You have to love security folk!

You just have to love people who insist on security for the sake of security. You know, the type who claim you need security even though it’s not really necessary, or even useful.

I spotted one of these cases on HSBC’s online banking. To get to the screen below you have to supply a string of digits which is your username, followed by secret word, then a numeric key generated by a token that I have to carry around me. Pretty secure, huh? Well, is what one of the screens looks like on the inside:


I love the fact that someone felt the need to obfuscate my phone numbers. I feel really secure in the knowledge that if someone hacks my bank account they won’t be able to phone me up.

Security Audit? Who needs one of those?

Here’s an interesting screenshot I just took on a website:


If you’re into development in any shape or form, you’ll see a number of security issues Three has with their website, including but not limited to:

  1. Password stored in plain text in a connection string
  2. Trivial password that could be cracked without thinking too hard
  3. And of course: not trapping errors so the whole world gets to see them.

I’ve omitted the name of the website, to protect the guilty, but there wasn’t much point, based on what the error was returning. There’s a lot that a potential hacker could learn from that lapse, and it essentially highlights the need of having a security professional involved in your development and release processes. These are basic errors that can be prevented, so why risk you site .. and your reputation!

Firefox turns off WPF plugin

I was greeting with an interesting dialog box when I got back to my computer just now:


I did some digging and it turns out that WPF did have a vulnerability, but it was patched a couple of days ago. Firefox, however, has no way of knowing if you’re running the patched version or the original one with a security flaw (which Microsoft forcibly added to Firefox without warning a few months ago). You can read more about the issue here.

Interesting times huh?

National Identity Fraud Prevention Week

I’ve just found out that it’s National Identity Fraud Prevention Week in the UK at the moment. What is ID fraud? Well, it’s when someone impersonates you or your company and commits criminal deeds which you may eventually be blamed for. The most common crime committed is fraud, using your details to defraud you or third parties. Unfortunately we live in a world where information is readily available, and most of us have no qualms leaving our date of birth on Facebook or telling people what our mother’s maiden name is. Unfortunately these two factors are also used by a number of financial institutions to protect your online account. Do you see where I’m heading with this? No? then maybe this video can help:

The week has been organised to raise awareness around these issues and the website includes a number of real life stories and tips that everyone can follow to minimise their exposure to this risk. Unfortunately everyone can be targeted by nefarious criminals, it doesn’t have to be your postman. It could be a Russian hacker pretending to be an Irvine web design firm; or a buyer on eBay who bought your old computer which had all your passwords stored on it; or a complete stranger who picked our your bank statement from your recycling pile; pretty scary huh?

The end result is that we need to be more aware of our actions and our information. Always be aware of what data you’re “leaking”. Being vigilant and aware is the key.

Looking for an Excel password?


Have you ever had a password-protected Excel document that needed opening up? It happened to me a couple of years ago. I worked for a company that used an Excel sheet in a shared folder to store passwords to different websites that the company had accounts on. One of the policies the company had was that the password to this spreadsheet would change on a routine basis, just following protocol; but the person who changed it must have typed in the wrong password. The spreadsheet was locked, but the new password just didn’t work. They tried various misspellings but still couldn’t unlock it.

Anyway, to cut a long story short, they had to bin the spreadsheet and start all over again; but today I found a product they could have used to retreive the password. It’s an Excel Password Recovery tool that has two options. It can either unlock the document and just remove the password from it. Or else, it can run a brute-force attack on the file and figure out what the password actually is. Depending on which method you use, there are different parts of the program to use, but the end effect is that you can finally get back into your document.

Pity we didn’t have access to this program back then; it could have saves lots of time and effort if that had been the case.

Secure your systems with FortressSSH

open for business

I came across a great whitepaper by a company called Pragma Systems that talks about their Fortress product line, designed to secure a wide variety of different platforms using protocols like SSH, SFTP, SCP and others. They have a variety of different offerings ranging from server security suites to a secure shell client and have a long list of clients including IBM, Coca-Cola, Dell and many others spread all around the world.

Read the whitepaper here

Clickjacking here’s how it works

I’ve posted before about Clickjacking and how scary this is for most Internet users, regardless of which browser you’re using or whether you have Javascript turn on or off. There’s more information about the threat on the Interweb today, including a demo of how the exploit works and some advice on how you can avoid it. First of all, what is clickjacking? There’s a great writeup on Securoris that explains it quite succinctly:

  1. Clickjacking allows someone to place an invisible link/button below your mouse as you browse a regular page. You think you’re clicking on a regular link, but really you are clicking someplace the attacker controls that’s hidden from you. Why is this important? Because it allows the attacker to force you to interact with something without your knowledge on a page other than the one you’ve been looking at. For example, they can hide a Flash application that follows your mouse around, and when you go to click a link it starts recording audio off your microphone. We have protections in browsers to prevent someone from automatically initiating certain actions. Also, many websites rely on you manually pressing buttons for actions like transferring large sums of money out of your bank account.
  2. There are two sides to look at this exploitation- user and website owner. As a user, if you visit a malicious site (either a bad guy site, or a regular site that’s been hit with cross site scripting), the attacker can force you to take a very large range of actions. Anytime you click something, the attacker can redirect that click to the destination of their choice in the context of you as a user. That’s the important part here- it’s like cross site request forgery (really, an enhancement of it) that not only gets you to click, but to execute actions as yourself. That’s why they can get you to approve Flash applications you might not normally allow, or to perform actions on other sites in the background. As with CSRF, if you are logged in someplace the attacker can now do whatever the heck they want as long as they know the XY coordinates of what they want you to click.
  3. As a website owner, clickjacking destroys yet more browser trust. When designing web applications (which used to be my job) we often rely on site elements that require manual mouse clicks to submit forms and such. As Robert (Rsnake) explains in his post, with clickjacking an attacker can circumvent nonces (a random code added to every form so the website knows you clicked submit from that page, and didn’t just try to submit the form without visiting the page, a common attack technique).
  4. Clickjacking can be used to do a lot of different things- launching Flash or CSRF are only the tip of the iceberg.
  5. It relies heavily on iFrames, which are so pervasive we can’t just rip them out. Sure, I turn them off in my browser, but the economics prevent us from doing that on a wide scale (especially since all the advertisers- e.g. Google/Yahoo/MS, will likely fight it).
  6. Clickjacking is very difficult to eliminate, although we can reduce its risk under certain circumstances. Because it doesn’t even rely on Javascript and works with CSS/DHTML, it will take a lot of time, effort, and thought to eliminate.

If that sounded scary, have a look at a video showing one application of the exploit:

If you want to study that further, you can actually run it through it’s paces here.

So, what can be done about this? First of all, it’s worth realising that while it’s a powerful threat, the risk of it happening isn’t that high at the moment. Vendors have started recognising the threat and coming up with solutions for dealing with it. Adobe has come up with a workaround and NoScript has released ClearClick to help address it. It’s only a matter of time before this is quashed too (won’t be easy though)