I Am Not a Security Rockstar

Posted: May 8, 2017 by IntentionalPrivacy in Conferences
Tags:

I recently attended BSides Austin 2017, an information security conference. It is a wonderful conference! I greeted friends and met some great people. It was difficult to choose which presentations to attend there were so many interesting ones. I wanted to go to all of them! I also went to the Fire Marshall Talks, named for a memorable talk one year where the number of occupants were more than the fire marshall thought safe for the room size. Anyone who wants to speak can talk for ten minutes on any information security topic.

One of the talks this year dismayed me; the speaker spent his 10 minutes talking about all the “Security Rockstars” in the audience and how they refused to help him.

Since he did not give specific instances, I am not really sure what that meant to him. I looked around the room and saw many people I knew, security people who were passionate  about sharing with the security community through presentations or classes, online blogs and videos, and even mentoring. While I saw people who were notable contributors to InfoSec, I did not identify a single person I would call a “Security Rockstar.”

In spite of being a woman in security and information technology (over 20 years), I have rarely experienced a situation where someone would not help me. In fact, people have gone out of their way to give me assistance when I asked for it. Austin is that kind of place! Before I ask, I try everything I can think of and I have a focused question so I do not waste the person’s time. I attend conferences, such as BSides and LASCON, and meetings put on by OWASP, ISSA, and InfraGard to keep my skills current, learn about things I do not know, and to network. I often go to the weekly OWASP study sessions, which has given me some excellent ways to hone my skills. There are many opportunities for assistance if someone looks for them and is willing to put in some work.

I also contribute as much as I can. If I cannot help you, I will tell you that. If I know someone who knows more about your question, I will point you in their direction. I write this blog. I provide mentoring to anyone who wants to become a security professional. I think it is important because I believe that helping people work towards their goals helps the entire security community. But I cannot do the work for you. I will answer your question or point you toward resources I know about. What you do with them is up to you.

For instance, I met the speaker—a student on the brink of starting on his career—the evening before. I gave him my card, asked if he was looking for mentoring, told him about my blog, and said I would value his opinion about it. I have yet to hear from him.

To anyone who has run into an unhelpful person, I suggest you consider why the person asked may not be able to help:

  • It might be a temporary problem—they might be available at another time. For instance, if they have just given a presentation, they might need decompression time.
  • They might be worried about a personal problem: a lost client or position, money troubles, a work situation, or a family or pet illness or death.
  • They meant to help at a later time, but could not because they had no method of contact. Carry business cards or exchange email addresses.
  • Information security encompasses a wide range of skills and knowledge bases. The question asked could be outside their expertise, and they are too embarrassed to say so.
  • The question might be too general. If they tell you LMGTFY (“Let me Google that for you”), it means they believe you can figure it out yourself. Maybe you can clarify the question to better explain where you are stumped.

Of course, they really could be a Rockstar.

Also consider what you have to offer in exchange. One of the few times I have experienced a situation where someone would not help me was at a position where I was doing security assessments. One of my coworkers had a difficult time with reports. He copied and pasted sections from other reports to speed up the reporting process. I often read his reports to fix discrepancies, incomplete sentences and missing words, as well as spelling and grammar issues. One time he forgot to change the IP addresses to match the client’s. When I had a problem with the scanning software, I expected his help. But since he did not value my help with his reports; he said that I should figure it out myself. I was not asking for him to fix it (I was at a client site in another state) although I would have appreciated any suggestions he could give me. I thought I should at least have a contact with the software company so that I could put in a trouble ticket, but he—the administrator of the software—would not even give me that. Our boss finally made him give me the ability to turn in a trouble ticket.

While I did figure out a temporary solution (it was a software issue), it made for a very tense evening. I eventually left the company with great relief. I loved the work, but the company culture did not suit me.

I once read an article about how a bad situation can be a gift, because it can make you see that you need to change something—attitude, positions, relationships. Furthermore, Rockstars who will not help someone are their own worst enemies because everyone needs help sometimes. Their karma will catch up to them! Shake your head, send them a blessing, and find someone who will help you.

Remember to be grateful when someone does help you. They do not owe it to you.

But I am not a rock star! I do not want to be a rock star. I am merely someone doing a job to the best of my ability to help make the world a safer, more secure place.

