<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: mailboxes]]></title>
    <link>http://www.securityratty.com/tag/mailboxes</link>
    <description></description>
    <pubDate>Tue, 29 Apr 2008 05:25:32 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[OAuth for Secure Mashups]]></title>
      <link>http://www.securityratty.com/article/f0ebee1b88f03cd2b1ad9ff61f4608ac</link>
      <guid>http://www.securityratty.com/article/f0ebee1b88f03cd2b1ad9ff61f4608ac</guid>
      <description><![CDATA[Posted by Eric Sachs, Senior Product Manager, Google Security

A year ago, a number of large and small websites announced a new open standard called OAuth . This standard is designed to provide a...]]></description>
      <content:encoded><![CDATA[<span class="byline-author">Posted by Eric Sachs, Senior Product Manager, Google Security</span><br /><br />A year ago, a number of large and small websites announced a new open standard called <a href="http://oauth.net/" id="hz33" title="OAuth">OAuth</a>. This standard is designed to provide a secure and privacy-preserving technique for enabling specific private data on one site to be accessed by another site. One popular reason for that type of cross-site access is data portability in areas such as personal health records (such as Google Health or Microsoft HealthVault), as well as social networks (such as OpenSocial-enabled sites). I originally became involved in this space in the summer of 2005, when Google started developing a feature called <a href="http://code.google.com/apis/accounts/docs/AuthSub.html" id="e3yh" title="AuthSub">AuthSub</a>, which was one of the precursors of OAuth. That was a proprietary protocol, but one that has been used by hundreds of websites to provide add-on services to Google Account users by getting permission from users to access data in their Google Accounts. In fact, that was the key feature that a few of us used to start the Google Health portability effort back when it was only a prototype project with a few dedicated Googlers. <div id="zq.s" style="margin-top: 0px; margin-bottom: 0px;"><br /></div> <div id="zq.s1" style="margin-top: 0px; margin-bottom: 0px;">However, with the development of a common Internet standard in OAuth, we see much greater potential for data portability and secure mashups. Today we <a href="http://igoogledeveloper.blogspot.com/2008/11/sign-in-to-myspace-aol-mail-and-google.html">announced</a> that the gadget platform now supports OAuth, and the interoperability of this standard was demonstrated by new iGoogle gadgets that AOL and MySpace both built to enable users to see their respective AOL or MySpace mailboxes (and other information) while on iGoogle.
However, to ensure the user's privacy, this only works after the user has authorized AOL or MySpace to make their data available to the gadget running on iGoogle. We also previously <a href="http://googledataapis.blogspot.com/2008/10/whats-that-google-data-gadgets.html" id="w6.8" title="announced">announced</a> that third-party developers can build their own iGoogle gadgets that access the OAuth-enabled APIs for Google applications such as Calendar, Picasa, and Docs. In fact, since both the gadget platform and OAuth are open standards, we are working to help other companies who run services similar to iGoogle to enhance them with support for these standards. Once that is in place, the OAuth-powered gadgets that are available on iGoogle, including many of the gadgets that Google offers for its own applications, will also work on those other sites. This provides a platform for some interesting mashups. For example, a third-party developer could create a single gadget that uses OAuth to access both Google OAuth-enabled APIs (such as a Gmail user's <a href="http://code.google.com/apis/contacts/" id="v05v" title="address book">address book</a>) and <a href="http://developer.myspace.com/community/myspace/dataavailability.aspx" id="lewp" title="MySpace OAuth enabled APIs">MySpace OAuth-enabled APIs</a> (such as a user's friend list) and display a mashup of the combination. </div> <div id="d23k" style="margin-top: 0px; margin-bottom: 0px;"><br /></div> <div id="ivuk" style="margin-top: 0px; margin-bottom: 0px;">While the combination of OAuth with gadgets is an exciting new use of the technology, most use of OAuth is between websites, such as enabling a user of Google Health to allow a clinical-trial matching site to access his or her health profile. I previously mentioned that one privacy control provided by OAuth is that it defines a standard way for users to authorize one website to make their data accessible to another website.
In addition, OAuth provides a way to do this without the first site needing to reveal the identity of the user -- it simply provides a different opaque security token to each additional website the user wants to share his or her data with. It would allow a mutual fund, for example, to provide an iGoogle gadget to its customers that would run on iGoogle and show the user the value of his or her mutual fund, but without giving Google any unique information about the user, such as a social security number or account number. In the future, maybe we will even see industries like banking use standards such as OAuth to allow their customers to authorize utility companies to perform direct debits from the user's bank account without that person having to actually share his or her bank account number with the utility vendor. </div> <div id="pvsw" style="margin-top: 0px; margin-bottom: 0px;"><br /></div> <div id="odub" style="margin-top: 0px; margin-bottom: 0px;">The OAuth community is continuing to enhance this standard and is very interested in having more companies engaged with its development. The <a href="http://oauth.net/" id="q6e4" title="OAuth">OAuth.net</a> website has more details about the current standard, and I maintain a <a href="http://sites.google.com/site/oauthgoog/" id="uw8z" title="website">website</a> with advanced information about Google's use of OAuth, including work on integrating OAuth with desktop apps, and integrating with federation standards such as OpenID and SAML. If you're interested in engaging with the OAuth community, please get in touch with us. </div>]]></content:encoded>
      <pubDate>Tue, 18 Nov 2008 14:41:00 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/oauth">oauth</category>
      <category domain="http://www.securityratty.com/tag/oauth community">oauth community</category>
      <category domain="http://www.securityratty.com/tag/google">google</category>
      <category domain="http://www.securityratty.com/tag/google accounts">google accounts</category>
      <category domain="http://www.securityratty.com/tag/oauth technology">oauth technology</category>
      <category domain="http://www.securityratty.com/tag/google security">google security</category>
      <category domain="http://www.securityratty.com/tag/account">account</category>
      <category domain="http://www.securityratty.com/tag/bank account">bank account</category>
      <category domain="http://www.securityratty.com/tag/gadget">gadget</category>
      <source url="http://feeds.feedburner.com/~r/GoogleOnlineSecurityBlog/~3/458667878/oauth-for-secure-mashups.html">OAuth for Secure Mashups</source>
    </item>
    <item>
      <title><![CDATA[Strange Russian Spam]]></title>
      <link>http://www.securityratty.com/article/20d627f181058f1a8ae51bcd58cce7e0</link>
      <guid>http://www.securityratty.com/article/20d627f181058f1a8ae51bcd58cce7e0</guid>
      <description><![CDATA[Vaguely weird piece of email spam seen appearing in mailboxes

