Sunday, December 13, 2009

YAMMERing about security

Recently some colleagues signed up for using Yammer (yammer.com).
Perhaps a little paranoid, I decided to register myself in order to have a look at the security they provide. After all, I'm supposed to do some sort of monitoring and control, and provide reasonable advice on security issues affecting me, colleagues, friends and customers, as well as providers of various services.

What is Yammer?
Yammer describes their service as "enterprise microblogging". Think of it as a combination of Facebook and Twitter (if you've tried those services). The ability to "microblog", create groups of users, topics for discussion etc. is really a good idea for releasing creativity and helping co-workers find each other and collaborate.

Free to use, like many other similar services, but if you want additional features, including security (and some control of it), you have to pay. Really not a bad business concept: try it for free, and if you like it you can keep using the basics for free or pay a monthly fee per user to get the whole range of features.

Your e-mail address is your username, and if this is to be used for work purposes you really need to use your work e-mail. From my perspective it means that if somebody tells me they're using Yammer, I instantly know their logon id. All that is left to figure out is their password to gain unauthorized access.

So Yammer, how's your default password policy? Here's a screenshot:

[Screenshot: Yammer's default password policy]

Uh... Yeah, and? That's it? Nothing else?
Well, the length requirement is correct, I'll give them that. However (for the free version):

1. There are no complexity requirements
abcde or 12345 work perfectly as your password

2. There's no password history
You can use the same password over and over - if you decide to change it in the first place.

3. There doesn't seem to be any account lockout
I tried 10-15 incorrect passwords; the account still worked after that with the correct password.

Of course, this applies to the free version of Yammer. If you choose to pay either USD 3,- or 5,- (silver/gold) per user per month, you can probably change some or all of these parameters yourself (I haven't paid, so I haven't seen any documentation for it...)

In my opinion this is a serious breach of good practice recommendations for password policies, where 8 characters is the typical minimum length, along with complexity requirements (upper/lowercase + numbers or special characters), as well as some sort of history and a required password change frequency. (Do they ever delete any accounts due to inactivity?) Anyway, you get what you pay for, so no violations here from a legal perspective. Be aware of this one though:
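To make the three findings and the recommended policy above concrete, here is an added example in Python (my own illustration for this post, not Yammer's code): a small policy checker that models the free-tier behaviour described above (length 5, nothing else) next to the recommended one (8+ characters, mixed case plus a digit or special character, a password history and a rotation interval). The class and constant names, the PBKDF2 round count and the sample password history are all assumptions made for the example; history entries are stored as salted hashes, never as plaintext.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Sequence, Tuple

# A stored history entry is (salt, PBKDF2 digest); the plaintext is never kept.
HistoryEntry = Tuple[bytes, bytes]
PBKDF2_ROUNDS = 50_000  # assumed value for the example; tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 digest, suitable for a password history store."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password: str, history: Sequence[HistoryEntry]) -> bool:
    """True if the candidate equals any previous password (constant-time compare)."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    require_mixed_case: bool = True
    require_digit_or_special: bool = True
    history_size: int = 5      # 0 disables the history check
    max_age_days: int = 90     # 0 disables forced rotation

    def violations(self, password: str, history: Sequence[HistoryEntry] = ()) -> List[str]:
        """Return every rule the candidate breaks; an empty list means compliant."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"too short: {len(password)} < {self.min_length}")
        has_upper = any(c.isupper() for c in password)
        has_lower = any(c.islower() for c in password)
        has_digit = any(c.isdigit() for c in password)
        has_special = any(c in string.punctuation for c in password)
        if self.require_mixed_case and not (has_upper and has_lower):
            problems.append("must contain both upper and lower case letters")
        if self.require_digit_or_special and not (has_digit or has_special):
            problems.append("must contain a digit or a special character")
        # Only the most recent history_size entries count, as a typical history rule does.
        if self.history_size and in_history(password, history[-self.history_size:]):
            problems.append(f"reuses one of the last {self.history_size} passwords")
        return problems

    def needs_rotation(self, last_changed: datetime, now: datetime) -> bool:
        """True if the password is older than max_age_days."""
        if not self.max_age_days:
            return False
        return now - last_changed > timedelta(days=self.max_age_days)


# Models the free-tier policy the post describes: minimum length 5 and nothing else.
YAMMER_FREE_2009 = PasswordPolicy(min_length=5, require_mixed_case=False,
                                  require_digit_or_special=False,
                                  history_size=0, max_age_days=0)
# The post's recommendation: 8+ chars, mixed case plus digit/special, history, rotation.
RECOMMENDED = PasswordPolicy()


if __name__ == "__main__":
    # Constructed sample history: two hashed previous passwords for one user.
    history = [hash_password("Winter-2009!"), hash_password("Spring-2009!")]
    for candidate in ("abcde", "12345", "Winter-2009!", "Correct-Horse9"):
        print(f"{candidate!r:18} free: {YAMMER_FREE_2009.violations(candidate, history) or 'ok'}")
        print(f"{'':18} recommended: {RECOMMENDED.violations(candidate, history) or 'ok'}")
```

Running it shows "abcde" and "12345" sailing through the free-tier policy while the recommended policy lists three violations for each, and a reused password being caught by the history check even though it is otherwise strong.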

[Screenshot: data ownership statement from Yammer's silver/gold features page]

The screenshot is taken from the page describing their silver and gold features. Essentially Yammer claims ownership of anything and everything you post on their service (...), until you pay their monthly fees. THEN you are considered the owner of the data posted by your users on Yammer.

Getting serious with YAMMER
So you've tried Yammer for some time, and you decide to use it with all the bells and whistles of the paid subscription options. Of course you want to take care of security as well, setting your own password policy among other parameters. Well, I've documented numerous times that changing your written and your implemented policy doesn't automatically fix all the non-compliant passwords overnight.

What you essentially will have to do is force a password change overnight for all users in order to become compliant with your policy. Well, people are on leave for many reasons, you have inactive users etc. (which you must pay for anyway), so the initial password problem will stay with you for a LOOONG time after signing up for the paid service. All that because Yammer in the first place didn't have anything near a decent good practice password policy implementation for your users in the free version. Well worth YAMMERING about, I would say.

So dear YAMMER, here's some advice for free:

1. Inform all existing and new users about the current policy
...and the risks associated with it

2. Implement a common "best practice" password policy
Applies to both the free version as well as your silver/gold subscriptions

3. Enforce a change of all (non-compliant) passwords
To ensure the security of all users and accounts. Tip: reserving the right to do password audits for internal security monitoring may be an idea - protect your customers!

Yes, I do know that number 3 here is kind of radical and may cause quite a bit of yammering, but that's the cost of starting out with bad security and then trying to fix it afterwards. (Been there, done that.)

... And now I'll change my abcde password into something which should be good enough. :-)

--
End note: initially, when I signed up for Yammer just a few months ago, their password length requirement was 1 (one) single character. After I put out a Tweet (on Twitter...) complaining about this serious lack of security, they responded very quickly and changed their minimum/default policy to a length of 5 characters approx. 2 weeks later. Will they respond to this blog posting as well?

3 comments:

  1. One clarification that should be made is that even for the Basic/Free account Yammer does not make any claims on data ownership. It is either owned by the individual employees (at the free level) or the company (at the paid level).

    It states in the Yammer privacy policy: "Companies who claim their network own the User Content created by their employees. Until that point, Users own their own User Content. Yammer does not own User Content."

    https://www.yammer.com/company/privacy

  2. Once a company claims their network they are able to set significantly more secure password policies, which include a larger minimum password length with complexity requirements, a password history, as well as requiring users to change their password periodically.

    Here is a screenshot of the password settings for claimed networks.
    http://twitpic.com/tewdp

  3. Also, to address your other concern about password lockout. Password lockout is not a good solution for Yammer for a couple of reasons. First, since Yammer is an Internet facing service, it would be very easy for an external attacker to perform a denial of service attack against a company’s Yammer network, by locking out all their employees. All they would need is a list of email addresses. Second, under the free version of Yammer there is no administrator to unlock accounts, so you’d need to have the account automatically re-enabled after some period of time, which is not really account lockout, but login attempt throttling.

    Yammer does use a login attempt throttling mechanism for all accounts, both free and paid, to mitigate against password brute-force attacks. We actually use an exponential backoff algorithm, that increases the lockout period exponentially the more bad password attempts are made, so a brute force attack of even a few thousand passwords wouldn’t be possible in any reasonable amount of time.

    So given this fact, I fail to see why an 8 character password minimum is much better than a 5 character password minimum. 5 characters gives over 2.3 trillion possible password combinations. Unnecessarily requiring longer and more complex passwords can in some cases reduce security, since it forces users to write down their passwords or reuse the same password across multiple services in order to remember it.

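The exponential backoff throttling described in the comment above, as an added example in Python (not Yammer's implementation, and not part of the original post or comments): a per-account throttle whose wait doubles after every failed attempt, capped at a maximum, and which clears itself on a correct password so no administrator is needed to unlock anything. The base delay of 1 second, the factor of 2 and the 1 hour cap are assumed parameters chosen for the illustration; the fake clock lets the guesses_possible simulation count, without actually sleeping, how many wrong guesses fit in one day under such a throttle compared with a flat one-second delay.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class _AccountState:
    failures: int = 0
    not_before: float = 0.0  # clock reading before which attempts are refused


class LoginThrottle:
    """Per-account exponential backoff: each failed attempt lengthens the wait before the next."""

    def __init__(self, base_delay: float = 1.0, factor: float = 2.0,
                 max_delay: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        # Parameter values are assumptions for the example, not a vendor's settings.
        self.base_delay = base_delay
        self.factor = factor
        self.max_delay = max_delay
        self.clock = clock
        self._state: Dict[str, _AccountState] = {}

    def retry_after(self, username: str) -> float:
        """Seconds the caller must still wait; 0.0 means an attempt is allowed now."""
        st = self._state.get(username)
        return 0.0 if st is None else max(0.0, st.not_before - self.clock())

    def record_failure(self, username: str) -> float:
        """Register a wrong password and return the delay imposed before the next attempt."""
        st = self._state.setdefault(username, _AccountState())
        st.failures += 1
        delay = min(self.base_delay * self.factor ** (st.failures - 1), self.max_delay)
        st.not_before = self.clock() + delay
        return delay

    def record_success(self, username: str) -> None:
        # The account is never "locked": a correct password after the wait clears the counter.
        self._state.pop(username, None)

    def login(self, username: str, password: str,
              verify: Callable[[str, str], bool]) -> str:
        """Gate a login attempt: 'throttled', 'rejected' or 'ok'."""
        if self.retry_after(username) > 0:
            return "throttled"  # refuse without even evaluating the password
        if verify(username, password):
            self.record_success(username)
            return "ok"
        self.record_failure(username)
        return "rejected"


class FakeClock:
    """Deterministic clock so the simulation runs instantly and repeatably."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def guesses_possible(window_seconds: float, **throttle_kwargs) -> int:
    """Wrong guesses one account can absorb within window_seconds when the guesser
    always waits exactly as long as the throttle demands (the best case for a guesser)."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock, **throttle_kwargs)
    guesses = 0
    while True:
        wait = throttle.retry_after("victim")
        if clock.now + wait > window_seconds:
            return guesses
        clock.advance(wait)
        throttle.record_failure("victim")
        guesses += 1


if __name__ == "__main__":
    day = 24 * 3600
    print("guesses per day, exponential backoff:", guesses_possible(day))
    print("guesses per day, flat 1 s delay:     ",
          guesses_possible(day, factor=1.0, max_delay=1.0))
    # Constructed credential check standing in for a real password-hash verification.
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    verify = lambda user, pw: (user, pw) == ("alice", "Correct-Horse9")
    print(throttle.login("alice", "wrong", verify))           # rejected
    print(throttle.login("alice", "Correct-Horse9", verify))  # throttled (too soon)
    clock.advance(throttle.retry_after("alice"))
    print(throttle.login("alice", "Correct-Horse9", verify))  # ok
```

With these parameters an account absorbs only 35 wrong guesses in 24 hours, against 86401 with a flat one-second delay, which is the point the comment makes about a few thousand guesses being impractical. The same simulation also shows the trade-off the comment raises: anyone who keeps failing against a known username keeps the throttle engaged for that account's real owner as well, which is why the wait is capped and cleared on success rather than being a permanent lockout.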
