Archive for 2010

Horizon Bob Story [Reader Submitted]

March 24th, 2010 Matt Johansen

This is the first of what I hope will be a continuing series of blog posts in which one of my readers, Bob, experiences a security fail and sends me a letter about it. Feel free to mail me stories of your friend Bob and his epic adventures.

Dear Matt Jay,

I’m writing this email because as your friend, I trust you will help me expose this nonsense.

My mom is spending a few days in North Carolina. While there, she decided she needed a phone upgrade. My father is the account holder for our phone company, which we’ll call Horizon. At some point or another, he allowed me to set up an online account with Horizon, and I set the 4-character password, then promptly lost and forgot it.

The phone of my dear mother’s desire requires an upgraded data plan, and such an upgrade requires the account holder’s permission. The folks at the retailer asked for the password, which she did not have. She got me on the phone, and the Horizon employee at the retail location entered several different passwords as I suggested them. Trial-and-error guessing for a security checkpoint… Fail #1.

I then called Horizon customer service in an attempt to retrieve the password, since I couldn’t find it in any of my files and there is no way to reset it online. I pretended to be my father, the account holder. They asked for my name and – spoiler alert – my account password. I told them I was calling to find out the password. I offered my [father’s] last 4 digits of SSN. I then gave the rep the wrong 4 digit number, but he told me it was close. He asked if I was sure, and I insisted there must be some mistake. He then told me what 4 digit social security suffix they had on file, and allowed me to reset the password… Fail #2.

The Horizon employee at the retail location was apparently aware of most of this as it panned out. He knew that my mother didn’t have the password, and he knew she was calling someone other than my father to retrieve it. Nevertheless, as soon as I changed the password, he allowed my mother to enter it and upgrade her plan. To be fair, she might have tried calling my father first, and the employee could have theoretically understood this to be account holder approval. Regardless… Fail #3.

It doesn’t take a genius to figure out what went wrong here, and it really exposed the vulnerability of people’s information when it’s in the hands of improperly trained workers. That being said, my dad’s full social security number is REDACTED.

Sincerely,

Bob

P.S. What are you doing later tonight?  I’m craving tacos.

Thanks Bob, I can go for some tacos too. This trip is on me for the good laugh.

Categories: Uncategorized

Secure Password Win [Random]

February 2nd, 2010 Matt Johansen

I usually can’t stand random chain emails from family and friends, but every once in a while there is a good one. Thought I’d share this laugh:

During a recent password audit at the Bank of Ireland it was found that Paddy O’Toole was using the following password: MickeyMinniePlutoHueyLouieDeweyDonaldGoofyDublin

When Paddy was asked why he had such a long password, he replied: “Bejazus! Are yez f*ckin’ stupid? The bank told me password had to be at least 8 characters long and include one capital.”

Don’t ever think you can outwit the Irish!

Categories: Password, Random

Google Responds to China’s Actions [LiquidMatrix]

January 12th, 2010 Matt Johansen

UFC 1337: Google vs. China

My most recent post over at LiquidMatrix Security Digest:

To the surprise of most everybody who read this, Google has grown a pair in the fight for free speech and against internet censorship. Well… at least they say they have.

…the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

This comes after the apparent attack upon Google and other American organizations originating from China.

In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.

As of the time I wrote this post, Google.cn is still up, so no preemptive praise just yet. I’m going to be interested to hear what else pops up about this story in the near future.

Some other insight so far:

RSnake
Rep. Eshoo Responds to Attack on Google

Cheers,
Matt

Categories: LiquidMatrix, cloud, cyberdouchery

IsleSec – January

January 12th, 2010 Matt Johansen

I don’t have any original content to add here; I’m just hoping to spread the word. A quick re-blog of Kees Leune’s post about this month’s IsleSec meetup. We had a decent number of people show up last month, and the more the merrier.

“After our (first) meeting last month, Matt Johansen and I have decided to give IsleSec a continuation.

IsleSec builds on the tradition of popular CitySec meetings, such as NYSEC, BeanSec, etc. and it provides an informal place for people to hang out, have a bite, drink beer (or something else), and chat about security-related issues.

We invite everyone with an interest in information security, ranging from techies to security executives to join us. Yes, even security auditors are welcome ;) Vendors can come too, but please do not use the meet-up as a place to sell your wares. If you want to car pool, or take the train out to the meeting with company, please drop a note on our general access email group.

IsleSec meetings will be held every third Wednesday of the month in Croxley’s Ale House in Farmingdale, NY. Croxley’s is located next to the train station and is easily reachable by car from Nassau and Suffolk.

This month’s meeting will be on January 20, 2010. The meetings typically start when the first person shows up (somewhere between 6pm and 7pm) and continue until the last person leaves (somewhere between 10pm and 11pm). Sponsors are more than welcome to contact me to arrange how to give us free beer.”

Categories: IsleSec