01/31/2007 — Never forget
(from the wall of our old office)
Today’s cyber-security horror story comes from Naoki Hiroshima, whose rare Twitter handle was stolen from him by an extortionist. The thief used social engineering to obtain information from Paypal, which allowed him to reset passwords on Hiroshima’s domains to take ownership of those domains. The thief then essentially held Hiroshima’s websites to ransom in exchange for the coveted handle.
Analysis of the problem
So what went wrong? Both GoDaddy and Paypal seem to have dropped the ball dramatically here. Paypal released confidential information to someone claiming to be the account owner. GoDaddy then accepted partial (and easily obtainable) information as proof of identity, after which their ‘security’ procedures swung in to block the legitimate owner from fixing the problem.
From the account, it appears that GoDaddy accepted the last four digits of Hiroshima’s credit card, plus the first two, as proof of identity. The last four digits are relatively easily obtainable — even if Paypal hadn’t happily handed them over, it’s common practice for businesses to send out paper or electronic invoices that refer to “your credit card XXXX-XXXX-XXXX-1234”. So now the attacker only had to guess the first two. But the first two digits of a card are part of the Issuer Identification Number. If the attacker knew who had issued the card (or even the type of the card), it would only take them a few guesses to get the right first two digits. And according to the attacker, the GoDaddy customer service representative was willing to let them go on guessing as long as they liked.
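To make concrete how little a "first two plus last four digits" check proves, here is an added example (not code from the original post or from either company) that models the guess space per card brand and a support-desk check with and without an attempt limit. The brand-to-prefix mapping is an assumption drawn from the publicly documented issuer-identifier ranges; the card values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Plausible first-two-digit prefixes per brand (assumed from public IIN ranges).
# "unknown" models an attacker with no brand hint at all: every two-digit pair.
PREFIXES = {
    "visa": {f"4{d}" for d in range(10)},                              # 40-49
    "mastercard": {f"5{d}" for d in range(1, 6)} | {f"2{d}" for d in range(2, 8)},  # 51-55, 22-27
    "amex": {"34", "37"},
    "discover": {"60", "64", "65"},
    "unknown": {f"{a}{b}" for a in range(10) for b in range(10)},
}

def guess_space(brand: str) -> int:
    """How many two-digit prefixes remain once the brand is known."""
    return len(PREFIXES[brand])

def success_probability(brand: str, attempts_allowed: int) -> float:
    """Chance of hitting the right prefix within a fixed attempt budget
    (one distinct guess per attempt, uniformly likely prefixes)."""
    n = guess_space(brand)
    return min(attempts_allowed, n) / n

@dataclass
class PartialCardCheck:
    """A support-desk identity check that accepts first-two + last-four digits.
    max_attempts=None reproduces the unlimited guessing described in the post."""
    first_two: str
    last_four: str
    max_attempts: Optional[int] = None
    attempts: int = 0

    def verify(self, first_two: str, last_four: str) -> bool:
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            return False  # locked out; further answers are ignored
        self.attempts += 1
        return first_two == self.first_two and last_four == self.last_four

def simulate_guessing(check: PartialCardCheck, brand: str, last_four: str) -> Optional[str]:
    """Risk measurement: walk every plausible prefix for the brand (last four digits
    are assumed already known, e.g. from an invoice) and report which one the
    check accepted, or None if the lockout held."""
    for prefix in sorted(PREFIXES[brand]):
        if check.verify(prefix, last_four):
            return prefix
    return None
```

Even a three-attempt lockout leaves Amex holders fully exposed and Visa holders at a 30% risk per call, which is why partial card digits should be treated as public data rather than as a credential.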
So GoDaddy’s ‘security check’ offered no real security at all, but the problems didn’t end there.
Once the attacker had changed Hiroshima’s account settings, GoDaddy notified him with a message that said that the change had been made. He wasn’t asked to confirm that he wanted to make that change: he was told that the change had been made, and he needed to act if he wanted to undo it. That’s an ‘opt-out’ rather than an ‘opt-in’. Moreover, undoing it turned out not to be an option, because GoDaddy’s subsequent checks stonewalled Hiroshima’s attempts to regain control.
To use an analogy, it’s as if a thief broke into your house, changed all the locks, and the police refused to allow you to get back in because your key didn’t fit the new locks. The difference here is that while the police can’t compare your key to the old locks, GoDaddy should have been able to confirm that Hiroshima’s credentials matched the previous settings on the account. If GoDaddy’s procedures offered real security, that should have been sufficient grounds to revert the account to the previous settings and lock it pending resolution of the issue. But apparently that’s not how they do things.
There are possible problems with prioritizing prior account information. An unscrupulous domain owner might, for example, sell a domain to someone else and then reclaim it by claiming theft. Nevertheless, the potential risks seem smaller than a system that essentially favors thieves.
Reading between the lines, it sounds as if GoDaddy’s procedures are designed not for security, but for customer support. Their system is set up to help the customer who calls up and says "Oh, I’ve forgotten everything, can you get me back into my account?" And with a claimed 6.5 million customers, many of whom are probably not technically savvy, it’s easy to see why GoDaddy might take this approach — which minimizes support time and probably makes most of their customers happy — rather than offering stronger security.
What can be done?
Hiroshima offers various suggestions for increased security (aside from not trusting Paypal or GoDaddy with anything). One is to increase the TTL on your domains — the thief’s initial attempt to gain control of the Twitter handle failed because delays in DNS propagation meant that emails sent to an address at Hiroshima’s domain still went to his own mailserver rather than the thief’s.
Another is not to use email addresses at your own domains for registration of anything valuable. If an attacker can gain control of the domain — and Hiroshima isn’t the first person to lose control of a domain registration in this way — then they control the email address, and if they control the email address, they control anything registered with it.
That’s sound advice, although I’m unconvinced by his recommendation to use Gmail instead. I’m not prepared to assume that passwords for webmail services such as Gmail, Yahoo or Hotmail are immune to theft. I’ve certainly seen plenty of stolen webmail accounts over the years, probably the result of phishing or keylogger attacks. Better security might come from ensuring that anything you want to protect isn’t registered with a publicly known email. If the attacker doesn’t know which email they need to control in order to take possession of an asset, their task becomes harder. In the case of domain names, that’s an argument for taking advantage of any ‘private registration’ service offered by your registrar, and setting it to auto-renew.
In Hiroshima’s case, that wouldn’t have saved him. The attacker’s attempt to obtain the asset (his Twitter handle) via his email address failed, so he switched to plan B, which was simply to bargain one asset (Hiroshima’s domains) against another (the Twitter handle). GoDaddy had given the thief leverage over the first asset; Hiroshima weighed up the risks and concluded that he had no option but to hand over the other, less valuable asset.
Things that we own online have real value. The value can come from rarity (such as a Twitter handle consisting of a single letter) or from the potential to exchange for hard cash (Bitcoins, in-game currency or virtual artifacts), or because they’re crucial to your business. Loss of control, even temporary, over a domain could be badly damaging to a small business, exposing it to anything from loss of revenue or customers to theft of secret information. Loss of an email account can have similar consequences: if you depend on an email address at a service such as Gmail to send and receive essential communications, you’re hostage to anyone who can take control of it.
The weak link
The deeper bottom line is that our security is in the hands of others. You can use multiple email addresses and multiple dissimilar passwords (and you should) so that an attacker who gets hold of one of your assets doesn’t get the set. You can store your access codes in an encrypted password safe rather than writing them on a Post-It note. You can use secure connections and shredders. But at the end of the day, if you share that information with someone else, then your security is only as good as their security procedures. And if their security procedures involve storing your password in plaintext, or letting malware run riot on their PoS terminals, or handing over your credentials to anyone who asks, you’re essentially screwed.
I have never liked the idea of Digital Rights Management (DRM), but it was a bad encounter with Adobe’s eBook DRM that eventually hardened my profound distrust into frank loathing. I won’t go into the details but suffice to say that I ran into everything that anti-DRM advocates like Cory Doctorow have always warned us about: getting locked out of content that I naively believed I ‘owned’, waves of incomprehensible error messages and baffling ‘permissions’ dialogs, being forced pretty much at gunpoint to use only their chosen e-reader, and so on. In the end, it all led to a simple resolution: if you use Adobe’s DRM (or any similarly intransigent proprietary DRM scheme), the sale is off. It’s just not worth it to me.
I don’t feel this way because I think that I or anyone else has a sovereign human right to run out and upload everything we buy to the Pirate Bay. I am almost neurotic about paying for the digital content I enjoy, and about expecting others to do the same. I don’t give away what isn’t mine. But I don’t want to waste even a minute more wrestling with poorly-implemented software that treats me as a criminal, I don’t want to be told that I can’t use the software or hardware of my choice, I don’t want to find that everything I thought was ‘mine’ is suddenly lost to me because of a glitch or a change in corporate policy or technical obsolescence. Punto, e basta.
So, on reflection, I’m pretty happy about the news that Adobe has decided to double down and develop a new, even more aggressive DRM scheme. Because I wasn’t going to buy anything protected with their DRM anyway, and when — as it inevitably will — the new version proves to be even more nightmarish than its predecessor, then maybe, just maybe, it will trigger a backlash against DRM that will finally drive a stake through the black heart of the whole concept.
The latest crumb of information to emerge from the Snowden files is a claim that the NSA shares raw intelligence data with Israel, including data gathered from US citizens. Use of the data is governed only by a ‘memorandum of understanding’ with no real legal force.
Cynics will not be surprised. Within the US, other agencies including the DEA, Homeland Security, and the Secret Service have also been given access to data collected by the NSA. The official line is that such sharing is limited and subject to strict controls. Reading between the lines, it sounds as if the NSA’s own innate secretiveness may play a bigger role in limiting the unchecked flow of information out of Fort Meade than any official safeguards against misuse.
Once the first steps have been taken to allow a government agency to look where it couldn’t before, any new powers available will quickly be expanded beyond their intended use. In New York, police were given the power to search the bags of anyone entering the subway system as an anti-terrorist measure. The program was not particularly useful for its ostensible goal: a would-be bomber who spotted police at one subway entrance could usually find another station with no checkpoint only a little distance away, or might choose to set off his bomb on a bus or in a department store. It’s doubtful that the program made New Yorkers any safer. However, in the event that a bag search disclosed something else — drugs or weapons, for example — the NYPD was authorized to make an arrest. An ineffective measure against ‘terrorism’ offered the police the opportunity to go fishing for evidence of other crimes.
Similarly, it took less than two years for the anti-terrorist PATRIOT Act to be turned to other purposes, including the investigation of a Las Vegas strip-club owner suspected of bribery. By 2007, a government audit had determined that the FBI was guilty of ‘serious misuse’ of some of the powers given to it by the Act, violations not merely of the spirit but of the actual letter of the law.
So it’s no surprise to learn that all the new powers that the NSA has quietly awarded itself are already being used in ways that go far beyond the agency’s official remit, and that information gathered is being shared, often without restriction, with those that the NSA sees as its natural ‘partners’, including foreign powers. To date, only Israel has been named as a recipient of raw intelligence. You don’t need to be a cynic, merely a realist, to think that it’s probably not the only one, and that raw or processed intelligence derived from the NSA’s broad surveillance of Americans will be or has already been shared with other foreign states, including some that we would consider despotic.
The NSA, of course, isn’t telling, and unless another Snowden comes forward, we’re unlikely ever to hear about it.
If you ever needed any proof that our brave new panoptical world is two parts Stasi to three parts Keystone Kops, consider this quote from Lulzsec’s ‘Topiary’, in his interview page at askFM:
The only communication between LulzSec and WikiLeaks was between an FBI informant on their end and an FBI informant on our end, both trying to entrap each other to incriminate both groups further, and likely both oblivious to the fact that the other was working for the same organization.
It would be funny, except that it points to the way that the ‘intelligence services’ (a term that sometimes looks like an oxymoron) are increasingly involved not just in investigating crime, but also in inciting it. A majority of high-profile ‘terrorist plots’ supposedly uncovered by the FBI since 2001 have been variations on the same tawdry scenario: a small group of marginalized, disaffected and desperately dysfunctional people — often including long-term drug addicts or the mentally ill — is infiltrated by an FBI informant. Under direction from his controllers, the informant then prods, exhorts, cajoles, bribes or threatens this band of losers until they agree to execute the plan he suggests, using ‘explosives’ provided for them by the Feds. At the 11th hour, the G-men swoop in to arrest the bad guys, and it’s handshakes and press conferences all round.
Of course, it isn’t just government agencies that use infiltration and entrapment. McDonalds hired teams of spies from two separate firms to infiltrate London Greenpeace, an activist group critical of the multinational. This was in the context of the famous McLibel case, in which the corporate giant unleashed the full force of its legal department on two minimum-wage defendants to earn a victory that was in every way Pyrrhic, with a number of the allegations made by the activists being shown to be true in court. Still more disturbingly, it has now emerged that one co-author of the McLibel flyer was actually an undercover police officer. To date, however, McDonalds has not announced any plans to sue the Metropolitan Police for their role in the defamation.
But wait — there’s more. According to the Guardian, the officer who co-wrote the pamphlet also had sexual relationships with four activists and fathered a child with one of them, before abandoning his false identity and disappearing back to Scotland Yard. He didn’t sleep with Helen Steel, one of the ‘McLibel Two’: that was left to his colleague, another police infiltrator from the Met’s Special Demonstration Squad. And the shenanigans don’t end there: it’s been reported that at least one of the corporate spies hired by McDonalds also infiltrated an activist’s bed in order to win his trust.
It’s easy to focus on the farcical aspects of this: the teams of competing spies all busy compiling reports on each other, the terrible seriousness with which senior officials try to persuade us all that a ‘conspiracy’ composed of six addled homeless men constitutes an existential threat to our society, the secret policemen who can’t seem to keep it in their pants. But the methods in use — infiltration of peaceful groups, deliberate entrapment, and yes, the use of sex as a tool for espionage — are also the tried and tested strategies used by repressive regimes everywhere. When they become common currency in self-styled democracies, that’s not funny at all.
Twitter / Search - #clarionbedtimestory
We came, we got drunk, we took turns reading Laurel K. Hamilton’s “Micah” out loud in silly voices. Hilarity ensued.
This year, I’ve been lucky enough to attend the Clarion Writer’s Workshop in San Diego. Here are my thoughts on Clarion, four weeks in.
Black’s Beach, San Diego, CA.
Window seats and good weather and long plane rides are an amazing combination for anyone who likes to take photographs.