• 05Feb
    Categories: Identity Theory, U-G-L-Y

    Twitter broke a very interesting story this week about a hacker who bulk-harvested account details by installing backdoors in a popular torrent hosting solution.  Users registered for a valid service, and received value in return, but all the while, their details were being stolen.

    This would be a pretty boring phish, except for the part where users re-use passwords and account names ALL THE TIME.  The current trend is upsell — harvest a low-value throwaway password at an insecure site and then see what high value matches can be made with the same username and password.

    Identity Theft via phishing used to be a consumer identity problem, but Cloud services and extranets have changed that.  There is now a new game in town:  commercial phishing.  If your enterprise users are uninformed enough to use their work email and a standard, muscle-memory-password at a site like a torrent site, attackers now have a growing list of possible commercial candidates for that account.  Of course there is always the chance that the worst case scenario will happen and an attacker will harvest your entire Enterprise Directory.   You may say, my company is obscure, what use would hacking my company be?   Well, if you use outlook web access,  and your AD password is phished, and your accountant uses his/her work email address for password recovery on your corporate banking site, there is a path for an attacker to get at your organization’s money from the internet.

    I think it’s hysterical that a company will spend all sorts of money for education of their workforce around physical safety and nothing on account safety.  Why is there not a brightly colored data safety reminder on  every floor, something to idly inspect while you’re waiting for the elevator?  As much as you scoff at the idea, the very prosaic advice that this fire poster offers DOES help in muscle-memory situations.  The strategy of setting out simple rules and making them highly visible does work.

    Not only does a sign like this not exist for account safety, I don’t even think that there is agreed-upon text to go on it.  No wonder we’re in the state we’re in.

  • 24Sep

    I want to talk about the Sears Holding Company, and I have nothing nice to say.

    They encouraged their own Sears and Kmart CUSTOMERS to download a piece of software that seriously compromised privacy, transmitting banking details, unrelated shopping card details, and online prescription orders back to the mothership.

    To me, this is worse than an accidental breach.  This isn’t about ignorance or stupidity, but about willful intent to do harm.  A whole group of people inside this organization decided it was a good idea to write a piece of software that “monitored consumers’ online secure sessions – including sessions on third parties’ Web sites – and collected consumers’ personal information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for Web-based e-mails” (from the FTC notice).   How could this project be designed, written, approved, and then evangelized without anyone raising the ethical issues?  How about the lack of respect shown to the very group of people whose privacy the Sears Holding group should have felt beholden to protect?  Worse, why *could* it be done? Oh yes, right.  We all use operating systems every day that have an egregious lack of granularity in access control.

    There is little to do except spit in Sears’ general direction – so I do.   Ptooey.

  • 06Sep
    Categories: U-G-L-Y

    Just in case you all still thought that on the internet, no one knows you’re a dog: Heaven forbid you’re a plain ol’ Canadian dog who wants to experience streaming content now and then… and no, things like Hotspot Shield don’t work, sites like Hulu have been assiduous in their efforts to ensure that I cannot be a customer.

    The truth is:  yes I am disappointed, and no I don’t understand.  I am sure this is all about somebody somewhere insisting that I not be served until they get their pound of flesh.  I’m willing to PAY for my little part of whatever kickback has to happen – but apparently that isn’t enough.  It would seem that profitability can only be found in a scheme that rewards large demographics and denies everyone else.  What a shame.

    Pandora ONE: US-only

    Pandora ONE: Canadian FAIL

  • 26Aug

    I talked to several people who were somewhat disturbed about my last blog post.  Surely it can’t be that easy?

    The potential exists – and I think it is worthwhile to ask why.  Most people have been taught to guard their passwords, but have been carefully instructed to feel no responsibility for the other ways in which an attacker could access their account.  Why is it we can educate about password complexity and reuse, but don’t want to explain under what circumstances a “personal identification” answer might be used?   Why is it we will force a user to change their password every three months, but the email address that would be used in case of a password recovery effort is never tested, and security questions are never refreshed or reinforced?   Why is it that we as a culture have recognized the concept of a “fire drill” in the real world, and advise people to understand alternate exit routes in cases where the elevators are out of order, but in the online world, we feel that advising those users who happen to be of the more concerned persuasion to familiarize themselves with and verify the operation of the page behind their “forgot my password” links is a crazy and unthinkable thing to ask?

    If you are someone who worries about being hacked, and if you are willing to take a little bit of time and energy to at least understand the risk you might be facing, my advice to you is:  Go forth and recover.

    Go ahead.  Recover all of your accounts.  You probably needed to rotate those passwords anyway.  Find those “forgot password” links and click ‘em. Chances are, you will be able to reset your password in an automated fashion,  either by answering a pre-specified question, or by getting a link sent to an email account (sometimes, both approaches are combined).    If you are asked a question, is the answer guessable?  Is it searchable?  Is it short? Is it a single dictionary word?   Can you control the guessability of the answer, or is it a hard-coded format such as a postal code or a birthdate?   If you are emailed a link, follow the chain to your email provider and recover your password there too.   Is it more pre-specified questions?  Are they the same questions? Were you required to click on a link sent to yet another email address?  If so, follow the chain again.  Rinse and repeat.  This is the same trail that a hacker would follow – often they find something you’ve forgotten, something out of date, an expired account or a typo that you never would guess could end up in a compromise of your identity.  Password recovery mechanisms were used to compromise Sarah Palin’s email account, and also used to steal corporate data from Twitter.   If you can satisfy yourself that the password recovery loop is closed, that your answers are not guessable, that you haven’t specified incorrect, out-of-date, or non-existent email addresses, and that the services you use don’t use unsafe mechanisms, you will be safer.

    Don’t believe me?  Check out the techniques this guy used to compromise the identity of a mere acquaintance.  He gained access to supposedly “secure” accounts whose password recovery mechanisms depended on grossly guessable data.

    Should you have to do this?  No.  Not according to almost anyone in this business.  Are you expected to do this?  Of course not.  How many people actually memorize an alternate exit route from every hotel room they ever stay in?  Only the ultra paranoid, I am sure.  Still, if you care, if you are motivated,  and if you want to know what to do, perhaps this can be a starting point.
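    As an added illustration of the chain-walking the post describes (this is not code from the original post), the script below models a small account inventory and follows each “forgot my password” link the way the post suggests, flagging answers that are short, a dictionary word, a fixed format such as a postal code or birthdate, or reused across accounts, plus recovery mailboxes that are expired or not yours. The account names, word list and answers are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

COMMON_WORDS = {"fluffy", "toronto", "smith", "honda", "lincoln"}  # stand-in word list
FORMATS = {"birthdate format": r"\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4}",
           "postal code format": r"[a-z]\d[a-z] ?\d[a-z]\d|\d{5}"}

@dataclass
class Account:
    name: str
    recovery_email: str | None = None          # account that receives reset links
    questions: dict[str, str] = field(default_factory=dict)  # question -> answer
    active: bool = True                        # False for expired/abandoned mailboxes

def answer_findings(answer: str) -> list[str]:
    """The post's tests for a recovery answer: short, dictionary word, fixed format."""
    a = answer.strip().lower()
    weak = ["short"] if len(a) < 6 else []
    if a in COMMON_WORDS:
        weak.append("dictionary word")
    weak += [label for label, pat in FORMATS.items() if re.fullmatch(pat, a)]
    return weak

def audit(inventory: dict[str, Account], start: str) -> list[str]:
    """Follow the recovery chain from `start` until it loops back or ends, reporting
    weak or reused answers, dead mailboxes and links to accounts you do not control."""
    findings, seen, used, current = [], [], {}, start
    while current is not None and current not in seen:
        seen.append(current)
        acct = inventory.get(current)
        if acct is None:
            findings.append(f"{current}: recovery address is not an account you control")
            return findings
        if not acct.active:
            findings.append(f"{current}: recovery mailbox is expired or abandoned")
        for q, ans in acct.questions.items():
            weak = answer_findings(ans)
            if ans.lower() in used:
                weak.append(f"reused from {used[ans.lower()]}")
            used.setdefault(ans.lower(), current)
            if weak:
                findings.append(f"{current}: answer to '{q}' is {', '.join(weak)}")
        current = acct.recovery_email
    findings.append(f"chain closes on {current}; loop verified" if current else
                    f"{seen[-1]}: chain ends here, every link was under your control")
    return findings

# Constructed inventory: bank -> webmail -> a cancelled ISP mailbox -> back to webmail.
INVENTORY = {
    "bank": Account("bank", "webmail", {"First pet's name": "Fluffy"}),
    "webmail": Account("webmail", "old-isp", {"City of birth": "Toronto"}),
    "old-isp": Account("old-isp", "webmail", {"Postal code": "M5V 2T6", "First pet's name": "Fluffy"}, active=False),
}
```

Running `audit(INVENTORY, "bank")` walks bank, webmail and old-isp, reports the dead ISP mailbox and the reused pet name, and confirms the chain loops back onto webmail.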

  • 18Sep
    Categories: U-G-L-Y

    I’m revising my “anti-chick-magnet” list to add this one: A reputation for animal cruelty.  What female is going to date a guy who kills a pet in a fit of drunken jealousy?   Prior to this, my favorite candidate for grossing out a potential date was to have a nice set of compensatory male genitalia hanging from your truck’s trailer hitch, but I definitely feel that the incumbent has been ousted.

    I have high hopes that Mr. Joseph Petcka will find his dating options to be rather sparse after this.   After all, you can take the macho crap off of your truck, but it’s pretty tough to get past the Internet searches that proclaim that you killed a 7lb declawed cat in self-defense…

  • 14Feb
    Categories: U-G-L-Y

    Even as the infrastructure around Information Cards and other user-centric and/or federated identity initiatives grows and matures, other groups & technologies are trying to solve the same problems. Browsers have had password managers forever, for example.

    Browsers, however, do not travel to the service whose passwords you have entrusted to them and actually authenticate in order to farm your accounts for information.

    This service does, however:

    We already have RSS feeds – why not account feeds? These guys figure that if we just give them all of our usernames and passwords for all of our silos, they can give us a one-page dashboard of all of our bank balances, point balances, incoming email, you name it. Well actually, they name it. Because they can take whatever they want out of your account. Best part is: they reserve the right to use that data to market things back to you. But hey – you don’t have to enter your password when you go to any of the aggregated sites…

    I have no problem with the general idea. I know people who would love to see all of their numbers from all of their investments, etc, all in one page, including a handy little “login now” link for the website of each institution. What I do have a MASSIVE problem with, is the underlying technology used to achieve this end.

    The whole site is based on credential management. You give this company complete access to your bank accounts, and they give you a pretty aggregated screen back. They authenticate as you and pull out whatever information they want, with no controls, no visibility into what they are doing while authenticated, and the obvious ability to make programmatic use of your credentials as often as they wish. You give it all to them, completely at the mercy of their ethics, business practices, and technological failsafes. Such a scheme benefits neither side of the transaction.

    To me, this is a perfect illustration of the long-term future of federated identity. You want an aggregated account feed? Authorize a specific service to request a specific amount of information from your account. Want a handy login link? No problem, part of the information you can give the aggregator is your relying party endpoint, and next thing you know, you are asked to directly authenticate to the site in question, in a consistent fashion, using credentials that you trust, and that only you possess. Perhaps you don’t even need to do that – perhaps the aggregation site participates in a ‘circle of trust’ that in fact means you can seamlessly travel to your bank site. Chances are, this won’t happen though — and for very good reasons; because chances are banks may not trust the aggregation site. If they do trust the aggregation site, you can bet there is legal work backing that trust relationship up. What legal work backs up a user who gives their credentials away to a third party? There is no difference in user experience – but a world of difference in risk mitigation, in transactional repudiation, in auditability, heavens, pick any security or privacy buzzword, and it probably applies.

    What do these guys have? They have a beautiful, easy-to-use interface. They solve a problem that many people are eager to have solved. They have some fancy logos in their footer that show they at least get the fact that what they are doing had better damn well be secure. But – in my opinion, they are basing all of this on a foundation that is quickly tilting sideways.

    The whole “give us your account credentials” trend, whether it be for social networking or any other kind of data aggregation, is a serious problem. Allowing such practices to gain a foothold in users’ minds as a valid practice simply because they are starting with “inconsequential” data is a surefire way to make future battles a lot tougher to fight in this area.

    The good news is, this site is yet another validation of what the user-centric identity folks have long said. Silos are bad. People hate them. They want their online lives to improve, and they want improvement now, not in 5 years. The bad news is, if we don’t galvanize our industry into wholesale participation in providing an alternative in the near future, this site serves as an exact answer to where the world will go.

  • 24Dec

    Imagine this little scenario:

    • Your Macbook hard drive fails.
    • You take it to the Apple Store to get fixed.
    • They charge you a fortune for an out-of-warranty repair and then refuse to return your broken hard drive to you – they say it is Apple’s property, not yours.
    • Your original hard drive gets refurbished – and somebody thinks to look at the platters before they zero it for the next person.
    • Next thing you know, your data is for sale on Ebay.

    The first 3 bullets happened to Dave Winer – and he has no control now over whether the last 2 bullets become a reality.

    What I find especially interesting about this story is that this wasn’t even a case where Dave got a free drive through warranty — he actually paid for the new drive, he paid for the computer itself — yet the original drive was not considered his property. How does that work exactly? And how does Apple get away with an opaque policy with no option for redress?

    I sincerely hope that none of Dave’s data shows up in the wrong hands. Apple should hope so too; that is assuming Dave’s story even penetrates Apple’s shiny white corporate iExterior.

  • 04Sep
    Categories: U-G-L-Y

    Who needs birthdays? Instead, I will crown today the day of all days.

    This is the day that my McAfee subscription auto-renews. Not that I want it or use it. I just get billed for it every year.

    Last year, I was surprised to find the cheerful confirmation of auto-renewal (read: my credit card was charged for USD$40) in my inbox, and immediately called in. The helpful staff refunded my money and instructed me how to alter my online account so that I would not be auto renewed again. I still have the ‘confirmation of account change’ email in my inbox.

    Today, I found yet another cheerful confirmation of auto-renewal. I logged back into the McAfee account that I haven’t used for a year to check my account status. It has me listed as signed up for auto-renewal again, and this year I can’t change it myself, I have to get the McAfee customer service folks to change it. Which, of course, I promptly do. After all, I have to get my $$ refunded.

    So, to celebrate this day of days, and to aid me in what I fully expect to be an identical conversation with an equally pleasant and obliging customer service clerk next year, I thought I would capture a screenshot of my account auto-renewal preferences page. Note the empty box at the bottom of the picture.

    Doesn’t it just make you feel so warm and fuzzy to know that somebody out there cares enough to force you to call them once a year? Talk about the gift that just keeps on giving. It brings a tear to my eye, really it does…

    Proof for next year

  • 28Aug
    Categories: U-G-L-Y

    Well – I’m almost at the end of my Vista pre-activation period.

    At this point I get to decide whether I want to continue dual-booting with Apple’s Boot Camp and also access my Vista partition via a VMWare Fusion Virtual Machine.

    If I want to keep on choosing to natively boot and virtually boot, I’ll have to pay for Vista twice.  Even though the same code is running on the same CPU.  And even though I can’t ever possibly use both of my licenses at the same time. 

    I don’t think I can do it.  I don’t mind paying for value,  but I’m not a big fan of paying twice for the same thing.   The small amount of utility & flexibility that comes with being able to choose between a native or virtual boot process is obviously not worth the cost of an entire operating system all over again.  

    Locked down, fenced in, held back.   Enthusiasm dampened, pocketbook closed more out of anger than thrift.  Do they have the right to ask for more money?  Sure.  And they can go right on asking.

    I suppose that this cloud’s silver lining is that I won’t have to remember to hold down the option key every time I start my machine anymore…
