Archive for the ‘Security’ Category

Facebook Ads

6 Mar 2009 10:09 by Rick

I have had a bunch of posts piling up waiting until I could update WordPress (which I did last night) so here is another one.

I have created a Facebook account, mostly to see what it is all about and see if I can use it to progress my genealogy research. That has been quite successful but in passing I have noticed that the advertisements down the right hand side of the profile screen are dominated by “Get Rich Quick” ads. They are all very similar in style with titles like “My New £1,000/day Hobby” and are mostly advertising a system using Google Adsense. The way this works is that you allow Google to put adverts on your website or blog and you get paid if your readers click through to the advertised site. It is certainly a legitimate way of earning and it is possible to make money doing it—BUT you need a very popular web site to make much. To get a very popular site you need lots of good content and that takes time and effort (and skill).

I strongly suspect that what these Facebook advertisers are really selling is a book or software supposed to help you reap these enormous gains. Information about running an Adsense program is readily available for free online (just read it with your brain switched on) and, in any case, you will probably find that the supposed income from these schemes is faked.

P.S. The linked technique above can be used to fake any web site so just don’t trust screen shots!

Configuring the Firewall on MacOS X 10.5.1+ (Leopard)

2 Feb 2009 11:23 by Rick

Confession: Until last week, I had it switched off. It didn’t make a lot of difference but I should have been more careful. It was just that when I first switched it on, nothing worked and I didn’t understand how the Mac worked enough to fix it; then I forgot. It ought to be switched on by default then this wouldn’t happen.

Anyway, it is all actually quite straightforward. There are guides available to show you how to do it. The problem is that they are a bit too technical in language and also are not clear on how to decide what to put in the table of allowed programs. The answer is: don’t put any in manually, let them ask you first and then decide if you want to allow it.

The sort of programs which will ask and need it are IM/VoIP (iChat, Adium, Skype) and Download/Upload services (µTorrent, iPlayer, CyberDuck). Your browser may also ask, it rather depends on what sites you go to. Some applications ask more than once but eventually they remember. The ones that don’t ask and shouldn’t need it are Mail/RSS/News (Thunderbird, iMail), Text (NeoOffice, TextWrangler, TextEdit, MS-Office) and (to my surprise) Virtual Machines (VMware Fusion, Crossover and probably Parallels). In any case, you ought to run a local firewall in virtual machines.

Intercept Modernisation Programme

13 Jan 2009 13:53 by Rick

Information is slowly leaking out about what this government initiative will actually mean. The EU Data Retention Directive provides for member states to require Communication Service Providers to collect and retain data for a period of between 6 months and 2 years. There are hints that the Home Office are going not only to specify the maximum period but also to set up a system to record it all centrally.

Some sources suggest that the recording of phone call information (that is source and destination numbers and timestamp, not content) is already being done (but probably not Skype calls).

Extending this to email could be problematic. The source address of an email is known to be highly unreliable (look in your spam box to see examples). In any case, if the ISPs are to do it, then what about those people who use international web mail services like Hotmail and Google, plus those (ahem!) who use an off-shore host? But then, other sources suggest that, to make things easier for the smaller ISP, the intercept will be done further upstream on the trunks. To do this they would have to filter on the port numbers (POP, SMTP & IMAP). Even then it wouldn’t catch the web mail services.

Extending it further to monitor other internet traffic such as web sites generates a huge quantity of data. Just viewing one page can easily generate dozens of requests and downloads, a busy portal can require hundreds, so some serious data reduction techniques would have to be used. But as a side effect, the data is unreliable in intent even if comprehensive in actuality. The user is not in control of side content on the web pages they view and not even the main content when the referrer information is vague or misleading.

We already know that the return on investment for video surveillance is very poor to the extent that some authorities are leaving them unmanned. Sifting through the archives looking for incidents retrospectively is enormously time consuming and frequently a waste of police time. I don’t suppose this new idea will be any better.

Verified by Visa

15 Dec 2008 12:05 by Rick

Another attempt at improving the security of online transactions is Verified by Visa (and a very similar system called Mastercard SecureCode). The system is that a password independent of anything written on the card and with much more variability (10-15 characters) is verified with the bank first and then used for transactions. Not all banks nor all retailers are signed up yet but it looks to be a good system, albeit with only one of the factors of authentication in use (Something-you-know). A clever part is the echoing back of a phrase decided by you (“Personal Message”) in advance to give you confidence that it is a genuine transaction (so beware of any Verified-by-Visa popups that don’t contain this phrase).

However the implementation on the ground has not been good. Very little advance information has been sent out to customers and often the first thing they discover is a retailer that is using it, sometimes with no option. You do get an invitation to sign up there and then (called Activation During Shopping) but this is exactly the situation we have all been warned against—an unknown web address (not even the retailer one) asking for personal details and passwords. I recommend that if you come across this, pause the transaction and go to a different window and sign up directly via your known bank web site.

Now when will The Cooperative Bank join in? Ah, they are, slowly, it just doesn’t say so on the Visa site. They have decided not to use Activation During Shopping so they get a gold star from me for having a clue. I will take half of it back though, as they are using a “memorable name” rather than a real password, nor do they seem to be using the echoed personal message. Is this really one system or are people making it up as they go along?

Cardholder Not Present

5 Dec 2008 10:51 by Rick

The key requirements when approving a transaction are authentication, proving that you are the person you say you are, and authority, that you are allowed to perform the transaction. With a typical credit card transaction, these two go together as the authentication shows that you are the owner of the account who automatically has full authority. There is scope to break that link, but that would need to be another article.

The mantra in the security industry regarding authentication is

  1. Something you have—such as a card.
  2. Something you know—such as a PIN or password.
  3. Something you are—much harder and relies on such things as biometrics.

When you go into a shop, you take the card out of your wallet, immediately satisfying point one. Presented with a keypad, you type in your PIN, satisfying point two. If the card had a photograph then it would (very weakly) satisfy point three as well, just as the signature used to do before Chip-and-PIN.

Cardholder Not Present transactions have always been weak. These are those done on the phone, by post or over the internet. Point one becomes subverted because there is no way to tell that you actually have the card; you could just have a photocopy or a note of the number. If point three was ever covered then that is lost as well. So the authentication is reduced just to what you know—the card number. They have tried to improve this recently by adding three extra digits to the back of the card. The theory was that this number was not embossed nor recorded in shop transactions so was less likely to be compromised. In practice it is still visible to anyone who handles the card (which is why I obliterate mine) and an increasing number of face-to-face transactions are asking to know and record the number. Hotel receptionists, for example, want to be able to process a transaction if you do a runner.

There are a number of initiatives to improve the position, mostly by providing the customer with some sort of device to generate a sequence of one-time passwords which are predictable by the bank but not by anyone else. Each device is unique and keyed to your account. This has taken a significant step forward and now it is possible to build such a device directly into the card; a great achievement as the card still has to be capable of passing through an ATM and shop chip readers. This provides two major improvements: firstly it restores the requirement “Something you have” because you have to have the card to use it, and it is locked to your account so there is no using one device with another card number. Secondly, it requires the “secret” number to be entered into the device itself, not into the online/telephone transaction, so there is no risk of it leaking; and this number is now the truly secret PIN, not the number printed on the back of the card.

This will surely annoy hotel managers though.
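To make the device-plus-bank scheme concrete, here is an added example (not any bank’s real implementation) in which the card-sized token and the issuer share a per-card secret and use RFC 4226 HOTP to produce counter-based codes; the PIN is checked on the device and never leaves it. The class and function names are this example’s own.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not a real bank's scheme: HMAC-SHA1 over a counter (RFC 4226)
# gives codes the bank can predict but nobody without the per-card key can.
DIGITS = 6
LOOK_AHEAD = 5  # how far the bank searches if the device's counter ran ahead


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class CardDevice:
    """The token built into the card: holds the key, a counter and a PIN hash."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._counter = 0
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def generate(self, pin: str):
        """Return the next code, or None if the PIN is wrong (counter untouched)."""
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return None
        code = hotp(self._key, self._counter)
        self._counter += 1
        return code


class Bank:
    """Issuer side: each card number maps to its own key and next expected counter."""

    def __init__(self):
        self._cards = {}

    def issue(self, card_number: str, pin: str) -> CardDevice:
        key = secrets.token_bytes(20)  # unique per card: the device is locked to this account
        self._cards[card_number] = [key, 0]
        return CardDevice(key, pin)

    def verify(self, card_number: str, code: str) -> bool:
        """Accept a code once only; resync forward within LOOK_AHEAD, never backwards."""
        entry = self._cards.get(card_number)
        if entry is None:
            return False
        key, expected = entry
        for c in range(expected, expected + LOOK_AHEAD):
            if hmac.compare_digest(hotp(key, c), code):
                entry[1] = c + 1  # burn this and earlier counters: no replay
                return True
        return False
```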

Adobe vs. Clue ends in divorce

7 Jul 2008 11:16 by Rick

Adobe started to lose it some years ago when some marketing wizard decided to re-brand Acrobat Reader and call it Adobe Reader. You still find even experienced system managers confusing the names and you are never quite sure if they are talking about the real Adobe Acrobat or just the Reader freebie.

So when they announced Adobe 9 I wasn’t sure at first if they meant the full product or just the Reader (or both). Especially as we have only just had the emergency patch for Reader 8.1.2. “What patch?” do I hear you ask. Well, to digress, it was very important because it fixed a security hole that could allow those safe files called PDFs to compromise your system. Open up Reader now and click on Help > Check for Updates and it should download a thing called “Security Update 1”. Not that you would realise when it is done because for some stupid reason, the version number is not changed so it still says Version 8.1.2. While we are on the subject, if you download the Windows patch by hand it is called AcrobatReaderUpd812SU1_all.msi so it seems even Adobe are confused by the name.

Now the rest of this is hearsay as I haven’t tried it myself yet but it seems that the new Adobe 9 has bundled together the PDF Reader which we generally tolerated with Flash, the product that Adobe bought from Macromedia and which we all love to hate. It also includes Acrobat.com and Adobe Air, neither of which I have heard of. That is a 33MB download and 200MB+ install for something to just read PDF files! Also beware of the Free eBay desktop which is automatically ticked for you.

I won’t be bothering on my Mac—Preview does the job for me just fine and my Windows systems can stick with Version 8.

AVG 8 Rumpus

17 Jun 2008 12:08 by Rick

There is growing concern among web site owners, their hosts and web marketing experts that AVG 8 is causing increased costs. The issue is LinkScanner and what it does to traffic. I have already commented that, for those users on limited bandwidth such as dial-up, it should be disabled and I have provided instructions on how to do this. But if it is also significantly affecting the other end of the internet—the web hosts—then AVG may be forced to modify it.

The way it works is that if you do a search using the major engines (at least Google, Yahoo and MSN Live) then you get a page of results, generally 10 at a time. AVG LinkScanner then steps in, visits every one of those results, checks each one for malware and sets a flag (Good, Doubtful or Bad) against each one to warn of potential problems.

The issues for users are:

  • The increased bandwidth caused by the requests and results could have an impact on performance and possibly on any quotas you may have. This will be particularly true for dial-up users but could also affect capped broadband. On the other hand, users may judge that the benefit offsets the costs.
  • Your logs and/or cache could show that you have visited sites that you had no intention of going to. This could have embarrassing or legal implications.
  • This could also be reflected in any profiling that your ISP or the sites themselves are doing which could affect the advertising you receive (it could also be regarded as an asset as it may upset statistics gathered by Phorm type systems 🙂 ). A possible impact is that a site may think you have already seen a particular advert and not deliver it again—you never know, it may have been the offer you were waiting for.
  • If the scanner itself were compromised then it is getting a lot of potential data to further infect your system.
  • Because much malware is served via adverts, and adverts are rotated on every visit, the green tick may give you a false sense of security.

The issues for site owners and their friends are:

  • They will see increased traffic, and hence bandwidth which they have to pay for. Larger sites may need to deploy extra servers and connections to cope with the additional load.
  • Sponsored results will also be visited and the agencies will charge the customer for each visit and it increases the apparent Click Through Rate with bogus visits. Update: Apparently AVG 8 goes direct to the raw URL and bypasses the Click Through detector so that the customer will not be charged. They will, however, still see the increased traffic.
  • Ordinary pages that are funded by advertising appearing on them will see an apparent drop in Click Through Rate because the user never sees the ad to visit it.
  • Web statistics become [even more] unreliable due to the increase in “bounces” i.e. visitors that come in from search and don’t go to any other pages.

At present the traffic is detectable for what it is, so concerned web owners can allow for it either in their analyses or even suppress responding to it. However, if that remains the case, then malicious hosts will be able to detect it too and serve different content to fool the scanner into returning a clean bill of health. It will be interesting watching the news in the next few weeks to see how this is resolved.

Papers please

12 Jun 2008 10:31 by Rick

“Geheime Staatspolizei, die Papiere bitte!”

“Homeland Security, boarding pass and ID please!”

Can you tell the difference? I can’t. The second is now standard for internal flights in the USA even though it is unconstitutional and goes beyond the legal requirements. Some of us are sure that the same thing will come here if we are not careful.

Thanks to a comment by Ravan on Bruce Schneier’s blog for the idea.

User profiles in WordPress

20 May 2008 11:30 by Rick

For some time I have been having problems with registered users. Not the dozen or so users that I know about who either contribute to the site or are left over from the days when I insisted on registration before commenting. No, these are ones where “people” have found the registration page, created a profile but I have never heard from them since. I have been looking for a way to clear them out, which is not easy because I have no way to tell if they have actually commented using that profile and if I delete those, then the comments disappear with them. I have been looking around for a plugin to help and in the mean time I have been deleting ones with email addresses in Russia, Bulgaria and Poland—it is not xenophobia, just that I know that there is a 99% chance that they are spammers.

One possible plugin that I have tried is loginlogger. This keeps a track of when people have logged in. I was hoping it did a bit more but even that has been fascinating. Apart from my own connection, which I know about, I had well over 100 failed logins over a 2 hour period last night, and the usernames were quite repetitive; brutal2008, Reiki, kazikr, broker1980, watroba50, smiglidigli, bombastik2008, etc. occur quite often. These names don’t appear in my roster (but they may have once and I have deleted them, I don’t keep track) but doing a Google search on them reveals a common pattern; most hits are either on SEO sites or are Polish or Russian sites or in those languages.

So my policy seems to be justified—that is where the spammers are. To avoid the problem in the future I could have disabled registration altogether. It isn’t used a lot, but I like to give regular commenters the option of having their profile stored if they want to. So what I have done is install the Sabre plugin. This is a very flexible registration control system with options for Captcha, arithmetic tests, email confirmation and other validation techniques. I am hoping that with minimal effort I can foil the majority of automatic bot registrations.
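The pattern above (a burst of failed logins for usernames that are not on the roster) is easy to pull out of a plain login log. This is an added example, not the loginlogger plugin’s code; the log format, every log line and the roster are constructed for it.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log for this example. Format: "<date> <time> <OK|FAIL> <username> <source-ip>".
CONSTRUCTED_LOG = """\
2008-05-19 22:10:03 OK rick 192.0.2.10
2008-05-19 23:01:12 FAIL brutal2008 203.0.113.5
2008-05-19 23:01:15 FAIL Reiki 203.0.113.5
2008-05-19 23:02:40 FAIL brutal2008 198.51.100.7
2008-05-19 23:05:01 FAIL broker1980 203.0.113.5
2008-05-19 23:07:55 FAIL brutal2008 203.0.113.5
2008-05-20 07:30:00 FAIL rick 192.0.2.10
2008-05-20 07:30:20 OK rick 192.0.2.10
"""

KNOWN_USERS = {"rick"}  # the site's roster, constructed


def parse_log(text):
    """Return a list of (timestamp, succeeded, username, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, hms, status, user, ip = line.split()
        ts = datetime.strptime(f"{day} {hms}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, status == "OK", user, ip))
    return events


def failures_by_user(events):
    """Count failed logins per username (repeated names stand out)."""
    return Counter(user for _, ok, user, _ in events if not ok)


def unknown_failed_users(events, roster):
    """Usernames that failed to log in and are not on the roster at all."""
    return {user for _, ok, user, _ in events if not ok and user not in roster}


def burst_sources(events, window=timedelta(hours=2), threshold=3):
    """Source IPs with at least `threshold` failures inside any `window` (sliding)."""
    per_ip = defaultdict(list)
    for ts, ok, _, ip in events:
        if not ok:
            per_ip[ip].append(ts)
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged
```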

AVG 7.5 End of Support

13 May 2008 10:51 by Rick

Despite some messages to the contrary, the AVG 7.5 End of Support date is 31 Dec 2008. Changes to this policy are not anticipated but this is the link to watch. Even some notices from the product itself give other dates.

[Image: Misleading AVG Alert]

These are WRONG.
