What I learned about "Security"
I travel a lot. Because of that, I use 'hotspots' all over the place. I am connecting through Germany right now and had to sign up for a T-Mobile hotspot. They require you to set up an account to buy a 60-minute pass (I don't really like that, I don't want an account, but they make you).
So, I set up my account - username, password - credit card information, etc. Get logged in and immediately receive an email. I've received this email before (because I always have to set up a new account since I can never remember what my 'old' account was). It was the standard "welcome to T-Mobile" sort of email, but it always contains this (I've written to them before - that is like sending email to a bit bucket, no response, no action). Here is the email (xxxxx represents information I:
From - Fri May 21 09:05:34 2010
X-Account-Key: account5
X-UIDL: AHxxafafdafda
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: xxxxxx@yahoo.com via 206.190.49.114; Fri, 21 May 2010 00:04:39 -0700
Received-SPF: none (mta1056.mail.mud.yahoo.com: domain of noreply-wlan@t-mobile.net does not designate permitted sender hosts)
X-Originating-IP: [193.254.174.32]
Authentication-Results: mta1056.mail.mud.yahoo.com from=t-mobile.net; domainkeys=neutral (no sig); from=t-mobile.net; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO wlansmtp.t-mobile.net) (193.254.174.32)
by mta1056.mail.mud.yahoo.com with SMTP; Fri, 21 May 2010 00:04:39 -0700
Received: from kxsnsrg2 (kxsnsrg1 [172.28.76.134])
by wlansmtp.t-mobile.net (Postfix) with ESMTP id 37BDD6716
for; Fri, 21 May 2010 09:04:37 +0200 (CEST)
Date: Fri, 21 May 2010 09:04:37 +0200
From: noreply-wlan@t-mobile.net
Message-Id: <1274425477.9165@kxsnsrg2>
To: xxxxxxx@yahoo.com
Subject: T-Mobile welcomes you to your new HotSpot Pass Account
T-Mobile welcomes you to your new HotSpot Pass Account. The password for your
new account is XXXXXXXXX
Yes, that is right, they emailed my password - over unencrypted email, for no apparent good reason at all. Why??? Why would they do this??? What is the point? What is the reason?
Why am I posting this? Well, maybe they'll read or hear about it this way and change it. I found this funny - this is their FAQ:
https://hotspot.t-mobile.net/TMD/en_GB/web/security/index.html#1
Is the HotSpot registration (log in) secure?
Yes, because the access details are transmitted in code to the T-Home / T-Mobile HotSpots. The code that is used is SSL. The software for this is integrated into the browser. If this is not the case, you can update your browser. The relevant downloads are available from the browser provider.
By using our HotSpot Manager, which automatically logs onto T-Home / T-Mobile HotSpots, you can be assured that the registration details are only transmitted to a confidential hot spot web portal.
Well, that is not quite true, is it? You can also be assured that your password will be transmitted to everyone on the planet in clear text via good old email.
In the year 2010, you would think we'd know better.
They shouldn't be STORING my password in a form they can read back (a salted hash is all a login check needs), let alone EMAILING IT to me. Sigh....
Now I've got some passwords to change, ugh....
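For contrast with what the welcome email above shows, here is an added example (not T-Mobile's code and not from the post) of the sign-up flow the post argues for: only a salt and a PBKDF2-HMAC-SHA256 hash are stored, so the password cannot be put into a welcome email even by a careless developer, and "forgot password" hands out a short-lived, single-use token rather than the password. The class and function names, the iteration count and the toy in-memory store are assumptions for illustration.

```python
"""Added example (not T-Mobile's code and not from the post): store only a
salted, iterated hash; never keep or mail the clear-text password; use an
expiring single-use token for resets. Names and the iteration count are
assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time

# Iteration count is an assumption; pick the highest your login latency budget allows.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return (salt, digest). The clear-text password is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    _, digest = hash_password(password, salt)
    # constant-time compare so a near-miss is not distinguishable by timing
    return hmac.compare_digest(digest, stored_digest)


class Accounts:
    """Toy account store: email -> {"salt", "hash"}; reset tokens kept aside."""

    def __init__(self):
        self._users = {}
        self._reset_tokens = {}   # token -> (email, expiry in epoch seconds)

    def register(self, email, password):
        salt, digest = hash_password(password)
        self._users[email] = {"salt": salt, "hash": digest}

    def login(self, email, password):
        user = self._users.get(email)
        if user is None:
            hash_password(password)   # spend the same time as a real check
            return False
        return verify_password(password, user["salt"], user["hash"])

    def welcome_email(self, email):
        """What the welcome mail should look like: no secret in it at all."""
        return ("To: %s\nSubject: Welcome to your new account\n\n"
                "Your account is ready. Sign in with the password you chose.\n"
                % email)

    def issue_reset_token(self, email, ttl_seconds=900, now=None):
        """Single-use, expiring token: the only thing that may go out by email."""
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._reset_tokens[token] = (email, now + ttl_seconds)
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        entry = self._reset_tokens.pop(token, None)   # pop: one use only
        if entry is None:
            return False
        email, expiry = entry
        now = time.time() if now is None else now
        if now > expiry:
            return False
        self.register(email, new_password)
        return True

    def record_contains_password(self, email, password):
        """True only if the stored record could leak the password verbatim."""
        rec = self._users[email]
        return password.encode("utf-8") in rec["salt"] + rec["hash"]
```

The point of the `login` branch for unknown users is that a missing account costs the same wall-clock time as a wrong password, so the sign-up form cannot be used to enumerate who has an account. Nothing in this flow ever holds the password in a form that could be pasted into a mail template.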


20 Comments:
He he, now I have your passwords :)
One of the rules I always use:
two types of passwords.
First type is for really secure connections, like bank accounts, investments, etc.
Second type is for online regos or instant regos where I'm forced to use a password over open comms.
The two are completely different and follow different gen rules.
It's a pain, but also avoids having to change the secure ones everytime someone plays a "T-mobile" on me...
I think you should use a tool like KeePass ( http://keepass.info/ ) to generate strong passwords and to store all passwords. With such a tool, you can have a different password for every account, and you don't have to remember it (only remember a password to open your KeePass file). I currently have 60 login/passwords ...
This happens quite a lot, especially for smaller platforms.
Though, I wouldn't have thought that T-Mobile does it too...
This is the reason I have some special passwords for insecure services like this :-)
Isn't T-Mobile the company that lost all of their customers data a while back; due to server failure and no backups?
Have you heard about http://www.ma-galerie-marchande.com (it is a French site)? I registered on the site and later on I wanted to change my password. Guess how it is possible... You have to call them by phone, tell them your new password and they will register it in their system. Funny guys, aren't they?
Yahoo mail seems to be unencrypted? (except for the part where you enter your Yahoo password) - everything else is in http (not https) and there does not appear to even be an option?
All of Gmail is encrypted (https) by default.
Which would mean if you were on Gmail, the password would not be in clear text (because everything is encrypted) - please correct me if I am wrong.
Maybe next time you can try a McDonald's restaurant. In Switzerland, first, you get a free Wifi connection
(well, if you buy something, of course), and second, they send the password by SMS to your mobile phone.
[OT] Did you know Sql Developer 2.1 is defaulted to search asktom.oracle.com as search tool?
I will be saving a lot of "alt tab" :-)
@Ed Crotty
Yahoo isn't "email" really - SMTP is "email".
Yahoo provides an endpoint and a user interface. But to send or receive mail - your mail uses SMTP (simple mail transfer protocol) which goes on the public internet and is 100% unencrypted.
You must expect that every single one of your emails - every single one you've ever sent - has been read by someone else (if they are interested). It just flies over the internet in the clear.
Yahoo gives a user interface to read and create email - but what happens to the email in between someone sending it to you and you getting it is totally outside of your email clients control.
Gmail - would not 'fix' this. That is JUST a user interface. It matters not what I read the email with - the email was already quite readable to many people way before I ever got it.
Yahoo only needs https to login (to protect your credentials). All email that was sent to you unencrypted was already readable by the entire planet way before you got it.
Hello Tom,
Just like Jérôme, I'm using keepass to generate passwords. One password per account, never share passwords, never forget passwords for old accounts. Takes 2 minutes to setup a new password.
I use it to store OS passwords, database passwords and personal passwords. Very convenient.
Oh wait, there is this security consulting company, NSS Labs, that does the same (sending clear text passwords). I sent them an email asking where their security is while they cannot help their clients' passwords. Haven't heard a word from them.
Ironic eh!
@jimmyb:
T-Mobile employees stole customer data:
http://news.bbc.co.uk/1/hi/8364421.stm
But that was an amateurish attempt. For a Masterclass in Identity Theft, you'd have to go a loooooonnnnngggg way to beat these numbskulls:
http://news.bbc.co.uk/1/hi/uk/8066609.stm
http://news.bbc.co.uk/1/hi/uk/7103911.stm
http://news.bbc.co.uk/1/hi/uk/7123285.stm
Yes! When it comes to being utterly brain-dead, the UK government and public services are the winners, every time.
I so hate sites that do this. I wish there was a site we could name and shame these people, but I guess that would draw the hackers to simply monitor all that unsecure email more.
> All email that was sent to you unencrypted was already readable by the entire planet way before you got it.
Sometimes. There is a movement among many many companies to use SMTP over TLS to encrypt the connection now. The only way to truly know is by examining the headers.
However, even if TLS has encrypted the connection, if the mail client (in the case of web mail) is using an unencrypted connection, you just exposed the information. With gmail, it's HTTPS, so it is still secure. With Yahoo, you're retransmitting that same information over another unencrypted channel: HTTP.
@Tommy -
posted headers, no encryption - nothing, all in the clear.
And if some point along the way doesn't do encryption.... no mail for you (which will slow adoption - especially for something like this)
and it still doesn't do client to server or server to client. So, https gets server to client - but if you use IMAP you better have IMAP over TLS setup - and the client that sent it originally
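Both sides of this exchange come down to what the Received: chain records, so here is an added example (not from the post or from either commenter) that reads that chain and reports which hops left evidence of SMTP over TLS. The first sample is built from the headers posted above (the redacted "for;" kept as posted); the second adds one constructed Received line, marked as such, showing what a Postfix relay that did use TLS writes. Host names in the constructed line are placeholders. Absence of the markers is not proof of a clear-text hop, since a relay may simply not log TLS, but their presence is evidence of encryption on that hop.

```python
"""Added example, not from the post or the comments: list the hops in a
message's Received: chain and flag the ones that show evidence of SMTP over
TLS. Sample headers are those posted above plus one constructed TLS hop.
"""
import email
import re

# Constructed from the headers posted above; "for;" is redacted as posted.
POSTED_HEADERS = """\
Received: from 127.0.0.1 (EHLO wlansmtp.t-mobile.net) (193.254.174.32)
  by mta1056.mail.mud.yahoo.com with SMTP; Fri, 21 May 2010 00:04:39 -0700
Received: from kxsnsrg2 (kxsnsrg1 [172.28.76.134])
  by wlansmtp.t-mobile.net (Postfix) with ESMTP id 37BDD6716
  for; Fri, 21 May 2010 09:04:37 +0200 (CEST)
From: noreply-wlan@t-mobile.net
Subject: T-Mobile welcomes you to your new HotSpot Pass Account

(body omitted)
"""

# Constructed line (not from the post), appended as the earliest hop: a Postfix
# relay that negotiated STARTTLS logs "with ESMTPS" plus a "(using TLSv1.x ...)"
# clause. Host names are placeholders.
TLS_HOP_MESSAGE = POSTED_HEADERS.replace(
    "From: noreply-wlan@t-mobile.net",
    "Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])\n"
    "  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
    "  by relay.example.invalid (Postfix) with ESMTPS id 0A1B2C3D\n"
    "  for <someone@example.invalid>; Fri, 21 May 2010 09:04:36 +0200 (CEST)\n"
    "From: noreply-wlan@t-mobile.net",
)

# "with" protocol tokens meaning the SMTP session was TLS-wrapped or upgraded
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}
# free-text clauses Postfix, Sendmail and Exim add when TLS was used
TLS_CLAUSE = re.compile(r"\busing TLS|\bversion=TLS|\btls=yes\b|\bTLSv1", re.I)


def received_hops(raw_message):
    """Hops top-down (nearest the recipient first), each a dict with
    from/by/with and a 'tls' flag for that hop."""
    msg = email.message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())       # unfold continuation lines
        m_from = re.match(r"from\s+(\S+)", hdr)
        m_by = re.search(r"\bby\s+(\S+)", hdr)
        # protocol tokens are upper case, which skips "with cipher ..." clauses
        m_with = re.search(r"\bwith\s+([A-Z0-9]+)\b", hdr)
        proto = m_with.group(1) if m_with else "?"
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "with": proto,
            "tls": proto in TLS_PROTOCOLS or bool(TLS_CLAUSE.search(hdr)),
        })
    return hops


def cleartext_hops(hops):
    """Receiving hosts whose hop shows no TLS evidence."""
    return [h["by"] for h in hops if not h["tls"]]


if __name__ == "__main__":
    for h in received_hops(TLS_HOP_MESSAGE):
        print("%-28s -> %-28s %-7s %s" % (h["from"], h["by"], h["with"],
                                         "TLS" if h["tls"] else "clear"))
```

Run against the posted headers, both hops come back as clear: "with SMTP" at Yahoo and "with ESMTP" at the T-Mobile Postfix relay, no TLS clause on either. Only the constructed hop is flagged as TLS, and even then the earlier internal hop from kxsnsrg2 remains clear, which is the "every hop has to do it" problem raised above.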
Oh I saw your headers, and it was definitely unencrypted. I was just letting you know of some changes that _may_ make it mainstream.
It's interesting how quick some things that don't matter to a hill of beans become mainstream (YouTube, Facebook), yet anything dealing with security takes the long, slow road.
Tom, you know, you sure are causing a big problem for some people at T-Mobile. T-Mobile is the biggest Telco in Germany and one of the two biggest in Europe. This company actually has experience in running hundreds of Oracle databases and among them some of the biggest on the continent. The fact that they are not equally experienced in security issues is frightening. Selling "security" is always a tough job, I guess.
Tom - Isn't there an alternative to using the T-Mobile hotspot? Or are they king of the hill in Germany?
One thing I've noticed with MANY organisations I've worked with is: security is commonly an element underappreciated and misunderstood. That and capacity planning. I seem to always have to fight against the SAN managers for disk capacity so the databases can GROW. Shocking.
I say burn them all at the stake or is it, let them eat stake? Something like that!
Viva la revolution!