Saturday, February 26, 2005

The password debacle

Lately there has been a lot of media attention directed at the recent T-mobile hacks. I find the whole situation quite laughable. Its one thing for the media to go nuts over Paris Hilton's address book being spread far and wide, and over Fred Durst's little home video that he had stored on his account. Thats just how the media works. If there is celebrity dirt out there, they'll be all over it.

But perhaps the funniest part of this whole thing is how little attention is paid to the root of the problem -- the fact that so many online services have horribly flawed password schemes. Its not that its a single part of the password policy that is riddled with holes, its flawed from beginning to end.

Just a little disclaimer. There are many online services out there that do have good password and security policies. However, it just so happens that the most popular and prevalent online services -- phone, bank, utility, etc -- are the ones that are ripe for the picking.

At account creation time, users are asked to select a password. How often do you see suggestions on good password selection? How often do you see warnings about choosing bad passwords and the ramifications of someone being able to guess that password? Rarely. I mean really, who cares if someone can guess the password to my sidekick?

To make that worse, oftentimes these services have unnecessarily restrictive password requirements. I'm sure many people reading this are thinking "hey, thats a good thing!". Well, the problem here is that they are restrictive in the wrong direction. Here are some restrictions that I've seen:

  • Passwords must be of a fixed length
  • Passwords cannot be longer than, say, 6 characters
  • Passwords must only use letters or numbers. No punctuation or other characters!
  • Passwords must only use numbers

And what if you forget your password? Hell, I actually "forget" all the time. Thats usually because when I sign up for some random online service, I often pick a password that I'll never, ever remember -- `head -n 100 /dev/urandom | strings` and then pick one that is of sufficient length, or something similar. Of course, that only works if the particular service allows me to pick a password that is actually secure, which is unfortunately quite rare. So you forgot your password? Now what? Fortunately, the nice folks at your online service have given you a way to change your password. All you need to do is know the name of your first pet or the name of your favorite sports team and you can retrieve or change your password. Come on, guys. In the age of Google, information such as that might as well be public knowledge.

This whole thing just blows my mind. I can't see how any organization could ever get away with such lax security policies. Policies like these would never fly in any organization worth its salt. It really, really makes me want to pay a personal visit to the CISO of all guilty companies and see what kinda drugs they are on.

Its sad that things have come to this, but part of it is likely due to the fact that the general public has no idea that these policies are riddled with holes and pose a huge risk to their personal and financial well-being.

To hopefully educate someone, here is a little sample of how bad things are right now. The other day on trash day, I found a tri-folded piece of paper in the street. Trash on the street isn't that uncommon and I normally don't go picking it up, but this one had Bank of America's logo on it. So out of curiosity, I picked it up. To my surprise, it was the letter that you get from BoA when you get a new card. It had someone's name on it which immediately freaked me out because I'm the type of person you'll find at odd hours of the day cross-shredding any pieces of mail that even something as simple as my name on them. Some call it OCD but I call it a piece of mind. Anyway, when I took a further look at the paper I saw something familiar. Once again, the bank card number had been imprinted on the paper it had been shipped in:

And with the card security code also imprinted:

And, the irony of it all. They proudly state on the letter that they only include the last 4 digits of your card number "For your protection". Gee, thanks.

I sent email to the security and customer service departments of Sovereign Bank, Citizens Bank and Bank of America because they all seem to suffer from the same problem. I received no response from Sovereign. Citizens actually responded and they said they'll be forwarding my mail to the responsible parties. Bank of America, however, gave me a totally canned and pathetic response:

Date: Thu, 03 Feb 2005 05:32:44 -0800 (PST)
From: Privacy Security 
Subject: Re:  Information Security  (KMM19798778I30L0KM)
To: Jon Hart
X-Mailer: KANA Response 7.6.0.17.4
Dear Jon Hart,
Thank you for your e-mail. I apologize for any inconvenience you have
experienced.
Thank you for your e-mail regarding our privacy policy.
Below is information to assist with your inquiry.
Protecting your privacy, along with your financial assets, is at the
core of our business.  You have chosen to do business with us, and we
recognize our obligation to keep the information you provide to us
secure and confidential.
Our commitment to protect your financial information will continue under
the principles and online guidelines described below.
Keeping your financial information secure is one of our most important
responsibilities.  We value your trust and handle your information with
care.  Our employees access information about you when needed to
maintain your accounts or otherwise meet your needs.  We may also access
information about you when considering a request from you for additional
services or when exercising our rights under any agreement with you.
We safeguard information according to established security standards and
procedures, and we continually assess new technology for protecting
information. Our employees are trained to understand and comply with
these information principles.
You can count on us to keep you informed about how we protect your
privacy and limit the sharing of information you provide to us - whether
it's at a banking center, over the phone or through the Internet.
Please note that since we cannot control information on other Internet
sites, we are not responsible for the content of sites linked from
http://www.bankofamerica.com.
We appreciate the opportunity to assist you online.  Should you have any
further inquiries, please e-mail us again.
Sincerely,
Charles Duecy, Bank of America

It is quite sad that someone who is supposedly responsible for the security of Bank of America didn't even take the time to read my email. Instead, he or his email app automatically saw the word "security" or "privacy" in email and drummed up this canned response. Not surprising -- look at the X-Mailer header! "KANA Response", aka canned response. Unbelievable.