A recent article in Wired called “Radio Attack Lets Hackers Steal 24 Different Car Models” at https://www.wired.com/2016/03/study-finds-24-car-models-open-unlocking-ignition-hack/ talks about how thieves can steal some car models by attacking keyless entry fobs.

It is a very informative article, but they do not talk much about possible solutions. Want to wait around while your automobile manufacturer comes up with a solution?

Our own cars—a 2015 Honda Accord and a manual-everything 2005 Honda Civic—are not on the list of vulnerable vehicles. While the 2005 Honda, which does not have keyless entry, is not susceptible to this type of radio attack, the 2015 Honda Accord might be. Although it was not one of the vehicles listed in the article, it might not have been one of the models tested. I looked at my key fob to see if there was some easy way to shut off keyless entry. Aside from taking out the battery, none was apparent. A switch on the key fob in a location that is not easily turned on or off (maybe inside the battery case) would be a great solution to this problem. Another possible plus? It might make the battery last longer!

When I Googled “2015 Honda Accord turn off keyless entry,” there were not many new solutions. Possible solutions include:

  • Removing the key fob battery. According to a YouTube video by Honda Pro, https://www.youtube.com/watch?v=kXiyku7Ye-c, the car will not start when the key is not in the car. However, it will still start when the key fob is present even if the battery is inoperative or removed. The key fob also contains a manual key, so entry is still available.
  • Making or buying a faraday cage. There are several types of faraday cages. According to Wikipedia, a faraday cage “is an enclosure used to block electromagnetic fields.” I tried wrapping my key in aluminum foil. Standing next to the 2015 Honda with the key wrapped in aluminum foil, I could still unlock the car. However, while I did not test it, it might limit the accessible distance for the key signal.

I do not like the option of putting my keys in the freezer, which is often touted as an easy faraday cage. For one thing, the moisture and the cold could be hard on the key electronics. Replacing the key is expensive and you would still have the problem with the new key. Another problem with this solution is that it only works when you have access to a refrigerator. Probably would not work at Starbucks!

Amazon.com offers Faraday pouches for sale for as little as $9 (plus shipping). There is a DIY faraday cage Instructable at http://www.instructables.com/id/Faraday-Cage-Phone-Pouch/ if you would like to make one yourself.

If anyone has other ideas about possible solutions to a keyless entry attack, leave a comment and I will update the article.

Remember, always lock your car, do not leave extra keys in hidden places on the vehicle, and remove or hide your valuables before you leave your car. It is also a good idea to remove your garage door opener from the car, especially if you leave the door between the house and the garage open.

A member of my family has recently been having some medical issues, and has been making the rounds of doctors and other medical practitioners. It is bad enough when someone doesn’t feel well, but what can make it worse? A medical professional being careless with our personal health information in spite of the medical privacy laws (HIPAA and HITECH). A visiting nurse called to make an appointment for a home visit, which turned into a SMS text dialogue. A question from the nurse left me speechless, “Have you received your {INSERT PRESCRIPTION BRAND NAME HERE} yet?”

Really? She really put part of the treatment plan in an unencrypted text message?

Text messaging by a medical professional should be limited to location and time of appointment.

I informed her that in my opinion putting a prescription name in an unencrypted text message was a violation of HIPAA, especially since the patient had never met the nurse or signed any HIPAA disclosures. She said she deleted the messages from her phone and gave me the name of her supervisor. I called the woman, who wasn’t available. I left a voice mail message, saying that I was concerned because putting treatment details in an unencrypted text message was a violation of HIPAA.

Strike two: A week later, no one from the nursing service has called me back.

I called the company that ordered the nursing service, explained what happened and asked that the service be cancelled. I took the patient to the doctor’s office—much less convenient—but a better option in this case. I was concerned that the nurse might be using a personal phone that did not have encryption on it, that she might have games installed (a common source of malware), that she did not use a pass code to lock her phone or that her phone did not automatically lock, or any of 100 different bad scenarios. What further concerned me is that I did not receive a call back from the nursing company. They are supposed to have a HIPAA Privacy Officer, who should have returned my call and explained what they were doing to protect the patient’s information in the future. At the very least, the nurse should have been required to re-take HIPAA Patient Privacy training (which is mandated to occur yearly anyway by the Office of Civil Rights).

