As you may or may not know, I have previously had a few not-so-pleasant words for people's activities on Facebook (cf. this post). I'm sure most people will agree that some people post unbelievable things on Facebook. Granted, some of it is user error and some of it is the phenomenon called "Facebook rape" or simply "frape" (somebody else posting from an account that was left logged in), but most of it is intentional. This has led to the development of two very similar sites, lamebook and failbook. The content is not all about people posting inexplicable things, but that is the gist of it. These sites have provided me with many hours of entertainment.
Now, you may be wondering what this has to do with password storage. This post is the link. Ally stored all her passwords in a file, which I will for the sake of argument call pwd.doc. That alone is a really bad idea: a plain-text file is readable by anyone, or anything, that can read her files. Then Ally thought about securing this file, so she password-protected it. The most brilliant part is putting that password into the file itself, which, as one commenter put it, is like locking a copy of the key inside the treasure chest. The pointlessness of that aside, Ally has now forgotten the password for pwd.doc, which is a bad thing.
What Ally has done is essentially build a quick and easy password locker. Its security is debatable, as Word document passwords can be relatively easily cracked; how easily depends on the version. The Word 97-2003 format encrypts with 40-bit RC4, a key small enough to search exhaustively no matter how good the password is, while the Office 2007 and later format uses AES-128 with a key derived from the password through tens of thousands of SHA-1 iterations, so it is only as strong as the password chosen. That aside, it is a reasonable response to what is simply a bad situation. A recent study has shown that people have about 25 accounts requiring passwords and an average of 8 passwords. Each of these accounts has varying requirements for length, characters used, frequency of change and so on. This leads to sheer overload for the human brain.
The instant response is for people to write down all these passwords (as shown in the comments on the post), which then creates a security threat. So the natural solution to that is a password locker: instead of writing it all down on a piece of paper, you store it digitally and encrypt it under one master password that you can actually remember. There are several of these available on the net, ranging from free to £15 to any amount somebody thinks they can get away with. There are several issues to consider when creating a password locker (how the key is derived from the master password, what happens if the master password is lost, whether tampering with the file is detected), but that is for a later post. So Ally has essentially got a DIY password locker, which is now locked.
However, this was posted on Facebook, so that means that either:
a) Ally's Facebook password is stored in the browser,
b) Ally has the "Remember me" option ticked,
c) Ally remembers the password.
Going through each option one at a time, first up we have browser storage. Most people use their browser's password store, which saves passwords and then fills them into web forms automatically. The catch is that anything able to run code as you, or to read your browser profile, can usually read every saved password: by default the store is protected only by your operating-system login, not by a separate master password (Firefox offers an optional one). A browser exploit could therefore lift all your passwords in one go, and we all know where that leads. So door 1 has a goat behind it (for those of you unfamiliar with that reference, cf. The Monty Hall Problem).
Let's look at the next option, "Remember me", which was covered in a previous post, in the 6th paragraph. So another goat.
Finally, we assume Ally remembers the password. Well then, we can safely say it is more memorable than the password for pwd.doc. If we assume both passwords are equally memorable, then we can rule out this option. So we have a car, sort of. Let's say a goat-pulled car.
I could go on at length about passwords and their implications, but let's be honest, you'd rather hear it from someone who knows more. Bruce Schneier has several posts about passwords on his blog. Have a read through there if you are interested.
---NOTE: I will still post something about password lockers---
Saturday, 17 July 2010
Wednesday, 7 July 2010
Another side-note
Well, I have previously pointed out how TV tries to use cryptography as a plot point and fails massively, but I found a counter-example. I have recently started watching Numb3rs, and by recently I mean I'm only on Season 1 Episode 5. Which is the exact episode I want to talk about, well, not so much talk about as mention that they pretty much got the details of how cryptography works right. There was a slight lack of finesse, but overall the general idea was conveyed. Needless to say this made me happy. Apart from that, as far as I can tell most of the maths they do/show/explain on the show is fairly accurate. Looks like I have a new TV show to watch.
*EDIT*
Season 1 Episode 6, same as above.
Sunday, 6 June 2010
Really, Google? Really?
