Security Ripcord


Canceling Monster.com

January 26th, 2009 cutaway Posted in Passwords, Security

Okay, I just canceled my Monster.com account.  I’m not really too upset about it because I have never gotten a job through it or any other online service.  The closest I have come is a local newspaper ad.

While I was looking for their method of canceling the account I noticed the “Help and Security” link in the upper right hand corner of their site.  So I clicked it.  After activating (reluctantly) JavaScript I clicked it again and received a pop-up window with information about how to augment the information on my account.  Helpful from a help standpoint, but where was the “security” portion?  I hit Ctrl-F and searched on “security.”  As you can see from the image below, the only information about “security” had to deal with “security clearance.” The highlighted word is the last instance of the word “security” on that page.  Nice, this just reinforces my decision to cancel the account.

Monster Help and Security Page

Since this page did not provide me with any information about how to cancel my account, I started hunting around my account’s profile page.  Under “Preferences” I found “Cancel membership” in the “Resume Privacy” section.  To help, here is another image.

Cancel Membership Location

Do you see the “Learn more about membership cancellation” link?  Well, who could resist understanding what Monster.com thinks about membership cancellation.  Are you ready for a surprise?  WAIT FOR IT…..

Monster Cancel Information

HEY!!!  There is the information about how to generate a good password.  I’d say that is “security” worthy.  So they do care!!!  Reading through I now see that it is important to not use “simple” passwords.  But they did not mention anything about storing passwords in the clear or with weak encryption methodologies so I guess that is not really an issue when it comes to protecting information.

Once I was done familiarizing myself with password basics I moved on to cancel my membership.  From a customer service standpoint at least Monster.com is concerned about why I am leaving their site.  From the image below you can see that I let them know that I am concerned about privacy.

Reason for Leaving Monster.com

If my input is too fuzzy to read, here you go.

The recent rash of security breaches associated with monster.com and usajobs.com is very concerning to me.  Encrypted storage of passwords has been an industry standard for years now and your lackadaisical attitude towards the protection of your customer’s personal information has forced me to remove me to remove [sic] my information from your systems.  Good luck.

Hehe, now that I read back over it, good luck to me and my editorial review methods in the future.  Hopefully they get the gist.  As long as they remove my information from their databases I don’t really care.

Now that we have all of that out of the way, let’s talk about the risks involved here.  Am I really at risk because of the information that I provided to this service?  Maybe a little, but not much more.  Because the information that I provide there I provide in many other ways across the Internet.  Some by my choice, some not.  For instance, you can get to know me a lot by the things I write about and also from the LinkedIn and education information that I provide via this site.  You can get my address from the local property tax website and you only need to call the operator to get my telephone number.  So what is the concern?

The concern is that this is one stop shopping for the criminally minded.  Monster.com has made their jobs very easy.  Although there are plenty of services and methods to obtain the information stored by Monster.com, a little bit of work was required.  And when you start multiplying the number of people by the work required, your man-hours increase significantly.  So, the time spent on hacking into Monster.com is cost effective.  The bonus is plain-text (I assume from the language of the disclosure information I have reviewed online) passwords.  I can almost see the person’s reaction in my mind as they reviewed the information they pulled from the database.

Hmm, okay. Yup, script worked.  Hmmm, all the account information.  Nice.  What the f***?  HOLY CR**!!!!  Hey, <insert hacker name here>, check this out!!!  F***ing plain-text passwords.  F***ing Score, baby!!! Thank you, Monster.com.  w00t!!!!
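The post calls the missing control “encrypted storage of passwords”; what sites actually do in practice is store a salted, iterated one-way hash, so that a dumped table yields no passwords and each account has to be guessed separately. The following is an added illustration, not code from the original post or from Monster.com, using constructed sample accounts, PBKDF2-HMAC-SHA256 from the Python standard library, and an assumed work factor of 100,000 iterations. It shows what the attacker gets from the two kinds of dump and what it costs them to recover a password from the hashed one.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not real accounts or real passwords).
SAMPLE_USERS = [("alice", "Tr0ub4dor&3"), ("bob", "summer2009")]

# Assumption: an iteration count high enough to make offline guessing slow.
PBKDF2_ITERATIONS = 100_000


def store_plaintext(users):
    """What a breached table looks like when passwords are kept in the clear:
    the dump *is* the credential list."""
    return {name: password for name, password in users}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated one-way hash. A fresh random salt per user means two
    users with the same password get different digests, so one precomputed
    table cannot crack the whole dump. Returns (salt, iterations, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def store_hashed(users):
    """What the same table looks like when only hashes are stored."""
    return {name: hash_password(pw) for name, pw in users}


def verify(record, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    _, _, cand = hash_password(candidate, salt, iterations)
    return hmac.compare_digest(digest, cand)


def dictionary_attack(records, wordlist):
    """What an attacker must do per user once only hashes are available:
    every guess costs a full PBKDF2 computation, per account, per word."""
    cracked = {}
    for name, rec in records.items():
        for guess in wordlist:
            if verify(rec, guess):
                cracked[name] = guess
                break
    return cracked


if __name__ == "__main__":
    print("plaintext dump:", store_plaintext(SAMPLE_USERS))
    hashed = store_hashed(SAMPLE_USERS)
    for name, (salt, iters, digest) in hashed.items():
        print(f"hashed dump: {name} pbkdf2$sha256${iters}${salt.hex()}${digest.hex()}")
    # Constructed three-word list: only the weak password falls to it.
    print("cracked:", dictionary_attack(hashed, ["password", "summer2009", "letmein"]))
```

The plaintext dump hands over every account at once; the hashed dump only gives up accounts whose passwords are in the attacker’s wordlist, and each guess costs the attacker the same 100,000 iterations the site paid at login.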

So, my recommendation.  Remove your information from Monster.com.  Hell, for that matter.  Remove your information from all websites you are not using on a regular basis.  Speaking of which, I need to start reviewing my list now.

UPDATE: LB Huston of MSI and I were thinking out loud and alike on Twitter about how this information will also be helpful to government and (as LB pointed out) industrial espionage.  The information coming from the USAJOBS.gov site will contain information about the duties individuals performed in other government positions, their clearance levels, and so forth.  Hopefully not too much more information, but we all know how people like to be informative, especially when they are trying to impress for a new position.  Unfortunately, even if the information is vague and hard for most people to piece together, governments and businesses have people who are trained on how to correlate various information sources to get a bigger picture of a situation.  This is exactly the information they are looking to obtain.  Right now people around the world are scrambling to try and find a method to obtain access to the information that was obtained from this breach.

Go forth and do good things,

Don C. Weber


Safe Password Storag….Damn IT

March 24th, 2006 cutaway Posted in Passwords, Security, Tools

So, I was recently asked by a client to recommend a good password generator so that the company employees didn’t have to think of their own passwords. Well, I told him that if they knew the standards for a good password they should be able to do it themselves.

These standards include using at least three of the following criteria:

  • minimum of eight characters,
  • upper and lower case letters,
  • at least one number, and
  • at least one special character

But he insisted so I started asking around. I found out that my friend and colleague, Monty McDougal, has recommended Password Safe in the past, so I decided to check it out. A little research got me the application from Sourceforge and I downloaded it and quickly ran the executable. A few minutes later I had created a database and then associated a password with a username and URL. Nice. My next thought was, “If this could only run directly from my USB thumbdrive I’d be all set.” Well, it does. Excellent. As you can tell I was getting fairly excited, so I stepped back and started thinking about the security implications.

  • Is the password database encrypted?
    • Duh!
    • Are you sure? Here it is -

PWS3�*=��WH�{���b��Ċ�V��edY *E�t�  �k��wKP_�d7��ľ=F }A�˺�JR�<�Э�f���ac v�(���n��>bD���<��+7 ���������-Qx ��� ���G8ǿ4w����e��
��.�z�h
���՛_]"�.H�,��q�Rq����o��Zk�@��3J��{&H���i�|����������ܘ��?b��AĪ��U`��r5b*++�u�>�Ls’ ����^��>ms�
g�� ��6�:��hX��D�5G��M�zV
�� �->���02Je�mM�X�v���o�XP�����:���)�r�Fh<e#�'�R9�?6�3
S��ߪu�틁T�H��SpE�:��� N��V/4�<���J��!��}��-��#�} ��gV>)��=!{V{U���Z>�
�PWS3-EOFPWS3-EOFȻ�K���E��7�4����Ii�W�\g�h��


  • Can others see the password -
    • As I type it? Yes – don’t set it up while somebody is looking over your shoulder.
    • When I open the database – No, the passwords are kept hidden unless you choose to unhide them. See the previous bullet.
    • When I paste the password? Yes and no. If you paste it into a form box that is designated as a password box then it shows up as asterisks, but if you paste it into a text document then it will show up. So, don’t do this unless you forgot what the password was and you really want to know.
  • Can the password protecting the database be Brute Forced?
    • Of course it can. Got some time on your hands and an extra CPU or three?
  • Does it have a password generator?
    • Yes it does, but it does not automatically adhere to the strong password standards. To get strong passwords the options have to be edited and the password policy updated.

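Since a generator does not enforce a policy on its own, the policy check has to sit beside it. The block below is an added example, not Password Safe’s code or its generator, implementing the standards listed above: it reads the minimum length as mandatory and requires three of the four character classes (upper, lower, digit, special), draws characters from a CSPRNG (`secrets`), and rejects and retries until a candidate passes the check. The specific special-character set is an assumption; substitute whatever the target systems accept.

```python
import secrets
import string

MIN_LENGTH = 8
# Assumption: one concrete set of "special" characters; adjust to what systems accept.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set("!@#$%^&*()-_=+[]{};:,.?/"),
}
REQUIRED_CLASSES = 3  # three of the four classes above


def classes_present(password):
    """Return the names of the character classes that appear in `password`."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password, min_length=MIN_LENGTH, required=REQUIRED_CLASSES):
    """Length is mandatory; on top of it, at least `required` classes must be present."""
    return len(password) >= min_length and len(classes_present(password)) >= required


def generate_password(length=12, required=REQUIRED_CLASSES):
    """Generate with a CSPRNG, then reject-and-retry until the policy holds.

    Rejection sampling keeps every accepted password uniformly likely among
    the passwords that satisfy the policy; forcing one character of each class
    into fixed positions would skew the distribution and shrink the search
    space an attacker has to cover."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(sorted(set().union(*CLASSES.values())))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, MIN_LENGTH, required):
            return candidate


if __name__ == "__main__":
    for sample in ("abcdefgh", "Abcdef1!", "abcdefg1!"):
        print(f"{sample!r}: classes={sorted(classes_present(sample))} ok={meets_policy(sample)}")
    pw = generate_password(16)
    print("generated:", pw, "ok=", meets_policy(pw))
```

Run the check on whatever the tool’s generator produces before accepting it, and keep the check identical to the one the target system enforces, otherwise a generated password can be rejected at the worst moment.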
Dang that was easy. And to top it all off, it turns out that Password Safe is a project that is supported by Bruce Schneier. What more could you ask for? Satisfied, I moved on and started looking at a few of my security feed subscriptions. Right off the bat I noticed that Larry Pesce had updated his blog, haxorthematrix. Instantly my bubble burst when I saw the title “Bugtraq: PasswordSafe 3.0 weak random number generator allows key recovery attack.”

Great! But after reading the article I’m not as worried as I thought I would be. Let’s think about what the real threats are for our password database.

  • Shoulder surfers
  • Password on paper, on wall, on ceiling, and/or in plain text file
  • Stolen/Lost password database
  • Decrypted password database

Now associate these with the likelihood that they will be exploited.

  • Shoulder surfers – Low
    • This is low because it can be done but it takes some skill and practice.
  • Password on paper, on wall, on ceiling, and/or in plain text file – High
    • This is high because it is the easiest to discover and use.
    • Actually, properly using this software would successfully mitigate this risk and move the likelihood of exploitation to low.
  • Stolen/Lost password database – High
    • This is high because somebody using this will probably have it on a USB thumbdrive….Flush….oops!
    • It is more likely that a stolen USB thumbdrive will be wiped and used for something else.
  • Decrypted password database – Low
    • This is low because it will take some technical expertise and time to set this up and crack the key.

So, all in all the risk is not very high and can be mitigated by remembering that this software is just designed to help and it has its own limitations, which are also associated with every other information storage scheme. By creating backups and treating any removable media as security items an individual or organization can safely deploy this useful software even with the recent vulnerability concerns.