Identity Theft and Social Networks 190
scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"
Slashdot doesn't use SSL to login (Score:2, Interesting)
shame really (Score:1, Informative)
as they have a SSL certificate [slashdot.org], they just 302 you instead of processing the login then 302 you
but i guess programmers know best right ?
As a CISSP... (Score:5, Insightful)
It is certainly less expensive than having your site hacked and/or having users leave when people post their private thoughts publicly!
Re:As a CISSP... (Score:5, Interesting)
Now, I'll tell you how it works in the real world. Most of these social network sites are designed small. Some odd project that happens to catch on and spiral out from there. Most sites start out small and then explode. This isn't giant corporations with lots of employees. Hell, most of them aren't even start ups. They are guys in basements who had an idea for a site, it took off. Through donations and subscriptions they gains size and scaled their programs up. Now they need to worry about things like SSL and site performance, and it's too late.
It should have been done from the ground up, but it wasn't. Things like SSL and good tight security don't get built in when you never intend for projects to get as big as it does.
Look at a site like Livejournal. It started small, and now it's taken off to being incredibly popular. They had a small team working on the site who had to decide what stuff needed to be done. Once the site got large, you have to go, "well, the site is running slow as it is, do we set up some more databases, work on memcache, or impliment SSL which will bog down performance even more." Obviously in order to stay in business they had to improve the site performance and struggle to keep good service up. It's easy to let security go slack.
It's even easier to sit back and scoff, "you should have done it in the beginning".
Re:As a CISSP... (Score:1, Interesting)
Re:As a CISSP... (Score:1)
The problem is that SSL (as usually practiced on the web...ie server-side certificates but no user-side ones) is in no sense whatsoever a solution to the security problems that these sites potentially face. Web-style SSL is a fair-to-middlin' solution to the nonexistent problem of man-in-the-middle sniffing of
Re:As a CISSP... (Score:5, Insightful)
I wasn't scoffing.
Secondly, it is easy to let security go slack. And that is my point. I have seen way too many places do just that. Everyone starts small. But how many people plan to stay that way?
How hard is it to use two commands to generate a CSR? If you don't know how to do it, Google for it. GeoTrust has step-by-step instructions, as it's in their interest. Don't know how to run Apache securely? Pay a consultant, or ask a knowledgeable friend. By posting to craigslist or slashdot, they could have found someone willing to trade services for potential profit sharing or even a free account for life.
I'm not saying that things like memcache or the databases aren't important, and shouldn't have been prioritised. But they ignored security, and their customers have already payed the price in some instances. There comes a point where the diminishing returns of working on everything *but* security will start to directly affect everything else, and that is what has happened here.
Re:As a CISSP... (Score:2)
The companies obviously got bad press. And the article states that at least one customer had his account hacked into, and those entries he kept private were posted publicly, embarassing both him and his friends.
All it takes is for that to happen to someone who has a good lawyer as a relative, and all of a sudden lack of security translates into legal expenses.
Re:As a CISSP... (Score:1)
web-hosting is THE solution (Score:2)
It's never late. Getting working site under SSL is 2 hours to 2 days work. I did it few times and never had any serious performance problems.
And if performance is still a problem, isn't reasonable to consider a web-hosting? If application is done one anything that a web-hosting company can run (Perl, Java, ASP, even Zope) then both performance and SSL are even less problem - most of hosting companies provide SSL and hav
Re:As a CISSP... (Score:2)
It's just common sense (Score:5, Funny)
Oh, wait...
Re:It's just common sense (Score:2)
what a bunch of idiots... (Score:5, Insightful)
Rule 1:
If you want to keep something confidential, don't post it on a free website.
If they aren't using SSL, they are basically saying they don't value privacy the way you value your privacy."
Duh. Unless you use encryption, almost anything you send on the internet can be intercepted. Conduct yourself accordingly.
Even with SSL (Score:4, Interesting)
to MiTM attacks - we saw this with M$ Passport, hotmail
etc. The only solution to these problems, is
for people (ie the average user of
that anything they transmit over the net is sniffable
with a little effort.
In a dorm or corporate lan environment, all it takes
is one trojaned laptop running a sniffer, and all
you CC numbers are belong to us.
GNAA!
Re:Even with SSL (Score:5, Insightful)
Re:Even with SSL (Score:5, Informative)
A trojaned laptop running a sniffer is not a man-in-the-middle (MiTM) attack. SSL is safe against sniffers. For MiTM, you need to compromise a router/switch. Or else compromise a proxy that the network requires you to use for external web-access.
