- Branding: I should have realized from the outset that I was in trouble when the service URL pointed outside of the agency intranet, to a site hosted by a company called TimeTrade. Users should immediately recognize this as a potential phishing attack and should question the legitimacy of the service. The link then directed me to a web site that contained some text announcing that it was associated with the agency, but gave no additional information to allow the user to validate its authenticity. The site is mostly a generic web page with no linkage to the organization it supposedly supports. Searching the agency intranet also failed to provide any clues. For all I knew, the web site was simply a means to capture my personal information for some other use. These are all signs of a very immature service and a failure by the contracting organization to enforce a minimum set of good security practices.
- Credentialing: I'll credit TimeTrade with cautioning users not to use their agency password to log in to the system. However, after directing first-time users to a registration page, it fails to repeat the same warning where a user enters a password for the first time, negating the effectiveness of the warning for all users (since current users have already registered and have likely given their agency password to this unverified external company). The biggest problem, though, comes from the confirmation email that I mentioned at the beginning of this post. Emailing a password in cleartext is a violation of just about every security standard, including NIST SP 800-53, and it also points to a host of other violations. Most striking is the failure to protect the stored password with a very common hashing or encryption process so that even system administrators cannot easily recover it. By applying this very common practice, TimeTrade users would be protected even if they did make the common mistake of using their agency password to access the service. Beyond those violations, TimeTrade also fails to provide any ability to cancel user accounts or to change passwords. The "Forgot Password" function simply sends a new email that contains both the username and password of record for the given user.
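The practices this item calls for (store only a salted, slow hash so that administrators cannot recover the password; let users change their password and cancel their account; make "Forgot Password" issue a one-time, expiring reset token rather than mailing the password back) are shown together below. This is an added example written for this post, not TimeTrade's code or anything known about how its service is built; the in-memory `UserStore`, the PBKDF2 iteration count and the 15-minute token lifetime are my own constructed choices, and a real deployment would persist the same data in a database and put the token into an emailed reset link.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Assumption: a value in line with
# current OWASP guidance; tune it to the hardware you actually run on.
PBKDF2_ITERATIONS = 600_000
# Assumption: reset links stop working after 15 minutes.
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing salted hash; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def _token_key(token: str) -> str:
    # Only the hash of a reset token is stored, so a copy of the table is useless.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class UserStore:
    """Constructed in-memory account store used to illustrate the practices above."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS) -> None:
        self.iterations = iterations
        self.users: Dict[str, str] = {}                    # username -> password hash
        self.resets: Dict[str, Tuple[str, float]] = {}     # sha256(token) -> (username, expiry)

    def register(self, username: str, password: str) -> None:
        if username in self.users:
            raise ValueError("username already registered")
        self.users[username] = hash_password(password, self.iterations)

    def login(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        return stored is not None and verify_password(password, stored)

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Require the current password before replacing the stored hash."""
        if not self.login(username, old):
            return False
        self.users[username] = hash_password(new, self.iterations)
        return True

    def delete_account(self, username: str) -> bool:
        return self.users.pop(username, None) is not None

    def request_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """'Forgot Password': return a one-time token for an emailed reset link.

        Nothing about the password leaves the server (it cannot: only its hash exists).
        The caller should send the same response whether or not the user exists.
        """
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        expiry = (time.time() if now is None else now) + RESET_TOKEN_TTL_SECONDS
        self.resets[_token_key(token)] = (username, expiry)
        return token

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Consume the token (single use), check its expiry, then set the new hash."""
        entry = self.resets.pop(_token_key(token), None)
        if entry is None:
            return False
        username, expiry = entry
        if (time.time() if now is None else now) > expiry:
            return False
        self.users[username] = hash_password(new_password, self.iterations)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("demo-user", "correct horse battery staple")
    print("stored record:", store.users["demo-user"])      # hash only, no password
    token = store.request_reset("demo-user")
    print("what the reset email would carry:", token)      # a token, not a password
    print("reset accepted:", store.complete_reset(token, "a new passphrase"))
    print("login with new passphrase:", store.login("demo-user", "a new passphrase"))
```

Two details carry the security weight here. The stored record contains a per-user random salt and the iteration count, so identical passwords hash differently and the work factor can be raised later without a migration; and the reset token is stored only as a hash, popped on first use and checked against an expiry, so a leaked mailbox or a copied reset table yields nothing reusable. The `now` parameter exists so expiry can be exercised deterministically.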
Perhaps we've just become immune to security messaging. After all, what real threat is there in divulging little more information than my LinkedIn profile already contains? Given that companies continue to make the same mistakes that their predecessors made in years past, I'm not sure that we're really learning from those mistakes. In this case, TimeTrade is just as at fault for selling a product that demonstrates questionable security practices as the agency that procured it is for not conducting even a cursory security assessment. Users, including myself, are just as at fault for not recognizing the many threats associated with using the site. Being required to use it doesn't mean that we shouldn't ask questions.
Organizations need to take care when moving to cloud services such as this one marketed as a "Software-as-a-Service." While cloud services provide the ability to rapidly deploy simple solutions, organizations should know what they are buying before they sacrifice quality for cheap and easy delivery.
This posting originally appeared on the InfusionPoints blog site on February 8, 2012.