Comments

Davi Ottenheimer • July 23, 2009 12:24 PM

I noted this sentence:

"A security hole in iTunes gave HC access to full credit card information in clear text."

None of the other failures of security were described as holes, but when credit card information is exposed...

They also make a few notes to cloud security, but this has more to do with automation of password reset services than cloud anything.

In small environments the password reset is manual and trust is checked by an administrator, but in high-volume environments automation is introduced with varying degrees of trust checks.

The security holes of hotmail and google are clearly in their automation of resets, which is not a cloud-specific issue.

Shane • July 23, 2009 12:40 PM

Not to be a Devil's advocate or anything, but... Gmail *is* a cloud application.

Had they been using their own internal servers for mail, there would not likely have been an 'automated reset' feature, or web-based security q&a form, albeit they almost certainly would have had other vulnerabilities to deal with.

Just saying, the cloud nods aren't entirely irrelevant here.

kangaroo • July 23, 2009 1:23 PM

And this is why people need to actually use gpg or some such end-point encryption. Such an attack would be massively limited if at some crucial points you had to go beyond passwords into the realm of arbitrary numbers.

noah • July 23, 2009 1:40 PM

Gmail can do password resets by sending you an SMS. If you have a mobile that can receive SMS, delete your secondary email and security question*, then it's the only option.

* Don't remember if you can actually delete the question, but you can always change the answer to something like md5(your_password).

Marc B. • July 23, 2009 1:43 PM

Again a disadvantage of webmail (and IMAP). When we downloaded our e-mails to our own computers, it ensured that no one could search through them without physical access to our computer.

But now that we want to access our mail accounts and archives from everywhere with any mobile or other device, the bad guy only needs to social engineer access to the account and gets our whole mail history and archive presented with it.

Petey B • July 23, 2009 2:33 PM

@noah, I'm stealing that and making all my secret question answers an MD5 of my last name (with a salt).

peri • July 23, 2009 5:27 PM

@ noah, Petey

noah's accounts can be accessed by obtaining password hashes. These are stored hashed in the first place so that if the hash is made public the account is still not compromised.

Petey at least sees a little protection from the salt but a last name adds nothing secret.

Any protection provided by a password evaporates if there is a simpler method to access an account. Any answers to secret questions should be regarded as your other passwords for that account so the same care should be taken when they are created, stored and destroyed.

So I would suggest just using the account's password as the answer to any secret questions. After all, if the site doesn't hash your answers then when a thief gets that data your account is already compromised.

will • July 24, 2009 1:39 AM

regarding cloud

The weakest link is the extent to which normal computer users maintain many accounts and the human need to rationalise on passwords and things to remember between them.

If Twitter was using all internal email servers and such, they would still have fallen in exactly the same way - a Twitter employee used a public, free email server with a secret question.

Go on, propose an alternative to secret questions that'll work for a free email service and'll work with the 99.9% of the population who don't think they're a target...

nEJC • July 24, 2009 2:55 AM

Just wondering...
The attacker actually got away with it because he could change the password (and re-change it) while the user stayed clueless.

How about the system sending a semi-permanent, non-deletable, non-junkmailable mail message saying something like:
"your password was recently changed. if you did it then ignore this message. if you didn't you've been hacked and should ACT NOW"

This message would stay on for about a week. It should be a mail because of remote access from POP or IMAP.

Would this be useful or only a new nuisance?

Anonymous • July 24, 2009 6:33 AM

@nEJC: A semi-permanent, highly visible marking as you suggest would be a step in the right direction. However, a week-long timeout is probably too short. With the amount of information that Hacker Croll had access to, it would be easy enough to figure out when the targeted employee was next going on vacation, or otherwise going to be away from email access for a week or more.

In fact, is it not common in business, when going on vacation or otherwise going to be away from email, to put an auto-response on email saying just that: I'll be out of the office and unable to access email for the next two weeks... etc.

Good idea though, bravo.

Jony • July 24, 2009 9:58 AM

1. Out of office messages disclose valuable information to hackers and other criminals and I suggest avoiding them.

2. Use PasswordSafe to manage your passwords. I don't even know most of them.

3. I guess the time zone difference helped - the hacker did not log on while the account owner was active.

4. When forced to use secret questions, I specify incorrect random answers.
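Both peri's point (a secret-question answer is a second password for the account and should be created, stored and verified like one) and Jony's fourth point (when forced to use secret questions, use random answers kept in a password manager) can be shown in code. The following is an added example, not code from the blog post or from any commenter: it generates a random answer for the user side, and on the server side it normalizes, salts and hashes the answer with a slow KDF and verifies it in constant time. The iteration count and salt length are illustrative choices, not values taken from the thread.

```python
"""Treat secret-question answers like passwords: random, unique, salted and hashed."""
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional, Tuple

# Illustrative parameters (assumptions for this example); a real site tunes them.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def generate_answer(nbytes: int = 16) -> str:
    """User side: produce a random, high-entropy 'answer' to store in a password
    manager. The answer has no relation to the question, so nothing about the
    account holder (surname, pet, school) can be looked up or guessed to recover it.
    """
    return secrets.token_urlsafe(nbytes)


def normalize(answer: str) -> bytes:
    """Canonicalize an answer before hashing so harmless variation in case,
    surrounding whitespace and Unicode form does not lock the legitimate user out.
    Normalization happens before salting, so it does not weaken the stored hash."""
    cleaned = " ".join(answer.split()).casefold()
    return unicodedata.normalize("NFKC", cleaned).encode("utf-8")


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server side: hash an answer with a per-record random salt and a slow KDF,
    exactly as the site should hash the account password. Returns (salt, digest).
    A breach of this table yields no usable answers, which is peri's requirement."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the candidate under the stored salt and compare in
    constant time, so a reset flow leaks no timing information about the answer."""
    _, cand_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(cand_digest, digest)


def enroll_and_check() -> bool:
    """End-to-end: the user enrolls a random answer, the server stores only
    (salt, digest), and a later reset request is checked against it."""
    answer = generate_answer()            # lives in the user's password manager
    salt, digest = hash_answer(answer)    # the only thing the server keeps
    return verify_answer(answer, salt, digest) and not verify_answer("smith", salt, digest)


if __name__ == "__main__":
    print("random answer example:", generate_answer())
    print("enroll/verify round trip ok:", enroll_and_check())
```

The salt defends the stored table against precomputed tables, but it cannot add secrecy to a guessable answer such as a surname; only the randomness of the answer itself does that, which is why the generator and the hasher belong together.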
