ISP: Your login detail is insecure. (Clientzone)

[waroop]

especially not the part about plain text passwords being low-risk.

I agree with you, and we're going to see how we can tighten this up - like Kev said wherever we can improve security in a practical way we'll absolutely do it, but heres another one; what about email or IM? Sensitive information is transmitted via those (and many other mediums) almost universally across the internet, and its by and large unencrypted, what can we do about those?

[Pr⊕phet]

Not much to add after HavocXphere and Centaur already said what I would have said.

[waroop]

Not much to add after HavocXphere and Centaur already said what I would have said.

Noted. Thx for the help guys, leave it with us and we'll get it patched up first thing next week.

This has actually sparked some interesting internal discussions around potentially making the entire site https - what are your thoughts on that?

[HavocXphere]

I personally used to want a strong "Confident Sounding Message^TM" from the top brass

As I see it there are two things that companies must get right. 1) Security 2) Perceived security.

So perhaps security isn't majorly threatened in this case...but a bit more grace in handling it would be good. Meaning either "We're going to fix it by doing X" or "It is not possible because Y". The responses above fall right between those two - the worst of both worlds.

And yes, I'm quite aware of the fact that in the real world security is always going to fall short of 100% & solutions often contain a fair amount of duct-tape.

mweb.

I know that internally they don't store passwords as hashes (anyone in the call center can view any account password in plaintext)

OMG I hope you're joking. The issues mentioned in this thread so far are largely cosmetic, but passwords stored in plaintext is totally not cool. Has to be hashed & salted - no exceptions. LinkedIn just found that out the hard way (they skipped the salted part).

[Centaur]

Noted. Thx for the help guys, leave it with us and we'll get it patched up first thing next week.

This has actually sparked some interesting internal discussions around potentially making the entire site https - what are your thoughts on that?

Ahm, I don't understand why you are actually asking this. From the previous posts on this thread, and my previous post. I think you should already have gathered that making everything connect via https is probably the best way to go. Also one of the easiest.

I wonder if this is your main reason for lack of innovation. You always look at what other companies are doing, but then you look if there are still some companies that do the same as you and then you decide upon that. Like how you tried to cover your lack of "security", by stating things like other sites aren't secure, so we don't have to be secure. Even though this solution isn't perfect, it is at least much more secure than it is currently.

I really hope you store your db info encrypted with a hash and salt. And hopefully not just md5.

edit: I just had a look at your Customer Logs page when you log into the WA client area. And I noticed something interesting. You state all the logins with the username, and then you give a part of the login password ending characters. This means, it is highly likely that you don't one-way encrypt (hash) your passwords, and that all the passwords can be decrypted by using the same key.

[Pr⊕phet]

Noted. Thx for the help guys, leave it with us and we'll get it patched up first thing next week.
This has actually sparked some interesting internal discussions around potentially making the entire site https - what are your thoughts on that?

Ahm, I don't understand why you are actually asking this. From the previous posts on this thread, and my previous post. I think you should already have gathered that making everything connect via https is probably the best way to go. Also one of the easiest.

I agree with Centaur, HTTPS is a start but there is a few things you need to do additionally. Waroop were you asking my opinion on it or how to do it?

[zamrg]

Noted. Thx for the help guys, leave it with us and we'll get it patched up first thing next week.

This has actually sparked some interesting internal discussions around potentially making the entire site https - what are your thoughts on that?

IMO, SSL across the entire WA site is overkill - performance vs security.

Why not stick the login form inside an embedded iframe with the target page hosted on SSL?

[Pr⊕phet]

Are we backtracking?

[ranger]

I know that internally they don't store passwords as hashes (anyone in the call center can view any account password in plaintext), but it was quite funny to notice that their mailserver had been specifically modified to only check the first 6 characters of a password (if you put more, they are discarded silently - almost certainly they are not using hashes here either) - some sections of their pages also choke on punctuation. Pretty sure the mailserver still only checks the first 6

There are some old but common password hashes which only store sufficient information to validate the first 8 characters, such as DES (sometimes referred to as crypt). I am not aware of any that only support 6, but if if was 8 characters, then most likely MWEB's mail platform was using crypt.

Unfortunately, upgrading hashes is difficult, especially if the clear-text isn't stored anywhere (as in our case). So, while we don't use crypt anywhere, and don't store clear-text anywhere, we will be working on hash upgrades at some point in the future (after some other projects are completed).

[ranger]

BTW., here is an article I thought might be interesting, regarding the weak account practices of respected companies, that, even though they may have SSL etc. in place, still allow accounts to be compromised with devastating effects.

This is why my primary backup is in my house, under my, and only my, control, and secondary backups are optical media with family.

Cloud is for people who don't care about the security of their data ...

[ranger]

Hi Prophet

The only way to secure that information would be to use SSL. Unfortunately most of our website (except the customer zone) runs on normal http (for performance reasons). This means that we're unable to post to a secure server and read the response due to cross domain scripting limitations.
http://en.wikipedia.org/wiki/Same_origin_policy

Don't run on separate domains.

Web Africa, Axxess and Cybersmart are "insecure" by that standard. The only reasons why the other guys are secure is because they don have a global login.

All of TIs apps are SSL. Yes, we don't have a "global login" at present, but that is because we have been prevented from building a portal because the fixed-line guys want *their* portal to be *the* portal (because they've thrown so much money at it), but haven't been able to support us integrating to them until now.

[ranger]

what about email or IM? Sensitive information is transmitted via those (and many other mediums) almost universally across the internet, and its by and large unencrypted, what can we do about those?

All decent mail applications and platforms support PGP/MIME and S/MIME, and all decent IM protocols (e.g. XMPP) support PGP and/or OTR, and you should use clients that support those if you intend passing any confidentail information over them.

Are you trying to change the subject here? Why?

[Pr⊕phet]

All of TIs apps are SSL. Yes, we don't have a "global login" at present, but that is because we have been prevented from building a portal because the fixed-line guys want *their* portal to be *the* portal (because they've thrown so much money at it), but haven't been able to support us integrating to them until now.

Stupid question... who is this we ?

[coralsea]

There are some old but common password hashes which only store sufficient information to validate the first 8 characters, such as DES (sometimes referred to as crypt). I am not aware of any that only support 6, but if if was 8 characters, then most likely MWEB's mail platform was using crypt.

Yeah, I'm pretty sure it was 6 characters — I don't have a mailbox to test anymore, but it could be 8, which would make sense with 'ol crypt. But given that they have capable mailservers and the ease of setting up things to use stronger hashes if applicable, it still stinks of bad security design and complete lack of proactive attention.

But it doesn't really help that 2 years ago I went to pick up a friend who was doing some work at a call-center and showed me that the main account passwords are just sitting around in plaintext. Things might have changed, but they have never called for old accounts to update their passwords.

One only has to remember their blunder in transferring business accounts a few years back.

Obviously it's tricky to upgrade hashes for infrequent users - but at the same time, it's something that should be promoted and made clear to people. I like knowing that companies which I use are taking logical steps to look after my data and are confident enough to be open about it.

But hey, standard bank don't offer optional SSL for their main pages because its 'bad for the environment' and as such 'irresponsible' and then link a study from 1996 about the additional cpu time required (They also require that you use the link on the non-https front page to access internet banking, failure to do this means they will accept no responsibility for anything going wrong.). Pentium Pro's sure are relevant today Also according to them, XML does not require ampersands within a node to be stored as an entity — it's merely unrelated that their portal chokes on them!

A bag more of those which sadly are too terrible to disclose publicly.

[Pr⊕phet]

I guess WA has gone on vacation for the week.