May 20, 2006 at 11:24 am

I am stunned by this and I'll have to try it with one of my stubs the next time I fly. Using an old boarding pass, a journalist was able to find out a great deal of personal information from an airline's website and database.
Now this could be a serious problem; I guess time will tell and I'll be watching to see if Mr. Schneier catches any followups, but the problem is larger than just airline ticket stubs.
This is a case where probably the application works, there isn't any SQL Injection vulnerability, and no buffer overflows or other hacking techniques have been used to penetrate security. Everything seems to be working well, but still we have a security issue.
This is an architectural overflow bug. The design of the system hasn't really anticipated how people in the real world could misuse the system and gain access to personal information about its clients. This, in my opinion, is much worse than SQL Injection or a software vulnerability. Those can be easily fixed. Redoing the architecture is hard, especially if people have come to expect that it functions a certain way.
I don't think this one is easy to get around. There are relatively few programmers that are good at writing secure code without vulnerabilities and I'd guess that there are even fewer architects that understand how to design a secure system outside of the technical issues. The workflow, authentication, and privacy pieces of software are barely understood and I think it will be a long time before we see very secure designs for many web sites.
I just wonder how Secunia and other bug reporting services will classify this one.
Steve Jones
May 22, 2006 at 6:34 am
As a victim of fraud and identity theft (and former law enforcement), I can say that most identity thefts start with exactly such low tech means as the linked article describes: leave the wrong receipt or piece of identification lying about and you're asking for trouble. A magazine subscription number from a piece of snailmail junk (that you didn't even request) might be enough to start with... I personally equate using someone else's computer to read my Hotmail to just writing down my password and leaving it lying on the desk. Come to think of it, I really don't use "free" email services for the same reason. I shudder to think that people actually use library or "cyber cafe" computers to check bank balances or trade stocks (like they do in the stupid commercials).
All too many web applications are totally insecure (even with SSL installed): passing user names, email addresses and passwords as part of the URL in the clear, etc. My experience has been that many developers are aware of these issues, but unreasonably tight timelines and unsympathetic management result in systems deployed to production with flaws "overlooked." Typically, management will do a woefully inadequate "risk assessment" and determine whether their gut tells them that it's worth slipping three weeks 'just to fix some security bugs.'
I started to register with a nationally syndicated radio show's website (who shall remain nameless) earlier this month, and the Phishing Filter Add-in freaked out -- completely preventing me from completing the registration process. I don't know what wacky redirect or JavaScript hack they're using that caused the add-in to alarm, but I contacted the host who promised to forward it on to the "web guys" that I've never heard from since. I still haven't signed up for their pay-for service, and probably never will if their "web guys" are that sloppy and clueless. 
May 22, 2006 at 7:59 am
Please tell me that the real name of the man on the ticket stub was changed to protect his identity. His real name is not relevant to the article's point, and using his real name in a widely viewed internet article could give this guy far more grief than the original security hole might have.
-------------------
A SQL query walks into a bar and sees two tables. He walks up to them and asks, "Can I join you?"
Ref.: http://tkyte.blogspot.com/2009/02/sql-joke.html
May 22, 2006 at 11:19 am
This ability to abuse mailing labels, boarding passes and the like scares me. But there is one thing that scares me even more. Ironically, it is something that is supposed to increase security, but in many cases can open up a can of worms. In NYC, since 9/11, practically every building requires that employees use a 'prox card' to enter. Most of these prox cards are set up as a basic photo id as well - they have your name, picture, company name and building address on them. However, in most locations those prox cards are never checked physically by security guards, and many people keep them in their pockets, purses, etc. and simply swipe the purse over the sensor. Because of this, if I lost my card, anyone else could easily use it to get into our building. For this to happen, I wouldn't even need to drop it close to the office, because even if I dropped it a hundred miles away, the card still has the office's address on it.
Of course, I wouldn't need to lose my card for someone to steal my identity or use it to gain access to our corporate servers - if I hang it from my neck or wear it attached to my waist, someone could easily read that info and use it as a stepping stone to identity theft, or to convince an unsuspecting corporate IT staff that I was Bob in marketing and needed my password reset (in fact, I wouldn't be surprised if some corporate issue prox cards had the IT Helpdesk number to call on the back in case there were problems).
And for all of those advocates of two-factor authentication, in many ways it doesn't help much either. I once sat across from someone on the train who worked for a large media conglomerate. He had an id badge with his name, company and address on it, and a hardware token around his neck; he also took a nap on the train. It wouldn't have been too difficult to begin attempting to gain access to his servers given some of that information.
And all those folks in corporate America are worried if their kids are exposing too much information on myspace.com.
I am Doing it with .Net, are you?