Re:Even with SSL (Score:2, Insightful)
SSL/TLS is not vulnerable to MiTM when configured properly and used properly.
The main cause why MiTM on SSL can happen in the wild is that most browsers allow you to override SSL-warnings and establish a connection even tho the identify of the other end can't be guaranteed.
Whenever your browser presents you with a warning message (whatever it is) regarding the SSL-connection that it is about to establish then make sure to realize that you could as well switch back to plain ht
Re:Even with SSL (Score:3, Insightful)
I do realize this is /. but this is just bullshit. SSL/TLS is not vulnerable to man in the middle attacks as long as the trust chain is not violated.
Are there many people out there that do not understand that just clicking Yes when they're presented with a warning will expose them to all kinds of malicious attacks from some random web site? Yes, sure.
But any security system is only going to hold up if the people using it understand
eCommerce Failure (Score:5, Interesting)
All the more reason to allow "anonymous", one-time use of purchased credits.
Like phone cards - pay cash and use it online as you wish without easy tracking.
Believe it or not, there are a lot of people online that don't have credit cards but would like to buy stuff over the internet (or people that *have* credit cards but are afraid to expose their information.
Yeah, some people are going to bring up the "you are only liable for fifty bucks, anyway" issue.
disposable CC numbers (Score:3, Informative)
You log on to their web site with your account info and gener... Oh, wait...
Re:eCommerce Failure (Score:3, Interesting)
I have an account which has very little money that I use just for online transactions and at clubs.
Usually, my online purchases don't exceed $100, so I just pay using that account. And when there is a need for me to pay more than that amount, I just transfer the amount to my checking account.
Not exactly very convenient, but it works just fine for me. And it sure as hell is safe.
Re:eCommerce Failure (Score:2)
That's a good idea, but it lacks marketing impact.
The poor typically don't have multiple bank accounts.
Re:eCommerce Failure (Score:2)
In fact, there are a lot of banks that support small businesses and have no minimum balance requirements (Wachovia [wachovia.com], for one) for checking accounts. And there is almost no fee for maintaining the accounts, either.
I know that its not a "cool" idea but the point is that its simple and it works! I think once people are convinced of the after-effects of identity thefts, it would not be too hard.
Its almost like having multiple slashdot ids
Re:eCommerce Failure (Score:5, Interesting)
Re:eCommerce Failure (Score:3, Informative)
How stupid.
With a check card, your have all the liability while with the credit card its with the bank (-$50 in both cases according to the law but set at $0 by the CC compaines)
If I take $10,000 out of your account and the bank finds you at fault even if you never had more than $100 in the account, they will take all of your next paycheck. With a CC, your stuck with a bad credit report. Don't consider the best case for fraud, always consider the worst case when weighing your options.
Re:eCommerce Failure (Score:1)
Re:eCommerce Failure (Score:2)
In my experience (mostly secondhand), disputing the transactions is ridiculously easy (provided you have a good credit rating and history of paying on time)... the credit card company just eats the charges and goes on its merry way, and doesn't even make a significant effort to find the perps.
This is not especially comforting, being that if this is happening with any sort of frequency, you know the company's not going to say, "Well, we'll just
it's always been this way (Score:2, Informative)
It's an interesting proposition (Score:5, Interesting)
But without such security, you have a "tragedy of the commons" type effect where the greedy among us abuse the good nature of others, again, reducing the value of the network.
Seems like a rather immutable Catch-22 to me...
Define "user" (Score:4, Interesting)
Generally speaking, I wonder how the numbers of people who would refuse to use a given network because it is inconveniently secure compare to the numbers of people who would start using it if was no longer inconveniently insecure?
Re:Define "user" (Score:2)
Re:Define "user" (Score:2)
Re:It's an interesting proposition (Score:2, Insightful)
You could build a wall around the house I suppose, which again is a pain for you, not to mention expensive, and doesn't slow me down all that much really, but it makes me nice and invisible from the street once I get in. So now you have to add all the e
Re:It's an interesting proposition (Score:2)
The admins thought that registering is too much of a pain so it stays open. The problem that didn't register with their little minds was that if a user weren't going to spend the ti
it'll go on like this until somebody pays dear... (Score:4, Insightful)
It seems that in most things related to security, and not only virtual security, people don't start taking measures until something bad happens and they are made to pay for it...
What do we expect anyway, common sense is the less common of senses..
