Morning sports fans! No, I don't care if it's not morning here nor wherever you are, but it's morning somewhere. Also it will eventually be morning, so I'm counting it. Well, my recent increased blogging is due to me being constantly mentioned on the HappyFace podcast, which is done by my friends. They have challenged me to post at least once a week so that they can talk about me more, so let's see how long I can keep it up. Now the first (and only) order of business today is ethical hacking.
So, recently this happened (all the articles I have found say pretty much the same thing, so I won't link to any more). Glenn Mangham has been sentenced to 8 months in prison for computer misuse, more specifically hacking Facebook. "But, wait! He's an ethical hacker. He's one of the good guys!" you say excitedly. No, dear reader, not quite. Yes, yes, there is the whole £7,000/$7,000 from Yahoo! and whatnot, but there is a slight twist to this little tale. So, let's start by clearing up exactly what we are talking about.
An ethical hacker, or white hat, is a hacker who spends their time finding vulnerabilities in systems, applications, websites and pretty much anything that's connected to anything. Once they find such a vulnerability, they record the details of what they did and send it to the creators and/or maintainers of this product. Companies respond in many ways to this, ranging from a thank you e-mail to cash rewards to a job offer.
A malicious hacker, or black hat, is not so nice. Upon finding a vulnerability, they will try and exploit it for personal gain, normally for money. Of course they can record the details and share them with others, but not with the makers of the product. Once they are found out, the companies tend to come down on them pretty hard and fines and jail time normally ensue.
So, that's all nice and clear cut and very much black and white, if you will pardon the pun. Sadly, the real world is not so clear cut, as evidenced by this case. There are times when a person will be a black hat and times when they will be a white hat, somewhat of a grey hat if you will. A white hat may use their skills for some personal gain, in a very black hat kind of way, and on the flip side, a black hat may actually do some white hat work.
To illustrate this further, let's look a bit more at Glenn Mangham. He did some white hat work for Yahoo!, which is all well and good. But then he hacked into Facebook in a very devious manner. Now from what I gather, he uploaded some malicious code to the puzzles server which Facebook uses to test potential employees and gained access to the internal system. Now, here's where it gets really devious.
From what I have read it seems he managed to impersonate a Facebook employee, get his password reset and thus gain access to all of Facebook's servers. He then proceeded to download important data to an external drive and delete all evidence of his little visit, or so he thought. Turns out that Facebook actually found out about this and it cost them something to the tune of $200,000. Now that's a pretty penny and a chunk of change.
Two very important things come to my mind here and those are:
1) To the best of my knowledge, Glenn Mangham didn't inform Facebook, thus disqualifying him as an ethical hacker
2) He entered a guilty plea
Having considered that, he is definitely guilty of hacking, or computer misuse in legalese, and should be punished for his crime. The whole argument that he is an "ethical hacker" holds no water whatsoever. There's not much more to say, so I'm going to leave it at that. Good night sports fans! (Again, same argument as above :P)
!!!!!WARNING: This blog may cause your brain to explode, implode or melt!!!!! What is IMHO the side of the story the media didn't cover, if at all. My "expert" gleanings on the current state of digital security. Also, the occasional mildly to non-related tirade. Enjoy :D Feel free to contact me with feedback or if you would like more details/clarification on anything :)
Showing posts with label facebook.
Sunday, 26 February 2012
Sunday, 9 October 2011
Privacy? Is that a vegetable?
So, here we are opening this can of worms. Yeah, I know there are other stories that are going on, but I'm working on a couple of posts, which should surface sometime soon. OK, so let's talk about privacy on the Internet. It's the one thing you will hear over and over again: "There is no privacy on the Internet." Which is part of the truth, but not the whole truth.
This is normally the cry of the anti-social narwhal (not an actual meme, yet!) against social networks, but it is a smidge unfair. The main complaint people have is that all your information is out there and anybody can see it and so on and so forth. Well, yes, because you put it out there. It's like complaining that your diary contains all these personal and embarrassing things about you. Yes, in this case the diary is actually owned by somebody else, but you knew what you were getting into. There really is no way around it, except, you know, not posting stuff like that on social networks.
Another issue regarding posting stuff is visibility. People seem to be unable to comprehend the very basic fact that stuff you post will be visible to other people. You can control who those people are, granted it is not always in the most obvious way. There always exists some mechanism to limit the visibility of your post. There are countless stories of students putting up statuses about teachers they added and employees doing the same with employers.
Well, let's say you mastered all the above; there is still one small problem. The people you are sharing this content with may not be so discerning. This is especially true for "amusing" content, exemplified best by the sites Lamebook and Failbook. Both these sites allow users to post screenshots of posts on Facebook, or any other social network in the case of Failbook, that they found amusing. The best are then shared on these sites for consumption by the general public.
Even as I write this I can hear the anti-social narwhal (this should totally be a meme) bellowing in my ears "BUT WHAT ABOUT THE PRIVACY!!!" Well, these sites do apply some discretion and redact names and profile pictures so as to preserve the identity of the posters. This does not always work. The trouble is that most posts get submitted to both sites. The really good ones show up on both. And well, if you mess up the redaction then it gets a bit hinky.
A perfect example of this is the following post on Lamebook and Failbook. Lamebook redacted the surnames and Failbook redacted the forenames. The end result is that you can find the original people and the original post. In all fairness this post is public, so there is not really much of an issue of privacy at this point, but try telling that to a narwhal (don't ask, I'm just going with it now).
So, in conclusion children: be aware of what you post on the Internet, for there are no secrets. Also, always brush your teeth before going to bed.
Monday, 13 June 2011
Something that has been bugging me for a while
Do you have a facebook account? Rhetorical question, of course you do. If you don't, well then you can leave now because this post is all about *drumroll* FACEBOOK! Seeing as how it is on my blog, one can safely assume that it is about facebook security. So, what have facebook done now? They are protecting you from them.
Confused? So was I. Basically they have started up this new scheme to prevent Cross-Site Scripting (XSS) and Clickjacking and other scripting-based vulnerabilities. Some of you may be unfamiliar with scripting and the vulnerabilities therein. Most modern webpages serve up dynamic content, making the experience different for each user. A good example of this is your facebook newsfeed, which is different from your friend's feed.
This is all achieved using scripting. A script is essentially some sort of program code that runs within your web-browser. The catch is, you never explicitly execute the scripts like you do programs. They are embedded in the webpage and are executed when you open the webpage, or at some other suitable trigger. The problem then is that people could embed malicious scripts into pages and you will not realise they have run, until it's too late.
I'm sure you've all had that one friend who has posted the same spam link to everybody and 10 minutes later warned you not to click it. That is basically what these malicious scripts do. So, facebook decided that they need to address the issue, which they did pathetically.
What they have done is now they "read" your URLs and check them for any script. Again, ANY script. That means that if any script is detected, you will be logged out of facebook instantly as a security precaution. You may wonder why this is a problem. Well, as alluded to earlier, almost all actions on facebook are scripts. Seeing more items in your news feed, liking a post, commenting on a post, writing on somebody's wall, the chat feature. Everything is a script. So now, facebook sees you trying to do something legitimate and decides to kick you out. It doesn't always happen, but it's often enough to be mildly aggravating.
It's bad enough that you have to re-login, but what's even worse is that you go through the following two screens: (full size images here and here)
and then a 3rd asking if you would like to share a link explaining how great facebook security is. Honestly, I would rather have a red-hot iron bar slapped onto my arm. This is because if you read the messages carefully, you will notice a couple of "< br >" tags popping up.
This is not a security issue, but it does mean that whoever wrote those pages is probably a moron! "< br >" was/is the tag used in HTML to induce a line break. However, newer standards such as XHTML and HTML5 insist on using "< br />" for technical reasons. Believe me, it's a good idea. So, this led me to the conclusion that most facebook web developers have written sloppy HTML/PHP/JScript/whatever else they use and that is causing the "safety filter" to go off at least twice a week on my account. Also, I'm not sure how good the code for the "filter" is. I have very low expectations.
The first time I was logged out by this "filter", I was impressed that facebook had implemented such a feature. I guessed that they had some bugs in it, which was understandable. With each subsequent occurrence of me being "filtered out", I grew more sceptical. Then when I saw the horrendous HTML code in the warnings, I gave up hope and waited for it to happen again to make screenshots.
I didn't have to wait too long. Most people would say "Well, at least they tried!" To which I reply, "Welcome to cyber-security, where a half-assed attempt doesn't count!" Really, facebook, get your act together and actually make an attempt, and then maybe I'll be impressed and stop writing evil comments on your security fan pages.
Sunday, 13 February 2011
Passwords/phrases and client side storage
So, after we discussed this, we now move onto the promised post on where and how you should be storing your passwords. But before we get into that, we need to define the importance of passwords and password strength. But, we first need to discuss the term password, mainly the word part. People think, quite intuitively, that a password should be a single word, which is not the best idea. I prefer the term passphrase, implying multiple words and/or numbers and/or symbols. I will use the term passphrase from now on. With that out of the way, I think the next logical step is to discuss password strength.
Password strength is defined by 3 characteristics. The simplest is length, which is fairly obvious. The longer the password, the harder it is to guess. I recently stumbled onto these figures, but take them with a grain of salt. They do not specify what kind of hardware was used to make these figures, so it's all a bit iffy. Next is complexity, which is illustrated in the aforementioned figures (but just the general trend; the actual figures are still questionable). Simply put, if you have more complex passwords, with a combination of lower case, upper case, numbers and symbols, you increase the search space hugely. The third is memorability. There is no point in having "ASddeu43548&^&^ßß" as your password, because you will never remember it. A good password should be easily recalled. The higher each of these characteristics is, the stronger the password.
Now we move on to the classification of passwords. People have varying opinions on what the exact classifications are, but I use a 4-tier system, detailed below. For each tier we define the suggested password strength with respect to the 3 characteristics using the terms High (H), Medium (M), Low (L). We express these as a 3-tuple of the form {Length, Complexity, Memorability}, e.g. high length, medium to high complexity and low memorability is written as {H,M-H,L}.
TIER I: The big guns; these are passwords for your financial accounts. Online banking, online shopping, or any account which has your financial details, PIN numbers for your ATM/debit/credit cards. These must be very memorable, hard to guess and very strong. You lose one of these, you will lose all your money.
Strength: {H,H,H}
TIER II: These are next in line in terms of importance: Login credentials. This is your school/university/office login name and password. This is how you login to systems at work (wlog) either when you are on the premises or remotely. If you lose these, then you can kiss your professional life goodbye.
Strength: {H,M-H,H}
TIER III: The mid-level identity theft type passwords: email and social networking. So your Facebook, HI5, LinkedIn, MySpace, GMail, Y!Mail, Hotmail, thismail, thatmail, and so on and so forth. Depending on how many e-mail addresses you have and what kind of emails you receive on them, the effects of the loss vary. If you lose your primary account's password, then the likelihood of identity theft is significant.
Strength: {M-H,M-H,M}
TIER IV: The throwaways. This is all the stuff you couldn't care less about. Logins for sites that you created just so that you could read certain articles, for example. These do carry some risk, but it is very small. This depends on several factors, which we will get into in a moment.
Strength: {M,M,L-M}
Now, we need to lay down some ground rules. No passwords should be shared across tiers. This is based on the principle of least privilege. Secondly, passwords from one tier are never stored with passwords from a lower tier. Thirdly, reusability limits: Tier 1 passwords should be unique, tier 2 & 3 should be reused sparsely, Tier 4 can be reused infinitely. Finally, each tier's passwords should be of similar strengths, as explained above. These rules, and the system in general, are a guideline, which I try to follow, but there are grey areas. When in doubt, go for the safest option.
Now that we know how to classify our passwords, we move onto storage of said passphrases. For tier 1 passwords, we need highly secure storage, i.e. a password locker. These are programs that will store all your passwords for you in an encrypted form. To decrypt these, you need a master passphrase, which you define when you set up the locker. This passphrase can be thought of as a tier 0 passphrase, which is a mild abuse of notation. This master passphrase has to live in your head and must be of high length, complexity and memorability.
Next we go onto tier 2. These can be stored in programs, but need to be encrypted or locked with another master passphrase. These should not as a rule be stored with the tier 1 passwords, but that rule tends to be broken for practicality's sake. It is quite annoying having multiple password lockers and it wouldn't be the worst thing if your most important passwords were kept together. If we do have a second password locker, we should treat the master passphrase as a tier 1 password.
Now for tier 3, you can save them in your browser, BUT they must be encrypted with a master passphrase under all circumstances. Also you should avoid the use of cookies storing the session, caused by checking the "Remember me" check box. This is a big no-no. It's convenient, but it's not really secure. Alternatively you could have a third password locker and store them there, encrypted with a tier 2 passphrase (I'm sure you can see the general trend here). If you have your tier 1 and 2 passphrases in a single locker, then this would be a second locker.
And now, tier 4. We all have a billion passwords for a billion sites that we use once a month or even less frequently. Theoretically, you could create a new password for each, but you will never be able to remember them all. These you can have your browser remember for you. This way you can have a unique arbitrary password for every single account. There is no real need for master passphrase encryption, but it is recommended. As you may have guessed, this master passphrase would be a tier 3 passphrase.
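To make the tier scheme above concrete, here is an added example (my own illustration, not code from the original post) that encodes the four tiers with their {Length, Complexity, Memorability} tuples and audits a constructed list of accounts against the ground rules: no password shared across tiers, per-tier reuse limits, and no store holding passwords from more than one tier. Memorability cannot be measured by code, so only length and complexity are checked, and the numeric thresholds behind the H/M/L labels are this example's own assumptions.

```python
"""Audit a set of accounts against the blog's 4-tier passphrase scheme.

Added example, not from the original post. Thresholds for H/M/L are assumed.
"""
from __future__ import annotations

import string
from collections import defaultdict
from dataclasses import dataclass

# Assumed mapping from the blog's H/M/L labels to measurable minimums.
LENGTH_MIN = {"L": 8, "M": 12, "H": 16}
CLASSES_MIN = {"L": 1, "M": 2, "H": 4}  # lower, upper, digit, symbol classes present

# The blog's tiers: strength tuple {Length, Complexity, Memorability} and how
# many accounts may share one password (None = unlimited, as for tier 4).
TIERS = {
    1: {"strength": ("H", "H", "H"), "max_reuse": 1},
    2: {"strength": ("H", "M-H", "H"), "max_reuse": 2},
    3: {"strength": ("M-H", "M-H", "M"), "max_reuse": 2},
    4: {"strength": ("M", "M", "L-M"), "max_reuse": None},
}


def lower_bound(label: str) -> str:
    """A range such as 'M-H' is satisfied by meeting its lower end."""
    return label.split("-")[0]


def char_classes(pw: str) -> int:
    """Count how many of the four character classes the passphrase uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def check_strength(pw: str, tier: int) -> list[str]:
    """Return the length/complexity shortfalls of pw for the given tier."""
    length_label, complexity_label, _memorability = TIERS[tier]["strength"]
    problems = []
    need_len = LENGTH_MIN[lower_bound(length_label)]
    if len(pw) < need_len:
        problems.append(f"length {len(pw)} < {need_len} required for tier {tier}")
    need_classes = CLASSES_MIN[lower_bound(complexity_label)]
    if char_classes(pw) < need_classes:
        problems.append(f"only {char_classes(pw)} character classes, "
                        f"tier {tier} needs {need_classes}")
    return problems


@dataclass(frozen=True)
class Account:
    name: str
    tier: int
    password: str
    store: str  # where the credential lives: a locker, the browser, ...


def audit(accounts: list[Account]) -> list[str]:
    """Apply the strength check plus the three storage/reuse ground rules."""
    findings = []
    for acct in accounts:
        for problem in check_strength(acct.password, acct.tier):
            findings.append(f"{acct.name}: {problem}")

    by_password: dict[str, list[Account]] = defaultdict(list)
    for acct in accounts:
        by_password[acct.password].append(acct)
    for accts in by_password.values():
        tiers = {a.tier for a in accts}
        names = ", ".join(a.name for a in accts)
        if len(tiers) > 1:  # rule 1: never share a password across tiers
            findings.append(f"password shared across tiers {sorted(tiers)}: {names}")
            continue
        limit = TIERS[accts[0].tier]["max_reuse"]  # rule 3: reuse limits
        if limit is not None and len(accts) > limit:
            findings.append(f"tier {accts[0].tier} password reused {len(accts)}x "
                            f"(limit {limit}): {names}")

    by_store: dict[str, set[int]] = defaultdict(set)
    for acct in accounts:
        by_store[acct.store].add(acct.tier)
    for store, tiers in by_store.items():
        if len(tiers) > 1:  # rule 2: one store never mixes tiers
            findings.append(f"store '{store}' mixes tiers {sorted(tiers)}")
    return findings


# Constructed sample data; every value here is made up for the illustration.
SAMPLE_ACCOUNTS = [
    Account("bank", 1, "Tall!Ships&Sail-North-2011", "locker1"),
    Account("work-login", 2, "Correct-Horse-Battery-Staple", "locker2"),
    Account("email", 3, "Correct-Horse-Battery-Staple", "locker3"),  # shared with tier 2
    Account("social", 3, "autumnleaves", "locker3"),                 # too few classes
    Account("news-site", 4, "pw1234", "browser"),                    # too short
    Account("forum", 4, "pw1234", "browser"),                        # tier 4 reuse is fine
    Account("shop", 1, "Quiet#Harbour7Lanterns!Glow", "locker2"),    # tier 1 in tier 2 locker
]

if __name__ == "__main__":
    for line in audit(SAMPLE_ACCOUNTS):
        print(line)
```

Running it against the sample prints five findings: one complexity shortfall, two length shortfalls, one cross-tier shared password and one locker mixing tiers 1 and 2.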
These rules are quite rigid, but they are designed from a security point of view rather than a usability point of view. What is an acceptable loss of usability is very much a personal preference and that is up to you. You are welcome to bend and even break some of the rules, to make life easier for yourself. But, remember, you sacrifice security for usability and only you can strike the right balance for yourself. (I avoided saying "you have the power" because it sounds really cheesy) And so, there you have my guidelines for password storage. If in any way this makes the web just that much more secure, then I will have done my job.
Saturday, 17 July 2010
Password Storage
As you may or may not know, I have previously had a few not so pleasant words for people's activities on Facebook (cf. this post). I'm sure most people will agree that some people post unbelievable things on Facebook. Granted, some of it is user error, some of it is the interesting phenomenon called "Facebook rape" or simply "frape", but most of it is intentional. This has led to the development of two very similar sites, Lamebook and Failbook. The content is not all about people posting inexplicable things, but that is the gist of it. These sites have provided me with many hours of entertainment.
Now, you may be wondering what this has to do with password storage. This post is the link. So Ally stored all her passwords in a file, which I will for the sake of argument call pwd.doc. Now at this point that's a really bad idea. But then Ally thought about securing this file so she password protected it. Of course the most brilliant part is putting the password into the file itself, which as stated in the comments is like locking a copy of the key into a treasure chest. The pointlessness of that aside, Ally has now forgotten the password for pwd.doc, which is a bad thing.
What Ally has done is essentially a quick and easy password locker. The security of it is debatable, as Word document passwords can be relatively easily cracked. That aside, it is an excellent solution for what is just a bad situation. A recent study has shown that people have about 25 accounts requiring passwords and an average of 8 passwords. Each of these accounts has varying specifications for length, characters used, frequency of change and so on. This leads to sheer overload for the human brain.
The instant response is for people to write down all these passwords (as shown in the comments on the posts), which then creates a security threat. So the natural solution to that is a password locker. Instead of writing it all down on a piece of paper, you store it digitally and encrypt it, which is a password locker. There are several of these available on the net, ranging from free to £15 to any amount somebody thinks they can get away with. There are several issues to consider when creating a password locker, but that is for a later post. So Ally has essentially got a DIY password locker, which is now locked.
However, this was posted on Facebook, so that means that either:
a) Ally's Facebook password is stored in the browser,
b) Ally has the "Remember me" option ticked,
c) Ally remembers the password.
Going through each option one at a time, first up we have browser storage. Most people use their browser's password storage system, which stores passwords and then fills them in automatically to forms in web pages. This is an issue because a browser exploit could find all your passwords, and we all know where that leads. So door 1 has a goat behind it (for those of you unfamiliar with that reference, cf. The Monty Hall Problem).
Let's look at the next option, "Remember me", which was covered in a previous post, in the 6th paragraph. So another goat.
Finally, we assume Ally remembers the password. Well then, we can safely say it is more memorable than the password for pwd.doc. If we assume both passwords are equally memorable, then we can rule out this option. So we have a car, sort of. Let's say a goat-pulled car.
I could go on and on at length about passwords and their implications, but let's be honest, you'd rather hear it from someone. Bruce Schneier has several posts about passwords on his blog. Have a read through there if you are interested.
---NOTE: I will still post something about password lockers---
Tuesday, 1 June 2010
Yes, I know I've been gone for a while, but I was busy. My apologies. Now that I am back, I will update more frequently. Now down to the matter at hand.
I'm sure most, if not all of you use or are aware of Facebook. Just as a brief recap, Facebook is a social networking site that allows you to add friends, communicate with them, play games, blah, blah, blah. To explain the problem at hand, we need to discuss some features of Facebook. The first one is Groups. Now a Group is basically a group of people brought together by some common theme, such as this group about potatoes. What people soon did was make groups for celebrities, fictional characters, TV shows, movies and so on and so forth. Facebook thought "Well, this can't be right!" Thus were born fan pages. It's essentially a group with limited functionality, such as no messaging to all members.
Now, when a friend becomes a fan of something you get a message in your newsfeed saying "Friend is now a fan of Something." With your friend's name as a hyperlink to their profile page and similarly the name of the page links to the page itself. Of course Facebook changed "Become a Fan" to "Like", thus making it "Friend now likes Something."
However, Facebook did not stop there. No, that would be easy and the sensible thing to do. They then went and did possibly the worst thing possible. They allowed the fan page hyperlink to direct you to an external website!!! So now you can click on a page and be whisked off Facebook and taken to some other website.
Now where's the problem, you ask? Surely Facebook checks all of these sites and ensures that they are safe and all that jazz. Sadly not. A large number of sites exist where simply visiting the site makes you Like it on Facebook and publishes that to your friends' newsfeeds; they then click on the link, and so a worm is born. This one has a non-destructive payload, but it is definitely a proof of concept.
What's even worse, in reaction to exceptionally long page names, somebody posted a page on how to remove them from your newsfeed. This led to a site which then issued a pop-up saying "I don't know either!" Really funny, right? Yes, because these sites can actually execute arbitrary code and do essentially anything. The main concerns here are Clickjacking and Cross-Site Scripting. These can be used to do, well, potentially anything to your system.
Ironically, as I am writing this post, I have come across this blog post from Sophos' Graham Cluley. This shows that it is possible and it has been done. I will leave you to read that as, well, his post is probably better than mine will ever be.
Right, so having been a bit scared, what do we do? Simple:
DO NOT LIKE RANDOM PAGES!!!
DON'T DO IT!!!
DON'T DO IT!!!
Seriously, don't!