Shostack + Friends Blog Archive


Authenticating Alan Shimel is Certifiably Hard

Alan Shimel got hacked, and he’s blogging about it, in posts like “I’m back.” It sounds like an awful experience, and I want to use it to look at authentication and certificates. None of this is intended to attack Alan in any way: it could happen to any of us.

One of the themes of these posts is how hard it is to get the accounts back, especially when your password has been changed and the email accounts that would normally receive a reset have themselves been compromised. Alan’s spent a lot of time on the phone getting stuff cleaned up, and I’d like to look at that process a little.

Alan has various business relationships with organizations who know him only via email and credit cards, or perhaps with a PO. How should they handle a claim that an account has been hacked? How are they supposed to authenticate someone calling who doesn’t know the password, and wants to tie a new email account into the system? Doesn’t that sound like fraud? These organizations likely don’t know Alan’s driver’s license # or passport.

This problem isn’t hard because we lack technology; it’s hard because a networked system has emerged which makes it easy to do business all around the world with people you don’t really know. If Alan had a client cert, maybe that would have been stolen, too. If he had a smartcard, maybe that would have been attacked via a client-side trojan. Stronger credentials don’t fix recovery in any case, because recovery is the path you take precisely when the credential is gone. He ran into exactly these troubles at Yahoo, and documents them in “Why Google is now my homepage instead of Yahoo:”

I have written and called to every address you can think of. They have asked for copies of my drivers license. They wanted all of my information when I first applied for an account (yes from 12 years ago). I have had to give them every email address I ever had (anytime you fill out information for a new account you should make a record of it and keep it somewhere safe. Don’t ask me where, but somewhere safe). Every mail address and zip code I have had. I sent them the answer to every secret question I can think of, but they won’t give me the question they want me to answer. I sent them the hackers’ post bragging about getting my email account.

There may well be multiple guys named Alan Shimel out there, and a faxed copy of a license isn’t very good authentication anyway: it is easy to alter, and nothing ties the person faxing it to the account.

In distant, simple relationships all we have is persistence, the history of the relationship itself (the addresses, cards and transactions already on file), and that’s not very strong. We also have what Alan used, which is webs of trust. He called people who knew him and had them call people he knew:

As I have written earlier, I was lucky in that I was able to call on people to help me out. For instance my friends at FeedBurner/Google, Matt Shobe and Dick Costollo, quickly took control of my FeedBurner accounts, including the SBN feed. They were also able to get someone live at Typepad to allow me to take back the blog. This took more time than it should have though. Until FeedBurner reached out to someone, the Typepad support team just kept sending a new password to mailboxes that the attackers controlled, even though I was mailing them from my stillsecure mail box! You could not get any of these people on a phone. Very frustrating! (“Our web infrastructure needs to be at public utility levels”)

Now, persistence and webs of trust seem like bad business models. They’re not easy to manage with regard to liability and contracts, but they are a great representation of how the world really works.
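As an added example (not code from the original post, nor from Yahoo, Typepad, FeedBurner or any other provider it names), here is a small recovery policy in Python that uses the two things the post identifies as authenticators, persistence and a web of trust, as its deciding inputs. It models the Typepad failure quoted above: the only recovery address on file is one the attacker attached, so a flow that just mails a new password to the address on file hands the account to the attacker, while a flow that only trusts channels which predate the dispute refuses, and falls back to vouching by accounts that pass the same test. The data model, the 30-day window, the two-voucher quorum, and every name, address and date are assumptions.

```python
"""Account recovery that weighs persistence over recency.

Added example: not code from the original post or from any provider named
there. The data model, the 30-day seasoning window and the two-voucher
quorum are assumptions chosen to make the argument concrete.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Sequence

# Assumed policy constants.
SEASONING = timedelta(days=30)   # a channel must predate the dispute by this much
VOUCH_QUORUM = 2                 # vouchers needed when no channel qualifies


@dataclass
class Channel:
    """A recovery contact (email address, phone, etc.) on file for an account."""
    address: str
    added_at: datetime
    last_changed_at: datetime    # equals added_at until someone edits the entry


@dataclass
class Account:
    owner: str
    channels: list[Channel] = field(default_factory=list)


def seasoned_channels(account: Account, claimed_at: datetime) -> list[Channel]:
    """Channels that were on file well before the claimed compromise and have
    not been touched since. This is 'persistence' as an authenticator: a mailbox
    an attacker attached last week fails the test, and that is exactly the
    channel a naive 'mail a new password to the address on file' flow uses."""
    cutoff = claimed_at - SEASONING
    return [c for c in account.channels
            if c.added_at <= cutoff and c.last_changed_at <= cutoff]


def decide_recovery(account: Account, claimed_at: datetime,
                    vouchers: Sequence[Account] = ()) -> tuple[str, list[str]]:
    """Decide how to handle a 'my account was hacked' claim.

    Returns (decision, targets):
      'reset'    -> send reset links only to the listed seasoned channels
      'vouched'  -> no seasoned channel, but enough accounts that pass the same
                    test themselves vouch for the claimant (the web of trust)
      'escalate' -> nothing automatic is safe; a human has to handle it
    """
    seasoned = seasoned_channels(account, claimed_at)
    if seasoned:
        return "reset", [c.address for c in seasoned]
    # Vouchers only count if they pass the persistence test on their own;
    # otherwise an attacker could vouch for himself with freshly made accounts.
    good = [v.owner for v in vouchers if seasoned_channels(v, claimed_at)]
    if len(good) >= VOUCH_QUORUM:
        return "vouched", good
    return "escalate", []


def scenario() -> dict[str, object]:
    """Constructed scenario modelled on the post (dates and addresses invented):
    the attacker replaced the only recovery address shortly before the owner
    reported the break-in, two long-standing friends are willing to vouch, and
    the attacker also tries vouching for himself with fresh sock-puppet accounts."""
    long_ago = datetime(2008, 1, 1)
    claim = datetime(2009, 6, 1)
    fresh = claim - timedelta(days=2)
    victim = Account("alan", [Channel("attacker-box@example.net", fresh, fresh)])
    friends = [Account("matt", [Channel("matt@example.org", long_ago, long_ago)]),
               Account("dick", [Channel("dick@example.org", long_ago, long_ago)])]
    puppets = [Account(f"puppet{i}", [Channel(f"p{i}@example.net", fresh, fresh)])
               for i in range(3)]
    undisputed = Account("someone", [Channel("old@example.com", long_ago, long_ago)])
    return {
        # what 'just mail a new password to the address on file' would do
        "naive": [c.address for c in victim.channels],
        "no_vouchers": decide_recovery(victim, claim),
        "with_friends": decide_recovery(victim, claim, friends),
        "with_puppets": decide_recovery(victim, claim, puppets),
        "undisputed": decide_recovery(undisputed, claim),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:13} {result}")
```

The point of the seasoning check is that the attacker cannot manufacture history: anything he adds is, by construction, newer than the dispute. The same check applied to vouchers is what keeps the web of trust from being gamed with throwaway accounts, and the `escalate` outcome is the honest answer the post describes, a human who can be reached by phone.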

Closely related: “Certifiably Silly,” and “I’m certifiably wrong.”

7 comments on "Authenticating Alan Shimel is Certifiably Hard"

  • Zach says:

    It’s funny that Google, with their eyebrow-raising stance toward privacy, is chosen over Yahoo! in this case. Though I suppose that’s not what the concern is.
    The whole situation became a bit unsettling for others when the e-mail (posted to FD) called out other…”targets”.
    Oh, and is there a joke behind having *Rothman’s* photo up there? 🙂

  • shrdlu says:

    Well, you know how it is, we all look alike …

  • David Brodbeck says:

    I suppose this is an argument for having a vanity domain, and sending all your critical email to it…if one email account gets compromised, you can just point the domain somewhere else. Of course, that just moves the problem around — now you have to worry about domain hijacking.

  • Jim Burrows says:

    Of course, that just moves the problem around — now you have to worry about domain hijacking.

    And of course one of Shimel’s problems was that they stole both his email and his domain — see his rant about Go Daddy here.
    After reading his various postings on this, I am left with two basic questions:

    1. What would he (or you) do to avoid future identity theft?
    2. What would he (or you) do to improve the chances of recovery from future identity theft?

    In “I’m back“, he writes,

    Where before I viewed security as a business that I was in, security from here on in will be a much more passionate endeavor for me. In many ways this has made me truly a security person. You will see a much deeper commitment by me in keeping the slime of the world from being successful. I am going to do everything I can to making myself, my family and all of us more secure. Security for me has gone from a business to a way of life.

    That’s a lovely sentiment, and I’m sure that many people leave their “Wall of Sheep” experience feeling the same way, but what does it really mean?
    After 9/11, the US as a country said much the same thing. And then we entered into a security plan that centers on identity. To stop terrorists. You might be able to stop known terrorists with an identity-based solution, but identity won’t do squat about stopping unknown terrorists, and in fact the ideal story for a terrorist is to go from unknown terrorist to world famous successful terrorist. Identity helps achieve that.
    And as Bruce Schneier recently pointed out, an MI5 report suggests, profiling to identify terrorists isn’t likely to work, at least not with our current understanding of profiling.
    I hear a lot of people these days declaring a devotion to “better security”, and “better practices”, but what are those practices?
    Shimel himself pointed out that the biggest problem, the “clowns” in the security circus, are the software implementers. He begs us not to blame the security people but the masses of coders who build the vulnerable products.
    Consider this in light of Schneier’s comment that security engineering is “programming Satan’s computer” and harder than just creating reliable software on “Murphy’s computer” and way harder than “straightforward” computer programming.
    What makes Shimel’s harried programmers “clowns” is that they are just programming generic computers and not either Murphy’s or Satan’s. But if only the cream of the elite are doing it right and the great unwashed masses of programmers are clowns, building in vulnerability, what’s a “security person” going to do?
    How do we answer the two questions above?
    Just asking.

  • Ryan Russell says:

    Yeah, the name/license isn’t always good enough. At Black Hat & Defcon this year, there were two Ryan Russells and a Russell Ryan. Not as in people impersonating me, those are our legitimate names.

  • Adrian Lane says:

    Looks like site defacement to me … perhaps Adam has been hacked as well.

  • Adam says:

    Zach–yes, it’s a joke, about how hard it is to keep track of who’s who. Perhaps a little too obvious. I’ll be curious to see how it impacts image searches for a while. 🙂

Comments are closed.