So it has recently come to light that Google will, according to this article, phase out Microsoft Windows in favour of Mac OS X or Linux on company machines. They are claiming that this is a security measure, citing the recent attacks on Google's Chinese operations. At this point I really have to wonder what, in the name of the seven deep dark pits of Hell, Google is thinking. You could not be more wrong if you tried (yes, this annoys me so greatly that my grammar is out the window).
If you will allow me to explain for a moment. A few months ago Google, amongst other large tech companies, was attacked in what became known as Operation Aurora. An employee in Google China clicked on a link he received in an e-mail (I will assume it claimed to be an amazing picture of the Aurora Borealis or something of that nature). Visiting that page infected his machine, and from that foothold the attackers moved through Google's network.
Now let us focus on the attack itself. Aurora was not, strictly, a buffer overflow but a memory-corruption bug of a closely related kind: a use-after-free in Internet Explorer's HTML engine, CVE-2010-0249, which Microsoft patched out of band as MS10-002. The vulnerable code was present in IE6, IE7 and IE8, but the exploit used in the wild targeted IE6 on Windows XP, where neither DEP nor ASLR stood in its way. This gives us three things that were needed for this attack to work:
- Windows, and specifically a configuration with no exploit mitigations (XP, with DEP not enabled for the browser)
- IE6, or another IE running without DEP and Protected Mode
- A memory-corruption exploit (a use-after-free, cousin of the classic buffer overflow)
Next point is IE6, the all-too-famous Internet Explorer 6, the bane of all web developers and the love of all its users. As with XP, it has no real exploit mitigations built into it. IE7 on Vista added Protected Mode, which runs the browser at low integrity so an exploit cannot simply write wherever it likes, and IE8 turned on DEP by default, which is precisely the protection the Aurora exploit needed to be absent. The point remains that both IE7 and IE8 were available at the time, as were Mozilla Firefox, Opera and of course Google's own Chrome browser. So not only were they using an unpatched OS, they were using an old, outdated browser, despite having one of their own which they will smugly tell you is more secure. It is undoubtedly more secure (each site is rendered in its own sandboxed process), so why it was not used escapes me totally.
Then we move on to buffer overflow attacks and their relatives, which are well explained by my colleague in his blog post. I would also recommend his post on ASLR/DEP, since those two mitigations are exactly what separated the IE6-on-XP victims from everybody else.
There is also the matter of the Chinese activists getting their GMail accounts hacked. Ever wonder how websites "remember you"? When you tick "Remember me" or "Keep me logged in", the site sets a cookie: a small piece of data that your browser stores and sends back with every request to that site. The cookie does not hold your details; it holds a token that identifies your logged-in session, and the site keeps the details on its own end. When you next visit, the browser sends the token, the site looks it up and, in a manner of speaking, does the log-in for you. The flip side is that whoever else holds that token is you, as far as the site can tell. Until January 2010 GMail used HTTPS by default only for the log-in page and fell back to plain HTTP for everything else, so the session cookie and all the mail travelled in the clear. On a shared network it is fairly easy to intercept the packets going between GMail and your target, copy the cookie and walk into the account. For the record, Google said at the time that the activists' accounts appear to have been got at through phishing and malware on the users' own computers rather than through a breach at Google; session hijacking over plain HTTP is nonetheless a real way in, and it is one of the reasons GMail moved to HTTPS by default.
Now, if we look at the choices of OS the employees have, we see Mac OS X and Linux. Google seems to think these are more secure. Well, here's news for you, Google: THEY'RE NOT, not in any way that matters here! As much as Apple advertisements would like to convince you that there is absolutely no malware for the Mac, there is, just not as much as for Windows. "Why?" you ask. The overwhelming majority of desktops run Windows, so it is a numbers game: more targets means a bigger return on writing the malware. Pure and simple economics. The same applies to Linux. Linux, on the other hand, has a different argument thrown at it: since all the code is open source and freely available, someone could read it to find a really nasty vulnerability. That cuts both ways, though. Closed source does not stop anybody, as attackers disassemble binaries as a matter of routine and Aurora itself was a bug in closed-source Internet Explorer, while open code at least lets defenders find and fix bugs too. Either way, the possibility of a remotely exploitable bug exists on every platform.
