real-world passwords

An analysis of a large collection of passwords gathered in a Myspace phishing attack reveals that passwords are getting better, although:

bq. We used to quip that “password” is the most common password. Now it’s “password1.” Who said users haven’t learned anything about security?

Schneier on Security: Real-World Passwords

posted at 1:20 pm on Wednesday, December 20, 2006 in Links, Security | Comments (1)
  1. Nita says:

    I have this theory that I should let LB put a bunch of his magnets on the fridge, take a photo of him standing in front of it, then use it as my password generator and desktop background.

the new sneakernet

Schneier on Security: Tracking People by their Sneakers

Researchers at the University of Washington have demonstrated a surveillance system that automatically tracks people through the Nike iPod Sport Kit.

posted at 9:26 am on Wednesday, December 13, 2006 in Links, Security | Comments Off on the new sneakernet

modern info warfare

feint and attack; move and countermove. The escalation is constant.

Steel armor meant the end of bows and crossbows. Firearms that could punch through armour made it useless as a defense, since armor only made the soldier slow and uncoordinated; a sitting duck. A close formation of infantry firing volleys by the numbers was unstoppable, until the devastation of the machine gun spelled their demise. Kevlar armor influenced the development of armor-piercing rounds (which, incidentally, are *less* deadly because they tend to go through their targets).

Technology is no different:

* Many modern computer viruses and trojans are capable of automatically disabling anti-virus software.

* Carjackings are on the rise, not because criminals necessarily like violent crime, but because with modern auto security systems it’s the only way to steal the car.

* In Denmark, criminals are breaking into stores and ransacking them; not because they like trashing stores, but because they can install ATM card-skimming hardware while everyone is distracted.

* In the Netherlands, they’re less subtle; they simply blow up the ATM and scoop the cash as it flutters down. (Kind of reminds me of the back-hoe technique of driving up and scooping the ATM out of the wall :).

The more things change, the more they stay the same.

posted at 9:46 pm on Friday, March 10, 2006 in Current Events, Security | Comments Off on modern info warfare

passwords

I went to log on to my Group RRSP provider’s website today. Thanks to a misguided policy that HR introduced this year, my January RRSP contributions ended up in a non-registered plan, and I wanted to fix it. It turned out that I can fix this particular problem on the web, but that’s beside the point.

When I logged in, I was informed that my password had expired, and must be changed. It’s been 18 months since I logged in (yes, I check my quarterly statements, but I’m happy with the results; no changes required). I dutifully filled in the boxes, only to be faced with password strength requirements. Now, the whole point of these things is to prevent high-speed, dictionary-based password guessing attacks. You can’t launch a high-speed guessing attack against this website because it’s really slow, and after a certain number of failures, your account is locked out. And we have the research to prove that these kinds of passwords are less secure, because people cannot remember them and are forced to write them down. But a bunch of security consultants are getting paid to write password policies, and they’re an insurance company, so they care greatly about liability, so there you go.

Anyway, for as yet unknown reasons, I managed to fumble the password change, so I couldn’t get back into my account. So then I trundled off to the password reset page. And it occurred to me:

* My password expires regularly. The problem is, I don’t login regularly (who moves RRSP funds around that often, anyway?).
* Password strength rules are enforced (mixed-case, numbers or symbols, minimum length, etc.)

And yet, the password reset page does none of this, and doesn’t have any other security checks! At least they used to make me phone Ireland to change my password. Now, I type in the answer to my challenge question, my date of birth, and instantly a new password is printed on the screen. The answer to my challenge question doesn’t have to be mixed case or have numbers, and never changes! They don’t even take the minor step of using e-mail to send me either my new password or a temporary, soon-expiring password reset URL. Granted, this is a minor security enhancement, but it does keep the amateurs out.

Does anyone else see a false sense of security here?

The irony is that I spent the rest of today fighting with our own password reset implementation :-).

Bill Gates has promised that the password will be obsolete in 2007; I’m beginning to hope he’s right…
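The e-mailed, soon-expiring reset URL the post says is missing can be built from a keyed MAC plus a server-side record of unused nonces. This is an added example, not the provider’s code; the secret, user name and timestamps are constructed, and the token is made single-use and time-limited so that knowing a never-changing challenge answer is no longer enough on its own.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class ResetTokens:
    """Issue and verify time-limited, single-use password reset tokens.

    Token format: urlsafe_b64(user:issued_at:nonce) '.' hex(HMAC-SHA256(payload)).
    The server remembers each outstanding nonce until it is redeemed or expires,
    so a reset URL works exactly once, and only within ttl_seconds of issue.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 3600) -> None:
        self._secret = secret           # server-side key; constructed for the example
        self._ttl = ttl_seconds
        self._outstanding: Dict[str, float] = {}   # nonce -> expiry time

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def issue(self, user: str, now: float) -> str:
        """Create the token to embed in the reset URL e-mailed to the account holder."""
        nonce = secrets.token_hex(16)
        payload = f"{user}:{int(now)}:{nonce}".encode()
        self._outstanding[nonce] = now + self._ttl
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def redeem(self, token: str, now: float) -> Optional[str]:
        """Return the user name if the token is genuine, unexpired and unused; else None."""
        try:
            b64, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(b64.encode())
        except (ValueError, binascii.Error):
            return None
        # Constant-time MAC comparison rejects forged or edited tokens before parsing.
        if not hmac.compare_digest(self._sign(payload), sig):
            return None
        user, issued, nonce = payload.decode().rsplit(":", 2)
        if now - int(issued) > self._ttl:
            self._outstanding.pop(nonce, None)   # expired: forget it
            return None
        if nonce not in self._outstanding:
            return None                          # already redeemed, or never issued here
        del self._outstanding[nonce]             # single use
        return user


if __name__ == "__main__":
    rt = ResetTokens(b"constructed-server-secret")
    tok = rt.issue("harald", now=1000.0)
    print(rt.redeem(tok, now=1010.0))   # harald
    print(rt.redeem(tok, now=1020.0))   # None: second use refused
```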

posted at 9:20 pm on Thursday, February 16, 2006 in Personal, Security | Comments (3)
  1. Jeff K says:

    Yeah, the false sense of security is that you don’t need to watch your RRSP. I trade in it almost every day. I locked in $10k of gains on Valentines in fact. I also unloaded Petro Canada for a 2x gain. I think I’ll be busy for at least 2 weeks moving stuff around for this year’s contributions.

    Most Canadians don’t realize the foreign contribution limit is gone and even more don’t care, even though their resource mutuals / stocks are sky-high and the dollar is sky high and it’s time to get out there and pillage the foreign markets. Aye matey! I made a few hundred in just a couple of days on a couple of Taiwanese ADRs this week (still holding), and I’m getting excited about raping the Japanese market in a little while, down 6% or so after a rapid rise from the depths in the last 2 months. The Japanese financial sector is not good, and for example, Toyota is already sky high, but there’s got to be some curvascious stock just waiting for me.

    Disclaimers: It’s probably better to earn capital gains outside an RRSP, I’m no adviser, I just think trading is better than sex, and since it’s all in an RRSP, I can’t even pay for, um… things I might want, with the money.

  2. Jeff K says:

    Er, that was “curvaceous”.

  3. Jeff K says:

    If you do trade foreign ADRs or stocks on the NYSE inside an RRSP, since the rules don’t allow you to have a US$ SDRRSP, you can direct the proceeds of a sale straight into a US$ money market fund and bypass the forex spread.

    The best is to trade in-trust-for a child in a US-denominated account, then the tax is lower, but I imagine most folks’ liquid capital is in RRSPs. RESP rules are even worse — I hate ’em.

    I laugh every time I see that Scotia Bank ad during the Olympics where some dumbass can’t figure out more than one mutual fund. ..then I cry when I hear how many people lost money 2001->2003 in mutual funds, bailed, and lost out on the 2003->2006 escalator-ride when they went back up. Scary stuff.

    Disclaimer: I know nothing and give no advice. What was one Toronto paper’s marketing slogan… hm, “They don’t read us for the financial pages.”

smtp block

It figures. After doing a bunch of work to move my backup mailserver to a “virtual server”:http://blog.cfrq.net/chk/archives/2006/01/29/power-and-virtualisation/, it worked fine for about 10 days, and then suddenly I was seeing no incoming email in the logs. This is a sign of a problem; even when the primary server is working, spammers are always connecting to the backup (in the hopes of getting past filters).

Much testing has determined that rogers is now blocking inbound SMTP on my portion of the network (something they’ve apparently been rolling out for over a year now). The best laid plans of mice and men, and all that…

posted at 11:32 am on Wednesday, February 15, 2006 in Personal, Security | Comments (4)
  1. Reid says:

    Is there a way to specify the port in an MX record? That would be sweet.

  2. Harald Koch says:

    Not yet, but if enough ISPs start blocking, I’m sure it’ll appear…

  3. Mark says:

    Shop around for ISPs. I left bell when they cut off inbound SMTP. Now I’m with Magma.ca. But, if you don’t want to switch ISPs then there are forwarding services like dyndns.org’s mailhop.

  4. Harald Koch says:

    My friend Reid is with igs.net; one of their selling features is “no bandwidth cap”, but I don’t usually get close to the 60Gb/month that rogers allows, so I’m not sure if that’s an actual feature for me or not. On the other hand, 3.0Mb + a static IP for $45/month isn’t too bad. dyndns.org wants $30/yr/domain for the service I want, which is almost the difference in price… hmm.

    It looks like Magma has the old istop bandwidth policy; limited during the day, unlimited between midnight and 7AM. Their prices are good, except for the static IP option. Unfortunately, the packages list doesn’t specify a monthly cap, and the FAQ only says “see the package list”. The only misread I can see is that the main packages don’t have a bandwidth cap?

Slamming comes to Canada

(Ok, it’s been around for a long time. Sue me. :)

So after having received yet another telemarketing call about switching my local service away from Bell, I called Bell and asked if there were any checks and balances in place. You know, to prevent fraud. The kind of fraud the US has been dealing with for 25 years.

Short answer: no. They simply trust the other guy, and let them take your service away from Bell. There’s a CRTC mandate that the new company “formally obtain consent”:http://www.crtc.gc.ca/eng/INFO_SHT/t1023.htm#n6, but a) that can be in several different easy-to-forge formats, and b) apparently Bell doesn’t bother verifying consent except in disputes.

I’m not sure who the imbeciles are here (I suspect the CRTC, but it *could* be Bell Canada), but there’s one somewhere.

You’d think we’d at least attempt to learn from the mistakes of our neighbours to the south with all of these attempts at deregulation, but no. That would require that intelligence trump greed.

I’m appalled…

posted at 2:32 pm on Tuesday, July 05, 2005 in Rants, Security | Comments Off on Slamming comes to Canada

too much crap

Today I’m feeling like throwing in the towel on this web server business: there’s just too much crap to deal with.

A friend’s server was broken into and defaced last week by a script kiddy. I’ve been double-checking my box over the last few days, and I’m astonished at the amount of crap flowing in from the Internet. As a security professional I knew it was bad, but I was fooling myself; I didn’t know it was _this_ bad!!!

I monitor the site regularly, mainly to ensure that we’re not abusing bandwidth that is generously donated, but also to make sure everything is working, and to watch for obviously suspicious activity. In the last week a major portion of the traffic to this server has been:

* referrer spam (which doesn’t do anything for the spammer, since I don’t display referrers anywhere; it only abuses my bandwidth). About 15% of my bandwidth for the last _month_ has been referrer spam; they seem to breed faster than I can block them out!
* people trying comment spam on weblogs with no comments (and no comment script!). This includes attempts to invoke old security holes in Movable Type.
* people probing for security defects in software that I don’t even have installed.
* people probing for security defects in software that I _do_ have installed (fortunately that was password protected, so they didn’t get in :).
* probes for network sockets (both for software with vulnerabilities, and for software installed by hackers). This box is heavily firewalled (in both directions; blocking outbound traffic has saved my bacon more than once!), but I still see the logs.
* password guessing attempts (mainly via SSH, which has been locked down to a small number of IP addresses for months now, since the last major SSH vulnerability).

The promise of Open Source software was that more eyes staring at code would lead to fewer defects. I’m seeing the opposite; it seems that the rate of vulnerability announcements, and resulting patches, is _increasing_. Just last week I upgraded three packages here as a direct result of security announcements (and, as mentioned above, caught someone probing for one of them…)

The Internet has become the cesspool predicted in several recent science fiction novels (notably Peter Watts’s Behemoth, which specifically mentions automated virus / hacking activity). After three days of looking too closely at my logs I feel like pulling the plug. If it were just me using the server, I probably would…

posted at 10:57 am on Wednesday, February 02, 2005 in Personal, Rants, Security, Site News | Comments (1)
  1. Jeff K says:

    The Internet has always been a pigsty… and the pigs love it!

MT Plus Comment Spam Equals Dead Site

I’ve experienced the problems described here: The Daily Whim: MT Plus Comment Spam Equals Dead Site

Several times we’ve woken up to a dead cfrq.net server, and (ignoring one disk crash) it’s always been runaway Movable Type comment scripts causing the system to thrash, until some important process gets killed because of the resulting out-of-memory condition. It invariably happens on a Saturday, which means we all get to wait until Monday morning for the server to get manually rebooted.

I’ve installed countermeasures in the past:
* I’ve renamed the comments script
* I close comments automatically after two weeks
* “Comment SPAM interlocking”:http://blog.cfrq.net/chk/archives/2003/10/14/comments-spam-interlock/

And still, I see a constant, steady stream of comment spam that gets posted, even to postings that are closed to comments!

So far my WordPress blog is getting fewer hits, but it’s only a matter of time until the spammers find that one…

*sigh.

posted at 5:54 pm on Tuesday, December 14, 2004 in Links, Miscellaneous, Security | Comments (1)
  1. ReidNews says:

    Comments have been disabled
    Due to a huge influx of comment spam, I have disabled comments on tnir. This affects all blogs hosted on tnir, including Luisa’s and David’s. If you try to post a comment, it will let you type it in, but when you click “post” it will give you some…

Defense in Depth

I’ve visited lots of old fortresses in Canada, and a few in Europe, and I remember learning about defense in depth. This is the idea that your assets should be surrounded by multiple separate layers of defenses to make it harder for the barbarian hordes (or Americans :-) to break in. Ideally the defenses should be _different_, so that if a simple technique of defeating one is discovered, it doesn’t help against the others.

The forts I’ve visited are typically on a hill (so that you can see the enemy coming and prepare). But they’re also sunk into the hill, with sloping outer walls, to defend the inner walls against artillery. They’re surrounded by open fields (no trees or brush). The outer wall has gun emplacements, to mow down anyone trying to cross those fields. There is a deep trench between the inner and outer walls, deep enough that attackers must climb down, slowing them down. The inner walls are full of small, narrow windows to allow the defenders to shoot at anyone trying to cross the trench. The inner walls usually have towers that project into the trench, so that people trying to climb the inner walls aren’t hidden from defenders inside the walls; those attackers can be attacked from the towers. The important buildings inside the inner walls have their own defenses. And so on.

Of course, a few carefully placed shells from a battleship and the fort is history; but that’s progress for you.

Anyway, to make a long story short, here’s Robert Scoble’s “defense in depth strategy for Windows XP”:http://radio.weblogs.com/0001011/2004/08/22.html#a8128 – enjoy!

posted at 7:11 pm on Tuesday, August 24, 2004 in Security | Comments Off on Defense in Depth

Re: oops

So after looking at “the mail I accidentally misfiled”:http://blog.cfrq.net/chk/archives/2004/08/16/oops/ there were, in fact, about 150 spam (almost 50%).

pobox.com has completely revamped their spam filtering service since I last looked; I can now monitor rejections, forward messages to myself, and add whitelist entries, all through a fairly simple interface. I’ve switched it on; so far one spam has gotten through, with no false positives…

posted at 9:11 am on Tuesday, August 17, 2004 in Personal, Security | Comments (3)
  1. Reid says:

    Have you looked into Sender Policy Framework yet? I was thinking of doing that. Not sure if register.com will let me edit the appropriate bits of my DNS record though..

  2. Harald says:

    # dig cfrq.net txt

    cfrq.net. 3600 IN TXT "v=spf1 a mx a:CPE0020afa1901b-CM014210016169.cpe.net.cable.rogers.com ip4:24.156.198.121 -all"

  3. Reid says:

    I checked, and I can’t see any way to set the TXT field of my DNS record via register.com’s web interface. Well, maybe it’s time to move away from register.com.. hmm.

SPAM

Very strange.

I just came back from a weekend of camping to find one new message in my inbox, and zero messages in my spam and spamMaybe boxes.

I’ve checked all the logs, and everything _seems_ to be working properly…

posted at 11:01 pm on Sunday, August 15, 2004 in Personal, Security | Comments Off on SPAM

Active Directory

It is very easy to set up a self-contained network, with a Domain Controller, using Active Directory. Too easy, in fact; I’m on my third attempt :-).

I’m using cloned hard disk images under Microsoft Virtual PC, which caused my latest problem; Active Directory let me register a computer in the domain with the same name as the domain controller. Needless to say, _nothing_ worked after that. The reason this happened was because I tried to rename the image _and_ join the domain at the same time; Windows 2000 apparently joins the domain _first_, then attempts to rename the computer. This surprised me :-)

Fortunately, I had a master disk image, so it was trivial to restart from a fresh install and rebuild the domain controller (which, thanks to Microsoft’s wizards, is easy). But then I had to rebuild the two child domain controllers, since they refused to “demote” themselves when the domain master was unavailable.

Sadly, all of this is _time consuming_, even when the host is a P4 2.8 with 1Gb of memory and oodles of disk bandwidth…

posted at 9:32 pm on Thursday, August 12, 2004 in Personal, Science and Technology, Security | Comments (1)
  1. Reid says:

    It took me a moment to figure out what you meant by PIV. I thought it was some sort of PVC pipe variant for plumbing or something!

    I think P4 is easier to grok.. :)

passwords and PKI

“Denise Anthony”:http://www.dartmouth.edu/~socy/faculty/anthony.html doesn’t mention her security research on her “home page”:http://www.dartmouth.edu/~socy/faculty/anthony.html, but the “slides from her presentation”:http://www.dartmouth.edu/~deploypki/summit04/presentations/PKIUserBehavior.ppt are available on the “Dartmouth PKI Unlocked Summit and Workshop”:http://www.dartmouth.edu/~deploypki/summit04/proceedings.html page, which I found after a bit of Googling led me to the “Dartmouth PKI Lab Outreach Web Home”:http://www.dartmouth.edu/~deploypki/ page. There’s a bunch of good stuff buried in there, especially deployment tips, and the “Dartmouth OpenCA – LiveCD”:http://www.dartmouth.edu/%7Edeploypki/CA/InstallOpenCALiveCD.html looks especially interesting; I’m going to try it out in my testing lab soon.

posted at 9:44 am on Wednesday, August 11, 2004 in Security | Comments (4)
  1. Greg Wilson says:

    Your “testing lab”? Does that come complete with lightning rods, bubbling beakers, and an igor?

  2. Harald says:

    (laughter)

    Sadly, no. About the only exciting thing about my testing lab is that one of the computers isn’t under the desk, which caught the attention of the Health and Safety droids…

  3. Reid says:

    caught the attention of the Health and Safety droids…“??

    Okay, I sense an untold story here…

  4. Harald says:

    It’s simple, actually. One of my 9 desktops masquerading as servers is _not_ under a desk; it is instead sitting on the floor in front of all of the other computers under the desk. Despite the fact that this is not in a corridor or anything else vaguely resembling anything other than a _desk_, this is apparently a Class B Safety Hazard (insert ominous music here :-)

passwords in the news

I can’t find it now, but I remember reading recently about another “cross-discipline” team that discovered all sorts of interesting things, because each member of the team had a different way of looking at the data. Now a PKI research group has attached a sociologist to the team, and that is “starting to produce insight”:http://www.dartmouth.edu/~deploypki/summit04/presentations/PKIUserBehavior.ppt:

bq. A recent survey found that 75 percent of Dartmouth students have shared their network passwords. “They like having people who know their password,” explained “Denise Anthony”:http://www.dartmouth.edu/~socy/faculty/anthony.html, a sociologist who spoke at the PKI summit conference I attended earlier this month. “They like having someone who can check their e-mail for them or log them in to places where they’re supposed to be.”

bq. Professor Anthony’s talk was dramatically different and showed why it was a really smart move to attach a sociologist to Dartmouth’s PKI research group. As security technologists, we’re easily dazzled by our shiny cryptographic swords. But while we’re brandishing our swords, our users — like Indiana Jones in that famous scene from Raiders of the Lost Ark — might simply pull out their guns and shoot us. Better security protocols alone can’t thwart such game-changing behavior. We need to understand what motivates the behavior and figure out which carrots and sticks will influence it.

bq. It’s a given that most people take the path of least resistance. So, for example, two-thirds of Dartmouth students never change their passwords during their four years of enrollment. And most reuse their internal passwords for external sites such as The New York Times and Amazon.com. How do they perceive the risk associated with such behavior? According to Anthony, it’s a tragedy of the commons. The network is a collective resource, but people connected to the network feel that they’re consuming a private good. Their subjective view, she says, is this: “I’m in my office. I’m using my computer. It doesn’t feel like I’m part of a group. I don’t recognize how my behavior affects you.”

InfoWorld: Tragedy of the network commons

posted at 9:44 am on Wednesday, August 11, 2004 in Science and Technology, Security | Comments Off on passwords in the news

spam source

Ok, so it turns out that all (well, 125 of 126 :-) of the spam I’m getting these days is coming through my pobox.com address. The greylisting is working fine, in other words :-)

It’s been great having a portable email address, but now that I pay real money for my own domains, maybe it is time to switch over. I can do more accurate spam filtering on my personal server than they can on their shared servers. Unfortunately, the massive spam volumes floating around these days are forcing us to these drastic measures. I’m beginning to believe the pessimists; e-mail is dying…

posted at 10:57 pm on Sunday, August 08, 2004 in General, Security, Site News | Comments (1)
  1. Re: oops
    So after looking at “the mail I accidentally misfiled”:http://blog.cfrq.net/chk/archives/2004/08/16/oops/ there were, in fact, about 150 spam (almost 50%).

    pobox.com has completely revamped their spam filtering service since I last looked; I can n…

greylist results revisited

So maybe I spoke too soon; in “greylist results”:http://blog.cfrq.net/chk/archives/2004/07/14/greylist-results/ I said that my spam volume had gone way down. Well, it has come back up again. I’ll have to write scripts to prove it, but I have a theory.

Machines owned by spammers are being used relatively infrequently, maybe to reduce the chances of getting detected and blacklisted? So the first time a spam host shows up, it gets greylisted. But if they show up again a day or a week later, they get past the greylist filter, because they’re now in the cache (but haven’t been expired yet).

Maybe a fix would be to put two cache timeouts in; the first would be for machines that have not yet successfully delivered a message (i.e. by retrying the original delivery), and would be relatively short, probably less than a day. The second would be the existing long timeout for machines that have already passed the first test.

That would eliminate spam machines that only show up infrequently. I don’t know whether it is worth the effort, though.
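The two-timeout idea sketched above, as an added example rather than the greylisting code actually running on this server. A single-timeout greylist is reproduced by setting the pending timeout equal to the pass timeout; the client addresses, envelope addresses and timeout values are constructed for the simulation.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# A greylist keys on the classic triplet: (client IP, envelope sender, envelope recipient).
Triplet = Tuple[str, str, str]


@dataclass
class Entry:
    first_seen: float          # first delivery attempt for this triplet
    last_seen: float           # most recent attempt
    passed: bool = False       # True once the sender has retried after min_delay


class Greylist:
    """Greylist with separate timeouts for unconfirmed and confirmed triplets.

    pending_ttl: how long an unconfirmed triplet stays cached (short, under a day here).
    pass_ttl:    how long a confirmed triplet stays whitelisted (long, ~36 days).
    Setting pending_ttl == pass_ttl reproduces the single-timeout behaviour.
    """

    def __init__(self, min_delay: float = 300.0,
                 pending_ttl: float = 12 * 3600.0,
                 pass_ttl: float = 36 * 86400.0) -> None:
        self.min_delay = min_delay
        self.pending_ttl = pending_ttl
        self.pass_ttl = pass_ttl
        self._db: Dict[Triplet, Entry] = {}

    def _expire(self, now: float) -> None:
        # Unconfirmed entries age from first_seen; confirmed ones from last_seen.
        for key, e in list(self._db.items()):
            ttl = self.pass_ttl if e.passed else self.pending_ttl
            ref = e.last_seen if e.passed else e.first_seen
            if now - ref > ttl:
                del self._db[key]

    def check(self, triplet: Triplet, now: float) -> str:
        """Return 'DEFER' (temporary 4xx reject) or 'PASS' for one delivery attempt."""
        self._expire(now)
        e = self._db.get(triplet)
        if e is None:
            self._db[triplet] = Entry(first_seen=now, last_seen=now)
            return "DEFER"
        e.last_seen = now
        if e.passed or now - e.first_seen >= self.min_delay:
            e.passed = True
            return "PASS"
        return "DEFER"   # retried too soon; a real MTA will try again later


def simulate(pending_ttl: float) -> Dict[str, str]:
    """Replay a well-behaved MTA and an infrequent spam host against one greylist."""
    g = Greylist(pending_ttl=pending_ttl)
    legit = ("192.0.2.10", "alice@example.org", "harald@example.net")   # constructed
    spam = ("203.0.113.77", "bulk@example.com", "harald@example.net")   # constructed
    t0, day = 0.0, 86400.0
    return {
        "legit_first": g.check(legit, t0),                  # always deferred once
        "legit_retry": g.check(legit, t0 + 600),            # real MTA retries in 10 min
        "spam_first": g.check(spam, t0),                    # deferred
        "spam_week_later": g.check(spam, t0 + 7 * day),     # shows up again a week later
        "legit_week_later": g.check(legit, t0 + 7 * day),   # confirmed sender still passes
    }


if __name__ == "__main__":
    for label, ttl in (("single timeout", 36 * 86400.0), ("two timeouts", 12 * 3600.0)):
        print(label, simulate(ttl))
```

With one long timeout the spam host’s week-later visit passes because its first attempt is still cached; with the short pending timeout that entry has expired and the host is deferred again, while the confirmed sender stays whitelisted.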

On the plus side, greylisting _is_ still keeping out the virus traffic…

posted at 12:18 pm on Sunday, August 08, 2004 in Security, Site News | Comments Off on greylist results revisited

Mom brought Google to its knees

Mom brought Google to its knees (via “kuro5hin.org”:http://www.kuro5hin.org/).

bq. Fortunately for the internet, my mom’s on dialup. But unfortunately for the internet, your mom has cable. And your mom is just as obstinately ignorant as my mom. You might as well try to convince them to change their own oil as to keep their computers maintained.

In short: trying to teach Mom about computer security is a lost cause. Which leads to the obvious conclusion; we’re not going to fix the problem until we don’t have to teach Mom about computer security…

posted at 12:00 pm on Monday, August 02, 2004 in Security | Comments Off on Mom brought Google to its knees

Long-Distance Bluetooth Hacking

Heh.

| People who know radio technology | 1 |
| Bluetooth Security optimists | 0 |

Bluetooth proponents have been saying for a long time that Bluetooth security isn’t that big of a deal, because the range is so short. Now a group of enthusiasts has demonstrated that it is possible to set up a 1km, line-of-sight Bluetooth connection by modifying only one side of the connection:

Wi-Fi Toys

posted at 11:58 am on Monday, August 02, 2004 in Science and Technology, Security | Comments Off on Long-Distance Bluetooth Hacking

More Comment Spam

I’m not the only one:

* kasia in a nutshell: All the traffic spam that a website gets
* “Confessions of a G33k: Live capture comment spammer logs”:http://www.cleverhack.com/blog/archives/001274.html

and so on…

posted at 2:04 pm on Friday, June 04, 2004 in Security | Comments Off on More Comment Spam

comment spam

Some idiot script kiddy wiped out our bandwidth again today. He could have an automated tool, or he could be doing it manually. He’s trying to post comment spam to blog.org, but he’s repeatedly fetching pages over and over again (presumably to see if his comments are getting published or not).

The problem is that David’s pages are large (and getting larger all the time); an average of 200Kb each. So this spammer has single-handedly downloaded at least 70Mb of data today!

It’s one thing to try to abuse my server to get a site ranked higher in Google. It’s another thing entirely to waste _my_ bandwidth in the process!

64.57.64.0/19, 66.154.0.0/18, and 66.154.64.0/19 just made it into the blackhole list…

posted at 1:18 pm on Thursday, June 03, 2004 in Security, Site News | Comments (4)
  1. David Brake says:

    I was kept busy removing the comment spam this created on the other end today as well (unfortunately, the script kiddies are starting to randomise their IP addresses and choose from long lists of URLs so IP address or URL blocking is less effective). Makes me think the only long-term solution to comment spam may be one of these type in the numbers from an image plug-ins. Though apparently determined spammers are actually doing it by hand! AARGH!

  2. joy says:

    What about comment moderation in WP?

  3. Harald says:

    I’m using WP, and (as you can see) comment moderation is working.

    David’s still using MovableType, and his weblog is quite popular…

  4. I would recommend you set up some type of image number system so bots can’t spam!