A bunch of regular text (in Russian, obviously) with an image overlaid on top of it. Putting the text in an image...]]></description>
      <content:encoded><![CDATA[
        Vaguely weird piece of email spam seen appearing in mailboxes:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/russspam1.html"><img src="http://blog.spywareguide.com/images/russspam1-thumb-334x211.jpg" alt="russspam1.jpg" class="mt-image-none" height="211" width="334" /></a></span><br /></div><div><br />A bunch of regular text (in Russian, obviously) with an image overlaid on top of it. Putting the spam text in an image is a trick that has been around for a long time, but I haven't seen it pasted over the top of normal text content before.<br /><br />Humorously, the link in the email takes you to...<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/russspam2.html"><img src="http://blog.spywareguide.com/images/russspam2-thumb-311x214.jpg" alt="russspam2.jpg" class="mt-image-none" height="214" width="311" /></a></span><br /></div></div><div><br />...the Hobo E-Shop. No word yet if you get free bourbon bottles wrapped in brown paper bags and a barrel filled with flammable oil, but we're looking into it.<br /></div>
        
    ]]></content:encoded>
      <pubDate>Thu, 07 Aug 2008 12:11:55 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/normal text content">normal text content</category>
      <category domain="http://www.securityratty.com/tag/text">text</category>
      <category domain="http://www.securityratty.com/tag/vaguely weird piece">vaguely weird piece</category>
      <category domain="http://www.securityratty.com/tag/regular text">regular text</category>
      <category domain="http://www.securityratty.com/tag/image overlaid">image overlaid</category>
      <category domain="http://www.securityratty.com/tag/free bourbon bottles">free bourbon bottles</category>
      <category domain="http://www.securityratty.com/tag/image">image</category>
      <category domain="http://www.securityratty.com/tag/brown paper bags">brown paper bags</category>
      <category domain="http://www.securityratty.com/tag/email spam">email spam</category>
      <source url="http://blog.spywareguide.com/2008/08/strange-russian-spam.html">Strange Russian Spam</source>
    </item>
    <item>
      <title><![CDATA[CNN Daily Top 10 Videos Spam]]></title>
      <link>http://www.securityratty.com/article/435bec0379e65b99a3730188a6084946</link>
      <guid>http://www.securityratty.com/article/435bec0379e65b99a3730188a6084946</guid>
      <description><![CDATA[Like me, you've probably had quite a few "CNN Top 10" emails through over the last day or so. Here are just two of the many, many mails I've had through to various mailboxes

