Showing posts with label Internet security. Show all posts

17 February 2019

Surviving the Byte of the Cobra, part 1

by Leigh Lundin

Shibboleths and Shinola

As you may know, I spent years computer consulting for major corporations. I developed low regard for the so-called security found in many businesses, banks and brokerage houses, and lesser government agencies. Many so-called safety ‘features’ contrarily introduce unintended vulnerabilities.

Stick with me today and tomorrow. I’ll show you a method or so to help plug one or two security holes and help protect yourself.

Just Say No

Recently, I found myself unable to create an on-line account with my insurance company. The business published no password restrictions, so I started with something like §103NádražníBeržųStraße – I’m not kidding – I take the security of my most critical sites seriously. The system didn’t accept that, a big clue that password and privacy isn’t a high priority with them. I whittled away diacriticals and then the leading special character §, but still nothing. After reduction to a plain vanilla password, and still no access, I contacted customer service, asking how to solve the problem.

Naturally the customer service lady wouldn’t put me in direct touch with IT, the people who should know. She spent roughly 15 minutes piecing together the requirements: no more than ten characters from a measly set of the 62 alphanumeric characters plus underscore and hyphen.
“You’re kidding,” I said.

“What do you mean?”

“Those are the weakest password requirements I’ve come across in a long time.”

“Oh no, sir. We’ve never been hacked, so we’re very pleased.”

“You mean you haven’t drawn the attention of hackers.” The more restrictions placed on passwords, the easier for miscreants to breach the walls.

I could feel her bristle through the phone line. “Our staff understands our needs very well, I’m sure.”

Uh-huh, I thought dryly. They could withstand a concerted attack for, well, hundreds of seconds.
The only safe solution was not to use their on-line ‘service’ at all. In the future, what little information I might need will come by telephone and US mail.

It’s 1980, No Pasting Allowed

Ever encounter a web site that won’t allow you to paste in your password? Sure you have, and it’s frustrating as hell. Worse, it adds vulnerabilities rather than resolves them.

Years ago, some misguided ‘expert’ decided password paste prevention sounded pretty cool, and lo, he advised others about his really cool hypothesis. It turned out wrong, dead wrong.

Preventing pasting discourages visitors from using long, complex passwords, prevents the use of password managers, and makes it easier for hardware and software ‘keyloggers’ to monitor what you type in. Even the task group within NIST, the US National Institute of Standards and Technology, advises against disabling password pasting.

Clearly a number of corporations didn’t get the memo. What can a trapped user do? A few suggestions come to mind.

The web page may disable the paste keyboard shortcut but not the menu’s Paste entry. This occurs often enough that it’s worth trying first.

A second possibility is to temporarily disable JavaScript. After doing it a couple of times, it doesn’t take long, certainly less time than blindly typing in a long string. Simply bring up the web page. When you reach the field that won’t let you paste, disable JavaScript by opening Preferences and clicking Disable JavaScript in the Security or Privacy tab, paste your password, and immediately re-engage JavaScript. (Note: This doesn’t work with Firefox, which won’t let users disable JavaScript.)

If that fails, try to resist using a short and simple password, one reason why this disagreeable ‘feature’ is so dangerous.

When It’s All About Length

I came across a bug in a popular web site. The registration web page happily accepted my lengthy password, but would not allow me to sign on.

I learned the site used an unadvertised maximum limit of 20 characters. Further investigation showed it didn’t limit or validate the length of the password string. The registration page stored a function of the first 20 characters, no matter how many were entered. The sign-on page also didn’t check the limit of characters, but simply compared its value with the stored value, resulting in a mismatch.

In other words, I tried to register AbCdEfGhIjKlMnOpQrStUvWxYz, but the program stored AbCdEfGhIjKlMnOpQrSt. When I tried to sign on, the page compared the stored AbCdEfGhIjKlMnOpQrSt with the sign-on value of AbCdEfGhIjKlMnOpQrStUvWxYz and failed, a stupid programming error. (Engineers will note I’m grossly simplifying a hash encryption function.) Bad, bad program design.

Mine’s Smaller Than Yours

A web site’s failure to validate the length of a password allowed me to pull off a silly little trick of questionable value. In the early days of the Web before it came under attack by Russian crackers and North Korean ransomware, I’d registered at a particular web site with a short password.

Years later, alarmed at attacks occurring worldwide, the site instituted stricter registration policies, including a minimum password length double that of mine. They validated new password lengths at registration, but not during sign-on.

The site wasn’t critical for me, which led to an idiosyncratic decision to keep my old, deprecated password. A brute-force attacker would likely note the updated site rules that passwords must run at least twelve characters in length. If so, my dinky little password ought to sail under their radar. (And if not, I could live without the site.)
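Both of the last two sections describe the same class of defect: the registration page and the sign-on page apply different rules to the same password. The following Python is an added example, not code from the original post or from any site it describes. It reconstructs both behaviours (the silent 20-character truncation at registration only, and the minimum length checked at registration only) and sets a hardened version beside them in which one policy function is applied identically at both points. The site classes, the 20-character cap, the twelve-character minimum and the sample usernames are constructed for the illustration; the hashing is salted PBKDF2, chosen here because it does not truncate its input.

```python
"""
Constructed demonstration of a registration page and a sign-on page that
disagree about a password, and of a version where they agree.

LegacySite reproduces the two bugs from the post:
  1. registration hashes only the first 20 characters, sign-on hashes the
     full string, so a long password registers fine but can never sign on;
  2. the twelve-character minimum is enforced at registration only, so an
     account created before the rule keeps its short password indefinitely.
HardenedSite hashes the full string and runs the same policy check on both
pages; a stored password that no longer passes policy is flagged at sign-on
so the site can force a change instead of silently accepting it forever.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

MAX_LEN_LEGACY = 20        # the undocumented cap the post ran into (constructed)
MIN_LEN = 12               # the post's "at least twelve characters" rule
MAX_LEN_STATED = 1024      # a generous, openly documented upper bound (constructed)
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the whole password; no silent truncation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def check_policy(password: str) -> Optional[str]:
    """Return a reason when the password violates policy, else None."""
    if len(password) < MIN_LEN:
        return "too short"
    if len(password.encode("utf-8")) > MAX_LEN_STATED:
        return "too long"
    return None


class _SiteBase:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}

    def seed_legacy_account(self, username: str, password: str) -> None:
        """Simulate an account created before any length rules existed."""
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))


class LegacySite(_SiteBase):
    """Registration truncates and checks policy; sign-on does neither."""

    def register(self, username: str, password: str) -> bool:
        if len(password) < MIN_LEN:                      # checked here only
            return False
        salt = os.urandom(16)
        stored = hash_password(password[:MAX_LEN_LEGACY], salt)   # the defect
        self.users[username] = (salt, stored)
        return True

    def sign_on(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt, stored = self.users[username]
        # Full string hashed here, so a registered 26-character password fails.
        return hmac.compare_digest(stored, hash_password(password, salt))


class HardenedSite(_SiteBase):
    """One policy function, applied the same way at registration and sign-on."""

    def register(self, username: str, password: str) -> Tuple[bool, Optional[str]]:
        problem = check_policy(password)
        if problem is not None:
            return False, problem
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))  # whole string
        return True, None

    def sign_on(self, username: str, password: str) -> Tuple[bool, bool]:
        """Returns (authenticated, must_change_password)."""
        if username not in self.users:
            hash_password(password, bytes(16))   # spend the same time for unknown users
            return False, False
        salt, stored = self.users[username]
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return False, False
        # The stored password may predate the current rule: accept it once,
        # but report that it must be replaced rather than ignoring the policy.
        return True, check_policy(password) is not None


if __name__ == "__main__":
    legacy = LegacySite()
    legacy.register("leigh", "AbCdEfGhIjKlMnOpQrStUvWxYz")
    print("legacy sign-on with full password:", legacy.sign_on("leigh", "AbCdEfGhIjKlMnOpQrStUvWxYz"))
    hardened = HardenedSite()
    hardened.seed_legacy_account("old", "short1")
    print("hardened sign-on with pre-policy password:", hardened.sign_on("old", "short1"))
```

The upper bound is stated in the policy and enforced the same way on both pages rather than applied silently to one of them; that is what turns the post’s mystery lockout into an ordinary, explainable validation error. Note that some password hashes (bcrypt, for one) do truncate long inputs, so any cap a hash imposes must also appear in the policy check.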

Tomorrow… Cobras and those pesky and perilous personal mystery questions.

10 February 2019

The New Playground of Criminals: Sexting and Phishing.

by Mary Fernando


Amanda Todd was in grade seven when an online stranger convinced her to expose her breasts. Then he attempted to blackmail her, saying he would send Amanda’s naked image to family and friends if she didn't provide him with more nudes. She refused. He sent out her nudes and, from that point on, she was ridiculed and bullied.

After making a heartbreaking video, Amanda took her own life at fifteen.

Research looking at 110,000 children, all younger than 18 and some as young as 11, found that one in four young people had received sexts, and one in seven reported sending them. 


This is the new back alley rife with predator crime: the internet.

Darren Laur spent 30 years of his life as an inner city policeman. He retired three years ago, got certified in Open Source Intelligence and now specializes in online investigations.

“To date we have saved 186 youth who were considering suicide and self-harm in response to bullying and a full third of these were because of sexting,” says Darren in a voice that marries authority and empathy in equal measure. “We have the resources to do these investigations and put a package together to bring to law enforcement.”



As a policeman he wants to do what he has always done - he wants to put the bad guys away. He also wants to continue the work he did in the inner city - to help people by steering them in the right direction. Through his company - White Hatters - he does outreach for teens. His research shows that 1/4 of teens have sent nudes by the age of 16, and the youngest one was in grade 4. 79% of them were pressured into sending these nudes - often in the context of relationship building.

So, while explaining the dangers of sexting, Darren also recognizes a painful truth: preaching abstinence will only work for some. Just like with sex education with young people, an abstinence-only message is not as useful as giving a more robust message of safe sex and protection. With sexting that is the message he offers. Safe sexting.

If you are going to sext – because young people will – Darren teaches harm reduction. Sexting should be done without your face, or anything that can identify you like tattoos, clothing, background. This way, if it goes public it is not evident it is you and there is deniability. He also teaches how to scrub any metadata that identifies the individual.


Darren explains that safe internet interaction applies to a far wider area than sexting. Those of us on the internet might want to be aware of another internet crime: Phishing. 

This is the use of a phishing link on Twitter, email or texts, where a simple click can open you up to identity theft and fraud. Fraudsters will use social engineering to assess our likes and dislikes and use them to fool us into clicking links.

“According to Symantec’s 2018 Internet Security Threat Report (ISTR), a whopping 54.6% of all email is spam. Even more to the point, their data show that the average user receives 16 malicious spam emails per month”

“There were two bits of very bad news for consumers in the recent annual survey of identity-based fraud. First, there were 16.7 million victims in 2017, easily the most ever, fuelled in part by a series of high-profile data breaches. But even worse, criminals are migrating to more sophisticated, multistep frauds, with the rates of new account fraud and noncredit credit card fraud soaring. Why should you care? Those are the crimes with the most potential to hurt your credit score.”



Darren explains, “We can strengthen internet security, but the weakest link is always the human link.”

Every day, I join many others in clicking sites on searches, opening emails and texts and clicking interesting URLs on Twitter - oh, a cute dog video! Click. Click. 

I agree with Darren. I’m a weak link. Wandering around like Bambi in the wild west of the internet.



I’m grateful that we have Darren Laur and investigators like him to educate us and – if we become a victim of identity theft or a number of other crimes – we have someone to fish us out.

Pun intended.