Digitivity » Digital Security

Head of ChronoPay Arrested in Russia?

Digitivity — Tue, 15 Nov 2011 18:37:09 +0000

DigitalCashNews tweeted that the head of ChronoPay, an alternative payment system, was arrested in Russia, being accused of orchestrating a DDoS attack on a competitor. The tweet links to threatpost.com, but I can't access the site at the moment. Nevertheless, it seems doubtful for people trying to establish PayPal alternatives. Related posts:

Is Bitcoin Flawed? Microsoft Research Says Maybe

Digitivity — Mon, 14 Nov 2011 18:59:00 +0000

Posted in Articles

Microsoft Research has identified what it thinks may be a flaw in the system: Namely, there's an incentive for miners not to forward Bitcoin transactions. See here for the MS paper and here for basic info on the Bitcoin protocol. Can Bitcoin survive the death of a thousand cuts? Related posts:

DigiNotar SSL Hack Threatens Browser Security

Digitivity — Tue, 06 Sep 2011 14:02:18 +0000

This is a little technical, but it affects your ability to access secure sites without anybody seeing what you’re doing.

DigiNotar, a Dutch provider of SSL certificates, has been hacked, and hacked well and good. The hackers then created rogue SSL certificates, which can be used to impersonate actual, well-known websites, like google.com.

The total number of compromised domains is now an amazing 531 (yes, five hundred thirty-one). That includes Facebook, Yahoo!, Microsoft, Skype, Twitter, Tor, WordPress, the CIA, Mossad, MI6, and others. The Dutch government also said it couldn’t guarantee the security of its own government sites.

What to do about it

There’s something built into the secure certificates system which is supposed to mitigate the harm done in situations like this: certificate revocation. When a certificate authority (an issuer of SSL certificates) finds out that its certs have been compromised, it can issue a revocation notice.

Browsers are supposed to check for such notices before using a certificate. (In Google Chrome, there’s an option “Check for revocations”.) Theoretically, all should be fine, since DigiNotar has revoked the certificate.

But browser distributors have also done some updates of their own so that users of the latest browser versions will get a warning if they try to visit a site signed with a DigiNotar certificate.

So be sure you’re using the latest browser version.

Resources

Slashdot
Net Security
Nine News
Wikipedia has a good overview

Google Releases Skipfish Automatic Website Security Scanning Tool

Digitivity — Mon, 22 Mar 2010 18:55:29 +0000

Google released a free website scanning tool called Skipfish. Skipfish accesses your entire website’s URLs and tries to find problems from a huge list of tens of different security problems.

About Skipfish

Skipfish is implemented as a program that you run locally (from your personal computer) or on the same server as a website or WordPress or other blog. It saves output in a directory you specify in HTML format (sample below).

If you’re wondering why Google would release a security scanner for free, Google has in interest in a secure and non-exploited Internet. If, every time you go online, your computer is hacked, you’re less likely to go online. The less you go online, the less Google searches you do, the less ads you click on, and the less money Google gets.

Skipfish is similar to other security scanning programs like Nikto and Nessus. But it also has some advantages such as:

High Performance. You can run 500+ requests per second over the Internet, 2000+ requests over a LAN, and 7000+ requests on the same server as a website.
Ease of Use. Skipfish is flexible and it handles weird URL schemes and even comes up with automatically generated password guesses based on site content.
Fine security checks. Skipfish detects subtle problems like cross-site scripting, but it also identifies and avoids false positives.

Major security holes that Skipfish finds include

Server-side SQL injection (including blind vectors, numerical parameters).
Explicit SQL-like syntax in GET or POST parameters.
Server-side shell command injection (including blind vectors).
Server-side XML / XPath injection (including blind vectors).
Format string vulnerabilities.
Integer overflow vulnerabilities.

And there are other minor problems that it finds as well.

Running Skipfish

Skipfish is written in C, and you probably need to compile it before you run it. I’ll have another blog post later on preparing and running Skipfish.

Skipfish is hosted at Google Code here: http://code.google.com/p/skipfish/

Twenty Most Common Passwords to Avoid

Digitivity — Sat, 20 Feb 2010 19:02:31 +0000

A data security company released a list of the 20 most common passwords.
Of course, these are also the top 20 passwords to avoid, too.

123456
12345
123456789
Password
iloveyou
princess
rockyou
1234567
12345678
abc123
Nicole
Daniel
babygirl
monkey
Jessica
Lovely
michael
Ashley
654321
Qwerty

The passwords were taken from Imperva’s analysis of 32 million user accounts in the Rockyou.com data breach.

Half of the users used names, dictionary or slang words, or consecutive keyboard keys, which are, of course, easily brute-forced. I guess it makes sense to people in that “who would ever guess that I’m using my wife’s/daughter’s/friend’s name as a password”, but there are only so many common names in English, so it’s easy to test them one after another to see if they work.

It’s always better to use a totally nonsensical and random password. Also, you should use a different password for every site where you have an account. I’ll blog later on how to keep all of these passwords straight and not mix them up.

