TNO

This content is 17 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

There is a well known phrase in IT security – trust no one (often abbreviated to TNO).  A couple of weeks ago, a United Kingdom government department admitted to having lost a couple of discs containing, among other things, names, addresses, dates of birth and bank account details for my family.  Thanks.  For nothing.

Then, yesterday, a Senior Marketing Manager at Microsoft was not having a good day.  First of all, she sent a survey invitation to a list of "Microsoft Influencers" in the EMEA region but the bulk mailing tool she was using failed part way through dispatch.  After preparing a second message to the remaining recipients, she hit the wrong button and mailed a bunch of people she didn’t mean to.  So far, no real harm done, and an apologetic e-mail was sent to those affected.  Except that somewhere along the way she attempted to recall the message, the names of the recipients went to everyone who received the recall request, and two bright sparks on the list said (in jest, I think) something to the effect of "wouldn’t it be good if I could sell the e-mail addresses of all these people that Microsoft considers influential" (all 884 of them).  So that’s my e-mail address potentially compromised too.

And a few weeks back I had an e-mail from Fasthosts (through whom many of my domain names are registered) letting me know that they had experienced a security breach and that my account may have been compromised (but they couldn’t be sure)… so I could have been subject to a domain hijack if they hadn’t already locked my account for me.

Then there’s the various online and telephone-based services (including banks and credit card providers) that use ludicrously low security, with a myriad of single factors for authentication (and really, what use are my mother’s maiden name and town of birth for "security" questions as both of those items are publicly available information?).

It seems that avoiding identity theft is fighting a battle that can’t be won.  I have to entrust organisations with my personal details but, based on recent history, those organisations (including my government) cannot be trusted.

Maybe it’s time for me to find a new identity?

TNO.

25 million people caught up in UK Government data security fiasco

I’m treading carefully here to avoid political comment but, for those who haven’t seen tonight’s news, a UK Government department has lost the personal details for 25 million people including names, dates of birth, national insurance/child benefit numbers and bank details. On a CD. In the post.

So, I’d like to thank HM Revenue and Customs for making such a monumental **** up with my family’s personal information. In this day and age, I find it amazing that two government departments have to transfer data between one another on CD (isn’t that why they have a Government Secure Intranet?) but to send that in the internal mail (unregistered) is amazingly inept (and, according to tonight’s BBC News, against Government guidelines). Furthermore, the news report I heard said that the passwords protecting the data could be cracked in seconds, so I’m interpreting that as a statement that the data wasn’t even encrypted.

What makes it so galling is that the information was being transferred to the National Audit Office. Surely they can be trusted to access the Revenue’s systems directly without needing a database extract on CD? And why did it take nearly 3 weeks for someone to report that the data was missing?

Fair enough, names and dates of birth are public information and bank details are not exactly top secret (my bank has told me it’s not something to be too concerned about) but it puts my own attempts to maintain data security into perspective. If the Government can’t keep my identity safe, who can?

Anybody who is concerned about the implications of this data breach should check out the HMRC and APACS information on the data loss.

Installing Microsoft Dynamics CRM without domain administrator rights

I recently inherited the task of designing the infrastructure for a Microsoft Dynamics CRM 3.0 implementation. After being briefed by the consultancy partner that we are using for the application customisation and reading Microsoft’s implementation guide I was fairly comfortable with the basic principles but I was also alarmed that the product seems to require installation to be carried out using an account with Domain Admins permissions. There’s no way that I will be granted those rights on our corporate Active Directory (and nor should I be) – too many applications seem to require elevated permissions for service accounts and it makes life very difficult when trying to define a delegation policy for Active Directory administration.

Regardless of the assurances I was given that Domain Admins rights are only required to carry out the installation (and subsequent updates) and that the account can be relegated to a standard domain user afterwards, I felt that there must be a way around this – surely the groups that the CRM installation creates can be pre-staged somehow, or an organizational unit can be created with delegated rights to create and manage objects?

It seems the answer to my question is yes – I’ve now been pointed in the direction of Microsoft knowledge base article 908984 which describes how to install Microsoft Dynamics CRM 3.0 as a user who is not a domain administrator by using the minimum required permissions.

How Windows PowerShell exposes passwords in clear text

I’m attending a two-day Windows PowerShell course, delivered by my colleague Dave – who I know reads this blog and should really think about starting his own…

I’ve written before about Windows PowerShell (twice) and I think it’s a great product, but it is a version 1.0 product and as such it has some faults. One (which I was horrified to discover today) is that this product, which is intended to be secure by default (for a number of good reasons) has the ability to store user credentials in clear text!

All it takes is two lines of PowerShell script:

$cred = Get-Credential username

(the user will then be prompted for their password using a standard Windows authentication dialog)

$cred.GetNetworkCredential()

(the username, password and domain will be displayed in clear text)

Some people ask what’s wrong with this? After all there are legitimate reasons for needing to use credentials in this manner. That may be so but one of the fundamental principles of Windows security is that passwords are never stored in clear-text – only as a hashed value – clearly this breaks that model. Those who think there is nothing wrong with this argue that the credentials are then only used by the user that entered them in the first place. Even so, I’m sure this method could easily be used as part of a phishing attempt using a fake (or altered) script (digitally signing scripts may be the default configuration but many organisations will disable this, just as they do with signed device drivers and many other security features).
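The following is an added example and not code from the original post. It shows where the clear-text password is reachable from a PSCredential object and what a script that genuinely needs to reuse the credential should do instead: persist the whole object with Export-Clixml, which on Windows writes the SecureString DPAPI-protected so that only the same user on the same machine can read it back. The account name CONTOSO\alice and the file name are placeholders.

```powershell
# Added example, not code from the original post. Run interactively as the
# user whose credential is being captured; CONTOSO\alice is a placeholder.

# 1. Prompt for the credential. PowerShell keeps the password as a SecureString.
$cred = Get-Credential -Credential 'CONTOSO\alice'

# 2. Displaying the SecureString gives away nothing...
$cred.Password          # System.Security.SecureString

# 3. ...but GetNetworkCredential() returns the clear text to any code
#    running as this user, which is the behaviour the post objects to.
$net = $cred.GetNetworkCredential()
'{0}\{1} -> {2}' -f $net.Domain, $net.UserName, $net.Password

# 4. If a later script needs the same credential, persist the PSCredential
#    with Export-Clixml rather than the clear text. On Windows the
#    SecureString is written out DPAPI-protected, so the file decrypts only
#    for the same user on the same machine.
$path = Join-Path $env:USERPROFILE 'alice-cred.xml'
$cred | Export-Clixml -Path $path

# 5. Reload it in another session as the same user; a different account,
#    or a copy of the file on another machine, gets an error instead.
$reloaded = Import-Clixml -Path $path
$reloaded.GetNetworkCredential().Password -eq $net.Password   # True

# 6. The clear text from step 3 should never be written out: something like
#    "$net.Password | Out-File cred.txt" is readable by anyone with access
#    to the file, and is exactly what a tampered script would do.

Remove-Item $path
```

Note that the protection in step 4 is only as strong as the user's own session: any code already running as that user can call Import-Clixml and then GetNetworkCredential() just as in step 3, which is why an execution policy that insists on signed scripts (and is not switched off) matters more than the storage format.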

After searching Microsoft Connect and being surprised that I couldn’t find any previous feedback on this I’ve raised the issue as a bug but expect to see it closed as “Resolved – by design” within a few days. If it really is by design, then I don’t feel that it’s a particularly smart design decision – especially as security is touted as one of the key reasons to move from VBscript to PowerShell.

Windows fast user switching + Zone Alarm = bad IT day

My poor colleagues had to put up with a lot of complaining yesterday. I was having a bad IT day (when nothing seems to go well). And it seems to be continuing today.

I recently rebuilt my company notebook PC to run Windows Vista and Office 2007. That’s going well but then there’s all the stuff that goes on top (anti-virus software, corporate VPN client, etc.). My colleague and trusted advisor, Garry, helped me to get all that in place, an administrator added my machine to the corporate domain and before I left last night I logged on so that I had a profile for my domain account with cached user credentials (for working at home today).

It should have been fine but I didn’t log out from my original account because I was in the middle of something – I used the fast user switching feature instead and then waited… and waited… and waited… as Windows tried to set up my profile.

In the end I gave up and logged out, only to find a load of Zone Alarm messages popped up under the original account.

“Blah blah blah is trying to do something… do you want to allow this?” I don’t know – probably! Just let me get on with logging in.

Today it’s more of the same, as switching back to my old (non-domain) profile to run Windows Easy Transfer resulted in the same problem.

I think Garry was quite disturbed to see how I (and another colleague) quickly tired of reading these incessant firewall popups and just clicked the “allow” button (and the “don’t bug me again” checkbox) every time – which proves a point I made about firewall messages almost two years ago. And anyway, what’s wrong with the Windows Firewall? If I didn’t have to use Zone Alarm to meet VPN access policies then I wouldn’t. Grrr.

The good news is that Windows Easy Transfer was really useful for migrating my application settings from my old profile to the new domain profile (I didn’t use it for the files as it’s easier to just drag and drop them in Explorer).

Why the banks just don’t get IT

Identity theft worries me. It doesn’t stop me sleeping at night but nevertheless it does worry me.

It seems that each time I log in to a banking website the security has been “enhanced” with yet another item that I fail to enter correctly and then have to call the helpdesk to get my account unlocked – and I’m an IT guy… what about the “normal” users (they probably write down the details somewhere)!

Mark James has written an interesting article about this issue – and how the answer is really quite simple – if only the banks would apply the same security approach to consumer banking as corporates do for remote access.

Security – Why the banks just don’t get IT

A few weeks back, I read a column in the IT trade press about my bank’s botched attempt to upgrade their website security and I realised that it’s not just me who thinks banks have got it all wrong…

You see, the banks are caught in a dilemma between providing convenient access for their customers and keeping it secure. That sounds reasonable enough until you consider that most casual Internet users are not too hot on security and so the banks have to dumb it down a bit.

Frankly, it amazes me that information like my mother’s maiden name, my date of birth, and the town where I was born are used for “security” – they are all publicly available details and if someone wanted to spoof my identity it would be pretty easy to get hold of them all!

But my bank is not alone in overdressing their (rather basic) security – one of their competitors recently “made some enhancements to [their] login process, ensuring [my] money is even safer”, resulting in what I can only describe as an unmitigated user experience nightmare.

First I have to remember a customer number (which can at least be stored in a cookie – not advisable on a shared-user PC) and, bizarrely, my last name (in case the customer number doesn’t uniquely identify me?). After supplying those details correctly, I’m presented with a screen similar to the one shown below:

Screenshot of ING Direct login screen

So what’s wrong with that? Well, for starters, I haven’t a clue what the last three digits of my oldest open account are so that anti-phishing question doesn’t work. Then, to avoid keystroke loggers, I have to click on the key pad buttons to enter the PIN and memorable date. That would be fair enough except that they are not in a logical order and they move around at every attempt to log in. This is more like an IQ test than a security screen (although the bank describes it as “simple”)!

I could continue with the anecdotal user experience disasters but I think I’ve probably got my point across by now. Paradoxically, the answer is quite simple and in daily use by many commercial organisations. Whilst banks are sticking with single factor (something you know) login credentials for their customers, companies often use multiple factor authentication for secure remote access by employees. I have a login ID and a token which generates a seemingly random (actually highly mathematical) 6 digit number that I combine with a PIN to access my company network. It’s easy and all it needs is knowledge of the website URL, my login ID and PIN (things that I know), together with physical access to my security token (something I have). For me, those things are easy to remember but for someone else to guess – practically impossible.
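To show what "seemingly random (actually highly mathematical)" means in practice, here is an added example, not from the original post, of how a counter-based token derives its 6-digit code using the HOTP algorithm from RFC 4226: an HMAC-SHA1 over a counter, keyed with a secret that only the token and the bank’s server hold, then truncated to six digits. The secret and counters are the RFC 4226 test vector, not values from any real token, and the script assumes a Windows PowerShell or PowerShell 7 session.

```powershell
# Added example, not from the original post: how a one-time-password token
# derives its 6-digit code (HOTP, RFC 4226). The secret and counters below are
# the RFC 4226 Appendix D test vector, not a real token's values.

function Get-HotpCode {
    param(
        [byte[]] $Secret,      # shared secret held inside the token and by the server
        [long]   $Counter,     # moves on with every code generated
        [int]    $Digits = 6
    )
    # The counter as 8 bytes, big-endian (the RFC's "C" value)
    $counterBytes = [BitConverter]::GetBytes($Counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($counterBytes) }

    # HMAC-SHA1 over the counter, keyed with the shared secret
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 (,$Secret)
    $hash = $hmac.ComputeHash($counterBytes)

    # Dynamic truncation: the low 4 bits of the last byte choose an offset,
    # and the 4 bytes from there (top bit cleared) form a 31-bit integer
    $offset = $hash[19] -band 0x0F
    $binary = (($hash[$offset] -band 0x7F) * 16777216) +
              ($hash[$offset + 1] * 65536) +
              ($hash[$offset + 2] * 256) +
              $hash[$offset + 3]

    # Reduce modulo 10^Digits and left-pad with zeros
    $modulus = [long][math]::Pow(10, $Digits)
    $code = $binary % $modulus
    return $code.ToString().PadLeft($Digits, '0')
}

# RFC 4226 test secret "12345678901234567890" (ASCII)
$secret = [Text.Encoding]::ASCII.GetBytes('12345678901234567890')
0..2 | ForEach-Object {
    'counter {0}: {1}' -f $_, (Get-HotpCode -Secret $secret -Counter $_)
}
# RFC 4226 Appendix D lists 755224, 287082 and 359152 for counters 0, 1 and 2
```

Without the secret, knowing any number of previous codes does not help an attacker predict the next one, which is what makes the token a genuine second factor; a time-based token works the same way with the current time interval in place of the counter.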

I suspect the reason that the banks have stuck with their security theatre is down to cost. So, would someone please remind me, how many billions did the UK high-street banks make in profit last year? And how much money is lost in identity theft every day? A few pounds for a token doesn’t seem too expensive to me. Failing that, why not make card readers a condition of access to online banking and use the Chip and PIN system with our bank cards?

[This post originally appeared on the Seriosoft blog, under the pseudonym Mark James.]

Quick tip for Mac users to recover a forgotten password

If you’re anything like me, then you have hundreds of security credentials to use at many websites. Best practice dictates that you should use a different password at each one but sometimes that’s just not practical – and, unless you write it down, sometimes you just forget what the password is.

I’m not sure how Windows and Linux applications store passwords, etc. (I suspect they use a variety of methods) but Mac applications tend to use the Mac OS X keychain feature – the equivalent of writing down all your passwords and storing them in one (secured) database.

If credentials are stored in the keychain, you don’t normally need to use them again as the application (e.g. a web browser) reads the keychain as required but users can come unstuck if they need those credentials to log in from a different computer. Luckily, it is possible to find out what the password is for a particular application or website (as stored in the keychain). Simply open the Keychain Access utility, open the appropriate item, select the show password checkbox, supply the keychain password when prompted and click the allow once button – at this point the password should become visible in clear text.

Password visible in the Mac OS X Keychain access utility

Low cost SSL certificates from Go Daddy

I have a number of web services running at home, some of which are SSL secured; however, they are only used by me (and a few select friends and colleagues) so, in theory, I could generate certificates by creating my own public key infrastructure (PKI) and add my certificate authority (CA) to the Trusted Root Certificate Authorities store. The trouble is that I’m lazy, and a CA is just another infrastructure service to run (it really is a bit geeky to have as many computers as I do), so I use a public certificate instead.

Because I don’t require the highest levels of validation, I don’t need an expensive certificate from a class 1 CA like Verisign so last year I used a free certificate from Ascertia. No matter how hard I tried, I couldn’t complete the certification path or get clients to trust the Ascertia root certificate, but last night, Scotty McLeod mentioned low-cost certificates from Go Daddy and, crucially, Go Daddy is one of the trusted CAs in most web browsers (certainly recent versions of Internet Explorer, Firefox and Safari).

Of course, there are other (more expensive) options available from Go Daddy and other CAs for longer certificate life, multiple top level domains, domain wildcards or higher levels of validation (hence trust) etc. but for $19.99, I bought a 12 month SSL certificate that will work with both servername.markwilson.co.uk and www.servername.markwilson.co.uk.

SSL certificate from Go Daddy

BT Home Hub users beware

I’ve just got back from a couple of weeks holiday – a rare opportunity to spend some quality time with my wife and sons. Over that time, blogging has taken a back seat – although I had taken my laptop with me it was on the basis that it was somewhere to back up the digital photos and anything remotely work-related was strictly banned… but I’m an Internet junkie and I just had to get online.

Turning on the laptop revealed weak signals from a number of free wifi providers in the area with names like “Netgear”, “Linksys” and “D-Link”. Of course, these were unsecured access points using default configurations but more worrying were the wireless networks that Windows Vista classed as security-enabled, named “BTHomeHub-xxxx“.

Available wireless networks, as reported in Windows Vista

The BT Home Hub is a popular ADSL router in the UK and, although I’ve never used one, judging by what I saw WEP appears to be the default configuration (I certainly didn’t find any evidence of anybody using anything else) – BT Home Hub users should be made aware that wired equivalent privacy (WEP) is by no means secure and can be cracked very quickly, as Michael Ossmann details in his WEP dead again articles part 1 and part 2 and as Steve Gibson explained in episode 89 of the Security Now podcast (transcript).

I should stress that I did not use any of the methods that Mike or Steve describe to hack into anybody’s network but I was tempted. Next time I may even give it a try… all in the name of security research of course.