Information Security News mailing list archives

Sure, Security Is Hard, But....


From: InfoSec News <isn () c4i org>
Date: Tue, 4 Jun 2002 03:41:23 -0500 (CDT)

http://www.oreillynet.com/cs/weblog/view/wlg/1482

by Marc Hedlund
Jun. 1, 2002
URL: http://www.nytimes.com/ref/membercenter/help/qpass_redir.html

...this is ridiculous. The New York Times recently switched from one 
paid membership management system to another, and they changed the 
username and password of every paid account. For some reason, they've 
posted the system they used to choose new usernames and passwords on 
the Web for anyone to see. Security is certainly a difficult problem, 
and password management is even harder than most security problems, 
but it's much worse when you don't even try. If you have a paid 
nytimes.com subscription, be sure to read this. 

The New York Times' Web site offers some excellent paid features, 
including online archive searches and crossword puzzle downloads. In 
the past, they used a horrible service called Qpass to manage their 
paid accounts. Qpass was hard to use and unreliable, and many 
nytimes.com members (myself included) complained about it frequently. 
Apparently the people at the Times agreed, because in March they 
dropped Qpass and moved to a new account management system. The new 
system is a big improvement in usability and reliability. 

My jaw dropped, however, when I got the email from nytimes.com telling 
me how to access the new system. It read: 


Now enter the following Member ID and password which we have created 
for you and click the "Log In" button. You will need to use this 
Member ID and Password to access your NYTimes.com premium products in 
the future.

Member ID: marc_hedlund
Password: Your password is your Qpass User Name.

I quickly wrote them a note pointing out that usernames are easily 
guessable (my Qpass username was "mhedlund") and often repeated across 
many sites, and are often not kept as secrets (for instance, message 
board posts are often tagged by username). Furthermore, I wrote, I 
thought this message violated their privacy policy, which states: 


Data Security: To prevent unauthorized access, maintain data accuracy, 
and ensure the appropriate use of information, we have put in place 
appropriate physical, electronic, and managerial procedures to protect 
the information we collect online.

I certainly wouldn't count sending password-guessing instructions to 
all of their users as "appropriate [...] managerial procedures." I 
asked if there had been some mistake, and suggested they revoke all 
the guessable passwords and send out new, random passwords as a 
stop-gap. They replied that there was no mistake and that I could 
always change my password if I found myself concerned about security. 
(And I did.) Today I noticed that the same instructions I had been 
emailed are available on the nytimes.com FAQ page, 
<http://www.nytimes.com/ref/membercenter/help/qpass_redir.html>. 

It's always disappointing when a site is negligent with security. 
What's a little more surprising about this case is that this is a 
prominent commercial site -- the New York Times is paid by each of its 
premium subscribers -- so you'd think (or hope) they would care more 
about protecting their customers' security. If I can get access to 
your account, I can buy articles from the New York Times' archive and 
have them charged to your credit card without you knowing about it 
(particularly, but not exclusively, if you've enabled one-click 
checkout on your account). That right there is the core definition of 
an ecommerce vulnerability, and here's one of the premier media 
organizations in the world making such an attack trivial. 

How hard would it have been for the New York Times to send random 
passwords to its premium users rather than easily guessable passwords? 
They were already sending a customized email to each subscriber, and 
they already had to write a password update system. Alternatively, 
they could have had each subscriber choose a new password for 
themselves the next time they logged in. The cost of doing things much 
more securely instead of insecurely would have been $0.00. 
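Either of the two fixes the post describes (random one-time passwords delivered through the personalized email that was already being sent, or forcing each subscriber to pick a new password on first login) can be implemented in a few dozen lines. The following is an added illustration, not code from the article or from the Times' system; the account records, member IDs, email addresses and the `migrate`/`login`/`set_new_password` helpers are all constructed for this example. It shows the essential properties a migration like this needs: the secret is generated with a cryptographic RNG, is never derived from a public identifier such as the old username, is stored only as a salted hash, and is marked as one-time so the user must replace it.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass

# Constructed sample of legacy accounts (hypothetical data for the example).
LEGACY_ACCOUNTS = [
    {"legacy_username": "mhedlund", "email": "marc@example.invalid"},
    {"legacy_username": "jdoe42", "email": "jdoe@example.invalid"},
]

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ITERATIONS = 600_000  # work factor for the stored hash
MIN_PASSWORD_LENGTH = 12


@dataclass
class MigratedAccount:
    member_id: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = True  # temporary password is one-time only


def generate_temporary_password(length: int = 16) -> str:
    """Random one-time password drawn from a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(account: MigratedAccount, candidate: str) -> bool:
    """Constant-time comparison of the candidate's hash against the stored one."""
    return hmac.compare_digest(hash_password(candidate, account.salt), account.pw_hash)


def migrate(legacy_accounts):
    """Build new account records plus the per-user notices to email out.

    Records hold only salted hashes. Each notice carries the plaintext
    temporary password exactly once, for delivery in the customized email
    the site is already sending; nothing guessable is reused as the secret.
    """
    records, notices = {}, []
    for acct in legacy_accounts:
        temp = generate_temporary_password()
        # The member ID may be public; the password must not be derivable from it.
        member_id = acct["legacy_username"]
        assert temp != member_id
        salt = os.urandom(16)
        records[member_id] = MigratedAccount(member_id, salt, hash_password(temp, salt))
        notices.append((acct["email"], member_id, temp))
    return records, notices


def login(records, member_id: str, password: str) -> str:
    """Return 'denied', 'change_required' (temporary password accepted) or 'ok'."""
    acct = records.get(member_id)
    if acct is None or not verify_password(acct, password):
        return "denied"
    return "change_required" if acct.must_change_password else "ok"


def set_new_password(records, member_id: str, new_password: str) -> bool:
    """Replace the one-time password; reject anything equal to the member ID or too short."""
    acct = records[member_id]
    if new_password.lower() == member_id.lower() or len(new_password) < MIN_PASSWORD_LENGTH:
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.must_change_password = False
    return True


if __name__ == "__main__":
    recs, mail = migrate(LEGACY_ACCOUNTS)
    for email, member_id, temp in mail:
        print(f"to {email}: Member ID {member_id}, one-time password {temp}")
    # The weak scheme from the post (password == old username) no longer works.
    print(login(recs, "mhedlund", "mhedlund"))  # denied
```

The `migrate` function is the $0.00 version of the fix: it consumes the same per-subscriber list the original email was generated from and emits the same kind of per-subscriber message, only with a random secret instead of a public one. The `must_change_password` flag covers the post's second alternative, since a login with the temporary password returns `change_required` and the user cannot reach the `ok` state until they have chosen their own password.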

If you are a premium subscriber, you should definitely change your 
password so that it is something hard to guess. You can change your 
password at <http://www.nytimes.com/mem/profile.html>. Information 
about the importance of choosing a good password can be found at 
<http://www.nytimes.com/2001/12/27/technology/circuits/27PASS.html?ex=1010480> 
-- yup, that's right, in an article published by the New York Times. 

Marc Hedlund was co-founder and CEO of Popular Power, the first 
commercially released P2P distributed computing platform. Before 
Popular Power, he founded Lucas Online, Lucasfilm's Internet division. 




-
ISN is currently hosted by Attrition.org