The DigiNotar breach (“Operation Black Tulip”) is likely to be a watershed in Internet security, and possibly in how we perceive cyberwar. But one lesser point may get lost: how vulnerable we are when a single username and password unlocks every Google service.
Not only does that single account give access to email, and through email to any other account that uses the address for password recovery (or as the sign-in itself, as with Chrome web apps), but it also opens up documents, photos, location information, contact lists and chat records within the Google domain.
This from the Fox-IT preliminary report on the breach:
The list of IP-addresses will be handed over to Google. Google can inform their users that during this period their e-mail might have been intercepted. Not only the e-mail itself but also a login cookie could have been intercepted. Using this cookie the hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored e-mails. Besides that, he is able to log in all other services Google offers to users like stored location information from Latitude or documents in GoogleDocs. Once the hacker is able to receive his targets’ e-mail he is also able to reset passwords of other services like Facebook and Twitter using the lost password button. The login cookie stays valid for a longer period. It would be wise for all users in Iran to at least logout and login but even better change passwords.
Worth thinking about spreading one’s services across several accounts, and resisting the urge to use a Google account as the sign-in for third-party services.
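The report’s advice, that a captured login cookie keeps working until the victim logs out and that a password change is better still, depends entirely on how the server honours the cookie. The following is an added example (not from the Fox-IT report, from Google or from this post) that models the two usual designs in Python: a stateless HMAC-signed cookie, which nobody can revoke once a copy has been captured, and server-side sessions, where logging out kills one session and a password change kills them all. The user name, the two-week lifetime and the “two cookies captured in transit” scenario are constructed for illustration.

```python
import hashlib
import hmac
import secrets

LIFETIME = 14 * 24 * 3600   # two-week cookie, a "longer period" as in the report (value assumed)


class StatelessCookies:
    """Cookie = user:issued_at:HMAC. The server keeps no per-session state, so a
    copy captured in transit replays until it expires: logout has nothing to revoke."""

    def __init__(self, key: bytes):
        self.key = key

    def _tag(self, body: str) -> str:
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, now: int) -> str:
        body = f"{user}:{now}"
        return f"{body}:{self._tag(body)}"

    def user_for(self, cookie: str, now: int):
        try:
            user, issued, tag = cookie.split(":")
        except ValueError:
            return None
        if not hmac.compare_digest(tag, self._tag(f"{user}:{issued}")):
            return None                      # forged or tampered
        return user if now - int(issued) <= LIFETIME else None

    def logout(self, cookie: str) -> None:
        pass   # the browser forgets its copy; the attacker's copy is unaffected

    def change_password(self, user: str) -> None:
        pass   # no per-user state to bump, so the stolen cookie still verifies


class ServerSessions:
    """Opaque random token looked up in a server-side table. Logout deletes one
    row; a password change bumps a per-user generation so every older session dies."""

    def __init__(self):
        self.sessions = {}       # token -> (user, issued_at, password_generation)
        self.generation = {}     # user  -> current password generation

    def issue(self, user: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now, self.generation.get(user, 0))
        return token

    def user_for(self, token: str, now: int):
        row = self.sessions.get(token)
        if row is None:
            return None
        user, issued, gen = row
        if now - issued > LIFETIME or gen != self.generation.get(user, 0):
            del self.sessions[token]         # expired, or issued before the last password change
            return None
        return user

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)

    def change_password(self, user: str) -> None:
        self.generation[user] = self.generation.get(user, 0) + 1


def still_valid(store, cookies, now):
    return tuple(store.user_for(c, now) is not None for c in cookies)


def intercept_scenario(store, now=1_700_000_000):
    """The report's situation: the victim's cookies were captured in transit by the
    man-in-the-middle. Two sessions (say desktop and phone) were both observed.
    Returns, per countermeasure the victim takes, whether each stolen copy still works."""
    user = "victim@example.com"                       # constructed sample user
    stolen = (store.issue(user, now), store.issue(user, now + 60))
    report = {"replayed": still_valid(store, stolen, now + 3600)}
    store.logout(stolen[0])                           # victim logs out on the desktop only
    report["after_logout"] = still_valid(store, stolen, now + 7200)
    store.change_password(user)                       # the report's "even better" advice
    report["after_password_change"] = still_valid(store, stolen, now + 7300)
    report["after_expiry"] = still_valid(store, stolen, now + LIFETIME + 100)
    return report


if __name__ == "__main__":
    for name, store in (("stateless", StatelessCookies(secrets.token_bytes(32))),
                        ("server-side", ServerSessions())):
        print(name, intercept_scenario(store))
```

With the stateless design every stolen copy survives both logout and the password change and dies only at expiry; with server-side sessions, logout kills only the session it was issued for (the other stolen cookie still works), and the password change kills all of them at once. That difference is exactly why the report ranks “change passwords” above “logout and login”.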
A new way to store identities on the Internet, one that saves you from having to type in your passwords all over the web? OpenID, an actually distributed identity system, is
a distributed identity system, but one that’s actually distributed and doesn’t entirely crumble if one company turns evil or goes out of business.
An OpenID-enabled site or blog lets you authenticate using your existing login from your homesite (whether that’s on your own server or a hosted service) without giving away your password to the third-party site you’re visiting, without making a new account there, and without giving away your email address.
And it’s secure, and it can run entirely in the browser, without extensions and without moving between pages.
Worth a look.
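The flow described above, as an added example that is not code from OpenID or from this post: an OpenID 1.1 exchange in Python between a relying party (the blog) and the user’s homesite. The homesite alone checks the password and hands back an assertion signed with the HMAC key the two sides agreed in an association, which the blog verifies locally, so the password never reaches the third-party site. The endpoints, identity URL and password are constructed for illustration; the per-request nonce carried in return_to is the relying party’s own replay protection, not part of the 1.1 protocol, and the association uses a plain (non-Diffie-Hellman) session for brevity.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_ENDPOINT = "https://idp.example/openid/server"   # the user's homesite (assumed URL)
RP_RETURN_TO = "https://blog.example/openid/return"   # the OpenID-enabled blog (assumed URL)
ALICE = "https://alice.example/"                      # constructed identity URL


def query(url):
    """First value of each query parameter of a URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def redirect(base, params):
    """Redirect URL carrying openid.* parameters back to `base`."""
    return base + ("&" if "?" in base else "?") + urlencode({"openid." + k: v for k, v in params.items()})


def sign(mac_key, fields, signed):
    # OpenID 1.1: base64(HMAC-SHA1(mac_key, "key:value\n" for each signed field, in order))
    kv = "".join(f"{k}:{fields[k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(mac_key, kv, hashlib.sha1).digest()).decode()


class IdentityProvider:
    """The homesite: it alone checks the password and hands the blog a signed assertion."""

    def __init__(self, users):
        self.users = users      # identity URL -> password (constructed sample data)
        self.assocs = {}        # assoc_handle -> shared MAC key

    def associate(self):
        # openid.mode=associate, plain session: the relying party fetches the MAC key once and keeps it
        handle, key = secrets.token_hex(8), secrets.token_bytes(20)
        self.assocs[handle] = key
        return {"assoc_handle": handle, "mac_key": base64.b64encode(key).decode()}

    def checkid_setup(self, request_url, password):
        """The user lands here via the blog's redirect and types the password at the homesite."""
        q = query(request_url)
        identity, return_to, handle = q["openid.identity"], q["openid.return_to"], q["openid.assoc_handle"]
        if self.users.get(identity) != password:
            return redirect(return_to, {"mode": "cancel"})
        fields = {"mode": "id_res", "identity": identity, "return_to": return_to, "assoc_handle": handle}
        signed = ["mode", "identity", "return_to"]
        fields["signed"] = ",".join(signed)
        fields["sig"] = sign(self.assocs[handle], fields, signed)
        return redirect(return_to, fields)


class RelyingParty:
    """The blog: it never sees the password, only the homesite's signed assertion."""

    def __init__(self, idp):
        a = idp.associate()
        self.handle, self.mac_key = a["assoc_handle"], base64.b64decode(a["mac_key"])
        self.pending = set()    # nonces of flows we started (replay protection; not in OpenID 1.1 itself)

    def begin(self, claimed_identity):
        nonce = secrets.token_urlsafe(16)
        self.pending.add(nonce)
        return IDP_ENDPOINT + "?" + urlencode({
            "openid.mode": "checkid_setup",
            "openid.identity": claimed_identity,
            "openid.return_to": f"{RP_RETURN_TO}?nonce={nonce}",
            "openid.assoc_handle": self.handle,
            "openid.trust_root": "https://blog.example/",
        })

    def complete(self, response_url):
        """Verify the assertion the browser brought back; return the identity or None."""
        q = query(response_url)
        if q.get("openid.mode") != "id_res" or q.get("openid.assoc_handle") != self.handle:
            return None
        signed = q.get("openid.signed", "").split(",")
        if not {"mode", "identity", "return_to"} <= set(signed):
            return None        # the asserted identity must be under the signature
        fields = {k: q.get("openid." + k, "") for k in signed}
        if not hmac.compare_digest(sign(self.mac_key, fields, signed), q.get("openid.sig", "")):
            return None        # forged or tampered assertion
        rt = urlsplit(fields["return_to"])
        nonce = query(fields["return_to"]).get("nonce")
        if f"{rt.scheme}://{rt.netloc}{rt.path}" != RP_RETURN_TO or nonce not in self.pending:
            return None        # minted for another site, or replayed
        self.pending.discard(nonce)
        return fields["identity"]


def demo():
    idp = IdentityProvider({ALICE: "correct horse battery"})
    rp = RelyingParty(idp)
    good = idp.checkid_setup(rp.begin(ALICE), "correct horse battery")
    results = {"wrong_password": rp.complete(idp.checkid_setup(rp.begin(ALICE), "hunter2"))}
    # an attacker rewriting the asserted identity in transit breaks the HMAC
    results["tampered"] = rp.complete(good.replace("alice.example", "mallory.example"))
    results["genuine"] = rp.complete(good)
    results["replayed"] = rp.complete(good)
    return results
```

The checks in `complete` are the ones that matter in practice: the identity and return_to must be inside the signed field list (otherwise an attacker strips them from `openid.signed` and substitutes their own), the signed return_to must be this site’s own endpoint (an assertion minted for another relying party is not a login here), and the nonce must be one this site issued and not yet used.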
Sorry about the absence of posts in the past few days. I have a good excuse — promise.
About a year ago I mentioned a Hong Kong bank that misled customers by telling them, after they had logged off their online account, that they had ‘logged out, but hadn’t logged off’ or some such. It was a silly little gimmick, designed to sell a few more services on the theme of ‘off’ (travel insurance and the like; it doesn’t make much sense even now, and naff is probably the word that springs to mind).
It confused users, and the bank later withdrew the offending page to make it clear that users had logged off and their account was safe. Ten months on, the ad page is back, leaving the nervous customer unsure whether they really have logged out of their account.
I haven’t named the bank involved yet, but I’m seriously thinking of doing so. Why are banks’ marketing departments so dumb when it comes to such things? Do they really think it’s worth baffling the user further to sell them a bit of insurance? And why would they reintroduce this page when they assured me last July that, and I quote, “we’ve already removed the concerned statement put on the logoff page. While our original intention is to draw customers’ attention to our promotional goodies when they log off, we would rather modify it should it cause any potential confusion.” Watch this space.