Security consultants using free email?
Seriously, why is a security consultant using a free email service to send and/or store potentially private documents? Not exactly someone I would like to consult regarding my security.
On Sunday morning, security consultant Alan Shimel woke to discover that his personal blog, which is frequented by countless peers and reporters, was pointing to a website featuring explicit gay porn. Equally disturbing, he found someone had cracked open his Yahoo! Mail account and aired sensitive documents he filed with the …
Perhaps now these "security" people will pay more attention to what they do in day-to-day life, rather than just telling others what they should do? I mean, come on, using gmail if you're at all interested in security? They deserved to be cracked just for that. People in a field should apply what they know, or risk being caught out.
What's interesting is that these security researchers are putting their trust in 3rd parties to protect the stored information. This breaks the possession/control attribute of the Parkerian Hexad of security, one of the foundations of security.
For example, the Google privacy policy doesn't lay out any guarantees that data is protected from a hacker.
I intuitively guess that most readers here rely on 3rd parties to provide some layer of security every day (insert names of OS vendor & web browser here).
Do any privacy policies explicitly guarantee complete protection against hackers?
It's doubtful any firm would make such a bold claim; security can be compromised in many ways, some methods even circumventing what's in your direct control.
Whatever works now can never be guaranteed future-proof. Just look at the *KNOWN* lists of many high-profile companies, .gov sites, ISPs, banking, IM & e-mail systems that have been caught with their pants down in some way or another.
There's no hope, be afraid of the future, back to pen & paper everybody! Ahem, were *my* pants down when I started?
<blushingly pulls 'em up and wonders if a pants down icon is suitable for the reg>
"...Schimel admits the administrative password for his blog .. was also used to unlock his Yahoo Mail account..."
He was not even smart enough to use a different password for each authentication point. Proves that the IT security sector is filled with clowns who cannot follow the most basic tenets of security.
It's not that these security researchers placed trust in a third party; ultimately you'd have to, I mean, at some point your data hits your ISP. But that is not the point. These researchers placed *unnecessary* trust in a third party. For something like email, nonetheless. Since it is these guys' jobs to know how to securely configure various kinds of server more securely than the average company (i.e. Google), you would think they'd have their own domain, firewall, routers, etc. That they would have a DMZ, layered security, separate email and web servers, and that they would configure these servers to their own demanding specifications that they tell other people to follow.
Nothing... They are capable in their own field, which is finding flaws and finding ways to work around them etc... In general security... They can recommend best practices etc... But I doubt a lot of them would be able to run secure no-relay SMTP servers, IMAP/POP3 servers and web servers and keep on top of it all.
I'm not saying that they couldn't do this if they set their minds to it; it's not that hard, but it's a different area than looking through code, trying to crack passwords, trying to work around security issues. I'm a sysadmin by trade and a bit of a paranoid one at that, so I do go to the extra trouble of trying to work around any more obvious security issues, but this doesn't involve delving into code or trying to crack passwords.
Security is a process, not a state. A lapse in such a process can be harmless or devastating.
The best way to approach security is to be aware of the entire process from start to end and any flaws that are in between. If you are aware, you can expect it.
So yes, most security researchers/consultants will only advise people on what a best practice is; the sysadmins and others more knowledgeable in the field of implementation will actually have to update their processes.
When professional card players play each other they shuffle the cards by spreading them face down on a table and stirring them about, as it is possible to cheat using other shuffles. So, buy a pack of cards, write the available characters on them, stir, stack, read 'em (don't weep), and there is your password.
Not very technological but BOFH and PFY approved for their own use. Paris, because she told me about this.
John Edwards
Guys, all of this sounds so funny. It's easy to blame the PROs, but none of you actually talk about the real bad guys in the story. I am not in the security business myself, but for me it is pretty normal that people have more than one email account. It will be a waste of time if you try to administrate them all. I understand if there is a leakage of corporate information and your clients are in great danger, but to judge someone's professionalism because his subscription mailbox is not safe enough is just insane.
Dave Hall pointed out that using an email service violated the possession/control principle. The thing is, this doesn't necessarily imply a bad security decision. Rarely is there perfect security, and even if the researcher were to have managed his own mail server, he likely would be sacrificing on the Availability and possibly even the Utility of his mail solution. It'd be rare for any individual to be able to fund the redundancy and bandwidth required to withstand a concerted DoS effort against a botnet's attack against infrastructural elements of a home network (or even a small consulting business). By insisting on a 'do-it-yourself' mentality for things like mail, you could expose more surface area for attack.
Also, frankly, gmail (along with gcalendar and other g-goodies) is a lot more *useful* than most mail-only solutions out there. The trade-off between utility and security isn't always a cut-and-dried question.
The article seemed to imply that Cross Site Scripting (XSS) attacks generally only provide a single transaction vector for attack. It's surprising that The Register would make this mistake, as the canonical example of an XSS attack is to demonstrate the mapping of the DOM element 'document.cookies' into a web request to an attacker's website. This attack provides an attacker all the session credentials needed to log in to a web application without requiring a password (and thus allowing full access to all archived mail). I'm not saying this is what was done in this case, but to dismiss this vector as impractical would be a mistake.
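The defensive side of the cookie-exfiltration vector described in that comment, as an added example (not from the article or any commenter): a session cookie set with the HttpOnly attribute is never returned by `document.cookie`, so script injected via XSS cannot read it and send it elsewhere. The code builds a hardened Set-Cookie value, audits existing headers for the missing attributes, and models what page script would see. All Set-Cookie values and the cookie name `SID` are constructed sample data. HttpOnly narrows the impact but does not remove it: same-origin script can still issue requests that carry the cookie, which is exactly the "single transaction" the article allowed for.

```javascript
// Added example, not from the article or the comment above. It models the
// defensive side of the document.cookie exfiltration vector: a session cookie
// set with HttpOnly is never returned by document.cookie, so injected script
// cannot read it. The Set-Cookie values below are constructed sample data.

// Build a hardened Set-Cookie header value for a session cookie.
function buildSessionCookie(name, value, { maxAge = 3600, sameSite = 'Lax' } = {}) {
  // RFC 6265 token characters for the name; reject separators in the value
  // so an attacker-influenced value cannot smuggle extra attributes.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('invalid cookie value');
  return `${name}=${value}; Max-Age=${maxAge}; Path=/; Secure; HttpOnly; SameSite=${sameSite}`;
}

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Report which hardening attributes the named session cookie lacks.
function auditSessionCookie(headers, sessionName) {
  const cookie = headers.map(parseSetCookie).find(c => c.name === sessionName);
  if (!cookie) return [`no Set-Cookie header for ${sessionName}`];
  const findings = [];
  if (!cookie.attrs.httponly) findings.push('missing HttpOnly: readable through document.cookie');
  if (!cookie.attrs.secure) findings.push('missing Secure: may be sent over plaintext HTTP');
  const sameSite = String(cookie.attrs.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') findings.push('SameSite not Lax or Strict');
  return findings;
}

// What document.cookie would expose to page script for these Set-Cookie
// headers: browsers omit HttpOnly cookies from that string.
function visibleToScript(headers) {
  return headers
    .map(parseSetCookie)
    .filter(c => !c.attrs.httponly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample: a weak session cookie next to a hardened one.
const WEAK_SESSION = 'SID=abc123; Path=/';
const HARDENED_SESSION = buildSessionCookie('SID', 'abc123');
const THEME_COOKIE = 'theme=dark; Path=/';

console.log('weak findings:', auditSessionCookie([WEAK_SESSION, THEME_COOKIE], 'SID'));
console.log('weak, visible to script:', visibleToScript([WEAK_SESSION, THEME_COOKIE]));
console.log('hardened findings:', auditSessionCookie([HARDENED_SESSION, THEME_COOKIE], 'SID'));
console.log('hardened, visible to script:', visibleToScript([HARDENED_SESSION, THEME_COOKIE]));
```

Run with `node`; the weak cookie produces three findings and shows up in the script-visible string, the hardened one produces none and is invisible to script while the harmless `theme` cookie remains readable.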
"Schimel said his scrape with the attackers was a wake-up call for him to follow security best practices, including the use of different passwords for each online account."
The fact that he wasn't doing so already, and seems to have been tripped up by a sKript k1ddie exploit and/or by using ware that is well known to be vulnerable speaks volumes about his professionalism.
Reputation deservedly smeared, I can't help but think. But then, I'm not very nice.
wow :) now I am really scared :) this could happen to everyone, even the best ones in the field. Even if you are too paranoid about these issues, you can still get hacked. It's not about any security protection, it's about targeting and determination. Everything is vulnerable nowadays. Damn!
P.S. Sorry for my English.
In passing ...
<script type="text/javascript">
// uppercase+lowercase+integers (62 characters)
var passchars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".split("");
var passwd = "";
// modify 10 if you want a longer/shorter password
for (var i = 0; i < 10; i++) {
  // index over passchars.length instead of a hard-coded 62, so adding symbols
  // to the array needs no other change (Math.random() is not a cryptographic RNG)
  var newrand = Math.floor(Math.random() * passchars.length);
  passwd += passchars[newrand];
}
document.write(passwd);
</script>
I know Javascript doesn't have a truly random number generator, but if you want pretty-darn random password characters, this'll do it. I keep it as "passgen.html" on my desktop, and any time I need a new one, I open it in my browser and, voila ... 10-char password.
Hi William. You are quite right. Security is a risk assessment. Suffering a DoS is likely a lot less damaging than having information stolen though. The DoS will end but stolen information is gone forever.
I use alpine to read my mail and the only way to my MTA is to authenticate ssh using RSA keys. The box is locked behind a firewall too. Yes I could suffer a loss of availability or utility but I have assessed the risk and determined that it is a good trade-off.
I'm a sysadmin who takes a lot of notice of security (as all sysadmins should, imho) and I was really surprised to see these security researchers making such basic mistakes.
Dan, you say, "Still others guess that the miscreants gained entry through the victims' blogs, which typically used blogging software from TypePad and WordPress. Those programs have routinely been found to contain gaping security holes."
This is false, and you should know better. The results from the Pwnie awards to the IBM X-Force report to the U.S. Department of Homeland Security's reports all list WordPress among the least secure applications of any kind, not just web apps. TypePad is nowhere to be found on those lists, because it's consistently been extremely secure and reliable for our users.