Rusty Divine

Live, Love, Learn, Teach

Don’t use Social Security Numbers as Usernames

Under Practices To Avoid: "Never have a computer log-in system where a person has to use their SSN", and "Organizations should avoid using Social Security numbers (SSNs) as identifiers for any type of transaction. The SSN should only remain in a database as a secondary identifier. Organizations should exercise limited use of an individual’s SSN", and "Organizations that maintain SSNs in their system of records should consider encryption of this data."

The government is cracking down on bad security practices including a $150,000 fine for HIPAA violation, and taking a closer look at themselves.

That was the TL;DR version of the simple advice given by the Social Security Administration website and the Office for Civil Rights, which levies the fines. You would think a health insurance benefits company would know better than to play fast and loose with their customers' personally identifiable information, but imagine my surprise this autumn when I got an email with the following instructions:

(Screenshot: the email with the login instructions)

WAT? My username is my SSN followed by 624, and my password is the last four of my SSN? You just emailed me... why didn't you use my email address as my username? What is with the 624, is that some sort of security-through-obscurity so that if someone had my SSN they couldn't log in? When I went to their website, I saw that no, the 624 was used for everyone, and the username and password pattern was put on their home page for any would-be hacker to see.

(Screenshot: the username and password pattern posted on the website's home page)

OK, so there are only one billion possible SSNs, about half of those have been assigned, and there is a pattern you can use to narrow that down, so a potential hacker could probably pretty quickly gain access to a valid SSN by a brute force attack that just tried different combinations of SSN on their website until one worked. What could they do then? Well, they'd see their victim's name, address, and birthday, and voila, they could steal their identity. An angry ex could add themselves as their victim's beneficiary and enroll them in some life insurance that would be paid out of their victim's paycheck.

I contacted the benefits provider to let them know this was a bad practice and that I wanted my information either removed from their system or my username changed. Their response to me was that I shouldn't worry because their website was secure, and that I could change my username and password in a few weeks when the open enrollment began (which means my SSN-username and last-4-password have probably been sitting on this site for a year without me even knowing it).

(Screenshot: the provider's reply that the site is secure)

I can only assume by "secure" they mean it was encrypted with SSL. What about line-of-sight vulnerability of a co-worker seeing me log in? The website does use autocomplete="off" on the username input to tell most browsers not to cache that information. What about a disgruntled employee who has query access to the database? Is the username hashed and salted? I'm guessing it is not since that isn't a common practice for a username, so any disgruntled employee could potentially walk out with a disk full of SSNs, names, addresses, and dates of birth.
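Two defensive checks that follow from the questions above, written here as an added example (not code from the original post or from the benefits provider): an audit function that flags usernames built from an SSN, including the fixed-suffix scheme described above (the suffix handling is an assumption about how such schemes look), and a keyed-hash lookup token so an SSN can stay in a database as a secondary identifier without being readable from a stolen disk. The key and the sample usernames are constructed.

```python
import hashlib
import hmac
import re

# Constructed example key; a real deployment keeps this in a secret store or
# HSM, never in the same database (or disk image) as the tokens it protects.
SECRET_KEY = b"constructed-example-key-not-for-production"


def looks_like_ssn_username(username: str) -> bool:
    """Heuristic audit check: does this username start with SSN-shaped digits?
    Catches bare SSNs, dashed SSNs, and SSNs padded with a short fixed suffix
    such as the '624' scheme in the post (assumed pattern, so expect some
    false positives on long all-digit usernames)."""
    digits = re.sub(r"\D", "", username)
    if len(digits) < 9 or len(digits) > 12:
        return False  # too short to hold an SSN, or too long for SSN + short suffix
    area, group, serial = digits[:3], digits[3:5], digits[5:9]
    # Area numbers 000, 666 and 900-999, group 00 and serial 0000 are never issued.
    if area in ("000", "666") or area >= "900":
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def audit_usernames(usernames):
    """Return the usernames an auditor should flag for migration."""
    return [u for u in usernames if looks_like_ssn_username(u)]


def ssn_lookup_token(ssn: str, key: bytes = SECRET_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of an SSN for use as a secondary lookup key.
    A plain or even salted hash is not enough here: with only a billion
    possible SSNs, anyone holding a dump can hash them all. The secret key
    is what makes stolen tokens useless to someone who walks out with the disk."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample usernames, not real SSNs.
    sample = ["123456789624", "456-78-9012", "rusty@example.com",
              "user2014", "000123456624"]
    print(audit_usernames(sample))  # ['123456789624', '456-78-9012']
    print(ssn_lookup_token("123-45-6789") == ssn_lookup_token("123456789"))  # True
```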

When open enrollment came, I noticed that there was no way to change my username; I did change my password though, so I let the benefit provider know and their response again was to assure me their site was secure.

(Screenshot: the provider's second reply that the site is secure)

I started wondering if their site had been vulnerable to the Heartbleed bug, so I checked LastPass's website tool to find out. LastPass says the site was using OpenSSL prior to July 2014 and may have been vulnerable to the Heartbleed bug before that (the vulnerability became public in April).

(Screenshot: the LastPass Heartbleed check result)

Finally, I filed a complaint with the Office for Civil Rights, even though I'm not certain if the benefits company is under the jurisdiction of the OCR (they did levy the large fine mentioned above). I will also send a link to this blog post to their company and hope that they take this situation seriously.

A coworker of mine also complained to our employer, and they said their security team and VP is taking a look at this issue.

What should you do if your identity is stolen?

I have heard from friends that having your identity stolen is a burden that lasts for years as you try to repair, or just out-wait, the damage it causes to your credit and your ability to rent, borrow, and buy. I hope you never have to deal with something so awful, but if you do, or already are, check out this guide for What to do if your identity is stolen.

If you're a developer, here are some guidelines from the Office of Personnel Management to safeguard SSNs. Also, you should check out the OWASP website and find your local chapter to meet other security-conscious IT folks.

I'd like to thank a colleague of mine, Rob Temple, a security analyst and OWASP member who provided some of the links for this blog post.

Tech Training–Hour of Code, CSS3 Selectors, new Team Goal

(Image: the tech training mind map)

Every Friday our team meets for two hours to work on something together. We’ve scratched the surface of many topics to get a feel for what is possible and dug deeper into others that we want to implement on our project. The adjacent mind map shows about a year’s worth of training (taken from our PM’s whiteboard for his talk on why we do technical training).


Hour of Code

Today our PM presented some things his young daughter did in the recent Hour of Code, a fantastic event to get kids (and adults) interested in programming. We also took a look at the similar Santa Tracker by Google, where, like an advent calendar, there’s a different programming game or puzzle available every day in December leading up to Christmas. We had a ton of fun navigating our elves through mazes and flying them through the sky to pick up presents.

CSS3 Selectors

We’re always looking into fun ways to practice our skills, and what better way than a rewarding little game of CSS3 selectors! If you do any web programming, you should try this out: http://flukeout.github.io/. It took our group anywhere from 30-45 minutes to complete the 26 challenges, and along the way you could hear many quiet refrains of “Yes!” and “oh-yah!”. It’s great to hear everyone having a great time and learning, too.

I gave the team some more resources to read up on in their own time, too:

Docs - http://devdocs.io/css-selectors/

Interactive - http://www.w3schools.com/cssref/trysel.asp

Tutorials - http://www.w3schools.com/css/css3_intro.asp (work through the menu on the left or click Next Chapter)

Team Goal

Our team works on personal goals and team goals. An example team goal was to upgrade our source code tool (TFS) and development tool (VS) to the latest versions. That took a major effort because it ended up getting bundled with an operating system upgrade (Win 8.1) and pushed out across our organization.

During the last 20 minutes of our tech meeting today we brainstormed what our next team goal should be. It needs to be something that takes a few months to a year and benefits the whole team.

We put up a list on the whiteboard as we brainstormed, and then each team member emailed me their three votes from the list (and they could vote more than once for any idea). The final tally of votes was:

  • Kendo UI upgrade (4)
  • MVC 5 upgrade (3)
  • EF6 upgrade (2)
  • SQL 2012 upgrade (0)
  • Visual Studio upgrade (0)
  • Requirements Gathering/Analysis training (6)
  • Mainframe administration training (2)
  • JavaScript testing/improvements in our project (2)
  • Move automation/dev ops for better continuous integration (2)

I was excited to see the team want to work on requirements gathering and analysis training, because I really enjoy those topics (I’ve given a couple of talks and am working on a Pluralsight course on the subject), and because it is a soft skill on a team that really loves the tech side.

We’ll work on how to learn about a problem from our customers, how to ask why enough times to find out the real business reason, how to come up with a good plan for a complicated process, and more. We’ll watch some Pluralsight courses and dedicate some training days to getting better. I can’t wait to get started! It’s so good to get a direction set by the team that you know has the whole team’s buy-in; everyone wants to get better, we just need to provide the right environment to make it possible.

A System for Technical Training–How and Why Your Team Should be Learning

(Image: graph drawing on a blackboard)

There is something you should be doing to help yourself grow: practicing your craft. You may feel like you don't have the time or the energy to do it outside of your regular responsibilities. Maybe you've tried off and on, or maybe the thought of it conjures negative feelings. Sometimes it feels more rewarding to just keep working through tasks and checking them off the list than to switch to something that by its nature makes you struggle and thrash, that can feel aimless, like you are putting in more work with no way to measure the payoff. Sometimes you aren't even allowed to study on the job.


You need to remove as many obstacles as you can to make learning something that you practice consistently. So, what is stopping you? What's keeping your team from spending the time it needs to get better?


Common obstacles include the following:

  • Why should we set aside time for learning?
  • When can I study and practice?
  • What do I study? Where do I start?
  • Should it be something directly related to what my company does?
  • How much time should I spend?
  • What's more important, learning or finishing a task?
  • How do I know I'm getting better?
  • Do I have to?


Let me tell you what my team is doing to remove most of these obstacles and how it is invigorating us.


(Image: hamster running wheel)

We have recognized that there is a significant risk of burn-out if a team has a never-ending backlog of work to do. We need regular breaks that mark and acknowledge the work we've done while allowing our minds to relax and regroup for the next push. Our team plans three weeks of work at a time and marks the end of the cycle with a demonstration to the end users, a retrospective of what went well and what could have been better (which helps us continually improve), a day off from our daily 15-minute stand-up meeting, and an afternoon with nothing to do other than learn something new.


We also dedicate two hours every week, on Friday mornings from ten to noon, to group training where the tech lead (that's me for now) prepares something for the team to work on together. It could be improving a skill that helps the team or training on a new technology that we are considering adopting. We've used these meetings to learn and practice TDD, explore Azure, test out new versions of Visual Studio and TFS, start new projects from scratch, and pick a new technology to implement a small prototype in, just to name a few.


Our team has MSDN Universal, which comes with a $150/month Azure credit that we can use to run virtual machines and websites. We also all have Pluralsight Annual Plus subscriptions that we are encouraged to use during our allocated training time, and also during that last 30 minutes of the day that can be otherwise unproductive if you've wrapped up your work.


We enter our time in TFS for our stories and we track that we are each entering at least six hours a day. We have set aside time in TFS for training that, including the two hours each Friday, comes out to at least four hours per week (a little more would not be frowned upon).


At one of our retrospectives recently we talked about some problems we were having making ourselves take the allocated time for training instead of just working on tasks. We made some adjustments to our schedule, agreed as a group that training is a higher priority than adding unplanned tasks to our iteration, and decided to assess our skills so that each of us can focus on the areas we need most.


We each took the Pluralsight tech pro challenge over at Smarterer and had a lot of fun grousing about the questions and learning how we stacked up to the average developer. Based on each of our lowest scores, we picked courses from Pluralsight to watch that would most help improve our skills. We will then take their assessments to demonstrate our proficiency and also come up with a simple project to present to the rest of the group that covers the new skills we learned. Our progress will be tracked by our supervisor, but also the team as a whole will benefit because each of us will be better at our jobs and each of us will teach what we have learned.


Conclusion


Sometimes the best solution to a problem is creating a system or process that you can follow where the solution just falls out naturally. We have to learn because we've set up a process that leaves us no choice: we have the time set aside, we have identified what we need to focus on, and we have made ourselves accountable to our supervisor and to each other. We no longer struggle with not knowing what direction to go, or whether we should study or find a task to do, and it feels empowering and easy and just downhill.