If you opened up any of...]]></description>
      <content:encoded><![CDATA[
        Like me, you've probably had quite a few "CNN Top 10" emails through over the last day or so. Here are just two of the many, many mails I've had through to various mailboxes:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="top101.jpg" src="http://blog.spywareguide.com/images/top101.jpg" class="mt-image-none" height="72" width="371" /></span></div><br /><div><br />If you opened up any of the mails, you'd have seen this:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/top102.html"><img src="http://blog.spywareguide.com/images/top102-thumb-369x184.jpg" alt="top102.jpg" class="mt-image-none" height="184" width="369" /></a></span></div><br /></div><div><br />The first clue that something might have been amiss is the strangeness of some of the titles ("Michael Jackson sued by his own dog" isn't something I'd expect to see on CNN, at least not yet).
Of course, the giveaway is that regardless of which link you click on, each one takes you to a website that isn't CNN.com; in fact, they all point to the same "video".<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/top103.html"><img src="http://blog.spywareguide.com/images/top103-thumb-312x292.jpg" alt="top103.jpg" class="mt-image-none" height="292" width="312" /></a></span></div></div><div><br />If you download and install the file offered up, horrible things will start happening to your PC. Let's put it this way: anyone expecting to see Michael Jackson's dog in a courtroom is going to be severely disappointed.<br /><br />Before long, your desktop will look like this:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/top105.html"><img src="http://blog.spywareguide.com/images/top105-thumb-373x207.jpg" alt="top105.jpg" class="mt-image-none" height="207" width="373" /></a></span></div><br />You'll have warnings like these:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="top107.jpg" src="http://blog.spywareguide.com/images/top107.jpg" class="mt-image-none" height="97" width="305" /></span></div><br /><br />And a rogue antivirus product will magically appear on your desktop:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/top106.html"><img src="http://blog.spywareguide.com/images/top106-thumb-300x231.jpg" alt="top106.jpg" class="mt-image-none" height="231" width="300" /></a></span></div><br />Worst of all, look at the name of one of the fake infections they try to scare the user with.<br /><br />There's subtlety, then there's this:<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="top108.jpg" src="http://blog.spywareguide.com/images/top108.jpg" class="mt-image-none" height="125" width="509" /></span><br /><br />...if you want to avoid your computer contributing to the "terrorist threat", don't open up any emails claiming to contain CNN videos.<br /><br />Even if it's Michael Jackson and his dog.<br /></div>
        
    ]]></content:encoded>
      <pubDate>Tue, 05 Aug 2008 14:50:01 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/cnn">cnn</category>
      <category domain="http://www.securityratty.com/tag/cnn top">cnn top</category>
      <category domain="http://www.securityratty.com/tag/michael jacksons dog">michael jacksons dog</category>
      <category domain="http://www.securityratty.com/tag/michael jackson">michael jackson</category>
      <category domain="http://www.securityratty.com/tag/click">click</category>
      <category domain="http://www.securityratty.com/tag/dog">dog</category>
      <category domain="http://www.securityratty.com/tag/michael jackson sued">michael jackson sued</category>
      <category domain="http://www.securityratty.com/tag/cnn videos">cnn videos</category>
      <category domain="http://www.securityratty.com/tag/enlarge">enlarge</category>
      <source url="http://blog.spywareguide.com/2008/08/cnn-daily-top-10-videos-spam.html">CNN Daily Top 10 Videos Spam</source>
    </item>
    <item>
      <title><![CDATA[An Old Classic Doing The Rounds...]]></title>
      <link>http://www.securityratty.com/article/a7f2b203f3531670282a92c93cb2a4d2</link>
      <guid>http://www.securityratty.com/article/a7f2b203f3531670282a92c93cb2a4d2</guid>
      <description><![CDATA[Seen filling up mailboxes en masse

It goes without saying, but when people send you random emails asking for the specifics of your login details... just say...]]></description>
      <content:encoded><![CDATA[
        Seen filling up mailboxes en masse...<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/hotmailfake.html"><img src="http://blog.spywareguide.com/images/hotmailfake-thumb-385x145.jpg" alt="hotmailfake.jpg" class="mt-image-none" height="145" width="385" /></a></span><br /></div><div><br />It goes without saying, but when people send you random emails asking for the specifics of your login details... just say no :)<br /></div>
        
