
half serious, half half-serious


File: Security

Security
2008-08-28 :: Kevin Murphy

Lloyds TSB bank stores some customer passwords in the clear. Doh!


 ::  Read on

Paypal, PHP, Security, Web Development
2008-01-20 :: Kevin Murphy

When developing a subscription-based web site using Paypal’s Instant Payment Notification APIs, you have the option to let Paypal create a username/password combination for your user.

When a user has successfully paid, Paypal gives him a username and password, and POSTs them both back to your web server, along with all the other necessary transaction information, which you can then dump into your own subscriber database.

Of course, for very good security reasons, Paypal never gives your script the plaintext password, only a one-way hash of it.

Which is all well and good, except Paypal’s documentation just says that the password is “encrypted”, which is not nearly enough information to verify a password when your user subsequently tries to log in. (Strictly speaking it isn’t encrypted at all: it is hashed, and a hash cannot be reversed to recover the plaintext. That is the whole point of it.)

Obviously, when a user submits a plaintext password with your login form, you need to run it through the same hash function, with the same salt, and check that the result matches the hash Paypal gave you.

And if you don’t know what the function, or the salt, is, you’re screwed.

It took me some time and headaches to figure out how Paypal encrypts its passwords, so I thought I’d post the answer here for any googlers on the same mission as I was.

Paypal uses the Unix crypt() function, which is happily available in PHP. crypt() is a salted one-way hash: a short random salt is mixed in so that two users with the same password end up with different hashes, and the salt is kept with the result so the same computation can be repeated at login time.

In this instance the salt is the first two characters of the hash Paypal sends you, which is how the traditional DES-based crypt() format stores it. You don’t need to store the salt separately.

So, in PHP, you can use a string function such as substr() to get the first two characters from the hash you have in your database.

$salt = substr($databasePassword, 0, 2);

You are then able to hash the plaintext user-submitted password using Paypal’s method, i.e. the same crypt() call with the same salt.

$encryptedPassword = crypt($submittedPassword, $salt);

You can then compare the two to see if they match. Use hash_equals() (PHP 5.6+), which compares in constant time; PHP’s loose == operator is the wrong tool for comparing hashes, because it treats numeric-looking strings as numbers.

if (hash_equals($databasePassword, $encryptedPassword)) {
    // they match
} else {
    // they don't
}
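The check above, written out as a complete script. This is an added example, not code from the original post or from Paypal: it wraps the verification in a reusable function, shows that crypt() will take the whole stored hash as its second argument (it reads the two-character salt from the front itself, so the substr() step is optional), and demonstrates two properties of the traditional DES crypt() scheme that are easy to miss. The passwords and the stored hash are constructed values; in a real deployment the stored hash is the one your IPN handler saved from Paypal’s POST.

```php
<?php
// Added example (not from the original post or Paypal). Verifies a login
// password against a crypt()-style hash of the kind Paypal IPN delivers.
// All passwords and hashes below are constructed for the demonstration.

declare(strict_types=1);

/**
 * Verify a submitted plaintext password against a crypt() hash.
 *
 * crypt() reads the salt from the hash itself: for a traditional DES hash the
 * salt is the first two characters, and for the modular $1$/$5$/$6$/$2y$ formats
 * it also carries the algorithm and cost. Passing the whole stored hash as the
 * "salt" argument is therefore equivalent to substr($stored, 0, 2) for DES
 * hashes and keeps working if the hash format ever changes.
 */
function verify_crypt_password(string $submitted, string $stored): bool
{
    $candidate = crypt($submitted, $stored);
    // crypt() signals an unusable salt with a short "*0" / "*1" result.
    // A DES hash is always 13 characters; treat anything shorter as a failure
    // rather than letting it reach the comparison.
    if (strlen($candidate) < 13) {
        return false;
    }
    // Constant-time comparison (PHP 5.6+). Never use == or != on hashes.
    return hash_equals($stored, $candidate);
}

/** The salt extraction from the post, for a traditional 2-character DES hash. */
function des_salt(string $stored): string
{
    return substr($stored, 0, 2);
}

/** Tiny check helper so the demonstration fails loudly instead of silently. */
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// --- Demonstration with constructed values ---------------------------------
// In production $storedHash comes from your subscriber database (the value
// Paypal POSTed to your IPN script). Here it is produced locally with salt "ab".
$storedHash = crypt('correct horse', 'ab');

check(des_salt($storedHash) === 'ab', 'salt is the first two characters of the hash');
check(verify_crypt_password('correct horse', $storedHash), 'correct password verifies');
check(!verify_crypt_password('wrong horse', $storedHash), 'wrong password is rejected');

// Caveat 1: traditional DES crypt() only uses the first 8 characters of the
// password. Anything longer verifies as long as its first 8 characters match.
check(
    verify_crypt_password('correct horse battery staple', $storedHash),
    'DES crypt() ignores everything after the 8th character'
);

// Caveat 2: the same password with a different salt gives a different hash,
// which is why the salt must be taken from the stored hash, never hard-coded.
$otherHash = crypt('correct horse', 'cd');
check($otherHash !== $storedHash, 'different salt, different hash');
check(verify_crypt_password('correct horse', $otherHash), 'still verifies with its own salt');

// A malformed stored value (bad salt characters) must fail closed.
check(!verify_crypt_password('correct horse', '!!'), 'invalid salt is rejected');
```

Run it with `php verify.php`. The 8-character truncation is worth knowing about if you let users change the Paypal-issued password later: anything you store yourself should use a modern scheme such as password_hash(), and the DES hash should only ever be used to verify the initial credential Paypal handed out.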

I hope this will ultimately be helpful to somebody.


 ::  Read on

Apple, Journalism, Security, Techdirt, Unemployed, Web 2.0
2007-12-22 :: Kevin Murphy

About a year ago, I made a bunch of “unusually specific security predictions for 2007”. Given I’m no longer technically in the industry, I have no real business following up on this, but what the hell.

Here are the predictions I made, with a quick review of each one.

* Apple forced to ‘Do a Microsoft’. I’m not a Mac user, but if Apple’s attitude to its operating system security is as lousy as its attitude to Quicktime security, then the company will have to start taking security disclosures and updates a little more seriously soon or face the same kind of backlash Microsoft did five or six years ago. There will be one or two big Apple security incidents in 2007, and its reputation for being more secure than Windows will erode. If the company is smart (and I’m not claiming it is), it will start being more like Microsoft when it comes to security. Apple fans will support the company regardless of what it does.

Hit? Miss? Apple had a shitload of security problems this year, whether it was the iPhone unlocking debacle, dodgy patches, or the seemingly incessant series of Quicktime problems, but I’m not convinced the company has learned its lesson yet.

* Patch Tuesday goes cross-vendor. I’m getting sick and tired of having to patch-and-reboot several times a month, whenever an application I’m running needs updating. It would make a lot of sense for users if software makers started pushing out patches coordinated with Microsoft on Patch Tuesday. I’m surprised this hasn’t happened already. I think it will start slowly. In Microsoft Update, Microsoft will publish links to recent patches for third-party Windows applications, starting with popular applications such as Acrobat Reader or Quicktime (which really shouldn’t need to have their own irritating update managers). Eventually, Microsoft will also offer to directly bundle and deliver these third-party patches to end users, but not until the cost, legal, testing and support issues have been ironed out.

Miss. I still think it’s a good idea though.

* Sales of Norton Confidential will be miserable. Few people will want this Symantec product. Most of the interesting features are already in the browser or existing security software. There won’t be a 2008 version.

Hit! While I have no idea if Confidential sold well or not, there is not a 2008 version, so I’m going to assume I was on the money with this one.

* A worm will spread through mashups. As more web services are mashed up via open APIs, hackers will find that compromising a single site can help spread malware to thousands of users via dozens of mashup sites. It’s not unprecedented. They’ve done it with banner ads before now. In 2007, they’ll do it via these newfangled web services APIs too.

Miss. Hackers clearly aren’t as inventive as I supposed. Only a matter of time though.

* TechCrunch will get hacked. During 2007, somebody will break into TechCrunch and post a fake item, probably about some two-man startup with a silly name being acquired by Google for a ridiculous figure. It will show up in the feeds but not on the front page. Robert Scoble and/or Om Malik will repeat the news on their own blogs. Dozens of B-list and C-list bloggers will repeat the item. One B-lister will notice more spelling mistakes than usual in the TechCrunch post, and speculate on its authenticity. TechCrunch will notice the fake item and delete it. Scoble/Malik will correct their items. Player-haters will say the incident proves A-list bloggers cannot be trusted. A-listers will respond that the fact that the item was removed so quickly shows that the blogosphere is intrinsically self-correcting. Tom Foremski will write a think piece about the fragile nature of truth and reality in a metaconnected social mediasphere. This will all happen in the space of three hours. A week later, the San Jose Mercury News, the New York Times and the Wall Street Journal will carry a lengthy piece on the incident. Nothing of value will be learned.

Miss. At least, I think it is. I didn’t read any of the aforementioned blogs for most of the year. Of course, it was only a half-serious prediction anyway.

* VoIP security will get reality-checked. At some point in 2007 the security industry’s collective consciousness will realize that a hacker using VoIP to call somebody up and ask for their PayPal password is not a VoIP security problem, it’s a user IQ problem. Similarly, we will realize that VoIP spam is not a VoIP problem, it’s a telemarketing problem. (As soon as these facts are raised on C|Net, this prediction can be considered accurate.)

Looks like a miss. At least based on the C|Net test. But News.com has been pretty blah on security for most of the year, so I’m not going to lose sleep over this. Now I think about it, getting a reality-check from a publication that renamed their security section “Threats” was probably overly ambitious.

* Prevx, DriveSentry and Sana Security will get acquired. These endpoint security firms have good ideas and decent technology, but consumers and enterprises really don’t need any more damn security applications on their desktops. These firms will all get bought by antivirus vendors.

Miss. Miss. Miss. Boy do I suck.

* NAC will remain “almost there”. In the last quarter of 2007, at least one article will be published in a widely read trade rag in which a vendor or analyst claims that network access control technologies are “almost ready for the mainstream”, or “ready to go beyond the early-adopter phase”, or words to that effect.

This is probably a hit, but I’m not going to do the legwork to verify it.

* Google will get whacked by its first major security incident. I don’t know what it will be, but Google is long overdue for a major security incident. Sure, it’s had its fair share of minor security blushes, but 2007 will be the year for the biggy. It’s too big a target to not get whacked sometime soon. We’re talking massive user privacy compromise, significant service downtime, major data theft. Something like that. Noticeable enough to go front-page and freeze its share price climb for a few days, at least.

Well, fuck me if it isn’t another miss.

* In December 2007, security reporters will be flooded with press releases about security predictions for 2008. I’m ending with the easy one. This is guaranteed to happen. 100% probability. Trust me.

Well, I haven’t been a security reporter since November 30, so I can’t accurately verify this. But trust me, it’s true. Hit.

So, this is like 3 or 4 out of 10.

Clearly, I was a terrible security reporter, and the industry is better off without me.


3 comments  ::  Read on

Black Hat, DefCon, Hackers, Journalism, Security, TV
2007-08-03 :: Kevin Murphy

[Image: Michelle Madigan off of the telly]

There are two reasons why I don’t bother staying around for DefCon after Black Hat is over.

The first and most important reason is that most of the good newsworthy presentations at DefCon are, in my limited experience, just rehashed Black Hat talks. The wheat/chaff ratio leans too much toward the latter.

The second is that DefCon appears to really dislike reporters, which makes the socializing side of the conference experience really uncomfortable, and almost unbearable for borderline autistics such as myself.

Which is why this story, about some “undercover” Dateline reporter getting pwned at DefCon is not particularly surprising.

DefCon doesn’t like the media.

I was surprised, and frankly offended, when I first attended DefCon to be told that not only would I have to pay for my press pass, but that I would also have to agree to abide by a full page of rules.

Basic stuff like, from memory, “identify yourself as a reporter before interviewing on the record”.

That really pissed me off.

DefCon wants to tell me how to do my job?

I’d sooner accept ethical guidance from a PR guy [optional smiley].

But, strangely, in the case of Dateline’s Michelle Madigan, I find I’m on the geeks’ side. And I think it’s because it’s the appalling state of TV news journalism in the US that makes life difficult for the rest of us.

It’s hacks like Madigan that give geeks good cause to hate us.

I know this because one of the presentations I caught at DefCon a few years back was called “How to Hack the Media”. Delivered by some guy in a greatcoat who was trying to look like a cross between Neal Stephenson and The Crow, if I recall correctly.

I was naively expecting some ingenious lecture about viral public relations or social engineering — how to “hack the media” to place a story, in other words — but what I got could be described as a “Media Training 101” for non-corporate geeks.

A lot of it was reasonable advice. Such as, from memory again, “Just say whatever it is you need to say to advance your case, regardless of what the reporter asks. The reporter just needs a quote, so they’ll use whatever you give them.”

Fair enough, given the audience, but absolute horseshit as far as the way I operate. If you spout bollocks to me, it doesn’t get printed, simple as that.

The main reason I sat through the whole thing was I was amazed by the contempt that the speaker seemed to have for “the media”.

It was pretty clear by the end that he was mainly talking about TV news people, especially local TV news people, but that he was lumping us all together as “the media”.

That really pissed me off too.

Many reporters go to conferences like Black Hat and DefCon because listening to, for example, Dan Kaminsky talk about how he hacked the public DNS infrastructure to stream audio is about 100 times more interesting than listening to some company talk about their latest firewall.

Hackers — we’re not all out to misrepresent, misquote and humiliate you. Some of us are genuinely interested in what you’re doing.

As an aside, I’d like to say that I think the idea of Dateline sending a hot blond chick to DefCon “undercover” is the kind of retarded move that I would expect from a TV hack.

I mean, really, come on.

She would have stuck out like… like… like a hot blond chick in a room full of hackers.


1 comment  ::  Read on

Domains, Security
2007-07-30 :: Kevin Murphy

I think I’m probably right in guessing this guy is trying to scam me into buying “my” brand in dot-cn. The email has full phone and email contact details, giving it an air of legitimacy.



But it is trying to sell me the .cn version of a .com domain, namely computerwire.com, of which I am not and never have been the registrant. I merely have an email address @computerwire.com.

Dear manager:

This is Shanghai JinYue Network Technological Inc , which is the oversea domain name register center in China authorized by our government . On 30th July. we received KINGSAN Investment company’s application,they want to register “computerwire” as Internet Brand and CN domain name. But after checking I find this domain name conflict with your company , so I send you email ,and want to confirm whether your company have authorized KINGSAN to register or not .
I’m looking forward to hearing from you!

John Zhou

China Internet Domains Accredited Registry:
Shanghai JinYue Network Service Co.,Ltd

Tel:+86(0)XXXXXXXX
Fax:+86(0)XXXXXX
Email: XXXXXX
Internet:www.cniigov.cn

As you can see from the many comments on this post, I am far from alone in receiving this likely scam.


197 comments  ::  Read on

365 Main, Blackout, Dinosaurs, Ninjas, Security, Silicon Valley, Web 2.0
2007-07-24 :: Kevin Murphy

As widely reported, the big data center at 365 Main in San Francisco has suffered some major downtime this afternoon.

Essential services such as Livejournal, Second Life and Technorati have been disrupted.

People are speculating about what happened, and why 365 Main’s backup didn’t kick in.

Well, I’ve got the scoop from a source close to the company:

A ninja T-Rex came in totally stoned out of his box, got angry, went berserk, and fucked up a lot of stuff. He’s eaten at least 40 racks and about half the staff have been killed or seriously injured. We await the arrival of SWAT and/or Sam Neill.

I’m sure 365 Main will deny that such a thing could ever happen. And, conveniently, the neighborhood is having power troubles, too.


1 comment  ::  Read on

Comedy, Security
2007-07-08 :: Kevin Murphy

David Mitchell and Robert Webb with an interesting take on identity theft, from BBC Radio 4’s That Mitchell & Webb Sound.


2 comments  ::  Read on

Security
2007-07-03 :: Kevin Murphy

I just finished reading Richard Dawkins’ The Selfish Gene — great book — and found this passage on computer viruses in the endnotes to the 1988 edition that I thought was interesting.

The danger is that an arms race will develop, with each advance in virus-prevention being matched by counter-advances in new virus programs. So far, most anti-virus programs are written by altruists and supplied free of charge as a service.

But I foresee the growth of a whole new profession–splitting into lucrative specialisms like any other profession–of ‘software doctors’, on call with black bags full of diagnostic and curative floppy discs.

I use the name ‘doctors’, but real doctors are solving natural problems that are not deliberately engineered by human malice. My software doctors, on the other hand, will be, like lawyers, solving man-made problems that never should have existed in the first place.

In so far as virus-makers have any discernible motive, they presumably feel vaguely anarchistic. I appeal to them: do you really want to pave the way for a new fat-cat profession? If not, stop playing at silly memes, and put your modest programming talents to better use.

Not a terribly bad prediction of the early few years of the 21st century computer security situation, imho.

Probably a bit dated now, though, with any anarchistic motives almost completely replaced by equally ruthless capitalism.


 ::  Read on

Law, Porn, Security
2007-06-06 :: Kevin Murphy

This makes me despair for the American legal system.

Julie Amero, the substitute teacher found guilty of showing pornography to children, has been granted a retrial, which will in all likelihood exonerate her of all charges.

This is a disgraceful abuse of judicial power by a clearly activist judge.

Amero was convicted fair-and-square by a jury of her peers, and in my view should have been handed the full 40-year custodial sentence.

She should have got a life sentence. Throw away the key. Better yet, melt the key down, feed it to a dog, then throw away the dog.

There are some who say that the pornography was popped up by spyware on an inadequately protected public school PC.

I say: So what if it did?

Teachers have a duty of care to protect their students from the life-destroying and dangerous effects of a fleeting glimpse of naked flesh, and 40 years to life would be a frankly lenient punishment for those who have the audacity to walk into this nation’s classrooms without a postgraduate degree in information security.

Prison is too good for these scum.


2 comments  ::  Read on

Apple, Security
2007-05-30 :: Kevin Murphy

Steve Jobs must be out of his box if he thinks iTunes on Windows is “like giving a glass of ice water to somebody in hell”.

Only if we’re talking about Dante’s version of hell, mate.

iTunes and Quicktime are the two most intrusive, slow, bulky, badly interfaced, confusing, insecure pieces of crap I have on my computer.

Quicktime even seems to have developed the ability to crash my browser and disconnect me from the internet in recent days. It needs patching every three minutes, but doesn’t tell you this until weeks later. You don’t see other media players attempting to launch hostile Javascript when you’re just trying to settle down with a nice bit of feces-related Japanese porn.

I’m sure I can’t be alone in having these applications on my Windows desktop only with extreme prejudice.

Don’t get me wrong, I hate virtually every piece of software I have installed, but there’s a special place in the blackest part of my heart for Apple’s crapware.


1 comment  ::  Read on