Tag: security

  • Password security

    Last year I signed up with Facebook, and the “find friends” page asked me to give them the password to my GMail account so that it could log in as me and look at my list of contacts (address book), then see whether any of those people are already registered. I, however, was disinclined to acquiesce to their request; with my password, they would be able to impersonate me (sending emails on my behalf), intercept incoming emails, and even lock me out of my own account. I’m not saying that the Facebook programmers in particular would necessarily do any of these things, but I prefer to be cautious about handing out that type of information.

    This may seem a bit paranoid, but I read an interesting post today at Coding Horror: A Question of Programming Ethics. Basically, somebody wrote a shareware program called “G-Archiver” that will store a backup copy of your GMail messages on your hard drive; in order for this to work, you obviously have to provide your password. However, it turns out that the program was emailing all these passwords back to the programmer. Oops.

    In fairness, you need to type your password into your computer somehow if you want to get at your email; this could be through a web browser or a dedicated email application (e.g. Outlook Express). So, you have to make the trade-off: whom do you trust? Personally, I’m willing to trust Microsoft applications, although I know that other people disagree. I’m also willing to trust Firefox. However, open source isn’t a panacea; just because something can be read, that doesn’t mean that anyone has actually read it, particularly if it’s obscure. It’s also worth mentioning that the same thing could be done on other platforms (e.g. a Mac); this isn’t a virus, it’s the program doing exactly what it was designed to do.

  • Integrated Windows authentication in web browsers

    A while back, I was setting up an internal website (on a Windows domain with Active Directory), where I needed to identify each person who connected to it. IIS has an option for “integrated Windows authentication”: the idea is that if you’re already logged into the domain then you don’t have to provide a new username and password (or retype your Windows password) because the webserver will recognise you. This is similar to the way that permissions work on a fileserver, and I’ve used the same approach for desktop applications. One scenario is that you might want to use Outlook Web Access internally.

    However, in order for this to work, the web browser actually has to send the relevant information to the webserver. The website doesn’t actually get your password, just your username, e.g. “example.com\john”. Opinions may vary about whether this type of authentication is a good idea; personally, I think it is, because I don’t want people to get into the habit of typing in their password whenever a pop-up dialog box asks them for it. Still, whatever your views, it makes sense to be able to control this setting.

  • The small print of DOOM!

    I was going through the log files on my firewall server today when I saw something odd: my PC was trying to send outbound traffic on port 6667 every 30 seconds. At first I thought that this was for my IRC client, but it wasn’t. Instead, it’s a legacy of the “Sky by Broadband” service that I signed up for last year.

  • Router passwords

    Following up on my recent post about computer security (and my comment about phishing scams being cross-platform), Bruce Schneier has posted an entry about “Drive-By Pharming”. It has a stupid name, and it’s nothing to do with wireless access; there is also some doubt about how feasible the attack vector actually is. Still, it’s worth reading about, because the general principle is important.

  • Tales from the spam folder

    Since my email address is public, I get a lot of spam: typically 100 messages per day. The Outlook 2003 Junk E-mail filter does a decent job of catching most of it, but there are still some that slip through; I also keep an eye on the spam folder itself, in case of false positives. Generally speaking, these messages fall into three categories:
    a) Direct sales for dodgy stuff, e.g. pirate software and viagra pills. (I have no idea whether they actually send the relevant goods to people who type in their credit card details, or just take the money and run.)
    b) Phishing sites, e.g. “this is your bank/PayPal/eBay, please log in via this link to confirm your details”. (If you log into their fake site, they can then impersonate you at the real site.)
    c) Viruses, typically either an attachment or a link to a website with dodgy pop-ups. Sometimes there are messages which try to exploit security bugs (by effectively being a web page themselves), but these seem to be rarer.

  • Computer security

    I see that there’s now a UK version of the “PC vs Mac” adverts. These are pretty similar to the original American versions, although there are fewer UK ones so far. Still, I think that they’re quite funny, and I actually prefer the UK ones, mainly due to the actors involved (Mitchell and Webb); the “I’m a PC” guy is very enthusiastic about his stupid ideas. Sample quote: “Eye of the tiger! Claw of the eagle! Tentacle of the octopus!”

    As a counterpoint to the “Viruses” advert, there’s a Ctrl+Alt+Del strip which offers an alternate theory, and I think that’s also quite funny. (I read that before I’d seen any of the adverts, which may have coloured my opinions a bit.)

    More generally, while I found all these things amusing, and I’m sure that there are plenty of valid reasons for choosing a Mac, I wasn’t particularly convinced by any of the technical arguments involved, particularly when it comes to security. Basically, I think that a lot of this comes down to the way you configure your system, rather than the choice of system.

  • Anatomy of a hack: SBS 2000

    A few years ago (August 2002), my home server got hacked. I dealt with it fairly quickly, but it took me a while to really understand what had happened, because I was more naïve about security in those days.

  • Anatomy of a hack: mail server

    Today I’ve been fixing a problem with my mail server after someone “hacked” (cracked) it. I’m reconstructing the chain of events as best I can, but the causality wasn’t obvious at the time.

    Background: this machine is running Windows Server 2003 SP1 with Exchange Server 2003 SP2.

    A few weeks ago, someone gained unauthorised access to the server over the internet. I’m not sure how exactly, but I suspect that they used a buffer overflow in IIS (since the server runs OWA). The server is up to date with all the relevant security patches, so that shouldn’t be possible, but something obviously went wrong.

  • Digital certificates

    I’ve been taking an interest in computer security recently, and as part of that I’ve been investigating digital certificates, primarily in the context of code signing (e.g. applications/macros/plugins).

    There seem to be two main misconceptions here (at opposite ends of the scale), which are worth addressing:

    1. “If something has been signed then it’s safe.”

    2. “Just because something’s been signed, that’s no guarantee of safety, therefore signing is pointless, and it’s just a way for Microsoft to extort money from people while spreading FUD.” (FUD = Fear, Uncertainty, and Doubt.)
