17 February 2019

Surviving the Byte of the Cobra, part 1

by Leigh Lundin

Shibboleths and Shinola

As you may know, I spent years computer consulting for major corporations. I developed low regard for the so-called security found in many businesses, banks and brokerage houses, and lesser government agencies. Many so-called safety ‘features’ introduce unintended vulnerabilities.

Stick with me today and tomorrow. I’ll show you a method or so to help plug one or two security holes and help protect yourself.

Just Say No

Recently, I found myself unable to create an on-line account with my insurance company. The business published no  password restrictions, so I started with something like §103NádražníBeržųStraße – I’m not kidding – I take the security of my most critical sites seriously. The system didn’t accept that, a big clue that password and privacy isn’t a high priority with them. I whittled away diacriticals and then the leading special character §, but still nothing. After reduction to a plain vanilla password, and still no access I contacted customer service, asking how to solve the problem.

Naturally the customer service lady wouldn’t put me in direct touch with IT, the people who should know. She spent roughly 15 minutes piecing together the requirements: no more than ten characters from a measly set of the 62 alphanumeric characters plus underscore and hyphen.
“You’re kidding,” I said.

“What do you mean?”

“Those are the weakest password requirements I’ve come across in a long time.”

“Oh no, sir. We’ve never been hacked, so we’re very pleased.”

“You mean you haven’t drawn the attention of hackers.” The more restrictions placed on passwords, the easier for miscreants to breach the walls.

I could feel her bristle through the phone line. “Our staff understands our needs very well, I’m sure.”

Uh-huh. I thought dryly. They could withstand a concerted attack for, well, hundreds of seconds.
The only safe solution was not to use their on-line ‘service’ at all. In the future, what little information I might need will come by telephone and US mail.

It’s 1980, No Pasting Allowed

Ever encounter a web site that won’t allow you to paste in your password? Sure you have, and it’s frustrating as hell. Worse, it adds vulnerabilities rather than resolves them.

Years ago, some misguided ‘expert’ decided password paste prevention sounded pretty cool, and lo, he advised others about his really cool hypothesis. It turned out wrong, dead wrong.

Preventing pasting discourages visitors from using long, complex passwords, prevents utilizing password managers, and makes it easy for cracking hardware and software ‘keyloggers’– to monitor what you type in. Even the task group within NIST, the US National Institute of Standards and Technology, advises against disabling password pasting.

Clearly a number of corporations didn’t get the memo. What can a trapped user do? A few suggestions come to mind.

The web page may disable pasting keyboard shortcut but not disable the menu paste entry. This occurs often enough, it’s worth trying first.

A second possibility is to temporarily disable JavaScript. After doing it a couple of times, it doesn’t take long, certainly less time than blindly typing in a long string. Simply bring up the web page. When you reach the field that won’t let you paste, disable JavaScript by invoking Preferences, click Disable JavaScript in the Security or Privacy tabs, paste your password, and immediately re-engage JavaScript. (Note: This doesn’t work with Firefox, which won’t let users disable JavaScript.)

If that fails, try to resist using a short and simple password, one reason why this disagreeable ‘feature’ is so dangerous.

When It’s All About Length

I came across a bug in a popular web site. The registration web page happily accepted my lengthy password, but would not allow me to sign on.

I learned the site used an unadvertised maximum limit of 20 characters. Further investigation concluded it didn’t limit or validate the length of the password string. The registration page stored a function of the first 20 characters, no matter how many were entered. The sign-on page also didn’t check the limit of characters, but simply compared its value with the stored value, resulting in a mismatch.

In other words, I tried to register AbCdEfGhIjKlMnOpQrStUvWxYz, but the program stored AbCdEfGhIjKlMnOpQrSt. When I tried to sign on, the page compared the stored AbCdEfGhIjKlMnOpQrSt with the sign-on value of AbCdEfGhIjKlMnOpQrStUvWxYz and failed, a stupid programming error. (Engineers will note I’m grossly simplifying a hash encryption function.) Bad, bad program design.

© BBB
Mine’s Smaller Than Yours

A web site’s failure to validate the length of a password allowed me to pull off a silly little trick of questionable value. In the early days of the Web before it came under attack by Russian crackers and North Korean ransomware, I’d registered at a particular web site with a short password.

Years later, alarmed at attacks occurring worldwide, the site instituted stricter registration policies, including using lengthy password minimums double the length mine. They validated new password lengths at registration, but not during sign-on.

The site wasn’t critical for me, which led to an idiosyncratic decision to keep my old, deprecated password. A brute-force attacker would likely note  updated site rules that passwords must run at least twelve characters in length. If so, my dinky little password ought to sail under their radar. (And if not, I could live without the site.)

Tomorrow… Cobras and those pesky and perilous personal mystery questions.

7 comments:

janice law said...

Oh, the costs of convenience!

In my experience banking has gotten seriously worse in general with the switch to on line and digital banking instead of nice tellers with pen and ink.

Paul D. Marks said...

I agree with Janice, the human touch is definitely lost. And even when you talk to a real person today you might as well be talking to a machine. They know little about how to deal with customers.

As to the security issues, all of that is just scary as hell.

Leigh Lundin said...

Janice, there is something very machine-like about today's banking. I wrote not long ago about a foreign-sourced attack on a friend's Chase Bank account. Chase blames her(!) instead of their own self-admittedly, way-too-easy 'prove it's you' questions.

Paul, you nailed it. The rare human available by phone often knows no more than a constipated ATM.

Yesterday, I discovered to my dismay that an on-line speciality insurance I thought I'd ordered on-line hadn't kicked in at all. You would think the great computer expert (me) would be less susceptible to such errors, but, perhaps because of ADD, I can on-line err just like anyone else.

Lawrence Maddox said...

I'm changing my passwords today. Thanks Leigh for the wake-up call!

Leigh Lundin said...

You're welcome, Lawrence, and thank you. Generally make passwords as long as possible, then if the web site allows oddball punctuation and symbols, go for them!

Melodie Campbell said...

Thanks for that advice, Leigh! As you know, I was part of the Yahoo hack three years ago, and they also got into amazon. Horrible lemon situation for me for a while, but I did manage to make lemonade by using that experience in The Goddaughter Does Vegas (out two weeks ago!)

Leigh Lundin said...

Melodie, that's a great way to squeeze a negative situation into a positive. I've read some of the Goddaughter stories and they are funny! Love 'em!