Archive for the ‘Security’ Category

Well done Jeremy Clarkson

Monday, January 7th, 2008

I used to think that it wouldn’t matter if my bank details got leaked, because that would only enable people to put money into my account, and not take it out. A friend of mine who worked in a bank told me it is not quite so straightforward, and advised me not to broadcast my personal details on the internet. This is funny.

TV presenter Jeremy Clarkson has lost money after publishing his bank details in his newspaper column.

The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people’s personal details on two computer discs.

He wanted to prove the story was a fuss about nothing.

But Clarkson admitted he was “wrong” after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK.

Monster.com Hacked… Again…

Wednesday, November 21st, 2007

I’ve mentioned Monster.com a few times since details of the big security breach first came out - when 1.6 million CVs were swiped by hackers, leading to lots of spam and highly targeted scams. Most people didn’t pick up on the fact that this is nothing new for Monster. Because of the way their website is structured, with all the CVs up for grabs by anyone who can get hold of an employer login, it is safe to bet that thousands of candidates every day have their private details leaked into some spammer’s database. No SQL injection or XSS required - just get access to one of the many thousands of employer accounts.

So I was surprised that Monster vowed to set things right by pledging a portion of their $80,000,000 upgrade to improving their security. I mentioned at the time that they could throw $80 billion at security upgrades, and it would still not make a difference to its users’ privacy without fundamentally changing the way the site works.

Regardless, throwing money at upgrading the security of the website should prevent any further embarrassments, right? According to The Register, attackers hijacked part of the website yesterday, using it to spread malware to the site’s visitors.

The outage affected the Monster Company Boulevard, said Exploit Prevention Labs’ Roger Thompson, who first noticed the site was inaccessible around 5 pm Monday East Coast time.

Several hours earlier, he discovered the site had been subject to an iFrame attack that was redirecting visitors to servers that hosted exploits from Neosploit, a nasty attack toolkit that competes with better-known packages such as MPack and Icepack.

This has gone beyond a joke. I’ll bet €50 that Monster will make headlines once again (for the wrong reasons) before the year is out.
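The iFrame attack in the quoted Register excerpt is the kind of thing a site owner can scan for on the defending side. The following is an added example, not code from the original post or from Monster or Exploit Prevention Labs: a small HTML scanner that flags iframes that are hidden (zero-size or `display:none`) or whose `src` points to a host other than the site’s own. The sample HTML and host names are constructed for illustration.

```python
"""Flag suspicious <iframe> tags in an HTML page (added example, constructed data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """True when the frame is styled or sized so the visitor cannot see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = attrs.get(dim)
        if val is not None and re.fullmatch(r"0+(px)?", val.strip().lower()):
            return True
        if re.search(rf"{dim}:0+(px)?(;|$)", style):
            return True
    return False


def find_suspicious_iframes(html, site_host):
    """Return a list of findings for iframes that are off-site and/or hidden.

    site_host is the page's own host name; a relative src (no host) is
    treated as on-site.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        offsite = host is not None and host.lower() != site_host.lower()
        hidden = _is_hidden(attrs)
        if offsite or hidden:
            findings.append({"src": src, "offsite": offsite, "hidden": hidden})
    return findings


# Constructed sample page: one legitimate widget frame and one injected,
# invisible frame pointing at an outside host (all names are made up).
SAMPLE_HTML = """
<html><body>
<h1>Company Boulevard</h1>
<iframe src="https://www.example-jobsite.test/widget" width="300" height="200"></iframe>
<iframe src="http://badhost.example.test/in.php" width="0" height="0" style="display:none"></iframe>
<p>Job listings go here.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "www.example-jobsite.test"):
        print("suspicious iframe:", finding)
```

Run against a crawl of your own pages, this reports only frames that are both unexpected in origin or invisible to the visitor, so a legitimate visible embed from your own host does not trigger it; an injected frame that is off-site but visible is still reported because of the host mismatch.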

Amateurs Acting as Front-line Security Personnel

Thursday, November 1st, 2007

I’ve been subscribed to the security expert Bruce Schneier’s blog for a long time now. He has always urged people to refuse to be terrorised, as he collected stories about a paranoid society that sends the SWAT team after Indian poetry professors for recycling paper, and can’t tell a bomb from a tape dispenser.

Today, he has aggregated these bits and pieces into an article entitled The War on the Unexpected:

We’ve opened up a new front on the war on terror. It’s an attack on the unique, the unorthodox, the unexpected; it’s a war on different. If you act different, you might find yourself investigated, questioned, and even arrested — even if you did nothing wrong, and had no intention of doing anything wrong. The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats.

The article is both entertaining and disturbing, and with each ridiculous scenario he references, Bruce highlights a worrying trend which cannot be averted without some unlikely policy changes by administration officials. Cue a lot of angry comments from people who didn’t get it.

“News Alert: Irish Broadband Routers Totally Secure”

Tuesday, October 9th, 2007

After all the coverage that Eircom got over their security problems, Irish Broadband have attempted to capitalise on the situation with this press release: “Irish Broadband routers are totally secure”. I don’t know whether they are trying to lure any confused/misguided Eircom customers to switch providers, or whether this is an attempt to console their existing customers, but this is an irresponsible message to send at a time when the public has finally begun to take note of internet security.

This line in particular is rotten to the core:

This password, being set by the customer, is not derived from the serial number of the modem or the network name and is therefore completely secure.

Ignoring the 58,700 results that I get in Google for “crack wpa”, even if the encryption method is somehow 100% unbreakable, just ask Paypal what happens when you allow the user to pick his own password.

When Eircom responded to their security issue last week, their reply was responsible and honest (for the most part). They qualified their statements with the standard disclaimer known to every first year computer science student and network technician: “it is widely recognised in the industry that no wireless access can be deemed 100% secure”, noting that through policy and advice to customers, they are making an effort to minimise the potential vulnerability. This is the textbook response.

Eircom gave their customers a false sense of security because some programmer made a genuine mistake (and he would have got away with it if it weren’t for those pesky kids). Irish Broadband are doing the same thing - unnecessarily allowing their customers to overestimate their security - but what is their excuse? Either they’re completely ignorant, or they’re blatantly lying.

Eircom Respond to Netopia Security Issue

Tuesday, October 2nd, 2007

In the two days since I posted about the security flaw in Eircom broadband routers’ default configuration, coverage has spiraled to the front page of the Irish Times and elsewhere. In the words of a former roadie for Metallica: “new shit has come to light, man”. Bart got a reply from Eircom. I am surprised to say that it looks like everyone’s favourite Irish telecoms operator (excluding BT Ireland… and Smart Telecom) are taking this seriously and responsibly. I am obliged to nitpick, however, at a particular section:

“This vulnerability makes it possible for a person with an advanced working knowledge of encryption and coding techniques to access an eircom customer’s Internet connection”

Eircom, you are missing the very crucial point here. We are not worried about the person with an advanced working knowledge of encryption and coding techniques - WEP is no protection against these guys to begin with. We are worried about the guy with NO knowledge of encryption and NO coding techniques, who can simply wander over to s4dd’s Eircom WEP Key Generator website and type in his neighbour’s SSID.

A lot of people missed the issue here, focusing instead on the demerits of WEP encryption. Here’s the analogy: someone sells you a new car with those old-fashioned locks on the side of the window that you push down / pop up. Anyone who knows what they’re doing can break through this security mechanism simply by using a coathanger, but at least your car is locked, right? What if everyone in Ireland had the key to the car? The fact that there are better ways to secure your car than using those push down / pop up buttons suddenly becomes irrelevant.

This is not about the strength of WEP - it is about being sold short. It’s about thinking you have a Cornetto when it’s really just a Wibbly Wobbly Wonder. It is also a funny story about an over-enthusiastic programmer who spent weeks thinking up an elaborate key-gen algorithm but was so distracted by the Hendrix solo in his head that he overlooked a pretty significant weakness in his magnum opus. But more importantly, it is about a false sense of security (albeit partial security) given to Eircom broadband customers.

So how will Eircom respond? According to the letter sent to Bart, they’ll contact everyone affected outlining the issue, with advice on how to handle it. They’ll be upgrading the security on their routers and will also try to improve the general security awareness of their customers. Could we ask for anything more? This does not sound like the incompetent Eircom I’m used to dealing with. Business development managers at Monster.ie could take note!

Eircom DSL Routers Security Flaw

Sunday, September 30th, 2007

A post on the Irish Linux Users’ Group a while ago linked to this boards.ie thread about a major weakness in the way the default WEP key for your Netopia is generated. The WEP key is formed from the serial number of the router and some Jimi Hendrix lyrics. That’s fair enough you might think, because nobody knows your serial number, right? For some reason, the Eircom SSID is also generated from the serial number in such a way that, given the SSID, you can easily find out the serial number, and hence the WEP key. The process has already been automated via an Eircom WEP key generator. I haven’t tried it myself, but one ILUGer has already reported that it works.

Some people will point out that WEP hardly gives much protection to begin with, since it can be cracked so easily and quickly by someone who knows what they’re doing. But now, even the laziest kid on the street can hack into your network without ever having to worry about command prompts or aircrack-ng. Eircom broadband users would be wise to change their SSID from the default, and to switch to WPA encryption while they’re at it. (Surf to 192.168.1.254 and it’s in the options there somewhere…)
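The design mistake described in this post and in the Eircom response above is that the default key and the broadcast SSID are both deterministic functions of the same serial number, so whatever the key derivation looks like, anyone who sees the SSID can replay it. The block below is an added example, not Eircom’s, Netopia’s or s4dd’s code, and the toy derivations in it are hypothetical (a six-digit serial, a `vendor` SSID prefix, a SHA-256 based key) with no relation to the real algorithm. It contrasts a serial-derived default key with one drawn from a CSPRNG, and includes the audit check a vendor should run before shipping: can the key be reproduced from the SSID alone?

```python
"""Default-key provisioning: serial-derived versus independent random key.

Added example with constructed, hypothetical derivations; not any vendor's algorithm.
"""
import hashlib
import secrets

SSID_PREFIX = "vendor"      # hypothetical vendor SSID prefix
KEY_HEX_LEN = 26            # 13 bytes = 104-bit key, the WEP-104 key size


def toy_ssid_from_serial(serial: str) -> str:
    """Hypothetical scheme: the default SSID is the serial with a prefix."""
    return SSID_PREFIX + serial


def toy_key_from_serial(serial: str) -> str:
    """Hypothetical flawed scheme: the default key is a pure function of the serial."""
    return hashlib.sha256(serial.encode()).hexdigest()[:KEY_HEX_LEN]


def provision_derived(serial: str):
    """The flawed design: SSID and key both come from the serial."""
    return toy_ssid_from_serial(serial), toy_key_from_serial(serial)


def provision_random(serial: str):
    """The fix: the key is independent random material per unit, stored in
    the unit (and on its label), and has no relationship to the SSID."""
    return toy_ssid_from_serial(serial), secrets.token_hex(KEY_HEX_LEN // 2)


def key_recoverable_from_ssid(ssid: str, key: str) -> bool:
    """Vendor-side audit check: given only what the router broadcasts (the
    SSID), can the default key be reproduced?  Models the attack class the
    post describes without any real vendor specifics."""
    if not ssid.startswith(SSID_PREFIX):
        return False                      # SSID changed from default: nothing to replay
    serial_guess = ssid[len(SSID_PREFIX):]
    if not (serial_guess.isdigit() and len(serial_guess) == 6):
        return False
    return toy_key_from_serial(serial_guess) == key


if __name__ == "__main__":
    serial = "123456"                     # constructed sample serial
    for name, (ssid, key) in (("derived", provision_derived(serial)),
                              ("random", provision_random(serial))):
        print(f"{name:8s} ssid={ssid} key={key} "
              f"recoverable_from_ssid={key_recoverable_from_ssid(ssid, key)}")
```

The check also shows why the advice in the post (change the SSID from the default) helps even if the key stays the same: once the SSID no longer carries the serial, the derivation cannot be replayed from the air, although the key is still only as secret as the serial number on the box.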

Update: I removed the link to s4dd’s site with the WEP key generator. There’s no point brushing stuff like this under the carpet, I think it is important to raise awareness about this, but at the same time I don’t want to be responsible for anyone stealing your email.

It’s Time for TOR to Rewrite their Docs

Monday, September 17th, 2007

One of the most effective ways to achieve anonymity online is by using TOR - the Onion Router. A minority of volunteers run servers which make the service possible. It is risky, because, if you run a server, it could be your IP that is logged when somebody does something illegal.

The TOR website has an abuse FAQ that asks “So what should I expect if I run a server?”. The answer they give is:

If you run a Tor server that allows exit connections (such as the default exit policy), it’s probably safe to say that you will eventually hear from somebody. Abuse complaints may come in a variety of forms. For example:

* Somebody connects to Hotmail, and sends a ransom note to a company. The FBI sends you a polite email, you explain that you run a Tor server, and they say “oh well” and leave you alone.

Alexander W. Janssen tells a different story:

I was arrested. They scared my wife. They confiscated all my equipment. They stopped the investigation. I’m sitting on a pile of bills from my lawyer no one except me has to pay. I’ll sue for compensation, but I don’t think that this will lead anywhere. I’m now accused of something else.

Sacrificing a Lot of Security for a Small Gain in Usability

Saturday, August 25th, 2007

It’s time to raise the bar in internet security, and this needs to start with the likes of Paypal. Since I began using the internet in 1996, it has been the same old story - plenty of advice about strong passwords and good security policies, but attitudes have still not changed. Good advice will get us nowhere - this was proven many times over, when the ILOVEYOU worm was followed up by Sircam and a thousand other bizarre email attachments that people insisted on opening.

Today I created a Paypal account for “casual” online sellers (there’s a pun in there somewhere but it is beyond my ability, unfortunately). Paypal requires a minimum of 8 characters in your password, and if you try to use “password” it replies: “Password contains a forbidden word”. This is a start, at least. So then instead, I use ‘qwertyui’. It is not difficult for a hacker to work off a list of the most common 8- or 9-letter passwords. How many Irish people do you think use ‘liverpool’ as their password? It might be safer to take the responsibility out of the user’s hands altogether, and force them to learn a random password, but that would most likely lead to sticky notes on the monitor.

A safer solution is to get people used to long pass phrases (15+ characters), with numbers, special characters, and letters in upper and lower case. If you make it difficult enough, then maybe they won’t be inclined to use the same password with every mickey mouse unencrypted database they sign up to, which can only be a good thing. I really don’t think Paypal are going to lose customers just by making it slightly harder to log in. Look at Bank of Ireland’s Banking 365, as an example: to log in, you need a seemingly random 6 digit user ID that nobody knows AND a 6 digit pin that nobody knows AND the answer to a security question that most people could find out. This is a major contrast to Paypal’s login: an email address that everyone knows, and potentially a weak password that most people could guess. And still you get groups of phishing victims who try to sue 365 Online for inadequate security.

Remember, this is not just some web forum or Wordpress blog you’re signing up to, it is more or less an online bank. You are leaving significant sums of money and your credit card details, flimsily protected by 8 letters. If I went through all the eBay sellers who were selling Liverpool merchandise, and attempted to log in to their Paypal using their email address and the password ‘liverpool’, how many accounts would I have access to?
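To make the contrast concrete, here is an added example, not Paypal’s code: one function models the policy described above (8+ characters, a forbidden-word check) and another models the post’s recommendation (15+ characters, upper and lower case, digits and symbols, plus a block-list of common passwords). The forbidden-word set, the common-password list and the sample passwords are constructed for illustration; a real deployment would check against a large breached-password list.

```python
"""Password policy checker: an 8-character rule beside a long-passphrase rule.

Added example with constructed word lists; not any site's real policy code.
"""
import string

# Constructed stand-ins for a real forbidden-word and common-password list.
FORBIDDEN_WORDS = {"password"}
COMMON_PASSWORDS = {"password", "qwertyui", "liverpool", "12345678", "letmein1"}


def weak_policy(pw: str) -> list:
    """Models the policy in the post: 8+ characters, 'password' forbidden.
    Returns a list of problems; an empty list means the password is accepted."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if any(word in pw.lower() for word in FORBIDDEN_WORDS):
        problems.append("contains a forbidden word")
    return problems


def strong_policy(pw: str) -> list:
    """Models the post's recommendation: 15+ characters, all four character
    classes, and not on the common-password list."""
    problems = []
    lowered = pw.lower()
    if len(pw) < 15:
        problems.append("shorter than 15 characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if any(word in lowered for word in FORBIDDEN_WORDS):
        problems.append("contains a forbidden word")
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation or c == " " for c in pw),
    )
    if not all(classes):
        problems.append("needs lower case, upper case, a digit and a symbol")
    return problems


def compare(pw: str) -> dict:
    """Accept/reject verdict of both policies for one candidate password."""
    return {"weak_accepts": not weak_policy(pw),
            "strong_accepts": not strong_policy(pw)}


if __name__ == "__main__":
    # Constructed sample passwords, including the two the post mentions.
    for candidate in ("password", "qwertyui", "liverpool",
                      "correct horse battery staple", "Liverpool-1892-Anfield!"):
        print(f"{candidate!r:32s} {compare(candidate)}")
```

The point the post makes falls out of the output: ‘qwertyui’ and ‘liverpool’ sail through the 8-character rule and are rejected by the passphrase rule, while a long mixed-class phrase that happens to contain a club name is accepted, so the stronger policy is no harder to live with for someone choosing a sentence-length secret.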

As for the two security questions, here is a screenshot:

There is a serious oversight here. On one hand, Paypal give you two solid, difficult security questions that only you and your close family could answer (Last 4 characters of driver’s license and Last 4 digits of social security number), but then they undermine it with two questions so blindingly obvious that you wonder why they bother with security questions at all. Which two security questions do you think the majority of the users are going to select? Definitely not the ones that mean they have to go rummaging for their driver’s license, and trying to remember their social security number.

I was never a fan of security questions anyway, simply because of the fact that anyone who knows me can find out the answer to just about any of them. I always lie, which kind of defeats the purpose. What about the people that don’t lie? How difficult would it be to log onto their Facebook and find out their dog’s name or city of birth? Why don’t Paypal just allow me to put in two secondary passwords, instead of answering dumb questions? Or why not allow me to define my own security questions, like some sites do? Better yet, why not get rid of security questions altogether - if you forget your password, you can phone up the support team, and they can ask you a bunch of security questions in the old fashioned way.

“But it doesn’t matter if they can answer my security questions, because they don’t have access to my email!” exclaims the Man in the Yellow Hat, giddily. I’m not the person to say how secure or insecure your email is, but from my days as a Linux sys admin, I did notice a couple of things:

  • Do you send your password in plain text? If you’re not using SSL or TLS to connect to your POP3/IMAP server (most people are not), it could be painfully easy for someone on your network to get your password using a sniffer.
  • Is your DNS safe? I once emailed an Irish ISP and asked them to change the MX records for a decent sized domain - about 300 users actively using the email. They were very nice and friendly, and swiftly complied with my request, neglecting to ask for my credentials or a fax or phone call to verify the request. I was a new employee at the company and they had no way of knowing that I was authorised to make this change. I could have been anyone, and I could have configured my mail server to forward on all emails to the real mail server, so that the company would never even know they were being intercepted.

I’m sure there are hundreds of reasons not to trust in the security of your email account, but those are the two that taught me to take nothing for granted.

Any company that stores credit card information should be legally obliged to set a minimum security standard. I believe there are laws like this already in existence, does anyone have the details? I’m guessing they need to be either stepped up or actually enforced. It could be so easy to make a positive change in the general attitude, but as long as big sites like Paypal are happy with sub-par security policies, then we will always believe that typing more than 6 letters in a password is an unnecessary inconvenience.

Mac OS X Security

Saturday, April 21st, 2007

Infoworld are crowing that a “myth” has been crushed, as a hacker managed to break in to OS X to win a security contest in Vancouver. No myth has been crushed - at worst, perhaps a misconception has been dented. OS X is not hack-proof - there is no operating system on earth that is 100% secure when attached to a network, and the way some people have responded to a run-of-the-mill Safari vulnerability, you would think that there has been an apocalypse.

What the Infoworld article fails to mention is that CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day. It doesn’t specify exactly how the rules were relaxed, but a comment mentions that “The successful attack on the second and final day of the contest required participants to surf to a malicious Web site using Safari”. If this is the case, then as far as I’m concerned, the contest only served to show how well secured OS X really is.

The article quotes Dragos Ruiu, organiser of the event:

“You see a lot of people running OS X saying it’s so secure, and frankly, Microsoft is putting more work into security than Apple has”

Dragos: the reason Microsoft is putting so much more work into security than Apple is because it needs it so much more. How many times have I had to fix friends’ Windows computers for no other reason than they left it online for a few hours without a firewall? No myth has been crushed, common sense has prevailed. Your Mac is not untouchable - it is advisable that you tighten security controls on your web browser, and be careful of surfing to dodgy sites on the internet. As long as you don’t make a habit of antagonising MaddoxX, then you can be reasonably confident that your computer won’t be trying to nuke eBay if you leave it online untended for the weekend.

Disgruntled Russian Hacker Exposes Valve

Friday, April 20th, 2007

The Daily Tech have an article about a hacker who is currently holding Valve Software (the makers of Half-Life) to ransom, having hacked into the system that manages internet cafe licences, and retrieved details and credit card information.

Most gamers will remember the bit of trouble that Valve had a couple of years ago, when a German hacker known as Axel G, or “Osama Bin Leaker” when he’s in a particularly powerful mood, snuck into their network. Internal emails were leaked, demos were leaked, and ultimately the source code to Half-Life 2 was put on the internet. Valve burst into action like a coiled spring - instantly assembling a dynamic and energetic tiger team:

The fiasco resulted in a lot of hassle for the company, but they got some consolation in the end when they caught the perpetrators by pulling the oldest trick in the book - offering to hire Axel G as an in-house security auditor. Beaming with pride as he headed for the plane, ready to start his new life in America working on the game he loves, the poor boy had no idea that the FBI were laughing their asses off at the airport, doing Axel G impressions as they waited for him to arrive.

Axel G - a misguided enthusiast, suffering from classic notions of teenage hackers - convinced himself that he was working for the greater good. He claimed that the motive behind the source code leak was to expose Valve for lying to the public about the state of the game, which was far from finished, implying that they demoed a fake version of the game at E3.

This latest haxor, MaddoxX, displays the same symptoms of a glorified self-image, probably seeing himself as half Robin Hood, half Darth Vader and half Zerocool. However, by comparing the number of x’s in their names, we can assume that MaddoxX is at least twice as l33t as Axel G, and thus less likely to fall for the “hey, you’re good! Come and work for us” trick. I would remind Valve of the old Chinese proverb that is strangely apt here: “Blind eagles soar with wings, but do not mess with psycho Russian hackers because you’ll get pwned”.

The Daily Tech article quotes MaddoxX, who outlines his motives:

In fact, MaddoxX says that he’s been tooling around on the Steam server’s back door since January. “I did try [to] contact them several months ago. At the time, I didn’t do anything harmful — just got [a few free copies of games] but never heard anything from them,” he says. “Later,” the steamed hacker adds, “I tried to warn them to fix bugs…but as usual, they don’t listen.” He recounts that he allegedly tried e-mailing Valve employees on several occasions without a reply. When a friend of his called attention to the potential security breaches on Valve forums, every trace of each thread got shut down. “They don’t even warn or reply to their Café customers that private information is leaked,” he says.

And here we come to the issue that is bothering me: MaddoxX is dead right in what he says. When you take confidential information from your customers - be it credit card details, home phone numbers, or their dog’s middle name, you take on a degree of responsibility. My guess is that Valve’s IT guys are still sitting around eating sandwiches in front of an empty whiteboard. The director of marketing at Valve, Doug Lombardi, just recently confirmed the security breach and released this statement:

There has been no security breach of Steam. The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam.

The Daily Tech refers to a very reasonable Californian Law which says that you are required by law to disclose any breach of security (to any resident whose unencrypted data is believed to have been disclosed). I’m not a lawyer, so I don’t know if Valve are bound by this, but I am aware of a general rule of thumb: if you discover a security breach, you snap to it and do something about it. You don’t hum and haw and mumble some comment a week later about an “alleged hacker” who broke into the system. If the guy has got:

  • Screenshots of internal Valve web pages
  • A portion of Valve’s Cafe directory
  • Error logs
  • Credit card information of customers
  • Financial information on Valve

…then I think it’s safe to put your hands up and acknowledge this. Funnily enough, the Cork gaming cafe Area 51 even makes an appearance on one of MaddoxX’s screenshots. I wonder if they know that their credit card details could be compromised? Perhaps I’m being unfair, and all of the affected customers have been contacted and informed, but judging by the concerned cafe account owners on the Steam forums and elsewhere, this does not seem to be the case. This only serves to validate what MaddoxX is saying, and highlights a gross lack of responsibility on Valve’s part. I believe the guy when he says he has contacted them many times about exploits and bugs and never got a reply. They sound like an absolute disaster.

Security breaches happen occasionally, and that is inevitable. I won’t dwell on the fact that it seems to be a recurring event for this particular company, I’m more concerned about the reaction when something does go wrong. Read this example of how it should be done, from Wordpress. A responsible, well worded, concise account of what happened, when it happened, who is affected, and what to do if you are affected.

What would you have said if Automattic had come out with drivel like this: “There is no security breach at Akismet. I repeat, AKISMET IS SECURE AND SAFE. Oh, by the way, Wordpress got allegedly hacked.” Doug Lombardi: the issue is not “There has been no security breach of Steam”; the issue is: “THERE HAS BEEN A SECURITY BREACH”.

I am from Cork, Ireland. A fan of the Big Lebowski, Mac OS X, Linux, Cork hurling, Munster rugby, Irish football. Interests include QuakeWorld, Python (lately Django), network security, web applications and technology in general.

Leave a comment if you come across something that interests you. My contact details are here. Alternatively, you can connect on LinkedIn or Twitter.