    ]]></content:encoded>
      <pubDate>Mon, 30 Jun 2008 04:09:11 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/login details">login details</category>
      <category domain="http://www.securityratty.com/tag/random emails">random emails</category>
      <category domain="http://www.securityratty.com/tag/specifics">specifics</category>
      <category domain="http://www.securityratty.com/tag/mailboxes">mailboxes</category>
      <category domain="http://www.securityratty.com/tag/click">click</category>
      <category domain="http://www.securityratty.com/tag/people">people</category>
      <category domain="http://www.securityratty.com/tag/masse">masse</category>
      <category domain="http://www.securityratty.com/tag/enlarge">enlarge</category>
      <source url="http://blog.spywareguide.com/2008/06/an-old-classic-doing-the-round.html">An Old Classic Doing The Rounds...</source>
    </item>
    <item>
      <title><![CDATA[Crypto-Gram Tenth Anniversary Issue]]></title>
      <link>http://www.securityratty.com/article/5e181dd024ec7a383a883f66471cc5db</link>
      <guid>http://www.securityratty.com/article/5e181dd024ec7a383a883f66471cc5db</guid>
      <description><![CDATA[Ten years ago I started Crypto-Gram . It was a monthly newsletter written entirely by me. No guest columns. No advertising. Nothing but me writing about security, published the 15th of the month every...]]></description>
      <content:encoded><![CDATA[<p>Ten years ago I started <a href="http://www.schneier.com/crypto-gram.html">Crypto-Gram</a>.  It was a monthly newsletter written entirely by me.  No guest columns.  No advertising.  Nothing but me writing about security, published the 15th of the month every month.  Now, <a href="http://www.schneier.com/crypto-gram-back.html">120 issues later</a>, none of that has changed.</p>

<p>I started Crypto-Gram because I had a lot to say about security, and book-length commentaries were too slow and too infrequent.  Sure, I was writing the occasional column in the occasional magazine, but those were also too slow and infrequent.  Crypto-Gram was supposed to be my personal voice on security, sent directly to those who wanted to read it.</p>

<p>I originally thought about charging for Crypto-Gram.  I knew of several newsletters that funded themselves through subscription fees, and figured that a couple of hundred subscribers at $150 or so would sustain itself very nicely.  I don't remember why I decided not to -- did someone convince me, or did I figure it out myself -- but it was easily the smartest decision I made about this newsletter.  If I'd charged money for the thing, no one would have read it.  Since I didn't, lots of people subscribed.</p>

<p>There were 457 subscribers by the end of the first day.  After that, circulation climbed slowly and steadily.  Here are the totals for May of each year:</p>

<table cellpadding="5" cellspacing="0" border="0">
<tr><th style="text-align:left">Year (May)</th><th style="text-align:right">Subscribers</th></tr>
<tr><td>1999</td><td style="text-align:right">15964</td></tr>
<tr><td>2000</td><td style="text-align:right">33827</td></tr>
<tr><td>2001</td><td style="text-align:right">45832</td></tr>
<tr><td>2002</td><td style="text-align:right">58046</td></tr>
<tr><td>2003</td><td style="text-align:right">66368</td></tr>
<tr><td>2004</td><td style="text-align:right">75907</td></tr>
<tr><td>2005</td><td style="text-align:right">83835</td></tr>
<tr><td>2006</td><td style="text-align:right">87839</td></tr>
<tr><td>2007</td><td style="text-align:right">92488</td></tr>
<tr><td>2008</td><td style="text-align:right">98618</td></tr>
</table>

<p>Those numbers hide a lot of readers, like the tens of thousands that read Crypto-Gram via the Web.  I also know of people that forward my newsletter to hundreds of others.  There are many foreign translations that have their own subscription list.  These days I estimate that I have about 25,000 newsletter readers not included in those numbers.</p>

<p>I have no idea where the initial batch of subscribers came from. Nor do I remember how people subscribed before the webpage form was done.  I do remember my first big burst of subscribers, though.  It was following my special issue after 9/11.  I wrote something short for the September issue, but I found that I couldn't stop writing.  Two weeks later, I published a <a href="http://www.schneier.com/crypto-gram-0109a.html">special issue</a> on the terrorist attacks.  Readers forwarded that issue again and again, and I ended up with many new subscribers as a result.</p>

<p>Reader comments began earlier, in <a href="http://www.schneier.com/crypto-gram-9812.html">December 1998</a>.  I found I was getting some really intelligent comments from my readers -- especially those that disagreed with me -- and I wanted to publish some of them.  Some of the disagreements were nasty.  In <a href="http://www.schneier.com/crypto-gram-9810.html">October 1998</a>, I started a column called "The Doghouse," where I made fun of snake-oil security products.  Some of the companies didn't like being so characterized, and sent me threatening legal letters.</p>

<p>Turns out that <a href="http://www.schneier.com/crypto-gram-0504.html">publishing</a> those sorts of <a href="http://www.schneier.com/crypto-gram-0309.html">threats</a> as letters to Crypto-Gram was the best defense, even though my lawyers always discouraged it.  None of these incidents ever went past the threatening stage, even though court papers were occasionally filed.</p>

