Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

Security Issues and Bad Forum Admins

SOLVED
Go to solution

Security Issues and Bad Forum Admins

This is a little off topic, but I wanted to post it in the OpenVMS forums because I like the people around here, and wanted you to hear it.

I was posting on a forum and trying to get some help with MS SharePoint development that I’ve been doing. Anyhow, I noticed some security flaws in the forum site, mainly the following.

1) Passwords were not encrypted using hashing or one-way encryption. This means anyone with access to the password database (including forum admins) can see user passwords in plain text. One-way encryption is a pretty basic thing, I learned about it when I was a freshman in college. You can allow admins to reset passwords and send users the new ones, but you shouldn’t be sending users their passwords in plain text in an email. These guys were doing exactly that, and that’s how I knew they didn’t use one-way encryption.

2) In the user profile, changing the password does not require that you supply the old password. Changing the user e-mail address does not require password verification.

As a result, my posts were removed within 10 minutes and my account was disabled within 15 minutes. Extremely unprofessional. Censoring forum posts won’t make their security problems go away, and security by obscurity always fails eventually.

In case you don’t think the above problems are a big deal, let me lay out a little scenario for you:
We all know that we’re not supposed to use the same passwords over again, but almost everyone does. You’ll make a really strong password with a good mix of letters and digits and special characters, none of them dictionary words. Then what do you do? You use it over and over, because multiple strong passwords are hard to remember and writing them down completely defeats the purpose of having a strong password in the first place. So, say you’re on a business trip and have to use a public computer. You log onto the aforementioned forum with your strong password, and check some technical questions you asked last week. Did I mention the forum has a “remember me” setting. You usually access the forum from your work computer, so you don’t really notice that it’s turned on. Some blackhat has been looking at your screen from across the room out of curiosity. When you leaves, he goes over and goes to the last site you were at via the History listings of most browsers. He notices that you’re still logged in. He goes to your profile and changes the e-mail address to his after writing down your email address. He then fills out the “forgot my password” form that requires only and email address. Seconds later, your strong password is sitting in his inbox in plain text. He then notices that changing the password doesn’t require user verification, so he changes it and has completely hijacked your account. He googles your name and email address and finds out local banks in your area and begins to try to guess your username, figuring that with such a strong password, you must reuse it.

Security is important, even for sites that don’t store particularly valuable information about the users. Anyhow, I’ve been banned from the forum for discussing some pretty basic security topics. Do you folks think I should do anything, try to let other users know? Give me some feedback.

By the way, the URL of the forum is : http://www.tek-tips.com/
This is a much better forum. :)
"It's only funny 'till someone gets hurt, then it's hilarious!"
8 REPLIES
Hein van den Heuvel
Honored Contributor
Solution

Re: Security Issues and Bad Forum Admins


fwiw,

I also find passwords stored in plain view offensive and indicative of an organization that 'does not get I.T.'

When i notice this happening, I will always complain with with a nice enough comment to support but the general responses vary from
- huh?
- mind your own business (It _is_ my password, my business)
- we have always done it this way (And how does that make it right?)
- go away leave us alone

The last reply I received in this space:

" I'm sorry that you do not approve of the way LHH handles the user names and passwords for the CRN. We send a confirmation email with full user name and password so the client has a full record of their account. It is no less secure than any other web mail/site when you request a lost password. You would be amazed how many people still can't login for some reason with their user ID right in front of them. This system has proved to keep the number of initial emails of clients who mistyped their passwords (twice) down to a minimum."

Clueless.

So many windmills, so little time...
Regards,

Hein.


Re: Security Issues and Bad Forum Admins

Glad someone else out there agrees with me. It's offensive to me that my information is worth so little effort at security on their part. Not surprizingly, after a few hours I'm still blocked from the forums and still have not recieved a response from Admins/Management as to why.

Anyone that reluctant to answer about an issue and that desperate to shut anyone up who's talking about it makes me suspicious.
"It's only funny 'till someone gets hurt, then it's hilarious!"
Ian Miller.
Honored Contributor

Re: Security Issues and Bad Forum Admins

for security concerns here it would be best to contact itrc_support@hp.com or use the form on the web site.

I would hope the problems you list are not present here.
____________________
Purely Personal Opinion

Re: Security Issues and Bad Forum Admins

As I said in my post, I'm talking about ANOTHER forum, not the HP forums, which, in my opinion have quite good security measures.
"It's only funny 'till someone gets hurt, then it's hilarious!"
Willem Grooters
Honored Contributor

Re: Security Issues and Bad Forum Admins

Austin,
Another one you can add to your list of "I agree"!
The lack of commitment towards security is far more widespread that anyone can imagine; A good security policy - in the broadest sense of the word - requires more than the management wants to admit and is willing to pay for. Security measures like the ones you would like to be implemented, does (in their view) not contribute to higher number of visitors. It might even contradict.
As for facilities - The "remember me" feasture, built-in in some OS's can be very handy - but has it's dangers as well. It should be possible to disable it - remove it completely, eventually. If that is not a feature, it's lack of commitment to security with the developers - and you will end up with bandages to stop the bleeding, where bleeding shouldnt have started in the first place....

(Personal opnion only)
Willem
Willem Grooters
OpenVMS Developer & System Manager
Robert Gezelter
Honored Contributor

Re: Security Issues and Bad Forum Admins

Austin,

While it is inconvenient, I prefer to have a "RESET PASSWORD" function that then emails (to the email account of record" the new password. While these generated passwords are a nuisance, they are not too difficult to type.

Sending your real password is admittedly not a particularly sound idea. Sending a long click-to URL presumes that you have embedded hyperlinks support in your email client, which is also a presumption, and, for a variety of reasons, not the best possibility.

Finally, a lesson from military security measures (this has been in the movies since at least the middle of World War II, so it is a SECRET). When a unit has a mission which may result in a higher than acceptable risk of compromise, you remove the classified equipment BEFORE the mission, not deal with the consequences later. With classified equipment you remove it if it is not needed. With cryptographic keys, you switch the "at risk" unit to a special set of keys, which if compromised, do not endanger others. It is simple common sense.

I would not recommend using a high-security password used for critical systems as your password on an outside www site.

- Bob Gezelter, http://www.rlgsc.com
Contributing Editor, Computer Security Handbook, 4th Edition, http://www.computersecurityhandbook.com
comarow
Trusted Contributor

Re: Security Issues and Bad Forum Admins

A comment about security concerns.

It would seem it would be best not to post
a security problem you want to protect people from, but rather to let the appropriate people know, quietly.

If they don't respond, go up the chain.

But never announce a security problem.
Willem Grooters
Honored Contributor

Re: Security Issues and Bad Forum Admins

@Comarow:

In principle: You're right. Don't wake sleeping dogs ;-)
On the other hand: DO wake them up. It might waken the responsible managers.

First mention the concern to the site admin. But if they don't respond, or in the way as stated, you will need to know who's in charge of security, to go up the chain. The main problem there is WHO to contact....

But I like the idea to be warned. (this site is now skipped from my list of usable sites)
Willem Grooters
OpenVMS Developer & System Manager