
18 February 2019

Surviving the Byte of the Cobra, part 2

by Leigh Lundin

The exemPlum doesn’t fall far from the tree…

Yesterday, we discussed password problems. Today, we look at those subversively risky personal questions used to zero in on you and perhaps your wallet.

A fair lot of crap programming comes out of Bangalore, so it’s befitting software designers call this particular law of unintended consequences ‘the cobra effect’.

The Cobra Effect

During British Crown Rule of India, legend says administrators grew concerned about the numbers of vipers infesting Delhi. The colonial governor offered a bounty for every dead cobra brought in. However, the plan’s short-term success was undermined by enterprising locals breeding cobras to collect bounties. The British governor terminated the program. Disappointed cobra farmers subsequently released their breeding serpents into the wild, far worsening the problem… or so the parable goes.

Character Reference

Last week, I needed to register on-line with a county agency. (No, my readers, NOT the Department of Corrections as the snarky amongst you might suspect.)

The first hint of difficulty lay in the most restricted character set to date, merely letters and numbers, no punctuation whatsoever. This thoughtfully provides bad guys huge hints: “Psst. Save time, fellas. Don’t bother testing the lock with those difficult oddball characters.”

The next clue… You know those personal identifying questions in case you forget your password? Questions like naming your favorite cheese or your first juvenile parole officer? These questions mask some of the greatest risks in computerdom. Anyone who knows the least bit about you can guess the answers.

Worse, I’ve encountered sites that provide convenient drop-down menu answers, a selection of eight or so choices. One of the most popular questions with a handy menu is, “What’s your favorite color?”

Presumably this helps the spelling-challenged, but what a gift to bad guys. Immediately black-hat hackers rule out black and white, rarely anyone’s favorites. That leaves six or eight choices, hardly a burden for the least capable password cracker. They need not guess if they notice the blue shirts and blue cell phone cover ordered on Amazon and now appearing in your latest Facebook pose.

Moral: Never answer a question with a menu choice.

[Image: Orange County Registration Questions. Caption: Your Government at Work]

At left, notice the personally identifiable questions from the aforementioned county agency. Anyone with the slightest knowledge about you can guess the answers. Anyone who doesn’t know you can easily google your name, learning where you attended high school, your favorite team, your pets, and your mother’s maiden name.

What can you do about it?

Don’t play the game.

First, of course, avoid Q&A with drop-down menus. That’s a given.

If the web page doesn’t feature drop-down menus, you can answer your favorite color of yellow, orange, or red with “sweet cream banana pie yellow”, “fancy freckle-farm fulvous fantasy,” or “notorious red dye number 2”.

If you know French, Spanish, or Romanian, you might utilize that knowledge, perhaps in combination with the verbose suggestion above. Answer your favorite color as ‘rouge’, ‘rojo’, or ‘roșu’. If you don’t know a foreign language, try Pig Latin, e.g., ‘edray’ or ‘ellowyay’.

But I never could abide by the rules. There’s an easier way than such hard-to-remember replies.

You can boost security if you make your answers – every answer – a non sequitur, a nonsense phrase. Remembering will be easier if you use the same response, such as “None of your damn business.” For example:

[Image © BBB]
Favorite author?
None of your damn business.
Favorite color?
None of your damn business.
Favorite team?
None of your damn business.
Web sites like Apple’s recognize and object when an answer is repeated while populating a questionnaire. One solution is to exactly echo the question with leading or trailing words. For example, “Favorite author?” can be answered with, “My favorite author is none of your damn business,” or more simply, “Stuff my favorite author,” and “Stuff my favorite team,” etc.
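The post describes the problem from the user’s side: an answer picked from an eight-item menu is a secret with eight possible values, and a free-text answer anyone can google is not much better. The site operator can do something about it too. The following is an added example, not code from the post or from any of the sites it mentions; the names SecurityQuestionStore, MENU_ANSWERS, MIN_ANSWER_LEN and MAX_ATTEMPTS are assumptions for this illustration. It treats answers as secrets: it normalizes them so ‘Rouge’, ‘rouge ’ and ‘ROUGE!’ compare equal, refuses answers drawn from a menu-sized guess space at enrollment, stores only salted hashes, and locks the reset flow after a few wrong guesses so that a handful of colors cannot be tried one after another.

```python
"""Server-side handling of security-question answers (added example)."""
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed stand-in for the answers a drop-down menu would offer; a real
# deployment would load a much larger list of common answers.
MENU_ANSWERS = {"black", "white", "red", "blue", "green", "yellow",
                "orange", "purple"}
MIN_ANSWER_LEN = 8      # assumed policy: shorter answers are too easy to guess
MAX_ATTEMPTS = 3        # assumed policy: lock the reset flow after this many misses
PBKDF2_ROUNDS = 100_000


def normalize(answer: str) -> str:
    """Casefold, strip accents, and drop punctuation/whitespace so trivial
    typing differences do not lock the legitimate user out."""
    nfkd = unicodedata.normalize("NFKD", answer)
    no_accents = "".join(c for c in nfkd if not unicodedata.combining(c))
    return re.sub(r"[\W_]+", "", no_accents.casefold())


def is_weak_answer(answer: str) -> bool:
    """True when the answer comes from a tiny candidate set or is too short
    to survive the few guesses a reset form should ever allow."""
    n = normalize(answer)
    return n in MENU_ANSWERS or len(n) < MIN_ANSWER_LEN


def _hash(normalized: str, salt: bytes) -> bytes:
    # Salted, slow hash: a database leak must not hand out the answers.
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, PBKDF2_ROUNDS)


class SecurityQuestionStore:
    """Per-account store of enrolled questions plus a failed-guess counter."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}  # question -> (salt, hash)
        self.failed = 0
        self.locked = False

    def enroll(self, question: str, answer: str) -> None:
        if is_weak_answer(answer):
            raise ValueError(f"answer to {question!r} is too guessable")
        salt = os.urandom(16)
        self._records[question] = (salt, _hash(normalize(answer), salt))

    def verify(self, question: str, answer: str) -> bool:
        """Constant-time comparison; a locked account always fails so the
        remaining guesses cannot be burned through. Unlocking would happen
        out of band (e.g. a verified e-mail link), not through this API."""
        if self.locked:
            return False
        salt, stored = self._records[question]
        ok = hmac.compare_digest(_hash(normalize(answer), salt), stored)
        if ok:
            self.failed = 0
        else:
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:
                self.locked = True
        return ok


if __name__ == "__main__":
    store = SecurityQuestionStore()
    store.enroll("Favorite author?", "Stuff my favorite author")
    print(store.verify("Favorite author?", "stuff my favorite author!"))  # True
    for _ in range(MAX_ATTEMPTS):
        store.verify("Favorite author?", "blue")
    print(store.locked)  # True
```

The enrollment check is the server-side counterpart of the post’s advice: an answer of “blue” is refused outright, while “Stuff my favorite author” passes and is stored as a hash, not as text a support agent or a leaked table can read back.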

Most importantly, choose a method that fits your style, then keep that information to yourself. Not playing by their dictates helps keep your data safer.

Don’t play the game.

Make up your own rules.

Password Security Question

Q. What’s your favorite security question?

A. ______________________________

17 February 2019

Surviving the Byte of the Cobra, part 1

by Leigh Lundin

Shibboleths and Shinola

As you may know, I spent years computer consulting for major corporations. I developed low regard for the so-called security found in many businesses, banks and brokerage houses, and lesser government agencies. Many so-called safety ‘features’ introduce unintended vulnerabilities.

Stick with me today and tomorrow. I’ll show you a method or so to help plug one or two security holes and help protect yourself.

Just Say No

Recently, I found myself unable to create an on-line account with my insurance company. The business published no password restrictions, so I started with something like §103NádražníBeržųStraße – I’m not kidding – I take the security of my most critical sites seriously. The system didn’t accept that, a big clue that password and privacy aren’t a high priority with them. I whittled away diacriticals and then the leading special character §, but still nothing. After reducing it to a plain vanilla password and still getting no access, I contacted customer service, asking how to solve the problem.

Naturally the customer service lady wouldn’t put me in direct touch with IT, the people who should know. She spent roughly 15 minutes piecing together the requirements: no more than ten characters from a measly set of the 62 alphanumeric characters plus underscore and hyphen.

“You’re kidding,” I said.

“What do you mean?”

“Those are the weakest password requirements I’ve come across in a long time.”

“Oh no, sir. We’ve never been hacked, so we’re very pleased.”

“You mean you haven’t drawn the attention of hackers.” The more restrictions placed on passwords, the easier for miscreants to breach the walls.

I could feel her bristle through the phone line. “Our staff understands our needs very well, I’m sure.”

Uh-huh, I thought dryly. They could withstand a concerted attack for, well, hundreds of seconds.

The only safe solution was not to use their on-line ‘service’ at all. In the future, what little information I might need will come by telephone and US mail.

It’s 1980, No Pasting Allowed

Ever encounter a web site that won’t allow you to paste in your password? Sure you have, and it’s frustrating as hell. Worse, it adds vulnerabilities rather than resolves them.

Years ago, some misguided ‘expert’ decided password paste prevention sounded pretty cool, and lo, he advised others about his really cool hypothesis. It turned out wrong, dead wrong.

Preventing pasting discourages visitors from using long, complex passwords, prevents utilizing password managers, and makes it easy for cracking hardware and software ‘keyloggers’ to monitor what you type in. Even the task group within NIST, the US National Institute of Standards and Technology, advises against disabling password pasting.

Clearly a number of corporations didn’t get the memo. What can a trapped user do? A few suggestions come to mind.

The web page may disable the paste keyboard shortcut but not the menu paste entry. This occurs often enough that it’s worth trying first.

A second possibility is to temporarily disable JavaScript. After you’ve done it a couple of times, it doesn’t take long, certainly less time than blindly typing in a long string. Simply bring up the web page. When you reach the field that won’t let you paste, disable JavaScript by opening Preferences and clicking Disable JavaScript in the Security or Privacy tab, paste your password, and immediately re-engage JavaScript. (Note: This doesn’t work with Firefox, which won’t let users disable JavaScript.)

If that fails, try to resist using a short and simple password, one reason why this disagreeable ‘feature’ is so dangerous.

When It’s All About Length

I came across a bug in a popular web site. The registration web page happily accepted my lengthy password, but would not allow me to sign on.

I learned the site used an unadvertised maximum limit of 20 characters. Further investigation showed it neither rejected nor warned about over-long passwords: the registration page stored a function of the first 20 characters, no matter how many were entered. The sign-on page likewise applied no limit, but simply compared the function of the full entered value with the stored value, resulting in a mismatch.

In other words, I tried to register AbCdEfGhIjKlMnOpQrStUvWxYz, but the program stored AbCdEfGhIjKlMnOpQrSt. When I tried to sign on, the page compared the stored AbCdEfGhIjKlMnOpQrSt with the sign-on value of AbCdEfGhIjKlMnOpQrStUvWxYz and failed, a stupid programming error. (Engineers will note I’m grossly simplifying a hash encryption function.) Bad, bad program design.

[Image © BBB]
Mine’s Smaller Than Yours

A web site’s failure to validate the length of a password allowed me to pull off a silly little trick of questionable value. In the early days of the Web before it came under attack by Russian crackers and North Korean ransomware, I’d registered at a particular web site with a short password.

Years later, alarmed at attacks occurring worldwide, the site instituted stricter registration policies, including using lengthy password minimums double the length of mine. They validated new password lengths at registration, but not during sign-on.

The site wasn’t critical for me, which led to an idiosyncratic decision to keep my old, deprecated password. A brute-force attacker would likely note updated site rules that passwords must run at least twelve characters in length. If so, my dinky little password ought to sail under their radar. (And if not, I could live without the site.)

Tomorrow… Cobras and those pesky and perilous personal mystery questions.