18 February 2019

Surviving the Byte of the Cobra, part 2

by Leigh Lundin

The exemPlum doesn’t fall far from the tree…

Yesterday, we discussed password problems. Today, we look at those subversively risky personal questions used to zero in on you and perhaps your wallet.

A fair lot of crap programming comes out of Bangalore, so it’s befitting software designers call this particular law of unintended consequences ‘the cobra effect’.

The Cobra Effect

During British Crown Rule of India, legend says administrators grew concerned about the numbers of vipers infesting Delhi. The colonial governor offered a bounty for every dead cobra brought in. However, the plan’s short-term success was undermined by enterprising locals breeding cobras to collect bounties. The British governor terminated the program. Disappointed cobra farmers subsequently released their breeding serpents into the wild, far worsening the problem… or so the parable goes.
Character Reference

Last week, I needed to register on-line with a county agency. (No, my readers, NOT the Department of Corrections as the snarky amongst you might suspect.)

The first hint of difficulty lay in the most restricted character set to date, merely letters and numbers, no punctuation whatsoever. This thoughtfully provides bad guys huge hints: “Psst. Save time, fellas. Don’t bother testing the lock with those difficult oddball characters.”

The next clue… You know those personal identifying questions in case you forget your password? Questions like naming your favorite cheese or your first juvenile parole officer? These questions mask some of the greatest risks in computerdom. Anyone who knows the least bit about you can guess the answers.

Worse, I’ve encountered sites that provide convenient drop-down menu answers, a selection of eight or so choices. One of the most popular questions with a handy menu is, “What’s your favorite color?”

Presumably this helps the spelling-challenged, but what a gift to bad guys. Immediately black-hat hackers rule out black and white, rarely anyone’s favorites. That leaves six or eight choices, hardly a burden for the least capable password cracker. They need not guess if they notice the blue shirts and blue cell phone cover ordered on Amazon and now appearing in your latest Facebook pose.

Moral: Never answer a question with a menu choice.

Orange County Registration Questions: Your Government at Work

At left, notice the personally identifiable questions from the aforementioned county agency. Anyone with the slightest knowledge about you can guess the answers. Anyone who doesn’t know you, can easily google your name, learning where you attended high school, your favorite team, your pets, and your mother’s maiden name.

What can you do about it?

Don’t play the game.

First, of course, avoid Q&A with drop-down menus. That’s a given.

If the web page doesn’t feature drop-down menus, you can answer your favorite color of yellow, orange, or red with “sweet cream banana pie yellow”, “fancy freckle-farm fulvous fantasy,” or “notorious red dye number 2”.

If you know French, Spanish, or Romanian, you might utilize that knowledge, perhaps in combination with the verbose suggestion above. Answer your favorite color as ‘rouge’, ‘rojo’, or ‘roșu’. If you don’t know a foreign language, try Pig Latin, e.g., ‘edray’ or ‘ellowyay’.

But I never could abide by the rules. There’s an easier way than such hard-to-remember replies.

You can boost security if you make your answers – every answer – a non sequitur, a nonsense phrase. Remembering will be easier if you use the same response, such as “None of your damn business.” For example:
Favorite author?
None of your damn business.
Favorite color?
None of your damn business.
Favorite team?
None of your damn business.
Web sites like Apple’s recognize and object when an answer is repeated while populating a questionnaire. One solution is to exactly echo the question with leading or trailing words. For example, “Favorite author?” can be answered with, “My favorite author is none of your damn business,” or more simply, “Stuff my favorite author,” and “Stuff my favorite team,” etc.

Most importantly, choose a method that fits your style, then keep that information to yourself. Not playing by their dictates helps keep your data safer.

Don’t play the game.

Make up your own rules.

Password Security Question

Q. What’s your favorite security question?

A. ______________________________

17 February 2019

Surviving the Byte of the Cobra, part 1

by Leigh Lundin

Shibboleths and Shinola

As you may know, I spent years computer consulting for major corporations. I developed low regard for the so-called security found in many businesses, banks and brokerage houses, and lesser government agencies. Many so-called safety ‘features’ introduce unintended vulnerabilities.

Stick with me today and tomorrow. I’ll show you a method or so to help plug one or two security holes and help protect yourself.

Just Say No

Recently, I found myself unable to create an on-line account with my insurance company. The business published no password restrictions, so I started with something like §103NádražníBeržųStraße – I’m not kidding – I take the security of my most critical sites seriously. The system didn’t accept that, a big clue that password and privacy isn’t a high priority with them. I whittled away diacriticals and then the leading special character §, but still nothing. After reduction to a plain vanilla password, and still no access, I contacted customer service, asking how to solve the problem.

Naturally the customer service lady wouldn’t put me in direct touch with IT, the people who should know. She spent roughly 15 minutes piecing together the requirements: no more than ten characters from a measly set of the 62 alphanumeric characters plus underscore and hyphen.

“You’re kidding,” I said.

“What do you mean?”

“Those are the weakest password requirements I’ve come across in a long time.”

“Oh no, sir. We’ve never been hacked, so we’re very pleased.”

“You mean you haven’t drawn the attention of hackers.” The more restrictions placed on passwords, the easier for miscreants to breach the walls.

I could feel her bristle through the phone line. “Our staff understands our needs very well, I’m sure.”

Uh-huh, I thought dryly. They could withstand a concerted attack for, well, hundreds of seconds.

The only safe solution was not to use their on-line ‘service’ at all. In the future, what little information I might need will come by telephone and US mail.

It’s 1980, No Pasting Allowed

Ever encounter a web site that won’t allow you to paste in your password? Sure you have, and it’s frustrating as hell. Worse, it adds vulnerabilities rather than resolves them.

Years ago, some misguided ‘expert’ decided password paste prevention sounded pretty cool, and lo, he advised others about his really cool hypothesis. It turned out wrong, dead wrong.

Preventing pasting discourages visitors from using long, complex passwords, prevents the use of password managers, and makes it easier for cracking hardware and software ‘keyloggers’ to monitor what you type in. Even the task group within NIST, the US National Institute of Standards and Technology, advises against disabling password pasting.

Clearly a number of corporations didn’t get the memo. What can a trapped user do? A few suggestions come to mind.

The web page may disable the paste keyboard shortcut but not the menu’s paste entry. This occurs often enough that it’s worth trying first.

A second possibility is to temporarily disable JavaScript. After doing it a couple of times, it doesn’t take long, certainly less time than blindly typing in a long string. Simply bring up the web page. When you reach the field that won’t let you paste, disable JavaScript by invoking Preferences, click Disable JavaScript in the Security or Privacy tabs, paste your password, and immediately re-engage JavaScript. (Note: This doesn’t work with Firefox, which won’t let users disable JavaScript.)

If that fails, try to resist using a short and simple password, one reason why this disagreeable ‘feature’ is so dangerous.

When It’s All About Length

I came across a bug in a popular web site. The registration web page happily accepted my lengthy password, but would not allow me to sign on.

I learned the site used an unadvertised maximum limit of 20 characters. Further investigation concluded it didn’t limit or validate the length of the password string. The registration page stored a function of the first 20 characters, no matter how many were entered. The sign-on page also didn’t check the limit of characters, but simply compared its value with the stored value, resulting in a mismatch.

In other words, I tried to register AbCdEfGhIjKlMnOpQrStUvWxYz, but the program stored AbCdEfGhIjKlMnOpQrSt. When I tried to sign on, the page compared the stored AbCdEfGhIjKlMnOpQrSt with the sign-on value of AbCdEfGhIjKlMnOpQrStUvWxYz and failed, a stupid programming error. (Engineers will note I’m grossly simplifying a hash encryption function.) Bad, bad program design.
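The sign-on failure described above comes down to two code paths applying different rules to the same password. The following is an added example, not code from the original post or from the site it describes: a buggy registration/sign-on pair that silently keeps only the first 20 characters, beside a corrected pair that applies one published length rule on both paths and hashes the whole password. The 20-character limit and the 26-letter sample password come from the text; the user name, the 128-character advertised maximum, the salted PBKDF2 hash and the iteration count are constructed for illustration.

```python
"""Added example (not from the article): reproduce the silent-truncation
sign-on bug and show the corrected registration/sign-on pair."""
import hashlib
import hmac
import os

TRUNCATE_AT = 20        # the unadvertised limit the article describes
ADVERTISED_MAX = 128    # constructed: a generous, published limit for the fixed version
ITERATIONS = 10_000     # kept low so the demo runs quickly; use far more in production


def derive(password: str, salt: bytes) -> bytes:
    """Salted password hash (PBKDF2-HMAC-SHA256), standing in for the site's stored 'function'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# --- Buggy pair: registration truncates, sign-on does not --------------------
def register_buggy(store: dict, user: str, password: str) -> None:
    salt = os.urandom(16)
    # Only the first 20 characters reach the hash; the rest are silently dropped.
    store[user] = (salt, derive(password[:TRUNCATE_AT], salt))


def login_buggy(store: dict, user: str, password: str) -> bool:
    if user not in store:
        return False
    salt, digest = store[user]
    # The full string is hashed here, so a password longer than 20 characters
    # can never match what registration stored.
    return hmac.compare_digest(digest, derive(password, salt))


# --- Fixed pair: one length rule on both paths, full password hashed ---------
def check_length(password: str) -> None:
    """Reject over-long input explicitly instead of truncating it."""
    if len(password) > ADVERTISED_MAX:
        raise ValueError(f"password may not exceed {ADVERTISED_MAX} characters")


def register_fixed(store: dict, user: str, password: str) -> None:
    check_length(password)
    salt = os.urandom(16)
    store[user] = (salt, derive(password, salt))


def login_fixed(store: dict, user: str, password: str) -> bool:
    if user not in store or len(password) > ADVERTISED_MAX:
        return False
    salt, digest = store[user]
    return hmac.compare_digest(digest, derive(password, salt))


def demo() -> dict:
    """Run both pairs on the article's 26-letter sample password; return each outcome."""
    pw = "AbCdEfGhIjKlMnOpQrStUvWxYz"   # from the article
    buggy, fixed = {}, {}
    register_buggy(buggy, "leigh", pw)   # user name constructed
    register_fixed(fixed, "leigh", pw)
    return {
        "buggy_full_password": login_buggy(buggy, "leigh", pw),       # False: the bug
        "buggy_first_20_only": login_buggy(buggy, "leigh", pw[:20]),  # True: only the prefix was stored
        "fixed_full_password": login_fixed(fixed, "leigh", pw),       # True
        "fixed_first_20_only": login_fixed(fixed, "leigh", pw[:20]),  # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The second buggy result is the part worth noticing: because registration stored a value derived only from the prefix, the truncated form is what the site actually accepts, which is why a limit that is enforced on one page and not the other is a defect rather than a mere inconvenience. A hash such as PBKDF2 has no 20-character ceiling, so the fix is to drop the truncation and apply a single, published limit identically at registration and sign-on.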

Mine’s Smaller Than Yours

A web site’s failure to validate the length of a password allowed me to pull off a silly little trick of questionable value. In the early days of the Web before it came under attack by Russian crackers and North Korean ransomware, I’d registered at a particular web site with a short password.

Years later, alarmed at attacks occurring worldwide, the site instituted stricter registration policies, including lengthy password minimums double the length of mine. They validated new password lengths at registration, but not during sign-on.

The site wasn’t critical for me, which led to an idiosyncratic decision to keep my old, deprecated password. A brute-force attacker would likely note updated site rules that passwords must run at least twelve characters in length. If so, my dinky little password ought to sail under their radar. (And if not, I could live without the site.)

Tomorrow… Cobras and those pesky and perilous personal mystery questions.

10 February 2019

The New Playground of Criminals: Sexting and Phishing.

by Mary Fernando

Amanda Todd was in grade seven when an online stranger convinced her to expose her breasts. Then he attempted to blackmail her, saying he would send Amanda’s naked image to family and friends if she didn't provide him with more nudes. She refused. He sent her nudes and, from that point on, she was ridiculed and bullied. 

After making a heartbreaking video, Amanda took her own life at fifteen.

Research looking at 110,000 children, all younger than 18 and some as young as 11, found that one in four young people had received sexts, and one in seven reported sending them. 


This is the new back alley rife with predator crime: the internet.

Darren Laur spent 30 years of his life as an inner city policeman. He retired three years ago, got certified in Open Source Intelligence and now specializes in online investigations.

“To date we have saved 186 youth who were considering suicide and self-harm in response to bullying and a full third of these were because of sexting,” says Darren in a voice that marries authority and empathy in equal measure. “We have the resources to do these investigations and put a package together to bring to law enforcement.”

As a policeman he wants to do what he has always done - he wants to put the bad guys away. He also wants to continue the work he did in the inner city - to help people by steering them in the right direction. Through his company - White Hatters - he does outreach for teens. His research shows that 1/4 of teens have sent nudes by the age of 16, and the youngest one was in grade 4. 79% of them were pressured into sending these nudes - often in the context of relationship building.

So, while explaining the dangers of sexting, Darren also recognizes a painful truth: preaching abstinence will only work for some. Just like with sex education with young people, an abstinence-only message is not as useful as giving a more robust message of safe sex and protection. With sexting that is the message he offers. Safe sexting.

If you are going to sext (because young people will), Darren teaches harm reduction. Sexting should be done without your face, or anything that can identify you like tattoos, clothing, background. This way, if it goes public it is not evident it is you and there is deniability. He also teaches how to scrub any metadata that identifies the individual.

Darren explains that safe internet interaction applies to a far wider area than sexting. Those of us on the internet might want to be aware of another internet crime: Phishing. 

This is the use of a phishing link on Twitter, email or texts, where a simple click can open you up to identity theft and fraud. Fraudsters will use social engineering to assess our likes and dislikes and use them to fool us into clicking links.

“According to Symantec’s 2018 Internet Security Threat Report (ISTR), a whopping 54.6% of all email is spam. Even more to the point, their data show that the average user receives 16 malicious spam emails per month”

“There were two bits of very bad news for consumers in the recent annual survey of identity-based fraud. First, there were 16.7 million victims in 2017, easily the most ever, fuelled in part by a series of high-profile data breaches. But even worse, criminals are migrating to more sophisticated, multistep frauds, with the rates of new account fraud and noncredit credit card fraud soaring. Why should you care? Those are the crimes with the most potential to hurt your credit score.”

Darren explains, “We can strengthen internet security, but the weakest link is always the human link.”

Every day, I join many others in clicking sites on searches, opening emails and texts and clicking interesting URLs on Twitter - oh, a cute dog video! Click. Click. 

I agree with Darren. I’m a weak link. Wandering around like Bambi in the wild west of the internet.


I’m grateful that we have Darren Laur and investigators like him to educate us and – if we become a victim of identity theft or a number of other crimes – we have someone to fish us out.

Pun intended.