Slashdot Mirror


Identity Theft and Social Networks

scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"

20 of 190 comments

  1. Slashdot doesn't use SSL to login by Anonymous Coward · · Score: 2, Interesting

    Guess it doesn't matter if you just stay anonymous.

  2. Even with SSL by tr0llx0r · · Score: 4, Interesting

    you're far from safe. SSL connections are vulnerable to MiTM attacks - we saw this with M$ Passport, hotmail etc. The only solution to these problems is for people (ie the average user of /.) to realise that anything they transmit over the net is sniffable with a little effort.

    In a dorm or corporate lan environment, all it takes is one trojaned laptop running a sniffer, and all you CC numbers are belong to us.

    GNAA!

  3. eCommerce Failure by pipingguy · · Score: 5, Interesting

    All the more reason to allow "anonymous", one-time use of purchased credits.

    Like phone cards - pay cash and use it online as you wish without easy tracking.

    Believe it or not, there are a lot of people online that don't have credit cards but would like to buy stuff over the internet (or people that *have* credit cards but are afraid to expose their information).

    Yeah, some people are going to bring up the "you are only liable for fifty bucks, anyway" issue.

    1. Re:eCommerce Failure by metlin · · Score: 2, Interesting

      There is another solution to this - use a check card.

      I have an account which has very little money that I use just for online transactions and at clubs.

      Usually, my online purchases don't exceed $100, so I just pay using that account. And when there is a need for me to pay more than that amount, I just transfer the amount to my checking account.

      Not exactly very convenient, but it works just fine for me. And it sure as hell is safe.

    2. Re:eCommerce Failure by Detritus · · Score: 4, Interesting

      Check with your bank on their policies for overdrawn accounts before you rely on separate accounts. When a check was presented that was far in excess of my checking account balance (due to MICR data entry error), my ex-bank just took the money from another account that had sufficient funds to cover the check. I didn't find out about it until I got my monthly statement. As far as I can tell, no human was involved in making the decision. The bank runs on autopilot for routine decisions. I eventually got all of my money back and the service charges refunded, but it was a pain in the butt.

      --
      Mea navis aericumbens anguillis abundat

  4. It's an interesting proposition by Fortunato_NC · · Score: 5, Interesting

    In "The Cuckoo's Egg", one of Cliff Stoll's key points was that the more secure a network becomes, the less useful it is to its users, because it becomes more inconvenient to work with. In a network where the entire idea is to exchange "personal" data such as contact info, then restrictions placed to enforce good security have a way of reducing the value of the network.

    But without such security, you have a "tragedy of the commons" type effect where the greedy among us abuse the good nature of others, again, reducing the value of the network.

    Seems like a rather immutable Catch-22 to me...

    --
    Blogging Weight Loss, Distance Education, and more at verlin.com

  5. Re:As a CISSP... by filth+grinder · · Score: 5, Interesting

    As you said, it's cheaper to do it right the first time, design good comprehensive security in from the ground up.

    Now, I'll tell you how it works in the real world. Most of these social network sites are designed small. Some odd project that happens to catch on and spiral out from there. Most sites start out small and then explode. This isn't giant corporations with lots of employees. Hell, most of them aren't even start ups. They are guys in basements who had an idea for a site, it took off. Through donations and subscriptions they gained size and scaled their programs up. Now they need to worry about things like SSL and site performance, and it's too late.

    It should have been done from the ground up, but it wasn't. Things like SSL and good tight security don't get built in when you never intend for projects to get as big as they do.

    Look at a site like Livejournal. It started small, and now it's taken off to being incredibly popular. They had a small team working on the site who had to decide what stuff needed to be done. Once the site got large, you have to go, "well, the site is running slow as it is, do we set up some more databases, work on memcache, or implement SSL which will bog down performance even more." Obviously in order to stay in business they had to improve the site performance and struggle to keep good service up. It's easy to let security go slack.

