When your Empire has no Clothes

How many data points does it take to call something a trend?  With the hack and subsequent data dump of the internal files of Hacking Team, a company most of us never even knew existed until this week, the world is getting to see a very public examination of the naked inner workings of an organization. This is the second time I can think of this kind of hack occurring.  The first was, of course, Sony Pictures.

Some number of hackers have turned two different organizations inside out from a digital perspective, exposing even the mundane stuff for public ridicule.  And some of the most harshly ridiculed practices of all in both cases involved passwords and credentials.

In the case of Sony Pictures, the effect was acutely embarrassing.  Scores of Excel spreadsheets detailed personal, business, and IT system passwords, with filenames like “website passwords” and “usernames & passwords”.   When Gawker writes an article detailing what morons you are, you know it’s bad:  http://gawker.com/sonys-top-secret-password-lists-have-names-like-master_-1666775151

[Image: Sony Pictures password file listing]

In the case of Hacking Team, enough data was dumped not only for the obvious stupidity to come to light, but also for hashed passwords to be brute forced and then gleefully revealed in horrific detail on Twitter.  The examples below are (a) a dump of the admin’s Firefox password manager, and (b) an Excel spreadsheet containing VPS credentials.

[Images: Hacking Team credential dump examples (a) and (b)]

So, let’s assume that this ‘dump and roast’ trend is really a trend, and will continue.  Perhaps it puts a little more personal skin in the game.  We all get lazy. We all take shortcuts.  But now there is a risk that all those shortcuts get dissected at a later date, with a very sharp scalpel.

Trying to look competent during examination by your Future Hacker Overlords.  It’s an odd thing to imagine as a security influence.  But right now, it feels like it might become a thing….

Google Plus: Minus 1

Google Plus started out so well!  It was pleasant, easy, and there was a lovely gratification in adding people to circles and being added in return.  It felt like finally, perhaps somebody at Google had figured out how to be social!  People were sharing, and communicating, and suddenly it seemed like maybe there might be an alternative to Facebook that had a chance.

And then…. Google started enforcing their real names policy.  Obsessively.  The fly in the ointment?  While Google can state that they require real names, they have no definitive way to determine which names are real.  The result is an offensively discriminatory process of identifying names that don’t appear to conform and requiring proof of identity only from those people.

My question to Google:  what exactly are you trying to accomplish?  Because I thought you were trying to create a welcoming place where insights and observations were shared with fellow end users who have formed a relationship with each other.   A place where users invite each other to talk and manage relationships themselves.

Instead, the real names policy is a gating factor, at a time when the service is just struggling to gain critical mass.  You have real people with odd names being banned from using Plus and required to prove their identity.  You have people with excellent internet reputations banned because they publish under a nickname.   The result is a ridiculously easy-to-game entrance requirement that punishes those who genuinely want to express their individuality, while offering a loophole the size of a planet for anyone else to slide through.

And for what?   In the identity industry we often talk about trading value for value.  In theory, users are willing to take extra steps in order to get extra value.  Is Google Plus about high assurance transactions for which the friction, pain and invasiveness associated with identity vetting is a worthwhile trade?  No. Completely outside of any question of whether a real names policy is right or wrong, enforcement of this policy is bad for business, if the business is supposed to be that of creating a popular and well-used platform that keeps users inside their Google bubble all the time.

The people I want in my social circles prove themselves over time. They say smart things and engage in positive ways. Requiring government identification before engaging in casual conversation would be considered horribly antisocial in real life – why does Google think it’s ok in the social networking world?   They are choking the life and personality out of their own service, before it has even had the chance to flourish.

Is it worth trying to communicate the facepalm that is Google Plus’s real names enforcement to Google in some quantifiable sense?  Perhaps the numbers-oriented folks at Google might look at a huge number of accounts that have been banned from the Plus service and say “hey, maybe that’s bad”?   If so it might be worth adding that nickname in parentheses to your profile.  If Google is going to force identity vetting, they should be prepared to do it for all 20 million accounts.  And they should be prepared to monitor, and maintain, and police, and arbitrate.  And what will be the result?  An accountable digital space.   Sounds like a blast, right?  Party at Google Plus, bring your flights of fancy along for the ride…


Digital Dumpster Diving

Brian Krebs wrote a fascinating post recently on keylogger results that are being posted in various cloud locations.  As Brian put it, insult is added to injury — not only has your machine been compromised, but the results are hanging out on the internet to be scavenged by random opportunists who know what to look for.

And to think that the biggest worry used to be shredding our documents to prevent physical opportunists from sorting through our leavings…

Photo credit:  http://www.flickr.com/photos/sumit/

CardSpace *OR* ADFS 2.0

Microsoft announced last Tuesday that CardSpace 2.0 beta would not be releasing at the same time as ADFS 2.0.  That fact may not have immediate significance to you, but it certainly does to me.  Microsoft, you’ve blown it.

On one hand, I’m immensely relieved. A premature release of CardSpace 2.0 would have removed personal card support from the desktop, meaning that CardSpace would have been relegated to nothing more than Home Realm discovery.

On the other hand…  We won’t know for sure until ADFS 2.0 ships, but from what I and other people have seen from the beta and release candidate versions, Microsoft has broken backward compatibility with CardSpace 1.0.  This means that unless Microsoft has taken recent steps to regress their information card issuance code, ADFS 2.0 will ship in information card limbo.

I am trying not to care and failing miserably.   Let’s face it, Microsoft can release their software in whatever shape they see fit.  If they want to, they can release an initial version of a client with no server, and then release a version of the server *years* later that can’t work with the initial client, and can’t be deployed with the later client because that later client “isn’t done yet”.  I’m sure that the collateral damage is the least of their problems, and I actually know and understand better than most what internal and external pressures may have been brought to bear.   Resources are precious, and both FIM and ADFS have slipped themselves, so somebody had to draw a line.

But see, people were waiting.  Big companies, waiting to run information card pilots.  Governments, excited to use ADFS 2.0 to implement higher-assurance consumer identity projects.  There weren’t a huge number of interested parties, but dammit, they were BIG interested parties.  Those interested parties need a sustainable closed circle — a production server and a production client.   Not a production server that can only work with a client that “isn’t done yet”.

In the meantime, there is a very hardy little information card community that can at least now stop the horrible waiting and wondering game with respect to ADFS 2.0 and CardSpace 2.0.  The choice for the immediate future is becoming clear:  CardSpace 1.0 remains the de facto standard for information cards.  The rest is moot. Regardless of the hole that Microsoft may have dug for itself,  the quality and uniqueness of the interactions that the IMI spec makes possible are undeniable, and I hope inevitable in some variant. I continue to believe that this protocol represents our best hope to regain rational control over our own digital relationships.

It is entirely possible that companies like Azigo and Avoco Secure will see the silver lining here and do the extra work to shim up the ADFS server to work again with the rest of our ecosystem.  We’re not out for the count, and at least now we finally know what the biggest player in our space plans, even if it is a big fat WTF…

Commercial Phishing

Twitter broke a very interesting story this week about a hacker who bulk-harvested account details by installing backdoors in a popular torrent hosting solution.  Users registered for a valid service, and received value in return, but all the while, their details were being stolen.

This would be a pretty boring phish, except for the part where users re-use passwords and account names ALL THE TIME.  The current trend is upsell — harvest a low-value throwaway password at an insecure site and then see what high value matches can be made with the same username and password.

Identity theft via phishing used to be a consumer identity problem, but cloud services and extranets have changed that.  There is now a new game in town:  commercial phishing.  If your enterprise users are uninformed enough to use their work email and a standard, muscle-memory password at a site like a torrent site, attackers now have a growing list of possible commercial candidates for that account.  Of course there is always the chance that the worst case scenario will happen and an attacker will harvest your entire Enterprise Directory.   You may say, my company is obscure, what use would hacking my company be?   Well, if you use Outlook Web Access, and your AD password is phished, and your accountant uses his/her work email address for password recovery on your corporate banking site, there is a path for an attacker to get at your organization’s money from the internet.

I think it’s hysterical that a company will spend all sorts of money on education of their workforce around physical safety and nothing on account safety.  Why is there not a brightly colored data safety reminder on every floor, something to idly inspect while you’re waiting for the elevator?  As much as you scoff at the idea, the very prosaic advice that this fire poster offers DOES help in muscle-memory situations.  The strategy of setting out simple rules and making them highly visible does work.

Not only does a sign like this not exist for account safety, I don’t even think that there is agreed-upon text to go on it.  No wonder we’re in the state we’re in.

Sears == Slimy

I want to talk about the Sears Holding Company, and I have nothing nice to say.

They encouraged their own Sears and Kmart CUSTOMERS to download a piece of software that seriously compromised privacy, transmitting banking details, unrelated shopping cart details, and online prescription orders back to the mothership.

To me, this is worse than an accidental breach.  This isn’t about ignorance or stupidity, but about willful intent to do harm.  A whole group of people inside this organization decided it was a good idea to write a piece of software that “monitored consumers’ online secure sessions – including sessions on third parties’ Web sites – and collected consumers’ personal information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for Web-based e-mails” (from the FTC notice).   How could this project be designed, written, approved, and then evangelized without anyone raising the ethical issues?  How about the lack of respect shown to the very group of people whose privacy the Sears Holding group should have felt beholden to protect?  Worse, why *could* it be done? Oh yes, right.  We all use operating systems every day that have an egregious lack of granularity in access control.

There is little to do except spit in Sears’ general direction – so I do.   Ptooey.

Second Class (Non) Citizens

Just in case you all still thought that on the internet, no one knows you’re a dog: Heaven forbid you’re a plain ol’ Canadian dog who wants to experience streaming content now and then… and no, things like Hotspot Shield don’t work, sites like Hulu have been assiduous in their efforts to ensure that I cannot be a customer.

The truth is:  yes I am disappointed, and no I don’t understand.  I am sure this all about somebody somewhere insisting that I not be served until they get their pound of flesh.  I’m willing to PAY for my little part of whatever kickback has to happen – but apparently that isn’t enough.  It would seem that profitability can only be found in a scheme that rewards large demographics and denies everyone else.  What a shame.

Pandora ONE: US-only

Pandora ONE: Canadian FAIL

DIY Security for the Utterly Paranoid

I talked to several people who were somewhat disturbed about my last blog post.  Surely it can’t be that easy?

The potential exists – and I think it is worthwhile to ask why.  Most people have been taught to guard their passwords, but have been carefully instructed to feel no responsibility for the other ways in which an attacker could access their account.  Why is it we can educate about password complexity and reuse, but don’t want to explain under what circumstances a “personal identification” answer might be used?   Why is it we will force a user to change their password every three months, but the email address that would be used in case of a password recovery effort is never tested, and security questions are never refreshed or reinforced?   Why is it that we as a culture have recognized the concept of a “fire drill” in the real world, and advise people to understand alternate exit routes in cases where the elevators are out of order, but in the online world, we feel that advising those users who happen to be of the more concerned persuasion to familiarize themselves with and verify the operation of the page behind their “forgot my password” links is a crazy and unthinkable thing to ask?

If you are someone who worries about being hacked, and if you are willing to take a little bit of time and energy to at least understand the risk you might be facing, my advice to you is:  Go forth and recover.

Go ahead.  Recover all of your accounts.  You probably needed to rotate those passwords anyway.  Find those “forgot password” links and click ’em. Chances are, you will be able to reset your password in an automated fashion,  either by answering a pre-specified question, or by getting a link sent to an email account (sometimes, both approaches are combined).    If you are asked a question, is the answer guessable?  Is it searchable?  Is it short? Is it a single dictionary word?   Can you control the guessability of the answer, or is it a hard-coded format such as a postal code or a birthdate?   If you are emailed a link, follow the chain to your email provider and recover your password there too.   Is it more pre-specified questions?  Are they the same questions? Were you required to click on a link sent to yet another email address?  If so, follow the chain again.  Rinse and repeat.  This is the same trail that a hacker would follow – often they find something you’ve forgotten, something out of date, an expired account or a typo that you never would guess could end up in a compromise of your identity.  Password recovery mechanisms were used to compromise Sarah Palin’s email account, and also used to steal corporate data from Twitter.   If you can satisfy yourself that the password recovery loop is closed, that your answers are not guessable, that you haven’t specified incorrect, out-of-date, or non-existent email addresses, and that the services you use don’t use unsafe mechanisms, you will be safer.
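The walk described above can be written down as a small audit over an inventory of your own accounts. The following is an added example, not code from the original post: it models each account's "forgot password" path (a recovery mailbox, security questions, or both), follows the chain from a starting account, and reports the weak links the paragraph lists: guessable or searchable answers, question-only resets, addresses you no longer control or never registered, and chains that loop back on themselves. The account names, questions, answers and the tiny common-answer list are constructed placeholders.

```python
"""Constructed model of a password-recovery chain, walked the way the post
describes: follow each "forgot password" path until it closes or dangles.
Hypothetical account inventory; not the author's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Stand-in for a dictionary / common-answers list (constructed for the demo).
COMMON_ANSWERS = {"fluffy", "smith", "toronto", "blue", "password", "1234"}
# Question wording that usually points at a publicly discoverable fact.
SEARCHABLE_HINTS = ("postal", "zip", "birth", "city", "school", "mother", "pet")


@dataclass
class Account:
    name: str
    recovery_email: Optional[str] = None          # name of the account that receives reset links
    questions: List[Tuple[str, str]] = field(default_factory=list)  # (question, answer)
    owned: bool = True                            # False: you no longer control it (expired, typo)


def answer_findings(question: str, answer: str) -> List[str]:
    """Weaknesses of one security-question answer, judged as an attacker would."""
    issues = []
    a = answer.strip().lower()
    if len(a) < 6:
        issues.append("short")
    if a in COMMON_ANSWERS:
        issues.append("dictionary/common word")
    if a.isdigit():
        issues.append("all digits (date, PIN or postal-code shaped)")
    if any(hint in question.lower() for hint in SEARCHABLE_HINTS):
        issues.append("publicly searchable fact")
    return issues


def audit_recovery_chain(inventory: Dict[str, Account], start: str) -> List[str]:
    """Follow recovery_email links from `start`; report every weak link on the way."""
    findings = []
    visited = []
    current: Optional[str] = start
    while current is not None:
        if current in visited:
            findings.append(f"{current}: recovery chain loops back on itself; "
                            "compromising any account in the loop yields all of them")
            break
        visited.append(current)
        acct = inventory.get(current)
        if acct is None:
            findings.append(f"{current}: recovery address is not in your inventory "
                            "(typo, expired, or belongs to someone else)")
            break
        if not acct.owned:
            findings.append(f"{current}: you no longer control this account")
            break
        for question, answer in acct.questions:
            for issue in answer_findings(question, answer):
                findings.append(f"{current}: answer to '{question}' is {issue}")
        if acct.questions and acct.recovery_email is None:
            findings.append(f"{current}: resettable by question alone, no second channel")
        current = acct.recovery_email
    return findings


# Constructed inventory: names are placeholders, not real services or addresses.
INVENTORY = {
    "bank": Account("bank", recovery_email="work-mail",
                    questions=[("Mother's maiden name", "Smith")]),
    "work-mail": Account("work-mail", recovery_email="old-isp-mail"),
    "old-isp-mail": Account("old-isp-mail", owned=False),
    "shopping": Account("shopping", recovery_email="personal-mail"),
    "personal-mail": Account("personal-mail", recovery_email="shopping"),
}

if __name__ == "__main__":
    for root in ("bank", "shopping"):
        for line in audit_recovery_chain(INVENTORY, root):
            print(line)
```

Run it and the "bank" chain reports three problems with the maiden-name answer and then stops at the ISP mailbox that is no longer yours, which is exactly the forgotten, out-of-date link the paragraph warns about; the "shopping" chain reports a mutual-recovery loop, where whoever gets into either account gets both.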

Don’t believe me?  Check out the techniques this guy used to compromise the identity of a mere acquaintance.  He gained access to supposedly “secure” accounts whose password recovery mechanisms depended on grossly guessable data.

Should you have to do this?  No.  Not according to almost anyone in this business.  Are you expected to do this?  Of course not.  How many people actually memorize an alternate exit route from every hotel room they ever stay in?  Only the ultra paranoid, I am sure.  Still, if you care, if you are motivated,  and if you want to know what to do, perhaps this can be a starting point.

We have a winner!

I’m revising my “anti-chick-magnet” list to add this one: A reputation for animal cruelty.  What female is going to date a guy who kills a pet in a fit of drunken jealousy?   Prior to this, my favorite candidate for grossing out a potential date was to have a nice set of compensatory male genitalia hanging from your truck’s trailer hitch, but I definitely feel that the incumbent has been ousted.

I have high hopes that Mr. Joseph Petcka will find his dating options to be rather sparse after this.   After all, you can take the macho crap off of your truck, but it’s pretty tough to get past the Internet searches that proclaim that you killed a 7lb declawed cat in self-defense…

Playing with Fire

Even as the infrastructure around Information Cards and other user-centric and/or federated identity initiatives grows and matures, other groups & technologies are trying to solve the same problems. Browsers have had password managers forever, for example.

Browsers, however, do not travel to the service whose passwords you have entrusted to them and actually authenticate in order to farm your accounts for information.

This service does, however:

We already have RSS feeds – why not account feeds? These guys figure that if we just give them all of our usernames and passwords for all of our silos, they can give us a one-page dashboard of all of our bank balances, point balances, incoming email, you name it. Well actually, they name it. Because they can take whatever they want out of your account. Best part is: they reserve the right to use that data to market things back to you. But hey – you don’t have to enter your password when you go to any of the aggregated sites…

I have no problem with the general idea. I know people who would love to see all of their numbers from all of their investments, etc, all in one page, including a handy little “login now ” link for the website of each institution. What I do have a MASSIVE problem with, is the underlying technology used to achieve this end.

The whole site is based on credential management. You give this company complete access to your bank accounts, and they give you a pretty aggregated screen back. They authenticate as you and pull out whatever information they want, with no controls, no visibility into what they are doing while authenticated, and the obvious ability to make programmatic use of your credentials as often as they wish. You give it all to them, completely at the mercy of their ethics, business practices, and technological failsafes. Such a scheme benefits neither side of the transaction.

To me, this is a perfect illustration of the long-term future of federated identity. You want an aggregated account feed? Authorize a specific service to request a specific amount of information from your account. Want a handy login link? No problem, part of the information you can give the aggregator is your relying party endpoint, and next thing you know, you are asked to directly authenticate to the site in question, in a consistent fashion, using credentials that you trust, and that only you possess. Perhaps you don’t even need to do that – perhaps the aggregation site participates in a ‘circle of trust’ that in fact means you can seamlessly travel to your bank site. Chances are, this won’t happen though — and for very good reasons: chances are banks may not trust the aggregation site. If they do trust the aggregation site, you can bet there is legal work backing that trust relationship up. What legal work backs up a user who gives their credentials away to a third party? There is no difference in user experience – but a world of difference in risk mitigation, in transactional repudiation, in auditability, heavens, pick any security or privacy buzzword, and it probably applies.
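The difference between "give them your password" and "authorize a specific service for a specific amount of information" is easiest to see in code. What follows is an added example, not the post's, the aggregator's or any bank's code: a toy bank that offers both access paths. In the first, the aggregator logs in with the user's password and can do anything the user can, and the audit trail cannot tell the two apart. In the second, the user issues the aggregator an HMAC-signed token bound to a client name, a scope list and an expiry; the bank checks scope on every operation, records who acted and under which scope, and can revoke the token without the user changing a password. The signed-token format, the `read:balance`/`write:transfer` scope names, and "alice"/"aggregator" are constructed stand-ins for whatever a real federation protocol would carry, not the IMI or any specific standard.

```python
"""Constructed toy of the two models the post contrasts: an aggregator holding
the user's bank password versus an aggregator holding a scoped, revocable
token the user authorized. Hypothetical names and formats throughout."""
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"bank-token-signing-key (demo only)"   # constructed; a real key lives in an HSM/KMS


class Bank:
    def __init__(self):
        self.passwords = {"alice": "correct horse"}     # constructed demo user
        self.balances = {"alice": 1200}
        self.revoked = set()                            # token ids the user has revoked
        self.audit = []                                 # (user, acting client, scope, allowed)

    # --- path 1: the aggregator simply logs in as the user -------------------
    def login(self, user, password):
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        return {"user": user, "scopes": None}           # None: everything the user can do

    # --- path 2: the user authorizes a named client for specific scopes --------
    def issue_token(self, user, client, scopes, ttl=3600, now=None):
        now = time.time() if now is None else now
        body = {"sub": user, "client": client, "scopes": scopes,
                "exp": now + ttl, "jti": f"{client}-{int(now)}"}
        payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
        sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{sig}"

    def session_from_token(self, token, now=None):
        now = time.time() if now is None else now
        payload, sig = token.rsplit(".", 1)
        expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):       # constant-time compare
            raise PermissionError("bad signature")
        body = json.loads(base64.urlsafe_b64decode(payload))
        if body["exp"] < now:
            raise PermissionError("token expired")
        if body["jti"] in self.revoked:
            raise PermissionError("token revoked")
        return {"user": body["sub"], "client": body["client"], "scopes": set(body["scopes"])}

    def revoke(self, token):
        payload = token.rsplit(".", 1)[0]
        self.revoked.add(json.loads(base64.urlsafe_b64decode(payload))["jti"])

    # --- operations, each gated on the scope it needs and written to the audit log
    def read_balance(self, session):
        return self._do(session, "read:balance", lambda u: self.balances[u])

    def transfer(self, session, amount):
        def op(u):
            self.balances[u] -= amount
            return self.balances[u]
        return self._do(session, "write:transfer", op)

    def _do(self, session, scope, op):
        allowed = session["scopes"] is None or scope in session["scopes"]
        self.audit.append((session["user"], session.get("client", "password-login"), scope, allowed))
        if not allowed:
            raise PermissionError(f"token lacks scope {scope}")
        return op(session["user"])


def token_accepted(bank, token, now=None):
    """True if the bank would open a session for this token right now."""
    try:
        bank.session_from_token(token, now=now)
        return True
    except PermissionError:
        return False


def demo():
    bank = Bank()
    # Credential sharing: the aggregator is indistinguishable from Alice and can move money.
    shared = bank.login("alice", "correct horse")
    bank.transfer(shared, 500)
    # Scoped token: read-only, attributable in the audit log, revocable.
    tok = bank.issue_token("alice", "aggregator", ["read:balance"])
    sess = bank.session_from_token(tok)
    balance = bank.read_balance(sess)
    try:
        bank.transfer(sess, 500)                        # refused: scope not granted
    except PermissionError:
        pass
    bank.revoke(tok)                                    # no password change needed
    return bank, balance, token_accepted(bank, tok)


if __name__ == "__main__":
    bank, balance, still_valid = demo()
    print("balance seen by aggregator:", balance, "| token still valid:", still_valid)
    for entry in bank.audit:
        print(entry)
```

The audit log is the point of the exercise: with the shared password the transfer is recorded as Alice acting through a password login, and the bank has no way to know a third party did it; with the token the refused transfer is recorded against "aggregator" with the scope it tried to use, which is the repudiation and auditability the paragraph is talking about.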

What do these guys have? They have a beautiful, easy-to-use interface. They solve a problem that many people are eager to have solved. They have some fancy logos in their footer that show they at least get the fact that what they are doing had better damn well be secure. But – in my opinion, they are basing all of this on a foundation that is quickly tilting sideways.

The whole “give us your account credentials” trend, whether it be for social networking or any other kind of data aggregation, is a serious problem. Allowing such practices to gain a foothold in users’ minds as a valid practice simply because they are starting with “inconsequential” data is a surefire way to make future battles a lot tougher to fight in this area.

The good news is, this site is yet another validation of what the user-centric identity folks have long said. Silos are bad. People hate them. They want their online lives to improve, and they want improvement now, not in 5 years. The bad news is, if we don’t galvanize our industry into wholesale participation in providing an alternative in the near future, this site serves as an exact answer to where the world will go.