So, all in all, it really doesn't matter what operating system Google uses: they all have vulnerabilities. What matters is keeping software patched and running the versions that actually have the mitigations, and if they don't do that, then in my opinion they deserve to be attacked. Repeatedly. Citing "security reasons" for changing from Windows is the worst possible excuse Google could have come up with. Really, Google? GROW UP!
Tuesday, 1 June 2010
Yes, I know I've been gone for a while, but I was busy. My apologies. Now that I am back, I will update more frequently. Now down to the matter at hand.
I'm sure most, if not all, of you use or are aware of Facebook. Just as a brief recap, Facebook is a social networking site that allows you to add friends, communicate with them, play games, blah, blah, blah. To explain the problem at hand, we need to discuss some features of Facebook. The first one is Groups. A Group is basically a set of people brought together by some common theme, such as this group about potatoes. What people soon did was make groups for celebrities, fictional characters, TV shows, movies and so on and so forth. Facebook thought "Well, this can't be right!" and thus were born fan pages. A fan page is essentially a group with limited functionality, such as no messaging to all members.
Now, when a friend becomes a fan of something, you get a message in your news feed saying "Friend is now a fan of Something", with your friend's name as a hyperlink to their profile page and, similarly, the name of the page linking to the page itself. Of course Facebook has since changed "Become a Fan" to "Like", making it "Friend likes Something."
However, Facebook did not stop there. No, that would be the easy and sensible thing to do. They then went and did possibly the worst thing possible: they allowed the page hyperlink to direct you to an external website. So now you can click on what looks like a Facebook page and be whisked off Facebook to some other site entirely.
Now where's the problem, you ask? Surely Facebook checks all of these sites and ensures that they are safe and all that jazz. Sadly not. A large number of sites exist where simply visiting the site makes you Like it on Facebook, which publishes that to your friends' news feeds; they then click the link, and so a worm is born. The ones seen so far carry a non-destructive payload, but the proof of concept is definitely there.
What's even worse: in reaction to exceptionally long page names, somebody posted a page on how to remove them from your news feed. This led to a site which then issued a pop-up saying "I don't know either!" Really funny, right? Not really, because such a site runs whatever script its owner pleases in your browser, and the silly pop-up is only the visible part. The main concerns here are clickjacking (the real Like button, loaded invisibly in a frame and placed under whatever you were actually trying to click, which is exactly how the silent Likes above are harvested) and cross-site scripting. Between them these can be used to do potentially anything your browser can do on your behalf, and with a browser exploit on top, anything at all.
Ironically, as I am writing this post I have come across this blog post from Sophos' Graham Cluley. It shows that it is possible and that it has been done. I will leave you to read that, as his post is probably better than mine will ever be.
Right, so having been a bit scared, what do we do? Simple:
DO NOT LIKE RANDOM PAGES!!!
DON'T DO IT!!!
DON'T DO IT!!!
Seriously, don't!
Friday, 9 April 2010
The Digital Economy Act (it's not a Bill anymore, get your facts straight)
I will apologise straight away that this post is disjointed, but I am slightly annoyed and really don't care at this point in time.
Right, I have had it up to here with people whining and complaining about the "draconian", "oppressive", "suppressive", "unrealistic" and "unreasonable" UK Digital Economy Act (full text of the Act available here). I have two words for you:
SHUT UP!
No really, STFU. As far as I'm concerned it's about time something was done. If you do not support the Act, you are welcome to skip to the last few paragraphs.
Basically as I said in my post about the Nobel Peace Prize Fiasco, the Internet quickly evolved into something that it was not intended to be. People have grown accustomed to it and assumed that it is their right to have free access to everything. Sadly, that's not how reality works.
The P2P programs of yesteryear, such as Napster, Kazaa, etc., are gone. These basically allowed users to share files with anybody on the Internet. In theory a good idea, but in practice they were used to share illegal copies of music, movies, TV shows etc. Now that is blatantly illegal. There are no two ways about it, it's ILLEGAL.