Ok, so big deal. You get your new card and toss out the letter. It has your account number faintly imprinted on the paper. What will that get someone? It could potentially be used to make unauthorized purchases, but then again maybe not. What if I, as an attacker, want to view your account, transfer some funds around and have some fun. Hah, says Bank of America -- "We are committed to protect your financial information". Bzzzt. Wrong. Your online service uses my account number and PIN to authenticate me. In this case, the PIN is just digits. I can crack all passwords from length 4-12 digits in less than an hour. Congrats. Your information security policy just toppled. What say you now?

*sigh*

Friday, February 11, 2005

Ununemployment

Monday night I finally spill my guts about my lack of a job, Tuesday morning I have an interview, an offer later that afternoon and I accepted the job Wednesday morning. I wonder if its the lack of blogging about Black Dragon that has kept me from getting a job all this time...

So yeah. I now have a job. Its a contract position at another "start-up", but the environment seems promising and looks like I'll be able to not only learn quite a bit, but sharpen many of my existing skills. I start next week.

Yesterday I attended a computer security oriented lecture series at Northeastern. I had gotten an invite in the mail a month or so back. Apparently all Alumni and factulty get them. Its free to attend, there was a free breakfast and the talks at least seemed interesting at first glance. To be honest I wasn't expecting much. During my time there, there were almost no security related courses or studies being done in the CS program. In fact, the only real movement in the security space at Northeastern was Crew, a group I was very much active in and continues to do cool stuff to this day. I left the lecture series with a new found respect for the CS program. Some of the newer professors that they've brought on board are actually doing security related research that has real-world impact and isn't 3 years behind the non-academic arena.

One of the things I've been toying with for over a year with is running OpenBSD on an embedded device. I've got a Soekris NET4511 and it had been serving as the wireless access point for our house for some time. Every once in a while I'd rebuild it to upgrade to the latest release. The downside to this particular setup is that it uses compact flash cards as its hard disk. While cheap, small and quiet, I've actually had less than stellar luck with them. I had a 1G IBM microdrive, while not exactly a CF card, it still worked fine for many months and then started to croak. Then I replaced that with a considerably older 128M CF card. That lasted for, oh, 2 months at best and then it too died. So the other day I went to CompUSA and picked up a 1G CF card. Now prior to this card I had been using stripped down versions of OpenBSD to make the machine run a bit faster and to deal with space requirements. I started to do the same thing with this new card and then realized there was no point -- I can cram a fully functional OpenBSD environment into much less space without sacrificing certain binaries. I've got some more tweaking to do, mostly to minimize writing to the disk which is one of the things that'll kill a CF card quickest.

Wednesday, February 2, 2005

Work is no more

Its been quite a while since I last wrote anything. As usual, a lot has happened. Unfortunately I don't really have the initiative or the brain capacity to write about all of it.

You are in luck, though. I've managed to muster enough energy to write about one particular incident thats been on my mind almost constantly.

It was noon on December 31, 2004. I had just woken up and was gonna take care of some personal things on my paid day off before hitting the town for a New Year's celebration. I checked my work email to see if anything important was going on. The only mail in my inbox was this:


To: "All Black Dragon" 
Subject: [Bd-all] On behalf of David Smith
Date: Fri, 31 Dec 2004 12:06:38 -0500
X-Mailer: Microsoft Outlook, Build 10.0.3416
Please be advised that the governing members of Black Dragon LLC have
decided to cease operations as of this date.   Therefore, your
employment by Black Dragon LLC is terminated as of this date.  Some
personnel may be kept on for a specified period for the purposes of
winding down the company.  Any further information will be provided in
the appropriate forum in the foreseeable future.

Yeah, you read that right. The company closed New Year's eve with no notice whatsoever. Black Dragon Software LLC, often referred to as Black Dragon, BDS or previously "Carmichael Employee Leasing" had shut its doors.

Sure it was a startup and we all knew that this could've happened at any time, but it still sucks. Suddenly having no income in the peak spending season is difficult to say the least.

Want to know what makes things even worse? Not getting paid for the prior two weeks of work, unused vacation time, no severance pay, and no notice. Hell, the final two weeks of December, I took <>

It took quite a while for me to come to grips with the situation. New Years I spent most of my time staring blankly, wondering WTF. But honestly, I didn't have time to let it really get to me. After all, the upcoming week was the first in a new quarter, and hiring may be especially active. So I wasted no time, got my resume updated and started the job search.

Its now February and I still don't have a job despite the market actually being fairly active in the security arena.

All in all, though, I'm almost thankful for this unfortunate event. To be honest, collecting unemployment and being able to sit at home and do whatever I want is kinda nice. Although I really enjoyed my job, it was getting to be a bit stressful and I was spending too much time doing work related things and too little time elsewhere. I wouldn't call this a vacation but more of a time-out.

Thats it. I've actually got considerably more to say, but you need to get a beer or two in me and I'll let you know the real deal. Don't get me wrong -- I'd love to sit here and rip a certain someone a new one but what would that get me? It'd be easy, too. I busted my ass, made personal sacrifices and bent over backwards all for the success of the company. And you know what? My hard work did have a significant impact on things. Hell, if the rumor that Black Dragon Software got bought is true (and I believe it is), then I feel so completely betrayed. Instead of a "Thanks, Jon", I get an impersonal email on my day off announcing the closing of the company, and not even the common and professional courtesy to respond to my emails and repeated phone calls looking for answers.