Posts tagged with "security"


Yay, my Twitter was breached!

Password reset form

So, I was one of the super lucky 250,000 users to have their Twitter account details leaked. While I did create my account in March 2007, my #875,971 account ID is still higher than 250,000. Maybe they only hacked earlier accounts that are still active?

UPDATE: The Guardian is saying the attack only affected Twitter accounts created in the first half of 2007. Mystery solved, if true.

Dear Twitter User:

As a precautionary security measure, we have reset your Twitter account password. Check your inbox for a separate email from Twitter with instructions on how to reset your password. If you don't see an email, you can go to this page in our Help Center to request a password reset. More information is below.

We recently detected an attack on our systems in which the attackers may have had access to limited user information - specifically, your username, email address and an encrypted/salted version of your password (not the actual letters and numbers in your password). Further information about the attack can be found in this blog post.

Since your password has been reset, your old password will not work when you try to log into Twitter. We strongly encourage you to take this opportunity to select a strong password - at least 10 (but more is better) characters and a mixture of upper and lowercase letters, numbers, and symbols - that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised.

For more information about making your Twitter and other Internet accounts more secure, read our Help Center documentation or the FTC's guide on passwords.

This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to reset your password and publicize this attack while we still gather information. We are also helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.


Yahoo! Mail finally gets SSL!

Almost two years ago, I bemoaned the fact Yahoo were creating new things, but were still the only major mail provider to not offer SSL. On an unsecured wireless network, this is an open invitation for anyone to hijack your session.

Well, they finally listened!

Activating SSL adds an extra layer of security to your account. While using SSL protection is optional, we recommend it if you are on an unsecured internet connection, such as a wireless network at a cafe.

It's a step in the right direction, but it desperately needs to be enabled by default. As a developer and sysadmin I know most people don't change default settings, which means most of their users will still be unprotected.


UTS site defaced with plaintext passwords

Over the weekend, a subdomain at the University of Technology Sydney was defaced, and with it the names and passwords of several staff members were published. What isn't being talked about much is: it was bound to happen.

Image of computers in UTS Building 10 taken by me in 2011.

Well, bother

According to Michael Lee of ZDNet Australia, the breach affected an older content management system (CMS) backend used to deliver news. Once the system was compromised, the information of staff members was published, including their names, email addresses and their passwords as plaintext.

The site also had an ASCII art picture of Zoidberg from Futurama added, performing his trademark roar of exasperation. I see what they did there.

The good news is this breach did not affect the primary site, though it exposes a far larger issue.

The claws of the problem

When I first enrolled at UTS, I was surprised at how easy it was to choose subjects, set up my timetable and get started. Some of my fellow students may scoff at this, but having studied in several places, UTS's system is far superior. They may use Blackboard for everything else, but at least they had the common sense to keep clear of it for enrollment. But I digress.

The one part of the process that gave me pause was when I was prompted for a password. I proceeded to type in a unique passphrase that I'd be using for logging into UTS, only to be told it was too long.

Warning bells.

I've blogged at length about the risks of accessing sites with password character limits, and why they're technically unnecessary in a securely designed site. You can read about it here.

In a nutshell, passwords that are stored securely as a cryptographic hash have no technical reason to be limited in length, because the hash is the same size whatever goes in. When a site informs you of a length limit, it's a fairly sure sign they're storing your password insecurely as plaintext, which means when there's a breach, your password is viewable. Like they were here.

UTS uses student passwords for administration, student email, the Blackboard Learn environment, WPA2 passwords for wireless access, Faculty of Engineering and IT access to student servers, login access to shared computers and many more places. I can appreciate the challenge of keeping all these the same, as students are unlikely to be willing to remember different passwords for each of these.

Still, for an institution of higher learning, I can't help but think they could solve this challenge securely. It dismays me when action is taken only as a result of a breach. I hope UTS uses this as an opportunity to revise their security policies.


Are sites storing your passwords securely?

There have been so many password "hacking" stories lately, I thought I'd write this post so I can refer back to it. For added security, I've included the above image of Makise Kurisu, the scientist in my anime harem.

Covering my behind

Crypto is an exact science, so before I go any further I will make these clear.

  • When I say random, technically I mean pseudorandom. Algorithms are deterministic, and machines built on order and logic can't, strictly speaking, produce "true" randomness. Contemporary algorithms are an order of magnitude better than the BASIC RND() function of yore though.

  • When I say impossible and one way, I mean practically speaking. Our current algorithms would take the birth and death of several universes to brute force with current hardware, but that doesn't mean it's impossible. Just very very very very improbable!

How passwords are supposed to be stored

When you create an account with a well designed, secure website, your chosen password is not stored anywhere. Instead, your password is put through a one way cryptographic hashing algorithm which converts it to random-looking gibberish, combined with some salt, random information the web server keeps alongside each account.

When you attempt to log into your site, the password you give is hashed and compared to the hash on file. If they're the same the server knows you have the right password.

It's a proven, tested technique and it works... provided everything is implemented properly. No doubt you've seen plenty of news stories suggesting sound security is harder than coming up with some snappy alliteration on a blog post.

Why go to the trouble?

Rather than storing a hash of a password, you could simply store the password and compare it when someone logs in. It's simpler, and a worryingly large number of sites still do this.

The problem is, if the database is broken into, the malicious hacker has access to all your customers' passwords. People like conserving energy (politically correct way of saying lazy!), and are probably using those same passwords for all sorts of stuff including their banking sites, email, social networks and so on. You can see what a disaster this could be!

If you store them as hashes, all anyone ever sees is random gibberish... even the site owner!

How to tell

Short of asking the site administrator, there are two main tells that a site is storing your passwords instead of a hash:

  • They're able to provide you with your password. This could happen when you first create your account and they send you a welcome email, or if you've said you've forgotten your password. A secure site should always direct you to a page to reset it, because they don't know your password either.

  • Hashes take a password of any length and produce output of a uniform size (such as 128 bits). Not always, but often if a site puts a limit on your password length, it's because they're storing it as plaintext in their database.

There may have been (bad) excuses for these practices in the past, but not any more. If a site you access does either of these, it's time to question how important they are and whether they're worth risking your data and security over. Blunt, but true.

If you suspect a site you access is storing your password in plain text and you have no choice but to use them, complain, and make sure you pick something random and unique to that one site. If/when they get broken into, you'll be glad you did.
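To make the scheme above concrete (and the two tells, plus the length-limit point from the UTS post), here is an added example using only Python's standard library; it is not code from the original post. It stores a random per-account salt next to an iterated PBKDF2 hash, verifies a login by re-deriving the hash, and shows the stored hash is the same size for a one-character password and a five-hundred-character passphrase. Function names and the iteration count are my own choices.

```python
import hashlib
import hmac
import os

# Work factor and sizes (assumed values for this example).
ITERATIONS = 100_000
SALT_BYTES = 16
HASH_BYTES = 32  # 256-bit output, whatever the password length


def store_password(password: str) -> dict:
    """Build the record a site should keep for an account.

    It holds the salt and the derived hash, never the password itself,
    so nobody (the site owner included) can read the password back out.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=HASH_BYTES
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """Check a login attempt against the stored record.

    The attempt is hashed with the stored salt and compared in constant
    time; the original password is not needed and is not available.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), salt, record["iterations"], dklen=HASH_BYTES
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def stored_hash_length(password: str) -> int:
    """Size in bytes of what actually gets stored for a given password.

    It is constant, which is why a site hashing properly has no technical
    reason to cap password length.
    """
    return len(bytes.fromhex(store_password(password)["hash"]))


if __name__ == "__main__":
    # Constructed sample passwords for demonstration.
    short_record = store_password("a")
    long_record = store_password("x" * 500)
    print("stored for 'a':", short_record)
    print("hash bytes, 1 char:", stored_hash_length("a"))
    print("hash bytes, 500 chars:", stored_hash_length("x" * 500))
    print("correct login:", verify_password(long_record, "x" * 500))
    print("wrong login:", verify_password(long_record, "x" * 499))
    # Same password, two accounts: different salts, different hashes.
    print("salt makes hashes differ:",
          store_password("same")["hash"] != store_password("same")["hash"])
```

Because the salt is random per account, two users who pick the same password end up with different hashes, so a leaked table gives nothing away about who shares passwords.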


Stallman Schneier Stuxnet Security

If I could be further impressed with my crypto-hero Bruce Schneier, I would be. Richard Stallman, on the other hand, I find myself vehemently disagreeing with for the first time in a long... time.

Siemens Simatic S7-300 PLC photo by Ulli1105 on Wikimedia Commons.

For those who haven't been following, it's been widely reported that the Stuxnet worm was developed by the United States government. Stuxnet took advantage of a vulnerability in Windows and certain Siemens PLCs that Iran used in their nuclear facilities. Of course, it affected plenty of other people as well.

Why am I bringing this up now? Because it's a fascinating look into the brains of two different tech luminaries.

Richard Stallman

Richard Stallman, the champion of the copy-left Free Software Foundation, hasn't made a secret of his political leanings. While I've largely agreed with his stances on warrantless wiretapping, security theater and the like, I was a little disturbed by his take on Stuxnet. From his March-June 2012 archives (emphasis added by me):

Stuxnet was made by the US and was approved personally by Obama.

I don't think such an attack against Iran is necessarily wrong. However, it can backfire.

So the man of uncompromising principles lets slip that he condones state sponsored attacks, despite even admitting they can backfire. Not only that, this remark is included on the same page where he asks for diplomacy to resist "being pressured into war".

Hacking a foreign government's computers constitutes diplomacy and doesn't pressure us into war? For once, I find myself unimpressed sir.

Bruce Schneier

Let's take the other side. In the context of proposing a cyber security treaty, Bruce Schneier appealed for restraint in one of his recent posts, which serves as a useful counterpoint to Richard's stance.

We're in the early years of a cyberwar arms race. It's expensive, it's destabilizing, and it threatens the very fabric of the Internet we use every day.

Specifically regarding Stuxnet, he addresses my concerns exactly. Forgive the large blockquote, he just lays it out perfectly here.

[C]ountries are engaging in offensive actions in cyberspace, with tools like Stuxnet and Flame.

Arms races stem from ignorance and fear: ignorance of the other side's capabilities, and fear that their capabilities are greater than yours. Once cyberweapons exist, there will be an impetus to use them. Both Stuxnet and Flame damaged networks other than their intended targets. Any military-inserted back doors in Internet systems make us more vulnerable to criminals and hackers. And it is only a matter of time before something big happens, perhaps by the rash actions of a low-level military officer, perhaps by a non-state actor, perhaps by accident. And if the target nation retaliates, we could find ourselves in a real cyberwar.

Richard Stallman and a growing cohort of technically minded people don't necessarily see a problem with exploiting security holes for political reasons, even if they acknowledge the potential for escalation and "collateral damage".

I find that... disturbing.


My letter to Westpac about a PayPass debit card

Got a replacement bank card in the mail today with PayPass. For those interested, here is my letter I sent to Westpac this morning!

Sean Livingstone
Bank Manager, Westpac Surry Hills
547 Crown St
Surry Hills NSW 2010
Australia

Dear Mr Livingstone,

Replacement card without PayPass

I recently received a replacement Debit MasterCard in the post. Unfortunately, I was disturbed to read this in the welcome letter:

Your new Westpac Debit MasterCard with PayPass has arrived

Your current Westpac Debit MasterCard is due to expire at the end of the month, so we're pleased to present you with its replacement which now includes the security of CHIP technology and the added convenience of the latest in contactless payment technology.

As an IT student and developer with experience in wireless technologies, I have informed and severe reservations about bank cards with embedded antennas, let alone one that's tied to my daily checking account.

I would like to request a new replacement card without the SmartPay antenna, as you issued me with previously. Otherwise, I suppose a delicate scalpel job to sever the antenna from the CHIP may be in order.

I appreciate your understanding,

Ruben Schade

For some reason I got into the habit years ago of using Kallen to hold legal letters. I think it started with this in 2009!


An alternative reason for security theater?

An AC on Slashdot, so take with a grain of salt:

Do you want to know why the government continues with it even though [security measures don't] work? It's because insurance rates for airports and airlines would go through the roof if we didn't have this in place. [..] Our lives are governed by actuarial tables.

I hadn't ever thought about this, but I wouldn't be surprised if it were true. Certainly the airlines themselves have a business interest in not having these carcinogenic full body scanners and sexual harassment, because they discourage people from traveling.

For the record, security theater was a term coined by my hero Bruce Schneier to describe security measures that are entirely for show, without any benefit.


I was wrong about Google Street View

In 2011 I discussed how I was giving Google the benefit of the doubt regarding their harvesting of open WiFi data, and that it was consumer network hardware manufacturers that should be working to protect consumers. I was... at least partly wrong!

Uh-oh

From my Google's non-existent whitelists... exist post I wrote on the 11th of March 2011:

Take the street view controversy. While I think Google engineers were short sighted by not closely studying the source code of the software they put on their trucks and drove around the world, I don't believe they did it maliciously.

Unfortunately, we now know that isn't true. From Stilgherrian:

So, you know when Google’s Street View cars, the ones taking photos down every street, were also accidentally scooping up people’s unencrypted Wi-Fi traffic? Turns out the engineer who wrote the software did it deliberately, and his boss knew he did.

The European Union isn't impressed, and may reopen their case against Google. To quote John Gruber:

Uh-oh.

The infamous Linksys WRT54G

But the networks were open!

Back when this controversy started and people were blaming Google for stealing people's data, I read an equal number of posts from other bloggers blaming people for having open wireless networks in the first place. I acknowledged this:

These signals were being broadcast in the open, and while the scale of Google's downloading may warrant further scrutiny, it skips the real issue that people are still broadcasting unencrypted data out of their homes for anyone to gain access to.

Still, I didn't go as far as to blame consumers.

Rather than blaming consumers (which is always an easy thing to do) however, I place the blame on network hardware manufacturers for selling devices that didn't make this clearer.

Unfortunately, we now know that hardware manufacturers attempted to make security easier for consumers by implementing WPA2 standards, and in the process introduced a security vulnerability so severe it bypasses the otherwise strong encryption used by them. All of course except Apple, and I remember people chewing me out for having an Airport Extreme base station... heh ;D.

Regardless, there are a lot of issues at play here, not least the ethics of some Google engineers. Any company can/does have rogue players, but the key is transparency. Only disclosing this now rubs me the wrong way, a little.


You can just skim this DBS ATM story

Two follow-up stories on my post regarding the DBS/POSB ATM saga. Encasing my NETS card in lucite!

Photo by the writer of Some things to Remember.

Notifications

From Channel News Asia, posted yesterday evening:

SINGAPORE: DBS Group Holdings chief executive Piyush Gupta said the bank will provide SMS alerts for ATM withdrawals beyond a certain amount or when it detects unusual transaction activity.

The move comes after 400 customers fell victim to a card skimming fraud where S$500,000 was withdrawn from their bank accounts without their authorisation over two days on January 4 and 5.

On the surface this sounds like great news, and I applaud it.

What worries me are the dates reported. If you'll recall, in my last post the article I quoted said the skimming took place last November. An honest mistake, or have there been more incidents since? And if so, I'm sure other banks have been affected too... are DBS/POSB the only ones fessing up?

Give us better security!

Whatever the case, it seems consumers are starting to demand better security which makes nothing but sense:

SINGAPORE: Most Singaporeans Channel NewsAsia spoke to said they will continue to use ATMs despite the latest fraud which hit 400 POSB and DBS customers this week.

However, they said they expect the bank to beef up ATM security to prevent a similar incident in the future.

Of course, they have reservations about security that should sound familiar to those setting up any secure IT infrastructure:

"Change the PIN number? But I'm afraid I can't remember the number," said one customer.

"Everyone has so many numbers to remember, so many passwords to remember. I think it's difficult," said another.

Leaving aside the fact that changing PINs wouldn't have prevented this fraud unless they were changed after every single transaction, one can't help but think there has to be a better way.

In the meantime, our old buddy education will have to be employed. The onus should be on banks to inspect their ATMs more thoroughly and regularly for tampering, but consumers should also be made aware of how to spot fraudulent modifications, just as they would look out for suspect email. The fact Singaporeans have largely been spared the onslaught of skimmers in the past may be a fact that works against them.


Telstra customers exposed, again?

Suzanne Tindal writing for ZDNet.com.au:

The Australian and Music Feeds this morning flagged a spreadsheet, containing around 1500 BigPond email addresses, postal addresses and telephone numbers, that was freely accessible online. [.. Telstra] believed that the spreadsheet had been created by a consultant to use in training, and not for a malicious purpose.

It's often the case privacy and security breaches occur as a result of unwitting users, rather than someone malicious on the outside. In any event, at least they didn't display cleartext passwords again, right?