Archive for the ‘Security’ Category

Flash Bang Wallop

16 Jun 2010 15:41 by Rick

Little known fact—Adobe Flash has to be installed on BOTH Internet Explorer and any alternative browser you have even if you don’t use them.

Well known fact—Installing Adobe Flash is a pain in the backside.

The official method is to go to http://www.adobe.com/, click on “Get Adobe Flash Player” and follow the instructions, remembering to un-tick the undesirable “free offers” on the way. It then performs up to two restarts of the browser using a download manager.

This process is incredibly complex, unnecessary and very prone to failure. On one of my systems the Download Manager aborts, on another it is blocked by a firewall I don’t control; on a third it wants missing plugins—just the ones I am trying to install! Even if it works you can end up with more stuff than you want.

They haven’t made it easy to avoid: whatever route you take, you always get to the same “Agree and Install Now” button, but there is a way. Near the top of the Flash player install page is a link titled “Different operating system or browser”. Clicking that takes you to a menu page—select the OS you are using and Continue. Now you get two choices, “Internet Explorer” and “Other Browsers”. You CANNOT select the browser you are using—that will take you straight back to where you started; but if you select the other one then the “Agree and Install Now” button does a straightforward download of an executable (without any free extras). The trick is to use each browser to download the code for the other one and then just run them. If you need them on other systems then put them on a memory stick; it saves a lot of time.

Bimbo the Budgie

28 May 2010 12:11 by Rick

Well we can all rejoice I hope, now that the ID cards and National Register and Biometric Passports will all be scrapped. What is sad is that all the money wasted on it cannot be recovered and there is very little that can be saved from the wreckage. I hope that the contractors that took on the work won’t be compensated as they knew in advance that, if the government changed, the job would be cancelled. That is the risk that they took.

David Blunkett’s version of what was to be implemented is very different to what he proposed back when he was home secretary and for him to say (Radio 4 this morning) that the information he provided to get his now useless ID card was no more than we would have needed for a passport can only be credited to the continual public opposition to the whole idea. There was no doubt that once it got established, more and more would have been demanded and other existing government databases would have been cross-referenced.

In case you are wondering and didn’t hear the interview, Bimbo was David Blunkett’s first pet as a child. It came up in conversation because he said it was the only piece of information that he provided that wasn’t needed for a passport application and that if anyone could find a use for it then good luck to them (or words to that effect). Well I can. As most people will realise, banks and other institutions are always asking us for a password which they can use to authenticate you and a secret question and answer is quite a common method to do this. Information like this is not as secret as we think it is. Even if the answer to the question is not known, the set of possible answers is quite small, though admittedly, Bimbo is not in the first dozen that I would try. I have seen questions like “What is your favourite colour?” Now how many possible answers are there to that? This is *VERY* low security and not worth the name.

The reason I could use the information is that people reuse passwords for multiple applications. Presumably he will no longer use that one now, but had I discovered it previously on some account that was compromised then there was a good chance he had used it elsewhere so was worth a try. That is why when some low impact login system is cracked and the passwords leaked, it is so much more dangerous than it seems. There is a good chance that many people will use the same credentials for other much more important systems and it is worth the effort of the criminals to try them out. If you think your email password is not critical, remember that if you click the “I’ve forgotten my password” button on any site, it is your email address that they send the new one to.

[Corrected: I accidentally wrote John Prescott instead of David Blunkett—shows how similar all these politicians are]

International TLD

8 May 2010 10:56 by Rick

A few days ago (5 May) saw a great leap forward in the development of the internet. For the first time, top level domain names (TLD) are permitted using non-Latin scripts. In particular, three country codes have been assigned by ICANN. These are for مصر (Egypt), السعودية (Saudi Arabia) and امارات (United Arab Emirates). They are the first country codes which are not two characters (except the “cat” = Catalan anomaly), possibly because they thought there was no need to maintain the restriction if they were branching out into other scripts.

These first ones are all in Arabic which is a right to left language. That means that when you see one in the address bar it will appear the other way round to usual with http://TLD dot then the lower level parts of the domain name in reverse order but still followed by the / and the directory path as usual, even if in Arabic. Actually this is more logical all round and is how all URLs should have been but it is too late for that now.

[I would like to have shown you examples directly here but my editor and WordPress don’t work well with these scripts—I will need to work on that.] A good place to look is the Wikipedia page towards the bottom.

The implementation in browsers seems to vary and may also be dependent on what the server does as well. The ICANN Arabic test page http://مثال.إختبار/ works well in Firefox (Mac and Win) and Safari (Mac & iPhone)—the whole of the URL in the address bar after the http:// is in Arabic. In IE7 & 8 (Win) the address you see in the top bar is what looks like random Latin characters. For the tests I have done, Safari always gets it right, Firefox sometimes and IE never; I would be interested to hear of other results. An example of one that doesn’t work well in Firefox is the Egyptian Ministry of Communications and Information Technology http://وزارة-الأتصالات.مصر/ .

The code conversion is called Punycode and uses a rather strange algorithm to convert any Unicode text into ASCII. It is pretty unreadable but has to exist because the DNS system only allows ASCII, so Punycode allows domain names in any character set (and any mix) to be uniquely resolved. I don’t know if this is always the case but the ones I have seen all start “xn--”. I imagine that, in time, when implementations are sorted out, this will become transparent to the user.

One worrying security implication of these “foreign” character codes in URLs is that some letters look very similar to Western Latin ones. So if you see a familiar link, to your bank say, it may not be quite what it seems. For example if the “ο” in “www.llοydstsb.com” is actually a Greek Omicron (which it is on this page) the fake address could direct you to a phishing site. It is possible that the behaviour of IE is deliberate to avoid this problem but I somewhat doubt it.
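To make the two points above concrete, here is an added Python example (not code from the original post). It uses Python’s built-in IDNA codec to turn Unicode domain names into the “xn--” form that DNS actually sees, decodes them back, and runs a simple mixed-script check that flags a Latin label containing a Greek omicron. The list of sample domains is constructed for this example; the ICANN test domain and the bank look-alike are the ones quoted in the post, and the “bücher” label is the well-known RFC 3492 example.

```python
import unicodedata

# Constructed sample list for this example. The Arabic test domain and the
# omicron look-alike are the ones discussed in the post; the rest are added here.
SAMPLE_DOMAINS = [
    "bücher.example",            # RFC 3492's example label: becomes xn--bcher-kva
    "مثال.إختبار",               # ICANN Arabic test domain from the post
    "www.ll\u03bfydstsb.com",    # the 'o' is U+03BF GREEK SMALL LETTER OMICRON
    "www.lloydstsb.com",         # plain ASCII for comparison
]


def to_ascii(domain):
    """Encode every label with the IDNA codec; non-ASCII labels get the xn-- prefix.
    Pure-ASCII labels pass through unchanged."""
    return domain.encode("idna").decode("ascii")


def from_ascii(ascii_domain):
    """Reverse conversion: xn-- labels back to the Unicode text a browser would show."""
    return ascii_domain.encode("ascii").decode("idna")


def scripts_in_label(label):
    """Set of scripts used by the letters of one label, taken from the first word
    of each character's Unicode name (LATIN, GREEK, ARABIC, ...)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def mixed_script_labels(domain):
    """Labels that mix scripts, e.g. Latin letters with a single Greek omicron.
    An all-Arabic label is not flagged: the check is for look-alikes, not for
    non-Latin names as such."""
    return [label for label in domain.split(".") if len(scripts_in_label(label)) > 1]


def report(domains):
    """For each domain: (as typed, wire form, labels flagged as mixed-script)."""
    return [(d, to_ascii(d), mixed_script_labels(d)) for d in domains]


if __name__ == "__main__":
    for typed, wire, flagged in report(SAMPLE_DOMAINS):
        status = "MIXED SCRIPT: " + ", ".join(flagged) if flagged else "ok"
        print(f"{typed!r:32} -> {wire:40} {status}")
```

Two things the output shows: the omicron name does not encode to `www.lloydstsb.com` at all but to an `xn--` label, which is why IE’s “random Latin characters” are in fact a safer display than a faithful rendering; and the mixed-script check catches this particular trick, though a label written entirely in one non-Latin script would need a confusables table rather than this heuristic.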

[This post has been revised since I discovered how to insert the Arabic characters. I will write up how it is done later.] [Updated to include IE7 & iPhone]

Disaster upon Disaster

22 Apr 2010 10:26 by Rick

What happens if you get a real disaster during a disaster training exercise? Iowa State discovered yesterday. The exercise was a simulated bio-hazard at a major sports event. The real disaster was a simultaneous failure of all the 911 computer systems across the state. It also affected city and council management, fire and police services. Read the full story for the details. The culprit—McAfee Anti Virus false alarm. They will take a while to recover the negative PR from that one.

Airport Security

10 Feb 2010 13:53 by Rick

Govt. Crackdown on Religious Extremism: Tambourine Detector

The Telegraph has a slide-show series of Airport Security cartoons.

Log it

9 Feb 2010 09:39 by Rick

Today is Safer Internet Day 2010 and [one of] the slogan[s] being promoted is “Zip it, Block it, Flag it”. I suppose the principle is ok but this is not the language that kids understand; however, we are stuck with it. What it means, and I had to look it up, is Zip it—Keep stuff private, Block it—Block nasty people, Flag it—Tell someone if anything bothers you. There is more detail, but that is the gist of it; make it too complex and they won’t remember it at all. Seeing as this programme was announced back in December by the Prime Minister, it is not exactly prominent!

Anyway, I would like to add another one, not for the kids, except perhaps the older ones, but for the parents—Log it.

Most instant messaging (IM) and chat systems have a mechanism that allows a permanent (private) log to be made of all conversations. Switch it on. That way, if there is any doubt or worry then it can be reviewed and, when it is all in one place, trends and tendencies can be spotted more easily. Of course, for young children it is only a reminder because you are always there with them when they are on line **AREN’T YOU**. Older ones are entitled to a bit of privacy so if there are any concerns then you can discuss it with them and review the log together. Without the log there is no evidence that you can see (there are server chat logs which the police can use if an offence is suspected). But, beware, some chat systems also have public logs available where conversations can be seen by anybody. This is not usually a good idea.

Footnote: these are really rotten web sites, they don’t work properly with all web browsers, some make sounds which you can’t turn off and one feature only works with IE 8, a browser only used by 15% of users. The real web site is ceop.gov.uk but there are bogus ones at ceop.org.uk and ceop.co.uk designed to mislead you.

Gift cards

20 Jan 2010 12:27 by Rick

When I was a child, one of the things I loved to receive at Christmas and birthdays was gift cards. In those days it was book tokens and it meant that I could get something that I wanted rather than something chosen by a rarely seen aunt who had forgotten how old I was. Later on it became record tokens but after a while these became a problem because few shops would take them where we lived. However, I think book tokens are still going strong.

In latter years everyone got into it and there was a big growth in store tokens. Everyone from the big department stores to smaller specialist chains had their own gift tokens; even some individual shops did it.

Recently there has been a move away from the denominated slip of paper with banknote-like swirls, embossing, holograms and markers to a plastic card that looks like a store discount/loyalty/charge card. With this have come some security problems which are causing many people grief. The victims can be the shop or the customer and the perpetrators can be the staff, the public or third parties. I will concentrate on the problems for the customer because they have no control over the system.

The cards themselves are low security. They have a number which is duplicated by a bar code and sometimes by a magnetic stripe. Some cards also have a PIN which is initially concealed by a scratch-off covering. When the card is purchased it is “loaded” with money but this does not get recorded on the card itself but onto a central computer system. When goods are purchased with the card then the cost is deducted and any balance remains in credit. In order to provide the customer with documentary evidence a receipt is issued every time a card transaction takes place which shows how much is left on the card and this can also be checked at any time, either in a branch of the shop, by telephone or online.

How can you be conned? There are a number of holes in the system, from old-fashioned deception through to weaknesses in the system itself.

  • One way is that the card you are given when you buy one is not the card that was loaded with the deposit, it has been switched by the cashier. As this is likely to be a gift this is not discovered until little Johnny tries to buy his new trainers or whatever and then often not followed up because the parents don’t want to trouble the old guy that gave it because perhaps he did something wrong.
  • A similar switch can be pulled when spending a card with the cashier returning a different card with less on it or claiming the one presented has less on it than it does.
  • The other one I have heard of is even more blatant. When you buy the card, you are not given it, just a gift wallet containing the till receipt. When questioned, the cashiers have said that that is the token, there is nothing else. This was observed a few times when they were new and could have been partly down to poor staff training but in many cases they were not reported because it was thought that “aunt Millie had lost it before giving it to little Johnny.”

The cure for all of these is to observe closely everything that happens. When you get the card initially make sure the number on the card matches the one on the receipt and write that number on the inside of the gift wallet. Then when each transaction takes place, make sure the new receipt matches the same number and the card number is still the same. Also demand to have the empty card back, it is yours. If there is a significant amount of money on it then separately check the value using the phone/online system or another cashier.

There is one final scam which is enabled by the poor system design and there is not much that the customer can do about it.

  • The cashier selling the card has already noted the number and/or copied the card—if it is a bar code then a photocopy will do. They then spend the money on it before the legitimate owner. This is quite common around Christmas because they know that the card is unlikely to be redeemed until the January sales. It is very hard to prove that you haven’t spent it yourself because the shop has records that you have.

The flaw in the system here is that there is no interaction with the real card like there is with a Chip-and-Pin credit card. For online transactions they use the scratch-off PIN to verify that you actually have the card but in the shop there is no similar verification if you are on the inside—i.e. staff.

These observations were made on one brand (the M&S store card) but I am not picking on that one in particular because they all have similar problems. Perhaps there are some with real security but I haven’t seen one. These are being treated like real money, they are already as vulnerable as cash because there is no recovery if they are lost, yet the value can be spirited away from you without you even knowing.

Beware the Facebook Bikini Girl

24 Nov 2009 08:48 by Rick

This is one for the boys—not. We have discovered that it is mostly the girls who are caught up by the Farmville type scams but this time it is the boys using Facebook that have to look out. There is a very sophisticated worm about (a worm is like a virus but crawls through web sites rather than directly between PCs). If you see someone’s profile picture has become a rather curvaceous girl in a Bikini then *don’t* click on it. If you do, then three things will happen. First you will be taken to a web site which contains rather a lot of porn. Secondly, that web site will download a lot of nasty stuff to your computer such as programs that steal account details. Thirdly, your profile will be changed to include this picture so as to attract other ~~mugs~~ victims. I said sophisticated at the start because it uses a lot of different techniques to trap you, from the initial social engineering making you think with the wrong part of your body through to clickjacking, which is a page layout technique where you think you are clicking on something innocent (ha!) but are actually saying yes to something important hidden underneath. As Roger Thompson says in a parody of Trooper Truth, “Keep safe, folks.”

Typical Farmville scam

12 Nov 2009 12:14 by Rick

If you are not aware of it, Farmville is one of the many addictive games that are available in Facebook. It is not the only culprit in these deceptive marketing techniques but among the best known. What you also need to know is that the lure is the internal currency used in the game. There is a thriving market in this to rival some minor real world currencies. For those that refuse to part with actual cash to buy the stuff then they try these sub-games.

Take the Farm IQ Quiz! Test your knowledge of farming with the Farm IQ Quiz! How much do you really know about crops and farms? Take the quiz and find out today! No credit card needed to receive Farm Cash within minutes.

At the end it says “Farm Cash awarded after the submission of a valid mobile number and PIN confirmation.” What they don’t say anywhere obvious is that sending this PIN number back to them as “confirmation” subscribes you to a mobile service which will cost you $9.99 US per month (there may be different versions in the UK). This is only one variation that makes Farmville and its associates part of a multi-million dollar business and, as a side effect, the advertising boosts the profits of Facebook. They don’t have the muscle to stop it but, when there is this benefit, why should they bother?

Thanks to SunBelt for the lead and TechCrunch for the detail.

Cold Call PC repair

10 Nov 2009 12:33 by Rick

I just had a “Help desk” call from a friend who relayed a phone call he had received earlier this morning. The caller knew his name and address (and obviously his phone number) and then went on to say that his PC was running slow and was having problems and they could fix it for him. To demonstrate they asked him to open Start==>Run and type “eventvwr” which would open a window, then click on “System” and he would see a lot of yellow triangle warnings and red cross errors which showed that there were problems. They then said that they could fix it remotely but the conversation never got far enough to say how as he became too suspicious.

On further questioning, during which he was passed between three different people, he discovered that the company was called SupportOnClick in India at www.supportonclick.com and could be reached at a UK number in Bradford 01274 900834. This looks like a legitimate web site for a PC support company which works in America, Britain, Australia and NZ and I suspect that the next stage of the call would be a connection via Remote Desktop and they would do something innocuous and then try to sell you a contract for three years.

I don’t suspect that this was a criminal scam, either obtaining personal bank details or infecting your PC with malware, but the methods are certainly deceptive—the mechanism they used to “demonstrate” that there were problems will always show some errors. It is useful for diagnosing problems but not worrying in itself. I suspect that they are just working down an electoral roll or some other mailing list; the majority of people they call will have a PC these days. Doing a web search I find that some people are not so lenient and, as they seem to use other deceptions like passing themselves off as from Microsoft or your ISP, then perhaps it is more sinister and they are trying to sell bogus AntiVirus software after all.
