mitm key

Wed, Nov 16, 2016
tech #MITM #security

To continue my MITM attacks theme - someone has just release a nice USB key that ransacks your PC - Ars Technica has a good write up.

This kind of thing is very dangerous as it’s really easy to get people to put USB keys into computers! I’m currently writing a longer article on the (many) ways to MITM TLS to help explain how easy it is!

malware and https

Fri, Nov 11, 2016
tech #security #banks #malware

I’m often heard worrying about the state of HTTPS and the ease to get users to do things that make it basically not function - but I’ll admit evidence of real world attacks is thin on the ground. There is a systematic reason for the lack of information - if a hacker uses a Man-In-The-Middle (MITM) technique to hack HTTPS there is very little evidence left and all thart will happen is the stolen data will turn up in a list at some point in the future. It’s nearly impossible to correlete the HTTPS hack and the stolen data - as it could have been stolen in dozens of places.

I was therefore delighted to see an article on WeLiveSecurity about the retefe malware (for the record I was not deligthed about the malware existing, but about the fact people are starting to notice this kind of thing exists). What we see this malware is a systematic attempt by an organized hacking group to break into people’s bank accounts.

Some key characteristics that should alarm everyone

  • They are targeting a huge list of banks (see below)
  • They have both PC and app based attacks
  • They are defeated 2 Factor Authentication by tricking the user into entering data

We often hear, when companies get hacks, the attack was sophisticated - often it is nothing of the sort. But in this case it is - this requires organization, planning and paitence - this is not a teenager in a bedroom, but an organized group setting out to earn substantial sums over time.

The worrying thing is this could become a lot more prevelant. Web browser security is focused on solving the problem of ‘how does the consumer browser trust the server’ not ‘how does the server trust the user’. Some companies (shameless plug) like Irdeto are looking at this - but mostly it’s being ignored.

Why is is being ignored?

I’d propose the main reason this is being ignored is the difficulty measuring the attacks. If you steal credit card data (for example) via such an attack it will simply show up on a list of stolen cards. There is no was to attribute where the card came from, it could have come from the bank, any merchant who’s processed that card, shoulder surfing or a dozen other sources. In theory with enough data you may be able to correlete a cause, but banks don’t tend to share such data in a useful way so we can’t produce analysis of where things were stolen from. An indivual bank is not in a good position to do the analysis as you’d have to correlete across multiple attacks.

I’d advocate for much greater sharing of detailed (not just a press release) of attacks to allow the whole security industry to try and find the patterns and to start blocking these attacks!

List of targeted domains

  • *.facebook.com
  • *.bankaustria.at
  • *.bawag.com
  • *.bawagpsk.com
  • *.bekb.ch
  • *.bkb.ch
  • *.clientis.ch
  • *.credit-suisse.com
  • *.easybank.at
  • *.eek.ch
  • *.gmx.at
  • *.gmx.ch
  • *.gmx.com
  • *.gmx.de
  • *.gmx.net
  • *.if.com
  • *.lukb.ch
  • *.onba.ch
  • *.paypal.com
  • *.raiffeisen.at
  • *.raiffeisen.ch
  • *.static-ubs.com
  • *.ubs.com
  • *.ukb.ch
  • *.urkb.ch
  • *.zkb.ch
  • *abs.ch
  • *baloise.ch
  • *barclays.co.uk
  • *bcf.ch
  • *bcj.ch
  • *bcn.ch
  • *bcv.ch
  • *bcvs.ch
  • *blkb.ch
  • *business.hsbc.co.uk
  • *cahoot.com
  • *cash.ch
  • *cic.ch
  • *co-operativebank.co.uk
  • *glkb.ch
  • *halifax-online.co.uk
  • *halifax.co.uk
  • *juliusbaer.com
  • *lloydsbank.co.uk
  • *lloydstsb.com
  • *natwest.com
  • *nkb.ch
  • *nwolb.com
  • *oberbank.at
  • *owkb.ch
  • *postfinance.ch
  • *rbsdigital.com
  • *sainsburysbank.co.uk
  • *santander.co.uk
  • *shkb.ch
  • *smile.co.uk
  • *szkb.ch
  • *tescobank.com
  • *ulsterbankanytimebanking.co.uk
  • *valiant.ch
  • *wir.ch
  • *zuercherlandbank.ch
  • accounts.google.com
  • clientis.ch
  • cs.directnet.com
  • e-banking.gkb.ch
  • eb.akb.ch
  • ebanking.raiffeisen.ch
  • hsbc.co.uk
  • login.live.com
  • login.yahoo.com
  • mail.google.com
  • netbanking.bcge.ch
  • onlinebusiness.lloydsbank.co.uk
  • tb.raiffeisendirect.ch
  • uko.ukking.co.uk
  • urkb.ch
  • www.banking.co.at
  • www.hsbc.co.uk
  • www.oberbank-banking.at
  • wwwsec.ebanking.zugerkb.ch

Web of distrust

Wed, Nov 9, 2016

The Register are reporting a browser extension for web of trust has been caught stealing and harvesting browser history.