Why is this such a big deal?

When you consider that your medical record is worth more to an identity thief than your credit card, it is a very big deal. A CNBC article published on March 11,2016, “Dark Web is fertile ground for stolen medical records,” stated:

While a Social Security number can be purchased on the dark Web for around $15, medical records fetch at least $60 per record because of that additional information, such as addresses, phone numbers and employment history. That in turn allows criminals to file fake tax returns.

Your credit card might be worth one or two dollars at most.

Another informative article, “Is Texting in Violation of HIPAA?,” appears in The HIPAA Journal.

If you feel that your medical privacy has been violated, you can file a complaint with the Office of Civil Rights.

I’m going to call the nursing service again on Monday and ask to speak with their HIPAA Privacy Officer and try to explain my concerns.

The Bottom Line: They lost a client!

The number one rule for safely using a debit card: Don’t! But, if you have to use a debit card, here are some suggestions from two of Austin’s leading computer security experts.

Michael Gough and Brian Boettcher are co-creators of LOG-MD, a sophisticated analytical tool used by computer security professionals. I recently had a conversation with them about how to use credit cards and debit cards more safely.

They said: Limit debit card use to only one local grocery store chain, especially if it has gas stations and stays open 24 hours a day. That way you can get cash without using the card in an outside ATM. Of course, the risk of being robbed is also much higher at an ATM. If you always use the same grocery store, then if the number is stolen, you know where it happened.

They said: Do not ever use a debit card at a self-service checkout, an ATM, or a gas pump. It is almost impossible to tell if the card reader has been compromised.

(Brian Krebs, who writes the blog KrebsOnSecurity, talks about card skimmers in this series of articles. Krebs updates these articles on a regular basis and they are well worth reading. In fact, as I have mentioned before, his column is a great place to find out about security issues.)

They said: You may also be able to buy store gift cards with your debit card to use at their gas pumps without having to pay a fee to use them the way you do with MasterCard or Visa cards. And the cards may even be reloadable. The one drawback? If the card is lost or stolen, the money on it is not replaced the way it would be if you used a credit card.

They said: Do not use a debit card at a restaurant. You have no idea if the person is using a hand-held skimmer on your card. Someone may have placed a skimmer on the restaurant’s card terminal.

 (Restaurants are weak in security because the staff holds your cards out of your sight and out of your control. The authors of this blog each had fraudulent charges placed on their cards after two visits to the same restaurant in the same week. We usually take turns paying. We had different servers each night. We think that they had a little ring going.)

They said: Debit cards are less secure than credit cards because debit cards are directly hooked to a bank account or credit union account. If a debit card gets compromised, your account can be drained. It may take some time—even months—to get the money replaced in your account. And the money may not be replaced at all since it is not insured as it is with a credit card.

They said: Most banks and credit unions are helpful about getting a new debit card, but if a credit card gets compromised, usually a new card can be received in 2 or 3 days, maybe even faster if you can pick it up at your financial institution.

Here are their recommendations for safer credit-card use:

They said: Get a second card with a low limit. This card should be mainly used at less safe locations: public kiosk use (think train tickets or parking) and online shopping, as well as automatic payments. If you have to use self-service checkouts, use the second card. Avoiding self-service checkouts is the best strategy.

They said: That second card can be a handy back-up, in case your main credit card is lost or stolen.

They said: Look over your statements on a regular basis for transactions that you did not make.

They said: Patronize companies that use chip and signature (in the US) card terminals, which in most cases was supposed to be in place in the US by October 2015. Europe uses chip and pin. If a company still has not upgraded from magnetic stripe terminals, tell them why you do not want to shop there. (Or only use cash there.) Gas pump card terminals are required by major credit card brands to be updated to use chip and signature (in the US) by October 2017.

They said: Keep a list of automatic payments, and when they renew. Cancel automatic payments as soon as possible when you switch to another card.

One problem with automatic payments is that they may move to a new card even if you did not authorize it.

They said: Some cards (American Express is one example) will allow you to set a daily limit on spending. They usually alert you as soon as possible if spending goes over that limit.

They said: Replace your cards at least every two years.

They said: Put a credit freeze on your credit. The FTC explains the pros and cons of credit freezes here. There may be a small charge for freezing and unfreezing your credit file, but it is cheaper than credit monitoring, which will not tell you about a breach until after it has already happened.

