Security Leaks from Websites


  • Another issue with implementing security properly is that it takes thought and time. Too much pressure on delivery can see these practices thrown out of the window by experienced IT professionals who value their position. It is an issue with the industry that we are allowed to make these calls.

    Some other professions do not allow this e.g. medical and legal. You would not get some hospital administrator pressuring a surgeon to make that double heart bypass a single bypass because the theatre was required for something else at 5pm.

    We are not the same as the medical profession; however, I feel that in our infant industry we have yet to draw the red lines no one is to cross.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Troy's article is frightening and horribly believable. The case was a senior marketing guy saying that because his company used SSL, stuff was secure, even though the web feature emblazoned the information across the screen through a legitimate (if moronic) feature of the web site.

    I think project teams and stakeholders need a much higher degree of visibility for the project risk/issue log, with clearly stated implications for a particular feature being implicated or technical debt being accepted. At some point someone will have asked, "Are you sure you want a mystery visitor to type email addresses into our site and harvest our customer details?" The problem is the asker will be junior and the person who said "Yes" will be senior.

    Why a marketing guy, no matter how senior, would be allowed to make pronouncements on security beggars belief. Sounds like a system organisation failure to me.

  • One of the best defenses (if you can actually use it) is a *perfect* defense.

    Don't store information you don't need, ESPECIALLY personally identifying information. After all, you can't reveal what you don't know. OpSec 101!

    Why do you need someone's birthdate if you are just selling them widgets? If marketing whines about "age demographics" you can store an age *category*, 10 year intervals should be sufficient--and MUCH safer.

    What the heck do you need their SSN for? Why do you care about their gender (of course, their name might reveal that but still!) What in the world do you need their mother's maiden name for?

    And for the love of God, if you *must* have these hot potatoes, store (and encrypt) the HASH, not the plain text!

    Someone's address can be sensitive, but why store it if you don't need to? And why the hell would you store the entire credit card number???? You can ask them for it each time they want to buy something, get the encrypted result and then THROW IT AWAY when the transaction clears. MUCH safer, and only a little less convenient. You can soothe a lot of ruffled customer feathers by telling them it's for their protection, right? At most, you store the last 4 digits--but I wouldn't even recommend that.

    Growl.

    Sorry, this is a pet peeve of mine.
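    The data-minimisation pattern the post argues for, as an added illustration rather than code from this thread: drop what the sale does not need, bucket the birthdate into a 10-year category, keep at most the last four card digits, and store only a keyed hash for a field you must match on. The customer record, key name SERVER_KEY and helper names are constructed for the example; a keyed HMAC is used instead of a plain hash because low-entropy values such as an SSN or a maiden name are cheap to enumerate offline against an unkeyed hash.

    ```python
    import hashlib
    import hmac
    from datetime import date

    # Assumption: a random secret kept outside the database (HSM, KMS, env var).
    # The post's "hash" becomes a keyed HMAC so an offline guess of a maiden
    # name cannot simply be hashed and compared against a stolen table.
    SERVER_KEY = b"constructed-demo-key-do-not-reuse"

    def age_category(birthdate: date, today: date) -> str:
        """10-year bucket such as '30-39' instead of the full birthdate."""
        had_birthday = (today.month, today.day) >= (birthdate.month, birthdate.day)
        years = today.year - birthdate.year - (0 if had_birthday else 1)
        low = (years // 10) * 10
        return f"{low}-{low + 9}"

    def match_token(value: str) -> str:
        """Keyed hash for a field you only ever compare, never need to read back."""
        normalised = " ".join(value.split()).lower()
        return hmac.new(SERVER_KEY, normalised.encode(), hashlib.sha256).hexdigest()

    def minimise_record(raw: dict, today: date) -> dict:
        """Keep what the sale needs; SSN, gender and the full card number are not stored."""
        digits = "".join(ch for ch in raw["card_number"] if ch.isdigit())
        return {
            "email": raw["email"],                      # needed to send the receipt
            "age_category": age_category(raw["birthdate"], today),
            "card_last4": digits[-4:],                  # the post's reluctant maximum
            "maiden_name_token": match_token(raw["mother_maiden_name"]),
            "amount": raw["amount"],
        }

    # Constructed sample input (not real data).
    SAMPLE_TODAY = date(2016, 8, 23)
    SAMPLE_RAW = {
        "email": "customer@example.com",
        "birthdate": date(1985, 6, 15),
        "ssn": "000-00-0000",
        "gender": "F",
        "mother_maiden_name": "  Smith ",
        "card_number": "4111 1111 1111 1111",
        "amount": "19.99",
    }
    EDGE_BIRTHDATE = date(1986, 8, 24)   # turns 30 the day after SAMPLE_TODAY

    if __name__ == "__main__":
        print(minimise_record(SAMPLE_RAW, SAMPLE_TODAY))
    ```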

  • Gary Varga (8/23/2016)


    Another issue with implementing security properly is that it takes thought and time. Too much pressure on delivery can see these practices thrown out of the window by experienced IT professionals who value their position. It is an issue with the industry that we are allowed to make these calls.

    Some other professions do not allow this e.g. medical and legal. You would not get some hospital administrator pressuring a surgeon to make that double heart bypass a single bypass because the theatre was required for something else at 5pm.

    We are not the same as the medical profession; however, I feel that in our infant industry we have yet to draw the red lines no one is to cross.

    Well said. Management just wants the software done.

  • I hate "security questions". If I'm a hacker and want to know your grandfather's first name or your mother's maiden name, I can just go to ancestry.com. If I want to know the city where you met your spouse, then it's probably the same city where you went to university or worked your first full-time job; information which you prominently display on your LinkedIn profile.

    On the flip side of the coin, ask me a question like "What is your favorite movie?" again two years later, and I'll probably supply a different answer. If I'm trying to log in to a utility company's website to pay a late bill, but it was my wife who initially set up the account, then I have to give up and wait until later when I can ask her the name of her best friend from elementary school.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (8/23/2016)


    I hate "security questions". If I'm a hacker and want to know your grandfather's first name or your mother's maiden name, I can just go to ancestry.com. If I want to know the city where you met your spouse, then it's probably the same city where you went to university or worked your first full-time job; information which you prominently display on your LinkedIn profile.

    On the flip side of the coin, ask me a question like "What is your favorite movie?" again two years later, and I'll probably supply a different answer. If I'm trying to log in to a utility company's website to pay a late bill, but it was my wife who initially set up the account, then I have to give up and wait until later when I can ask her the name of her best friend from elementary school.

    I dislike security questions for the same reason I dislike password strength requirements: every website or tool wants to be its own special little snowflake and ask slightly different variations of the same question.

    One of the worst experiences was a partner at a company I used to work for. They had about 50+ different accounts (corporate-level accounts, not personal); they only needed to actually go into them once every few months, but the passwords expired something like every month. Resetting them required going through multiple long pages of security questions. The end result? They just set all the answers to the name of the accounts and didn't even bother trying to manage passwords. Fortunately that was the accounting department's mess.

  • Iwas Bornready (8/23/2016)


    Gary Varga (8/23/2016)


    Another issue with implementing security properly is that it takes thought and time. Too much pressure on delivery can see these practices thrown out of the window by experienced IT professionals who value their position. It is an issue with the industry that we are allowed to make these calls.

    Some other professions do not allow this e.g. medical and legal. You would not get some hospital administrator pressuring a surgeon to make that double heart bypass a single bypass because the theatre was required for something else at 5pm.

    We are not the same as the medical profession; however, I feel that in our infant industry we have yet to draw the red lines no one is to cross.

    Well said. Management just wants the software done.

    That's exactly right, and until the cost of deploying insecure software and leaking data is made far higher than the cost of properly securing systems, companies will continue to fail at data security. I just received one of those letters from a company, "oops, we leaked your PID, here's a year of free credit monitoring." A free year of credit monitoring hardly compensates me for allowing my PID to leak out into the world forever.

    Failing at data security is software malpractice, and until society penalizes it appropriately, it will continue to happen.

  • Someone's address can be sensitive, but why store it if you don't need to? And why the hell would you store the entire credit card number???? You can ask them for it each time they want to buy something, get the encrypted result and then THROW IT AWAY when the transaction clears. MUCH safer, and only a little less convenient. You can soothe a lot of ruffled customer feathers by telling them it's for their protection, right? At most, you store the last 4 digits--but I wouldn't even recommend that.

    Well, in all fairness, that's really only practical if your business only does one-off sales; any service industry will need to keep your credit card information and likely your address as well. And at least credit card storage is somewhat regulated, i.e. encryption, access to data, etc. What should terrify you is that there are no rules whatsoever about bank account information.

  • Eric M Russell (8/23/2016)


    I hate "security questions". If I'm a hacker and want to know your grandfather's first name or your mother's maiden name, I can just go to ancestry.com. If I want to know the city where you met your spouse, then it's probably the same city where you went to university or worked your first full-time job; information which you prominently display on your LinkedIn profile.

    On the flip side of the coin, ask me a question like "What is your favorite movie?" again two years later, and I'll probably supply a different answer. If I'm trying to log in to a utility company's website to pay a late bill, but it was my wife who initially set up the account, then I have to give up and wait until later when I can ask her the name of her best friend from elementary school.

    Absolutely. Actually, for many of my bills I've started to go back to paying by check. You get the bill in the mail, the amount is plainly there, you write a check. No navigating sites all created differently, looking up passwords, having to change a password because it's been too long or you can't find it....

    Takes less than a minute to write a check and put it in the mail.

    Similarly I'm tired of creating an account for everything (especially sites I'm not likely to visit regularly). If a product is available locally, I just go there, plunk my cash down and leave with the goods. No account, no password, don't even have to leave my name. Unless there's a huge difference in price it's not worth the trouble.

    ...

    -- FORTRAN manual for Xerox Computers --

  • And security companies fail at security. http://krebsonsecurity.com/2016/05/how-the-pwnedlist-got-pwned/

  • I haven't used eBay in years, but I recall from the past that it was possible to simply drill down on another user's ID and see a history of auctions they had bid on and purchases made. This wasn't actually a hack; it was a feature of the website. It would reveal stuff that folks would rather keep private like: self-help books, lingerie, erotic videos, and ... accessories.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • David.Poole (8/23/2016)


    Troy's article is frightening and horribly believable. The case was a senior marketing guy saying that because his company used SSL, stuff was secure, even though the web feature emblazoned the information across the screen through a legitimate (if moronic) feature of the web site.

    I think project teams and stakeholders need a much higher degree of visibility for the project risk/issue log, with clearly stated implications for a particular feature being implicated or technical debt being accepted. At some point someone will have asked, "Are you sure you want a mystery visitor to type email addresses into our site and harvest our customer details?" The problem is the asker will be junior and the person who said "Yes" will be senior.

    Why a marketing guy, no matter how senior, would be allowed to make pronouncements on security beggars belief. Sounds like a system organisation failure to me.

    I've seen similar nonsense from a development guy. And in my experience development guys are as bad at this as marketing guys and accountants.

    So that experience has resulted in my feeling that I'd rather trust a competent accountant or a competent marketeer on security issues than an experienced developer who regards any security as something that just gets in the way of development. Especially when the marketing guy has made sure that decent security is included in contracts with customers, and the accountant is interested neither in paying good money to lawyers to defend blatantly deliberate breaches of data protection law nor in the company being sued for breach of contract, but all that is boring, unimportant red tape to the development manager. I last saw this happening in 2002, when I took a new job in a fairly new company. Within a week or two the development manager was trying to persuade top management to back him on refusing to include any security after I told them that sorting out security was essential and urgent, and I got total support on the security from the ops director, from the CEO (an accountant), from sales/marketing, and from the creative director and his team.

    Tom

  • TomThomson (8/24/2016)


    ...development guys are as bad at this as marketing guys and accountants...

    Ouch...that hurts. (Yes, I saw the caveat.)

    ...an experienced developer who regards any security as something that just gets in the way of development...

    Or in other words, experienced does not mean good.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!