<p>Over the years, Crypto-Gram's focus has changed.  Initially, it was all cryptography.  Then, more computer and network security.  Then -- especially after 9/11 -- more general security: terrorism, airplanes, ID cards, voting machines, and so on.  And now, more economics and psychology of security.  My career has been a progression from the specific to the general, and Crypto-Gram has generalized to reflect that.</p>

<p>The next big change to Crypto-Gram came in October 2004.  I had been reading about blogging, and wondered for several months if switching Crypto-Gram over to blog format was a good idea or not.  Again, it was about speed and frequency.  I found that others were commenting on security stories faster, and that by the time Crypto-Gram would come out, people had already linked to other stories.  A blog would allow me to get my commentary out even faster, and to be part of the initial discussions.</p>

<p>I went back and forth.  Several people advised me to change, that blogging was the format of the future.  I was skeptical, preferring to push my newsletter into my readers' mailboxes every month.  I sent a survey to 400 of my subscribers -- 200 random subscribers and 200 people who had subscribed within the past month -- asking.  My eventual solution was the second smartest thing I did with this newsletter: to do both.</p>

<p>The Schneier on Security blog started out as Crypto-Gram entries, delivered daily.  And the <a href="http://www.schneier.com/blog/archives/2004/10/">early blog entries</a> looked a lot like Crypto-Gram articles, with links at the end.  Over the following months I learned more about the blogging style, and the entries started looking more like blog entries.  Now the blog is primary, and on the 15th of every month I take the previous month's blog entries and reconfigure them into Crypto-Gram format.  Even today, most readers prefer to receive Crypto-Gram in their e-mail box every month -- even if they also read the blog online.</p>

<p>These days, I like both.  I like the immediacy of the blog, and I like the e-mail format of Crypto-Gram.  And even after ten years, I still like the writing.</p>

<p>People often ask me where I find the time to do all of that writing.  It's an odd question for me, because it's what I enjoy doing.  I find time at home, on airplanes, in hotel rooms, everywhere.  Writing isn't a chore -- okay, maybe sometimes it is -- it's something that relaxes me.  I enjoy putting my ideas down in a coherent narrative flow.  And there's nothing that pleases me more than the fact that people read it.</p>

<p>The best fan mail I get from a reader says something like: "You changed the way I think."  That's what I want to do.  I want to change the way you think about security.  I want to change the way you think about threats, and risk, and trade-offs, about security products and services, about security rhetoric in politics.  It matters less if you agree with me or disagree, only that you're thinking differently.</p>

<p>Thank you.  Thank you on this <a href="http://www.schneier.com/crypto-gram-0805.html">10th anniversary issue</a>.  Thank you, long-time readers.  Thank you, new readers.  Thank you for continuing to read what I have to write.  This is still a lot of fun -- and interesting and thought provoking -- for me.  I hope it continues to be interesting, thought provoking, and fun for you.</p>]]></content:encoded>
      <pubDate>Thu, 15 May 2008 07:13:10 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/crypto-gram">crypto-gram</category>
      <category domain="http://www.securityratty.com/tag/crypto-gram entries">crypto-gram entries</category>
      <category domain="http://www.securityratty.com/tag/blog online">blog online</category>
      <category domain="http://www.securityratty.com/tag/blog">blog</category>
      <category domain="http://www.securityratty.com/tag/security products">security products</category>
      <category domain="http://www.securityratty.com/tag/snake-oil security products">snake-oil security products</category>
      <category domain="http://www.securityratty.com/tag/blog entries">blog entries</category>
      <category domain="http://www.securityratty.com/tag/crypto-gram format">crypto-gram format</category>
      <category domain="http://www.securityratty.com/tag/format">format</category>
      <source url="http://www.schneier.com/blog/archives/2008/05/cryptogram_tent_1.html">Crypto-Gram Tenth Anniversary Issue</source>
    </item>
    <item>
      <title><![CDATA[Technical glitch blamed in The Princeton Tower Club breach]]></title>
      <link>http://www.securityratty.com/article/15351609f42234c5774ba9e03af7e8e7</link>
      <guid>http://www.securityratty.com/article/15351609f42234c5774ba9e03af7e8e7</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/8/08

