<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/rss2full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>TechMiso</title>
	
	<link>http://techmiso.com</link>
	<description>Tech evangelism and Miso soup like no other</description>
	<pubDate>Tue, 06 Jan 2009 16:27:03 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/techmiso" type="application/rss+xml" /><item>
		<title>One Portal, Under God</title>
		<link>http://feeds.feedburner.com/~r/techmiso/~3/504305156/</link>
		<comments>http://techmiso.com/201/one-portal-under-god/#comments</comments>
		<pubDate>Tue, 06 Jan 2009 13:40:14 +0000</pubDate>
		<dc:creator>Rich Chuckrey</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[government]]></category>

		<category><![CDATA[obama]]></category>

		<category><![CDATA[portal]]></category>

		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=201</guid>
		<description><![CDATA[Just as the Pledge of Allegiance stirs up controversy, so does the United States&#8217; e-government effort to serve up a viable web portal for its citizens.
After a search [for what I expect should be a Yahoo!-like portal] on the [dot] GOV network, I found USA.GOV. The URL itself holds significant marketability and it makes for [...]]]></description>
			<content:encoded><![CDATA[<p>Just as the Pledge of Allegiance stirs up controversy, so does the United States&#8217; e-government effort to serve up a viable web portal for its citizens.</p>
<p>After a search [for what I expect should be a <a href="http://yahoo.com/">Yahoo!</a>-like portal] on the [dot] GOV network, I found <a href="http://www.usa.gov/">USA.GOV</a>. The URL itself holds significant marketability and it makes for top billing and easy recognition in a web search. But, after entering the USA.GOV site, I was sent off into a one-way labyrinth of chaos and calamity.</p>
<p>Navigation through the site kept me moving and busy &#8212; but not in a clear direction. What&#8217;s wrong? I believe the initial breakdown is not conveying the organization of government&#8217;s main and tertiary departments &#8212; not displaying them on the landing page as an intuitive user-friendly layout.</p>
<p>First off and very basic: Visitors to USA.GOV are presented with a multilevel horizontal navigation bar that does little in the way of reflecting actual US departmental hierarchy. Then &#8212; after the landing page &#8212; the site does no more than put visitors on what looks like an alphabetical &#8216;site map.&#8217; If not a site map-like page, visitors will find themselves on a URL totally *outside* the USA.GOV portal with yet another design, look and feel.</p>
<p>A lot of great information links off USA.GOV. Just not in a manner that feels consistent with &#8216;one&#8217; portal. The site and ALL its sub links are prime for consolidation and unification &#8212; an agenda item I believe President-elect Barack Obama spells out in his Innovation and Technology fact sheet &#8212; &#8220;<a href="http://www.barackobama.com/pdf/issues/technology/Fact_Sheet_Innovation_and_Technology.pdf">Create a transparent and connected democracy</a>.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/201/one-portal-under-god/feed/</wfw:commentRss>
		<feedburner:awareness>http://api.feedburner.com/awareness/1.0/GetItemData?uri=techmiso&amp;itemurl=http%3A%2F%2Ftechmiso.com%2F201%2Fone-portal-under-god%2F</feedburner:awareness><feedburner:origLink>http://techmiso.com/201/one-portal-under-god/</feedburner:origLink></item>
		<item>
		<title>Hacked Twitter Accounts Highlight Need To Be Security Conscious</title>
		<link>http://feeds.feedburner.com/~r/techmiso/~3/504298438/</link>
		<comments>http://techmiso.com/196/hacked-twitter-accounts-highlight-need-to-be-security-conscious/#comments</comments>
		<pubDate>Tue, 06 Jan 2009 12:30:04 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[phishing]]></category>

		<category><![CDATA[security]]></category>

		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=196</guid>
		<description><![CDATA[Highly popular micro-blogging site Twitter has had a series of widespread security incidents over the course of the last week, culminating when high profile accounts owned by <a href="http://edition.cnn.com/2009/TECH/01/05/twitter.hacked/index.html">President-elect Barack Obama and Britney Spears were hacked</a>. In addition to Obama and Spears, approximately 30 other accounts had inappropriate tweets generated by this latest round of attacks.

Following these highly publicized incidents, such as the recent <a href="http://techmiso.com/97/on-twply-giving-out-your-password-and-other-security-issues/">Twply issue</a> followed by the <a href="http://techmiso.com/160/beware-of-twitter-phishing-scam/">widespread phishing scam aimed at Twitter users</a>, one has to wonder what, if anything, Ev and Co. are going to do to improve Twitter's security.

But is mitigation ultimately Twitter’s responsibility? I say no.]]></description>
			<content:encoded><![CDATA[<p>Highly popular micro-blogging site Twitter has had a series of widespread security incidents over the course of the last week, culminating when high profile accounts owned by <a href="http://edition.cnn.com/2009/TECH/01/05/twitter.hacked/index.html">President-elect Barack Obama and Britney Spears were hacked</a>. In addition to Obama and Spears, approximately 30 other accounts had inappropriate tweets generated by this latest round of attacks.</p>
<p>Following these highly publicized incidents, such as the recent <a href="http://techmiso.com/97/on-twply-giving-out-your-password-and-other-security-issues/">Twply issue</a> followed by the <a href="http://techmiso.com/160/beware-of-twitter-phishing-scam/">widespread phishing scam aimed at Twitter users</a>, one has to wonder what, if anything, Ev and Co. are going to do to improve Twitter&#8217;s security.</p>
<p>But is mitigation ultimately Twitter’s responsibility? I say no.</p>
<p>While Twitter certainly shares a portion of the blame for the <a href="http://techmiso.com/97/on-twply-giving-out-your-password-and-other-security-issues/">Twply</a> exploit, the other incidents were straight-up, everyday phishing expeditions. Users visiting the phishing sites consciously chose to hand over their Twitter credentials. It is up to the users to start acting responsibly online, to be held accountable for their actions.</p>
<p>These incidents highlight a problem emblematic of the web in general - <a href="http://en.wikipedia.org/wiki/Phishing">phishing</a> is a pervasive attack that affects almost every web-based application in existence. It targets the user rather than the software, so no amount of server-side hardening removes it entirely. By no means are these types of problems restricted to Twitter.</p>
<p>Phishing is relatively easy, especially for skilled attackers who are looking to cause major damage. But even n00bs can construct a simple phishing site in mere minutes. Crafting a phishing attack is as simple as stealing a site&#8217;s design, placing it on another domain and writing a small script to capture and store the credentials typed into the logon form. This could literally be thrown together in 10 minutes!</p>
<p>The bulk of the blame has to be placed on users. While most people are not savvy enough to know the ins and outs of network security, recognizing phishing is a relatively easy task. As with anything, all it takes is a little education!</p>
<p>I have noted a few problematic user behaviors which lead directly to successful phishing. All of these are easily mitigated through education.</p>
<ul>
<li>The method people use to determine what web site they are currently viewing is a direct contributor to phishing. Sites are commonly identified by familiar visual characteristics - the color, design structure and very specifically defined elements of the site are used to form a quick judgment of the site’s authenticity.</li>
<li>A lot of people do not bother to look at the address bar to determine their location and will mindlessly click links without ever realizing they have been misled. Those that do look at the URL do not inspect it closely enough. Seeing twitter.access-logins.com was enough to deceive many people into handing over their Twitter credentials, even though the registered domain in that hostname is access-logins.com, not twitter.com; the leading &#8220;twitter&#8221; label is just a subdomain the attacker controls.</li>
<li>Blindly trusting unfamiliar third-party web-site operators with the keys to your online kingdom is just plain stupid. Far too often people will hand over their username and password without ever thinking of the possible implications of such actions. This can be due to excitement over the possibility of playing with a new toy, the false promise of some exciting prize or nifty worthwhile feature you feel you need, or any number of other reasons – people give up their password believing they are receiving something valuable in return.</li>
<li>Constructing strong, difficult-to-guess passwords is vital in ensuring your online identity stays intact. All too often people create weak passwords which are easy to remember but are not adequate to protect the user accounts to which they are attached. Insufficient password strength is a vulnerability which is often exploited; this is the attack method used in the most recent Twitter security incident affecting President-elect Obama&#8217;s account. The <a href="http://blog.wired.com/27bstroke6/2009/01/twits-get-phish.html">attackers used a dictionary attack to gain access to Twitter administrative tools</a>, which were then used to gain further access to additional user resources. <a href="http://en.wikipedia.org/wiki/Dictionary_attack">Dictionary attacks</a> are generally only successful against weak passwords.</li>
</ul>
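<p>To make the last point concrete, here is a small added example (it is not code from the original post and has nothing to do with how the Twitter tools were actually attacked): a dictionary attack run against a constructed set of salted SHA-256 password hashes, using a made-up wordlist and the cheap mangling rules (capitalisation, numeric suffixes) that such attacks try first. The usernames, passwords, wordlist and hashing scheme are all assumptions for the demonstration.</p>

```python
"""Dictionary attack against a constructed set of salted password hashes.

Added example for illustration. The accounts, passwords, wordlist and
hashing scheme are assumptions for the demo, not details of any incident.
"""
import hashlib
import os


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, chosen because it is fast enough for a demo.

    A real system should use a slow KDF (PBKDF2, bcrypt, scrypt, Argon2).
    That raises the cost per guess but does not save a password that sits
    in the attacker's wordlist.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed "leaked" wordlist: a handful of the words such lists start with.
WORDLIST = ["password", "letmein", "twitter", "qwerty", "sunshine"]


def mangle(word: str):
    """Yield the cheap variants a dictionary attack tries for each base word."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "2009", "!"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(stored: dict, wordlist) -> dict:
    """Return {username: recovered_password} for every hash that matched.

    `stored` maps username -> (salt, hex digest). The per-user salt forces
    one hash computation per candidate per user, but the candidate space
    is tiny, so weak passwords still fall immediately.
    """
    cracked = {}
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            hit = next((c for c in mangle(word)
                        if hash_password(c, salt) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def would_be_cracked(password: str, wordlist=WORDLIST) -> bool:
    """Signup-time check: reject a password the same attack would recover."""
    return any(password == c for w in wordlist for c in mangle(w))


def build_sample_store() -> dict:
    """Constructed accounts: two weak passwords and one long passphrase."""
    users = {
        "alice": "Twitter123",
        "bob": "letmein1",
        "carol": "correct-horse-battery-staple-4711",
    }
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, hash_password(password, salt))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    hits = dictionary_attack(store, WORDLIST)
    for user in store:
        verdict = "cracked -> " + hits[user] if user in hits else "survived"
        print(f"{user}: {verdict}")
```

<p>Run as a script, the two weak passwords come back in milliseconds while the long passphrase never matches. The same <code>would_be_cracked</code> test is what a registration form can run to refuse a password before an attacker gets the chance; salting and a slow hash only raise the cost per guess and do not rescue a password that is in the wordlist.</p>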
<p>These behaviors can be stopped once you recognize they exist, and realize these techniques are the vectors attackers use to trick innocent users into doing things they normally would not do otherwise. Security is a mindset, a culture. Making the conscious decision to start acting securely is easy – following through is the hard part!</p>
<p>To use an old but very applicable cliché - knowing is half the battle. Now that you are educated on these flawed behaviors, take the time to make the necessary adjustments to your surfing habits to ensure your online identity is not compromised!</p>
<p>Most of all - do not give your password out to unknown, untrusted web sites! Do a little due diligence and verify the quality of service the web site provides before handing over a key to your online kingdom. Doing so will go a long way in ensuring the safety of that kingdom.</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/196/hacked-twitter-accounts-highlight-need-to-be-security-conscious/feed/</wfw:commentRss>
		<feedburner:awareness>http://api.feedburner.com/awareness/1.0/GetItemData?uri=techmiso&amp;itemurl=http%3A%2F%2Ftechmiso.com%2F196%2Fhacked-twitter-accounts-highlight-need-to-be-security-conscious%2F</feedburner:awareness><feedburner:origLink>http://techmiso.com/196/hacked-twitter-accounts-highlight-need-to-be-security-conscious/</feedburner:origLink></item>
		<item>
		<title>Confessions of a Google Addict – Where Is My Google Dashboard?</title>
		<link>http://feeds.feedburner.com/~r/techmiso/~3/503361644/</link>
		<comments>http://techmiso.com/190/confessions-of-a-google-addict-%e2%80%93-where-is-my-google-dashboard/#comments</comments>
		<pubDate>Mon, 05 Jan 2009 12:18:35 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[gmail]]></category>

		<category><![CDATA[google]]></category>

		<category><![CDATA[productivity]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=190</guid>
<description><![CDATA[They say the first step to realizing you’re addicted to something is to admit you have an addiction. To recognize you may have a problem. So here I am, on this fateful Monday evening, confessing I have a healthy addiction to Google’s online products.
Let me explain.
Waaaaay back in the day, on April 1, 2004, when [...]]]></description>
<content:encoded><![CDATA[<p>They say the first step to realizing you’re addicted to something is to admit you have an addiction. To recognize you may have a problem. So here I am, on this fateful Monday evening, confessing I have a healthy addiction to Google’s online products.</p>
<p>Let me explain.</p>
<p>Waaaaay back in the day, on April 1, 2004, when <a href="http://www.google.com/press/pressrel/gmail.html">Google originally published their press release regarding Gmail</a>, announcing the company was testing a preview release of their web-based email product I was ecstatic. The holy grail had arrived – Google, our saviour, to rescue us from the evil web-based email providers has surely devised a far superior product, right?</p>
<p>At the time, I was a long time opponent of web-based email. I despised how Microsoft, Yahoo! and others riddled their products with huge and obnoxious advertisements. Suddenly a new thrill was thrown down my spine at the thought of a new web-based email system which did not append “crap” to every email sent, nor were users disturbed with unwieldy advertising on every page.</p>
<p>It sounded like heaven so I sought out a mission to grab a Gmail account and be part of the “in crowd” at the time. I was lucky, got my account and the rest, as they say, is history. Ever since Gmail was released I have faithfully awaited Google to release new, useful web-based products which can be used to dislodge me from my local workstation and move me to the cloud. Each time Google released a new piece of the cloud puzzle, I was there to jump on top of the offering and adopt it like the fanboy I am.</p>
<p>First there was Gmail, then <a href="http://reader.google.com/">Google Reader</a>, <a href="http://calendar.google.com/">Google Calendar</a> followed by <a href="http://docs.google.com/">Google Docs</a>. For the most part I have been in seventh heaven (on a side note, why does it have to be the seventh? Something wrong with the fifth, sixth or eighth? I digress) with Google&#8217;s products. Even through all this delight there are still a couple items missing from Google’s cloud puzzle.</p>
<ul>
<li>Google sorely needs a “Google Tasks” of sorts. I’m referring to a <em>full-fledged</em> task manager, similar to what you see in Microsoft Outlook. One that offers advanced features like tagging, reminders, recurring tasks, etc. Google Labs recently added the <a href="http://gmailblog.blogspot.com/2008/12/new-in-labs-tasks.html">lightweight “tasks module” to Gmail</a> but it is far too simple. It was designed to be just that - lightweight so it will unobtrusively fit into the existing Gmail interface. Unfortunately, Tasks does not have notifications or any power-user features; it is just a simple task list and nothing else.</li>
<li>A “Google Dashboard” is really what I am after - an application which would solve a huge missing productivity shortfall. I envision Google Dashboard to be a single window whereby Gmail, Google Calendar, Google Docs and the uncoded, unreleased Google Tasks are married into a single pane, ala Microsoft Outlook’s “Today” page. The goal would be to present users with a view of their world as Google knows it to be. This can be partially done in Gmail already, again through Google Labs, by adding the Google Docs and Google Calendar modules. But again, as with their tasks offering, it is far too simplistic and needs a lot of work. Google Dashboard, in my mind, would be designed specifically for people who are looking to migrate from Outlook and move into the cloud – it is one missing piece of the business puzzle.</li>
</ul>
<p>I really believe a Google Dashboard will help ease the migration from Outlook to Google’s cloud offerings, especially if they expect to move business to the cloud. Google&#8217;s products are just as polished, if not more so in many ways, than what Microsoft currently offers, but with the added benefit of being tied to the cloud. Yes, there are downsides and I recognize the problems associated with moving business operations to the cloud. Either way, accessing your data from wherever you are is the wave of the future, a future which is just around the corner. Google is leading the charge with their productivity offerings and even the <a href="http://googlesystem.blogspot.com/2007/11/gdrive-to-launch-soon.html">long-fabled Gdrive</a>.</p>
<p>In true addict fashion, I can forgive Google for the time being. I realize they are busy making a million bazillion dollars and have to focus on their core competencies. But I am serious when I say Google Dashboard is a missing piece of the puzzle. This product will allow users to be more productive while retaining Google product “stickiness.”</p>
<p>It may not be the Holy Grail, but it sure is a start!</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/190/confessions-of-a-google-addict-%e2%80%93-where-is-my-google-dashboard/feed/</wfw:commentRss>
		<feedburner:awareness>http://api.feedburner.com/awareness/1.0/GetItemData?uri=techmiso&amp;itemurl=http%3A%2F%2Ftechmiso.com%2F190%2Fconfessions-of-a-google-addict-%25e2%2580%2593-where-is-my-google-dashboard%2F</feedburner:awareness><feedburner:origLink>http://techmiso.com/190/confessions-of-a-google-addict-%e2%80%93-where-is-my-google-dashboard/</feedburner:origLink></item>
		<item>
		<title>Social Network Mayhem</title>
		<link>http://feeds.feedburner.com/~r/techmiso/~3/503162222/</link>
		<comments>http://techmiso.com/184/social-network-mayhem/#comments</comments>
		<pubDate>Mon, 05 Jan 2009 07:37:56 +0000</pubDate>
		<dc:creator>Rich Chuckrey</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[classmates]]></category>

		<category><![CDATA[facebook]]></category>

		<category><![CDATA[hi5]]></category>

		<category><![CDATA[linkedin]]></category>

		<category><![CDATA[myspace]]></category>

		<category><![CDATA[networking]]></category>

		<category><![CDATA[portal]]></category>

		<category><![CDATA[social]]></category>

		<category><![CDATA[tagged]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=184</guid>
<description><![CDATA[Scenario: You spin up your browser and search for someone on the Internet. Some of you load up Google - others choose Yahoo - and yet some of you surf to social sites like Facebook, MySpace, Hi5, LinkedIn, Tagged, Reunion, Classmates and (catch my breath), and so on. Regardless of where you search, what happens [...]]]></description>
<content:encoded><![CDATA[<p>Scenario: You spin up your browser and search for someone on the Internet. Some of you load up Google - others choose Yahoo - and yet some of you surf to social sites like Facebook, MySpace, Hi5, LinkedIn, Tagged, Reunion, Classmates and (catch my breath), and so on. Regardless of where you search, what happens next is the same: You get slammed with a deluge of results and then find yourself sifting through a lot of irrelevant clutter.</p>
<p>A closer peek at this social network mayhem and we notice all sites <em>try </em>very hard to do one thing &#8212; keep you social. &#8216;<em>Try</em>&#8217; being the keyword. With the advent of AJAX and site design improvements now happening everywhere &#8212; quite justifiably &#8212; social networking has become an awkward gob of repetitive bells and whistles (some cool and others weak) that make one social site [not so] different from the other.</p>
<p>What we need&#8211;</p>
<p>A true master portal. Or, portal(<strong>s</strong>). A site or site(<strong>s</strong>) secure and efficient in that they allow users to sign-up and attach to multiple social networks in one sitting &#8212; accessing them all through, say, one system control panel. Then [in an ideal world] users would aggregate and utilize the legions of options off their favorite social sites &#8212; possibly creating a hybrid site of their own. This [dream] would afford us socialites the best of all social networking worlds and empower us with a web experience beyond what Facebook ever imagined. But no.</p>
<p>Rather than socializing nicely, what you have is infighting &#8212; Facebook battling organizers like Power.com; <a id="yw5r" title="Facebook" href="http://www.techcrunch.com/2009/01/02/facebook-defends-its-turf-sues-powercom/" target="_blank">strong-arming</a> their consolidation efforts into the ground. This monster monopoly-like behavior does nothing but hurt the social <strong>us</strong>er.</p>
<p>Light at the end&#8211;</p>
<p>Groups are active in bringing the web together &#8212; again, <strong><a id="b1bx" title="Power" href="http://power.com/" target="_blank">Power.com,</a> </strong> they consolidate usernames and passwords for users of <em>some </em>social sites &#8212; affording one-stop login for all-round socializing. Or <strong><a id="tq8s" title="Meebo" href="http://meebo.com/" target="_blank">Meebo.com</a> </strong> where your IM logins are consolidated in one web app &#8212; displaying your IM conversations in one true universal chat experience. Then there&#8217;s <strong><a id="f696" title="RSS" href="http://en.wikipedia.org/wiki/RSS_%28file_format%29" target="_blank">RSS</a></strong>: A -standardized- file format that aggregates and brings you all your preferred news feeds from around the web.</p>
<p>Whether they deliberately mean to or not, most social networking sites are doing a poor job in giving users a standard and centralized portal experience. Instead of sites like Facebook and MySpace actually working together towards a social networking standard, they just as soon continue to grow their monster, proprietary platforms.</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/184/social-network-mayhem/feed/</wfw:commentRss>
		<feedburner:awareness>http://api.feedburner.com/awareness/1.0/GetItemData?uri=techmiso&amp;itemurl=http%3A%2F%2Ftechmiso.com%2F184%2Fsocial-network-mayhem%2F</feedburner:awareness><feedburner:origLink>http://techmiso.com/184/social-network-mayhem/</feedburner:origLink></item>
		<item>
		<title>Wikipedia Scores Big Through Transparency</title>
		<link>http://feeds.feedburner.com/~r/techmiso/~3/502517244/</link>
		<comments>http://techmiso.com/169/wikipedia-scores-big-through-transparency/#comments</comments>
		<pubDate>Sun, 04 Jan 2009 13:21:53 +0000</pubDate>
		<dc:creator>Rich Chuckrey</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[accounting]]></category>

		<category><![CDATA[budget]]></category>

		<category><![CDATA[donations]]></category>

		<category><![CDATA[funding]]></category>

		<category><![CDATA[transparency]]></category>

		<category><![CDATA[wikipedia]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=169</guid>
		<description><![CDATA[Wikipedia founder, Jimmy Wales, reached out to the world last year and asked for volunteer donations in support of his massive online encyclopedia operations. He did this with hopes of funding 6 million USD for their 2009 fiscal operations. They made it. And it was no small feat [for a non-profit] considering costly requirements like [...]]]></description>
			<content:encoded><![CDATA[<p>Wikipedia founder, Jimmy Wales, reached out to the world last year and asked for volunteer donations in support of his massive online encyclopedia operations. He did this with hopes of funding 6 million USD for their 2009 fiscal operations. <a href="http://wikimediafoundation.org/wiki/Donate/ThankYou/en?utm_source=2008_jimmy_thank_you&amp;utm_medium=sitenotice&amp;utm_campaign=fundraiser2008#appeal">They made it.</a> And it was no small feat [for a non-profit] considering costly requirements like these-</p>
<ul>
<li>Nearly three million USD in projected technology costs</li>
<li>Almost two million USD in projected accounting and administration costs</li>
<li>Salary for 23 folks on staff</li>
<li>300+ servers on the farm</li>
<li>And more</li>
</ul>
<p>One of the most respectable moves a company can make in gaining outside interest and support is to display their operations as transparent as possible. Wikipedia [does] and did a great job conveying their transparency through info pages like their <a href="http://wikimediafoundation.org/wiki/Donate/Questions/en#How_is_the_revenue_spent.3F">annual fiscal plan</a> document or their frank <a href="http://wikimediafoundation.org/wiki/Donate/Questions/en">Q&amp;A</a> page.</p>
<p>Interestingly, Wikipedia admits not having a budget plan per se until fiscal 07-08. And they also show that their books from 2006 to 2009 (projected) reveal significant increases in spending &#8212; definitely a noteworthy trend as it was uncovered quickly after the first budget plan.</p>
<p>Wikipedia&#8217;s apparent spending increase uncovers another meaningful point &#8212; that spending increases after first implementing a budget plan may indicate an organization is making up lost ground. That in fact spending was &#8216;needed,&#8217; but the &#8216;need&#8217; went unrecognized or was not clearly identified. Certainly a positive side-effect of installing a budget.</p>
<p>In any regard, the benefits of transparency outweigh any of its drawbacks. Wikipedia saw a windfall of support with making company financials [and strategies] available to the masses. Jimmy Wales&#8217; skillful appeal was ultimately met with a huge capital injection [donated] by Wikipedia followers.</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/169/wikipedia-scores-big-through-transparency/feed/</wfw:commentRss>
		<feedburner:awareness>http://api.feedburner.com/awareness/1.0/GetItemData?uri=techmiso&amp;itemurl=http%3A%2F%2Ftechmiso.com%2F169%2Fwikipedia-scores-big-through-transparency%2F</feedburner:awareness><feedburner:origLink>http://techmiso.com/169/wikipedia-scores-big-through-transparency/</feedburner:origLink></item>
		<item>
		<title>Beware of Twitter Phishing Scam</title>
		<link>http://feeds.feedburner.com/~r/techmiso/~3/502265583/</link>
		<comments>http://techmiso.com/160/beware-of-twitter-phishing-scam/#comments</comments>
		<pubDate>Sun, 04 Jan 2009 03:28:38 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[phishing]]></category>

		<category><![CDATA[security]]></category>

		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=160</guid>
<description><![CDATA[The world was shaken apart this New Years weekend when a substantial number of Twitter users received a Direct Message (DM) directing them to a phishing site hosted on Google&#8217;s Blogspot. The phishing scam was seemingly designed to steal the Twitter credentials (i.e. username and password) of unsuspecting visitors. A lot of chatter about the [...]]]></description>
<content:encoded><![CDATA[<p>The world was shaken apart this New Years weekend when a substantial number of <a href="http://twitter.com/">Twitter</a> users received a Direct Message (DM) directing them to a phishing site hosted on Google&#8217;s Blogspot. The phishing scam was seemingly designed to steal the Twitter credentials (i.e. username and password) of unsuspecting visitors. A lot of <a href="http://search.twitter.com/search?q=phishing">chatter about the phishing scam</a> continues on Twitter even though the fire has been mostly extinguished. Naturally, <a href="http://mashable.com/2009/01/03/warning-twitter-phishing-attack-underway/">Mashable</a>, <a href="http://www.inquisitr.com/14172/phishing-scam-targeting-twitter-users/">Inquisitr</a> and <a href="http://technorati.com/search/twitter+phishing?language=en">many</a> <a href="http://blogsearch.google.com/blogsearch?hl=en&#038;ie=UTF-8&#038;q=twitter+phishing&#038;btnG=Search+Blogs">others</a> have picked up the story.</p>
<p>If you have received, or do receive a DM directing you to a malicious web site using an access-logins.com domain, I encourage you to not enter your Twitter credentials at the site, should you opt to visit. If you use Firefox, the site has already been added to their phishing database and should be automagically blocked by default.</p>
<p>Even though the site is a phishing site, designed to trick you into entering your Twitter credentials, its only apparent purpose is to collect whatever is typed into the login form: the page is a copy of the twitter.com design and does nothing until you hand over your Twitter login information. That said, there is no good reason to visit a known phishing page at all; a page that only harvests credentials today can be changed to serve malware tomorrow. Simply put: do <strong>not</strong> hand over your Twitter password.</p>
<p>As mentioned in <a href="http://techmiso.com/97/on-twply-giving-out-your-password-and-other-security-issues/">our coverage of Twply</a>, you should never hand over your credentials to an unknown, untrusted third-party.</p>
<p>The Twitter team was made well aware of the scam early on and has <a href="http://status.twitter.com/post/68196572/dont-share-your-secret-info">posted a message on the Twitter Status blog</a>, informing users of the attempt to phish their Twitter credentials. Additionally, a message on Twitter, directly above the timeline, reads:</p>
<blockquote><p>If you receive an email notice saying you’ve received a Direct Message with a link that redirects to what seems like Twitter.com, be careful about entering your Twitter credentials. Instead, look closely at the URL to see if it’s not really Twitter but a sketchy phishing site like http://twitter.access-logins.com. If this has you feeling a bit weirded out, feel free to change your Twitter password.</p></blockquote>
<p>I am not entirely convinced this scam was designed to exploit Twitter&#8217;s missing authentication scheme. This was a classic case of phishing for user credentials, which may ultimately be exploited elsewhere. Had this scam been designed to elevate the visibility of the missing API component, there would have been no need to direct users to a site using the twitter.com design. There are better ways of doing that, such as the method Twply opted to use.</p>
<p>What this phishing scam has identified is that Twitter usage has been elevated to critical mass. Even though Twitter <em>was</em> primarily used by the savvy early adopter crowd, many average, every day, unsuspecting users now partake in the service daily. The phishers obviously believed phishing Twitter users to be a good opportunity. Who can argue with that?</p>
<p>I will continue to say this until I am blue in the face, but it is <em>imperative</em> to not use the same password on multiple sites. When you use the same password across sites, you open up your online identity to being stolen quite easily. Maybe that is the real lesson for Twitter users: immediately change your Twitter password so it is no longer &#8220;in sync&#8221; with other sites?</p>
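<p>Twitter&#8217;s advice to &#8220;look closely at the URL&#8221;, and the observation in our &#8220;Hacked Twitter Accounts&#8221; post that people who do look at the URL do not inspect it closely enough, both come down to a single question: is the hostname really under the domain you expect? The following is an added example (not code from the original post, from Twitter, or from Firefox&#8217;s phishing database) that answers that question for a list of constructed links. The only real hostname in it is twitter.access-logins.com, quoted from the Twitter status message; every other link is made up for the demonstration, and the <code>triage</code> helper is a name chosen here.</p>

```python
"""Decide whether a link really points at the site it looks like.

Added example, not part of the original post. All sample links are
constructed; twitter.access-logins.com is the hostname Twitter's status
message warned about.
"""
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL, without a trailing dot.

    urlsplit().hostname already drops any user:pass@ prefix, so a link such
    as http://twitter.com@access-logins.com/ yields access-logins.com.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def is_same_site(url: str, expected_domain: str) -> bool:
    """True only if the host is expected_domain or a subdomain of it.

    A subdomain is accepted only when expected_domain follows a dot, so
    twitter.com.access-logins.com and nottwitter.com both fail while
    www.twitter.com passes.
    """
    host = hostname_of(url)
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def triage(urls, expected_domain="twitter.com"):
    """Label each link OK or SUSPECT; returns a list of (url, verdict)."""
    return [(u, "OK" if is_same_site(u, expected_domain) else "SUSPECT")
            for u in urls]


# Constructed links; only twitter.access-logins.com is taken from the post.
SAMPLE_LINKS = [
    "https://twitter.com/login",
    "http://www.twitter.com/",
    "http://twitter.access-logins.com/login",     # the real phishing host
    "http://twitter.com.access-logins.com/",      # expected name as a prefix
    "http://twitter.com@access-logins.com/",      # user:pass@ trick
    "http://nottwitter.com/",                     # expected name as a suffix
    "HTTP://TWITTER.COM./",                       # case and trailing dot
]


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS):
        print(f"{verdict:8} {url}")
```

<p>The check looks only at the hostname: it ignores the page design entirely, strips a user:pass@ prefix that some phishing links use to put the real site&#8217;s name first, and accepts a subdomain only when the expected domain follows a dot. It is a reading aid, not a substitute for the browser&#8217;s address bar and its certificate warnings, and it cannot help with a look-alike domain registered by the attacker, which is precisely why the registered domain, not the leading label, is the part to read.</p>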
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/160/beware-of-twitter-phishing-scam/feed/</wfw:commentRss>
		<feedburner:awareness>http://api.feedburner.com/awareness/1.0/GetItemData?uri=techmiso&amp;itemurl=http%3A%2F%2Ftechmiso.com%2F160%2Fbeware-of-twitter-phishing-scam%2F</feedburner:awareness><feedburner:origLink>http://techmiso.com/160/beware-of-twitter-phishing-scam/</feedburner:origLink></item>
		<item>
		<title>New No-Cost Security From Microsoft?</title>
		<link>http://feeds.feedburner.com/~r/techmiso/~3/501718630/</link>
		<comments>http://techmiso.com/135/new-no-cost-security-from-microsoft/#comments</comments>
		<pubDate>Sat, 03 Jan 2009 12:15:55 +0000</pubDate>
		<dc:creator>Rich Chuckrey</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[microsoft]]></category>

		<category><![CDATA[os]]></category>

		<category><![CDATA[security]]></category>

		<category><![CDATA[software]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=135</guid>
		<description><![CDATA[Come off it, Microsoft &#8212; you know your own platform like no one else. I would have expected you to offer a &#8216;free&#8217; security solution for your operating systems starting back in the Windows 3.1 days.
Well, in the latter half of 2009 [as reported by Redmond on their PressPass site] the software giant will finally [...]]]></description>
			<content:encoded><![CDATA[<p>Come off it, Microsoft &#8212; you know your own platform like no one else. I would have expected you to offer a &#8216;free&#8217; security solution for your operating systems starting back in the Windows 3.1 days.</p>
<p>Well, in the latter half of 2009 [as reported by Redmond on their <a id="nwv5" title="PressPass" href="http://www.microsoft.com/Presspass/press/2008/nov08/11-18NoCostSecurityPR.mspx" target="_blank">PressPass</a> site] the software giant will finally launch their no-cost comprehensive protection software for Windows XP, Vista and Windows 7. And Microsoft offered these shocking words in their news release:</p>
<blockquote><p>&#8220;<em>To address the <strong>growing need </strong>for a PC security solution&#8230;</em></p></blockquote>
<p>Growing need? This tells me that the folks at Microsoft don&#8217;t yet get <em>security</em>.</p>
<p>Let us briefly consider two reasons why Microsoft&#8217;s comprehensive protection should have happened sooner, and why not only Microsoft but other vendors must follow suit. First, only the developer knows best how their operating systems and software applications are built. Second, because of that <em>insider-like</em> knowledge, it&#8217;s a given that these folks are automatically accountable for providing their customers out-of-the-box protection. Yet they don&#8217;t.</p>
<p>Granted, Microsoft and others have improved significantly with their patching strategies, but let&#8217;s not lose sight of what patch releases &#8216;really mean&#8217; to security &#8212; that the vulnerabilities already existed and were only uncovered later. This is unsatisfactory as a business model and one in serious need of improvement.</p>
<p>Unfortunately, with Microsoft&#8217;s very recent &#8216;<strong><a id="t153" title="PressPass" href="http://www.microsoft.com/Presspass/press/2008/nov08/11-18NoCostSecurityPR.mspx" target="_blank">growing need</a></strong>&#8217; comment, they lose much in the way of credibility, and they show that their finger is <em>not</em> on the pulse like it should be. Let&#8217;s hope their security software launch in late 2009 is a good one and all-inclusive for what users desperately need &#8212; protection.</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/135/new-no-cost-security-from-microsoft/feed/</wfw:commentRss>
		<feedburner:awareness>http://api.feedburner.com/awareness/1.0/GetItemData?uri=techmiso&amp;itemurl=http%3A%2F%2Ftechmiso.com%2F135%2Fnew-no-cost-security-from-microsoft%2F</feedburner:awareness><feedburner:origLink>http://techmiso.com/135/new-no-cost-security-from-microsoft/</feedburner:origLink></item>
		<item>
		<title>Information Security Basics</title>
		<link>http://feeds.feedburner.com/~r/techmiso/~3/501607616/</link>
		<comments>http://techmiso.com/125/information-security-basics/#comments</comments>
		<pubDate>Sat, 03 Jan 2009 08:00:00 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[howto]]></category>

		<category><![CDATA[infosec]]></category>

		<category><![CDATA[IT]]></category>

		<category><![CDATA[security]]></category>

		<category><![CDATA[solutions]]></category>

		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=125</guid>
		<description><![CDATA[Whether you run your own home network or are part of the IT shop administering the corporate network, there are some basic information security protocols which should always be followed. These tips are designed to help you, the administrator, adequately protect the network from the myriad of attacks available today. Ensuring your network is free [...]]]></description>
			<content:encoded><![CDATA[<p>Whether you run your own home network or are part of the IT shop administering the corporate network, there are some basic information security protocols which should always be followed. These tips are designed to help you, the administrator, adequately protect the network from the myriad of attacks available today. Ensuring <em>your</em> network is free of compromise is vitally important for <em>all</em> network users because it allows for the continued, uninterrupted operation of the very network they rely upon to perform their job.</p>
<p>This list is by no means designed to be all-inclusive. It is merely a small subset of tips which should help set most people in the right direction. These tips are generally combined with more complex solutions, producing a far more comprehensive effort than the mere implementation of these basics.</p>
<p>1. Defense-In-Depth</p>
<p><a href="http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)">Defense-in-Depth</a> is the foundation of all information security programs. It is a comprehensive strategy for protecting a network through layers. These layers are generally network areas such as the network perimeter (i.e., the premise router), the DMZ, physical security, authentication mechanisms, auditing, logging and more. This list is by no means all-inclusive.</p>
<p>By placing multiple layers of defense throughout your network you increase the effort required to break through those defenses, while simultaneously hardening the network as a whole. By itself, the statement sounds like all you do is slap in some defense-in-depth and you&#8217;re off and running. That is not the case. An IT shop <em>must</em> have someone on staff who clearly comprehends information security and defense-in-depth for the program to succeed.</p>
<p>As I said, defense-in-depth is a framework. The majority of the remaining tips, while doable on their own, are ultimately layers within this framework. Merely implementing them individually may very well improve your network security posture; however, it is advisable to implement all of the measures to protect your network to the highest degree possible.</p>
<p>2. Network Security Perimeter - Deny by Default, Allow by Exception</p>
<p>All good networks have strong perimeter defenses. Every network connection must have a premise router, the router which is connected to the upstream internet service provider. The premise router should make use of access control lists (ACLs) to allow only the minimum required TCP/IP connections both in and out of the network. This is known as a &#8220;deny by default, allow by exception&#8221; policy.</p>
<p>If your network does not run a web server accessible by the public, there is absolutely no need to allow 80/tcp inbound from the world. If there is no SSL server accessible by the public, do not allow 443/tcp inbound. More than likely, 1024-65535/tcp and 1024-65535/udp are not required inbound at all.</p>
<p>Leaving these connections possible is a huge and unnecessary exposure. Essentially, you deny all connections by default and build an ACL which allows only the required connectivity in or out of the network.</p>
<p>Along with a strong premise router ACL, all networks should employ at least a <a href="http://en.wikipedia.org/wiki/Stateful_firewall">stateful firewall</a> sitting right behind the premise router. The firewall should be configured identically to the premise router, following the &#8220;deny by default, allow by exception&#8221; policy.</p>
<p>A stateful firewall is important because it inspects packets and keeps track of the state of the network connections traversing it. This allows the firewall to distinguish between legitimate connections and potentially harmful connections or connection attempts, for example by accepting only inbound packets that belong to a connection a host inside the network already initiated.</p>
<p>3. Anti-Virus</p>
<p>If there is one security application which is a must-have, <a href="http://en.wikipedia.org/wiki/Anti-virus">anti-virus protection</a> is it. Running without anti-virus software will do far more harm than you ever thought possible.</p>
<p>At the minimum, install an anti-virus client on all workstations and servers on the network and have those clients report to a corporate anti-virus server. It is important to install anti-virus software on every server and client. If even a single machine is left without anti-virus software, that one gap may cost you in the end.</p>
<p>These basic information security tips are just that - basic. There are far more advanced techniques for protecting your network. In a future installment I plan on covering some of the more complex methods.</p>
<p>For now, enjoy reworking your premise router to a &#8220;deny by default, allow by exception&#8221; policy. It will do wonders for the number of help desk phone calls you are going to receive. After all, if your users are suddenly unable to use BitTorrent or instant messaging, after having been able to for so long, they&#8217;re going to wonder what&#8217;s going on. Be prepared for the onslaught of questions!</p>
<p>Does your network currently employ any of the aforementioned techniques? If not, do you envision ever implementing such measures? Do you do something not mentioned?</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/125/information-security-basics/feed/</wfw:commentRss>
		<feedburner:awareness>http://api.feedburner.com/awareness/1.0/GetItemData?uri=techmiso&amp;itemurl=http%3A%2F%2Ftechmiso.com%2F125%2Finformation-security-basics%2F</feedburner:awareness><feedburner:origLink>http://techmiso.com/125/information-security-basics/</feedburner:origLink></item>
		<item>
		<title>The $100K Tech Contractor</title>
		<link>http://feeds.feedburner.com/~r/techmiso/~3/500813407/</link>
		<comments>http://techmiso.com/114/the-100k-tech-contractor/#comments</comments>
		<pubDate>Fri, 02 Jan 2009 08:51:58 +0000</pubDate>
		<dc:creator>Rich Chuckrey</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[100k]]></category>

		<category><![CDATA[contractor]]></category>

		<category><![CDATA[government]]></category>

		<category><![CDATA[mentor]]></category>

		<category><![CDATA[salary]]></category>

		<category><![CDATA[solutions]]></category>

		<category><![CDATA[streamline]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=114</guid>
		<description><![CDATA[It is hard to believe what IT engineers expect in the way of compensation nowadays &#8212; especially those in civil service. I would moreover expect a sense of urgency and introspection from anyone pulling down a decent salary [especially from the United States Government]. However, the complacency madness marches on. With the U.S. economy crumbling [...]]]></description>
			<content:encoded><![CDATA[<p>It is hard to believe what IT engineers expect in the way of compensation nowadays &#8212; especially those in civil service. I would moreover expect a sense of urgency and introspection from anyone pulling down a decent salary [especially from the United States Government]. However, the complacency madness marches on. With the U.S. economy crumbling and jobs evaporating, it is time to listen to the alarms and rise to the occasion. What makes you worth your weight in pay? Let&#8217;s take a look at just a few points:</p>
<p>1. Don&#8217;t assume-</p>
<p>When tasked, engineers need to analyze the task and volley questions early, even if it means risking listening to an answer you [think you] already know. Question and answer sessions give both you and your boss confidence that the task will be done correctly &#8212; right from the get-go.</p>
<p>2. Streamline your output-</p>
<p>Take a step back and perform a self-assessment. More often than not, employees are far from maxed out and could prove they are capable of doing more. Whether it is a matter of time management, reworking current habits or adding resources, streamlining your output is something engineers owe their boss, their company and themselves.</p>
<p>3. Bring solutions to bear-</p>
<p>Proposing that endgame solution [and -of course- implementation plan] for a festering issue is the silver bullet in any good engineer&#8217;s <a id="ww63" name="The_$100K_Tech"></a>arsenal. There is not a single boss out there who appreciates a problem dropped on her desk for management-level resolution when the task can easily be handled at lower levels. Not only is it an engineer&#8217;s obligation -say at $100K- it is also a good faith requirement that the engineer make an inspiring effort to provide the ultimate remedy.</p>
<p>4. Mentor others-</p>
<p>There is zero success in burying your head in a monitor all day &#8212; especially if you are a qualified team member. Making the rounds and striking up technical conversation with your peers is the quickest way to uncover someone ripe for a good dose of guidance. Task sharing is another means of mentoring that carries sizable benefits by folding team members into projects and tasks. Stepping on or over your teammates will -not- get you up the ladder any quicker, so push people up ahead of you or take them along with you.</p>
<p>Parting shot: Outside of receiving salary and benefits, there is no quid pro quo in being employed. Articulating solutions and continually refining your service to the company will give your boss and your team a considerable boost in productivity. You are your own business, and &#8216;you&#8217; set yourself up for success &#8212; and failure.</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/114/the-100k-tech-contractor/feed/</wfw:commentRss>
		<feedburner:awareness>http://api.feedburner.com/awareness/1.0/GetItemData?uri=techmiso&amp;itemurl=http%3A%2F%2Ftechmiso.com%2F114%2Fthe-100k-tech-contractor%2F</feedburner:awareness><feedburner:origLink>http://techmiso.com/114/the-100k-tech-contractor/</feedburner:origLink></item>
		<item>
		<title>On Twply, Giving Out Your Password and Other Security Issues</title>
		<link>http://feeds.feedburner.com/~r/techmiso/~3/500722501/</link>
		<comments>http://techmiso.com/97/on-twply-giving-out-your-password-and-other-security-issues/#comments</comments>
		<pubDate>Fri, 02 Jan 2009 03:09:39 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[oauth]]></category>

		<category><![CDATA[security]]></category>

		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=97</guid>
		<description><![CDATA[There has been a small but vocal brouhaha brought to light by chatty Robert Scoble over Twply, a new Twitter-to-email service which recently launched. The problem started out as the service seemingly spamming Twitter but the conversation has quickly changed gears into a full-fledged Twitter security incident.
As part of a means of promoting the [...]]]></description>
			<content:encoded><![CDATA[<p>There has been a small but vocal <a href="http://scobleizer.com/2009/01/01/twitter-spam-effective-or-idiotic/">brouhaha brought to light by chatty Robert Scoble</a> over <a href="http://twply.com/">Twply</a>, a new Twitter-to-email service which recently launched. The problem started out as the service seemingly spamming Twitter but the conversation has quickly changed gears into a full-fledged Twitter security incident.</p>
<p>As part of a means of promoting the service, framed in the context of &#8220;supporting&#8221; Twply, when you first sign-up for the service it sends the following tweet from your Twitter account:</p>
<blockquote><p>Just started using http://twply.com/ to get my @replies via email. Neat stuff!</p></blockquote>
<p>Twply clearly states on their front page, directly beneath the Twitter username and password fields, <em>&#8220;Support Twply on your first login?&#8221;</em> followed by a couple of radio buttons: <em>Yep, go ahead!</em> (default) and <em>No thanks!</em>.</p>
<p>The problem is that nowhere is it clearly defined what functions selecting &#8220;Yep, go ahead!&#8221; will perform. If Twply had clearly spelled out <em>ahead of time</em> that by selecting the default the service will send a tweet <em>from your account</em> in support of Twply then the amount of anger would be minimal and misplaced. The onus would have been on the user. But because Twply failed to clearly demonstrate what selecting that option will do, the spamming onus is on them.</p>
<p>Outside of that issue, there is a larger one at play. Twply asks users to hand over their Twitter username <em>and</em> password. As of this writing, nowhere on the Twply web site is there a link to a privacy policy or terms of service. Nothing stipulates what Twply will do with <em>your</em> Twitter credentials.</p>
<p>Why the hell would you give this <em>unknown, untrusted service</em> your Twitter password? Most people reuse the same password across a variety of web sites. By handing over your username, which is probably similar if not identical on other services, <em>and</em> your password, you have now given the unknown, untrusted Twply folks the keys to your kingdom.</p>
<p>Given the nature of the Twitter API, Twply has no choice but to store the passwords it is given in a form it can send to Twitter again, i.e. unencrypted. As far as I know Twitter&#8217;s API does not make use of hashed passwords. When I coded <a href="http://jarkolicious.com/probes/2007/01/15/mailtwitterphp/">MailTwitterPHP</a> a couple of years ago, the API required unencrypted passwords.</p>
<p><a href="http://twitter.com/twply/status/1090365285">Twply&#8217;s response to the password encryption inquiry strains credulity</a>, stating that passwords are stored encrypted. If this is the case, the passwords are not hashed but encrypted with a two-way algorithm, which means they are just as unsafe as if they were unencrypted: the service must hold the decryption key in order to use the passwords, so anyone who compromises the service can recover every one of them.</p>
<p>More importantly, why doesn&#8217;t Twitter support <a href="http://oauth.net/">OAuth</a>? With such large penetration, and most use through third-party applications, it is amazing that Twitter can get away with not supporting OAuth or a similar authentication scheme. Flickr is the epitome of a well crafted third-party authentication scheme which can properly protect your account without giving an unknown, untrusted entity full and unfettered access to <em>your</em> data.</p>
<p>To summarize, there are a few takeaways here:</p>
<ol>
<li>In this day and age, if you are giving unknown, untrusted third parties your password then you have nobody but yourself to blame if, and when, your online identity is stolen or hijacked.</li>
<li>Twitter should be ashamed of themselves for not implementing some form of third-party authentication, such as OAuth.</li>
<li>If it walks like a duck and talks like a duck, then surely it&#8217;s a duck. Twply looks <em>and</em> acts <a href="http://scobleizer.com/2009/01/01/twitter-warning-your-data-is-being-sold/">very shady</a>. Do the math yourself.</li>
<li>I see absolutely no way to walk away from Twply. The site simply stores a username and password, with no type of account management page whatsoever. Twply is like Herpes and luggage - you have it for life!</li>
</ol>
<p>Some of the questions I would like to see Twply answer are as follows:</p>
<ol>
<li>Why does Twply have no privacy policy posted?</li>
<li>Why does Twply have no terms of service posted?</li>
<li>Why does Twply require Twitter passwords when it could merely convert user RSS feeds and email those? Finding @replies is as easy as using the Twitter API, which does <i>not</i> require a user&#8217;s password for most functionality.</li>
<li>Does Twply store Twitter user passwords unencrypted, encrypted or hashed?</li>
<li>How does a user who signed up for Twply opt out of the service at a later time?</li>
</ol>
<p>What do you think? Are people overreacting or is this issue a valid complaint? What are your thoughts?</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/97/on-twply-giving-out-your-password-and-other-security-issues/feed/</wfw:commentRss>
		<feedburner:awareness>http://api.feedburner.com/awareness/1.0/GetItemData?uri=techmiso&amp;itemurl=http%3A%2F%2Ftechmiso.com%2F97%2Fon-twply-giving-out-your-password-and-other-security-issues%2F</feedburner:awareness><feedburner:origLink>http://techmiso.com/97/on-twply-giving-out-your-password-and-other-security-issues/</feedburner:origLink></item>
	<feedburner:awareness>http://api.feedburner.com/awareness/1.0/GetFeedData?uri=techmiso</feedburner:awareness></channel>
</rss>
