Sunday, January 09, 2011

No good security @StepStone Solutions!

ERRATA:
I've received a reply to this blog post by private e-mail (Thx Pål!), and I will update it to reflect the difference between the two separate companies StepStone and StepStone Solutions. Erroneous text/links have been changed to strikethrough italics, while new text is written in blue.

I got an e-mail just before the new year from noreply@easycruit.com, a service from StepStone Solutions. It reminded me that I hadn't changed or updated my CV in their database for 6 months. They recommended that I update it, otherwise they would delete it in two weeks. The e-mail also gave me my current username and password - in cleartext:

(Screenshot of the e-mail. Forgive me for my censorship here :-) Text in Norwegian.)
Now, for those of you who have been following this blog for some time, you might have seen some references to RFC3207, an RFC specifying the use of STARTTLS for automated, opportunistic and user-transparent encryption of SMTP traffic between mail servers. With the incredible help and efforts from my friend and colleague Jan Fredrik (KluZz), we (our employer) even released a survey in April 2010 that made some headlines in Norway.

Not that this one matters much, but inspecting the mail headers showed what is still the standard for most Internet mail today, namely clear-text transmission:

(E-mail received from sending-only SMTP server with ESMTP, no SSL/TLS encryption)
To save you the lookup, the 62.209.53.0/25 range is used by Stepstone, as a customer of Telecity.com.
So here I am: I had not forgotten my password or taken any other action that could somehow justify sending my complete login credentials, all the information required to compromise my account at Easycruit / StepStone, through unencrypted e-mail.
Now, let's play the game of risk analysis first.
Of course, as a security professional, I would hope and believe that StepStone are doing their part in this area. My CV isn't that valuable, is it? At least not worth protecting like a secret, right? You can find parts of it publicly available at Linkedin.com/in/thorsheim anyway. Somebody messing it up, would that be much of a problem? Well, as with many other online things, NO, not really, just ... annoying. At least for me. On the other side: many Human Relations departments love to say that their most important asset is their employees, so do they really want all CVs from applicants and employees to be easily accessed, copied and stolen?

How does my employer - any employer - look when recruiting security professionals (and others), asking them to register their application through a system that is fundamentally flawed on the security side? It may be hard to put a monetary value on your public image, but this certainly doesn't help on the positive side.

--

Easycruit is an online recruitment tool, a product that corporations can purchase and customize for their own purposes, at least as far as I can interpret their info page. I got this e-mail because my employer uses Easycruit, and I registered my CV there earlier.

Looking at bullet 11, data security, in their privacy policy (translation from NO to EN), they use SSL, firewalls, monitoring and manual security procedures to safeguard my privacy. Looking at their privacy policy (under "Data Security"), they seem to have copied the policy from StepStone and removed parts of it, and we're left with even fewer details that they can be held responsible for. Unlike Stepstone, they do not list any particular person or e-mail address as responsible for questions on their privacy policy.

For registration and password reset issues, I can understand the need for sending a one-time password (OTP) in unencrypted e-mail. Not the best way, but sometimes the easiest, cheapest and only solution available. But I have changed my password, and yet, for no good reason, they seemingly store it unencrypted in their systems, or at least decrypt it before sending it to me!

So dear StepStone Solutions: With this blog post I ask you to remove my profile and any associated data ASAP, including removing me from any mailing lists or other services where you have registered me. I will of course also notify you about this in accordance with your privacy policy, by calling you by phone since you don't have a specific e-mail address listed, and send the same request using unencrypted e-mail to the contact listed by you.


I will also notify my employer about these issues, and strongly recommend that they demand a meeting with you, requesting actions and time frames for implementing them. If this cannot be done within a reasonable time and free of charge to my employer, I will recommend ending any agreements they may have with you and seeking other providers of similar services - AND a better security level.

--
Addendum, Monday 10 January 2011:
In the reply I got by e-mail, I also received a link to this page at StepStone: Fordi din sikkerhet teller ("Because your security matters"). 


Basically they are saying that from some point on (unknown date, probably somewhere in 2010), you won't be able to log in if your password was less than 3 characters in length. From this point on your password must be at least 4 characters in length, passwords will be case-sensitive, and their service now has a password strength meter for when you change your password. (Read my earlier blog post: Never trust password meters!)


Of course I couldn't resist (today, Jan 10, 2011), so I chose to reset my password from the link provided on this web page. After typing in my correct e-mail address, I got an e-mail with an HTTPS link, valid for 30 days, to change my password.
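As an added illustration of the two points above, that a service which can mail you your password must be keeping it in recoverable form, and that a reset link is the alternative, here is a minimal credential store that cannot reproduce the password at all (example code, not Easycruit's or StepStone Solutions'; the class and method names are assumptions, and the token lifetime is a parameter where the post observed 30 days):

```python
import hashlib
import hmac
import os
import secrets
import time
# Added example, not Easycruit's or StepStone Solutions' code; names are
# assumptions. Only a salted PBKDF2 digest is stored, so no code path can
# mail the password back; a reset carries a random, expiring, one-use token.
ITERATIONS = 200_000

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class UserStore:
    def __init__(self):
        self.users = {}         # email -> (salt, digest); no plaintext anywhere
        self.reset_tokens = {}  # token -> (email, expires_at)

    def set_password(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[email] = (salt, _digest(password, salt))

    def verify(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(_digest(password, salt), stored)  # constant time

    def issue_reset_token(self, email: str, ttl_seconds: int, now=None):
        """Token for the reset link, or None for an unknown address (send the
        same neutral message either way, so addresses cannot be enumerated)."""
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (email, now + ttl_seconds)
        return token

    def redeem_reset_token(self, token: str, new_password: str, now=None) -> bool:
        entry = self.reset_tokens.pop(token, None)  # one use, whether valid or not
        if entry is None:
            return False
        email, expires_at = entry
        now = time.time() if now is None else now
        if now > expires_at:
            return False
        self.set_password(email, new_password)
        return True
```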


They only require 4 characters (1234 is accepted), but it's labeled "insecure". The other ratings are low, medium, strong and very strong, and my PCI-DSS compliant super-duper password Password1 gets a STRONG rating:




No wonder I say you shouldn't trust password meters.
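To show why a meter that only counts length and character classes rates Password1 as strong while accepting 1234, here is an added example (my own illustration, not StepStone's code or their actual algorithm): a model of such a meter next to the cheap structural checks that catch both. COMMON_WORDS is a constructed five-entry stand-in for a real common-password list.

```python
import re

# Added example, not StepStone's code: a class-counting meter of the kind
# the post describes, beside the pattern checks such meters skip.
# Constructed, tiny stand-in for a real list of common passwords.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "summer"}
LABELS = ["insecure", "insecure", "low", "medium", "strong", "very strong", "very strong"]

def naive_meter(pw: str) -> str:
    """Scores only length and character variety; a model of the post's meter,
    not StepStone's actual algorithm."""
    if len(pw) < 4:
        return "rejected"  # the post's 4-character minimum
    score = sum([
        len(pw) >= 8,
        len(pw) >= 12,
        bool(re.search(r"[a-z]", pw)),
        bool(re.search(r"[A-Z]", pw)),
        bool(re.search(r"[0-9]", pw)),
        bool(re.search(r"[^A-Za-z0-9]", pw)),
    ])
    return LABELS[score]

def weaknesses(pw: str) -> list:
    """Cheap structural checks that catch 'Password1' and '1234'."""
    found = []
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,4})", pw)
    if m and m.group(1).lower() in COMMON_WORDS:
        found.append("dictionary word with digits appended")
    if pw.isdigit() and len(pw) >= 3 and all(
            int(b) - int(a) == 1 for a, b in zip(pw, pw[1:])):
        found.append("sequential digits")
    if len(pw) >= 3 and len(set(pw)) == 1:
        found.append("single repeated character")
    return found

def rate(pw: str):
    """Meter label next to the verdict a pattern check would give."""
    label = naive_meter(pw)
    found = weaknesses(pw)
    verdict = "reject" if label == "rejected" or found else "allow"
    return label, verdict, found
```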


I'm thankful for the clarifications received by e-mail. Considering the additional information provided as well, I'd say my overall impression of StepStone's password security didn't change much for the better. As for StepStone Solutions... well, I'm looking forward to any reply you may provide.

1 comment:

  1. Some years ago I participated in a focus group. In the focus group, it became clear that a large Norwegian company planned to convert your customer relation with them to a household account. Their product was intended to be shared and used by all members in the family.

    Not a good practice without asking the customer, but that's not the worst part.

    They planned to first merge the customer accounts into one account, then inform the new customer, the household. And to make the process easy for the customer, they would pick one logon and password from the old accounts and include it in the letter sent to the household!

    I got pretty upset but no one else in the focus group seemed to react. Until I said, "what if I have my old girlfriend's name in my password? I wouldn't like you to show that to my current wife." There was silence for a short while before they said, "We didn't think about that".

    I'm still a customer of this company, and I have not been sent my password from them either.