The question is the wrong one (Score:2, Interesting)
The problem here is how to create personaly security on the Internet. When you're in the mall, gals keep their bags so the flap is on the inside. Guys don
I had to hack phpbb and get an SSL cert... (Score:3, Informative)
Re:I had to hack phpbb and get an SSL cert... (Score:1)
Re:I had to hack phpbb and get an SSL cert... (Score:3, Informative)
They claim that they do, but I tried one (a two-month demo cert), and immediately ran into users that couldn't use the cert. I have a lot of users with really old computers. Sigh.
Re:I had to hack phpbb and get an SSL cert... (Score:2, Informative)
Re:I had to hack phpbb and get an SSL cert... (Score:2)
Article Slant (Score:5, Informative)
The reporter who talked to me obviously wanted a fun slant for her article: "Look at all this insecure crap out there!"
Things we talked about that she decided to ignore in her article:
-- we've been working on challenge/response logins in JavaScript so passwords don't go in the clear. it's like Digest auth but in JS instead. We had this working when we talked to her, and since then it's gone into final user testing on our public test site. it'll probably go live this weekend. (I remember when I talked to her I compared it to HTTP Digest Auth and I had to explain what Digest auth was to her..... this is a _security_ reporter?)
-- we never said SSL wasn't important or security wasn't a priority. we told her it HAS BEEN a priority, but performance stuff keeps getting in the way. in fact, we have SSL stuff working and it's going live at the same time as the challenge/response logins. we just told her that it's hard to do right when you have a shitload of servers.
-- we let users bind their login session to their IP, so damage from cookie theft over non-SSL is mitigated
-- we don't let users do any major action (like, oh, change the account's password) without the original password.
-- we have no many anti-hijacking measures in place to let owners of accounts restore their stolen accounts. and you know what? it's not because of SSL... it's because of people just people plain dumb/trusting/gullible. SSL isn't a magic security wand.
Anyway, please recognize an article on a security site wants a "security's terrible!" slant. Who wants to read an article saying, "Yup, security's pretty good and improving." The security situation isn't as grim as it's made out to be.
Re:Article Slant (Score:4, Informative)
- LJ gains some exposure from this
- real security folks reading over this most likely won't feel livejournal is that far behind. Half of the complains in the articles are generic (phishing, impact of social networks on an account compromise), and the other half is mild (there might be XSS there, just like anywhere else), or unreasonable (what? you're sending session cookies over a non-SSL connection? how dare you!)
Brad, I'd suggest you post a copy of your reply at this url:
http://securityfocus.com/cgi-bin/sfonline/f
SecurityFocus happens to have a fairly visible forum system, you might as well use it.
Re:Article Slant (Score:3, Interesting)
Ha ha, only serious. But your profile is blank, and I can't see your PGP key - which might be construed as ironic under the circumstances
Re:Article Slant (Score:1)
Re:Article Slant (Score:2)
I just have to comment on this. Many people have Javascript sw
Re:Article Slant (Score:3, Interesting)
This little site [yahoo.com] happens to implement exactly the kind of javascript digest challenge/response he's talking about.
This sends a non-replayable authentication token over the wire from which the password cannot be derived.
You can certainly "mutate" the script to send your password in the clear, but an even better attack would be to write your password in big letters on a web page, and post the URL here.
I'm looking forward to hearing more of your brilliant scheme to let the world know
Re:Article Slant (Score:2)
Now, it is true such a system could be vulnerable to an active man in the middle attack, but the very same applies for SSL, as ettercap [sourceforge.net] has shown.
Active man in the middle attacks are darn hard to prevent, and SSL alone is not sufficient to do it.
Re:Article Slant (Score:2)
I'm also fairly sure the recent %01 bug in IE could be used advantageously to cheaply pretend to be someone else's SSL server. The URL will look ok, the little lock will be closed, and no warning popup will show up. That's good enough for 99.9% of users.
I remember a time when web spoofing was just a theorical attack [princeton.edu].
Anyway, if you re-read brad's post, his home grown SSL replacement wil
SSL vs javascript (Score:3, Insightful)
Funny, both those documents said the user's client would display a big red warning saying: "HEY DUMBASS, THERE IS SOMETHING WRONG WITH THE SERVER'S KEY." It isn't the protocol's problem if the user doesn't understand basic security and will ignore warnings.
eBay's lack of SSL (Score:4, Insightful)
This kind of defeats the purpose of using SSL. Once it's sent in plaintext, it's not secure.
University requirements (Score:5, Interesting)
Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.
