Some time ago I wrote an article about the topic "Opensource and the security of the IT environment". In that article I pointed out that the internal/external use of assumed (!) relatively secure Open source systems does not help very much if some parts of the surrounding IT environment - especially the client environment - do not follow equally high security standards or if parts of this environment must be regarded as a a natural target of a broad and continuously evolving range of attack vectors. Which in my opinion e.g. is the case for current mobile technologies and a broad range of windows clients - besides several detailed aspects of web technologies in general. I took a rather technical view when writing the article.
However, due to a recent personal experience, I was reminded again that any risk analysis of a given IT landscape must also include security ignorant behavior and advice of the personnel of suppliers as Internet providers - especially such that are not ISO 27000 certified. Here is what happened to me lately:
I wanted to arrange the transfer of a Denic administered ".de" domain, which I administered in one of my web provider contracts, from an old customer to his legal successor. This domain was part of a contract of mine which regarding business and price conditions was in turn associated with yet another of my contracts with this provider. The web hosting provider - one of market dominating big ones in Germany - offers every customer a web access to an administration interface for all (!) of this customer's contracts with the provider and associated domains, mail addresses, ftp, ssh access rules etc..
In Germany and with the DENIC a web domain transfer between the old and the new registered owner is formally and legally handled by a procedure called "KK Transfer". To be able to handle the transfer relatively safely via Internet some of the big providers issue an KK "authorization code" which the old owner should give to the new owner. In addition the old owner has to explicitly and twice to accept the domain transfer on web administration interfaces - one time in general and the for a specific new contractor.
As I was abroad at the time of the intended transfer I asked my customer to get information from our common web provider company about the steps required to transfer the domain. My intention was to get some detailed information about the steps to be done on the contract and domain administration interface of the provider to generate he authorization code and related steps to agree to the domain transfer. Note, that his problem only is about a domain transfer. It does not touch any other aspects of my contracts with the web provider.
What happened afterwards was interesting in several aspects. The steps initiated by the provider without any authorization from me or any previous consultations with me included
- the demand to change my passwords online within 24 hrs
- the request to transfer my complete contract with all rights to the customer
- the request to send my password of the web interface for the administration of my contracts to my customer by mobile from abroad so that the customer could proceed with his/her planned changes of the website
- the request to sign a prepared PDF electronically and thereby to confirm a contract owner change.
Believe me, I was and am totally shocked. I have seen many strange and questionable things with web providers but this sequence of steps recommended to my customer included several severe security breaches and demands to ignore security aspects. And most of all it included a direct and severe breach of my contracts and its related confidentiality rules. Note again: None of the steps listed above is required to handle the KK transfer of a domain. But some of the requested steps touch also other domains for other companies plus license rights of software running for these other domains.
Because the whole thing is so severe, let me go into some details:
When my customer rang to the provider its accountant or service person obviously had a look into the contract associated with the domain and saw that this contract was discharged for November 2014. This special contract also contains several other ".de" AND international ".dom" domains which will be given back to the DENIC and international registration organizations in November but not before. Up to this point in time, there is software with license rights running for these domains.
The service person may have had the following "ideas" in mind when he/she suggested to my new customer to overtake the whole contract:
- The web provider company could charge the standard fees for the (old) running contract without any 6 or 12 months price reduction which at this time are offered in association with new contracts.
- The contract included other domains which in case of a contract transfer would stay registered with the provider - which of course is good for advertisement.
- The new customer would have a big advantage - because the domain(s) could be run as before without any changes and so the business of my new customer could start without any major interruption.
- As the whole contract would be transferred I as a provider customer would at once loose some of the price reductions I get for having several contracts with the provider.
After the telephone call of my new customer I consistently got an email with a request to change the password for my account administration web interface at the provider. Ironically, I furthermore got in addition several automatic mails to assess the quality of the service provided for me. Note, it was not me who contacted the company but their and my new customer.
After I contacted my customer by email about all this nonsense he came with a detailed description of the suggestions the web provider had suggested to him - the ones which I have listed above. In addition:
The password for [my !] web administration should be changed as soon as possible and then directly be transferred to my new customer via a mobile telephone service. Even before signing the PDF mentioned above....
Of course, I have not done any of the steps the provider suggested. But, if I had done what the provider had suggested the consequences would have been dramatic. Tere is a whole bunch of them; I only mention the most important ones.
- If I had sent my new customer the password to my account administration interface my new customer would gotten access to all of my contracts I have with the provider, all related domains, blogs, etc. He could have initiated a variety of contract changes and extensions in a legally binding way.
- He would have gotten direct access to any ssh, ftp and other access configurations of all of my web sites and web services hosted at the provider. He could have set up new user accounts and manipulated existing.
- My new customer would have had direct access to my and customer related databases, web pages, web software run on my own web sites and (more important) on domains for other customers.
- He could have changed web site contents; he could have stolen web server software with license rights developed for other customers.
- I would not only have lost all rights on the domains (not only the one to be transferred but also ones associated with web sites of other customers), but also on associated existing web space contents, databases, software etc. at once without a chance to backup and delete this contents before the aspired domain transfer.
I mean these are enough points to be shocked. But there are more aspects:
A view into the DENIC registration entries by the web provider#s personnel would have shown that some of the domains administered via my contracts are registered for other customers. The provider cannot release any contract associated with these domains without also contacting the legal owner of the domain.
A view into the web space would in addition have shown that there is still server SW running with associated databases. This automatically leads to the question who has the content and the license rights associated with this SW. This is something a provider must not ignore under any circumstances.
And then 2 obvious security aspects:
- The unencrypted sending of password reset links to mail addresses is in my opinion unfortunately common use of many web service providers. However, this is of course a security risk.
- The request to send a central and important password of a web administration interface for several interconnected provider contracts via mobile email service and/or mobile SMS from abroad to my new customer is, however, so blatantly security ignorant that I do not need to elaborate that further.
Incredible, isn't it? And all of it completely unnecessary. The question remains:
How can a service person of one of the 2 big web providers in Germany be so ignorant - for not to say stupid - to suggest such measures to a customer to handle a simple KK transfer? The suggested steps would have lead to a security and a legal mess.
I just needed to know where and how I could generate a "KK authorization code" and the following steps on my side. Which are simple, relatively secure steps and all of them require an interaction on my side, only, with my contract administration. "&nsbp;" How can this happen in a country that right now had to learn that nothing is save and genuine confidential in the Internet any more?
I do not get it! It provides a despairing insight. This may have been the failure or blunder of just one person. But it is an indication of the IT quality management at a whole of this web provider:
If specialized front personnel for the management of customer contracts of one of the biggest German web hosting provider is not trained to handle the steps and legal questions of a simple web domain transfer - what does this tell us about other security measures of such a company? What does it tell us about the security situation in this market in general?
I shall have of course a dialog with the customer relationship department of this company. After previous experiences I must admit I will do without much hope for any kind of understanding and/or improvement of the obvious disastrous lacks of understanding how to handle confidential contract information by the personnel of this company.
So, my real personal consequence is:
- Whatever you do on the Internet: In the assessment of every step take into account the utmost imaginable grade of ignorance of your provider and its personnel. However big the provider company may be.
- Whenever you have to judge or assess a security situation of an IT environment where web providers are involved regard these providers as a major source of potential security risks and analyze exactly what effects any mismanagement on the provider's side may mean for the security situation and the assets of your customers.
- Look even more closer if you yourself provide services for customers which in turn rely on provider services which you yourself rent.
- Have a look at the security certifications of the web provider company.
- Test your provider but asking it's service personnel how they would handle typical security relevant situations.