe it was a counter for checking how many CVs were being downloaded. On Boards.ie someone mentions that up to 60k CVs could have been compromised.

paul

]]> By: James http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-21 James Tue, 01 Apr 2008 09:36:53 +0000 http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-21 Paul, that's what I mean. There are other ways of getting to the data than accessing an open directory, and the easiest way is the Monster way - by hijacking an employer's account. By giving full search functionality to all employers, all it takes is for someone to break into an account (there are lots of ways - a brute force attack, social engineering, session hijacking, SQL injection, etc.) and they can use a bot to automatically download thousands of CVs in seconds. I don't know how many of the major job boards are protecting against this yet. One mode of protection would be to limit the number of CVs that any one account could download in a minute to protect against scripts. Breaches of this nature happen every day but are rarely disclosed, let alone making it to the newspaper. Paul, that’s what I mean. There are other ways of getting to the data than accessing an open directory, and the easiest way is the Monster way - by hijacking an employer’s account. By giving full search functionality to all employers, all it takes is for someone to break into an account (there are lots of ways - a brute force attack, social engineering, session hijacking, SQL injection, etc.) and they can use a bot to automatically download thousands of CVs in seconds.

I don’t know how many of the major job boards are protecting against this yet. One mode of protection would be to limit the number of CVs that any one account could download in a minute to protect against scripts. Breaches of this nature happen every day but are rarely disclosed, let alone making it to the newspaper.

]]> By: paul http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-19 paul Tue, 01 Apr 2008 07:50:13 +0000 http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-19 James : Technically the CVs are uploaded, and then deleted. The upload folder is protected by .htaccess in case anyone looks at it at the right/wrong time and tries to download the CV. James : Technically the CVs are uploaded, and then deleted. The upload folder is protected by .htaccess in case anyone looks at it at the right/wrong time and tries to download the CV.

]]> By: James http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-17 James Mon, 31 Mar 2008 23:56:46 +0000 http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-17 Ivan - wow, that <a href="http://www.jobsblog.ie/Jobs/developing-a-jobs-site-job-board/58" rel="nofollow">Irishgradjobs.ie security flaw</a> looks very bad - all of the resumes open in a publicly accessible folder. You are dead right in the post on your blog - there are so many job boards springing up over the past two years, far too many of them cut corners on the application development and pay little attention to security. Even medium sized job boards often do not have software developers on staff who can identify and patch security flaws when they do happen. Paul - you send the CVs direct to the employer, do you store a copy online? If not, then you have saved yourself a lot of potential headache - as they say, the only 100% secure database is the one that doesn't exist :) Ivan - wow, that Irishgradjobs.ie security flaw looks very bad - all of the resumes open in a publicly accessible folder. You are dead right in the post on your blog - there are so many job boards springing up over the past two years, far too many of them cut corners on the application development and pay little attention to security. Even medium sized job boards often do not have software developers on staff who can identify and patch security flaws when they do happen.

Paul - you send the CVs direct to the employer, do you store a copy online? If not, then you have saved yourself a lot of potential headache - as they say, the only 100% secure database is the one that doesn’t exist :)

]]> By: Ivan | JobsBlog.ie http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-15 Ivan | JobsBlog.ie Mon, 31 Mar 2008 20:17:57 +0000 http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-15 And they aer not the first and teh only one... Ivan | www.JobsBlog.ie And they aer not the first and teh only one…

Ivan | http://www.JobsBlog.ie

]]> By: paul http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-13 paul Mon, 31 Mar 2008 20:16:55 +0000 http://www.glandoresystems.com/blog/2008/03/31/jobsie-hacked-anyone-else/#comment-13 James, I would be interested to hear what you do. Currently we run jobberbase on www.jobsinireland.org , which sends the CVs direct to the employers. It's a simple approach, but it works ! <i>paul</i> James, I would be interested to hear what you do. Currently we run jobberbase on http://www.jobsinireland.org , which sends the CVs direct to the employers. It’s a simple approach, but it works !
paul

]]>