About five years ago I got a very strange letter in the mail. It seemed the US Department of Veterans Affairs had lost a laptop, and, with it, the social security number and contact information of every single American veteran.
This is especially weird because I was in the National Guard for like, two years, before I got out of the Guard to accept an ROTC scholarship. I was never deployed, and was never anything more than in a reserve component on initial active duty for training (IADT).
Now this was five years ago, and hard drives just weren't that big. If you think about what they claimed was stolen: name, SSN, date of birth, home address, plus some records, I expected about 1K per person. With 26 million-odd people who served their country in uniform in some way, that's about 26GB - bursting at the seams for any laptop from that time period.
Working for a big database shop at the time, this theft just didn't make any sense. I mean, why would anyone fill up a hard drive with the contact information for every single American veteran? A 'select * from vets' query would likely take overnight to run, then you've got to actually store the data in a file somewhere. A typical issued laptop at the time just could not fit the data; you certainly wouldn't have any room left over to do anything with it.
Now it could be that someone actually planned to steal this information and wrote a simple program to pull the data, perhaps storing it in an encrypted form or getting a super-big hard drive for the laptop. This makes some sense; a list like that would be the kind of thing you could sell to any vendor that might make money selling to veterans, from fake charities to "get the benefits you deserve" lawyers and everyone in between. It might be that the Veterans Administration regularly stored the entire contact information for all American veterans on multiple machines -- or, what I suspect happened, was that they didn't really know whose data was on the laptop and they were being careful.
Isn't it interesting that thirty years ago, this kind of theft would not have been possible? Yes, you could walk out of the building with print-outs of addresses, but then someone would have to type them into another machine to re-use the list, and the cost would make such an attack much less valuable.
Enter the world wide web, stage right.
In April I wrote an article called quick attacks for web security. These were simple attacks, things anyone could do with a web browser and keyboard. One of the examples was URL guessing. That is to say: log into a website and look at the URL. If you see something at the right like &user_id=1024, and you know that is you, change it to 1023 or 1025 and see if you can find someone else's supposedly private information. If you can, you've found a security flaw.
Another way to do that is to send bad information to the input fields, like username. So you could try to log in as other names until one "hits." Of course, most of the time, the username also has a password associated with it -- but not always. It turns out that last week there was an AT&T website that took your iPad's serial number as an input, then showed you your personal screen - including the email registered to that serial number.
So, for example, if you have an iPad and know the serial number is, say, an eight-digit number, you could go to that site and type in:
And so on.
For that matter, once you know the length, writing a computer program that simulates the 'submit' button click with a variable as the value of the serial number is trivial.
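Both flaws above (the &user_id=1024 URL and the serial-number lookup) are the same bug: the server picks the record from an identifier the client typed, and never checks that the logged-in user is allowed to see it. The following is an added example, not code from the original post or from AT&T or the VA; the account table, session object, field names and log lines are all constructed for illustration. It shows the flawed handler, the fixed handler that takes identity from the session instead of the query string, and a simple log check a defender can run to spot one source walking through many identifiers.

```python
"""Added example (not from the original post): the "URL guessing" flaw,
its fix, and a log check that flags identifier enumeration.

Everything here is constructed: the ACCOUNTS table, the Session object,
the field names (user_id, email, serial) and the ACCESS_LOG lines are
illustrative, not any real site's schema or logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: three customers keyed by a small sequential id,
# exactly the kind of id that is easy to guess from a URL.
ACCOUNTS = {
    1023: {"email": "alice@example.com", "serial": "SN00001023"},
    1024: {"email": "bob@example.com", "serial": "SN00001024"},
    1025: {"email": "carol@example.com", "serial": "SN00001025"},
}


@dataclass
class Session:
    """Who the server believes is logged in, set when the user authenticated."""
    user_id: int


def profile_vulnerable(session: Session, query: dict) -> Optional[dict]:
    """The flawed pattern: the record is chosen by a client-supplied id.

    Nothing ties query["user_id"] to the session, so changing 1024 to 1023
    in the URL hands back another customer's data.
    """
    requested = int(query["user_id"])
    return ACCOUNTS.get(requested)


def profile_fixed(session: Session, query: dict) -> Optional[dict]:
    """The fix: identity comes from the session, never from the client.

    If the client also sends a user_id it must match the session; otherwise
    the request is refused with None (the caller maps that to 403), and
    the response does not reveal whether the other id exists.
    """
    requested = query.get("user_id")
    if requested is not None and int(requested) != session.user_id:
        return None
    return ACCOUNTS.get(session.user_id)


# Constructed access-log lines: client ip, method, path, status.
# One client asks for four different ids in sequence; the other repeats its own.
ACCESS_LOG = """\
203.0.113.7 GET /profile?user_id=1024 200
203.0.113.7 GET /profile?user_id=1025 200
203.0.113.7 GET /profile?user_id=1026 404
203.0.113.7 GET /profile?user_id=1027 200
198.51.100.2 GET /profile?user_id=2048 200
198.51.100.2 GET /profile?user_id=2048 200
"""


def enumeration_suspects(log_text: str, threshold: int = 3) -> dict:
    """Return {ip: distinct_id_count} for clients that requested at least
    `threshold` different user_id values.

    A real customer looks at one profile, their own; a script simulating the
    submit button with a counter touches many ids, so a high count of
    distinct ids from one source is the signal worth alerting on.
    """
    ids_seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the check
        ip, _method, path, _status = parts
        for uid in parse_qs(urlparse(path).query).get("user_id", []):
            ids_seen[ip].add(uid)
    return {ip: len(ids) for ip, ids in ids_seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    bob = Session(user_id=1024)
    print("vulnerable, asking for 1023:", profile_vulnerable(bob, {"user_id": "1023"}))
    print("fixed, asking for 1023:     ", profile_fixed(bob, {"user_id": "1023"}))
    print("fixed, own record:          ", profile_fixed(bob, {}))
    print("enumeration suspects:       ", enumeration_suspects(ACCESS_LOG))
```

The fix is not a bigger id space or a hidden form field; it is that the lookup key is derived from the authenticated session, so the client's copy of the id is at most a consistency check. The log check is deliberately crude (distinct ids per source, no time window) so it stays readable; in production you would bucket by time and weigh 404s, since a walk through the id space produces misses that a legitimate user never generates.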
Whoops. Looks like somebody did just that. Not just with AT&T's iPad site either; self-appointed watchdogs have been finding privacy and security issues with sites all over the internet.
And this is a second issue with Software as a Service: having piles of personal data is no longer limited to big government agencies, and theft of that data might not require getting an ID badge and special access. Today it can be done from home by anyone with an internet connection and a little critical thinking skill.
Slaying the Web Security Beast
One way to stop the problem of web security is to not participate. Get your news from a newspaper, buy your books from a physical store (with cash!) and give up on any site that requires a login. Somehow, I suspect the majority of us have decided that the benefits of the technology outweigh the risks.
Another approach might be to integrate with existing authentication systems - say PayPal, or Google, or OpenID - to manage the login fiddly-bits. That way we only have to register in one place, and instead of requiring a separate login, 3rd party developers can re-use the login API. Microsoft, for example, has been trying to do this for about ten years, in an initiative it used to call Microsoft Wallet, then Microsoft Passport, which is now Microsoft Live ID.
But using that scheme, if someone does manage to hijack your account, now all your eggs are in one basket. A single sign-on scheme means that bad guys can now get to your email and your online bill pay and your credit cards.
I don't have an easy answer to this. What I can say is that the skills that make us valuable as testers - the critical thinking, finding weak links, curiosity, finding patterns and open skepticism - those skills translate into the world of security and privacy and are increasingly valuable.
Career, Shameer. The big corporate office needs us.
They just don't know it yet. We've got some PR work to do.
And if you don't believe that, I've got some cheap knock-off 3rd party iPad apps to sell to you -- and to the three million other iPad customers I harvested off the web.