Organization
The Princeton Tower Club

Contractor/Consultant/Branch
None

Victims
Former club members

Number Affected
103

Types of Data
names...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/tower.jpg" align="right" height="70" width="200"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/8/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.princeton.edu/%7Etower/Update2006/main/">The Princeton Tower Club</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Former club members<br><br><span style="font-weight: bold;">Number Affected:</span><br>103<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names and social security numbers"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.dailyprincetonian.com/2008/05/09/21173/">The Daily Princetonian</a> <br><a href="http://www.upi.com/NewsTrack/Top_News/2008/05/10/princeton_club_accidentally_exposes_alumni/8122/">United Press International</a> <br><a href="http://www.app.com/apps/pbcs.dll/article?AID=/20080510/NEWS03/805100392/1007/NEWS03">Asbury Park Press</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Rachel Dunn and Josephine Wolff, The Daily Princetonian<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning.<br><br>The document was attached to an apparently unrelated e-mail that informed current members about a club event.<br><br>The spreadsheet was attached unintentionally because 
of "a technical glitch," Tower graduate board chair Greg Berzolla ’87 said<br><span style="font-style: italic;">[Evan] Really?&nbsp; A technical glitch?&nbsp; These types of breaches are usually the result of human error.</span><br><br>"The [spreadsheet] file wasn’t even available on the hard drive [of the computer that sent the e-mail]," Berzolla said. "[The e-mail system] took an old e-mail and used it as a template [for Wednesday’s e-mail] as near as we can guess. It’s not a system very many people use or understand, that’s the problem."<br><br>"I cannot comment on [the glitch] because I don’t understand it," he said. "I didn’t figure it out, I think the club technical chair [did]. [Tower president] Stephanie [Burset ’09] tried to explain it to me, but I think she doesn’t really understand it either."<br><span style="font-style: italic;">[Evan] At least he is honest.</span><br><br>Burset said in an e-mail that Pine, the e-mail system Tower currently uses, is "fairly antiquated, but our tech chairs have assured me that nothing like this can ever happen again," and added that "we plan on switching to a new client whom is more secure and easier to use."<br><span style="font-style: italic;">[Evan] I am concerned by statements like "nothing like this can ever happen again".&nbsp; We still don't know why it happened in the first place.</span><br><br>The e-mail was sent by Tower officers from the tower@princeton.edu account to the roughly 200 current club members.<br><br>Tower officers sent another e-mail to the club yesterday asking members to delete the message from their mailboxes "out of respect for ’07."<br><br>Berzolla said he believes the risk of identity fraud is "extremely limited"<br><br>"It’s hard for any kind of fraud to occur that quickly," he said of the incident. 
"I feel confident that our club members are not going to use this information badly."<br><span style="font-style: italic;">[Evan] It only takes one person.&nbsp; It should also be mentioned that one or more of the destination email accounts could be a shared account and that these emails were sent in clear text (subject to the possibility of interception).</span><br><br>"[The breach] would have had to have been intentional [for there to be legal repercussions]," Berzolla said.<br><span style="font-style: italic;">[Evan] Do you have to demonstrate intent to argue negligence (The failure to use reasonable care)?&nbsp; I'm certainly not a lawyer, but I think that there are cases where victims have been awarded damages when there was not intent to harm on the part of the defendant.&nbsp; I don't really advocate lawsuits anyway, but I am just stating what seems obvious to me.</span><br><br>Tower will pay for an identity theft protection services for the affected individuals next year.<br><br>Berzolla hopes this measure will assuage any possible threat of legal action from former members against the club. "I don’t expect there to be any problems, but just in case," he said.<br><br>The social security numbers on the spreadsheet were collected as part of the process of signing in new members several years ago, Berzolla said. 
Tower no longer requires its members to submit their social security numbers, he added.<br><span style="font-style: italic;">[Evan] It is a good practice to not collect information that isn't required to conduct business.&nbsp; The Tower Club would be well advised to go through the information they currently possess and purge the information they no longer need.</span><br><br><span style="font-weight: bold;">Victim Reaction:</span><br>"I had no idea this happened, and frankly, I’m baffled and a little pissed off," Valerie McConnell ’07 said<br><br>"Now that I know that the social security numbers weren’t sent out on purpose, I’m not pissed off," McConnell said. "I think my identity is ok. I can’t imagine anyone in the club trying to steal my identity (not that there’s a lot to steal right now anyway)."<br><span style="font-style: italic;">[Evan] I think I would still be pissed off.&nbsp; Identity thieves are not all stupid.&nbsp; Many of them will hold on to the information for a year or more before using it or selling it.</span><br><br>"[The incident] is a mistake; it shouldn’t have happened," Beylin said in an e-mail. "However, with the number of times I’ve handed out my SSN this year while seeking financial services or apartment hunting, it’s really not my biggest source of concern for identity theft."<br><span style="font-style: italic;">[Evan] This is a good point.&nbsp; Have you ever thought of all the times you have given out your Social Security number?&nbsp; All of your employers, schools, insurance companies, banks, mortgage companies, credit card companies, etc. have your number.&nbsp; The same number used for identification and authentication.&nbsp; A recipe for disaster?</span><br><br><span style="font-weight: bold;">Commentary:</span><br>The Tower Club does not handle personal information any worse than most other organizations.&nbsp; It seems like they just didn't know any better.&nbsp; It sometimes makes me nervous. 
<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Tue, 13 May 2008 05:20:10 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/princeton tower club">princeton tower club</category>
      <category domain="http://www.securityratty.com/tag/tower club">tower club</category>
      <category domain="http://www.securityratty.com/tag/club">club</category>
      <category domain="http://www.securityratty.com/tag/club technical chair">club technical chair</category>
      <category domain="http://www.securityratty.com/tag/e-mail system tower">e-mail system tower</category>
      <category domain="http://www.securityratty.com/tag/e-mail system">e-mail system</category>
      <category domain="http://www.securityratty.com/tag/tower">tower</category>
      <category domain="http://www.securityratty.com/tag/system">system</category>
      <category domain="http://www.securityratty.com/tag/current club">current club</category>
      <source url="http://breachblog.com/2008/05/13/tower.aspx">Technical glitch blamed in The Princeton Tower Club breach</source>
    </item>
    <item>
      <title><![CDATA[Wayport Tops 10,000 McDonald's Locations]]></title>
      <link>http://www.securityratty.com/article/f8771881a38c1fc7d001b68fa32359dc</link>
      <guid>http://www.securityratty.com/article/f8771881a38c1fc7d001b68fa32359dc</guid>
      <description><![CDATA[Ten thousand is an arbitrary place to put a stick in the sand, but significant nonetheless: The milestone of 10,000 McDonald's wired up--a few hundred have back access only, due to being stores within...]]></description>
      <content:encoded><![CDATA[<p><strong><a href="http://www.wayport.com/NewsReleases.aspx?id=1832">Ten thousand is an arbitrary place to put a stick in the sand, but significant nonetheless:</a></strong> The milestone of 10,000 McDonald's wired up--a few hundred have back access only, due to being stores within WalMart centers--is a vindication of Wayport's long-term strategy, dating back to 2004. Wayport switched at that point from a slightly more public-faced, public-access company to one that understood that back-office operations could be just as valuable, if less sexy, than front-facing consumer networks. Dan Lowden, Wayport's long-time marketing and business development chief, said yesterday, "In a lot of these venues, the back office comes first. The Wi-Fi public access for some is a big priority, but for others it's a nice to have, great thing to have, but the priority is the back office."</p>

