
October 06, 2009



Payroll Associates Inc, any response to this?
(silence except for sounds of crickets chirping)

Chris Erwin

I've sent you an email, but one thing I'm concerned about is that the emails were sent with the username and part of the password that end-users use to log into the Paychoice portal. This seems to indicate that the attackers were able to pull at least some data from Paychoice. It also means that passwords are stored, at least partially, as plaintext or by some two-way algorithm instead of a one-way hash as it should be.

So, from my perspective, Paychoice cannot be considered secure.



  • Steve Friedl is a software and network security consultant in Southern California. He has been a C and UNIX developer since 1981 and has an exceptionally broad background in this area. Some areas of expertise include:

    • C and C++ systems software development on the UNIX and Win32 platforms
    • Communications, including serial and TCP/IP based controllers
    • Enterprise internet security administration and configuration
    • Penetration tests, audits, and network reviews
    • Security forensics, reverse engineering, and tools development
    • General UNIX and Windows system/network administration
    • The Windows Printing System
    • Database software development
    • Technology problem solving and research
    • Technical writing and standup training

Unix Wiz

Stephen J. Friedl
Software Consultant
Orange County, CA USA
Steve@unixwiz.net