Relative Sanity

a journal

Everything. Everywhere.

19 June, 2013

I still can’t get into Gmail. My phone and iPads are down (but are restoring). Apple tells me that the remote wipe is likely irrecoverable without serious forensics. I’ve lost more than a year’s worth of photos, emails, documents, and more. And, really, who knows what else.

Email security is important. Just ask Mat Honan, who ended an article on how he got hacked last year with the above quote.

You should really read the article, if only to convince yourself that even the most tech-savvy of us are vulnerable to a sufficiently determined attacker, and that "sufficiently determined" is actually a pretty low threshold these days.

The article itself sparked quite widespread interest in what people could do to safeguard their email. When it comes down to it, if an attacker has access to your email, they have access to your life. With knowledge of a single password, an attacker can read your life's story: they can find out where you bank, where you do business, who your friends and family and pets are, what your home address is, your phone number, your date of birth, maybe the last four digits of your credit card.

More worryingly, think about all the online accounts that are linked to your email address. Once an attacker is in and has changed your email password, they can start hitting all those "forgot your password" links on every one of your online accounts, getting them in and locking you out.

Gaining access to your email is likely the simplest and most robust way to steal your identity. With that in mind, it's critical to ensure your email is as secure as possible.

Shiny! New!

I spent this last weekend setting up a new MacBook for my mum. She's spent the last decade (literally) using the same creaking Samsung laptop, and until this weekend, considered five-minute launch times for Firefox a fundamental fact of nature, like gravity or taxes.

Needless to say, she was bowled over by her new machine. I got her on the network, set her up with access to her web accounts, showed her around her new electronic home, and then squirrelled myself away with her old and new laptops to play the sadistic game that is "setting up her email".

See, I'd played this game before. Her email address is an old address: long, wordy, overly verbose in the way only email addresses from the late nineties can be. She's still accessing email via POP, and her Outlook Express install still gives me shudders.

I knew what to expect as I had previously tried (and failed) to get her email set up on her iPod touch a few years earlier. This time, though, I was going to sort it out.

The principal issue, really, was that I wasn't sure what her password was. I was pretty sure, but every combination and variation I had tried was being rejected. Some googling suggested that the POP mailserver address may have changed, and so this became the focus of my efforts.

Her account started off as a Freeserve account (remember them? Liberators of the dial-up world in the UK, they were: the first dial-up ISP to gain traction with the idea that all you paid for was your phonecall!), who then got bought by Wanadoo, who then consolidated their brand under sibling Orange. It's an Orange broadband box that now sits in her house.

So digging around suggested a variety of alternatives, but none worked. I became convinced I had the wrong password: it was the only thing I wasn't really sure of.

We was robbed!

Let's take a quick digression into the world of passwords. In the last couple of years, there have been a number of high profile security breaches at some top names in the online world. These all involved the theft (or suspected theft) of databases of user passwords for these services. In most cases, this resulted in those services advising (or requiring) users to change their passwords to something new.

Now, let's be honest: a leak of user password data is a serious thing. Many users re-use passwords, so although your dad's PlayStation Network password may not seem like a big loss, the fact that it's coupled with his email address means that an attacker has a good chance that his email password will be the same as his PSN password. Boom, your dad is now locked out of his email, and there goes your inheritance.

"But!" I hear you cry, "But surely this is terrible? Doesn't that mean that anyone at Sony who might have access to that database also has potential access to every customer's email account?"

Well, no: not really.

First of all, big corporations like Sony likely have processes and procedures in place to ensure that only people who need to access that data can access that data. This might not seem reassuring, but the point is that any employee who tried to do Bad Things would likely be caught very quickly.

Secondly, though, even if an employee did evade detection (or the database was leaked and made public), the passwords themselves should be stored in such a way that nobody with access to that data can simply read them out of the database.

"But" you interrupt again — really, where are your manners? "But in that case, if my password can't be retrieved, how does it know I have the right one when I log in?" A good question, and one that has a simple enough answer.

Maths is like violence: if it's not working, you're not using enough of it

Imagine your password is super-secure:

123456

Now, let's say I "encrypt" it by taking each digit, tripling it, and replacing it with the last digit of the result:

  • 1 becomes 3
  • 2 becomes 6
  • 3 becomes 9
  • 4 becomes 12 => 2
  • 5 becomes 15 => 5
  • 6 becomes 18 => 8

So now we have:

369258

Finally, I take the last two even numbers and replace them with dashes:

369-5-

This is what I store in the database. Now, when you log in and use your password, I can run your attempted password through the same process, and compare the result. If they are equal, you're in.

Here's the beautiful thing: even if an attacker gets hold of these records, there is no way for them to read the original passwords back out of them. And if they get hold of the recipe I used to generate the records, they still can't run it backwards to get the original, because the recipe intentionally loses data. The technical term for such a recipe is a "one-way hash function", and the stored value is a "hash".

The only thing our attacker can do is start throwing attempts into the recipe one at a time and compare the outputs:

  • 000000 => 0000-- dammit
  • 000001 => 000--3 dammit
  • 000002 => 0000-- dammit

and so on. This doesn't hand them the passwords: they are back to guessing, one candidate at a time, and checking each guess against the stored value. (Guessing against a stolen database is quicker than guessing against a live login page, which is why the hashes used in real systems are deliberately made slow to compute, but it is still guessing rather than reading.)

Now, there are a couple of issues with the simple recipe I'm using here (for example, it's easy to see that some different passwords produce the same stored value, and it only copes with digits): take my word for it that there exist recipes that don't have these drawbacks but keep all the benefits. Those recipes are in widespread use, and using them is essentially trivial if you're a programmer building an authentication system.

And please remember that this is an illustration: it is a bit more complicated than this in real life, but hopefully you're convinced.

Update: it was pointed out to me that I should really link to Jeff Atwood's classic You're probably storing passwords incorrectly so that those who want more than an illustration can find it. Duly linked.

Anyway, the takeaways are:

  • there exist ways to build fully functional user authentication systems where the passwords are essentially unreadable by anyone;
  • these ways are simple to implement and in widespread use;
  • no one-way hashing system is perfect, but even a weak one like the one above can significantly slow down attackers; and
  • there are really no reasons not to hash passwords, given the huge security wins achieved by doing so.
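As an added example (not code from the original post), here is the toy recipe above written out exactly as described, alongside the way a real authentication system does the same job using only Python's standard library. The toy part lets you see the collisions and the guess-and-check attack for yourself; the real part stores a salted, deliberately slow PBKDF2 hash and checks a log-in attempt by re-running the recipe. The choice of PBKDF2-HMAC-SHA256, the iteration count, the record layout and the sample passwords are this example's assumptions, not anything the post prescribes.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from itertools import product

# ---------------------------------------------------------------------------
# Part 1: the toy recipe from the post, exactly as described.
# ---------------------------------------------------------------------------


def toy_hash(password: str) -> str:
    """The illustrative recipe: triple each digit, keep the last digit of the
    result, then replace the last two even digits with dashes."""
    if not password.isdigit():
        raise ValueError("the toy recipe only handles all-digit passwords")
    # Step 1: 4 -> 12 -> 2, 6 -> 18 -> 8, and so on. On its own this step is
    # reversible: each of the ten digits maps to a different output digit.
    digits = [str((int(d) * 3) % 10) for d in password]
    # Step 2: dash out the last two even digits. This is the step that throws
    # information away, and therefore the step that makes different passwords
    # collide on the same stored value.
    dashed = 0
    for i in range(len(digits) - 1, -1, -1):
        if dashed == 2:
            break
        if int(digits[i]) % 2 == 0:
            digits[i] = "-"
            dashed += 1
    return "".join(digits)


def guess_toy(stored: str, length: int) -> list[str]:
    """What an attacker holding the database and the recipe actually does:
    run every candidate through the recipe and keep the ones that match.
    Returns every match, because collisions mean there may be several, and
    any one of them would pass the log-in check."""
    return [
        "".join(p)
        for p in product("0123456789", repeat=length)
        if toy_hash("".join(p)) == stored
    ]


# ---------------------------------------------------------------------------
# Part 2: the same idea done properly, with only the standard library.
# PBKDF2-HMAC-SHA256, the iteration count and the record layout are this
# example's choices (assumptions), not something the post specifies.
# ---------------------------------------------------------------------------

ITERATIONS = 600_000  # deliberately slow: raise until one check costs ~0.3s


def make_record(password: str, salt: bytes | None = None) -> str:
    """Return the string a service stores instead of the password.

    The salt is random per user, so two users with the same password get
    different records and an attacker cannot precompute one table for all."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(record: str, attempt: str) -> bool:
    """Log-in check: run the attempt through the same recipe (same salt and
    iteration count, read back from the record) and compare the results."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: a plain == would let response timing leak how
    # many leading bytes of the digest an attacker has already got right.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(toy_hash("123456"))          # 369-5-
    print(toy_hash("123458"))          # also 369-5-: a collision
    print(guess_toy("3-9-", 4))        # every 4-digit password that stores as 3-9-
    record = make_record("correct horse")  # constructed sample password
    print(record)                      # no trace of the password in here
    print(check_password(record, "correct horse"))  # True
    print(check_password(record, "wrong horse"))    # False
```

Running it shows the two halves of the argument: `guess_toy` finds 25 four-digit passwords that all store as `3-9-`, so the toy recipe both collides and falls to a tiny brute force, while the PBKDF2 record contains nothing an attacker (or a support agent) could read the password back out of, and the only remaining attack is slow, salted guessing.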

Sorry, why do you need to know that?

So back to my mum's new laptop. I started hunting around for a password reset system: I still had my mum's Outlook Express installation running just fine and picking up email, so I figured I could use that to retrieve a password reset email if needed. When nothing presented itself after a few minutes' searching, I gave in and phoned the support number stuck to the side of the Orange modem.

My first attempt was abortive. The call centre girl was nice enough, but clearly didn't understand what I wanted. I asked her to confirm the POP server address I should be using for my account, and if she could reset the password in some way. Before long, she was getting me to download some Java applet so she could screen share and find out what the matter was. I wasn't far from thanking her for her help and taking a break when the phone suddenly cut out.

I can't deny being a little relieved.

I should confess something here. The internet account is still in my Dad's name. This is a little awkward, given recent events, but it did mean that I was able to provide his address, date of birth, and confirm myself as "Mr Barrett" when running through the security questions with the call centre.

Anyway I called back, this time determined to keep things simple. After the security checks, I asked the young-sounding guy if he could confirm the address I should be using to connect my email client to their POP server. He confirmed the one I had been using, which meant the passwords I had been trying were wrong after all. I then said that I wasn't sure if I had the right password, and wondered if there was a way to have that reset. I braced myself for some arcane process involving them posting out a form that we had to sign and fax back before they'd send some reset code we had to type in to a website before being able to choose a new password.

"I think I must be using the wrong password, then. Is there a way to reset it?"

"Of course sir. I can help you with that. What password are you trying to use?"

"Um, why do you need to know that?"

I'm a little freaked out by this. I'm not really comfortable telling him what I'm using, and tell him so. Remember what I said earlier about reusing passwords?

"I just want to see if it's the right one sir. What password are you trying to use?"

"I'm not sure I'm comfortable telling you that…"

"Is it XXXXXXXX, sir?"

"…"

"Sir?"

So here we are. I've phoned up a call centre, given my mum's email address, my dad's name and postal address and date of birth, and claimed not to remember my password, and this guy reads it out to me over the phone.

Worst. Security. Ever.

Let's take a step back here. There are two things wrong with this picture, and the most obvious is the least worrying: this guy has just told a complete stranger my mum's email password after asking minimal security questions, and with virtually no prompting.

It's perhaps easy to get caught up in this aspect of things: this is a training issue, security should be beefed up, this should not be information that can be disclosed so easily and so on. It's also possible that the call centre was able to detect that I was phoning from the same line over which they're providing broadband to my mum.

But that's missing the point.

The real point here is that nobody but the user needs to know their password. If a member of staff can read it back to a caller, it isn't being stored as a one-way hash, and every copy of that database, every backup, and every screen a support agent can see is a list of readable passwords. At that point all bets are off.

In short:

"I'm sorry, why do you have access to my password?"

"Oh, don't worry sir: we have access to all our customers' passwords: it's not just your password"

"…"

"Sir?"

Joining the dots

I'm not sure what I did next. I think I checked that the password he'd given me was valid. It turns out it was. I think I hung up after that. I remember thinking I should probably change the password, then thinking there wasn't really much point.

What did stick, though, was that I'd phoned Orange's support line, but they hadn't said "Orange support" when I rang: it was EE—Everything Everywhere—and I remember that they had taken over the Orange and T-Mobile brands last year.

I pinged @ee on twitter to ask them about this whole thing, but they seemed reluctant to do much more than offer a discussion via direct message. I'm not sure what I expect them to say: it's a bit like asking the barn door for a statement when everyone can see the horses galloping off into the sunset.

My memory nagged at me, though: EE, direct messages, twitter, password security… I felt sure I'd read this story before.

Turns out I had. Last December, EE was responding to customers on twitter who needed to reset their passwords by offering to send them via direct message on twitter. This, clearly, is a terrible idea, and suggested that EE had direct access to users' passwords.

Looks like we just joined the dots: EE support staff have direct, unrestricted access to their customers' email passwords in readable form. Whatever they are storing, it isn't a one-way hash.

And we've already agreed that's a bad thing, yes?