Michael said: Using credit monitoring is like going to a dentist who only monitors your teeth, but does not fix any cavities found.

They said: Get a copy of your credit report from each of the three credit bureaus yearly. You can cycle them so you get one every four months.

They said: As soon as you hear about a mass data breach that could involve your accounts, call your bank or credit union and request a new card. Do not wait for a notification.

They said: Keep records of each card, the card numbers, the customer service phone numbers and addresses. (It is pretty easy these days to make blow-up copies of the fronts and backs of your cards.)

Michael Gough has worked in the IT and Information Security field for over 18 years. He has a wide variety of experience that includes positions as a security analyst for the State of Texas and the financial and health-care sectors, and security consulting with Hewlett Packard. Michael currently works in the health-care sector as a Blue Team Defender, incident responder, and malware fighter.

Michael has created or co-created several tools used in the security industry, such as LOG-MD, which is a logging tool, and the “Malware Management Framework,” which is used to discover and manage malware. In 2012, Michael discovered a type of malware called Winnti that continues to plague gaming and pharmaceutical companies.

 Brian Boettcher, co-creator of LOG-MD and co-host of Brakeing Down Security, has worked in the IT and Information Security fields for a number of years. Brian currently works as a senior security engineer and incident responder. He is a member of several security groups and presents regularly at security functions.Do not ever use a debit card at a self-service checkout, an ATM, or a gas pump. It is almost impossible to tell if the card reader has been compromised.

Graham Cluley released an article today called “200 MILLION YAHOO PASSWORDS BEING SOLD ON THE DARK WEB?” about various web sites that have had stolen passwords recently posted on criminal web sites (the “dark web”).

While not really news—new password breeches are revealed quite often—but it brings some questions to mind. How do you know if your passwords have been stolen? And, what do you do about them?

If you haven’t changed your important passwords recently, you could just assume they have been stolen and change them.

Or, you can look up your email address or user name at a site like LeakedSource.com. When you put in a user name or email and click Search, it will show you possible accounts and the types of information contained in their databases for free, but not the actual information contained. You have to pay to see that.

Do you actually need to see those old passwords? Probably not; what you really need is the accounts that were compromised. If you look at those accounts and you have not changed your password in a while, here’s what to do:

  1. Install some kind of password manager on each of your devices, something well known, such as KeePass 2 or LastPass. Come up with a password for the manager that you will not forget. If you forget it, the password probably cannot be recovered (99.99% chance of no recovery). Keep a copy of the master password somewhere safe—your safe deposit box or even in your wallet if you need to. (Note: this may not protect you against family members or friends who want to know your secrets.) If your wallet gets stolen, you only have 1 password to change.

You can download those applications from the following sources. Note: Only download applications from the original site:

Personally, I prefer KeePass, but LastPass is much easier to synchronize between devices because it is web-based. LastPass has had recent vulnerabilities however.

The nice thing about a password manager is that it will autotype your password (unless the username and password are on separate pages, such as some bank accounts and credit card sites use). Even in those case you can drag your username and/or password to the proper place.

  1. Change your important passwords—email, Facebook, MySpace, LinkedIn (for example)—to something at least 15 characters long. Do not reuse it anywhere! A password safe will generate a password for you and you can customize length and character types.
  1. If the site offers some kind of multi-factor authentication (MFA), take advantage of it. Yes, it is painful! But you can often set it so that your devices will remember for at least 30 days (unless you clear your cache).
  1. Do not share your passwords with anyone! Not your spouse, kids, friends, boss, coworkers, or someone claiming to be from Microsoft support.
  1. Last, change your passwords at least yearly. A good day to change them? World Password Day at https://passwordday.org/ celebrates password security on May 5 every year. They have some funny videos starring Betty White! Check them out!

Save your information and your privacy. Practice safe MFA like Betty White!

Are your passwords strong enough to resist a brute force attack?

Passwords are just about dead. Many systems now offer “two factor identification.” You give them your cell phone number and you have to use both a password and a code number sent to  the phone for your log in.  But passwords continue. They are easy for administrators. They are part of the common culture.

