Single sign-on?
"into a page that is obviously not using single sign-on"
You keep using that word. I do not think it means what you think it means.
Scores of security bods registering for security outfit RSA's Executive Security Action Forum (ESAF) have handed over their Twitter account passwords to the company's website in what is seen as something between bad practice and outright compromise. The registration process for the February 29 event asks delegates to enter their …
...will reduce the world to a mindless swarm of blithering eejits! Just goes to show you how really brain-dead stoopud Twatter minions really are. (And these particular morons are supposed to be the security weenies for the Great Corporate Machines that want to rule the world! The ... mind ... just ... boggles....)
El Reg needs a moron icon
Looking on Twitter at the list of so-called 'security professionals' and security decision-makers that handed over the passwords to their Twitter accounts makes me cringe and despair... WTF were they thinking?
Some highlights of what I have found:
----------------------------------
https://twitter.com/MichaelMrak/status/645966789386465280
@MichaelMrak
Data Protection, Anti-Corruption and Anti-Money Laundering Expert.
----------------------------------
https://twitter.com/rshullic/status/653999276779925504
@rshullic
Cyber security professional specializing in cyber security, cyber risk, and security architecture. CPP CISSP, ISSAP, ISSMP, SSCP, CCFP-US CISA CIPP, CIPM, CRISC
----------------------------------
https://twitter.com/Todd_Inskeep/status/655812425158029312
@Todd_Inskeep
Todd explores InfoSec, risk management and identity in new business models & emerging tech - e/m-commerce, payments, and social media - personal opinions
----------------------------------
https://twitter.com/RubyZefo/status/656685690567024640
@RubyZefo
Intel Corp. Vice President Law & Policy Group, Chief Privacy & Security Counsel.
----------------------------------
https://twitter.com/TrustedComputin/status/661571533362601984
@TrustedComputin
Trusted Computing Group develops open standards for computing security.
----------------------------------
https://twitter.com/MarkVillinski/status/664275890797441028
@MarkVillinski
Security Industry Marketing Professional for Kaspersky Lab.
----------------------------------
https://twitter.com/lonatherrien/status/666312007696703488
@lonatherrien
PR & Marketing @RSAsecurity
----------------------------------
https://twitter.com/archangelnikk/status/666343331857854468
@archangelnikk
Information Security and Risk Executive #CISO #InfoSec #CSO #cybersecurity #egyptology thecsoblog.com
----------------------------------
https://twitter.com/Stephani_Lewis/status/674287335673040896
@Stephani_Lewis
Social Media with Intel Security. Helping businesses balance the innovation and evolution of technology with security.
----------------------------------
https://twitter.com/klstickels/status/681962465740124161
@klstickels
Americas Field & Channel Marketing Manager for RSA, The Security Division of EMC. Follow me to learn more about EMC & RSA marketing activities.
----------------------------------
https://twitter.com/Kojiro200/status/682108370438995968
@Kojiro200
Trade commissioner at the Embassy of Canada in Tokyo to assist Canadian ICT companies to develop business in Japan.
----------------------------------
https://twitter.com/CyberRiskLady/status/684107363914256385
@CyberRiskLady
Security Professional - Balancing Cyber Risk Management, Business and Strategy. @KatzcyLLC President & VirginiaTech MBA Advisory Board President
----------------------------------
https://twitter.com/BrickDuck/status/686932327465914368
@BrickDuck
Principal, Brick Duck Communications. Helping smart organizations float, fly, defy. Media designer and commentator, writer, former CNN executive producer.
----------------------------------
https://twitter.com/jasoncliu/status/687436723358416896
@jasoncliu
Product Marketing Manager at Cisco, MBA from Tepper, USC Trojan. Car | Sports | Technology Enthusiast.
(Note: hmm.. Product Marketing Manager at Cisco and they still gave up their password for a tweet after the NSA scandal?? now we have a lead on how NSA got their fingers in... they just asked one of the Cisco guys to hand over their passwords.. they probably paid them with a bar of chocolate..)
----------------------------------
https://twitter.com/tynanwrites/status/689965980043382785
Dan Tynan (Verified account)
@tynanwrites
Editor-in-Chief, Yahoo Tech. Opinions expressed here belong entirely to me; my pants are another story. RTs = Real Tasty
(woops... Yahoo bigshot there... gave up their Twitter account password. lol)
----------------------------------
/END MAJOR FACEPALM.. and the list goes on.. and on... I just highlighted a few.
Works for me. Now that they have identified themselves, we can send the lot on a junket aboard the 'B' Ark and all will be well.
"There is no suggestion that RSA, one of the biggest security companies in the world, would do anything malicious with the credentials; rather, it represents a blatant failure to observe best practice."
My immediate reaction was that this was intentional - an ironic demonstration of how bad end users are at protecting their passwords.
I expect one of the conference papers will be along the lines of "xx% of IT professionals will enter their password into a web page just because you ask them to" - a variation on asking people for their password in exchange for a bar of chocolate.
http://news.bbc.co.uk/1/hi/technology/3639679.stm
It does make good business sense, when you remember that RSA are a big vendor of non-password authentication systems.
... "Executive".
These are management bods with MBAs and absolutely zero clue about actual technology, much less security. My hope is that RSA did it on purpose to name names & ridicule the idiots. Needless to say, I'm not holding my breath.
When I run across this kind of thing (was common a couple decades ago, fairly rare these days), I use "YouGottaBeKidding!" as the handle, and "FuckOff,Assholes!" as the password.
Looking through the Twitter feed, it did strike me that most of those who fell for it are marketing and recruitment. There's some relief that the 'real' security people may have (largely) shown more sense, and can laugh at those people who get paid more, but are now shown to actually know sod all.
Karma?
The registration process for the February 29 event asks delegates to enter their Twitter credentials so that a prefab tweet about their attendance can be sent.
Even if this did use OAuth, or indeed any other mechanism, why would anyone agree to this? "Sure, RSA, I'll let you use my name to advertise your conference!"
Idiots - or at any rate gullible (or narcissistic) fools - indeed.
Of course, as a dedicated curmudgeon, I've never tweeted anything. (I have a couple of Twitter accounts - a personal one and a work one - but only because I was asked to create them in order to follow other accounts. Which, to be honest, I never paid attention to; I stopped even retrieving the things years ago when Twitter made OAuth mandatory and broke Thunderbird integration.) But even if I did, I'd be damned before I let some organization forge messages from me.