Fine. Except for the fact that after signing up, they immediately e-mail me my password in plaintext. There's no SSL whatsoever on the site, and no way whatsoever to change my password.
After e-mailing the company involved, I was simply informed that the site will not be changed. I complained to both the professor and the University. Apparently no one pays attention to this, or they just don't care enough to do something about it. What else can I do? (besides leave the University, obviously)
Re:University requirements (Score:3, Interesting)
Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.
Fine. Except for the fact that after signing up, they immediately e-mail me my pas
Re:University requirements (Score:1, Interesting)
Get an article in the college's paper (I assume you have one there?) complaining about this and explaining how someone could hijack this system.
Be sure, however, that the article does not use your name. The only problem with this would be if you complained to them in a non-anonymous manner. The sad thing is that whenever you do whistle-blowing like this, you NEED to be anonymous. I did my best to follow my own advice when reporting vulnerabilities to the staff of my college and, thankfully
Re:University requirements (Score:1)
Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.
Well, -you- are trying to prevent others from obtaining it while they might not be. If something does happen, point fingers. You kept up your end, and mentioning their problem then might help. And my guess is you'll have an advantage legally?FUD (Score:4, Interesting)
Oh well... Bruce Schneier's old but well written doc always comes to mind when thinking of this topic: "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier
Computer security has been victim of the "year of the..." syndrome. First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public-key infrastructure (PKI). "If you only buy X," the sales pitch goes, "then you will be secure." But reality is never that simple, and that is especially true with PKI. (source [schneier.com])
Most people like fast content and often overlook security. Hell eBay out of all sites, billions in transactions, and SSL is an option! How sickening is that.
It's not stealing (Score:2)
Ben
Re:It's not stealing (Score:1, Interesting)
I think it's quite unique because the 'victim' can actually play no role whatsoever in the crime.
The person being attacked is the idiot whos beleif (security) is so slack that s/he takes an impersonator to be you. If you lose money as a result of this your real beef should be with that person who failed to apply proper scrutiny.
Thats one way of
YourReputation.com (Score:1)
Create your own community site (Score:1)
In addition you set the policy and shouldn't let anyone else in, so your posts can't be leaked. (Though you should be prepared for it, as anything that is on an internet-connected device has to be considered in-danger)
In addition I'm still not sure why people and businesses still use _unsigned_ and _unencrypt
Not Much Different From Real Life (Score:1)
Online or offline, there's always a trade-off between convenience and security and these sites are no exception. SSL tends to be slower because it requires more round trips between the server and client, much more processing power, etc and sites know that performance affects their popularity.
The rule of thumb should be: get info
For the record... (Score:2, Informative)
Jean-Luc Vaillant, VP Engineering, LinkedIn
Re:How often they get caught (Score:2)
Re:How often they get caught (Score:5, Funny)
Re:How often they get caught (Score:3, Interesting)
Re:How often they get caught (Score:1, Insightful)
What's the point? I mean, if they've only got a 1 in 7,000 chance of getting caught, then how good is any deterent going to be?
Rather than concentrate on more and more extreme punishments, maybe we should concentrate our resources on more and more effective ways of catching fraudsters? Y'think?
Apparently I have to wait another couple of minutes before posting this, so on another subject: why oh why oh why are CD players so big? I mean, with the latest
Re:How often they get caught (Score:1)
Re:How often they get caught (Score:3, Interesting)
damn.. i love sweden. everyone has an identity card; no photo = no identity card. you cannot do anything without your identity card; everything is based around your personal number (like social security id), but, if you want to do anything serious/transaction/bank stuff/use credit card - you have to flash that lovely little bit of plastic.
no problems with identity theft here. oh well.
Re:How often they get caught (Score:1, Interesting)
Re:How often they get caught (Score:1)
Re:How often they get caught (Score:1)
Re:How often they get caught (Score:2)
The same happens with most laws. The laws the politician creates in the meantime are either of no real significance or to boost personal interests.
Re:How often they get caught (Score:1)
Re:lazy (Score:4, Insightful)
And your alturnative idea is... (Score:2, Insightful)
On the other hand, I tend to think people who live through their on-line journal / blog need to find a real life.
Re:lazy (Score:1, Funny)
poeple arenot geeting lazy! their just..aw fuck it.