Steve Gibson has the engineer’s “knack.” (See the Dilbert video here.) His company, Gibson Research Corporation (here), sells a wide range of computer security products and services. He also offers many for free. Among the freebies is Haystack: How Big is Your Haystack – and how well is your needle hidden? (here)  This utility provides a metric for measuring password security.

It is pretty easy to do yourself, if you like arithmetic. 26 upper case letters, 26 lower case, 10 digits, 33 characters (with the space) for 95 printable ASCII characters in the common set.  So, if you have an 8-character password that is 95 to the 8th power possible combinations: 6.634 times 10 to the 15th power or over 6-and-a-half quadrillion. If you could try a million guesses a second, it would take 6.5 billion seconds or just over 200 years. (60 seconds/minute * 60 minutes/hour * 24 hours/day * 365.25 days / year* 200 years =6.3 billion .)

Gibson Research makes all of that automatic. Just key in your password, and it tells you how long it would take to crack.

Cracking passwords is a “routine activity” for a hacker. They have tools.  At one meet-up for hackers, the speaker told us, “If you have to use brute force, you are not thinking.”  They do not type in a million guesses per second, of course. They have programs to do that. Also, most websites just do not allow that kind of traffic: you cannot do a million guesses per second. What the hackers do is break in to a site, such as Target, Home Depot, LinkedIn, or eHarmony, download all of the log files, and then, on their own time, let their software attack the data offline.

Also, hackers do not use the same computers that you and I do. They start with gaming machines because the processors in those are built for high-speed calculation. They then gang those multiple processors to create massively parallel computers.  The calculators from GRC show the likely outcome for brute force by both a “regular” computer and a “massive cracking array.”

If someone got hired today at a typical midrange American corporation, their password might just be January2016. If, like most of us, they think that are really clever, it ends with an exclamation point: January2016! Hackers have databases of these. They start with standard dictionaries, and add to them all of the known passwords that they discover.

One common recommendation is to take the first letters of a phrase known only to you and personal only to you. My mother had naturally red hair for most of her life. She was born in 1929 and passed in 2012. So, “My mother’s red hair came from a bottle” becomes mmrhcfab19292012. According to Gibson Research, brute force guessing with a massive cracking array would take over 26 centuries.

Gioachino Rossini premiered his opera, William Tell, in 1829. “William & Tell = 1829” would take a massive parallel cracking machine about 1 million trillion centuries to guess. On the other hand, a “false phrase” such as Five + One = 27 could not be done in under 1.5 million centuries.

TMAR Four 3c3c

Texas State Guard Maritime Regiment non-commissioned officers at leadership training.  Only the one on your far right is a real Marine.

Remember, however, that a dictionary attack will crack any common phrase.  With over 1.7 million veterans of the United States Marine Corp, someone—probably several hundred someones—has “Semper Fi” for a password. Don’t let that be you. A brute force attack would need only 39 minutes, but that is not necessary: a cracker’s dictionary should have “Semper Fi” in it already.

(Above, I said that cracking passwords is a “routine activity” for a hacker. “Routine activities” is the name of theory of crime.  Attributed to sociologists Marcus Felson and Lawrence E. Cohen, routine activities theory says that crime is what criminals do, independent of such “social causes” as poverty. (See Routine Activity Theory on Wikipedia here.) That certainly applies to password crackers. Like other white collar criminals, they are socially-advantaged sociopaths.  They are planfully competent, calculating their efforts against a selfish return.)

Beware; Honda Cares!

Posted: January 24, 2016 by IntentionalPrivacy in Historical and future use of technology
Tags:

I have watched the YouTube video “United Breaks Guitars” several times, and while it makes me laugh every time I see it, I have come to understand that the issue is really bigger.

“United Breaks Guitars” is the story of a man who hands over his Taylor guitar to United baggage and watches from inside the plane, helpless to protect it while United baggage handlers deliberately break it.

Stories like this often start with “I shoulda …” as if it is somehow our fault that we unwittingly entrusted someone whom we paid—yes, PAID—to treat us and our belongings with respect. Instead when they abuse our trust—when they lie, do not deliver on their promises, or worse, deliberately break something that has been committed to their care—we are supposed to accept it and move on with our lives.

I watched this video again while I was writing this article. I was thinking of words to substitute for the song lyrics to fit my recent problem with my new 2015 Honda Accord, which I purchased in September. Unfortunately, most of the words I thought of were not printable.