This underlines the risk browser plugins carry - they often can ‘see’ everything you’re browsing on the web and can send that data back to their developers. Most plugins are harmless and do what they say - but there is very little stopping ‘bad actors’ adding malicious code.

Another potential risk is a 3rd party ‘buying’ an existing plugin, imagine how many developers would happily sell their plugin for a few thousand dollars, they can then ‘update’ the plugin with malicious code and most users would never note.

The plugin stores do attempt to prevent this - but it’s going to be nearly impossible for them to stay ahead of all hackers.

Google not fixing Android Dirty Cow Yet

Tue, Nov 8, 2016

It’s become fashionable to give security defects ‘cool’ names like Heartbleed, the latest is Linux’s ‘Dirty Cow’. This is quite a major bug as it allows any user/app on a linux device to get ‘root’. Linux has now got a patch, but interestingly Google have delayed the patch for Android by a month.

It’s worth thinking a bit about what that ‘could’ mean…

  • Any android app on your phone can now do anything - all those permissions mean nothing to an app using this exploit
  • Google may be able to stop apps doing this getting through the Google App store - but they probably can’t stop them all
  • As a user there is nothing you can do to secure your phone/tablet

So all those apps you use on your phone are now vulnerable - even the best software security can only hinder an attacker with ‘root’ permissions on Android. That means if any developer, of any app on your phone, decides they want to do things like capture your online banking passwords, pretend to be in you in any app or engage in any mischief they want.

In all likelyhood most apps won’t try this - but it only takes one and all the stuff on your phone is exposed.

So what should be done, should consumers be demanding google patch quicker (probably), but we should also be demanding app vendors secure their own apps as much as possible and we should all be aware that IT security is always falible. There is no such thing as perfect security only ‘good for now’ security!

Booth eye tracking

Wed, Oct 26, 2016
tech #does-it-exist-yet

Recently I was at a Trade Show (Money 2020 in Las Vegas) and was wondering how effective the booth designs were at getting people’s attention. There seem to be a number of apporaches people try

  • Big Pictures to grab attention
  • Videos on loop explaining stuff
  • ‘Gimmicks’ on the stand
  • Live Talks
  • Text explaining products
  • Slogans explaining mission

What’s not clear to me is which of these actually work. Annecdotially you can watch people go buy and see what they look at, and then observe who engages. But it struck me that it should be possible to do this more scientifically.

Eye tracking has been around for many years in website testing and a few companies can do it now with simply a web cam (no headsets on the people being tracked). So why not mount 1 or two webcams on the booth and try and video people passing by to gather some real data on what is catching people’s attention.

I had a quick google, and it doesn’t look like such a product exists today, there are some libaries that may help you build such a solution (you’d need to combine face tracking and eye tracking tools). I suspect event organizers and shops would love such technology.

Why is there such a thing as default passwords?

Wed, Oct 26, 2016
tech #security #iot

Why in 2016 are people still shipping software and devices with default passwords? The recent IOT/Botnet that broke large chunks of the internet was entirely avoidable if the devices had been shipped without default passwords.

This is perfectly within the capability of a device manufactuer - even British Telecom (who have many many issues) have been shipping their devices with randomized passwords printed on a sticker on the device for years. It’s not hard to do that! With software it’s even easier you just force the user to pick a password and don’t ship them with admin/password or whatever you’ve decided is good enough.

I’ve seen some commentry that it’s the consumers fault, as they should change the passwords. This is a very wrong-headed response in my opinion. People are busy, people don’t understand the tech they use and people don’t read instructions books or change passwords in menus that are hard to find. It’s simply bad user interaction design to create a system that requires consumers to do anything to be secure.

Maybe it’s going to take a government regulator to simply ban devices shipped this way, you’re not allowed to ship a device that electrocutes people - so why are you allowed to ship one that exposes all of us to these risks.

Will PSD2 revolutionize banking?

Sun, Oct 23, 2016
fintech #payments #psd2

There has been quite a lot of excited commentary about how PSD2 will revolutionize the banking industry, so I thought it was worth a bit of analysis to see what the actual outcome is likely to be.

What is it

PSD2 is a EU directective aimed at

  • Forcing open API’s on the payments industry to open up competition including ability to deliver cross border direct debit
  • Increasing security of payments/banking by mandating ‘strong authentication’ based on multiple factors
  • Better transparency on charges for payments

What are people saying it will mean

A number of commentators are crediting PSD2 with opening up the EU banking market to much more competition from non-banks and between banks. The theory is that these new entrants will use the API’s expose to create new and exciting services that will take marketshare away from banks.

