Monday, May 26, 2014

Humans are the weak link in security

It may have escaped your notice, but Chinese hackers have been pilfering secrets from the USA and this has been in the news a lot.  The underlying story for the non-technically minded is that the “weak link” in the security chain wasn’t technology, but humans.  That’s where the exploits happened - the attackers were simply asking people to give up information, using some fairly standard means.

I was explaining last week how I discovered something online that also fell into this area of vulnerabilities with banks and ISPs in Canada.  I raised the alarm and I’m still waiting for confirmation that everyone has closed off the hole before I say publicly what it was…  However, I discovered something this morning that continues along the line of “It’s all secure until someone has a lapse of security caused by policy, oversight, or human error”…

This time it’s with Toronto Hydro.

First, I’m going to take a step back and explain something about certain websites where a security design becomes a flaw.  Then you’ll hopefully see the logic of what’s wrong here.  

Many websites have a security feature that locks an account for anything from a minute to a permanent lock if you get the login credentials wrong several times in quick succession.  This security feature means the site has also given others a simple tool that can be turned upside down and used in a malicious manner.  Let’s imagine the website is an online auction site; if I’m bidding against you and you keep upping the bid on an item I really want, I could just wait until we’re a few minutes away from the auction ending, and then I log out of the website and enter your username and any made-up password several times to suspend your account.  Now, I go back in as myself, increase the bid by a penny and you can’t log in to outbid me as you’re on the phone with technical support trying to get your account unlocked, so I win.

This is a classic case of oversight in the pursuit of security.
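To make the design point concrete, here is an added example (my own illustration, not code from the original post or from any site it mentions) that simulates the two ways a login throttle can be built. The first class hard-locks the account after a handful of wrong passwords, no matter where they came from, which is exactly the behaviour the auction story exploits. The second keys its counters on the (source address, username) pair and applies exponential backoff to the offending source instead of locking the account, so the real owner logging in from elsewhere is unaffected while the source doing the guessing is slowed down. The class names, thresholds, usernames and addresses are all constructed for this example.

```python
from collections import defaultdict, deque

# Constructed sample values (addresses from the RFC 5737 documentation ranges).
GUESSER_IP = "198.51.100.7"
OWNER_IP = "203.0.113.5"
OWNER_USER = "bidder@example.com"


class AccountLockoutGuard:
    """Naive policy from the post: max_failures wrong passwords for a username
    inside `window` seconds hard-locks that account for `lock_seconds`,
    regardless of which network source produced the failures."""

    def __init__(self, max_failures=5, window=60.0, lock_seconds=300.0):
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(deque)  # username -> failure timestamps
        self.locked_until = {}              # username -> time the lock expires

    def allowed(self, username, source_ip, now):
        # The source address is ignored on purpose: that is the flaw.
        return now >= self.locked_until.get(username, 0.0)

    def record_failure(self, username, source_ip, now):
        q = self.failures[username]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[username] = now + self.lock_seconds


class SourceThrottleGuard:
    """Hardened policy: failures are counted per (source_ip, username) pair and
    per source, and the penalty is an exponential delay imposed on that source.
    The account itself is never locked by failed attempts alone, so someone who
    knows only the username cannot deny service to its owner."""

    def __init__(self, free_failures=3, base_delay=2.0, max_delay=900.0):
        self.free_failures = free_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.pair_failures = defaultdict(int)    # (source_ip, username) -> count
        self.source_failures = defaultdict(int)  # source_ip -> count across all users
        self.pair_not_before = {}                # (source_ip, username) -> next allowed time
        self.source_not_before = {}              # source_ip -> next allowed time

    def _backoff(self, excess):
        return min(self.base_delay * 2 ** (excess - 1), self.max_delay)

    def allowed(self, username, source_ip, now):
        key = (source_ip, username)
        return (now >= self.pair_not_before.get(key, 0.0)
                and now >= self.source_not_before.get(source_ip, 0.0))

    def record_failure(self, username, source_ip, now):
        key = (source_ip, username)
        self.pair_failures[key] += 1
        self.source_failures[source_ip] += 1
        # Backoff for this source/username pair once its free attempts are used up.
        excess = self.pair_failures[key] - self.free_failures
        if excess > 0:
            self.pair_not_before[key] = now + self._backoff(excess)
        # A source failing against many usernames is slowed down as a whole.
        src_excess = self.source_failures[source_ip] - 3 * self.free_failures
        if src_excess > 0:
            self.source_not_before[source_ip] = now + self._backoff(src_excess)

    def record_success(self, username, source_ip):
        # A correct password clears the pair's counters, not the source's.
        self.pair_failures.pop((source_ip, username), None)
        self.pair_not_before.pop((source_ip, username), None)


def simulate(guard, wrong_attempts=6):
    """Constructed scenario: one source sends `wrong_attempts` wrong passwords
    for OWNER_USER one second apart, then the real owner tries from their own
    address. Returns (owner_allowed, guessing_source_allowed)."""
    now = 1000.0
    for _ in range(wrong_attempts):
        if guard.allowed(OWNER_USER, GUESSER_IP, now):
            guard.record_failure(OWNER_USER, GUESSER_IP, now)
        now += 1.0
    owner_allowed = guard.allowed(OWNER_USER, OWNER_IP, now)
    guesser_allowed = guard.allowed(OWNER_USER, GUESSER_IP, now)
    return owner_allowed, guesser_allowed


if __name__ == "__main__":
    for cls in (AccountLockoutGuard, SourceThrottleGuard):
        print(cls.__name__, simulate(cls()))
```

Running it prints `(False, False)` for the lockout policy (the owner is shut out along with the guesser) and `(True, False)` for the throttle policy (only the guessing source is delayed). The caveat a practitioner should keep in mind is that source-based throttling is weaker when the owner and the guesser share an address, such as behind the same NAT, which is why real deployments pair it with a second factor or a step-up challenge rather than relying on it alone.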

Today, I walked into the lobby of a building that I was visiting.  I came across this:

Toronto Hydro put the account number and address on a public piece of card, and then left it for all and sundry to see.  The account number is what they ask for to confirm you are who you say you are; by posting it, they have handed out the one thing that check depends on, and it can now be used for malicious ends.  This could go wrong in so many ways, especially if you’re in a similar position to me where you know the name of the account holder.  For instance, a person that wanted to be malicious could:  

  • Remove the card, so the effectiveness of posting the notice is diminished and the building gets disconnected.
  • Send bad payment information to that account so it incurs fees on that account.
  • Phone up Toronto Hydro, give the name of the account holder and address of the building and claim you’re not going to pay - when they ask to confirm the account number, you’ve got that too, as well as the balance.
  • Send around this information publicly to tarnish the person’s reputation.
  • Hire some people to turn up on the day before the disconnection with official-looking paperwork carrying the correct account number and other information, and say that if you get payment now, you’ll not disconnect.  You’ve now collected the money instead of Toronto Hydro, and they still get disconnected.


These are just the simple things you can do with the information that they’re giving out.   From a technical standpoint, you can wire this up in all manner of ways and do way worse things.

It’s clear that Toronto Hydro doesn’t deliberately post public information to compromise customer security, but it’s equally clear that they’re operating on the same security footing as most banks, ISPs, telcos and other large institutions, where the weak link is now not inside their systems, but the things humans do outside them.  No amount of firewalls, encryption or other technology is going to catch this kind of policy error.

Hopefully, someone will review this oversight in time.