I just tried to visit Facebook but typed the URL wrong and typed “faceobook.com” (note the extra ‘o’). Here’s where I ended up:
Devious, eh?
Needless to say, I did not participate in the “anonymous survey.”
You’ve probably heard by now (the party line from Gawker, and a much more comprehensive analysis from Forbes) that a huge database of Gawker Media usernames and (poorly) encrypted passwords was recently stolen, and that the thieves published the stolen data for anyone in the world to download, and that the thieves managed to crack hundreds of thousands of the passwords using a brute-force attack. As far as I know, the thieves, who are in it for glory rather than money, haven’t released the decrypted passwords, but since they released the usernames and encrypted passwords, anyone on the Internet is free to download and do their own brute-force cracking.
Fortunately, this security breach had almost no effect on me, because I’ve already learned the hard way about the perils of using the same password on multiple sites, and because I don’t really care if my email address is leaked to yet another group of spammers since it’s been widely disseminated all over the Internet for over two decades and my spam filtering is just fine.
However, this morning, I received an email message from “teamhint@hint.io” which read as follows:
The parental controls built into the Mac OS X Mail client can be easily bypassed by anyone who knows the email address of the child and his/her parent. The Mail client can be fooled into adding any address to the child’s whitelist (i.e., the list of addresses with whom the child is allowed to correspond), as if the parent had approved the address, without his/her knowledge or consent. This vulnerability can be taken advantage of by the child or by any third party anywhere on the Internet.
Yesterday, I decided I wanted to unsubscribe from one of the e-newsletters published by SANS, which bills itself as, “the most trusted source for computer security training, certification and research.”
There were no instructions in the e-newsletter for how to unsubscribe, so I went to their Web site. It told me that I had to sign into my Portal account; the only problem is that I’ve never had a Portal account, and I subscribed to the SANS e-newsletters long before such a thing existed. I figured that perhaps they auto-created an account for me at some point, so I gave the site my email address and told it that I’d forgotten my password. It claimed to have mailed password reset instructions to me and told me that I had to follow them within two hours, but over ten minutes later, they still hadn’t arrived.
Thinking that perhaps I could register my email address for a Portal account and would then “inherit” any legacy subscriptions under that email address, I tried registering. It rejected my registration form, telling me that I needed to enter a valid email address. I couldn’t tell whether it was rejecting the form because the email I entered was already in its database, or because it incorrectly believed that “jik@kamens.brookline.ma.us” was not a valid address (a lot of Web sites can’t seem to handle the idea that “kamens.brookline.ma.us” is a valid email domain).
At this point, I threw up my hands and sent them email describing everything that had happened and asking what the heck I should do. I ended my email with, “The fact that you guys are supposedly experts at secure Web site design makes this rather ironic.”
I share my home office with my kids, an unfortunate necessity in a house with five bedrooms, five children, and no dedicated office space (the “office” is actually one of the bedrooms). All the kids are fully aware of the “never, ever touch anything on Daddy’s desk” rule, but apparently the stuff on my desk is just too tempting. Who would have imagined that a roll of tape could be such a powerful influence for evil? Needless to say, when something is missing, the kids often blame the disappearance on the mythical “not me.”
This morning, my oldest daughter, who at 11½ surely should know better, saw something interesting on my computer screen, which was visible because I was accessing it remotely from work (with Linux, when you connect to your desktop remotely, it is visible on the local monitor). I watched with amazement from work as she moved my mouse around and opened several of my documents.
When I realized what was going on, I locked the screen. To my even greater amazement, rather than this causing my daughter to come to her senses and realize that she wasn’t supposed to be touching my computer, she clicked the “Switch user…” button, thus breaking my remote connection and locking me out until I got home from work. (I’ve since fixed my configuration so that I can’t be locked out like that again, but that’s not the main point of this story.)
This was the last straw. No longer will I tolerate items mysteriously disappearing from my desk with none of the kids taking responsibility. Thanks to the wonderful open-source software package Motion, the Webcam atop my monitor will now capture and save images of anyone who touches anything on my desk. Busted!
What makes this interesting enough to be worth blogging about (in my opinion; yours, obviously, may differ!) is how I solved the problem of not filling up my disk with images of me using the computer. I wrote this script, which is designed to be run as a GNOME startup application. Whenever my screen is locked, it turns on the camera, and when the screen is unlocked and the camera is turned on, it prompts every 15 minutes to ask whether to turn it off (it prompts rather than always turning it off because I may be accessing the computer remotely and want the camera to remain on).
There are detailed comments at the top of the script explaining how it works and how to use it. I’m posting it here on the off chance that it might prove useful to someone else. Enjoy!
I recently received a letter from American Express confirming that I’d enrolled in online bill payment. I received the letter on paper, in an envelope, with a stamp on it, in the mailbox on my porch.
The final sentence of the letter, all the way at the bottom, below the signature, reads as follows:
You are receiving this information electronically because you have indicated your desire to do so via your acceptance of the Pay by Computer terms and conditions.
I wonder if this definition of “electronically” has something to do with the South African company that recently sent a bunch of data by carrier pigeon faster than the country’s biggest ISP could have sent it.
As I previously wrote, I recently had to change my password on over 300 Web sites because my default “medium-security password” was compromised. The compromise was caused by a bug in the WordPress blogging platform which can result in inadvertent disclosure of information when content is pasted into the WYSIWYG text editor built into WordPress.
In a nutshell, sometimes when you paste text into the editor, the editor inserts an invisible copy of the pasted text. You won’t see the invisible text at all in the editor; it’s visible in the HTML view, but WordPress users often post without ever looking at the HTML view (that is, after all, the whole point of the editor). Even if you do look at the HTML, you probably won’t notice the hidden text block unless you know to look for it, which most people obviously don’t. It is not clear whether this invisible copy is inserted in addition to a visible copy of the same text, or whether it’s inserted instead of the visible copy you intended.
Although the text is not visible in the editor, it is in the HTML, which means that when you publish your blog entry, the hidden text goes along with it. Search engines will happily index it and even show you snippets from it in search results if you search for a keyword that’s found in the hidden text. Furthermore, syndicators of your blog that strip out HTML style attributes (including, e.g., the feed syndicator at LiveJournal.com) will render the previously invisible text for the world to see.
I haven’t seen this posted anywhere else…
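As an added illustration (not code from this post), here is a small Python check for the failure mode described above: it finds text in a post’s HTML that an inline style attribute keeps from rendering, and shows that once a syndicator strips style attributes the same text becomes visible. The sample post HTML and the specific hiding styles it looks for (display:none, visibility:hidden, off-screen positioning) are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample post HTML (an assumption for this example, not a real
# WordPress post): one visible paragraph, one block hidden by an inline style.
SAMPLE_POST = ('<p>Here is my public post.</p>'
               '<div style="display: none;">pasted-password-goes-here</div>'
               '<p style="color: red;">Styled, but still visible</p>')

# Inline-style patterns assumed to keep an element from rendering.
HIDDEN_STYLE = re.compile(
    r'display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d+px', re.I)
VOID_TAGS = {'br', 'hr', 'img', 'input', 'meta', 'link'}  # no end tags


class HiddenTextFinder(HTMLParser):
    """Splits a document's text into what renders and what a style hides."""

    def __init__(self):
        super().__init__()
        self.stack = []    # one flag per open element: did it start hiding?
        self.depth = 0     # number of enclosing elements that are hidden
        self.hidden, self.visible = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        hides = bool(HIDDEN_STYLE.search(dict(attrs).get('style') or ''))
        self.stack.append(hides)
        self.depth += hides

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack and self.stack.pop():
            self.depth -= 1

    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden if self.depth else self.visible).append(text)


def split_text(html):
    """Return (visible_fragments, hidden_fragments) for a post's HTML."""
    p = HiddenTextFinder()
    p.feed(html)
    p.close()
    return p.visible, p.hidden


def strip_style_attributes(html):
    """Mimic a feed syndicator that drops style attributes from the markup."""
    return re.sub(r'\s+style\s*=\s*("[^"]*"|\'[^\']*\')', '', html, flags=re.I)
```

Running split_text over a draft before publishing flags any fragment that a reader of the rendered page would never see but a search engine or style-stripping feed would.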
I received in the mail today replacement Discover Cards for my wife and me. Our cards were not due to expire for quite a while. They were attached to a special-purpose mailing sleeve, not the generic sleeve they usually use when mailing out new cards. Some highlights of what’s printed on the sleeve (italics added by me):
“Destroy your current card because it will be deactivated shortly and you will no longer be able to use it for purchases.”
…
Why you’re getting a new card
Heartland Payment Systems, a company that processes credit card transactions for merchants, experienced a compromise. This incident did not involve any Discover card systems, and there is no evidence that an unauthorized individual is using this account number. Please be assured that, based on information received from Heartland Payment Systems, this incident cannot cause identity theft. Heartland Payment Systems has created a Web site to assist you with any questions you may have about this situation. Please visit 2008breach.com for more details.
To reduce the possibility of fraud on your account, we are issuing you a new card. For the security of your account, we replaced the security codes on your card without changing your account number. Discover continually monitors the security of the credit card environment so we can take preventive measures to better protect your account. As always, you are never responsible for unauthorized charges to your account through our $0 Fraud Liability policy.
While it may be true that this incident by itself is unlikely to cause identity theft for any particular cardholder, the fact of the matter is that when your credit card number, expiration date and (possibly) name are exposed to someone with nefarious intent, they’re a lot closer to being able to steal your identity than they were before.
I’m not sure whether to be concerned about the fact that they aren’t changing people’s account numbers. I suppose that changing the expiration date is sufficient, since the on-line card verification networks all check both the card number and expiration date.
I must say I’m a little puzzled by the fact that Discover waited to replace cards until eight months after the discovery of the breach. Many other card issuers started replacing cards within days of Heartland’s first announcement.
As I wrote earlier today, I just changed my password on over 300 Web sites. In the process, I encountered a large number of sites which simply don’t know how to do password security properly. Some of these sites are operated by major corporations which are entrusted by their users with confidential and sensitive personal information — names, addresses, telephone numbers, birthdays, credit-card numbers, etc. It is truly frightening that these corporations fail to properly secure their users’ passwords, and therefore fail to properly secure their users’ personal information.
I am posting this article to highlight the weaknesses I discovered, to shame these sites, with the hope that doing so might perhaps push some of them just a little bit closer to doing the right thing. I am also posting this article to let people know of sites they should be careful about using.
If you know of other sites which don’t secure their users’ passwords properly, please post about them in comments here and I’ll add them to the article!
And so, without further ado, I give you…
“Hi, my name is jik, and I’m a password reuser.”
“Hi, jik!”
If there isn’t a “Password Reusers Anonymous”, there probably should be.
By “password reuse,” I mean using the same password over and over on multiple Web sites. It’s a really bad idea, and I should know that better than most, since I’ve worked on and off in the field of computer security for over two decades.
But the biggest problem by far, which dwarfs all the problems listed above, is: If your password is somehow compromised, then you need to change it on every Web site on which you’ve used it.
If using the same password on multiple Web sites is such a bad idea, then why do so many people do it? Simply put, because it’s easier to remember one password than it is to create and remember hundreds of them. And if you can’t remember them, then you need to write them all down on a list somewhere, and find a way to both keep the list secure and make it accessible whenever and wherever you need it. There are some available tools to make this easier, but the best ones cost money, and not many people are savvy enough to go looking for tools to handle this sort of thing.
I fell into the password reuse trap years ago, when data breach incidents were few and far between and tools for managing passwords didn’t exist. Old habits die hard, and I never broke this one. And so, since last week, when the password I’ve been using as my standard third-party Web site password for well over a decade was compromised (I will post later about how it was compromised), I’ve had to spend every available moment changing my password on over 300 Web sites. Believe me, it took a while.