Geo-IP Security: Option Three

Facebook, and many other online services, have an almost-clever security measure that tries to protect users against account theft. It uses your IP address to do a “Geo-IP” lookup — that is, to figure out roughly where in the world you normally access the site from. If an access attempt happens from elsewhere, the user will have to supply extra information to log in — often an “identify this person from their tagged photos” quiz.

Even if you pass this test of your identity, however, strange things sometimes happen — after a recent trip to France I found myself having to re-authenticate all my apps, and after a few days in Germany, my friend Pete could only restore normal service by changing his password.

I can see how this feature could be useful for some people — perhaps even the majority — but for some it has the potential to be a major irritation. Not only is there no way to disable it in Facebook’s case, there’s also no way of venting your frustration when it goes horribly wrong.

For this reason, I suggest that Facebook’s settings page needs the following options:

[image: the suggested settings options]
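The Geo-IP check described above, as an added example that is not Facebook’s code: a per-user switch to turn the check off, plus a short history of recently used countries rather than a single last location, which is one way (an assumption, not something the post states) to avoid the re-authentication after a trip that the post describes. The Geo-IP table and the day numbers are constructed.

```python
from dataclasses import dataclass, field

# Constructed Geo-IP stub (IP prefix -> ISO country code). A real service
# would query a GeoIP database; this table is an assumption for the demo.
GEOIP_STUB = {"81.": "GB", "90.": "FR", "84.": "DE"}
TRUST_WINDOW_DAYS = 30  # a country stays trusted this long after a good login

def geoip_country(ip: str) -> str:
    """Coarse Geo-IP lookup against the constructed stub table."""
    for prefix, country in GEOIP_STUB.items():
        if ip.startswith(prefix):
            return country
    return "??"  # unresolvable address: never treated as a trusted location

@dataclass
class Account:
    geo_check_enabled: bool = True                  # the opt-out the post asks for
    last_seen: dict = field(default_factory=dict)   # country -> day of last good login

def login_decision(acct: Account, ip: str, today: int) -> str:
    """'allow' if the check is off, the account has no history yet, or the
    country was used within the trust window; otherwise 'step_up'."""
    if not acct.geo_check_enabled or not acct.last_seen:
        return "allow"
    seen = acct.last_seen.get(geoip_country(ip))
    if seen is not None and today - seen <= TRUST_WINDOW_DAYS:
        return "allow"
    return "step_up"

def record_login(acct: Account, ip: str, today: int) -> None:
    """Call after a successful login (including one that passed step-up).
    Every recently used country is kept, not just the latest one, so that
    coming home after a trip is still recognised as normal."""
    country = geoip_country(ip)
    if country != "??":
        acct.last_seen[country] = today

def demo() -> list:
    """Scenario from the post: normal UK use, a trip to France, then home."""
    acct = Account()
    out = [login_decision(acct, "81.2.3.4", 1)]        # first ever login: allow
    record_login(acct, "81.2.3.4", 1)
    out.append(login_decision(acct, "90.5.6.7", 10))   # first login from France: step-up
    record_login(acct, "90.5.6.7", 10)
    out.append(login_decision(acct, "81.2.3.4", 14))   # home again: still trusted
    acct.geo_check_enabled = False
    out.append(login_decision(acct, "84.8.9.1", 15))   # Germany, but the check is off
    return out
```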

Cold War II: Once More with Botnets

In a press conference at the RSA Conference yesterday, Michael Chertoff, former Secretary of the US Department of Homeland Security, suggested that the principles of “cyber-war” could be influenced by those of nuclear deterrence.

“An attack on the US or its allies with a nuclear weapon would be responded to with overwhelming force. …countries should be able to respond to cyberattacks ‘with overwhelming force’.” [ZDNet]

In my humble opinion, this ranks pretty high up there on the list of Worst Ideas Ever.

Nuclear deterrents are reasonably easy to secure (so long as you’re not Pakistan). A nuclear warhead is a giant chunk of metal, too big to carry, stuck in a silo or an Air Force base or a submarine under the Arctic circle — no-one’s going to make off with that. You can be sure that if a nuclear strike happens, it is launched by a nation state with a target chosen by that state.

Not so the cyber-WMD. While we can assume that for now, government agencies probably have the best tech around for launching and countering network-based attacks, what the government has today, a 13-year-old script kiddie will have tomorrow. Whatever form these defensive online weapons take, they’re just software. They can be stolen, hundreds of thousands of copies fitting in a spy’s pocket. They can be reverse-engineered, manipulated in the wild, copied and spread around. They can be placed to guard a network from which an attack on US online interests is launched, pitting one bit of software against the other until no bystanders are left.

To say nothing of the fact that most sustained attacks originate from botnets, leaving the government the choice of going after the central control servers, leaving the bots themselves to carry on, or nuking some of their own citizens off the internet. Add to that the complication of using this technology against foreign citizens, and it becomes an unholy mess.

No, I believe cyber defence should learn from immunology, not nuclear deterrence. Do the minimum possible to fix the problem, because sooner or later, something will attack you that’s immune to your fix. If you’ve deployed your H-bomb and it hasn’t killed everything — and in the online world, it never will — the next thing that hits you will be H-bomb proof. And then you’re screwed.

Proxies and the Law

In light of the passing of the Digital Economy Bill, and Ben Bradshaw’s intent to push for government power to force ISPs to block sites that are “likely” to be used for copyright infringement, the government could in a few months’ time demand that ISPs block access to the likes of Wikileaks, The Pirate Bay and Rapidshare, all sites that have perfectly legal uses. And I’m sure it can’t be long before the government and the IWF together have a go at 4chan.

A few questions for any internet lawyer-types out there:

  1. Is it legal for a UK citizen to set up and maintain a private, secure proxy server in another country?
  2. If ISPs in the UK are instructed to block a site, is it legal or illegal for a UK citizen to access that site via an overseas proxy?
  3. If it is illegal, would the fact that the Briton runs and uses an overseas proxy be ‘reasonable cause’ for them to be investigated in any way?
  4. Would the server admin be legally obliged to keep logs for the proxy server in case such an investigation took place? (And does this depend on UK law or the law of the country where the server is located?)
  5. Can a court or police warrant require the server admin to disclose passwords, encryption keys or logs?

For reference, I’m merely interested in the answers to these questions — I’m not necessarily considering doing this, particularly not if it does turn out to be illegal.

OMG WTF CPP

Allow me to share with you one of the most bizarre and infuriating login forms I have ever seen. This is it, the one for CPP Identity Protection.

CPP Identity Protection Login Form

Exhibit A: ‘wut.’

Yeah, you read that right. “Password or username” followed by “E-mail address”. The site drops hints that apparently passwords are discontinued, and since last year every customer has a username instead. Er, guys? Do you even understand how this works?

So when you join, you get a letter that contains your username, which is a pretty short alphanumeric string. It’s pretty much… a password. Not a very good one, but still.

First time you log in, you get a delightful series of prompts that up the WTF factor even more. The first one is “change your username”. My first reaction, as I guess it is for a lot of people, is “yeah, this alphanumeric string is crazy-hard to remember. I’ll just use the same username as I use everywhere!” I actually got as far as typing ‘tsuki_chama’ in the box before I realised. That would leave my online handle and e-mail address — both publicly-known information — as the only things protecting my account. On a website that deals with identity theft. Whaaaaat?

The second prompt is for the “username reminder”, i.e. password reminder, assuming you left your ‘username’ as a password-like string. Now, there was no limitation on what you could have as a username; I guess you could have “abc” if you wanted. But your password reminder is another story. There’s a drop-down box of Secret Questions, the usual sort — first pet, memorable place, etc. You have to pick one; there’s no free entry. And then you enter your answer to that secret question.

Which must be at least 8 characters and include at least one number.

Geez, do you think there might be another authentication field that you might want to apply that restriction to instead? But yeah, I’m fine, because I had a pet hamster called ROBOHAM-877.

So yay, the only vaguely secure string you’re providing is your password recovery answer, which is not needed to log you in at all, only to recover your bizarro-username in case you forget it, assuming you didn’t just go with the flow and set your username to the same damn username you use everywhere else.

Identity. Protection. Fail.