Resources

Tech News Blog article on passwords
Imperva passwords report

Backupify Social Media Backup Free Account Offer Extended

Digitivity — Fri, 05 Feb 2010 16:14:31 +0000

I wrote the other day about social media backup with a new service called Backupify.

It was offering free accounts till January 31.

Now the offer has been extended until the 15th of February.

Granted, sometimes companies like to extend offers many times just to get everyone that could possibly be interested in their product. But since it’s totally free, there’s no reason not to sign up.

See my previous blog post about backing up Google, Facebook, Twitter, and WordPress for details on how Backupify works.

Resources

Backupify

Back Up Gmail, Facebook, WordPress, and Other Social Media with Backupify

Digitivity — Sat, 30 Jan 2010 17:40:48 +0000

These days many people prefer to have their applications in the cloud, instead of hosting them by themselves.

For example, people who use Gmail prefer accessing e-mail through a web browser instead of downloading their e-mail and viewing it with an e-mail program.

But what happens if Google loses your e-mail? The answer, for some, might be Backupify, a new cloud backup service.

Coincidentally, today is the last day they are offering free accounts, and today is the day I found out about it. So before you read the rest of this article, go and sign up for an account here: https://secure.backupify.com/signup

Note: Although it asks for your personal details (including address and phone number), all you have to enter is your name and e-mail address to get signed up.

Why you need to back up your social media accounts

How much did you pay for your Gmail account? For your Twitter account? Facebook? $0?

Well, how much liability do you think they have if they lose your e-mail, your tweets, your updates? Right, zero dollars.

While it’s true that these services have all kinds of great servers hosting your data, it’s also true that problems do occur. If you get a lot of advantage from your social networking presence, you’ll likely not want to take the risk of losing all of your hard work.

Cloud services that Backupify backs up

Backupify backs up:

Flickr
Twitter
Delicious
Zoho
Google Docs
Photobucket
WordPress
Services in Beta
Basecamp
Gmail
Facebook
FriendFeed
Blogger
Hotmail

It will back up the following cloud services later:

Youtube
Xmarks
RssFeed
Tumblr

After you sign up, you’re sent to the Settings screen:

Backupify Settings

Just click on a Manage for a given service to back up your account on that service.

Backing up Twitter

For example, to back up your Twitter account, click on Manage for Twitter, and then provide your account credentials:

Backupify: Backup Twitter

Backupify goes out to Twitter, downloads your tweets, and backs them up.

You can choose to back up daily or weekly.

Backing up WordPress

Backupify can back up your WordPress blog, too. To do this, you first have to install a WordPress plugin.

How Backupify works

Backupify uses account information that you give to access your accounts. For some kinds of services, it doesn’t send a username/password over the wire, but rather depends on something called a token to avoid having to exchange authentication information.

To the extent possible, Backupify keeps your data in encrypted format. It’s true that you have to trust them to a certain extent. If you don’t trust them, don’t give them any of your user account info.

It’s worth mentioning that, according to Alexa, Backupify is about the 15000th most popular website in the United States, so it’s not just a fly-by-night operation.

My comments

Although I haven’t decided to what extent I want Backupify to back up my social media accounts, I’ve gone ahead and signed up for the free account, which, again, they say the last day for is January 31.

Thanks to Bob Buskirk, whose article on Backupify I just caught today.

Resources

Backupify

Verified by Visa (and MasterCard SecureCode) Is Insecure

Digitivity — Fri, 29 Jan 2010 16:08:16 +0000

It seems that, anymore, Visa is increasingly encouraging credit cardholders to use their “Verified by Visa” program, in which you’re supposed to enter a secret code to confirm that it’s really you using a credit card number.

The problem is, it’s insecure.

The system is properly called 3-D Secure (3DS) but it’s called Verified by Visa and MasterCard SecureCode by the two card corporations.

Here are some of the problems found by Cambridge researchers Professor Ross Anderson and Steven Murdoch:

3DS is shown in an “inline frame” or IFRAME HTML element. The problem with that is that the content for that frame is coming from a different website than the merchants, and it’s hard for users to verify its authenticity because you can’t see the URL it’s coming from.
The system allows setting of a password directly on a merchant site with activation during shopping (ADS). Your identity is confirmed with a piece of information like birth date, which is commonly available.
That also means the password can be reset with birth date or other commonly available information.
It’s also vulnerable to phishing attempts.

Since users have to agree to be responsible for use of the card if they participate in Verified by Visa, banks are less likely to do chargebacks, and are more likely to put blame on the user if there is fraud.

My comments

I had been sort of suspicious of how well these systems worked, but thanks to these Cambridge professors, now we know. In fact, there’s probably no other way we’d know because the terms of these programs actually prohibit you from reverse-engineering or tinkering with the 3DS system in any way.

Moral: Don’t think your card is impenetrable just because your banks says so.

I think it’s good to have a separate, low-limit card for general Internet transactions.

Resources

PCWorld article
Register article
Cambridge University paper
Financial Cryptography and Data Security Conference
http://en.wikipedia.org/wiki/3-D_Secure
http://www.visa.com/verifiedbyvisa/