Mar 10 2010

Gowalla location spoofing

Gowalla is an application that claims to be “the easiest way to share places you go with friends”. The application runs on iPhone and Android devices, and uses your GPS location to create “Spots”, and allow you to Check In at a Spot. You can tie your gowalla account to your twitter account, or your facebook account, so that updates are automagically posted to these services. When Adam pointed out the research he had done with decloaking a user’s private checkins, I noticed that part of the information posted was the GPS lat and long. This got me wondering if I could go ahead and post a false lat and long to checkin from someplace other than where I was currently sitting (which is usually my couch). Some discussion ensued, and shortly Adam sent me a couple scripts he had hacked up that would allow me to create a Spot, then checkin from that Spot. All I need to provide is GPS coordinates, and associated trivia like a comment, a name for the spot, etc.

So I took a trip to Mt. Everest. One of my followers on twitter (Hi Adam!) retweeted my checkin, and within a very short time (definitely less than 30 minutes, but I can’t be more exact than that), my account had been removed, along with my Spot for Mt. Everest. This irritated me a little bit. In my eyes it would have been appropriate to at least contact me and say “Hey, you’re bending the rules, knock it off,” but they didn’t, it was just wholesale account-slaughtering time. After reading through the Terms of Service and not finding anything that I could see that I had violated, I went ahead and created a new account, “gowalla sucks”, using the same email address and twitter account I had used on my previous account. Then I went to Antarctica.

BRRRR!!!!

After confirming that the spot was created, checking in, and making sure it posted to my twitter feed, I went about my business for awhile. A short time later I came back to gowalla, to see if they had trashed my new account, only to discover that my name was now “gowalla isyournewbestfriend”, which I think was a much more appropriate response than just removing the account, and pretty funny, to boot.

It is worth noting at this point that I don’t have an iPhone, nor an Android device. These scripts interact with the Gowalla API directly from the webpage. Which brings us to the moral of the story: much has been said about the wisdom of advertising your location to the whole wide world (check out pleaserobme.com if you haven’t yet), but little so far about advertising false locations, which could be just as problematic. The day is not far off when a criminal will try to use a facebook status update, or a gowalla post as an alibi, stating “I couldn’t have killed my wife, I was across town, here is proof!” (if it hasn’t happened already). Of course, the flipside actually adds a layer of obfuscation: Need to fool your stalker? Just post a bunch of bogus updates, and she’ll run herself ragged trying to track you down. Food for thought, nothing more…

Thanks to Adam, Adam, and the penguins in McMurdo Sound for their support and assistance bringing this (sort of) important issue into the light.

UPDATE: While I was typing this up they removed my spot for McMurdo Station Ice Runway. Shame on you gowalla! There’s nothing in your terms of service that says I have to check in from WHERE I ACTUALLY AM.
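As an added example (not from the post or from Gowalla), this is the kind of defender-side plausibility check a location service can run over client-supplied coordinates: it flags any check-in that would require impossible travel from the previous one. The check-ins, coordinates and timestamps below are constructed for illustration.

```python
import math
from datetime import datetime

# Constructed sample: a check-in from the couch, "Mt. Everest" twenty minutes
# later, then back on the couch the next day. Coordinates are approximate.
CHECKINS = [
    {"spot": "couch", "lat": 33.4484, "lon": -112.0740, "at": "2010-03-10T12:00:00"},
    {"spot": "Mt. Everest", "lat": 27.9881, "lon": 86.9250, "at": "2010-03-10T12:20:00"},
    {"spot": "couch", "lat": 33.4484, "lon": -112.0740, "at": "2010-03-11T12:20:00"},
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; faster than this is impossible travel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def flag_impossible_travel(checkins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (spot, implied_kmh) for every check-in whose distance from the
    previous check-in, divided by the elapsed time, exceeds max_kmh."""
    flagged = []
    prev = None
    for c in sorted(checkins, key=lambda c: c["at"]):
        if prev is not None:
            elapsed = datetime.fromisoformat(c["at"]) - datetime.fromisoformat(prev["at"])
            hours = elapsed.total_seconds() / 3600.0
            dist = haversine_km(prev["lat"], prev["lon"], c["lat"], c["lon"])
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                flagged.append((c["spot"], round(speed)))
        prev = c
    return flagged

if __name__ == "__main__":
    for spot, kmh in flag_impossible_travel(CHECKINS):
        print(f"suspicious check-in at {spot}: implies {kmh} km/h since previous check-in")
```

The return trip a day later is not flagged, since ~12,900 km in 24 hours is within airliner speed; the twenty-minute hop to Everest is.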

Jun 03 2009

Antivirus software is not a security panacea

Do you own a computer? Since you’re reading this let’s assume that you do. Does your computer have anti-virus software? Since you’re a reasonable, intelligent human being, let’s assume that it does. Do you also run something like Malwarebytes or SpyBotS&D? Since you’re a responsible netizen, let’s assume that you do. Does this mean that your computer is “secure”? Since your computer is on 24 hours a day, 365 days a year, let’s assume that it isn’t.

I can hear all of you now: “My antivirus is up to date! I’ve got nothing to worry about!”, “My spyware definitions are current, I’m protected!” The problem lies in a couple of factors: first, your antivirus was up to date the last time it was updated. Ten minutes later, you are still vulnerable. Second, I can’t count how many times I have been asked to look at a computer that was “running slow” or “acting funny”, only to find that it had been all but taken over by malware. These are computers with updated anti-virus, owned by people just like you and me who religiously check their systems for evil bits and eradicate them. Just kidding! Most of the time, I find the anti-virus software is out of date (usually because the subscription expired), and nobody has ever taken the time to check for malware.

The truth is, anti-virus software is, at best, an arms race. The companies who make anti-virus software are forever playing catch-up to the people who write the viruses. They are perpetually one step behind, by design, because their technology is REACTIVE rather than PROACTIVE. Anti-virus software cannot protect you until the bad stuff has already made it to your system, by which time it may be too late. In addition, if you don’t know what you’re doing you can actually harm your system by trying to run too many of these anti-malware applications at the same time, or worse, reduce productivity while people try to work around a system that is not optimized for your environment. If your system is too aggressive people will get in the habit of “clicking ok to make the box go away”, which can actually leave you more vulnerable to attack than if you didn’t have the software in the first place.

All of that being said, most anti-virus software does an excellent job of protecting you from known threats. Anti-malware software helps to clean your computer up after the evil bits have been installed. Both of these are important pieces of the security puzzle, but anyone who tells you, “Install this piece of software and you’ll be completely secure!”, is trying to sell you something. Any “security assessment” that only looks at whether your anti-virus software is up to date and you have the latest Microsoft patches installed is not a security assessment.

A lot of people today sell software wrapped up in a package with SECURE!!! written all over it; the number of people who can actually help you secure your priceless data is far lower.

Aug 01 2008

Social Engineering Rides Again!

One of my clients uses a large Business Solutions provider to manage payroll and benefits over the web. This provider requires that each user with access to their system has a personal certificate, as well as a userid and password in order to access their site. This is outstanding! Two-factor authentication is great!

Unfortunately, when you reissue the certificate based solely on a phone call, to a caller-supplied email address, your two-factor authentication doesn’t work so well. We recently migrated this client to a new domain. During this process, one user’s certificate was somehow corrupted. She could no longer access the website. After trying to re-import the certificate from a backup, we wound up calling support. The support staff was friendly and helpful, until they discovered that I was not an “approved contact”, at which point they told me the call could not proceed until they got authorization from an approved contact. Bravo! This company clearly pays attention to security. And with access to so many people’s PII, they should!

On a whim, I asked the support representative who was authorized to approve me, and to my dismay, he gave me three names. “Hold on a sec, I’ll get $approved_contact_1,” I said. I walked into the next office, got her, and returned. “Here’s $approved_contact_1,” I told him, and hit the speakerphone button. The rest of the dialog went like this:

SR: “Is this $approved_contact_1?”

AC1: “Yes.”

SR: “Is Aaron authorized to contact me regarding your account?”

AC1: “Yes.”

SR: “Ok, thanks for your time.”

My jaw dropped. He didn’t offer to call the number they had on file for the company and speak with one of the approved contacts. He didn’t ask the approved contact to answer any of her security questions. He didn’t do ANYTHING to verify that the call was legitimate, or that the approved contact was who I said she was.

At this point, we went through several troubleshooting steps, none of which addressed the problem. The support rep finally decided that the best way to fix this problem was to reissue the user’s personal certificate. Imagine my surprise when he asked me what email address I would like the certificate request sent to. Wondering if they could be this silly, I gave him one of my email addresses, one that clearly did not belong to any of the approved contacts, let alone the user who had a problem. Now imagine my astonishment when the certificate request shows up in my inbox. Surely they can’t be this cavalier with access to their site?!?

I went through the process as outlined in the certificate request email, and at some point was prompted for the user’s credentials. She had stepped out for lunch by then, so I couldn’t have her type in her password. I offered to call back when she was available, but this support rep was REALLY helpful, so he went ahead and reset the user’s password for me. Wait…What? I didn’t ask him to do that. So now I have the user’s personal certificate, the user’s userid (provided in the certificate request email), AND her password. Wow. It’s a good thing they use two-factor authentication…

The moral of the story:

Customer service is very important in today’s marketplace, and I hate to bag on a company for providing support that is too helpful, but seriously, you don’t go around providing access to sensitive resources without doing SOME kind of verification. Had I been an attacker, I would have the keys to the kingdom, and all the social security numbers and other information I could eat. If you’re going to be working with PII, please make sure your support staff knows how to deal with these types of situations.

Jul 08 2008

Social Engineering and Physical Security; or, How to Open a Safe When you Don’t know the Combination

So my wife manages a retail store. Some time ago they were the proud recipients of a new safe for storing important things, such as money. This left their old safe languishing on a shelf, never to be used again. There sat the safe, for many moons, until one day my wife’s regional manager asked her why they had an extra safe sitting on the shelf. My wife explained that the replacement safe was more than adequate for their safe-having needs, and furthermore, it had been so long since anyone had used the little safe on the shelf that nobody knew the combination anymore. “Get rid of it,” says the regional manager, “I don’t care what you do with it, but make it disappear.”

This is where I come in… I volunteered to take the safe off her hands for the very reasonable fee of $I’llcomegetit, which she happily accepted. “But Aaron,” you’re probably saying to yourself, “nobody knows the combo. This safe is useless unless you spend a bucket full of money to pay someone to open it!” At least that was the general consensus among my friends and family when I bragged to them that I had a safe I couldn’t open. But I have a secret. A good friend of mine is a locksmith. He has this really neat gadget called an autodialer. It’s basically a stepper motor hooked up to a microcontroller that cycles through all the possible combinations until it finds the right one. Easy-peasy, right? Wrong.

We hooked the autodialer up, found the drop point for my dial, and set it to run. My locksmith friends told me that it could take up to 48 hours for the autodialer to find the right combination, so I left it in the garage, dialing its little mechanical heart out. As it turns out, the alignment on this device has to be spot on, because the stepper motor detects when it can no longer turn the dial and assumes that it has found the combination. Then it stops trying. Due to the mechanics of hooking the dialer up, it’s very easy to get it slightly out of alignment, especially when the dial on your safe doesn’t turn completely true, as was the case with my safe. This results in a dialer that thinks it found the combination, when it hasn’t. To make a long story short(er), we didn’t have the dialer lined up properly. We didn’t have it lined up correctly the second or third times, either. The fourth time, I thought we had it, and it dialed for about 25 hours before it stopped. Still no combo.

Fast forward three days… I’ve reset the dialer numerous times. Each time it dials for longer stretches, but always stops short of finding the combination. Somewhere in the middle of all this, we decide to call the safe manufacturer to inquire about drill points for this model, just in case. While on the phone with their friendly and helpful support staff, we discover that this safe uses a right-hand dial lock, rather than the standard left-hand dial. Which means we’ve been dialing the wrong direction for two days. Crap. We reset the dialer for right-hand dialing, and let it run for almost two full days. Still no combo.

At this point, we make the decision to drill the safe. I’ve seen lots of movies where people drilled into a safe and manipulated the lock, how hard can it be, right? Turns out it’s pretty hard. Even if you have the right equipment. And a lot of time. I mean a LOT of time. The actual drilling of the safe wasn’t too bad. The Locksmith has a nifty rig that attaches to the safe and holds a drill bit in exactly the right spot. You hook a drill motor up to this apparatus, and run the bit in slowly, so as not to break it. This particular door is 7/16″ thick, and has a 1/4″ hardplate, which is high carbon steel, behind it. Then there’s the lock body. Once you drill the hole, you stick a borescope in, line up the wheels, and you’re off to the races. Easy-peasy, right? Wrong.

First, you have to know where to drill the hole for the particular lock on your safe. If you’re a locksmith, this isn’t so hard. I was surprised to discover that if you’re not a locksmith, it isn’t so hard either. As I mentioned earlier, we called the manufacturer to ask about drill points. On the initial call, we were told that we needed to provide several forms of proof that we were either a) the legitimate owners of the safe, or b) qualified locksmiths working for the legitimate owner of the safe. We gathered the necessary info while the dialer ran its last run, and when it failed, we called them back. We should have just called back, since the second person we spoke with didn’t bother to verify any of our information. Instead, he gave us the “try-out combination”, which is the default combination as shipped from the factory. All safes have try-out combinations, and you would be surprised to find out how many people never change this default combination. He also gave us the drill points for a borescope, and for the fence. Without verifying any information. So if we HAD stolen this safe, we would now have the default combination, as well as the drill points. The default combo didn’t work, so we decided to drill for the borescope method. Easy-pe…oh forget it, it’s not easy.

You see, looking through the borescope and trying to line the wheels up is like trying to tie your shoes while looking through a telescope. Everything is so close, it’s hard to tell what you’re looking at. You also don’t get a perfect look at both the wheels and the fence, so you have to keep shifting back and forth, all the while keeping the wheels lined up. This requires patience, a steady hand, and patience. To make a long story short(er) again, we did finally get the safe open.

It is entertaining to me that the safe manufacturer would give out information such as the try-out combo or the drill points without any verification that the person on the other end of the phone was legit. It goes to show that social engineering is an important aspect of your security. If an attacker can compromise your security by making an anonymous phone call, do you really have any security at all?