Lousy Security from Phone Conferencing Companies

The other day I was assisting a group that needed to attend one of these “webinars” where we’re projecting a laptop onto a screen while we’re listening to a speaker over a POTS line. As the e-mail from the company sponsoring the webinar suggested, I dialed in about 20 minutes before the conference started to test, etc.

Except I wasn’t dumped into the conference I was supposed to be in. Instead I was now participating in some sort of briefing between salesmen at a company that provides services to a number of large insurance companies. The salesmen could not hear me and were apparently completely unaware of my presence as they discussed the best approach to take with a particular client, and one chimed in with a list of things not to say during another.

Finally, at the appointed time my call was supposed to start, the salespeople all hung up and the person from the company I was conferencing with was added to the call.

Now, typically the security for these calls consists of calling a phone number and then entering an arbitrary number that corresponds to your particular call. So there are likely two possible explanations for the mishap.

First, the people at the conference company could be complete morons and use a single ID # for a single conference slot and then give that conference ID out to different people, assuming they won’t call in outside their normally scheduled time.

Another possibility is that the algorithm the company is using to generate conference ID #s is flawed and doesn’t generate truly unique IDs. One of the things I noticed is that with most audio conference companies I use, I typically get a 9-12 digit code for the conference, whereas these folks only used a 6-digit code, which struck me as kind of odd.

Regardless of whether it was something like this or something completely different, this sort of thing is completely unacceptable and should never happen. I had never used this particular company before and certainly will warn other people in my organization about them.

Given how important security is in third party hosted audio/video conferencing, it’s surprising how cavalier some companies are about security.

SmugMug Re-Visited

A couple weeks ago I mentioned the security problems that had been discovered in photo sharing site SmugMug.Com, which were exacerbated by SmugMug.Com CEO Don MacAskill’s arrogant response to people who bothered to point out the problems with his company’s security model.

In response to the publicity across the Internet, MacAskill issued a challenge — he would pay $600 to anyone who could access a specific image secured by his service. This was a convenient challenge because the security hole didn’t have to do with being able to access a specific arbitrary image. Still, Sunnet Beskerming has written an interesting analysis of SmugMug’s security model for protecting images like the one that is part of the challenge. And his conclusions are not encouraging for anyone still using SmugMug,

Disturbingly, it is only through the use of the password that a user can protect images from viewing. Any other choice of setting will still allow direct request of both images and albums. It is also apparent from random test selections that there is a loose correlation between album ID and image ID. Basically, the newer an album, the newer the images are that are in it. Using this approach, it is possible to establish a bracket of likely album IDs that have an image of interest, even if they are password protected and the image can not be directly accessed.

It is here that another unexpected weakness arises. Despite all the steps taken to protect the album name and user name, the page title helpfully announces both of these details when a request is made for a protected album.

Beskerming also postulates a different attack — rather than retrieving a specific user’s private images, what about making it appear as if the user is hosting an image that is in fact not in his or her albums,

To make matters worse, it is possible to spoof image origination, which could be used by someone with a malicious anonymised account to blackmail or harass legitimate account holders. By manipulating the URL, it is possible to load any non-password protected image in any non-password protected album. Passing a URL of the following form to a victim will make it appear that they have a malicious image (what sort of content that is is left to the reader) in their legitimate album:

http://victim.smugmug.com/gallery/legit_album_id#malicious_photo_id

If this URL is passed to others, it would appear that the malicious image has been placed there by the victim, while there is no way to determine who placed the malicious image on the site in the first place (though SmugMug should be able to work that one out). If such a URL referenced an image of illegal content, the implications for the victim are significant, especially if it is passed to law enforcement agencies or those with limited technical knowledge.

So, for example, one of the non-password protected images that was exposed in the initial wave of reporting about SmugMug was a picture of a woman reclined on a bed. Using Beskerming’s technique, a savvy hacker could e-mail my wife a URL that would appear to show that image as part of my non-password protected SmugMug album.

As Beskerming concludes, what SmugMug needs to do is dispense with the silly challenges and pay someone to audit their security. Moreover, they should bite the bullet and transition to GUIDs even though that might break the URLs that some users have used to give family and friends access to their pictures. I know I would much rather receive an e-mail from a company saying, “we’ve discovered a serious security hole that has to be plugged now, and as a result all of the URLs will change” rather than wake up one day and find what I thought were my private pictures littering the Internet.

SmugMug Lives Up to Its Name

Philipp Lenssen of Google Blogoscoped created a mini-storm this week when he discovered a major security hole in the way photo-sharing site SmugMug.Com implements its privacy settings for photos people have uploaded to the site. Unfortunately, SmugMug’s reaction so far has been very…well…smug.

People who post photos on SmugMug want to be able to share their photos with friends but not necessarily share them with the entire Internet. Moreover, they don’t necessarily want their friends to have to know a username, password, etc. So SmugMug has a “privacy” setting which doesn’t require a password but does require someone to have the exact URL to the photo being shared.

This is not a bad idea, especially if done with a Globally Unique Identifier. With a GUID, each photo would have an arbitrary identifier in the URL that would be very difficult to guess or brute force. But, as SmugMug’s CEO confesses, they didn’t know what GUIDs were when they first started SmugMug, so they didn’t use them.

Instead, SmugMug uses the incredibly stupid system of simply starting at 1 and incrementing up for all its photos and galleries in the form

http://smugmug.com/gallery/1000

http://smugmug.com/gallery/1001

…meaning it is trivial to write a script to crawl the site and easily view any and all “private” photos on the site. According to Lenssen, there are other security problems that make it possible to view even some password-protected photos and galleries at SmugMug.com.
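As an added illustration (not code from the original post or from SmugMug), here is a small Python model of the two identifier schemes the post contrasts, together with the guessability and birthday-collision arithmetic that also bears on the 6-digit conference codes in the phone-conferencing post above. The photo names, IDs and the in-memory store are constructed sample data.

```python
import hmac
import uuid

# Constructed sample data standing in for a photo-sharing backend: the same
# three photos, once under dense sequential IDs and once under random GUIDs.
PHOTOS_BY_SEQ = {1000: "beach.jpg", 1001: "hotel.jpg", 1002: "kids.jpg"}
PHOTOS_BY_GUID = {uuid.uuid4().hex: name for name in PHOTOS_BY_SEQ.values()}


def lookup_sequential(photo_id: int):
    """Weak scheme: IDs start at 1 and count up, so almost every integer in
    range resolves to a real photo and the whole site can be enumerated."""
    return PHOTOS_BY_SEQ.get(photo_id)


def lookup_guid(token: str):
    """Hardened scheme: a version-4 UUID carries 122 random bits, so a guess
    essentially never resolves. Constant-time comparison avoids leaking how
    many leading characters of a guess were correct."""
    for known, name in PHOTOS_BY_GUID.items():
        if hmac.compare_digest(known, token):
            return name
    return None


def hit_probability(valid_ids: int, space: int) -> float:
    """Chance that one uniformly random guess lands on an existing ID.
    For a dense sequential space this approaches 1; for 32 hex digits
    (16**32 values) it stays negligible even with millions of photos."""
    return valid_ids / space


def collision_probability(n_ids: int, space: int) -> float:
    """Birthday bound: probability that at least two of n_ids identifiers
    drawn at random from `space` values coincide. If conference codes were
    drawn at random from a 6-digit space (10**6), a few thousand codes valid
    at once would already make a shared code likely, which is one of the two
    explanations the conferencing post offers."""
    if n_ids > space:
        return 1.0
    p_all_distinct = 1.0
    for i in range(n_ids):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct
```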

SmugMug’s response is basically a) users of SmugMug aren’t complaining yet, b) implementing GUIDs would be expensive at this point, and c) using this method you can’t get at specific photos.

I’m not surprised that SmugMug users aren’t complaining yet, but I wonder how happy they’d be if they knew that, say, that “private” photo taken in a hotel room posing with lingerie is easily downloadable by anyone with enough patience (and most users seem to have their names on their galleries, so it wouldn’t be too difficult to download all of John Doe’s embarrassing pictures, post them elsewhere on the Internet, and associate the pictures with the individual who posted them). And all this from a site that trumpets it is “Safe and secure” in its front page pitch.

Definitely a service to avoid.

OpenVPN

Over the past 6 months or so, I’ve really been trying to make a more systematic attempt to keep my data and online activities safe from prying eyes. The last thing I’d want to happen is to end up in one of those news stories about some idiot whose lackadaisical attitude toward security resulted in the leaking of sensitive information (not that I typically have much sensitive information, but better safe than sorry).

One of the nicer utilities for securing online communications is OpenVPN which describes itself as,

…a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls.

I use it primarily for WiFi/networking security when I am not at home. I have OpenVPN running on a server in my basement office, and then securely run all of my Internet access through that when I am away from home. It is nice ensuring that no one is spying (at least on my end) on my IMs and web browsing while I’m using WiFi or an insecure Ethernet network.

1/3rd of Workers Write Down Passwords — Good for Them

This week saw a flurry of articles on an alleged security risk — 1/3rd of workers in a survey said they write down their passwords in one form or another. Nucleus Research and KnowledgeStorm, which performed the survey, portrayed this as a serious security problem and recommended biometrics and other security methods.

According to ZDNet,

“This [writing down passwords] is really a lot like mom and dad buying a great new security system for the house and junior leaving the combination under the door mat,” said David O’Connell, senior analyst at Nucleus Research.

Couldn’t disagree more. Writing down passwords is, in fact, the best way to deal with a) the need to maintain secure passwords that are not easily subject to brute force or dictionary attacks, and b) the need to maintain passwords for multiple systems.

Personally, I have userids and passwords to 50-60 accounts. Now maybe Mr. O’Connell has a photographic memory that allows him to remember at an instant the userid and password to dozens of accounts, but most of us don’t quite have that skill.

There are two ways people deal with this. One is to compromise the security of the accounts by using an insecure password that is easily circumvented by a determined attacker. The other is to pick one secure password and use it over and over again for numerous systems.

Microsoft’s Jesper Johansson railed against policies against writing down passwords last year,

“How many have (a) password policy that says under penalty of death you shall not write down your password?” asked Johansson, to which the majority of attendees raised their hands in agreement. “I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them.”

According to Johansson, use of the same password reduces overall security.

“Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it,” Johansson said. “If I write them down and then protect the piece of paper–or whatever it is I wrote them down on–there is nothing wrong with that. That allows us to remember more passwords and better passwords.”

Security expert Bruce Schneier weighed in a month later agreeing that writing down passwords made perfect sense,

Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.

Personally, I prefer using programs that handle password management. Typically, the userids and passwords are stored securely in encrypted files that are accessed by a master password. It is much easier for me to memorize and secure a single password than it is to remember dozens of different ones.

Sources:

Microsoft security guru: Jot down your passwords. Munir Kotadia, CNET News.Com, May 23, 2005.

Study: Workers often jot down passwords. Reuters, October 17, 2006.

1/3 of Workers Write Down Passwords. Ed Oswald, BetaNews, October 18, 2006.