Tuesday, August 14, 2012

Is the Help Desk the New Perimeter?

    Unless you've been under a rock, you've read about the unfortunate hack of tech jounalist Mat Honan's home iPhone, iPad, Mac, Gmail, iCloud, Amazon and Twitter accounts (not necessarily in that order).  You can read the details in Mat's Wired article here.  Also, some great twit.tv podcast coverage on TWIT, TWIG and Security Now!.

   I won't rehash what others have said on this matter.  But I do have a couple of different thoughts.  A number of people have written takes on what you should do to protect yourself.  I have some thoughts on this that I'll share in a future post.

   The goal of the hack was to take over Mat's @Mat twitter account.  To accomplish this, processes at Google, Amazon, but mostly Apple were exploited.  These process-hacks, exploited weaknesses in the authentication mechanisms available through live and automated help-desk functions.

   The most basic process that is vulnerable is the ability to click on a "forgot my password" link and receive either your old password (very bad!) or a link to change your password.  This message comes to an email address you registered with the site.  When you register the address, most sites will have you prove you have access to it by emailing a link.  You need to have the access to the email account to receive that link.  Of course, if you can somehow add an email address you own to an online account you don't own, you can own the account.  This is what happened through Amazon.  Simply by knowing the account owner's name, an authorized email address and billing address the hacker added a (fake) credit card to the account.  Then immediately calling back and providing the name, billing address and last four digits of a credit associated with the account (the one provided minutes before) allowed the adding of a (hacker-owned) email address to the account.  Now, the "forgot my password" link can be used to change the password on the account.  Owned.

   Another key process vulnerability is secret questions.  Often a site will ask one or more questions for which you need to provide answers at registration time.  These include things like: where were you born?; on what street did you grow up?; what was your HS mascot?; what was the make of your first car?, etc.  Sometimes you choose the questions off of a list.  Sometimes you can write in your own question.  You can always write in your own answer.
   This process has a number of vulnerabilities.  First and foremost, the answers to many of these questions can easily be looked up, for instance, on your Facebook page.  In fact, there are those Facebook quizzes in which people are asked to list some kind of favorite thing or other personal info, all of which can be used to figure out answers to security questions.  Also, users often don't remember their answers to secret questions.  So even though they are asked, some help desk personnel skip them if the customer is unable to provide an answer.

   So is the help desk the new perimeter?  In security, we consider the perimeter to be a process or device (or perhaps physical gate) that is in the space between what we can (or should be able to) control and what we can't.  The help desk uses internal systems and processes we control, to help customers (who we don't control).  But there is always a delicate balance between security and convenience.  The help desk is measured on their ability to help customers.  Help desk personnel want to help.  And this might involve skipping steps in a process.

   Now let me be clear that I am not bashing help desk workers.  There are very dedicated people who work on help desks.  It's a hard job!  Most users are not happy when calling for support.  The help desk workers must work through a flood of questions, extract information to find out what the customer's real issue is and figure out a solution... all as quickly as possible and, hopefully, with a smile.  If any shortcuts are taken, it's usually in the name of customer service... and that can lead to trouble.

   Does your workplace have a help desk?  What kind of processes are in place?  Does your security team review these processes? ...test these processes?  What creative methods to you use to authenticate help desk inquiries?

   Perhaps the help desk isn't itself the new perimeter, but is a key component in a complicated multi-layered perimeter?  What do you think?

No comments:

Post a Comment