Categories
Security Tech (General)

How To Steal A Credit Card

I said a while back RFID credit cards still have to prove themselves. Today I saw this interesting story on CNet:

As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer’s wallet, Laurie both read and displayed its contents on the presentation screen–the person’s name, account number, and expiration clearly visible.

You can find a ton of information, including code and the hardware necessary to duplicate this, on his website RFIDIOt.

Another real potential issue is companies using RFID for security badges. Considering how easy it is to read and duplicate, potentially anyone who can get close to someone walking into an office can capture the data necessary to produce their own ID card. In this case the only real security is matching the photo stored by the company on their computer system (not the one on the badge) to the person’s face. So for those offices that don’t have security staff doing this, anyone could theoretically get in.

The best security mechanisms are the most simple and discreet. Credit cards are naturally pretty secure if used correctly. Nobody can abuse a credit card unless they know the number. Nobody can read it through a wallet. The wallet in this case is a great security feature. To read it you need to either visually inspect it for the numbers, copy it, get an impression of it, or swipe it through a reader, all of which require intimate contact with the actual card. Impressive security for some old technology, isn’t it?

I’ll stick with swiping a credit card for the foreseeable future. You’re only not liable for a stolen credit card if you and your credit card company mutually agree it’s stolen or being misused. Otherwise you may be on your way to an expensive dispute. Regardless, it may have already hit your credit, and you’ll spend a lot of time sorting it out and getting it corrected. Bad credit costs you money. Some individuals make it sound like it’s just a phone call and you’re done, but people who have had their credit card stolen sometimes spend several months fighting to save their credit.

Categories
Mozilla Security

False Alarm, Go Back To Bed

The other night I was reading about this new security flaw, and for some reason I couldn’t figure out why it was a security flaw. Why couldn’t you just download Firefox and open the file yourself? I presumed I was just tired, and went to bed.

Ends up I wasn’t the only one who didn’t think it was a vulnerability. Mike Shaver has more info on it. If someone wanted to get that information, they don’t need to get people to visit a hacked server. They can just download Firefox and open the file itself. No big deal.

Theoretically a custom enterprise build made by a company for use on its network could be modified, but I doubt it. Even if it was, it wouldn’t really contain anything very useful.

Always take things posted on a tech site with a grain of salt, unless they are confirmed by multiple experts. Slashdot ran the story a little prematurely.

Categories
Networking Security Tech (General)

Hacking A Boeing 787?

According to Wired the Boeing 787 Dreamliner connected the networks for passenger services to critical flight systems:

The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems, an FAA report reveals.

Here’s what a Boeing spokesperson had to say:

…it is employing a combination of solutions that involves some physical separation of the networks, known as “air gaps,” and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn’t want to discuss in public.

Would it really be that much more costly to create two networks? One for the important stuff like navigation and control systems, and another completely independent network for passengers to download porn? Networking gear isn’t that expensive. Internet access at 35,000 feet is high latency anyway.

I’m really not so sure I’d feel comfortable knowing that the same network that’s carrying a Rob Schneider movie to the guy in 11F is also carrying packets intended for the horizontal stabilizer.

Maybe I’m just paranoid. After all, I’m not too comfortable with the Airbus A380 apparently running Windows in the cockpit.

Hopefully they get it all figured out quickly.

Categories
Apple Security

Calculator Phoning Home? Not Really

Wasn’t sure what this is all about, but according to Little Snitch 2.0 (which is awesome by the way) the Calculator in Mac OS X 10.5 (Leopard) apparently phones home. Based on the URL http://wu-calculator.apple.com one would assume that’s checking for updates (wu typically stands for web update). Though I find this somewhat odd considering Mac OS X has an update system that’s all encompassing. I decided to take a closer look. Earlier it was said that 10.5 was phoning home, though that turned out to not be the case.

[Image: Calculator Phoning Home]

So I did a little sniffing around (literally packet sniffing), and here’s what I found. On load it sends the following (seemingly blank) request to Apple for currency conversion info. The response is the exchange rate. I’ve got a copy for reference below for anyone who wants to see. Calculator seems to use CFNetwork to communicate (not surprising). What’s interesting is that this info doesn’t seem to be cached; every time you load Calculator it’s requested.

So yes, it does technically ping the mothership, but no, it doesn’t seem to send back any data worth being concerned about. The only thing noteworthy is the cookie. The cookie itself is characteristic of Omniture, an analytics company (who provides analytics services to Apple among many of the largest sites on the web). This seems like a side effect of the implementation (likely sharing stuff from WebKit). I don’t think Omniture is pinged during this transaction, so the only concern would be if Apple were recording that cookie and matching it against web analytics data, which I’d consider extremely unlikely even with a tin foil hat on my head. I guess Apple could further neutralize any privacy concerns by modifying the implementation to not send a cookie. At that point they would only have your IP to go by (which could be behind a proxy and therefore isn’t very reliable). I don’t think this is a privacy risk, but I also don’t think it would be so bad for Apple to modify it and drop the cookie to make it more anonymous. Or at least give the option to not request data every time.
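If you want to do the same kind of check on any app that a firewall like Little Snitch flags, the thing to look for in the capture is exactly what’s above: where it goes, whether the request body carries anything, which headers could identify you (the cookie), and whether the response even tells the client it may cache. The script below is an added example written for this post, not Apple’s code or my actual packet dump. The request and response are constructed samples; the host is the one from the post, but the path, the `s_vi`/`s_cc` cookie names (assumed here as stand-ins for Omniture-style visitor cookies) and the rate value are placeholders.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Headers that tie a request to a person or a previous session.
IDENTIFYING_HEADERS = {"cookie", "authorization"}

# Constructed sample capture (placeholder values, not a real packet dump).
SAMPLE_REQUEST = (
    "GET /currency.xml HTTP/1.1\r\n"
    "Host: wu-calculator.apple.com\r\n"
    "User-Agent: Calculator/EXAMPLE CFNetwork/EXAMPLE\r\n"
    "Cookie: s_vi=EXAMPLE-VISITOR-ID; s_cc=true\r\n"
    "Accept: */*\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/xml\r\n"
    "Content-Length: 52\r\n"
    "\r\n"
    '<rates><rate from="USD" to="EUR">0.68</rate></rates>'
)


def parse_http_message(raw):
    """Split a raw HTTP/1.x message into (start line, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def audit_capture(raw_request, raw_response):
    """Summarise what a captured request/response pair reveals about the client."""
    start, req_headers, req_body = parse_http_message(raw_request)
    method, target, _version = start.split(" ", 2)
    status_line, resp_headers, _ = parse_http_message(raw_response)

    cookies = SimpleCookie()
    cookies.load(req_headers.get("cookie", ""))

    # If none of these are present the server never told the client it may
    # reuse the answer, which is consistent with a fresh request on every launch.
    cache_headers = ("cache-control", "expires", "etag", "last-modified")

    return {
        "method": method,
        "host": req_headers.get("host"),
        "path": urlsplit(target).path,
        "request_body_bytes": len(req_body.encode()),
        "cookie_names": sorted(cookies.keys()),
        "identifying_headers": sorted(h for h in req_headers if h in IDENTIFYING_HEADERS),
        "response_status": status_line.split(" ", 2)[1],
        "has_cache_headers": any(h in resp_headers for h in cache_headers),
    }


if __name__ == "__main__":
    for key, value in audit_capture(SAMPLE_REQUEST, SAMPLE_RESPONSE).items():
        print(f"{key:20} {value}")
```

Run against a real capture, an empty `request_body_bytes` plus a non-empty `cookie_names` is the pattern described in this post: nothing sent except an identifier the app didn’t need to send.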

Categories
Hardware Security

Improving Storage And Backups

I work on multiple computers (Mac/PC) and have various assets online including this blog and quite a bit of code lying around in svn, and just on the file system. My backup solutions so far have been pretty ad hoc but rather effective. Everything important is replicated somewhere else at varying frequencies. The downside is that it’s not very efficient and even partially manual. I’ve decided over the next several weeks I’m going to re-evaluate how I do all my data storage and backups. Here’s the list of goals:

  • Improve how data is organized and stored, both in primary storage and in backups (organizing and cleanup).
  • Make sure all data has at least 1 backup (I pretty much do this already and have for a long time).
  • Automate as much as possible.
  • Keep costs low. Backup more for less.
  • Use tertiary offsite backups for most critical data.
  • Maintain solid encryption practices where necessary for transmission and storage (already do this).
  • Decrease time to restore from backups.
  • Backup more often, so time between backups is minimal for frequently updated data.
  • Give myself room to grow.

At $0.15/GB Amazon’s S3 is very affordable for my needs. A dollar or so a month gets you a fair amount of storage considering most data doesn’t get touched that often (it’s data transfer that gets a little more costly). I’ve been using Amazon with a few backup scripts for a few months to see how it works and how I can best use it. I’m planning to ramp that up a little more. I also want to do more with incremental backups (perhaps use rsync more) to save time and disk.
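Here’s the shape of the incremental piece I have in mind, as an added example written for this post (not one of my actual backup scripts, and not rsync or the S3 tooling themselves). It keeps a JSON manifest of SHA-256 digests from the last run, copies only files whose digest changed, and can verify a backup against the manifest so a restore doesn’t start from silently corrupted copies. The `demo()` helper builds its own sample directory under a temp folder; the file names and contents in it are constructed.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def incremental_backup(src, dest, manifest_file):
    """Copy only new or changed files into dest; report what changed since last run.

    Files that disappeared from src are reported but left in dest, so a backup
    never loses data because of an accidental delete on the primary copy.
    """
    src, dest, manifest_file = Path(src), Path(dest), Path(manifest_file)
    previous = json.loads(manifest_file.read_text()) if manifest_file.exists() else {}
    current = build_manifest(src)

    copied = []
    for rel, digest in current.items():
        if previous.get(rel) != digest:
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src / rel, target)  # copy2 keeps mtime for later comparison
            copied.append(rel)
    removed = sorted(rel for rel in previous if rel not in current)

    manifest_file.parent.mkdir(parents=True, exist_ok=True)
    manifest_file.write_text(json.dumps(current, indent=1, sort_keys=True))
    return {"copied": sorted(copied), "removed": removed,
            "unchanged": len(current) - len(copied)}


def verify_backup(dest, manifest_file):
    """Return manifest entries whose backup copy is missing or has a different digest."""
    dest = Path(dest)
    manifest = json.loads(Path(manifest_file).read_text())
    bad = []
    for rel, digest in manifest.items():
        copy = dest / rel
        if not copy.is_file() or file_digest(copy) != digest:
            bad.append(rel)
    return sorted(bad)


def demo(base_dir=None):
    """Run three backup passes over a constructed sample tree and return each report."""
    base = Path(base_dir or tempfile.mkdtemp(prefix="backup-demo-"))
    src, dest, manifest = base / "src", base / "backup", base / "state" / "manifest.json"
    (src / "sub").mkdir(parents=True, exist_ok=True)
    (src / "a.txt").write_text("hello")          # constructed sample content
    (src / "sub" / "b.txt").write_text("world")

    first = incremental_backup(src, dest, manifest)       # everything is new
    (src / "a.txt").write_text("hello again")
    second = incremental_backup(src, dest, manifest)      # only a.txt changed
    (src / "sub" / "b.txt").unlink()
    third = incremental_backup(src, dest, manifest)       # b.txt reported as removed
    clean = verify_backup(dest, manifest)                 # nothing wrong yet
    (dest / "a.txt").write_text("corrupted")              # simulate bit rot / bad copy
    damaged = verify_backup(dest, manifest)
    return {"first": first, "second": second, "third": third,
            "verify_clean": clean, "verify_damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Swap the `shutil.copy2` call for an upload (after encrypting the file) and the same manifest logic tells you exactly which objects need to go to S3, which is where the transfer cost lives.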

Ironically, I’m kicking off this little project just as reports indicate hard drive prices have been dropping (obvious, right?). I’m not sure if it would make sense to purchase additional storage, or if I can get by with just better utilizing what I already have.

I’m doing this for a few reasons. Considering the cost of storage, there’s no excuse to not have solid backups, or to even waste your time with data loss. I also want to improve my use of offsite backups for more important things to make sure that I keep costs low and keep backups fresh. Accidents, fire, flood and theft are always possibilities no matter how careful you are in life. The great thing about digital vs. paper is that it’s easier to have several copies.

I believe my practices are pretty good, and likely better than the vast majority of the population, but I think I can still do better. I think I can make better use of what I have and maybe for a slight cost add another layer of protection if necessary. I’ll post again with my findings.

Categories
Security

Bank Security Sucks

Why is it, I can get a security key fob from PayPal for a mere $5, but not from my credit card company or bank? PassMark seems to be the latest craze of banks in an attempt to look more secure. It doesn’t work. Online security still seriously sucks. 96.66% fell for phishing according to Harvard and MIT just a few months ago. Interestingly both of those links reference the same bank (Bank of America), though they aren’t the only ones.

And I’m supposed to believe RFID enabled credit cards aren’t trouble? I think not. I’ll wait until the technology has been proven a bit more. Swiping the card really isn’t that hard. I find it to be a good workout. For the security of knowing my wallet is a good security device, I don’t mind the inconvenience. When they can prove it’s secure I’ll switch. I doubt that will be for a while.

I wonder how long until financial institutions start taking security to the next level. I’m confident they will be pushed to do so at some point. I’m just wondering what the catalyst for change will be. I’m guessing some more alarming statistics. I really want to see hardware based two-factor authentication the de facto standard in all banking systems. If PayPal can do it for $5 per user, I think the rest can manage to offer it. It’s not perfect, it doesn’t cover every type of attack, but it’s the single best enhancement over a good password. You do have a good password right?
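For anyone wondering what’s actually inside a $5 fob: the event-based ones generate an HMAC-based one-time password (RFC 4226, HOTP) from a shared secret and a counter, and the bank’s side just needs to store that secret, keep its own counter, and tolerate a few button presses it never saw. The code below is an added example written for this post, not PayPal’s or any bank’s implementation; the look-ahead window and lockout threshold are values I picked, and the secret is the RFC 4226 test secret, so the codes it produces match the published test vectors.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


@dataclass
class TokenRecord:
    """Server-side state for one enrolled fob."""
    secret: bytes
    counter: int = 0     # next counter value the server expects
    failures: int = 0    # consecutive bad codes, for lockout


def verify_otp(record: TokenRecord, candidate: str,
               look_ahead: int = 10, max_failures: int = 5) -> bool:
    """Accept a code if it matches one of the next `look_ahead` counters.

    A match moves the counter past the used value, so the same code can never be
    replayed and a code from an older counter is rejected. Repeated failures lock
    the token until it is resynchronised out of band.
    """
    if record.failures >= max_failures:
        return False
    for step in range(look_ahead):
        expected = hotp(record.secret, record.counter + step)
        if hmac.compare_digest(expected, candidate):
            record.counter += step + 1
            record.failures = 0
            return True
    record.failures += 1
    return False


if __name__ == "__main__":
    # RFC 4226 test secret; in practice each fob gets its own random secret.
    fob = TokenRecord(secret=b"12345678901234567890")
    for i in range(3):
        print(i, hotp(fob.secret, i))
    print("first use:", verify_otp(fob, hotp(fob.secret, 0)))
    print("replay:   ", verify_otp(fob, hotp(fob.secret, 0)))
```

The two properties worth checking in any deployment are visible in the test: a code is good exactly once, and a code from a counter the server has already passed is refused even though it was once valid.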

[Hat Tip: The Consumerist]

Categories
Mozilla Security

Email Image Protection

Many people think that making an image out of an email address is a good way to protect it from being harvested by spam bots. It’s now possible to convert it from an image to an email link via a Firefox extension. Guess what, an email harvester can do this just as well. What’s a better solution against email harvesters? Don’t put any trace of an email address online; use a form. Yes, you could distort the image a bit to make it more difficult, but using a CAPTCHA as an email address isn’t going to make you any friends. JavaScript can also be done, but there’s no reason why it can’t be interpreted (though that may be more difficult in some cases, since a JS engine isn’t the easiest thing to work with, and implementing anything less can easily be defeated by throwing some extra JS in there). Some discussion on the Firefox extension implementation can also be found on Gerv’s blog where he proposed the idea.

Categories
Internet Security

AOL and OpenID

So AOL uses OpenID. What’s pretty cool is that it adds 63 million OpenIDs thanks to AOL’s large user base (according to AOL). They also said:

We don’t yet accept OpenID identities within our products as a relying party, but we’re actively working on it. That roll-out is likely to be gradual.

OpenID is designed so that you can use a provider to store your data, and authenticate to any OpenID enabled service using your own provider. The beauty of this is that unlike other unified login schemes, this one doesn’t form some sort of monopoly. I decided to take a look and see how far they’ve come. AOL’s rather long standing login page (which really hasn’t changed much since the AOL/Netscape authentication merge happened years ago) has finally been updated. The biggest change is the presence of prefs to allow you to choose what method of login you wish to use. I decided to try OpenID, and used mine. The results I guess aren’t so unexpected:

[Image: AOL OpenID]

Interestingly, Netscape.com does support OpenID just fine.

OpenID is a really sweet system. Hopefully it will take off and do well. Hopefully there won’t be bias as to who accepts who as a provider.

Categories
Google Security Spam

Google Used For Spam

This happened a few weeks ago. I kept it quiet and reported it. Hasn’t happened again, and I haven’t heard anything, so I presume it’s fixed.

It appears spammers have learned to hijack Google Alerts for spamming purposes. By setting up an alert with spam text, the email is sent through Google’s mail servers. Because it’s plain text, most email clients will parse the link in the email to make it clickable. Effectively Google is running an open mail relay. Here’s what I saw when I visited Google’s site to see if it really was in my account:

[Image: Google Spam]

So apparently a spammer was smart enough to realize they could hijack this functionality to send spam through Google. I emailed Google a few weeks ago about this problem, and didn’t hear back. I haven’t seen another, so I presume they fixed this problem by now. From what I’ve read Google is pretty prompt with this stuff.

This just shows how careful you need to be with security of web forms. Even something innocent sounding like this can be hijacked to send nasty payloads. A spammer could have used this to send links to infected files, etc. All looking like legitimate Google emails (because they are from Google).
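The general lesson for anyone running a feature that relays user-supplied text in email (alerts, “send this to a friend”, notifications) is to treat that text as untrusted before it ever reaches the mail server. The validator below is an added example written for this post, not Google’s code; the checks, size limit and TLD list are my own choices, and the sample strings are constructed. It refuses text that would render as a clickable link, that carries bare CR/LF (which can inject extra mail headers if the text is ever placed in a header such as Subject), or that contains control characters.

```python
import re

# Anything an email client would auto-link, plus bare domains that many clients
# also turn into links. The TLD list is deliberately short for the example; a
# real deployment would use a full public-suffix list.
URL_RE = re.compile(r"(?i)\b(?:https?://|ftp://|www\.)\S+")
DOMAIN_RE = re.compile(r"(?i)\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|ru|cn)\b")
# Control characters other than tab, LF and CR (those two are checked separately).
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
MAX_LEN = 100   # a search phrase, not a paragraph of marketing copy


def relay_text_problems(text: str) -> list:
    """Return the reasons a user-supplied string must not be relayed by email.

    An empty list means the text is acceptable as a plain search phrase.
    """
    problems = []
    if len(text) > MAX_LEN:
        problems.append("too_long")
    if "\r" in text or "\n" in text:
        problems.append("newline")        # header-injection vector
    if CONTROL_RE.search(text):
        problems.append("control_chars")
    if URL_RE.search(text):
        problems.append("url")
    elif DOMAIN_RE.search(text):
        problems.append("bare_domain")    # still auto-linked by many clients
    return problems


def accept_alert_phrase(text: str) -> bool:
    """Gate used by the form handler: only clean phrases get stored and relayed."""
    return relay_text_problems(text) == []


if __name__ == "__main__":
    # Constructed samples: one legitimate phrase, three abuse attempts.
    samples = [
        "firefox security",
        "cheap pills at http://example.com/offer",
        "visit example.com today",
        "news\r\nBcc: victim@example.com",
    ]
    for s in samples:
        print(repr(s), "->", relay_text_problems(s) or "ok")
```

Rejecting at submission time is the right place for this: once the text is stored as an alert it will be relayed on every match, so one bad value becomes an ongoing open relay, which is exactly what the post describes.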

Here’s what the email looks like (slightly sanitized by me):

Categories
Apple Mozilla Security

Safari Redux

I said yesterday:

  • Security – I have a feeling this will make it much more of a target to hackers. So far Safari has fared pretty well. I guess we’ll see.

Well, that didn’t take long.

The bottom line is: web browsers are complicated pieces of software that deal with a ton of different technologies and render code written by people you shouldn’t trust. While countless security measures are taken, nothing short of floating a hard drive in outer space will be secure, and even then… you never know.

Security is partially about preventing problems, and largely about dealing with them.