While I have bought a couple of new cars, they were practical and did not have any extra features. The only thing that I have ever purchased that cost more was a house. I fell in love with this car. It had amazing technology. It was a beautiful Obsidian Blue Pearl. The doors close with a very solid thunk. It drives great and it is comfortable. It has many other features that I enjoy.

However, it has some features that I do not enjoy. One such feature is that you cannot unlock the passenger door from outside the car with the key fob if the car is parked and running. I was told that was a safety feature. That one is annoying, but I can live with it. Other features are not so acceptable.

I am stuck in traffic every day for a couple of hours. I download audio books to my phone, and I was very happy to discover that I could hook my phone into the car’s Bluetooth and listen to my current book on my long commute. Unfortunately, if I receive a text message while my phone is connected, the text message replays every time I use my right turn signal until I turn the car off.

Imagine: When I get in my car after leaving work, I text my husband to tell him I am on my way home. I’m driving down the road and he texts me back “ok.” There are at least five right-hand turns on my route home. Ok … ok … ok … ok … OK!

The first time it happened, I almost drove off the road. The next time, I pulled off the road and tried to figure out how I could fix it. I work in technology and there must be some option I could change, I thought. As I explored the options, I decided the user interface was terrible and counterintuitive. I got the manual out; it did not explain the options at all. The manual actually only refers to the iPhone, but it does not explain the options there either.

But no, none of the available options made a difference in the car’s behavior.

I was sure there was something I was missing in the settings or maybe the dealership could install an update that would fix the problem. I drove to the dealership. I took a service writer for a ride in my car and let him experience the text message problem. He told me that it was supposed to work like that. My choices were to turn off the right-hand camera or not attach the phone to the car.

Spending that much on a car and not being able to use the features I bought it for seemed ridiculous to me.

Next, I talked to his boss, who also dismissed my issue and me.

My phone is a Samsung Galaxy S5 and my carrier is Verizon. Yes, they are both on Honda’s list of approved phones and carriers.

car-3

Then we discovered that my husband’s iPhone 5 does not connect at all, even though it is also on Honda’s approved list.

I went home and wrote a letter to Honda America. A month later I heard from “Crystal,” who said she would contact the dealership and then call me back. That was in early November, and I have not heard from her since.

The car has pale gray velour seat covers. I drink coffee in the car and I knew what those seats would look like in six months without stain repellent. I purchased the Auto Butler interior stain repellent as well as the exterior coating to protect it from the Texas sun.

As I was driving to work one morning, my coffee tipped over. Instead of the coffee beading up the way the loan officer had shown us so I could pull over and wipe it up, it soaked right in. I was furious.

I called the dealership and asked to speak to the General Manager. The switchboard told me it wasn’t convenient for him to talk to me. I told her that it wasn’t convenient for me to have spilled coffee all over the inside of my car either. She switched me over to the Service Director.

I explained my problems with the car.

He told me to bring it in and they would make it right.

That was the week before Thanksgiving. They did clean the seat (although I swear I can still see coffee stains). When I picked up the car, the new, pale green bathmats I use as seat protectors were wadded up on the floor with great big, greasy footprints on them.

The Service Director (I’ll call him “George”) gave me a 2015 Honda Accord loaner. The loaner—with a different user interface—did not have the text message issue.

They kept my car for two weeks, claiming they put in updates and reset everything. When I got the car back, George sent me a link that explained how to reset Bluetooth on my phone to fix connection issues. I applied the Verizon update to my phone that had come out the day before. Even though I did not have a connection issue, I deleted the HandsFree link from my phone. I followed the directions for resetting Bluetooth. Then I reinstalled the phone in the car.

It did not help.

Instead, the car had a new problem. I was listening to the radio and the Bluetooth on the phone was turned off. I got a text message, the car turned on Bluetooth and played the message. I turned on the right turn signal and the message replayed.

George told me the Honda engineer said that problems with phones happen because the phone model they work with three years before the car comes out is not the same phone that hooks up to the car. While I can understand that phone models change, the phone uses Bluetooth 4.0, and it is supposed to be a common standard.

I called George and said I wanted it fixed. Fix the car, replace it, or give me my money back. I said if the loaner did not have the problem, my car should not have an issue either.

He sighed and told me to bring it in again.

