I saw an article that talks about best practices for vulnerability disclosure. White Hat Security follows me, and this blog post, "Best Practices for Vulnerability Disclosure", is written by Matt Hutchinson, who has some great ideas.
If I were ever to be breached, you bet I'd want to notify the people who were affected as quickly as I could. At MENVI, an internal discussion took place on how we can protect our roster from people who shouldn't get it. The reason is that potential bad actors can fill out the application just like a legitimate user can, and if they are clever enough, the roster can go to them. This can't be good for MENVI as a whole.
Our processes are as sound as I can make them, but there is always the potential for a mistake. That's why we've discussed adding just one additional step for membership.
Here is one such application we’ve gotten where it is clearly spam.
Below is the result of your feedback form. It was submitted by
() on Thursday, March 05, 2020 at 07:24:30
update_type: I’m a new member – “first time” registering with the network
Parents_Name: LelandTweft
Student_Name: LelandTweft
Address: http://www.annakarinnyberg.se/atarax.html
Address2: Piran
City: Piran
State_Province: Slovenia
Country: Slovenia
Zip: 122423
Phone: 87777757251
Educator_or_transcriber: I am an educator and transcriber
Educator_Name: LelandTweft
Educator_Affiliation:
Educator_Position:
educator_address_type: school
Educator_Address: Piran
Educator_Address2: Piran
Educator_City: Piran
Educator_State_Province: Slovenia
Educator_Country: Slovenia
Educator_Zip: 113142
Educator_Phone: 85831368572
educator_email:
Musician_Name: LelandTweft
Musician_Address: Piran
Musician_Address2: Piran
Musician_City: Piran
Musician_State_Province: Slovenia
Musician_Country: Slovenia
Musician_Zip: 132111
Musician_Phone: 89957593386
musician_email:
online_method: I would like e-mail delivery (menvimail)
Discussion_Llist_Subscription_option: I prefer to subscribe at a later time
Email_Discussion_Subscription:
Comments: natural herbal diuretics http://www.annakarinnyberg.se/atarax.html remedies for hemmoroids
submit: Send this form to the MENVI Online team for processing
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
REMOTE_ADDR: 51.15.15.164
Please do not click the links! The HTML was coded directly into the form, and this may not be safe. This application is one of many like it that we get. You can also tell that they fill out everything, and in a normal application that is not the case. I'm talking in particular about the line within the processed form that says: "submit: Send this form to the MENVI Online team for processing". That line is not present in a legitimate form.
Let's say that MENVI had a breach, with this applicant violating our policies and selling our entire roster. We'd have to find a way to get everyone notified of the issue, because MENVI is very protective of our members, and we do not want them to be harmed by these types of actors because of our negligence and stupidity.
To show you the difference between a bogus application and a real one, here is a real one in which I've already removed the information that I don't want made public; you'll still see the difference between it and the application above.
From: “nobody”
To: menvi-webmaster@menvi.org; jacobsexton@menvi.org; jrimer2010@gmail.com; jessica.cabot@menvi.org
Subject: MENVI application form submission
Date: Wednesday, February 09, 2011 7:35 PM
Below is the result of your feedback form. It was submitted by
() on Wednesday, February 09, 2011 at 20:35:16
MusicianName: Alvino Alberto
Musician_Age: 26
MusicianMusical_Instruments: Piano, Organ, Accordian, Saxiphone, Clarinet, Flute.
MusicianAddress: (blocked out for example purposes)
MusicalCity: (blocked)
musical_state_province: Quebec
musicalcountry: Canada
MusicalZip: h3t1b6
Musician_Phone: (removed)
musician_email: (removed)
Newsletter_Type: online
online_method: I would like e-mail delivery (menvimail)
update_type: I’m a new member – “first time” registering with the network
subscription_option: I would like to subscribe to the MENVI discussion list
Email_subscription: (removed)
comments: I found you through an email sent to me by Mr. Richard Taesch.
HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729; .NET4.0C)
REMOTE_ADDR: 24.122.166.217
I removed information on purpose, but the original application contained the address, email address, and other information we need to mail and communicate with the applicant. The applications are stored and backed up in case of a hard drive failure, and we've never had any issues with people like this applicant having their data exfiltrated because of our stupidity.
The article I link to above is one I'm happy to share, because it shows how I've done the best I can not to be part of the problem. Did you know that breaches are occurring every 39 seconds? The linked article talks about a study that lists various practices people are still following, including using common usernames and passwords, and what not to do.
Do you have any thoughts on what the best practices are for your particular situation, whether personal or business? Just because you don't have databases of people like I do doesn't mean that you don't store numbers and other info someone may want once they get in. It's a big problem that everyone should get behind to try and fix, or at least to reduce the chances that the information they have is taken. It's continuing to happen, and these articles and the samples of what I see may help you tell the difference between something legit and something not legit.
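The tells described above (a link or raw HTML pasted into address and comment fields, the "submit:" line echoed back by the form mailer, and the same name dropped into every name field) can be checked mechanically before an application is ever added to the roster. The script below is an added example written for this post, not code from MENVI or from the form mailer; the two sample messages are constructed to mirror the shape of the spam and legitimate submissions shown above, with placeholder names, URLs, addresses and IP ranges rather than the real values. The field names, the `classify` function and its threshold are assumptions for illustration, and nothing is auto-approved: a submission that trips fewer than two indicators still goes to a person for review.

```python
import re

# Patterns for content that has no business in a name, address or comment field.
URL_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)
HTML_RE = re.compile(r"<[A-Za-z/][^>]*>")

# Fields the form mailer appends itself; a URL in them is not evidence on its own.
ENVIRONMENT_FIELDS = {"http_user_agent", "remote_addr"}


def parse_submission(text):
    """Turn the 'Field: value' lines of a form-mailer message into a dict.

    Keys are lowercased so that MusicianName / Musician_Name style variants
    from different form versions compare the same way. Lines without a
    'key:' prefix (the mailer's own boilerplate) are skipped.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def spam_indicators(fields):
    """Return the list of reasons a parsed submission looks scripted."""
    reasons = []

    # 1. A link or HTML markup in a field meant for a name, an address or
    #    free text: the hallmark of the spam sample in the post.
    for key, value in fields.items():
        if key in ENVIRONMENT_FIELDS:
            continue
        if URL_RE.search(value) or HTML_RE.search(value):
            reasons.append(f"URL or HTML markup in field '{key}'")

    # 2. The submit button's value appears as a field. Legitimate submissions
    #    in the post never show it; scripts that post every input do.
    if "submit" in fields:
        reasons.append("'submit' field present in the processed form")

    # 3. The same string pasted into every *name field (parent, student,
    #    educator, musician): a bot filling everything rather than a person.
    name_keys = [k for k in fields if k.endswith("name")]
    distinct = {fields[k] for k in name_keys if fields[k]}
    if len(name_keys) >= 3 and len(distinct) == 1:
        reasons.append(f"identical name in {len(name_keys)} name fields")

    return reasons


def classify(text, threshold=2):
    """Classify a raw form-mailer message (threshold is an assumed tuning value).

    Returns ('likely-spam', reasons) when at least `threshold` indicators fire,
    otherwise ('manual-review', reasons); nothing is ever auto-approved.
    """
    reasons = spam_indicators(parse_submission(text))
    verdict = "likely-spam" if len(reasons) >= threshold else "manual-review"
    return verdict, reasons


# Constructed samples modelled on the two messages in the post; names, URLs,
# addresses and IPs are placeholders, not data from the real applications.
SPAM_SAMPLE = """\
Below is the result of your feedback form. It was submitted by
() on Thursday, March 05, 2020 at 07:24:30
update_type: I'm a new member - "first time" registering with the network
Parents_Name: BotName
Student_Name: BotName
Address: http://spam.example/pills.html
City: Piran
Country: Slovenia
Zip: 122423
Phone: 87777757251
Educator_Name: BotName
Educator_Affiliation:
Musician_Name: BotName
Comments: herbal remedies <a href="http://spam.example/pills.html">here</a>
submit: Send this form to the MENVI Online team for processing
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36
REMOTE_ADDR: 192.0.2.10
"""

LEGIT_SAMPLE = """\
Below is the result of your feedback form. It was submitted by
() on Wednesday, February 09, 2011 at 20:35:16
MusicianName: Example Applicant
Musician_Age: 26
MusicianMusical_Instruments: Piano, Organ, Clarinet
MusicianAddress: 12 Example Street
MusicalCity: Montreal
musical_state_province: Quebec
musicalcountry: Canada
MusicalZip: h3t1b6
Musician_Phone: 555-0100
musician_email: applicant@example.org
update_type: I'm a new member - "first time" registering with the network
subscription_option: I would like to subscribe to the MENVI discussion list
comments: I found you through an email sent to me by a colleague.
HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
REMOTE_ADDR: 198.51.100.7
"""

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        verdict, reasons = classify(sample)
        print(f"{label}: {verdict}")
        for r in reasons:
            print(f"  - {r}")
```

Run against the constructed spam message this reports four indicators (links in the address and comment fields, the echoed submit line, and one name across four name fields) and flags it as likely spam; the legitimate-style message produces none and is left for a human to read, which is the step the post says MENVI is considering adding.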
Discover more from Jared's Technology podcast network
I’m not in disagreement with these comments.
Well, reporting it to your users when you find out what has happened.
Also making sure you can answer your users' questions.
For example, they will want to know if you followed best practices with this.
If, for example, all updates were done, and everything was checked and noted, I's and P's crossed, etc., no one is going to kill you if you did everything.
If you didn't, they will ask why.
And if they find out that you didn't or made a mistake, your ass, as they say, is grass.
And it's not going to be the guy that screwed up in the first place that gets the chop.
It will be the guy at the top, you! So it's your ass, and they will want answers and maybe revenge.
Hiding it, well, it's not a good idea.
Also knowing you did everything you can do.
I have done everything I can do within reason: backups, updates, etc., anything a normal user would.
On this blog not only do I try to keep things updated, I also look at things like how to hack a blog like this, and seeing if we are covered by what we have.
How to avoid certain situations like expiring security certs, domains, etc.
How to better notify admins and protect against spam.
How to safeguard logins without impacting the user too much.
I also know when to leave alone.
Right now the website is as secure as I can make it.
You must be reasonable, and that's all you can ask.
Half my time I service systems, I have to deal with the other side: pirating, cracking, not updating, and all sorts of junk.
When I interrogate the user in question, I find out in most cases that they can't afford it or they don't know, or, well, any other things, but usually somewhere along the line company X has become unreasonable.
Your users will not follow rules X, Y and Z, because if they don't, they get penalised.
They will crack your software, install all sorts to stop you getting updated and having things shoved down their throats, etc.
A thing Microsoft should really learn.
Two days ago they tried to shove MS Hello down my throat on all my Win10 systems, and even, to some extent, pushed an MS account onto my system without asking me.
I was able to remove their interference.
I understand why they do this, but shove it down and your users will not like you.
They need a reason to do it and a reason why doing it doesn’t work.
Or will cause issues.
Your users will do almost anything if it makes them more secure and or improves their lives.
They will not give you more cash than is absolutely necessary to keep their expensive systems that probably cost them more than enough running!
And if something fucks up they will not appreciate you if they get the blame!
Sadly there are just too many companies and businesses like this.
On several forums and lists I am unpopular because I go against the grain of some of the secure things.
Right now I am against a Microsoft account at login.
Why? Because you don't need it.
Using an apps account is far better and you have control.
Unless you subscribe to Office 365, use an Outlook.com email, or anything like this, you don't need to log in.
I have heard that OneDrive, while it's fine for Microsoft files, is just slow and crappy for anything else.
With Microsoft selling its music to Spotify now, and bar its movies and apps, there is no point.
The last thing is settings syncing.
Well, you don't strictly need to log in with an MS account to do that.
And if your account has a password, Microsoft will think you are logged in with one of its accounts anyway.
Plus, unless you are on the go and close to the net, you will need the net to sign in.
Maybe not all the time, but Microsoft will need to verify itself somehow.
I don't believe that Microsoft won't actually need you to be online for that.
Plus, with all the airport security, it's almost worth not having a password on your laptop at all if they will potentially want you to give your password to them.
In fact I go a step further: unless I need it, I wouldn't take my laptop anywhere near an airport or public wifi at all.
Now take that with Google.
People complain a lot about privacy and security.
But maybe it's because all they get from Microsoft is use of its products, and unless you need them for business, most of us couldn't give a male cat's dong!
In Google's case, I am fully happy to give them my private information, and I am happy for them to sell it to whoever they want, even if it means some bad guys could get it.
Why?
Because I get so much for it.
Secure mail, maps and GPS, all those nice shiny Android things.
Voice assistance and more.
My privacy for a lot of services, and stable ones at that.
Sure why not, just keep giving me more and I’ll give more.
Even this site has been plugged into the Google network.
What does Microsoft give me?
Microsoft Windows, Office, OneDrive storage for documents, an Outlook email address and Xbox.
Also apps, and maybe some movies if I care.
What does Microsoft not give me?
DRM-free music, third-party products, and in short non-Microsoft services; they don't even have books anymore.
They are killing Cortana services on smartphones and moving to product-based services.
Let's see: enterprises and businesses, and maybe some gamers on the side.
They give almost fuck all to the consumer bar their OS, and that's mostly for businesses anyway.
They have failed with their phone; they have scaled back services when others like Google have asked for and added more.
If you are in a certain group you will be happy to give your family to the Microsoft collective.
But most of us are probably not in that group.
I am a consumer, yes, but I am not or never will be in big business.
Why should I care about Office? Why should I care about the Microsoft cloud services?
All I know is that I have a big company taking my private information for no gain to me.
The same goes with some of these breaches and such.
Best practice for some of these issues is to make sure your users are happy so they report some hacks to you or other things.
And if you are hacked, your reputation will depend on the users too.
If Google got hacked, sure, I'd be concerned, because they are quite secure.
If Microsoft got hacked, sure, I'd be concerned, but if I had my system with a Microsoft account, and Microsoft got hacked, well, there goes my computer, and all my files and everything on it, potentially.
Users need to trust the companies they use as well.
Maybe some of my fears are unfounded but some companies could do more to assure users they are on the right track as well, it works both ways.