<p>Although several other quick-service restaurants like McDonald's lack any comprehensive Wi-Fi plan--Burger King, Wendy's, and Subway to name three of the largest--Wayport is locked out of working with direct competitors. This opens the potential for another firm to handle a several-thousand-location network. Wayport has worked with both McDonald's corporate-owned stores (about 2/3rds of stores in the U.S.), as well as reaching out to franchisees, who Lowden noted pay a predetermined flat rate for the service via McDonald's. "It's made them incredibly efficient to be able to offer this to their franchisees at one price, instead of variable pricing," he noted. Wayport acts as the layer between various telecom providers, applications and services, and the stores.</p>

<p>Wayport provides several kinds of back-office services, although credit-card processing was the first thing they rolled out. They've extended to remote video feeds for security, Redbox DVD rental systems that are found in some McDonald's, and kiosks used for job applications. Lowden said Wayport offers things as straightforward but critical as a dial-up fail-safe when a broadband connection drops. </p>

<p>Wayport also manages AT&T's hotspot network, which puts them in the unwiring seat for the 7,000-odd Starbucks stores that will be converted from T-Mobile to AT&T service during 2008. Wayport was once the clear leader in the hotspot builder market, with T-Mobile in the second position. Now, Wayport will be operating through a direct contract or management agreement over 18,000 hotspots in the U.S.; T-Mobile will likely be the second biggest with a couple thousand locations (Borders and FedEx/Kinko's tops among them). The No. 3 player is hard to figure. Panera? </p>

<p>I've been predicting for some time that media on the edge--music, videos, movies, and games stored on servers on the local Wi-Fi network--will be the next big development in venue-oriented Wi-Fi, with Starbucks likely far in the lead. Lowden wouldn't comment on any specific plans in the works, of course, but said generally, "Storing and caching all that content on the edge...hasn't been leveraged in the past, but it will be in the future to create a very unique experience." At Barnes & Noble, Wayport caches some multimedia data that's available to customers in the stores.</p>

