I had an account hanging out there for a few years. I wasn't looking for a new position so all the privacy controls were turned on. Along comes the second data breach in under two years. I decided I didn't need that account anymore. I know, closing the barn door after the horse is already gone.

Anyway, I went to log into my account to have it removed and couldn't remember my password. No problem. I clicked on the 'Forgot my password' link and received a nice email with a URL in it to reset my password. Slight problem. The URL didn't point to an SSL-encrypted page.

I decided to give them the benefit of the doubt by assuming I would be redirected to a secure page to actually reset my password. Nope. The reset page was also unencrypted. To reset my password I had to let it flit across the hostile internet in cleartext. I went ahead and did it since I was deleting the account anyway.

That made me a little curious and I decided to poke around a little more to see if anything else obvious popped up. Didn't take long.

The sign-up page, which asks for your full name, email address, password, location and current employment status, is also not encrypted. Once again, I decided to give them the benefit of the doubt and took a peek at the page source to see if maybe they posted the information to a secure page. Nope. At least not that I can find.
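The two checks described above, whether the reset link itself is https and whether the forms on the reset and sign-up pages post their password field to an https URL, can be automated. The script below is an added example and is not code from the original post or from the site being discussed. The URLs and HTML are constructed samples (example.com); the page-source check it performs is the one the post describes by hand: find every form carrying a password field, resolve its action against the page URL, and flag any that would submit over plain http.

```python
"""Check whether the pages of a credential flow submit secrets over TLS.

Given a page's URL and its HTML, find every form that carries a password
field and resolve the form's action against the page URL.  A form whose
action resolves to a non-https URL (or that has no action and so posts
back to a plain-http page) sends the password in cleartext.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, has_password_field) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []          # finished forms: (action_or_None, has_password)
        self._current = None     # form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "password": False}
        elif tag == "input" and self._current is not None:
            # Valueless attributes come back as None, hence the "or".
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append((self._current["action"], self._current["password"]))
            self._current = None


def insecure_credential_forms(page_url, html):
    """Return resolved action URLs of password forms that do not post over https."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        # A missing or empty action posts back to the page itself.
        target = urljoin(page_url, action) if action else page_url
        if urlsplit(target).scheme.lower() != "https":
            findings.append(target)
    return findings


def link_is_https(url):
    """True when a URL (e.g. the link in a password-reset e-mail) uses https."""
    return urlsplit(url).scheme.lower() == "https"


# Constructed sample pages for the example; not captured from any real site.
RESET_PAGE_URL = "http://www.example.com/account/reset?token=abc123"
RESET_PAGE_HTML = """
<html><body>
<form method="post">
  <input type="hidden" name="token" value="abc123">
  <input type="password" name="new_password">
  <input type="submit" value="Reset">
</form>
</body></html>
"""

SIGNUP_PAGE_URL = "http://www.example.com/signup"
SIGNUP_PAGE_HTML = """
<html><body>
<form method="post" action="/search">
  <input type="text" name="q">
</form>
<form method="post" action="https://secure.example.com/register">
  <input type="text" name="full_name">
  <input type="text" name="email">
  <input type="password" name="password">
</form>
<form method="post" action="/register-legacy">
  <input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    print("reset link uses https:", link_is_https(RESET_PAGE_URL))
    for url, html in ((RESET_PAGE_URL, RESET_PAGE_HTML), (SIGNUP_PAGE_URL, SIGNUP_PAGE_HTML)):
        bad = insecure_credential_forms(url, html)
        print(url, "->", bad or "all password forms post over https")
```

Run against a real page by fetching the HTML with any client and passing the final URL (after redirects) as `page_url`; a form with a relative action on an http page is flagged because it inherits the page's scheme, which is exactly the case the post found. Forms without a password field are ignored, and a form whose action is an absolute https URL passes even when the page that hosts it was served over http, although that page's own integrity is still unprotected in transit.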

What this says to me is that there is a serious lack of understanding of information security in's organization. If as basic a tenet as encrypting passwords when in transit and at rest is not understood and enforced, what else are they missing?

</hops off soap box>



In yesterday's Interesting Information Security Bits post, I pointed to an article that indicated that the U.K. had implemented policy changes that allow police officers to "hack" into a suspect's computer without a warrant.

According to this article, that is not true. While there have been discussions about expanding the police force's latitude in this arena, nothing has been enacted at this time.

From the article:

A spokesman for the Home Office told the Reg that UK police can already snoop - but these activities are governed by the Regulation of Investigatory Powers Act and the Surveillance Commissioner. He said changes had been proposed at the last Interior Ministers' meeting, but nothing has happened since.

I have pointed this out in its own post because I dislike being responsible for spreading FUD. I apologize for misleading you with my post yesterday.



But, that was fiction, wasn’t it?

by kriggins on October 17, 2008

in Privacy

In this post, I talked about Cory Doctorow's novel Little Brother.  I briefly mentioned the excessive surveillance implemented by the government as a result of an event that occurred in the book. However, the focus of that post wasn't the surveillance, but that any system can be designed in such a way that the designer cannot break it.

I think that is still a valid point, but let's look at the issue of excessive surveillance today.  In the book, everybody in the San Francisco area is essentially watched all the time: through tracking of how people move around via public transit ID cards, through the laptops provided to students at school which monitor and report on the students' online activities, through spending patterns based on credit and debit card usage, and through the populace itself.

The government has convinced a large portion of the populace that this level of daily scrutiny is for their own good.  It is necessary so that the terrorists can be caught. Furthermore, it is the people's responsibility to report suspicious activity.  We are talking about a situation in which essentially all rights to privacy have been suspended. Now, in Little Brother, this is only occurring in the San Francisco area because of a terrorist attack.

In this post, I talk about a mini-series being aired in the United States right now by PBS called "The Last Enemy."  In this fictional program, we have moved beyond a locality being under constant watch.  The entire United Kingdom is being watched by a program called T.I.A. or Total Information Awareness.  T.I.A. is fed data from every system the government has and many public sector systems too.  It gives the government the ability to see every move of every person within its database.  It is even able to infer the existence of someone who has not gotten their national identity card by the interactions of people who do have their card.  Again a situation where all rights to privacy have been suspended, whether the people know it or not.

By now, I am sure you are saying to yourself, "What is the point you are trying to make?" Well, apparently, there is a possibility that fiction could quickly become truth. This article on the BBC news website talks about a bill that will be introduced in November in the United Kingdom.  From the article:

Details of the times, dates, duration and locations of mobile phone calls, numbers called, website visited and addresses e-mailed are already stored by telecoms companies for 12 months under a voluntary agreement.

The data can be accessed by the police and security services on request - but the government plans to take control of the process in order to comply with an EU directive and make it easier for investigators to do their job.

Information will be kept for two years by law and may be held centrally on a searchable database.

So, it seems that we are moving beyond fictional representations of this type of behavior.  And lest we forget, the United States has been dealing with issues along these same lines for some time now. We hear about wiretaps being put in place without warrants and Internet Service Providers allowing governmental agencies to install equipment that monitors all data moving over their backbones.

Let's look at one final fictional rendition of a totalitarian state which controls its populace ruthlessly, George Orwell's 1984. I leave you with two quotes from this book and let you draw your own conclusions as to where we are headed if we are not careful.

"The thought police would get him just the same. He had committed—would have committed, even if he had never set pen to paper—the essential crime that contained all others in itself. Thoughtcrime, they called it. Thoughtcrime was not a thing that could be concealed forever. You might dodge successfully for a while, even for years, but sooner or later they were bound to get you."

"It was terribly dangerous to let your thoughts wander when you were in any public place or within range of a telescreen. The smallest thing could give you away. A nervous tic, an unconscious look of anxiety, a habit of muttering to yourself—anything that carried with it the suggestion of abnormality, of having something to hide. In any case, to wear an improper expression on your face… was itself a punishable offense. There was even a word for it in Newspeak: facecrime…"



What happens when there is no privacy anymore…

by kriggins on October 1, 2008

in Privacy

I am a huge fan of Masterpiece Theater's productions.  Almost without exception, they are well written, directed and acted. The shows they produce are separated into three themes:

  1. Classic - Shows based on classic literature and/or set in historic contexts.
  2. Mystery! - Mystery based shows. These may be set in historic contexts or reflect current times.
  3. Contemporary - This is a new theme this year. These are dramas set in more contemporary times, although not necessarily current times.

Now I am sure you are asking yourself "what has this got to do with information security?" Well, the first program in the Masterpiece Contemporary schedule is called "The Last Enemy." It starts airing October 5th, here in the United States on your local PBS station. It's a fictional story set in London about a man who finds out just how much the government knows about him, and everyone else, as he delves into the life of his brother who recently passed away.

I am looking forward to this show in hopes that it will help people realize that we need to be very careful when we start hearing that we need to surrender more and more of our civil rights in order to ensure the "safety" of everyone. Don't get me wrong, I am not saying there is a huge conspiracy to track each and every move we make.  However, we could end up there very easily if we are not careful and, as the saying goes:

"Absolute power corrupts absolutely."
John Emerich Edward Dalberg Acton

