Geo-IP Security: Option Three

Facebook, and many other online services, have an almost-clever security measure that tries to protect users against account theft. It uses your IP address to do a “Geo-IP” lookup — that is, to figure out roughly where in the world you normally access the site from. If an access attempt happens from elsewhere, the user will have to supply extra information to log in — often an “identify this person from their tagged photos” quiz.

Even if you pass this test of your identity, however, strange things sometimes happen — after a recent trip to France I found myself having to re-authenticate all my apps, and after a few days in Germany, my friend Pete could only restore normal service by changing his password.

I can see how this feature could be useful for some people — perhaps even the majority — but for some it has the potential to be a major irritation. Not only is there no way to disable it in Facebook’s case, there’s also no way of venting your frustration when it goes horribly wrong.

For this reason, I suggest that Facebook’s settings page needs the following options:

[Image: the proposed settings options]
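The mechanism described above, as an added example rather than anything from Facebook: a Geo-IP lookup on the login address, a step-up challenge when the country is not one the account is normally used from, and the per-account setting the post argues should exist. The Geo-IP table, the account data and the setting names (`strict`, `travel`, `off`) are all constructed for illustration.

```python
"""Risk-based login check with a user-controlled Geo-IP setting.

Added example, not Facebook's code.  The prefix-to-country table below is a
constructed stand-in for a real Geo-IP database, and the three setting
values are hypothetical names for the options the post asks for.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional, Set, Tuple
import ipaddress

# Constructed Geo-IP table (documentation prefixes only): network -> ISO code.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "GB"),
    (ipaddress.ip_network("198.51.100.0/24"), "FR"),
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
]

# Hypothetical per-account setting values.
STRICT = "strict"   # challenge on any country not seen before (the default)
TRAVEL = "travel"   # also trust countries the user declared, until a date
OFF = "off"         # never challenge on location alone


def lookup_country(ip: str) -> Optional[str]:
    """Map a client address to a country code, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE:
        if addr in net:
            return cc
    return None


@dataclass
class Account:
    home_countries: Set[str]                 # where the account is normally used
    geo_mode: str = STRICT
    travel_countries: Set[str] = field(default_factory=set)
    travel_until: Optional[datetime] = None


def needs_step_up(acct: Account, ip: str, now: datetime) -> Tuple[bool, str]:
    """Decide whether this login must pass an extra identity check.

    Returns (challenge_required, reason).
    """
    cc = lookup_country(ip)
    if cc is None:
        # Unknown location: fail closed unless the user switched the check off.
        return (acct.geo_mode != OFF, "unknown-location")
    if cc in acct.home_countries:
        return (False, "home-country")
    if acct.geo_mode == OFF:
        return (False, "geo-check-disabled")
    if (acct.geo_mode == TRAVEL
            and acct.travel_until is not None
            and now <= acct.travel_until
            and cc in acct.travel_countries):
        return (False, "declared-travel")
    return (True, "new-country:" + cc)


def remember_country(acct: Account, cc: str) -> None:
    """After a passed challenge, remember the country so the user is not
    challenged again from the same place (the re-authentication loop the
    post complains about)."""
    acct.home_countries.add(cc)


if __name__ == "__main__":
    acct = Account(home_countries={"GB"})
    when = datetime(2010, 4, 1)
    for ip in ("203.0.113.5", "198.51.100.9", "10.0.0.1"):
        print(ip, needs_step_up(acct, ip, when))
```

The `travel` mode is the point of the exercise: it lets a user say in advance "I will be in France until the 10th" and have that honoured, instead of being quizzed on tagged photos and then forced to re-authenticate every app.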

Cold War II: Once More with Botnets

In a press conference at the RSA Conference yesterday, Michael Chertoff, former Secretary of the US Department of Homeland Security, suggested that the principles of “cyber-war” could be influenced by those of nuclear deterrence.

“An attack on the US or its allies with a nuclear weapon would be responded to with overwhelming force. …countries should be able to respond to cyberattacks ‘with overwhelming force’.” [ZDNet]

In my humble opinion, this ranks pretty high up there on the list of Worst Ideas Ever.

Nuclear deterrents are reasonably easy to secure (so long as you’re not Pakistan). A nuclear warhead is a giant chunk of metal, too big to carry, stuck in a silo or an Air Force base or a submarine under the Arctic circle — no-one’s going to make off with that. You can be sure that if a nuclear strike happens, it is launched by a nation state with a target chosen by that state.

Not so the cyber-WMD. While we can assume that for now, government agencies probably have the best tech around for launching and countering network-based attacks, what the government has today, a 13-year-old script kiddie will have tomorrow. Whatever form these defensive online weapons take, they’re just software. They can be stolen, hundreds of thousands of copies fitting in a spy’s pocket. They can be reverse-engineered, manipulated in the wild, copied and spread around. They can be placed to guard a network from which an attack on US online interests is launched, pitting one bit of software against the other until no bystanders are left.

To say nothing of the fact that most sustained attacks originate from botnets, which leaves the government a choice between going after the central command-and-control servers (which leaves the bots themselves free to carry on) and knocking some of its own citizens off the internet. Add to that the complication of using this technology against foreign citizens, and it becomes an unholy mess.

No, I believe cyber defence should learn from immunology, not nuclear deterrence. Do the minimum possible to fix the problem, because sooner or later, something will attack you that’s immune to your fix. If you’ve deployed your H-bomb and it hasn’t killed everything — and in the online world, it never will — the next thing that hits you will be H-bomb proof. And then you’re screwed.

Proxies and the Law

In light of the passing of the Digital Economy Bill, and Ben Bradshaw’s intent to push for government power to force ISPs to block sites that are “likely” to be used for copyright infringement, the government could in a few months’ time demand that ISPs block access to the likes of Wikileaks, The Pirate Bay and Rapidshare, all sites that have perfectly legal uses. And I’m sure it can’t be long before the government and the IWF together have a go at 4chan.

A few questions for any internet lawyer-types out there:

  1. Is it legal for a UK citizen to set up and maintain a private, secure proxy server in another country?
  2. If ISPs in the UK are instructed to block a site, is it legal or illegal for a UK citizen to access that site via an overseas proxy?
  3. If it is illegal, would the fact that the Briton runs and uses an overseas proxy constitute ‘reasonable cause’ for them to be investigated in any way?
  4. Would the server admin be legally obliged to keep logs for the proxy server in case such an investigation took place? (And does this depend on UK law or the law of the country where the server is located?)
  5. Can a court or police warrant require the server admin to disclose passwords, encryption keys or logs?

For reference, I’m merely interested in the answers to these questions — I’m not necessarily considering doing this, particularly not if it does turn out to be illegal.

OMG WTF CPP

Allow me to share with you one of the most bizarre and infuriating login forms I have ever seen. This is it, the one for CPP Identity Protection.

CPP Identity Protection Login Form

Exhibit A: 'wut.'

Yeah, you read that right. “Password or username” followed by “E-mail address”. The site drops hints that apparently passwords are discontinued, and since last year every customer has a username instead. Er, guys? Do you even understand how this works?

So when you join, you get a letter that contains your username, which is a pretty short alphanumeric string. It’s pretty much… a password. Not a very good one, but still.

First time you log in, you get a delightful series of prompts that up the WTF factor even more. The first one is “change your username”. My first reaction, as I guess it is for a lot of people, is “yeah, this alphanumeric string is crazy-hard to remember. I’ll just use the same username as I use everywhere!” I actually got as far as typing ‘tsuki_chama’ in the box before I realised. That would leave my online handle and e-mail address – both publicly-known information – as the only things protecting my account. On a website that deals with identity theft. Whaaaaat?

The second prompt is for the “username reminder”, i.e. the password reminder, assuming you left your ‘username’ as a password-like string. Now, there was no limitation on what you could have as a username; I guess you could have “abc” if you wanted. But here, your password reminder is another story. There’s a drop-down box of Secret Questions, the usual sort – first pet, memorable place, etc. You have to pick one; there’s no free entry. And then you enter your answer to that secret question.

Which must be at least 8 characters and include at least one number.

Geez, do you think there might be another authentication field that you might want to apply that restriction to instead? But yeah, I’m fine, because I had a pet hamster called ROBOHAM-877.

So yay, the only vaguely secure string you’re providing is your password recovery answer, which is not needed to log you in at all, only to recover your bizarro-username in case you forget it, assuming you didn’t just go with the flow and set your username to the same damn username you use everywhere else.

Identity. Protection. Fail.
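To make the policy failure concrete, here is an added example (not CPP’s code, and not taken from the page) that models the sign-up rules as the post describes them next to a corrected version. The flawed model accepts any non-empty ‘username’ as the sole secret and applies the 8-characters-plus-a-digit rule only to the reminder answer; the hardened model keeps username and e-mail as public identifiers, moves that rule to an actual password, and refuses a password that equals anything public about the account. The set of known public handles and the sample inputs are constructed for illustration.

```python
"""Sign-up policy as described on the page, beside a corrected version.

Added example, not CPP's code.  PUBLIC_HANDLES is a constructed stand-in
for 'things anyone can look up about you'; the hardened_signup design is
this example's own, not something the site offers.
"""
import re
from typing import List, Tuple

# Constructed: handles that are public knowledge and so can never be a secret.
PUBLIC_HANDLES = {"tsuki_chama"}


def meets_complexity(value: str) -> bool:
    """The one rule the page describes: at least 8 characters and one digit."""
    return len(value) >= 8 and re.search(r"\d", value) is not None


def cpp_style_signup(username: str, email: str,
                     reminder_answer: str) -> Tuple[bool, List[str]]:
    """Policy as the post describes it: the 'username' is the only secret
    needed to log in, but the complexity rule lands on the reminder answer."""
    problems: List[str] = []
    if not username:
        problems.append("username is required")
    if "@" not in email:
        problems.append("e-mail address is malformed")
    if not meets_complexity(reminder_answer):
        problems.append("reminder answer must be at least 8 characters with a digit")
    return (not problems, problems)


def hardened_signup(username: str, email: str, password: str,
                    reminder_answer: str) -> Tuple[bool, List[str]]:
    """Corrected policy: username and e-mail are public identifiers, the
    password is the secret, so the complexity rule applies to the password
    and the password may not equal anything public about the account."""
    problems: List[str] = []
    if "@" not in email:
        problems.append("e-mail address is malformed")
    if not meets_complexity(password):
        problems.append("password must be at least 8 characters with a digit")
    public = {username.lower(), email.lower(),
              email.split("@", 1)[0].lower()} | PUBLIC_HANDLES
    if password.lower() in public:
        problems.append("password must not be a public identifier")
    if reminder_answer.lower() == password.lower():
        problems.append("recovery answer must not be the password")
    # The reminder only ever reveals the (public) username, so it needs no
    # complexity rule; a password reset should go through an out-of-band
    # channel such as a link sent to the registered e-mail address.
    return (not problems, problems)


def sole_secret_is_public(email: str, username: str) -> bool:
    """The post's failure mode: after 'change your username', the only thing
    guarding the account is a handle anyone can look up."""
    handle = username.lower()
    return handle in PUBLIC_HANDLES or handle == email.split("@", 1)[0].lower()


if __name__ == "__main__":
    # The scenario from the post: handle reused as 'username', hamster as reminder.
    print(cpp_style_signup("tsuki_chama", "me@example.org", "ROBOHAM-877"))
    print(sole_secret_is_public("me@example.org", "tsuki_chama"))
    print(hardened_signup("tsuki_chama", "me@example.org", "tsuki_chama", "Fluffy"))
    print(hardened_signup("tsuki_chama", "me@example.org", "correct horse 9", "Fluffy"))
```

Run as-is, the first two lines show the site’s model happily accepting a public handle as the only secret, and the last two show the corrected model rejecting exactly that while accepting a real password with a plain pet name as the reminder.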