One of the interesting parts of my job is that I’m expected to “think ahead”. One of my favorite things to ask myself in this role is, “What could go wrong?” Not surprisingly, my education helps frame this examination: a broad understanding of issues makes it easier for one to understand the actors at play. And of course, even those with strong academic backgrounds in a subject still make stupid mistakes. But one really bad mistake was recently written about in the Washington Post.
Call me crazy on this one, but there are some big corporate names included as victims of this one. Doesn’t anybody think about the implications of their actions? Haven’t we all gotten E-mails that have “do not reply” addresses or E-mails where somebody hits “reply all” by mistake? Put them together and you have this! This has got to be one of the best tactical-media-projects-that-should-have-been of all time!
I think the letter copied below explains the situation better than I can repeat it here, but during a recent interaction with UPMC Health Systems, I was surprised to find a lack of good security practice. How many more security breaches or information leaks need to happen before somebody starts auditing these systems for security issues?
Edward McCallister
UPMC Health Systems
200 Lothrop Street
Forbes Tower, Suite 10072
Pittsburgh, PA 15213
Dear Mr. McCallister,
I’m writing you as an information security professional because, during a recent interaction with your organization, I encountered behavior that could possibly lead to a breach of confidentiality.
Recently, I had trouble logging into the “MyHealth” portal to complete the necessary steps to receive my “Health Reward” offered through the University of Pittsburgh (where I work) and UPMC. I called the help desk, and was told that my account was locked. The operator (who was very nice, by the way) then confirmed my password with me. By confirming my password, I mean she read what I had originally entered as a password back to me over the telephone.
What is troubling is that she (or anybody) has access to my plain text password. This is not standard industry procedure. In this circumstance, operators can typically reset passwords to something known; the end-user is then usually forced to change passwords upon login. My point is that, in such a setup, telephone operators (and anybody else) cannot see what the password is currently set to. This type of handling of passwords is even reflected in many operating systems’ password entry fields; the fields show asterisks instead of the actual characters as you type into them.
What makes this particular problem worth your attention? Passwords are usually authentication tokens tied to individual people; only I know my password. Administrators, for instance, may have access to my data under their own “administrator” credentials (accesses that are probably logged with their username for auditing purposes), but with the system as you currently have it set up, anybody can pose as what the system thinks is (and therefore logs as) “me”. It would be impossible for anybody to prove who “me” really was; it could be anyone that knows (or can find out) my password—me, any telephone operator or a system administrator.
What makes this even more dangerous? If a malicious individual were to gain access to your database, he or she could potentially have a list of plain text passwords. This would make it trivial for them to login using any of the compromised credentials, without the difficulty of having to “crack” a hashed password.
I take the confidentiality of my health information seriously and, as a steward of health information, I’m sure UPMC does, too. Part of enterprise security processes (and auditing), as I know from my education, is knowing who accesses what information when (and perhaps from where). Your system has security lapses of a type that prevent a reliable “mapping” of accesses back to the “who” I describe (assuming your system is secure otherwise).
I hope that you find time to discuss this issue with your information security team, and at least let me know that you received this letter and are working on resolving the issue.
Sincerely yours,
Jeffrey Maki
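The practice the letter asks for, a help-desk reset to a fresh temporary password that must be changed at next login, with only a salted hash ever stored and the reset logged under the operator's own identity, as an added example. This is not UPMC's system and not the author's code; it uses an in-memory dict as a stand-in for the portal's account table, and the user and operator names are invented.

```python
"""Password store in which no operator (or database thief) can read a user's password.

Constructed example: `users` stands in for the portal's account table and
`audit_log` for its access log; "jmaki" and "operator-42" are invented names.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000   # illustrative cost; tune to the hardware you run on
SALT_BYTES = 16

users = {}       # username -> {"salt", "hash", "must_change", "locked"}
audit_log = []   # (actor, action, subject) tuples: who did what to whose account


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(username: str, password: str) -> None:
    salt = os.urandom(SALT_BYTES)
    users[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "must_change": False,
        "locked": False,
    }
    audit_log.append((username, "create", username))


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison of the candidate digest against the stored one."""
    rec = users.get(username)
    if rec is None or rec["locked"]:
        return False
    candidate = _hash_password(password, rec["salt"])
    return hmac.compare_digest(candidate, rec["hash"])


def helpdesk_reset(operator: str, username: str) -> str:
    """What the operator can do instead of reading the password back.

    The old password is unrecoverable; a random temporary one replaces it,
    the account is unlocked, and the log records the operator, not the user.
    """
    rec = users[username]
    temp = secrets.token_urlsafe(12)
    rec["salt"] = os.urandom(SALT_BYTES)
    rec["hash"] = _hash_password(temp, rec["salt"])
    rec["must_change"] = True
    rec["locked"] = False
    audit_log.append((operator, "reset_password", username))
    return temp


def login(username: str, password: str) -> str:
    """Returns "denied", "must_change_password" (temporary password) or "ok"."""
    if not verify_password(username, password):
        return "denied"
    return "must_change_password" if users[username]["must_change"] else "ok"


def change_password(username: str, old: str, new: str) -> bool:
    """Only the user, proving the current (temporary) password, sets the new one."""
    if not verify_password(username, old):
        return False
    rec = users[username]
    rec["salt"] = os.urandom(SALT_BYTES)
    rec["hash"] = _hash_password(new, rec["salt"])
    rec["must_change"] = False
    audit_log.append((username, "change_password", username))
    return True


def stored_record(username: str) -> dict:
    """What an attacker who dumps the table gets: salt and digest, no plaintext."""
    rec = users[username]
    return {"salt": rec["salt"].hex(), "hash": rec["hash"].hex()}
```

After a reset the operator knows the temporary password for a moment, but the log ties the reset to the operator's account and the forced change at next login means the operator cannot later log in as the user without that showing up as a second reset. A stolen table yields only per-user salts and PBKDF2 digests, so each password still has to be guessed, which is the "difficulty of cracking" the letter refers to.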
Just an FYI: in light of the recent Monster.com leak of customer information, I wanted to delete my user profile. You can’t do this yourself from the website, but if you E-mail siteabuse@monster.com, they will delete it for you. I found this on another blog, but lost the link. Anyway, just wanted to confirm that it does work!
Today, I got a glimpse of what the webopticon is really about, besides being my blog. I got an E-mail from my old supervisor at SSI Services. As you may or may not know, I worked on the Knowledge Center project, a system to coordinate emergency responders, when I was there.
The E-mail told me that the “City of Pittsburgh” (nothing more specific) “noticed” me when I was taking pictures of the water main break last week. They then contacted SSI to “ask what our relationship was”.
The reason that this is so interesting to me is that I never gave my name out, nor did I really talk to anybody at the scene. They either recognized me from my time at SSI when I went to client meetings (the “client” including some of the same emergency responders who were at the water main break), or, more likely, they used Google to look for information on the water main break.
They then likely found my photos on Flickr and noticed themselves, or remembered me being there. Finding my Flickr photos, they got my name, Googled that, found my resume, and then saw that I worked at SSI (phew!). They then must have called SSI to ask what was going on.
What’s also interesting is that my photo of the PEMA/DHS guy at the scene has 10 more views than any other photo of the incident. Was it him who found the photos on Flickr? I’ll never know, but it’s interesting how Google has turned the Internet into a true panopticon (“webopticon”). Viewers can remain anonymous and get a glimpse into my life, to such a level that they can piece together my movements on a given day, and even my past work/jobs. I guess divulging that information is *my* choice, and I’m not trying to explicitly hide, either. There have also been other examples of Google panopticon-ness.