They had it for a week when George called to say that Honda had agreed to replace the audio unit. He made it sound like it cost several thousand dollars to replace and they were doing me a big favor. He finally called me five days later to say it was fixed and I could pick it up any time.

So at noon on Thursday, I drove to the dealership to trade the loaner for my car. Instead of taking five minutes to turn in the keys, get a receipt, and pick up my car, I sat there for 45 minutes. When I was called to the desk finally, a different service writer tried to hand me a bill for $561. I politely handed it backed to him and said it was supposed to be warranty work. He handed it back to me. I said that he had better check unless he wanted me to call my lawyer right then. Another twenty minutes went by. Magically the charges had disappeared when they handed me the receipt the second time. I finally got my keys and my car, and hooked the phone back into the car.

Did they go for a test drive with me to show me it was fixed? No. I got in the car and had someone send me a text message. Problem still there.

In the meantime, my husband had taken our 2005 Honda into the same Austin, Texas, dealership to get it inspected because the power steering was making a noise. They resealed the power steering pump, and replaced the valve cover gasket and the cam plug. When he picked the car up and drove away, the engine light came on. He took it back and they charged him another $65 to tell him that an additional $670 was needed to replace the spark plugs and the induction coils. He went to an auto parts store and picked up four spark plugs for $52. When he pulled out the spark plugs, he found two springs under one of the spark plugs and none under one of the others.

Technology is supposed to make your life easier, better, and safer. I would argue that this car does not make my life easier, better, or safer: its problems are annoying and distracting. I should not have such issues with a brand-new car. I should not have such customer service issues with the dealership either.

The warranty package I bought with this car is called “Honda Cares.” It sounds great!

Honda, do you care? If you do, you will fix my car!

In fact, you should fix both our cars.

 

 

Bleeding Data – South by Southwest workshop

Posted: August 30, 2015 by IntentionalPrivacy in First Steps, Personal safety, Privacy
Tags: ,

We put together a workshop proposal called “Bleeding Data: How to Stop Leaking Your Information” for SXSW Interactive. The workshop will help consumers understand data privacy issues. We will demonstrate some tools that are easy to use and free. Please create a login at SXSW and vote for our workshop! http://panelpicker.sxsw.com/vote/50060. Voting is open until September 10, 2015.

I get my hair cut at the local salon of a famous chain of beauty schools that stretches across the US. They are a subsidiary of a much larger, high-end beauty products conglomerate. I have gotten my hair cut at various locations for years. It’s a good value for the money, and the resulting hair cuts are at least as good as and often better than ones I have received at their full-price salons.

Friday, I called to schedule a haircut and a facial. The scheduler asked for my credit card number to reserve my appointment. I asked if this was a new policy. The scheduler said they only asked for a credit card number for services that had a large number of no-shows. I asked when my card was charged, and she tried valiantly to explain how it worked.

I declined to give her my card and asked her to set up an appointment only for the haircut.

The next day, when I went in for my hair cut, I asked for their written policy on storing credit card numbers:

  • How long is the card stored in their system?
  • Who has access to it and what can they see?
  • How and why is a transaction against my number authorized?
  • What other information are they storing with my credit card number? Name, address, phone number …
  • Are they using a third-party application or does a third party have access to my information?
  • Are they following the best practices (for example, encrypted databases and hashing card numbers) recommended by the Payment Card Security Standards Council, in particular, the Payment Application Data Security Standards, which are available from https://www.pcisecuritystandards.org/security_standards/index.php ?

The receptionist referred me to their call center, where I eventually spoke with a manager, who could not answer my questions. She promised to find out and email me the policy, which I have yet to see.

I mailed a letter to the executive chairman of the beauty products conglomerate and the manager of the local school. I am not going back unless they come up with a satisfactory policy. Any organization that stores credit card information should have a written policy that explains how they protect it, and it should be available on customer request. It is not only best practice from a Payment Card Industry point-of-view, but it avoids misunderstandings between customers, employees, and management.

I’ve been a customer for over 20 years. Privacy matters, data security matters, and if your organization doesn’t think enough of my business to adequately protect my information and be able to show me, I am going someplace that will. No matter how much I like your hair cuts.

I had an interesting experience last week (my life seems to be full of them!). I signed up to take a class that purported to give me a better understanding of what I was looking for in a career.

