Insecure security survey

  • OK, I know students are usually exempt from WTFs, which is why I'm posting this one to the sidebar.

    As a student at a major London university, I'm always getting emails asking me to take some survey concocted by a final year student for their dissertation. I usually do the ones which promise a free prize draw. I haven't won yet, but you never know. Anyway, I recently got this email:

    Subject: *First Prize £100, Second Prize £50* - Challenge Question Study
    From: [lets call him H]
    Date: 09/07/2010 10:18
    Dear All,

    I am currently conducting a study into the use of Challenge Questions, which have increasingly been used for password resetting. The survey only takes a few minutes and will be available online; it will be repeated once more after two weeks.

    *Win £100 or £50* for taking part in the study

    Please send me an email if you are interested stating whether you are an Undergraduate or Postgraduate on . Your responses are greatly appreciated!

    If you have any questions, feel free to contact me on.

    Best wishes,

    MSc Information Security

    I responded and got a link to the survey. After a couple of demographic type questions we got to the meat of the study, and these questions:

    1. Please select ONE question you would like to answer [dropdown containing list of security questions: what was your first pet's name, mother's maiden name, etc.]
    2. Please enter your answer here
    3. Please provide a Hint for your answer to aid you with recalling your answer.

    I wrote something along the lines of "I'm certainly not going to tell you that!" in the answer box. The rest of the survey was more of the same, asking me three times to pick a security question and provide the answer. Each time I didn't provide the answer (I may have got a little snarky by question 3.) Then ensued the following email exchange:

    Date: Tue, 13 Jul 2010 10:28:24 +0100
    From: Misha
    To: H
    Subject: Re: *First Prize £100, Second Prize £50* - Challenge Question Study

    H wrote:
    > Hi Misha,
    > Here's the link for the survey, If you have any undergrad friends that will be interested please pass it on to them. Thank you :)
    I've taken your survey, but I suspect I'm not of use to you, since I
    have refused to provide any secret answers on security grounds. If you
    don't want to enter me into the prize draw, I understand.


    From: H
    Date: 13/07/2010 10:29
    Subject: Re: *First Prize £100, Second Prize £50* - Challenge Question Study
    Oh ok, i totally understand

    What most people are doing is that they give the uni emails, i.e. ( so no personal email is known.. if you do not want to take part that is fine... I can't really put you in the prize draw though because I need both phases to be complete. Sorry :(

    Date: Tue, 13 Jul 2010 10:45:48 +0100
    From: Misha
    To: H
    Subject: Re: *First Prize £100, Second Prize £50* - Challenge Question Study

    H wrote:
    > Oh ok, i totally understand
    > What most people are doing is that they give the uni emails, i.e. ( so no personal email is known.. if you do not want to take part that is fine... I can't really put you in the prize draw though because I need both phases to be complete. Sorry :(
    Well if other people want to give away private information it's no skin
    off my nose, but I'd be interested to hear if I'm the only person that
    this rang alarm bells for, especially since you are surveying people
    from the CS department (and I wouldn't consider my ISD username to be

    I'm not sure how you could do this study in a secure or anonymous
    manner, or more importantly how you could convince a paranoid user like
    me that it was anonymous. But good luck with it.


    From: H
    Date: 13/07/2010 10:34
    Subject: Re: *First Prize £100, Second Prize £50* - Challenge Question Study
    lol I just looked at your answers. I have found it sooo difficult to make it anonymous as I need people to come back and answer the questions again in two weeks' time..

    The study is to find out what questions people pick and how they answer and how secure those answers really are.. I'm an information security master's student; if I wanted to hack into emails I don't think I would need secret answers lol! I just need to get this study done for my thesis :(

    From: H
    Date: 13/07/2010 10:47
    Subject: Re: *First Prize £100, Second Prize £50* - Challenge Question Study
    Thank you,

    I've just started it up today so hopefully not everyone is as paranoid :s To be honest, if I had to fill it out I would think the same thing!

    Bear in mind that this guy is doing a *masters* in Information Security. Anyway, I thought that was an end to it, until I got this last email today:

    From: M R <>
    Date: Mon, 19 Jul 2010 11:38:03 +0100
    To: All post-graduates and all under-graduates.

    You would have received an email from Postmaster last Thursday about a survey being carried out by H into the use of Challenge Questions. We have received complaints about the nature of the questions asked and would like to warn you about giving out such information. Questions such as these are used for providing a second level of authentication to sensitive data/systems and as such should be guarded with the same level of care as your password. You are reminded of the Computing Regulations which state that you must not disclose passwords to others.

    We will be discussing this matter with the parties concerned to try to come up with a solution that allows them to do the research without compromising security.

    In the meantime, as a matter of best practice, we would recommend you change any challenge questions/answers you use if you have passed on the information as the information is currently on a 3rd party site over which we have no control. We understand about 200 people responded to the survey.


    -- M.R. Head of Computer Security Team, Information Services Division
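    The Computer Security Team's email above makes the point that challenge answers deserve the same handling as passwords. As an added example (not code from the post or from the university's systems), the following Python shows what that means on the server side: the answer is normalised, then stored only as a salted PBKDF2 hash, compared in constant time, and guessing is limited by an attempt counter because answers like a pet's name have far less entropy than a password. The `ChallengeStore` class, the iteration count and the five-attempt lockout are illustrative choices, not anything the page describes.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; an assumed value, raise it on faster hardware.
PBKDF2_ITERATIONS = 200_000
# Assumed lockout threshold: low-entropy answers must not be brute-forceable online.
MAX_ATTEMPTS = 5


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so 'Fluffy', ' fluffy ' and 'FLUFFY' all verify
    without the plaintext ever being stored."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)  # drop whitespace and punctuation


def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' with a fresh 16-byte salt per answer."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS
    )
    return f"{salt.hex()}${digest.hex()}"


def verify_answer(stored: str, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode(),
        bytes.fromhex(salt_hex),
        PBKDF2_ITERATIONS,
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


class ChallengeStore:
    """In-memory stand-in for one user's server-side challenge record."""

    def __init__(self, question: str, answer: str):
        self.question = question               # the question text is not secret
        self.answer_hash = hash_answer(answer)  # the plaintext answer is never kept
        self.failed_attempts = 0

    def check(self, candidate: str) -> bool:
        """Verify a submitted answer; after MAX_ATTEMPTS failures, refuse until
        the user recovers through another channel."""
        if self.failed_attempts >= MAX_ATTEMPTS:
            return False
        if verify_answer(self.answer_hash, candidate):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False


if __name__ == "__main__":
    store = ChallengeStore("What was your first pet's name?", "Fluffy")
    print(store.check(" fluffy! "))  # True: normalisation tolerates case and punctuation
    print(store.check("Rex"))        # False, and counts towards the lockout
```

Normalisation trades a little entropy for usability; the lockout and the slow hash are what make that trade acceptable. A survey site holding the same answers in a spreadsheet has neither.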

  • @misha said:

    Bear in mind that this guy is doing a masters in Information Security.
    You don't know what his thesis is. It could actually be a demonstration of the effectiveness of phishing and the importance of anti-phishing education.

  • Remind me to try this the next time I go phishing.

  • Hilarious.

    I actually work for that University, in that division (though not that particular group - something completely unrelated).

    We get targeted emails from phishing groups on a regular basis, claiming to be from "The Helpdesk" (with an email address @hotmail or something stupid like that) and wanting you to send them an email with your username and password. The number of people who just blindly comply is shocking - at one point my inbox was filling up each night with crap from addresses that had been compromised. Thankfully most of the phishing attempts get filtered now...

  • I wondered about that myself. I reckon it could be a much more interesting result than "It turns out people can't remember security questions." There were a couple of studies done a while ago, where researchers offered commuters a choccie bar in exchange for their password. Maybe H was doing something similar. Pretty sure he wasn't though.

  • There are certainly plenty of ways that this guy could have done legitimate research without requiring you to disclose personal information; and without even being online.  Psych people conduct these types of experiments all the time.

     For example, instead of being online, he could have had you do paper-and-pencil in an office someplace. And since the nature of the study is "how well do people remember their answers", you should not need to provide answers to actual security questions. How about this one: "What is your favorite item from this picture?" (a picture taken from a magazine, for instance). Two weeks later, ask "What item did you name from the picture?" without showing the picture. There is no way that can compromise your online security.

     And one important outcome of this study should be some statistics -- like, which kinds of questions are easy to remember, but hard to guess. Real, hard numbers based on data collected. It's hard to see how this guy's methodology would lead to any ability to get scientifically valid data from this activity.

    Typically you have an experimental group and a control group; the groups are selected randomly from a population; and usually you do double-blind so that the researcher isn't influenced by preconceived notions of how the experiment should turn out.

    My guess is that this is really a phishing attempt. The fact that you were involved in a real email conversation with the guy is surprising, though.

  • I routinely fill in the first question in the list with random keyboard mashing and forget about it. If I deem the site important enough I might make a note about it somewhere, but that partly defeats the purpose.

    Anyway, whoever thought this kind of 'personal' information was a good way to verify who I am has obviously never been on Facebook. Just send me a verification link via e-mail and reset the password already FFS.
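    The comment above prefers an emailed reset link to challenge questions. As an added example (not part of the thread, and not any real site's code), here is the minimum such a link needs in order to be safer than a guessable answer: a long random token, of which the server stores only a hash, bound to one account, expiring after a short window, and usable exactly once. The `PasswordResetService` class, the in-memory dictionaries standing in for a database, the 15-minute lifetime and the `https://example.test/reset?token=` URL shape are all assumptions for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed lifetime of a reset link.
TOKEN_TTL_SECONDS = 15 * 60
# Assumed PBKDF2 work factor for the new password.
PBKDF2_ITERATIONS = 200_000


@dataclass
class ResetRecord:
    user_id: str
    token_hash: bytes
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Email-link reset flow. The emailed link carries the raw token; the
    database (here a dict) holds only its SHA-256, so a leaked table does
    not yield usable links."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                      # injectable clock for testing expiry
        self._records: Dict[bytes, ResetRecord] = {}
        self.password_hashes: Dict[str, bytes] = {}

    @staticmethod
    def _token_hash(token: str) -> bytes:
        # A 256-bit random token needs no salt or slow hash; a plain digest suffices.
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, user_id: str) -> str:
        """Create a single-use token and return it for inclusion in the link.
        Any earlier unused token for the same user is invalidated."""
        for rec in self._records.values():
            if rec.user_id == user_id and not rec.used:
                rec.used = True
        token = secrets.token_urlsafe(32)    # 32 random bytes, URL-safe base64
        record = ResetRecord(user_id, self._token_hash(token),
                             self._now() + TOKEN_TTL_SECONDS)
        self._records[record.token_hash] = record
        return token

    def reset_link(self, token: str) -> str:
        """Hypothetical link format the user would receive by e-mail."""
        return f"https://example.test/reset?token={token}"

    def redeem(self, token: str, new_password: str) -> Optional[str]:
        """Consume the token and set the new password. Returns the user id on
        success, None for unknown, expired or already-used tokens."""
        record = self._records.get(self._token_hash(token))
        if record is None or record.used or self._now() > record.expires_at:
            return None
        record.used = True                   # single use, even if the reset below fails
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt,
                                     PBKDF2_ITERATIONS)
        self.password_hashes[record.user_id] = salt + digest
        return record.user_id


if __name__ == "__main__":
    svc = PasswordResetService()
    tok = svc.request_reset("misha")
    print(svc.reset_link(tok))           # what goes in the e-mail
    print(svc.redeem(tok, "new-pass"))   # 'misha'
    print(svc.redeem(tok, "again"))      # None: the link is spent
```

Two details matter in practice and are easy to get wrong: the token must come from `secrets`, not `random`, and redeeming must mark the record used before anything else happens, so a second click or a replayed request cannot reset the password twice.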

  • I'm pretty sure it wasn't an actual phishing attempt for a couple of reasons. The first email I got was addressed to the "students" distribution list, which fortunately can only be sent to from inside the CS department. And then later the whole university got a copy from postmaster, and you need to be a real student to get the postmaster to do that.

    Also, the guy's name corresponded to a real person doing MSc ISec, but since the list of students is publicly available that doesn't prove anything.
