About Security
There are rarely talks about security breaches and problems that did or could result from those breaches in the public. The reason for that are simple, it is often embarrassing for the owner of the compromised account to admit the breach and for the solution provider to get possible flaws exposed that could result into a loss in confidence by existing or future clients into the safety of the clients data that were entrusted to the provider.
The fact is that there is in most cases no reason for embarrassment, if the account owner and the solution provider did everything they could to prevent breaches in the security to the extent that is justifiable and practical considering the type of data that need to be protected and the possible consequences for the involved parties if a breach does occur.
Of course are breaches because of disregard of fundamental does and don’ts embarrassing and not worth to be the subject of a public debate. I am referring to things like the use of “guessable passwords”, such as “password”, “master”, “root” or the first name of the child of the account owner or the fact that factory/system default passwords were not changed, even though the owner was aware of the existence of such things. Also the deployment of fundamental security measures such as firewalls, anti-virus and anti-spyware, proper encryption of data and communication between server and clients and the deployment of the latest security updates to the software that is used on any side, the users and the software provider’s side.
There is NO such Thing as 100% Secure
Even if you do anything right, does it not mean that you are 100% safe and invincible against security attacks, that are targeted or untargeted. You would be a fool who is disconnected from reality if you would believe that.
There is no 100% security! Most security relies on the fact that the amount of time and resources necessary to breach the security does it not make worthwhile for an attacker to attempt to break the security of a system or account. If the benefits or gain of breaking into a system or account are worth less than what it takes to actually do it, most attackers are compelled and your system can be considered pretty much safe. The problem is always the type of attackers who don’t want to gain anything but the exploitation and detection of security holes in systems they choose to attack. Those folks are commonly referred to as ethical hackers or “white hat”; because they help companies to make their systems more secure and improve on the implementation of the right security precautions.
Having a Plan If the Unlikely Does Happen
Since nobody can ensure 100% security, is it vital to have a plan and process in place and ready to deploy in the event that a breach does happen. I am always amazed (in a bad sense) to learn that even large companies fail in this respect and do not have plans or procedure to follow in case the unlikely but possible event does actually happen. Google seems to be one of those companies who fail to have a plan for such events. This is disturbing to me, because Google increased their efforts to consolidate and integrate the accounts of their various services into as few accounts as possible and eventually into a single master account that allows access to everything, from AdSense to YouTube.
Real World (BAD) Example
How do I know this? Well, I experienced the unlikely event myself with a personal YouTube account, which I did not link to any of my Google accounts yet, except for a one-way connection to my Google AdSense account. The account is not critical to me (thank god) and also does not expose much access to personal data due to the way how I use the account and the fact that I did not link it to a Google account that would enable the attacker to access data that are critical to me.
How the breach happened is still uncertain. I never exposed my user credentials anywhere, my password was not guessable, and I run anti-spyware and anti-virus software and keep them up-to-date. All latest security updates for the operating system and browsers used are installed. Does this exclude the possibility that the attacker was able to exploit vulnerability on my side to be able to break into my YouYube account? No, it does not.
The attacker locked me out of my account by changing the password to something else and the email address behind the account to a throw away Yahoo! email. It does not seem to be a targeted attack, in a sense that somebody wanted to gain access to my account in particular. What the attacker wants with my account is also not clear. He logged into the account only twice so far and relatively little was changed in my account.
I became aware of a problem with the account on January 3, 2008, contacted YouTube support on January 4, 2008 and realized after the initial response another day later on January 5, 2008 that my account was compromised.
I immediately responded to make YouTube aware of this fact as well as provided as many information I could to a) establish that I am the rightful owner of the account, b) contact details to check my claims even further and to have something in their hands against me, if I would just be a prankster who makes wrong claims. I also suggested blocking access to the account to prevent any further damage to the content and allow further exploitation of the unlawful access to the account. I also wanted to make sure that any abuse of the account that could get me or Google into trouble will be possible, such as using the account to publish illegal content.
The account was not blocked. I noticed that a login to the account occurred again 4 days later on January 9, 2008. I sent another email to YouTube without getting a response. This became a troublesome pattern, because response of support declined since I raised the bar by claiming a security breach.
I was going to the extent to submit another support request via their web form to get a new ticket number. I referred to the existing ticket number in that request. I also used the “report background graphic” form to raise additional awareness of the problem.
I used the only direct phone number I had at Google support, the service number for Google Apps, where I am a paying customer to get a hold of somebody and to reinforce my claims, plus provide additional identifiable information about by identity. After that phone call I did get an email from the Google Apps support team, requesting additional details in writing to back up my story. I responded with the requested information and again stopped hearing back from anybody. That was on January 9, 2008.
I wrote a long and nasty email (without swearing, I promise) to several email addresses at Google and YouTube, including YouTube and Google support, YouTube and Google Security and Google Feedback on January 11, 2008. Only the email to Google support bounced. I did receive an email on the next day, with the request to provide 5 things to identify my rightful ownership of the account. I did this already directly or indirectly prior to that, but I did not complain and provided the requested things in the order and format they wanted. This was on January 13, 2008.
I sent an email to support again today, asking about the status. I received an email four and a half hour later, that acknowledged that my account appears to have been compromised and the new password for the account. They also suggested that I should update the email address back to an account under my control. This is a multiple step process where the attacker was given the opportunity to gain control of the account again. If the attacker would have tried to login to my account again and noticed that the password he set does not work anymore, he could have simply used the “forgot password” form to retrieve the new password and then change it again.
Fortunately did this not happen and I was able to gain control over my account again, 12 days after the breach occurred and 11 days after YouTube was notified about the breach.
Conclusion
Boy, I am glad that I did not link my YouTube account to my Google account yet and I also do not plan to do so, until I was reassured that the cause for the breach was determined and that the hole was closed.
I offered my assistance to the YouTube/Google team to investigate the incident and to determine where and how the breach happened. I also hope that this incident and how it was handled will trigger a review or instatement of procedures that deal with those kinds of problems. This becomes even more critical when it comes to security breaches of users Google accounts where the breach can have much greater and severe consequences. The amount of damage possible, if your Google account was hijacked and if you use several of Google’s services under that account, is exponentially greater than the damage possible, if the breach is isolated to only one of the Google services.
Take Away and the Lesson to be Learned
This incident also serves as an example to other companies of how NOT to handle such things and a reminder to double check to double check if and what type of procedure you have in place in case the unlikely does happen. This addresses especially those of you who are responsible for those things in one way or another and are unaware of such procedures. This includes executive level employees and others with a stake in the company who are not directly involved with the security of their companies services. It does not hurt to ask what the plan is if a breach gets reported.
If you don’t have plans, you better start working on one, rather sooner than later, before it is too late.
Carsten Cumbrowski
Internet Marketer and Entrepreneur, owner and editor of the internet marketing resources portal at Cumbrowski.com