Passwords
The Evils of Password Reset
So my buddy Shimmy did his best imitation of My Little Pwnie last week. Basically his blog account was compromised, which seemed to yield information on one of his webmail accounts and from there, it was game over. His domain was hijacked, credit card information published, amongst other things.
Basically it was a nightmare, and agonizing for both Alan and his family to be victimized by what can only be termed as a hate crime.
Alan has talked a bit about it, and hopefully we'll learn more soon since I believe this is a great opportunity to educate a lot of folks about what to do when they've been compromised. The sad thing is that Alan had to call in a bunch of chits to get activity from some of his service providers. This is while his blog is being redirected to a pretty nasty site.
Clearly anyone with a website and/or an email address needs to have a scripted plan when you get pwned. I'm not sure if Alan did or not, but he seemed to handle the situation as well as can be expected. So if you don't have your own containment plan documented, get to work. It's important.
But that's not really what I want to discuss, relative to Alan's issue. It's how dependent many of these web services are on each other. Things like web mail, or your domain registrar, or a DNS service, or your banking/credit card accounts. All of these are online and pretty much all have a "password reset" capability, which probably routes into one (or many) email accounts.
Clearly for anyone that has forgotten a password (happens to me at least once a week), these password resets are a life saver. Anyone who has suffered having to wait a week for their airline to resend a 4 digit passcode to get into their frequent flyer account knows what I'm talking about.
And password reset is also a huge benefit to the web site. Not having to deal with forgetful idiots like me saves them a lot of money as well.
Lest we forget, password reset is also one of the bad guy's best friends. The fact is that if someone can own the email account where your password reset requests are routed, then it's game over. They can reset all of your passwords and lock you out of your own life. Now that's a bad day.
Most folks use webmail because it's convenient. I know I do. But with that convenience comes a clear and present danger. If via some type of sidejacking, or man in the middle, or XSS, or even CSRF the bad guys get into your webmail and start resetting your passwords, you are done.
So what do you do? I guess one option is to pray. Though I'm a bit skeptical that will work over the long term. You can also use strong passwords. That's what I do. Really strong passwords. But that's not a panacea.
You can also hope that most of these websites require some security questions to be answered before they actually reset the password. In my experience, some do and some don't. And I don't want easy questions like my mother's maiden name. It should be stuff that would be hard to know without being me. Like my 7th grade science teacher. If you can figure that one out, then you deserve to be in my account. You are really good.
What I'm thinking is that we need to protect the email account that handles password reset. Optimally I'd like to use an account that is not obvious (not my typical work or personal address) and not a web-based account, so it won't be subject to typical XSS or other web attacks. This is a bit of security by obscurity. If it's a domain you don't know I own, it would be hard to specifically target it.
Then you lock down the account to the best of your ability. Clearly you use a strong password on this "reset" account. And maybe you only use secure IMAP to access the account, and only from one of your trusted machines.
You use the "reset" account as the email of record for the sensitive accounts. Things like banking, credit cards, ecommerce (if your credit card is stored there), DNS, domain registration, web site hosting, etc. Basically any place where, if that account is owned, it would be bad. Maybe you have a few "reset" accounts, just to diversify the risk a bit.
And to be clear, this is really a pain in the ass and it is not truly an answer. You can still be compromised. But you would be making it a bit harder. Building walls, so if one account is pwned, you don't fall like a house of cards.
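To make the "house of cards" argument concrete, here is an added example (not from the original post) that models password-reset routing as a dependency graph and computes how many accounts an attacker ends up owning after compromising one of them. The account names and both reset layouts are constructed for illustration; the "diversified" layout is the dedicated reset-account scheme described above.

```python
"""Blast-radius model for password-reset dependencies (constructed example)."""
from collections import deque


def reset_blast_radius(reset_address_of, compromised):
    """Return every account an attacker owns after compromising `compromised`.

    `reset_address_of` maps an account to the email account that receives its
    password-reset links. Owning an email account lets the attacker reset, and
    therefore own, every account whose resets route to it, and so on transitively.
    """
    owned = set()
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        if node in owned:
            continue
        owned.add(node)
        # Any account whose reset mail lands in an owned mailbox falls next.
        queue.extend(acct for acct, mailbox in reset_address_of.items()
                     if mailbox == node and acct not in owned)
    return owned


def weakest_link(reset_address_of):
    """Return (account, owned_set) for the single compromise with the largest blast radius."""
    nodes = set(reset_address_of) | set(reset_address_of.values())
    radii = {n: reset_blast_radius(reset_address_of, n) for n in nodes}
    # Sort by size then name so ties resolve deterministically.
    worst = max(sorted(radii), key=lambda n: len(radii[n]))
    return worst, radii[worst]


# Layout 1 (constructed): everything resets to one convenient webmail account.
EVERYTHING_VIA_WEBMAIL = {
    "blog": "webmail", "registrar": "webmail", "dns": "webmail",
    "bank": "webmail", "credit_card": "webmail", "ecommerce": "webmail",
}

# Layout 2 (constructed): low-value accounts keep webmail, sensitive accounts use
# two non-obvious, locked-down "reset" mailboxes so no single compromise takes everything.
DIVERSIFIED = {
    "blog": "webmail",
    "bank": "reset_a", "credit_card": "reset_a", "ecommerce": "reset_a",
    "registrar": "reset_b", "dns": "reset_b",
}

if __name__ == "__main__":
    for name, layout in (("single webmail", EVERYTHING_VIA_WEBMAIL), ("diversified", DIVERSIFIED)):
        acct, owned = weakest_link(layout)
        print(f"{name}: worst case is losing {acct!r}, which yields {sorted(owned)}")
```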
Alan suffered significant pain through this situation. Shame on us if we don't learn some lessons and work a bit harder to make sure it's not us next time.
Photo credit: "berlin_my little pony" originally uploaded by madchenkrawall