New blog

After giving it a significant amount of thought, I finally decided to switch my blog from Serendipity (s9y) to WP. The administrative backend is nicely polished, and highly extensible. The problem that pushed me to make the jump was that I started getting the dreaded “No data received” error at seemingly random times. After trying to find the solution to the problem, and continuously coming up empty handed, I switched. So far, I’m really liking the change, but now I need to customise and definitely do everything possible to increase the security. 😉

Equifax sends passwords insecurely in plain text leading to potential identity theft

The credit bureau Equifax claims to take various precautions regarding their customers’ personal information, and attempts to combat identity theft. However, if you ever need to contact their customer service for any reason (being locked out of your account, resetting your password, et cetera), they will send you your password in plain text. You might wonder why this is a problem, so let me tell you. When an individual sends an email, they type it in an email client like Thunderbird, Mail, Outlook (all known as Mail User Agents [MUAs]). The MUA then sends that email to a mail server running software to relay mail, such as Postfix, Exim, Qmail (known as Mail Transfer Agents [MTAs]). These MTAs then relay the mail to the recipient mail server, and the recipient’s MUA connects to his or her MTA in order to retrieve it. Basically, it looks like the following flowchart:

Sender’s MUA -> Sender’s MTA -> Recipient’s MTA -> Recipient’s MUA

or with examples, it may be:

Thunderbird -> Gmail -> Apple’s .me mail server -> Mail application in Mac

In between the sender’s MUA and the sender’s MTA, the email (which is broken down into packets of data) may pass through many different switches, routers, and other networking equipment. In between the sender’s MTA and the recipient’s MTA, the data will pass through even more networking gear. And, you guessed it, it will pass through even more pieces of networking equipment between the recipient’s MTA and the recipient’s MUA. During this chain of transfers, if the data is unencrypted, the text contained in the email can be intercepted and read without any problem. Therefore, sending a password in plain text provides many opportunities for that password to be intercepted, read, and subsequently used by the interceptor to log in to the account.
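As an added example (not code from the original post), here is a defender-side Python check of the chain just described: it walks a delivered message's Received: headers, one per hop, reports which hops declared a TLS transport, and flags a body that discloses a password. The message, host names and queue ids are constructed for the example.

```python
import email
import re

# Transports that RFC 3848 registers for TLS-protected SMTP sessions.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}
# Constructed sample message (not a real mail from any vendor); the Received:
# headers imitate the lines Gmail and Postfix write, newest hop first.
SAMPLE_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net [203.0.113.5])
\tby mail.example.org (Postfix) with ESMTPS id 4Fx1
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256);
\tMon, 1 Jan 2018 12:00:02 +0000
Received: from app01.internal (unknown [10.0.0.7])
\tby mx.example.net (Postfix) with ESMTP id 9Ab2;
\tMon, 1 Jan 2018 12:00:01 +0000
From: noreply@example.net
Subject: Your account

Your password is: hunter2
"""

def audit_hops(raw):
    """One dict per Received: hop, oldest first; tls=False marks a link on
    which the body (and any password in it) travelled unencrypted."""
    hops = []
    for header in reversed(email.message_from_bytes(raw).get_all("Received", [])):
        text = re.sub(r"\s+", " ", header)  # unfold the header
        src = re.search(r"\bfrom\s+(\S+)", text)
        dst = re.search(r"\bby\s+(\S+)(.*)", text)
        # transport keyword follows "by"; Postfix's "(using TLSv1.2 with cipher ...)" precedes it
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", dst.group(2)) if dst else None
        protocol = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({
            "from": src.group(1) if src else "?",
            "by": dst.group(1) if dst else "?",
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS
            or re.search(r"version=TLS|using TLS", text) is not None,
        })
    return hops

def plaintext_hops(raw):
    """The hops that carried the message without TLS."""
    return [h for h in audit_hops(raw) if not h["tls"]]

def body_discloses_credential(raw):
    """True when the body contains a 'password is/: ...' disclosure."""
    body = email.message_from_bytes(raw).get_payload()
    return re.search(r"(?i)\bpassword\s*(?:is|:)\s*\S+", body) is not None
```

Received: headers are written by the receiving servers, so they only show what each hop claimed; a hop marked tls=False is one where anyone on the path could have read the password.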

Equifax, a purportedly reputable firm that handles sensitive financial and personal information about its customers, sends passwords to their customers’ respective email addresses in plain text (without encryption)! They are trying to help prevent identity theft, but don’t seem to safeguard their customer accounts very well! This HUGE oversight makes me wonder if they are also storing customers’ credit card numbers in plain text in a database, or even Social Security Numbers (SSNs).

Add Equifax to the list of companies that really should hire a security consultant before being trusted with personal information.

|:| Zach |:|

Goodbye Aristotle

Today, I am retiring one of my previous servers, Aristotle. It has been a good machine, but I no longer need it because it has been replaced by a newer machine in a different datacentre. It had a good run of a couple years, with a nice uptime:

bsbc-aristotle aristotleadmin # w
18:22:34 up 475 days, 20:43, 1 user, load average: 0.00, 0.00, 0.00
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
aristotl pts/1 18:22 0.00s 0.02s 0.00s sshd: aristotleadmin [priv]

|:| Zach |:|