The first day of class the instructor gave us the URL for an application that he had developed to collect a considerable amount of information about each of us: likes, desires, Myers-Briggs profile, and results from other assessment tests. During the class break, I asked him why the application was not using HTTPS. He said it did, but it used a referrer. I looked at the code of the web site. Hmm, not that I could see.

When I got home, I loaded up Wireshark so I could watch the interaction of the packets with the application. The application definitely did not use HTTPS. I emailed the instructor. Oh, he said, there was a mistake in the documentation, and he gave me the “real” secure URL.

Ok, so this application is sending his clients’ first and last names, email addresses, passwords, and usernames in clear text across the Internet. Not a big deal, you say?

It is a big deal, because many people use the same usernames and passwords on their accounts around the Web. Then add in their email address and their personal information is owned by anyone sniffing packets on any unsecured network they might be using, such as an unsecured wireless network in a coffee shop, an apartment building, a dorm room ….

So, next—because I now had their “secure” website URL—I checked their website against http://www.netcraft.com/, https://www.ssllabs.com/ssltest/, and some other sites—all public information. According to these tests, the application was running Apache version 2.2.22, which was released on January 31, 2012, WordPress 3.6.1 (released on September 11, 2013), as well as PHP 5.2.17 (released on January 6, 2011). It is never a good idea to run old software versions, but old WordPress versions are notoriously insecure.

Please note: I am not recommending either of these websites or their products; I merely used them as a method to find information about the application I was examining.

Not only that, but the app used SSL2 and SSL3, so the encryption technology is archaic. Qualys SSL Labs gave the app an “F” for their encryption, and that was after he gave me the HTTPS address.

(“It was harder to implement the security than we thought it would be,” he said.)

Although I did not find out the Linux version running on the web server, based on my previous findings—which I confirmed with the application owner—I would be willing to bet that the operating system was also not current.

So, then I tried creating a profile. I made up first and last names, user name, and a test email from example.net (https://www.advomatic.com/blog/what-to-use-for-test-email-addresses). I tried “test” for a password, which worked. So, the app does not test for password complexity or length.

He asked me on the second day of class if I now felt more comfortable about entering my information in his application since it was using HTTPS. I said no; I said that his application was so insecure that it was embarrassing, that it appeared to me that they had completely disregarded any considerations about securely coding an application.

He said that they never considered the necessity of securing someone’s information because they were not collecting credit card information.

I said that with the amount of data they collected, a thief could impersonate someone easily. I reminded him that some people use the same usernames and passwords for several accounts, and with that information and an email account, any hijacker was in business.

Then he said that he was depending on someone he trusted to write the code securely.

Although I believe in trust, if it were my application, I would verify any claims of security.

I told him he was lucky someone had not hacked his website to serve up malware. I said that I was not an application penetration tester, but that I could hack his website and own his database in less than 24 hours. I said the only reason it would take me that long is because I would have to read up on how to do it.

I told him I would never feel comfortable entering my information in his application because of the breach of trust between his application and his users. I said that while most people would not care even if I explained why they should care, I have to care. It is my job. If my information was stolen because I entered it in an application that I knew was insecure, I could never work in information security again.

So, what should you look for before you enter your information in an application?

  1. Does the web site use HTTPS? HTTPS stands for Hypertext Transfer Protocol Secure; what that means is that the connection between you and the server is encrypted. If you cannot tell because the HTTPS part of the address is not showing, copy the web address into Notepad or Word, and look for HTTPS at the beginning of the address.
  2. Netcraft.com –  gives some basic information about the website you’re checking. You do not need to install their toolbar, just put the website name into the box below “What’s that site running?” about midway down the right-hand side.
  3.  Qualys SSL Labs tests the encryption (often known as SSL) configuration of a web server. I do not put my information in any web site that is not at least a “C.”
  4. Another thing you should be concerned about is a site that serves up malware: Here are some sites that check for malware:

http://google.com/safebrowsing/diagnostic?site=<site name here>

http://hosts-file.net/ — be sure to read their site classifications here

http://safeweb.norton.com/

  1. Do not enter any personal information in a site when using an insecure Wi-Fi connection, such as at a coffee shop or a hotel, just in case the site doesn’t have everything secured on its pages.