    It's even easier to sit back and scoff, "you should have done it in the beginning".

  6. The question is the wrong one by lgeezer · · Score: 2, Interesting

    Most community sites seem to be locally run affairs by the kid down the hall in his spare time, not by those with the money to spend on SSL certs. That, and the fact that the value of the Internet is to allow people to connect in new ways unencumbered by worrying how to pay for it, suggests that the problem here is not how to provide technically secure transactions.
    The problem here is how to create personal security on the Internet. When you're in the mall, gals keep their bags so the flap is on the inside. Guys don't stare at other guys for too long. That is how they are personally secure, not because the mall guards have guns.
    So a more interesting question is not "how can you make other people more secure?" but "how do you make yourself more secure?" Publish your results, and best practice will win.

  7. Define "user" by czardonic · · Score: 3, Interesting

    An insecure network is useless to this user (for purposes that I deem to be in need of security), no matter how "convenient" it is.

    Generally speaking, I wonder how the numbers of people who would refuse to use a given network because it is inconveniently secure compare to the numbers of people who would start using it if it was no longer inconveniently insecure?

    --
    Takahashi Rumiko made beats! DON, taku, DON, taku. . .

  8. Re:As a CISSP... by Anonymous Coward · · Score: 1, Interesting

    Actually, it's easy just to stick Apache in front of an app, buy a certificate, and turn on SSL. These securityfocus guys are engaging in yellow journalism here, trying to make a story where one doesn't really exist.

  9. Re:How often they get caught by Aviancer · · Score: 2, Interesting

    Indeed. My wife was the victim of identity fraud. The police caught the perp with my wife's ID -- and LET HER GO. She's been stealing cars from rental agencies and running up Sam's Club credit and cell phone bills ever since -- and the cops know who she is, and how much of a scourge she can be...

  10. University requirements by thedillybar · · Score: 4, Interesting

    While taking a physics class at the University of Michigan, I was required to sign up for an "online homework" website. It was 30 some dollars, and was considered homework for the class (i.e. you take the class, you sign up and pay).

    Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.

    Fine. Except for the fact that after signing up, they immediately e-mail me my password in plaintext. There's no SSL whatsoever on the site, and no way whatsoever to change my password.

    After e-mailing the company involved, I was simply informed that the site will not be changed. I complained to both the professor and the University. Apparently no one pays attention to this, or they just don't care enough to do something about it. What else can I do? (besides leave the University, obviously)

    1. Re:University requirements by Anonymous Coward · · Score: 3, Interesting

      While taking a physics class at the University of Michigan, I was required to sign up for an "online homework" website. It was 30 some dollars, and was considered homework for the class (i.e. you take the class, you sign up and pay).

      Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.

      Fine. Except for the fact that after signing up, they immediately e-mail me my password in plaintext. There's no SSL whatsoever on the site, and no way whatsoever to change my password.

      After e-mailing the company involved, I was simply informed that the site will not be changed. I complained to both the professor and the University. Apparently no one pays attention to this, or they just don't care enough to do something about it. What else can I do? (besides leave the University, obviously)

      File a real complaint with the university and sue under FERPA.

      UMichigan is a state school, and state laws apply. The university is violating its password policy and its student records policy.

      Call your student government, and get them involved.

      Call your student newspaper, and get them involved.

      Call your local TV news, and get them involved.

      And talk to a lawyer.

      You'd be amazed how quickly a university can respond when bad publicity and legal threats rear their ugly heads.

    2. Re:University requirements by Anonymous Coward · · Score: 1, Interesting

      Publicize it.

      Get an article in the college's paper (I assume you have one there?) complaining about this and explaining how someone could hijack this system.

      Be sure, however, that the article does not use your name. The only problem with this would be if you complained to them in a non-anonymous manner. The sad thing is that whenever you do whistle-blowing like this, you NEED to be anonymous. I did my best to follow my own advice when reporting vulnerabilities to the staff of my college and, thankfully, suffered no consequences as a result (in theory, they could've prosecuted me with violations of their rules within the university, even though during it all I was only trying to help them fix broken security... but I made it so that they had no one to punish for their own mistakes...)