ILLEGAL as in IT'S A CRIME as in 5 YEARS IN PRISON OR $100,000 FINE. Now I'm sure all of you have some music/movies/TV shows/whatever that you downloaded from the Internet. Well good for you, now STOP.
For too long people have just assumed that it is fine for you to download content from the Internet instead of paying for it. People think that it is their right. People think that the Internet is a place where no rules apply and they can get away with everything. Well guess what, it's NOT.
Fine we've had a good run till now, but the honeymoon period is over. The Internet needs to be regulated. It's not up for debate, it has to be done. Most of the problems caused by the Internet could be solved with simple regulation. As a security professional I welcome this Act, in the essence of it.
This is a fairly comfortable middle ground. Now all you nay-sayers out there, consider this: security experts (as in real experts) have said that no person should be allowed to connect a computer to the Internet without having due cause and having been ascertained to be capable of doing so in a secure manner. You would need to apply for some sort of Internet User Certificate, which would allow you to go online. Still think the DEA is "draconian"? Really, things could be worse.
Whether you like it or not, there needs to be regulation and oversight of the Internet. Until now, it has mostly been governed by mob rule and good faith. Well we've just about run out of that and there's a new sheriff in town. You may not like it, you complain about it till the horses come home, but he's not going anywhere. The sooner you accept it, the better.
Yes, lots of ISPs have opposed it and complained. In fact TalkTalk has said it will not comply with the provisions of the Act (cf. this article). Now, as much as most people may cheer this, they may soon find that TalkTalk changes its tone. The obligations are statutory and the Act gives Ofcom the power to levy financial penalties on an ISP that does not comply. You don't have to like it, you just have to do it.
Now, the actual text of the Act is not quite perfect. There was a large lack of technical expertise when creating the Bill, which shows in its text. And, yes, it was rushed through Parliament, but I watched part of the debates and there were only a handful of MPs present. So anybody who complains it wasn't given enough debate, ask them where they were during the reading of the Bill.
It is not perfect legislation, nor is it ideal, but it's a start. As with most laws, it will be revised, revisited and amended, hopefully with more technical oversight. Of course the interesting thing is that with a General Election less than a month away, any sort of debate or modification of this Act may be done under a new Government, but that remains to be seen.
Friday, 26 March 2010
Small side-note
As I have been very busy the past couple of weeks, I haven't been keeping up to date with most of my TV viewing. I just recently managed to watch FlashForward S01E11. What made me laugh was the part where Dr. Simon Campos is trying to "brute force" an encryption algorithm. Their attempted accuracy made me laugh a little. As with the portrayal of most computer-based security in the media, they try, but fail at accuracy. Points for trying though.
More complaints about the iPhone (from other people this time)
As anybody who knows me will tell you right away, I abhor the iPhone (cf. my previous post). Now it has emerged that security professionals rank the iPhone as the "worst workplace risk." Essentially all "smartphones" are a risk in a secure environment, however some are more so than others. The iPhone came 1st with 57%, followed by the Android phones at 39%, BlackBerry at 28% and Nokia Symbian smartphones in last with 13%. (Please note these figures are straight from the article and I am not exactly sure how the
Apple's constant "bare-minimum" approach to security is what has landed them in this position. This philosophy of "just enough security to keep us afloat" is actually the worst idea ever. Throughout the relatively brief history of the field, information security professionals have learned one thing very quickly: the weakest get attacked the most.
It's simple: if your system is constantly being attacked, you upgrade your security. If you did it right, there is now somebody less secure than you, and no prizes for guessing who the most attacked party is now. In theory, the least secure being attacked and then upgrading should eventually push everybody up to a decent threshold level of security and the world would be a better place. Of course, not everyone sees it that way, or cares.
As far as I am concerned, mobile devices should not be allowed into a secure environment at all. There is a plethora of possible security risks involved (which I will cover in another post). As the article says at the end, some companies are discouraging or even banning iPhones in the workplace. It's a start, but I think that all smartphones should be discouraged or banned. Just in case people think I don't like smartphones: I own one. Even so, they are still a security risk.