Big company, crap security

Choicepoint, T-Mobile - oh dear, oh dear


I'll tell you a secret. If you're looking for a security consultant during the day and he's not in the office, you might find him in a neighborhood coffee shop consuming large doses of caffeine, and using a laptop with wireless net access. It's nice to people watch, catch up on the news, review technical articles and yes, even work, while enjoying that magic elixir (coffee) thanks to the wonders of Wi-Fi. I find it a great way to take a break.

You can imagine my disappointment early last week when I swung by one of my favorite haunts, grabbed a latte, opened up a terminal and watched my SSH attempt fail. Shoot - their internet connection must be down. I quickly fired up tcpdump and was surprised to see the screen light up with packets flowing back and forth. That's odd, I thought, so I opened a browser. But instead of my usual homepage I was greeted with a stern, legal warning. My wireless coffee shop was now all grown up.

At some point since my last visit, they had implemented a rather slick wireless authentication system. The homepage explained that people had been abusing the free access, doing all sorts of nefarious things. To combat this and to protect their customers, the owners were now requiring a username and password authentication that could be obtained from a barista. Hah - I thought, they must be handing out the same name and password to everyone. I was shocked again as the gentleman behind the counter confidently explained that they had implemented randomly generated combinations "for better security".

I wandered back to my seat, a little stunned and a little proud. People, businesses, even small coffee shops - they were finally starting to understand the value of security. I entered my randomly generated name and password, fired up my browser and began to catch up with the geek news I had fallen behind on.

With a tinge of irony, I read about three recent security breaches at large organizations who, at first glance, appear to be less secure than my neighborhood coffee shop.

Choicepoint, one of the nation's largest information aggregators, had mistakenly allowed criminals to access the private identity and credit information of thousands of individuals. Approximately 50 "fake" companies had a crack at the billions of records the company stores on almost every citizen in the US.

Bank of America announced that it had "lost" tapes containing information on over 1.2 million federal employee credit cards -- exposing the individuals involved and the government to fraud and misuse.

T-Mobile is in the news again with another celebrity cellphone hack. The cause of this breach remains unknown, but combined with other high profile leaks, including one involving a Secret Service agent, T-Mobile's internal security is not looking good.

The irony of the situation has everything to do with size and resources. Here I sat in a small, local coffee shop that had just shelled out a decent chunk of change for someone to implement a relatively sophisticated authentication system that protects both themselves and their customers. Then I read about these massive companies, with almost endless resources and many years of security experience completely dropping the ball.

Each incident is troubling for different reasons. In the case of Choicepoint, their business is quite literally in information. Yet they have continually failed to protect our personal information, as this is certainly not their first security breach. Two things about this situation terrify me. First, we have no choice in our involvement with Choicepoint. If you have a credit card, have filled out credit forms and applied for credit, or bought something on credit - you're in their system. We're not customers to them, we are merely bits of information and records in their massive database. What incentive do they have to protect us? Secondly, the only reason Choicepoint was obligated to release this information on the security breach is due to a California law that requires a company to inform California residents that their identity might have been compromised. If that law did not exist would we have ever heard about this? It's doubtful.

Bank of America's data loss is alarming too. Certainly, as a bank they have experience in fraud and obviously understand how costly it can be. Perhaps this was a logistical error and the tapes will turn up in a few weeks. But look at it like this: let's assume someone did get hold of this information, say, 10 per cent of it. And of that 10 per cent (120k records), 10 per cent of those records get used in some sort of scam for a mere thousand dollars each, a very conservative estimate. That's 1.2m dollars in fraud. Let's compare this story to one where armed robbers intercepted a bank truck and made off with more than a million dollars. You can bet it would be headline news across the nation. Now, let's factor in the manpower and time lost for the individuals and companies involved - such a sum is nothing to scoff at. Identity theft is quickly becoming the modern criminal activity, with low risk and high reward. I can confirm first hand how devastating this can be for the individuals involved. Time, money and reputations are lost or put on hold indefinitely. And in this case we have a major company that accidentally loses 1.2 million credit profiles. That is simply unacceptable.

T-Mobile has had a security problem for several months. The press got wind of three high profile breaches recently, but how many more are there? And why have the problems not been fixed? Once again, we may not be getting the full story, and perhaps these hacks were the result of some rather low-tech errors. But if they aren't, how poorly does this reflect on T-Mobile and their reaction time?

Each company above has an obligation to protect our information while it is in their possession, but too many seem to be failing. What will it take for them to resolve their security issues? Drops in revenue, class action lawsuits or congressional regulation? Security, both for a company and its customers, is a necessity and a selling point in today's economy. We see normal people taking this into account every day. I have neighbors calling me about spyware protection, relatives recognizing what SSL enabled websites are, clients requesting more security layers, and friends shredding their private mail. Why then is it so hard for the big companies to take security seriously? When will these companies "get it"?

Copyright © 2004, SecurityFocus

Matthew Tanase is president of Qaddisin, a services company providing nationwide security consulting.