  11. FUD by segment · · Score: 3, Interesting

    For most (l)users who don't understand SSL, most times they'll end up ignoring OpenSSL certs that weren't signed by so-called 'Trusted Signers', often going into a site without using SSL, thinking the cert is not to be trusted. I threw a 4096-bit cert for my FOIA docs, Openwebmail, and some other stuff, and people always ask me about that annoying little 'Trusted Signer' warning.

    Oh well... Bruce Schneier's old but well written doc always comes to mind when thinking of this topic: "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure" by Carl Ellison and Bruce Schneier:

    Computer security has been victim of the "year of the..." syndrome. First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public-key infrastructure (PKI). "If you only buy X," the sales pitch goes, "then you will be secure." But reality is never that simple, and that is especially true with PKI.

    Most people like fast content and often overlook security. Hell eBay out of all sites, billions in transactions, and SSL is an option! How sickening is that.

  12. Re:Article Slant by metalpet · · Score: 2, Interesting

    You don't have to wait.
    This little site happens to implement exactly the kind of javascript digest challenge/response he's talking about.
    This sends a non-replayable authentication token over the wire from which the password cannot be derived.

    You can certainly "mutate" the script to send your password in the clear, but an even better attack would be to write your password in big letters on a web page, and post the URL here.
    I'm looking forward to hearing more of your brilliant scheme to let the world know your password in spite of this mechanism.
    However keep in mind this is really meant to protect legitimate users from attacks, not stupid people from themselves.

  13. Re:Article Slant by gilgongo · · Score: 2, Interesting

    Not trying to troll, but how do we know you're the real Brad Fitzpatrick?

    Ha ha, only serious. But your profile is blank, and I can't see your PGP key - which might be construed as ironic under the circumstances ;-)

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"

  14. Re:How often they get caught by ardiri · · Score: 2, Interesting

    Most banks only require you to recite your SSN before you enter any transaction
    Damn.. I love Sweden. Everyone has an identity card; no photo = no identity card. You cannot do anything without your identity card; everything is based around your personal number (like social security id), but, if you want to do anything serious/transaction/bank stuff/use credit card - you have to flash that lovely little bit of plastic.

    no problems with identity theft here. oh well.

  15. Re:It's not stealing by Anonymous Coward · · Score: 1, Interesting

    Kinda. I was going to say that that's certainly a misuse of 'theft'; stealing it isn't, you're right, but what is it? Copying is impersonation fraud in a legal sense.

    I think it's quite unique because the 'victim' can actually play no role whatsoever in the crime.

    The person being attacked is the idiot whose belief (security) is so slack that s/he takes an impersonator to be you. If you lose money as a result of this your real beef should be with that person who failed to apply proper scrutiny.

    That's one way of seeing it. But imagine you are a small business whose customers are regularly sloppy with their security and leak easily to imposters. Who should bear the responsibility now?

    There are potentially 2 victims to every crime and since it can't be proven easily who was to blame it's quite a sticky situation.

    My thoughts end with this...

    Certain companies like Verisign have set themselves up as 'certificate providers' and their pitch is all about 'trust'. But when you analyse it all logically they actually do jack shit, they simply say 'trust us' and make a killing selling random numbers to people, if ever there was a money for nothing scam these guys have got it licked!! :)

    What certificate providers should ACTUALLY be is third party intermediates in a 3 way transaction whereby they VALIDATE that both parties are who they claim at the time of transaction and UNDERWRITE the transaction (insure it as well as assure it).

    Selling random numbers and commanding trust will not help anyone, or am I completely misunderstanding SSL?

  16. Re:How often they get caught by michaelhood · · Score: 1, Interesting

    These cards can't be faked? We've seen perfect fake IDs (Drivers' Licenses) here in the States.