Some of the comments about it’s likely impact are getting quite excitable

For banks, PSD2 poses substantial economical challenges. IT costs are expected to increase due to new security requirements and the opening of APIs. In addition, 9 percent of retail payments revenues are predicted to be lost to PISP services by 2020 . And, as non-banks take over the customer interaction, banks may find it increasingly difficult to differentiate themselves in the market for offering loans. – [https://www.evry.com/en/news/articles/psd2-the-directive-that-will-change-banking-as-we-know-it/]

The main difference will be that we won’t need wallets anymore (eg: Paypal, PingIt) but we’ll simply ask Whatsapp to connect to our bank account and use our fingerprint to accept a payment request from the colleague next door. No need to open 3 different apps, fiddle with 20+ digit long IBAN codes and double check at the cubicle if the payment arrived alright. – [https://www.finextra.com/blogposting/12668/psd2---what-changes]

By breaking from the current banking monopoly, the payment services market will benefit from increased innovation and free-market competition. This, in turn, means that at a minimum, banks will need to reorganize their IT infrastructure and, most likely, will need to refocus part of their business model. For the banking industry, the new payment services established under the PSD 2 is having a tsunami-like effect. For a longtime, the industry had been fighting to avoid this evolution by arguing that such changes would cost a lot of money and would increase security risks. – [https://letstalkpayments.com/the-impact-of-psd-2-explained/]

What will it really do

Let’s test in turn the ideas

Change the way people pay away from VISA/Mastercard/Amex towards direct debit

PSD2 will enable any merchant or PSP to start allowing direct debits as a payment option. This is already a reality in some european countries (e.g Ideal in the Netherlands). PSD will certainly make it easier to allow such an offering.

However

  • The addition of ‘Strong Authentication’ (which many cards don’t do today) could cause issues in the consumers minds - the ‘new’ stuff will look like it’s harder.
  • What’s the benefit to consumers? PSD2 also prohibits card surcharges - so why would someone change their behaviour
  • The authentication scheme looks like it will involve the bank - which will make this a harder payment flow than current payments

A lot will come down to ease of use, but just becuase something can be done, doesn’t mean consumers will change their beviour!

Increase competition

One theory goes that consumers will be able to go to a site (think Money Supermarket), log in and see all their accounts in one place and potentially be told ‘better’ accounts so they are more likely to switch.

This does look possible in PSD2 but I’m not sure it will be that revolutionary

  • Compare it to Electric/Gas where this is possible, still the vast majority of consumers rarely, if ever, switch. People are really not that interested in their finances.
  • Items like Mortgages anchor people to banks, it is extremely non trivial to move a mortgage and most people don’t unless there is a massive saving.
  • The current technical standards for PSD2 don’t appear to lend themselves to a ‘running service’ for this stuff. If I could register all my banks and get notified when a better deal appears that would be great. But PSD2
    • Does not mandate account discovery APIs
    • Does mandate ‘short sessions’ and 2FA via each bank meaning that background services are going to be very difficult

So there will be an effect, but I not sure it will be that revolutionary. Those who already shopped round for financial products will be able to do it easier, those who can’t be bothered, still won’t be bothered.

Increase security

Mandating multi-factor authentication in PSD2 should increase overall security. However it also goes with opening up API’s, so on balance I suspect the securty effect will be neutral. It’s probably worth explaining that

  • Multi-Factor will reduce risk of many classes of hacking attacks on banks
  • Sharing data by API’s will increase the number of organisations who have to get security right to keep your bank data safe

In theory all the organisations involved will be regulated, but regulation does not guarentee security, and if you have a bigger attack surface you probably have more issues. There is, and never will be, such a thing as a totally secure IT system - so if you have more systems you are less secure.

Conclusion

PSD2 is going to a big deal - lots of banks will implement open API’s, strong authentication and be transparent on charges. However I’m not sure it’s going to be enough to drive massive increases in competition. If we compare to other markets which are ‘open’ such as Electric/Gas even 30 years after the market was first opened up, many consumers cannot be bothered to switch. If I had a service that I could sign up to that auto switched my Bank, Electric, Gas based on what’s cheapest that would be really useful. However such a service is not enabled by the PSD2 proposals. Direct payments could be big, but I fail to see what will motivate a consumer to choose that, over the VISA card they already have (especially with the ban on surcharges).

Google Pixel - Initial Review

Fri, Oct 21, 2016
tech #phone #google

I ordered a Google Pixel when they were released as I needed a new personal Android phone and generally the Nexus line has been very good, so I thought I’d try the Pixel.

Some initial comments

  • It looks nice, it compares well to my (work) iPhone 6 from a looks point of view
  • The finger print reader is great, so far much more accurate and quick than my iphone one which seems to be getting slower and slower
  • The USB cable ‘port your phone’ thing didn’t work at all with my old Android Phone (A Moto X). Instead I had to do it via the cloud
  • It’s really quick - both apps and data seem faster that my old phone. Data is a bit odd as am in same place with same signal, but it does seem faster (good job I have unlimited data)
  • The camera is very good (as reported), it won’t be replacing my DSLR for ‘good’ shots, but for quick shots it’s very good.

Overall it looks like a nice phone, I’ll have to use it for a few weeks to see how good it really is!

New Website

Mon, Oct 10, 2016
tech #me #amp #blogging

I’ve decided to finally move this site off blogger. It wasn’t adding much value so I’ve gone old-skool back to static HTML using Hugo.

The site is using a AMP based template so it should be super quick and responsive.