Category Archives: (in)security

Security done right

Just got a message from LivingSocial.

LivingSocial

The bad news is that somebody apparently hacked into their server and got their hands on names, e-mail addresses and passwords.

The good news is that the passwords were salted and hashed.

I’m not worried.

And even if I were, the password they stole is quasi-random and never used anywhere else.

Nicely done, chaps!


Shame on you, Microsoft

Or: No, Microsoft, you’re not FaceBook

This post started as a rant at Microsoft. Last patch Tuesday, one of my machines auto-patched and auto-rebooted, causing data loss and corrupted files. However, the damage was minimal, and I got over it. Since then, however, something quite worrying has happened.

I have an old Hotmail address that I occasionally check; I used it before I moved to GMail, which is superior in every way, some years ago. I use the Android Hotmail app to access it from my phone. Some time within the past few days it auto-updated, and when I ran it this morning, it instructed me to “upgrade” to the Outlook.Com app.

Brain Dead Hotmail

Hotmail no workie no mo!

So… I installed the new shiny Outlook app. Surprisingly, the new app did not remember my login credentials. That is because it is not an “upgrade” at all – it is a completely different app – and the old, now-useless and completely brain-dead Hotmail app was left in place.

When I entered my credentials, it took me to another screen where it asked for permission to access my data.

Outlook wants Permissions

Wow… that’s asking for a lot of personal information: mail, contacts, calendar, tasks, e-mail addresses, gender, picture, contacts, friends…

But I don’t want another FaceBook clone, just an e-mail client, so naturally I said “No”. And then…

Authentication Failed

You! Cannot! Pass!

I checked the password. It was OK. Note that this request for information is in the app itself, NOT in the Play store. And before you ask, yes, you can “change these settings at any time”, but any app that is given access to your phone’s information can scarf all the data it wants in half a second, so changing permissions later would be like locking the barn door after the horse had bolted and was merrily cavorting in the next county.

This looks like Microsoft is trying to scarf my personal data by stealth, without going through the Google Permission screens. If so, they should be soundly spanked in public for this. How can you tell? Simple. If Microsoft are not trying to… er… “borrow” your data, they will fix this so the app can be used without those “permissions”. If they don’t, just like Verizon’s broken-for-eight-months-with-no-fix-in-sight data-usage widget, we will know precisely where they stand.

Until then… Shame on you, Microsoft.

Big Red goes South

My story begins about seven years ago. I was sick and tired of Sprint. Six months in a row they had gotten the billing wrong. Naturally, they claimed that this was just a sequence of random errors, but if that were the case, at least one of them would’ve been in my favor. Unsurprisingly, that was not the case; all were in their favor – a one in sixty-four probability.

So we left and moved to Verizon. The first month, they overcharged me by $10. When I called them on this, they double-refunded me. Impressive. There were no more mistakes. For many years, I was happy with them. Although they had the crappiest selection of phones, they had the best coverage – I have done a thousand-mile road trip with no loss of connectivity (besides one brief outage in the Smoky Mountains in Tennessee, which is understandable), and their Customer Service was very good – and there are the good folks in the Verizon Stores that have sprung up over the last few years.

Recently, however, I have noticed an encroaching tide of evil coming from Big Red.

  • First they got rid of “New Every Two”, the program that gave you a new phone free every two years with a two-year contract extension. Instead, they offered a $50 discount off the cost of a new phone after 20 months… but if you drifted out of contract and kept waiting they would send you additional discounts to get you to commit to a contract.
  • Then they started charging “upgrade” and “activation” fees. This would be reasonable if you took your new phone into one of their stores and had them connect it for you, but charging you for work you do yourself is ridiculous. If you ask them persistently but nicely, they would waive the fees, a process that involved a manual account credit, which meant more work for them. Their “everybody’s-doing-it” rationale was specious at best – you want to be doing better than the competition, not continually coming down to their level.
  • Complex bills – Every time they change the bill layout it gets harder to understand.
  • Belated refunds. If you find an error in your bill, they will happily refund your account… but not until “the next billing cycle”.
  • They declared war on “Unlimited Data”. During the first half of 2011, they were offering a $30 unlimited data deal to all new smartphone customers. This was presumably designed to woo iPhone business away from AT&T, who were offering a similar deal at the time. But having persuaded them to switch, it seemed like they were hell-bent on getting rid of them. Last July, they discontinued the deal – which is reasonable. They said that existing customers were grandfathered in – which is also reasonable. Then they changed the definition of “Grandfathered” – which is not reasonable. Until this point, the deal that they and every other cellco was offering was a cheap or free phone in return for a two-year commitment. That was a reasonable trade-off; one which we have all come to accept as normal over the years. What they did was to give their faithful users the choice between keeping their Unlimited Data Package or getting a Cheap phone. I upgraded my phone just before the new rules came into effect; it will most likely be the last “subsidized” phone I ever get from Verizon.
  • They then introduced “Share Everything” plans that may work out cheaper if you have four or more phones, but if you have only one phone it is the most expensive data plan around ($50 for the first 2GB). Old customers keep their plans (for now) but new customers are stuck with the Share Everything plan.
  • While they were doing this, the “My Verizon” widget on their Android phones “broke” – it no longer updated automatically – so now you have to run the app every time you want to update your data usage. It is almost like they want you to blow through your data allocation by accident – but they wouldn’t do that deliberately, would they?
  • Judge for yourself: Six months later, it still hasn’t been fixed.
  • They have the distinction of being the only phone company in the world that sells a Samsung Galaxy SIII with a locked bootloader – a “feature” that prevents users from easily flashing their phones with Custom Software. When phones are unlocked, users win. Anyone else can do this – but not Verizon’s Customers. They then tried to blame Samsung – a claim that makes no sense, given that no one else has a locked bootloader.
  • Fortunately, some very smart people figured out how to unlock the bootloader (this is nothing new – they did the same thing with my previous phone – the Droid X2, a wonderful phone, hampered by Verizon’s “Lock-’em-all-down” policy). Of course, they made vague promises that an unlocked bootloader would be made available one day… but it never happened.
  • They have also done everything in their power to make it difficult for their users to “Root” their phones, which makes it possible to do many cool things, including backing up their phones and removing the odious pile of crapware that they shovel onto every phone before they roll it out the door. And every update they bring out for the Galaxy SIII breaks root. They call it “Security”. I call shenanigans – all they have to do is ask the user “Did you root your phone?” when updating and if so, leave it there, but they are not interested in doing what the customer wants – they are interested in doing what is profitable.

This stuff does not affect most of Verizon’s customers – well over 99% of cellphone users neither know nor care about Rooting or Bootloaders. What they have done is annoy a very tiny percentage of their user base – those few who understand technology and know what they want. That is not a demographic that any technology-based company should want to make enemies of.

Their “Better Customer Experience” excuse is, to put it bluntly, a steaming pile of poo. This is about control… and I don’t like it.

I am still with them, for now. Once my contract ends or they take away my Unlimited Data, I will take my business elsewhere. I don’t change horses easily, but when I do, I don’t easily go back to the old one; I left Sprint seven years ago, AT&T nearly a decade ago. I still haven’t gone back.

I am not the only one – I know of friends and relatives who are abandoning Verizon like the proverbial rats leaving a sinking ship. Many are reporting getting better service and paying less. A single 4G-smartphone on Virgin Mobile costs $55/month. No Contract, no commitment, no lock-in. A single 4G smartphone on Verizon costs $40 for the phone service and $60 for 2GB of Data. That’s $100/month – for Two. Measly. Gigabytes.

No thanks.

Yes, Verizon has the best, fastest network out there. But the others are catching up, and as customers realize that there are better options out there they will vote with their dollars and their feet.

There will be a day of reckoning for Verizon Wireless, and when the smoke has cleared, their massively overpaid corporate officers will shrug their shoulders and say that they didn’t see this coming.

At least, Dear Reader, you will.

eBay/Paypal is at it again

I found this in my mailbox yesterday afternoon.

Yes, it’s a real card. No, I didn’t ask for or sign up for it. I have seen ads for it on PayPal’s website, but did not want one, so I ignored it. Apparently they don’t take “no” for an answer, and decided that I needed one whether I wanted it or not.

This is truly evil, and here’s the main reason why.

That’s right – if you activate the card, you set yourself up for nearly $60 per year in charges and fees before you have even used the card… all for the privilege of being able to spend your own money. I have two bank debit cards, and neither one costs me a penny – if they did, I would drop ’em like a hot brick.

eBay is a de facto monopoly on the web, and PayPal is a de jure monopoly on eBay – they no longer allow other methods of payment. And their behavior stinks. For instance, as a seller, you are required to link your PayPal account to a real-world bank account. In the event of a dispute, PayPal can lock the linked bank account for up to six months without warning or explanation. They can also reverse transactions. This is the main reason that I stopped selling things on eBay and closed my eBay seller account.

PayPal is not a bank. And they like it that way. There are several reasons/excuses for this:

  • PayPal does not “move money around”
  • PayPal does not engage in fractional reserve banking.
  • “PayPal doesn’t have a charter, thus it is not a bank”, says the FDIC
  • “PayPal does not physically handle or hold funds placed into the PayPal service”. (er… neither do my accounts with ING direct or Perkstreet Financial – and they are both banks).

I don’t know whether or not PayPal is technically a bank. Maybe they are, maybe they are not. But there are few businesses in the world in more dire need of oversight and regulation than eBay/PayPal.

If you are as outraged about this as I am, feel free to leave a comment – and write to your Congressman.

DNS Changer explained

Once upon a time…

About a year ago, a piece of malware was released. One of the things that this did was to change your computer’s DNS settings.

All computers on the Internet have a numeric address (known as an IP address). But humans are not good at remembering numbers, so the DNS system was designed to convert human-readable names (like “www.google.com”) into the number that your computer can understand. This is done by a dedicated computer called a DNS server. Your computer’s DNS server is usually provided by your ISP. Actually, there are two – a primary and a secondary DNS server, just in case. Think of a DNS server as a giant phone-book. You can change it if you wish, and that is what this malware did.

Why would it do this? One reason might be to send you to “drive-by download” sites that try to load more malware onto your computer. Another would be to misdirect you to bogus sites that pretend to be your bank, steal your passwords and empty your account. But in and of itself, DNS Changer does not do any major harm.
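Since the whole trick described above is a quietly rewritten resolver setting, the practical check is to compare the DNS servers a machine is actually configured with against the ones you expect (your ISP’s primary and secondary). The following is an added example, not code from the post or from any anti-malware product: it parses the two common places those settings show up (a Linux resolv.conf and the “DNS Servers” lines of Windows `ipconfig /all` output) and flags anything that is not on your expected list. The sample inputs and the “expected” addresses are constructed placeholders from the TEST-NET documentation ranges; substitute your own ISP’s resolvers.

```python
import ipaddress
import re

# Constructed placeholder: the two resolvers your ISP actually gave you.
# (TEST-NET-2 addresses; replace with the real ones for your connection.)
EXPECTED_RESOLVERS = ["198.51.100.1", "198.51.100.2"]

# Constructed sample: a Linux resolv.conf whose primary has been swapped.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.example
nameserver 203.0.113.10
nameserver 198.51.100.2
"""

# Constructed sample: the DNS portion of Windows 'ipconfig /all' output,
# which lists the first server on the field line and the rest indented below.
SAMPLE_IPCONFIG = """\
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       198.51.100.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_resolv_conf(text: str) -> list[str]:
    """Return the 'nameserver' entries of a resolv.conf, in order, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # strip trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text: str) -> list[str]:
    """Return the DNS servers from 'ipconfig /all' text.

    The first address sits on the 'DNS Servers . . . : x' line; further
    addresses appear on following lines that contain nothing but the address.
    Any line with several tokens is the next field and ends the list."""
    servers = []
    collecting = False
    for line in text.splitlines():
        field = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)\s*$", line)
        if field:
            servers.append(field.group(1))
            collecting = True
            continue
        if collecting:
            cont = re.match(r"^\s+(\S+)\s*$", line)   # single indented token
            if cont:
                servers.append(cont.group(1))
            else:
                collecting = False
    return servers


def find_unexpected(configured: list[str], expected: list[str]) -> list[str]:
    """Return configured resolvers that are not in the expected list.

    Entries that are not even valid IP addresses are flagged too: a resolver
    setting that fails to parse is worth a look in its own right."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    flagged = []
    for server in configured:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)
            continue
        if addr not in allowed:
            flagged.append(server)
    return flagged


if __name__ == "__main__":
    for label, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                           ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        bad = find_unexpected(servers, EXPECTED_RESOLVERS)
        print(f"{label}: configured={servers} unexpected={bad}")
```

On a real machine you would feed `parse_resolv_conf` the contents of `/etc/resolv.conf`, or `parse_ipconfig` the captured output of `ipconfig /all`, and treat a non-empty result as a reason to look at how the setting got there.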

What the media failed to tell people is that most anti-malware programs have been able to detect and remove this malware for many months.

Anyway, the FBI was able to catch the folks behind this and roll up their operation. They were also able to get hold of the DNS servers. But simply pulling the plug would have left those with infected computers without internet, as they would have been looking for servers that weren’t there. So instead they decided to take the most painless option – they turned these “evil” DNS servers into “good” ones.

They needed a court order to do this, and the court order ran out last Monday. They had to shut the machines down. That’s a little different than the “your internet access can be turned off on Monday by the government!!!” crap that is being circulated by the Newsies.

In spite of the screaming hysteria from the Media, very few people have been affected. Some 277,000 computers worldwide are still infected, including a trifling 64,000 in the US. “DNS Changer is last year’s malware… Only about 0.01% of Internet users are affected by it.”

The moral of this story? Don’t take tech advice from talking heads on TV.

Hobson’s Choice

I recently tried to send some money overseas through Western Union. I went to their website and put in all the requisite information, including my Credit Card information. At the end of the process, almost as an afterthought, I was presented with this dialog.

That’s right, folks… MasterCard wants to improve my security. This is a good thing. Visa have a similar feature – “Verified by Visa” – which I have been offered several times in the past and politely refused on every occasion. Unlike them, however, MasterCard would not take “no” for an answer – there was no way to decline this “feature” and still continue to execute the transaction.

Security is a good thing – I am all about security – but issuing me with yet another PIN that I have to remember is not security. Most people will probably write it down, and some will probably write it on the back of the card, which nullifies the security in the first place. On an infected computer, the PIN can be sniffed or keylogged, and be on the other side of the world before the customer has lifted their finger from the mouse button.

If MasterCard were really serious about security, they could have a person or a machine call or text the customer on their cellphone. This could be inconvenient, but I would rather have real security, even if it meant a little inconvenience. Or they could use a hardware key like the Yubikey. But that kind of solution costs money (about $5 per key, when purchased in thousand-up quantities), which makes it unacceptable to the banks.

Some of you may remember when Bank of America offered Credit Cards with the customer’s picture printed on the card. Now that was good security, at least for retail transactions – a quick glance was enough to see that the person was at least superficially similar to the picture. But they don’t make them like that any more. Why not? Because of two small problems: the first was that many cashiers simply did not look at the card, but that could be cured with training and penalties.

The main reason was that the pittance that it cost to put pictures on cards added up to many millions of dollars. Since neither the customer nor the bank was on the hook for fraudulent transactions, this was a cost that the bank was unwilling to bear. So rather than bear the cost of security, they scrapped it to save a dollar and a half per card… and offloaded the cost of the fraud on to the merchants. Problem solved.

And there, as Jack Sparrow might say, is the rub; the only security that is acceptable to the bank is cheap security. And yet another PIN for you to remember is cheap security indeed.

So what did I do? I closed the browser and, after verifying with Western Union that no transaction had occurred, I installed their app on my smartphone. Ten minutes later, the money was on its way, paid from the same card. Quickly, conveniently, and without the usual kerfuffle or flummery from MasterCard.

Cos that, dear reader, is how we roll…

The LastPass Breach, and why I’m not worried about it

Years ago, when the net was young, I, like many others, used one password for everywhere I went.

Before long, I realized that this was not a good plan, so I went to Plan B: a handful of passwords; one for “Important” sites (i.e., where money is involved), a second one for less important sites (such as shopping and utility-billing sites), and… a third password for anything else.

The problem with this approach is that if ONE of your “Important” sites is breached, and they try your password on a bunch of banks… there goes your life savings.

I needed a better approach, and I found it… in LastPass.

I was first exposed to LastPass in Episode 256 of the Security Now Podcast, hosted by Leo Laporte and Steve Gibson. Steve loved it, and after trying it out, so did I.

That was almost a year ago. I had been toying with the idea of writing a piece on how good LastPass is, but something more interesting happened.

LastPass got breached

And I am OK with that. Here’s why:

  1. The breach was a relatively minor one — LastPass noticed some anomalous traffic — “we saw a network traffic anomaly for a few minutes from one of our non-critical machines” — and investigated. They went public in short order (unlike, for instance, Sony, who shut down a compromised network for a week before telling us why). They “also know that the amount of data taken isn’t remotely enough to have pulled many users’ encrypted data blobs” — the amount of “leaked” data corresponds to the encrypted information for a few hundred users. The chances that my data was part of that leak were therefore quite low.
  2. I use a strong master password, containing all four classes of character (upper, lower, numbers, special characters). This would make a brute-force attack very difficult.
  3. LastPass has gone to great pains to point out that no plain-text data is stored. Everything that is stored on their servers is encrypted. In fact, NOTHING unencrypted leaves your machine.

LastPass’ responses were laudable. They informed people early on — if anything they overreacted. They required verification if users were logging in from “unexpected” IP addresses. They encouraged people to change their passwords.

Some users were inconvenienced, claiming that they were locked out of LastPass as a result of a password change that went wrong, or being unable to get into their e-mail because the email password was stored in… LastPass.

There are two solutions to this: First, regularly take an encrypted backup of the password database and keep it on a flash drive with a copy of the “LastPass Pocket” program (this allows you to get to your passwords when you have no Internet connection). Secondly, NEVER store the password to your master e-mail address (the one LastPass uses as your username) in LastPass. If something goes wrong with LastPass, you will need to get into this e-mail.

The press have had a field day with this one, and like newsies everywhere they have overplayed the sensationalism and underplayed the facts.

But the security-conscious will still worry, and rightly so. So what are you worrying about? For me, the worst-case scenario is that they have gotten my entire blob and hammer it offline until they figure out the username and password.

LastPass’ advice — change your Master Password — is certainly good advice, but it does not help in this situation; if they have decrypted the blob, they now have all of the passwords for every site without having to go to LastPass.com. Here’s what I recommend:

  1. Use LastPass to generate new passwords for those sites that involve money (Financial Institutions and Web shopping sites that store payment info, such as Amazon). I use PayPal to purchase stuff online wherever possible. This took me less than an hour, and means that the important passwords in the stolen blob are now useless. Most other sites aren’t that critical — if someone wants to go online as me and pay my bills, I say let ’em.
  2. Use two-factor authentication for all non-trusted machines. LastPass supports two types: Grid (free) or Yubikey, that will make it impossible to get in using a non-trusted machine without an extra piece of information or hardware that the bad guys simply will not have. I use a Yubikey, which costs $25 to buy, and requires LastPass premium, which costs $12/year. Well worth it, in my opinion.

Bottom line: LastPass Passes, Sony Fails

Stupid as well as evil

My antipathy towards Sony is well documented, and should come as no great surprise to regular readers of this blog.

My experience with their customer service was less than salutary. I ordered a $20 item online that was mis-priced at 1c. That they canceled the order doesn’t bother or surprise me, but they did so without taking the trouble to notify me, and they gave me the Customer service run-around for three months before finally coming out and telling me that they had no intention of honoring the price. They were willing to lose a customer for life over twenty dollars.

But that’s not all. Their hardware has a tendency to sport expensive proprietary interfaces that ignore established standards — insisting on Memory Stick while the rest of the world was happily using SD, for example.

In the past they have surreptitiously installed rootkits on their customers’ computers, removal of which could render the computer unbootable. That’s right; they believe that their right to fry your computer in order to protect their “content” is more important than your right to a working computer.

They have also paid graffiti artists to create fake graffiti of kids on skateboards playing with PSPs. Graffiti that municipalities had to remove at the taxpayers’ expense.

Having established that Sony is Evil, it is now time to move onto the stupid part.

I got a chuckle when I heard that the PlayStation Network was hacked, and the miscreants gained access to names, e-mail addresses and passwords — and potentially credit-card details as well — for up to 75 million users.

The reason that this is particularly egregious is that the passwords were apparently stored as plain-text. In web security circles, this is a HUGE no-no. In the real world, passwords are put through a one-way function, and the resulting “hash” is stored. That is how, for instance, Windows stores its passwords. A small-scale web application that I built went from plain-text passwords to hashes five years ago.
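The two storage schemes this archive contrasts (the plain-text passwords Sony is reported to have kept, and the salted-and-hashed passwords in the LivingSocial notice at the top of the page) are easy to put side by side. The code below is an added example, not from the post or from either company: it shows the plain-text record, an unsalted hash (better, but two users with the same password get the same hash, so one precomputed lookup breaks both), and a salted slow hash with constant-time verification. The choice of PBKDF2-HMAC-SHA256 with 100,000 iterations and the `pbkdf2_sha256$iterations$salt$hash` record layout are my assumptions, not anything the page specifies.

```python
import hashlib
import hmac
import os

# Assumed work factor (not from the post): raise it as hardware gets faster.
ITERATIONS = 100_000


def plaintext_record(username: str, password: str) -> str:
    """The scheme the post attributes to Sony: the password stored as-is.
    Whoever copies the table has every password with no further work."""
    return f"{username}:{password}"


def unsalted_sha256(password: str) -> str:
    """One-way, but unsalted: identical passwords produce identical hashes,
    so a single precomputed table of common passwords cracks every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """The scheme the post credits LivingSocial with: a fresh random salt per
    password, run through a deliberately slow one-way function.
    Returns a self-describing record: 'pbkdf2_sha256$<iterations>$<salt>$<hash>'."""
    salt = os.urandom(16)                                  # 128-bit random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then
    compare in constant time so a timing difference cannot leak the prefix."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False                                       # malformed record
    if algo != "pbkdf2_sha256" or rounds <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    users = {"alice": "correct horse", "bob": "correct horse"}
    for name, pw in users.items():
        print("plaintext :", plaintext_record(name, pw))        # password visible
        print("unsalted  :", unsalted_sha256(pw))              # same for both users
        print("salted    :", hash_password(pw))                # differs per user
    rec = hash_password(users["alice"])
    print("verify right:", verify_password(rec, "correct horse"))
    print("verify wrong:", verify_password(rec, "Correct horse"))
```

The point the verification function makes is that the salt does not need to be secret; it only needs to be different for every record, which is what turns one attacker table into one table per user.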

Sony will probably try to downplay this; to tell you that everything’s fine — to admit otherwise would be to open themselves to huge lawsuits. But I can think of at least two significant problems.

  1. Millions of Credit Cards on the loose — nuff said.
  2. Millions of e-mail address/password combinations. Let’s try those on the world’s major banks, shall we? Given the average user’s tendency to re-use the same password everywhere, there are bound to be a few (thousands to millions) hits. And bank accounts will suddenly be emptied, their contents shifted overseas and untraceable, because while banks can turn off wire transfers for accounts, the default is ON.

But Sony couldn’t be bothered to do it right. And now heads should roll.

The price of security

Milady and I were conversing with a friend last night, and an interesting topic came up. Some years ago, several banks (BofA and CapitalOne were mentioned) started putting customers’ photos on their credit cards. This was widely hailed as an excellent idea.

And then, inexplicably, they stopped doing this.

The obvious question was “why?”. Why did they stop doing something that was universally hailed as a good idea?

So I put my thinking cap on, and came up with some ideas.

  • I remember reading somewhere that the price of putting a photo on a credit card was a couple of dollars per card. Multiply this up by the millions of cards in circulation, and you have a huge expense that the bank has to bear.
  • Credit-card fraud, on the other hand, is not a cost that the bank has to bear. They do a chargeback, which effectively passes the cost on to the merchant. So, the customer is covered, the bank is covered, the merchant gets the shaft and pays the price. That is perfectly legit – it is part of the merchant agreement.
  • There are also many transactions where the merchant cannot see the card; for instance, pay-at-the-pump transactions in gas stations, and internet transactions.
  • Finally, with card-swipe machines in operation at most stores, there is often no need for the cashier to see the card — and too many of them don’t bother looking, anyway.

Sometimes “security measures” don’t really do that much for security. And sometimes, the price of security is too high.

I think I understand now.

But I still wish that they would give customers the option to have their photos on their cards. I’d buy that for a dollar.

Shame on you, Microsoft

Yesterday, being the second Tuesday of the month, was Patch Tuesday. This is normal.

As usual, Microsoft released a dozen or so patches. This, too is normal.

What is not normal is that when I went to restart one of the five machines in my house, I saw this:

Microsoft recommends and defaults to automagically installing updates. This is right, reasonable and proper, and what I recommend to most users. I, however, am a Geek, and I like to know – and control – what is happening on my machines, so they are all set to “download and notify”. That is: download the updates and notify me; I will control the installation process.

The above screenshot shows that one or more of the patches (two, in this particular case) were sneaked onto my machine without telling me and against my express wishes. This seems to indicate that Microsoft apparently views my freedom of choice with contempt.

What is worse is that they could not be bothered to mention the fact that they sneaked these patches onto my systems; nor did they mention that a reboot is required. In fact, the only way I would know is if I went to shut down or reboot.

Since some of my machines go for weeks between reboots, this is alarming. Since the updates do not take effect until the machine has been rebooted, this means that a machine could be vulnerable without my even realizing it.

Shame on you, Microsoft. Shame, shame, shame.

Now Reading: Down and Out in the Magic Kingdom by Cory Doctorow