Security Issues and Bad Forum Admins
01-27-2006 04:24 AM
I was posting on a forum and trying to get some help with MS SharePoint development that I've been doing. Anyhow, I noticed some security flaws in the forum site, mainly the following.
1) Passwords were not encrypted using hashing or one-way encryption. This means anyone with access to the password database (including forum admins) can see user passwords in plain text. One-way encryption is a pretty basic thing, I learned about it when I was a freshman in college. You can allow admins to reset passwords and send users the new ones, but you shouldn't be sending users their passwords in plain text in an email. These guys were doing exactly that, and that's how I knew they didn't use one-way encryption.
2) In the user profile, changing the password does not require that you supply the old password. Changing the user e-mail address does not require password verification.
As a result, my posts were removed within 10 minutes and my account was disabled within 15 minutes. Extremely unprofessional. Censoring forum posts won't make their security problems go away, and security by obscurity always fails eventually.
In case you don't think the above problems are a big deal, let me lay out a little scenario for you:
We all know that we're not supposed to use the same passwords over again, but almost everyone does. You'll make a really strong password with a good mix of letters and digits and special characters, none of them dictionary words. Then what do you do? You use it over and over, because multiple strong passwords are hard to remember and writing them down completely defeats the purpose of having a strong password in the first place. So, say you're on a business trip and have to use a public computer. You log onto the aforementioned forum with your strong password, and check some technical questions you asked last week. Did I mention the forum has a "remember me" setting? You usually access the forum from your work computer, so you don't really notice that it's turned on. Some blackhat has been looking at your screen from across the room out of curiosity. When you leave, he goes over and goes to the last site you were at via the History listings of most browsers. He notices that you're still logged in. He goes to your profile and changes the e-mail address to his after writing down your email address. He then fills out the "forgot my password" form that requires only an email address. Seconds later, your strong password is sitting in his inbox in plain text. He then notices that changing the password doesn't require user verification, so he changes it and has completely hijacked your account. He googles your name and email address and finds out local banks in your area and begins to try to guess your username, figuring that with such a strong password, you must reuse it.
Security is important, even for sites that don't store particularly valuable information about the users. Anyhow, I've been banned from the forum for discussing some pretty basic security topics. Do you folks think I should do anything, try to let other users know? Give me some feedback.
By the way, the URL of the forum is : http://www.tek-tips.com/
This is a much better forum. :)
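An added example, not code from the original post or from the forum being discussed, showing how the two flaws above are closed on the server side: a hypothetical in-memory user store that keeps only a salted PBKDF2 hash (so neither admins nor a "forgot my password" form can ever see the password), requires the current password before a password or e-mail change (so a hijacked "remember me" session cannot take over the account), and answers a reset with a fresh random temporary password instead of the stored one.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store (username -> record); only a salted PBKDF2 hash is kept.
USERS = {}
PBKDF2_ROUNDS = 100_000

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def _store(rec, password):
    rec["salt"] = os.urandom(16)
    rec["hash"] = _hash_password(password, rec["salt"])

def register(username, password, email):
    USERS[username] = {"email": email}
    _store(USERS[username], password)

def verify_password(username, password):
    # Constant-time compare against the stored hash; the plaintext is never recoverable.
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

def change_password(username, old_password, new_password):
    # Flaw 2: a live (or "remembered") session alone is not enough; the old password is required.
    if not verify_password(username, old_password):
        return False
    _store(USERS[username], new_password)
    return True

def change_email(username, password, new_email):
    # The e-mail address is the recovery channel, so changing it also requires the password.
    if not verify_password(username, password):
        return False
    USERS[username]["email"] = new_email
    return True

def reset_password(username):
    # "Forgot my password": only a hash exists, so the old password cannot be mailed back.
    # Issue a random temporary password and return (address of record, temp) for delivery.
    rec = USERS.get(username)
    if rec is None:
        return None
    temp = secrets.token_urlsafe(12)
    _store(rec, temp)
    return rec["email"], temp
```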
01-27-2006 05:07 AM
fwiw,
I also find passwords stored in plain view offensive and indicative of an organization that 'does not get I.T.'
When I notice this happening, I will always complain with a nice enough comment to support, but the general responses vary from
- huh?
- mind your own business (It _is_ my password, my business)
- we have always done it this way (And how does that make it right?)
- go away leave us alone
The last reply I received in this space:
" I'm sorry that you do not approve of the way LHH handles the user names and passwords for the CRN. We send a confirmation email with full user name and password so the client has a full record of their account. It is no less secure than any other web mail/site when you request a lost password. You would be amazed how many people still can't login for some reason with their user ID right in front of them. This system has proved to keep the number of initial emails of clients who mistyped their passwords (twice) down to a minimum."
Clueless.
So many windmills, so little time...
Regards,
Hein.
01-27-2006 05:42 AM
Re: Security Issues and Bad Forum Admins
Anyone that reluctant to answer about an issue and that desperate to shut anyone up who's talking about it makes me suspicious.
01-27-2006 06:18 AM
Re: Security Issues and Bad Forum Admins
I would hope the problems you list are not present here.
Purely Personal Opinion
01-27-2006 06:35 AM
Re: Security Issues and Bad Forum Admins
04-30-2006 09:26 PM
Re: Security Issues and Bad Forum Admins
Another one you can add to your list of "I agree"!
The lack of commitment towards security is far more widespread than anyone can imagine. A good security policy - in the broadest sense of the word - requires more than the management wants to admit and is willing to pay for. Security measures like the ones you would like to be implemented do (in their view) not contribute to a higher number of visitors. It might even contradict.
As for facilities - the "remember me" feature, built in to some OS's, can be very handy - but has its dangers as well. It should be possible to disable it - remove it completely, eventually. If that is not a feature, it's lack of commitment to security with the developers - and you will end up with bandages to stop the bleeding, where bleeding shouldn't have started in the first place....
(Personal opinion only)
Willem
OpenVMS Developer & System Manager
04-30-2006 11:47 PM
Re: Security Issues and Bad Forum Admins
While it is inconvenient, I prefer to have a "RESET PASSWORD" function that then emails (to the email account of record) the new password. While these generated passwords are a nuisance, they are not too difficult to type.
Sending your real password is admittedly not a particularly sound idea. Sending a long click-to URL presumes that you have embedded hyperlinks support in your email client, which is also a presumption, and, for a variety of reasons, not the best possibility.
Finally, a lesson from military security measures (this has been in the movies since at least the middle of World War II, so it is a SECRET). When a unit has a mission which may result in a higher than acceptable risk of compromise, you remove the classified equipment BEFORE the mission, not deal with the consequences later. With classified equipment you remove it if it is not needed. With cryptographic keys, you switch the "at risk" unit to a special set of keys, which if compromised, do not endanger others. It is simple common sense.
I would not recommend using a high-security password used for critical systems as your password on an outside www site.
- Bob Gezelter, http://www.rlgsc.com
Contributing Editor, Computer Security Handbook, 4th Edition, http://www.computersecurityhandbook.com
05-03-2006 11:45 AM
Re: Security Issues and Bad Forum Admins
It would seem it would be best not to post a security problem you want to protect people from, but rather to let the appropriate people know, quietly.
If they don't respond, go up the chain.
But never announce a security problem.
07-09-2006 11:35 PM
Re: Security Issues and Bad Forum Admins
In principle: You're right. Don't wake sleeping dogs ;-)
On the other hand: DO wake them up. It might waken the responsible managers.
First mention the concern to the site admin. But if they don't respond, or in the way as stated, you will need to know who's in charge of security, to go up the chain. The main problem there is WHO to contact....
But I like the idea to be warned. (this site is now skipped from my list of usable sites)
OpenVMS Developer & System Manager