<p>The advantage for in-store media storage is that you can leverage the speed of the local network, and add additional access points to distribute network load. The choke point is no longer the Internet connection, but local network speed. I expect--though Wayport, AT&T, and Starbucks haven't said it--that Starbucks infrastructure will be all 802.11n for this reason, likely with both 2.4 GHz and 5 GHz support for the best throughput in the higher-frequency band for media transactions. (In fact, I wouldn't be surprised if you could only buy movies via 5 GHz.)</p>

<p>Lowden also noted that the proliferation of mobile devices with Wi-Fi built in have led to them reaching out to venues that wouldn't have made sense for them to work with previously, and for unlikely candidates to reach out to them, too. Wayport is now working with a number of healthcare facilities that, while they have their own network infrastructure, wanted to outsource public access Wi-Fi (whether they choose to charge or underwrite it), and certain applications that they're not as experienced with running themselves.</p>

<p><strong>A little history:</strong> In 2001 and again in 2004, the heat seemed to be on the public side of Wi-Fi: lots of money to be made, ostensibly, lots of partnerships and venues to be built, and an overcrowded supply of infrastructure builders. The year before, Wayport looked to be an also-ran in the hotspot provider business. </p>

<p>Despite being one of the earliest firms to put Ethernet and then Wi-Fi into hotels, and build out hotspots in airports; and despite their survival of the first hotspot meltdown in 2001 during the dotcom crash and brief venture capital shortage; and despite their early entrance into allowing wholesale pricing for hotspot aggregators; the firm seemed about to be eclipsed by apparently deep-pocketed Cometa (with AT&T, IBM, and Intel in various capital and support roles), Toshiba's mom-and-pop focused turnkey system, and T-Mobile, which had the Starbucks contract. What a difference a year makes.</p>

<p>Cometa, Toshiba, and Wayport contended for the contract to build out back-office and public-access service at McDonald's in the U.S., and Wayport won. Within a few weeks, Toshiba passed its few hundred locations to Cometa, which shut its doors in May 2004. Wayport, meanwhile, had <a href="http://wifinetnews.com/archives/003377.html">cooked up a strategy</a> for McDonald's that it announced later that month. </p>

<p>Their approach involved a fixed-rate charged for unlimited access by retail network partners for all the locations in their pool. This meant that partners had a fixed cost, instead of a per-session cost, and Wayport could obtain specific revenue even before usage by a partner ramped up. Wayport hasn't discussed the details of this arrangement in depth since, but has partnered with Sony with its Mylo, Nintendo with its DS game player, and ZipIt with its wireless messaging appliance. </p>

<p>The McDonald's deal also apparently gave Wayport a way to extend its work with SBC-later-AT&T; Wayport had earlier in 2004 <a href="http://wifinetnews.com/archives/003151.html">become the managed-services contractor</a> for SBC to build out The UPS Store/Mailboxes Etc. nationwide. (UPS <a href="http://wifinetnews.com/archives/007770.html">dropped AT&T as its partner</a> in mid-2007, although that didn't appear to have anything to do with Wayport's role.)</p>

<p>AT&T through Wayport developed its large resold/managed footprint that incorporated resale of Wayport's McDonald's locations with the UPS Store and a few hundred other managed locations, including a handful of airports. The Cingular acquisition of AT&T Wireless put more airports in SBC's hands, too. (SBC was once the 60 percent majority owner of Cingular; when SBC and BellSouth, the other owner, merged that put the newly rebranded AT&T in charge of Cingular which it relabeled as AT&T. Confusing, huh?)</p>]]></content:encoded>
      <pubDate>Tue, 29 Apr 2008 05:25:32 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/wayport">wayport</category>
      <category domain="http://www.securityratty.com/tag/wi-fi">wi-fi</category>
      <category domain="http://www.securityratty.com/tag/comprehensive wi-fi plan">comprehensive wi-fi plan</category>
      <category domain="http://www.securityratty.com/tag/local wi-fi network">local wi-fi network</category>
      <category domain="http://www.securityratty.com/tag/att service">att service</category>
      <category domain="http://www.securityratty.com/tag/service">service</category>
      <category domain="http://www.securityratty.com/tag/wayport offers">wayport offers</category>
      <category domain="http://www.securityratty.com/tag/network">network</category>
      <category domain="http://www.securityratty.com/tag/wayport caches">wayport caches</category>
      <source url="http://wifinetnews.com/archives/008294.html">Wayport Tops 10,000 McDonald's Locations</source>
    </item>
  </channel>
</rss>
