
It’s Time to Get Serious About Security

May 29th, 2008

Filed under: privacy, security, usability — mike hall @ 6:45 am

Scott has been receiving emails from Sprint for several months now. The emails are kind and courteous and they thank him for his payment. They’re in plain text, no links. It’s not spam. It’s a real email from Sprint. The problem is that it’s not for Scott’s account. The emails are intended for another Sprint customer but are for some reason being sent to Scott. Scott emailed Sprint’s customer service about the situation, but armed with only the email address they had been sending the payment receipts to, they just couldn’t figure out who should actually be getting the emails.

So Scott and I decided to set out and see what we could find out from just the email address. First, we went to Sprint’s site and saw the login area of the webpage:

The "forgot username" link looked inviting, so we clicked there. Now all we have to do is enter the email address:

Email address entered and sent. Shortly afterward we received an email with the username. Success! But wait, what’s this? The email conveniently contained a link to the forgot password page:

Ok, Sprint, now you’re just making this too easy. We entered the email address and username and then received another email with a customized link to set a new password. Yes, that’s all it took. We now have full access to this guy’s account and all because he put in the wrong email address. We’re nice guys and all, so we logged out and sent an email to Sprint with the username to see if they would finally rectify the situation.

So here’s the question of the day: Is Sprint’s site truly secure? Should an email address really be treated as the key to the kingdom, so that anyone who can read that inbox gets access to everything else? Shouldn’t at least one security question (however secure, or insecure, such questions actually are) have been asked somewhere in this process? The idea that security and usability are at odds has been floated around a lot: making something more secure tends to make it less user friendly, and vice versa. Everyone wants their web site, application and product to be as easy to use as possible, but security simply shouldn’t take a back seat.

In a world where multi-factor authentication is readily available, something like this just shouldn’t happen. There are plenty of one-time security tokens (some with screens, some that act as virtual keyboards), fingerprint scanners and other solutions that are far more resistant to this kind of attack than a password alone (especially a password with an email-address backdoor).

So when you’re designing your next web site, web application or regular desktop application, stop and think through every avenue that touches authentication and account recovery. Think about what an attacker can do with only one authentication factor, with control of the email address associated with a user’s account, or with the answers to one or more of your security questions. Are you comfortable with what that attacker can or cannot access? Is a little loss in usability and ease of use worth the extra security to prevent these sorts of attacks?
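To make that design question concrete, here is an added example in Python (not code from the original post, and nothing to do with how Sprint actually implements any of this). It puts the email-only reset described above beside a reset that also demands a secret the account holder chose at signup and that never travels through the inbox (a PIN here, standing in for a security answer, an SMS code or a one-time-password value). The account record, the address, the PIN and the in-memory "outbox" are all made up for the example.

```python
"""Account recovery two ways: the email-only reset described above, and a
reset that also demands a secret which never travels through the inbox.
Added example with constructed data: the account, PIN and address are made up."""
import hashlib
import hmac
import secrets

RESET_TTL_SECONDS = 15 * 60   # a reset link should expire quickly
OUTBOX = []                   # stands in for the outgoing mail server: (to, token)


def _digest(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table yields no live links.
    return hashlib.sha256(token.encode()).hexdigest()


class Accounts:
    def __init__(self):
        # email -> record. 'pin' is chosen at signup and is never emailed (assumption).
        # Passwords are kept in plain text here only to keep the example short.
        self.by_email = {
            "customer@example.com": {"user": "customer1", "pin": "4821", "password": "old"},
        }
        self.pending = {}         # token digest -> (email, expiry time)

    # --- weak flow: whoever can read the inbox finishes the reset unaided ---
    def weak_reset(self, email: str, new_password: str) -> bool:
        acct = self.by_email.get(email)
        if acct is None:
            return False
        # "forgot username" mails the username, "forgot password" mails a link,
        # and the link alone sets the new password: the inbox is the only factor.
        acct["password"] = new_password
        return True

    # --- hardened flow: the inbox proves reachability, the PIN proves identity ---
    def request_reset(self, email: str, now: float) -> None:
        acct = self.by_email.get(email)
        if acct is not None:
            token = secrets.token_urlsafe(32)
            self.pending[_digest(token)] = (email, now + RESET_TTL_SECONDS)
            OUTBOX.append((email, token))
        # No return value and no error either way: the caller cannot tell
        # whether the address is registered (no account enumeration).

    def complete_reset(self, token: str, pin: str, new_password: str, now: float) -> bool:
        entry = self.pending.pop(_digest(token), None)   # single use, even on failure
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        acct = self.by_email[email]
        # Constant-time comparison; a wrong PIN burns the link instead of
        # letting someone who only controls the inbox guess PINs at leisure.
        if not hmac.compare_digest(acct["pin"].encode(), pin.encode()):
            return False
        acct["password"] = new_password
        return True
```

Behind a real mail gateway, request_reset would render the same "check your inbox" page whether or not the address exists. The second secret can be anything the user set up out of band; what matters is that it is not delivered to the same email account the link went to, so that a mis-addressed receipt, or a compromised inbox, is no longer the whole key.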

What scares me is that had Scott and I been not so nice of guys, we could have signed this poor sap up for Sprint’s Family Locator service and tracked him and his family right on their web site:

Now tell me how secure that is…

The REAL truth about the REAL ID Act

April 16th, 2008

Filed under: privacy, rights, security — mike hall @ 12:08 am

Have you heard about REAL ID?

This is basically the US government’s way to turn state drivers licenses into a national ID card and link them through one huge national database. And how will these IDs be used?

Once the IDs and database are in place, their uses will inevitably expand to facilitate a wide range of surveillance activities. Remember, the Social Security number started innocuously enough, but it has become a prerequisite for a host of government services and been coopted by private companies to create massive databases of personal information. A national ID poses similar dangers; for example, because “common machine-readable technology” will be required on every ID, the government and businesses will be able to easily read your private information off the cards in myriad contexts.

Social Security numbers are one of the worst privacy and security threats out there. Way too many businesses use them as IDs and as a means of authentication even though they are nothing of the sort. You might be saying, “Ok, Mike, yeah that sucks, but at least we’ll be more secure with REAL ID cards, right?”

And what will you get in return? Not improved national security, because IDs do nothing to stop those who haven’t already been identified as threats, and wrongdoers will still be able to create fake documents. In fact, the IDs and database will simply create an irresistible target for identity thieves.

So basically they’ll just become another way for you to lose your identity, your money and your privacy. As RealNightmare.org puts it, REAL ID is:

  • REAL INVASIVE - Will create America’s first national identity card, increase the threat of identity theft, enable the routine tracking of individuals, and propel us toward a surveillance society
  • REAL RED TAPE - Will mean bureaucratic nightmares, long lines, repeat trips, and higher fees for individuals trying to get licenses and IDs
  • REAL EXPENSIVE - With a cost in the billions, REAL ID is a hidden tax increase that will force Americans to either pay higher fees to get their IDs, or pay more in state taxes.
  • REAL POINTLESS - Will do little if anything to protect against terrorism

Sounds pretty hopeless, eh? At least, the second version of REAL ID isn’t as bad as the first version:

Original legislation contained one of the most controversial elements which did not make it into the final legislation that was signed into law. It would have required states to sign a new compact known as the Driver License Agreement (DLA) as written by the Joint Driver’s License Compact/ Non-Resident Violators Compact Executive Board with the support of AAMVA which would have required states to give reciprocity to those provinces and territories in Canada and those states in Mexico that joined the DLA and complied with its provisions. As a part of the DLA, states would be required to network their databases with these provinces, territories and Mexican states. The databases that are accessible would include sensitive information such as Social Security numbers, home addresses and other information. The foreign states and provinces are not required to abide with the Drivers Privacy Protection Act (DPPA) and are free to access and use the sensitive information as they see fit.

As they see fit? Mexico can do with my social security number as they see fit? Ugh…

If you’re sick and tired of all the identity problems and privacy invasions that already exist and don’t want to see the US become any more Orwellian, help repeal the REAL ID Act. There are states and congressmen that recognize this as a flawed system, but the gov’t isn’t backing down yet. There are several other resources like UnRealID.com, RealNightmare.org, and NO2RealID.org. Do yourself a favor and find out the truth about REAL ID before it’s too late.

DevCares Event: Security & Office

March 19th, 2008

Filed under: ASP.NET, coding, events, programming, security, web — mike hall @ 2:05 pm

I attended the Microsoft DevCares event here in Indianapolis a few weeks ago. It might not be on par with MIX, but whatcha gonna do? Anyway, the event was broken up into two sessions: security and Office.

In the security portion of the event, we looked at some common web exploits, how they work and how to fix them in your code. We went over cross-site scripting, cross-site request forgeries, SQL injection, insecure direct object references, information leakage and improper error handling, and broken authentication and session management. The presenter demo’d each one with a fictitious product website and some exploit code. It was pretty interesting although I had seen most of the demos already when I attended the previous month’s MSDN event on IIS7 and ASP.NET 2.0 application services.

We then broke into the Office integration session. Mostly talk around VSTO, WWF, Ribbon development and ClickOnce deployment. Not too bad, but not my cup of tea.

Anyway, I couldn’t get the exploit code, but I have the PowerPoint slides for anyone that wants them:

Can a worm do good?

February 23rd, 2008

Filed under: security — mike hall @ 1:53 am

It’s not a particularly new idea. Microsoft even got into some hot water a couple of days ago for this very thing. Can something as inherently malicious (or eeeeevil) as an Internet worm be used for good? It’s kind of like the One Ring. The bearer of the worm would want to use the power to do good, but by the very nature of the worm it would simply compel the bearer to use the power to spread evil throughout the lands. Anyone with me on that?

Geeky comparison aside, could a worm really be used to hop from vulnerable machine to vulnerable machine patching up their holes along the way? Despite the fact that it’s still illegal no matter how virtuous your intent, is it a good idea?

It would definitely accomplish the goal. A worm going from machine to machine could spread the same way malicious worms spread and patch each host along the way to keep the baddies out. What this leaves out, however, is the user, who doesn’t get to consent or even get notified that anything is going on, as Bruce Schneier points out:

And that’s exactly why it’s a terrible idea. Patching other people’s machines without annoying them is good; patching other people’s machines without their consent is not. A worm is not “bad” or “good” depending on its payload. Viral propagation mechanisms are inherently bad, and giving them beneficial payloads doesn’t make things better.

I agree with him in principle. Not letting the user consent to the fix isn’t good no matter how you spin it. I wouldn’t want my system unwillingly (and unknowingly) patched. I wouldn’t know if the patch was good, if it came from a reputable source or even if the patch might introduce any other vulnerabilities, holes or simply any other functionality that I might not want…

But let’s get real.

Users just don’t patch their computers. Regular users don’t keep their systems up to date. They don’t regularly patch their machines. Heck, they don’t even maintain their systems well. How many times have you acted as the family IT guy and tried to fix a relative’s computer that had never been defragmented, had tons of unknown or never used applications installed and was last patched not weeks ago, and not months ago, but years ago? Most users either don’t know how to patch, don’t want to learn, don’t care or can’t keep up. Worms, viruses, trojans and lots of other malware are still floating around the web that exploit vulnerabilities that have been patched for years. Yes, years. These infected systems just aren’t being maintained.

So has the time come to force patches upon users?

Under the sea… under the sea

February 19th, 2008

Filed under: networking, security — mike hall @ 10:39 pm

We’ve been hearing about all those undersea cables that have been cut recently (and yes, that’s five) and all the conspiracy theories surrounding them. So here’s a map of all the Internet undersea communication cables to get some perspective of the situation:

And I thought that since I’ve already posted maps on late night bandwidth, root servers, Internet address space, and global bandwidth, one more shouldn’t hurt…

Why is social engineering so easy?

February 15th, 2008

Filed under: security — mike hall @ 12:45 am

I don’t know why, but I just find a good social engineering story riveting. Maybe I actually enjoy the human aspect of security more than the technical aspect, or maybe it’s the whole secret agent thing of sneaking into places that you’re not supposed to be. Either way, I like it. And I just heard a good one in a letter to Steve Gibson on the Security Now! podcast.

Basically, a security penetration testing firm used a commercially available radio scanner to listen in on employees talking on wireless hands-free headsets. They sat across the street and could get good enough signal to hear and record the conversations. They then used what they heard to pose as a remote employee who came into town:

“I put on my best suit and then went to work. When I entered the building, I was greeted by security. I indicated I was an employee and was in town to work. I handed the security guard a business card and was welcomed with a smile. After escorting me to a cubicle, the guard showed me where the restroom was, where I could get a cup of coffee, and how to go about getting a building access card.”

It was just that easy. He goes on to tell about how he spent three whole days going into and out of the building, getting an access card, and getting into plenty of rooms he shouldn’t have been able to.

So what’s the problem here?

Was it that security guards didn’t check for a valid state issued ID instead of a simple business card? Was it that the security department didn’t investigate him further before issuing a key? Was it that the wireless headsets were being used in the first place? Probably every single one.

You should read (or preferably listen to) the whole story in episode 130. It really is fascinating. I’m also reading a book in the same vein called “The Art of Intrusion” by Kevin Mitnick of hacker fame. It documents a handful of real stories of hackers (or crackers, depending on how you look at them) who used various techniques, including social engineering, to get into what they wanted. There are stories about phreaking and getting Internet access from prison, being hired by terrorists, and cheating casinos out of a lot of money. Every story in there would make a great movie.

There are countless other stories where social engineering is no harder than wearing the right clothes and saying the right things. Here’s a story of people sneaking almost a hundred boxes of materials into the Super Bowl. Here’s one of a guy sneaking into a bank posing as a pest control inspector. And another of people easily getting through the security at the APEC Conference.

Why is this so easy?

Is it because we’re lazy, untrained or just plain stupid? Again, it’s probably every single one.

Those are cell phones in those baggies… right?

January 31st, 2008

Filed under: security — mike hall @ 11:35 pm

I first received one of these plastic bags with something I ordered from Amazon a couple months ago. On the surface it looks like a good idea. You send your old cell phone in and supposedly it will be given to the soldiers overseas so that they can call home. I won’t even get into the technology compatibility issues here…

But what I will get into is this: with all the recent news of people being reported for relatively benign things and of people reporting totally innocent acts to help fight the war on terror, is sending used cell phones in little plastic bags through the mail a good idea? Isn’t this exactly what people are reporting? Random electronic equipment that lights up or beeps? And we’re being encouraged to send these through the US Postal Service? Worse yet, would postal workers start to ignore odd shapes and odd sounds coming from these bags since they all supposedly contain used cell phones?

With knee jerk overreactions to non-threats becoming more and more commonplace, and “report all suspicious activity” becoming the mantra nowadays, it seems strange that we’re being encouraged to put little electronic devices into little plastic baggies and mail them en masse…

No ASP.NET debugging with Vista Home Premium

January 15th, 2008

Filed under: ASP.NET, Vista, coding, programming, security, web — mike hall @ 12:48 am

Recently I’ve been working on the membership provider that I talked about in my last ASP.NET post. I know it was mad secure already, but I figured a little extra beefing up probably wouldn’t hurt. So I create a user class derived from MembershipUser and override some more methods in my derived MembershipProvider class. I fire up the page, login and then bam!

Configuration Error

Ok, well how about we set some breakpoints and see what’s going on. I hit F5 and get a welcome dialog in return:

You want Windows auth? I’ll give you Windows auth. Back into Visual Studio. Open up web.config. Change it from Forms auth to Windows auth:

<authentication mode="Windows" />

Ok, let’s F5 again…

Ok, looks like I’ll need a little more help. I hit Google with the error and get a wide variety of help. After a few wild goose chases and clicking through IIS Manager a lot, I finally come across a page actually talking about this problem in Vista and IIS 7. It says to go to the “Turn Windows features on or off” dialog. I go. As directed, I click IIS -> WWW Services -> Security, and then check “Windows Authentication”:

Ok, seriously. What the heck? The IIS 7 help page for my exact error is telling me to check an option that isn’t there. Peachy. I go back to IIS Manager and go to the Authentication section for my site. I click on help and find the answer to my questions (but not my prayers):

What? What?!? So Vista Home Premium isn’t good enough to debug with? For something as “esoteric” as debugging you have to go all out and buy Windows Vista Ultimate? Please… Sure, I can still debug by opening my project as a file system solution rather than an HTTP solution and then debugging with Cassini, but that’s just annoying and shouldn’t be necessary. You shouldn’t need the end-all-be-all ultimate-of-ultimates version of Vista to debug. However, since there’s little choice, I may just be upgrading to Vista Ultimate after all:

At least this gives me a more compelling reason to upgrade than the “Vista Ultimate Extras”…

Creating a login mechanism with ASP.NET

January 9th, 2008

Filed under: ASP.NET, coding, programming, security, web — mike hall @ 11:11 pm

Creating a login page with ASP.NET is almost ridiculously easy. First create a page called “Login.aspx”. If you want to use a page named something other than “Login.aspx”, you can specify that in your web.config file:

<authentication mode="Forms">
  <forms loginUrl="member_login.aspx" />
</authentication>

After that, add an <asp:Login …/> control inside your page. The how to use the ASP.NET login control article from MSDN has more details (if you need them). After a successful login, the user is redirected back to the page they were originally trying to access before being sent to Login.aspx. If the user went straight to Login.aspx, they will be sent to your Default.aspx page. If you don’t have a Default.aspx page or simply want to send them somewhere else, add this attribute to your asp:Login tag:

DestinationPageUrl="~/YouLoggedIn.aspx"

Easy enough, huh? Well, how about the actual authentication? By default, ASP.NET will try to authenticate with the AspNetSqlMembershipProvider as specified in your machine.config file:

<membership>
  <providers>
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web,
               Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer"
               enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/"
               requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
               minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
  </providers>
</membership>

If you want to use your own database, point a provider at it in your project’s web.config (note that a connection string like this one carries a database password in cleartext, so protect the connectionStrings section, for example by encrypting it with aspnet_regiis -pe, and keep it out of anything public):

<connectionStrings>
  <add name="GlamRock" connectionString="server=skidrow;database=motleycrue;uid=poison;pwd=warrant;"/>
</connectionStrings>
<membership defaultProvider="MySQLProvider">
  <providers>
    <add name="MySQLProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral,
               PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="GlamRock" enablePasswordRetrieval="false"
               enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false"
               passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
               minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
  </providers>
</membership>

Or if you want to make your own provider you can easily do that too. Again, in web.config you add:

<membership defaultProvider="Simple">
  <providers>
    <add name="Simple" type="SimpleMembershipProvider, App_Code"/>
  </providers>
</membership>

Then add a new class declaration for SimpleMembershipProvider under App_Code, override ValidateUser and put your super complex code in it:

using System.Web.Security;

public class SimpleMembershipProvider : MembershipProvider
{
  public SimpleMembershipProvider()
  {
  }

  // Called by the asp:Login control; return true only for a valid username/password pair.
  public override bool ValidateUser(string username, string password)
  {
    return (username == "mike" && password == "foo");
  }

  // ...the remaining abstract members of MembershipProvider must be overridden here too.
}

…and of course you need to define all the rest of the abstract functions from the MembershipProvider base class. If you want to read in a flat file with all the account info you can do that or maybe read in a file that’s been encrypted with .NET’s encryption mechanism and then decrypt it. It’s really up to you. Although, I’m awfully fond of my implementation up above…

This site may harm your computer

January 5th, 2008

Filed under: links, security, web — mike hall @ 3:33 pm

No, not *this* site, but sites that show up in Google’s search results just might:

See the little warning underneath the title up there? Well apparently this message shows up under search results that Google has “identified as sites that may install malicious software on your computer”. You can even try to click the link, but Google will warn you once more just to be sure:

If you’ve protected yourself like I’ve talked about before, then you’ll probably be ok, but most people don’t. (Disclaimer: Don’t hold me responsible if you get h4ck3d anyway. You’ll be the one that has to fix it!)

I just have to wonder how Google is deeming these websites as “virus-y”. Does it have a farm of machines armed with various browsers visiting all sorts of different sites and then seeing if they come out without a scratch? Or does Google go test the site right after it gets added to their database? But then what if a site was originally clean, it gets added to Google’s database, but then a week or so later it either gets infected or even intentionally starts installing malware to unsuspecting visitors? Then you have Google results that indicate that the site is safe to visit even though it really isn’t. And that’s probably worse: having a false sense of security. Then what if Google in their infinite wisdom says that my site “may harm your computer”. What am I to do? Would I be stuck with this stigma forever?

However, it’s still probably a good idea for Google to provide this type of service. Most people still can’t tell a malicious website from a hole in the ground and wouldn’t be able to tell if anything had been installed even if their system is totally infested with trojans, worms and the like. What’s worse is that some people seemingly don’t care or even want to get infected. And with malware variants on the rise, don’t expect things to get any better…


Powered by WordPress, Theme based off the "I'm Okay" theme by Laurentiu Piron

Creative Commons License This work is licensed under a Creative Commons Attribution 3.0 United States License.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.