Re:Something's wrong here (Score:1, Funny)
COPIED POST (Score:2, Informative)
Happened to someone else? (Score:1)
Re:Happened to someone else? (Score:1, Informative)
Re:Happened to someone else? (Score:2, Informative)
The posting-bots are only half of it. I'm sure that they keep a large enough stable of minimum use puppet IDs such that some of them always have mod points. (Remember the BBS program Pyroto Mountain? Slashdot reminds me of that sometimes.)
The other day, I noticed a new article had over 50 posts, and all but 10 had been modded down to -1. This must be a real pain for the slashdot crew.
Re:Well, duh. (Score:1, Funny)
2. "Make me your friend; my fans get +1 comment scores."
?
Re:Well, duh. (Score:5, Insightful)
social networks = valuable private data (Score:5, Insightful)
Now let's say some bad guy gets the Friendster data. How hard can that be, considering how poor data protection in general is? The marvelous thing about data security is that once the data is loose, it could go anywhere. After all information wants to be distributed on SPAM CDs.
The bad guy could be a blackmailer, or perhaps just a law & order type who believes in guilt by association, or a politician and suddenly one of my friends is on an enemies list.
It was horrifying when we heard that the Colombian cartels were getting telco records, and murdering people based on them. This is similarly sensitive information.
One friend suggested that I join up anonymously if I was uncomfortable with the privacy issues of Friendster. Unfortunately, I've still compromised the privacy of everyone else on my list, and anyone who was interested could fairly easily interpolate my identity based on all the other data that is valid. That's a side effect of one of the coolest things about Friendster. People can fake accounts, but it has little effect, because the fakes won't go anywhere much.
Sure, probably nobody will come looking for me, but I lock my doors at night anyway.
I do know people who wouldn't have gotten certain jobs if their network of friends was known.
Troll Alert (Score:2)
Re:Troll Alert (Score:2)
Re:Compare with Europe (Score:4, Informative)
I have no real contention with the rest of your statements, just this one.
Re:Compare with Europe (Score:1)
I have to say that I am English, not American, so I could be talking rubbish (which is not unknown...)
Wired [wired.com] has a rather old article about this, and i remember doing some project work for a large US bank in London for this. No idea if anything came of it though.
(Of course, by the sound of it, from the parent poster, nothing much did come of it)
Re:Compare with Europe (Score:2)
However, I don't get the impression that things have changed. Whenever I complain about how much crap you have to go through to open an account in France, and how it takes roughly 10 minutes with no paperwork in the US, nobody has ever jumped up and said, "Wait, that's not true, I opened an account last month and I had to...."
I
Re:Compare with Europe (Score:2, Insightful)
Well, if it's an interest bearing account, then the IRS may want to know about it, since IIRC, dividends are taxable income (though with current rates, it's not very much).
Also, the bank wants to know it's you, so that when you come back later for your money, they can still verify it's you
Finally, there's the crime issue. Criminals would love to be able to just store their money under any name, as that
Re:Compare with Europe (Score:2)
If this is a checking account, you have the possibility to overdraw it. Eurocheques have a maximum guaranteed amount, so the bank cannot really bounce them... The bank must protect itself against customers who open a checking account, deliberately overdraw it, and run.
Re:Compare with Europe (Score:2, Insightful)
Even though this looks like a copy, I'll respond.
I am a french citizen. I have a CARTE NATIONALE D'IDENTITE, which consists of a photograph attached with 2 rivets to a cheap paper and a bad stamp. With this document I can enter france (and most of the
Re:Compare with Europe (Score:2, Informative)
However... i had to cancel a few cards at the bank, and they asked me for no ID. I had to renew my drivers license, and no ID again. So, all of those who are crying about loss of freedom, it's not a big deal. In Portugal, police can take you in for identification if you can't provide it, but that's it.
And about mailboxes... they're not that safe... i open mine with an old bicicle lock key...
Re:Compare with Europe (Score:2)
Banks here (Canada) have digitized reproductions of the original account owner's signature. How far away are we from having a face image in the database?
And will this generate more of that face-ripping-off crime?
Re:Compare with Europe (Score:2)
We aren't that far off from the face images in company databases.
Re:Compare with Europe (Score:2)
Re:Compare with Europe (Score:1)
Re:I am astonished (Score:4, Insightful)
This is the same as the morons that are happy about the fact that the police in my area cannot get into a high speed chase unless they are in pursuit of someone who is in the commission of a felony. Well, guess what kiddies; fleeing and eluding is a felony in itself and will thus warrant a high speed chase.
The bottom line is that it's very easy to talk smack on the internet but I can assure you that if a cop asked for your ID...you damned sure would hand it over.
Re:Awww... (Score:1)