[ISN] Sure, Security Is Hard, But....

From: InfoSec News (isnat_private)
Date: Tue Jun 04 2002 - 01:41:23 PDT

    http://www.oreillynet.com/cs/weblog/view/wlg/1482
    
    by Marc Hedlund
    Jun. 1, 2002
    URL: http://www.nytimes.com/ref/membercenter/help/qpass_redir.html
    
    ...this is ridiculous. The New York Times recently switched from one 
    paid membership management system to another, and they changed the 
    username and password of every paid account. For some reason, they've 
    posted the system they used to choose new usernames and passwords on 
    the Web for anyone to see. Security is certainly a difficult problem, 
    and password management is even harder than most security problems, 
    but it's much worse when you don't even try. If you have a paid 
    nytimes.com subscription, be sure to read this. 
    
    The New York Times' Web site offers some excellent paid features, 
    including online archive searches and crossword puzzle downloads. In 
    the past, they used a horrible service called Qpass to manage their 
    paid accounts. Qpass was hard to use and unreliable, and many 
    nytimes.com members (myself included) complained about it frequently. 
    Apparently the people at the Times agreed, because in March they 
    dropped Qpass and moved to a new account management system. The new 
    system is a big improvement in usability and reliability. 
    
    My jaw dropped, however, when I got the email from nytimes.com telling 
    me how to access the new system. It read: 
    
    
    Now enter the following Member ID and password which we have created 
    for you and click the "Log In" button. You will need to use this 
    Member ID and Password to access your NYTimes.com premium products in 
    the future.
    
    Member ID: marc_hedlund
    Password: Your password is your Qpass User Name.
    
    I quickly wrote them a note pointing out that usernames are easily 
    guessable (my Qpass username was "mhedlund") and often repeated across 
    many sites, and were often not kept as secrets (for instance, message 
    board posts are often tagged by username). Furthermore, I wrote, I 
    thought this message violated their privacy policy, which states: 
    
    
    Data Security: To prevent unauthorized access, maintain data accuracy, 
    and ensure the appropriate use of information, we have put in place 
    appropriate physical, electronic, and managerial procedures to protect 
    the information we collect online.
    
    I certainly wouldn't count sending password-guessing instructions to 
    all of their users as "appropriate [...] managerial procedures." I 
    asked if there had been some mistake, and suggested they revoke all 
    the guessable passwords and send out new, random passwords as a 
    stop-gap. They replied that there was no mistake and that I could 
    always change my password if I found myself concerned about security. 
    (And I did.) Today I noticed that the same instructions I had been 
    emailed are available on the nytimes.com FAQ page, 
    <http://www.nytimes.com/ref/membercenter/help/qpass_redir.html>. 
    
    It's always disappointing when a site is negligent with security. 
    What's a little more surprising about this case is that this is a 
    prominent commercial site -- the New York Times is paid by each of its 
    premium subscribers -- so you'd think (or hope) they would care more 
    about protecting their customer's security. If I can get access to 
    your account, I can buy articles from the New York Times' archive and 
    have them charged to your credit card without you knowing about it 
    (particularly, but not exclusively, if you've enabled one-click 
    checkout on your account). That right there is the core definition of 
    an ecommerce vulnerability, and here's one of the premier media 
    organizations in the world making such an attack trivial. 
    
    How hard would it have been for the New York Times to send random 
    passwords to its premium users rather than easily guessable passwords? 
    They were already sending a customized email to each subscriber, and 
    they already had to write a password update system. Alternatively, 
    they could have had each subscriber choose a new password for 
    themselves the next time they logged in. The cost of doing things much 
    more securely instead of insecurely would have been $0.00. 
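The contrast the paragraph draws, as an added example that is not part of the original post: the migration scheme the page describes (old Qpass user name becomes the password) next to the alternative it suggests (a random one-time password that only opens a change-password step). The account records are constructed sample data, and the function names are my own.

```python
import hashlib
import secrets
import string

# Constructed sample records, shaped like the migration the page describes:
# each subscriber gets a new Member ID and previously had a Qpass user name.
MIGRATED_ACCOUNTS = [
    {"member_id": "marc_hedlund", "qpass_username": "mhedlund"},
    {"member_id": "jane_doe", "qpass_username": "jdoe"},
]
ALPHABET = string.ascii_letters + string.digits


def hash_password(password, salt=None):
    """Salted PBKDF2 so the stored credential is never the plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def is_guessable(candidate, account):
    """Flag any password derived from identifiers that are public or reused."""
    known = {account["member_id"].lower(), account["qpass_username"].lower()}
    return candidate.lower() in known


def migrate_weak(account):
    """The scheme the page describes: the old Qpass user name is the password."""
    salt, digest = hash_password(account["qpass_username"])
    return {"member_id": account["member_id"], "salt": salt,
            "hash": digest, "must_change": False}


def migrate_secure(account, length=12):
    """Random one-time password, sent once, usable only to set a real one."""
    while True:
        temp = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_guessable(temp, account):  # cannot collide with known ids
            break
    salt, digest = hash_password(temp)
    record = {"member_id": account["member_id"], "salt": salt,
              "hash": digest, "must_change": True}
    return record, temp


def login(record, supplied):
    """Constant-time check; a temporary password only opens the reset step."""
    _, digest = hash_password(supplied, record["salt"])
    if not secrets.compare_digest(digest, record["hash"]):
        return "denied"
    return "change_password_required" if record["must_change"] else "ok"
```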
    
    If you are a premium subscriber, you should definitely change your 
    password so that it is something hard to guess. You can change your 
    password at <http://www.nytimes.com/mem/profile.html>. Information 
    about the importance of choosing a good password can be found at 
    <http://www.nytimes.com/2001/12/27/technology/circuits/27PASS.html?ex=1010480> 
    -- yup, that's right, in an article published by the New York Times. 
    
    Marc Hedlund was co-founder and CEO of Popular Power, the first 
    commercially released P2P distributed computing platform. Before 
    Popular Power, he founded Lucas Online, Lucasfilm's Internet division. 
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    
    This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 04:45:26 PDT