Category Archives: Computer Security

It’s amazing more email accounts weren’t hacked back in the 2000s

At a tech training session, I wanted to get access to some of my class-related email on the training computer. But I didn’t want to log into my primary email on an open network, or on someone else’s computer at all. I have no idea what they’re logging, whether they’re doing SSL inspection, whether there’s a keylogger on it — probably not, but who knows?

Heck, I didn’t even want to use my own device on the hotel Wi-Fi without a VPN, and that was at least secured by WPA2! (then again…)

I ended up forwarding the extra class materials to a disposable email account and logging into that one. No risk to other accounts if it got sniffed, at any level.

But I remembered how we all used to get at email when traveling back in the early 2000s, before smartphones, and before every laptop and every Starbucks had Wi-Fi:

Internet Cafes.

We’d walk into a storefront and rent time on one of their computers. Then we’d go to our webmail site and type in our primary email login and password over plain, unsecured HTTP without TLS.

I’d never do that today. Admittedly, I wouldn’t need to in most cases — I can access my email wirelessly from a device I own that I carry in my pocket. (Whether that’s a good thing remains up for debate.)

But more importantly, we know how easy it is for someone to break into that sort of setup. Even if your own devices are clean, someone else’s computer might have malware or keyloggers or a bogus SSL cert authority on their browser to let them intercept HTTPS traffic. An HTTP website is wide open, no matter whose device you use. And an open network is easy to spoof.

So these days it’s defense in depth: If it needs a password, it had better be running on HTTPS. If I don’t trust the network, I use a VPN. And I really don’t want to enter my login info on somebody else’s device.

Rogue One (Star Wars) and Imperial IT (SPOILERS!)

I liked Rogue One: A Star Wars Story quite a bit. Despite having a very different tone from either the original trilogy or the prequels, it’s still recognizable as a Star Wars film, and successfully weaves in and out of the events leading up to A New Hope.

There’s a somewhat odd setup for where they actually find the Death Star plans, though. SPOILERS after the cut:

Continue reading

Amazon Apps won’t Install on Android? Check Screen Dimmers

I mostly use the Google Play Store on my phone, but I have a few apps through the Amazon App Store. I recently found that I couldn’t update them — or the store itself. I could tell it to download the app, but at the point that I was ready to review the permissions and click on Install, the Install button wouldn’t respond. At all. Nothing. Cancel worked. Everything else worked. But not that one.

A forum thread pointed me to screen management apps. Lux, Twilight, etc. – the kind of apps that will alter your screen to red-shift it at night, or adjust brightness below the range of the screen’s backlight.

Sure enough, I disabled Lux from the pull-down, and the Install button worked. Once the update was done, I re-enabled it. Just an extra two seconds of work before and after.

It probably happens on other third-party app stores and stand-alone installers as well.

The cause wasn’t completely clear from the discussion thread, but reading between the lines and adding my knowledge of software and web development suggests that it’s a security issue: Apps like Lux and Twilight work by altering the appearance of the screen (“draw over other apps” permissions). It makes sense that Android would prevent installation (outside of its own privileged update system, anyway) actions when it can’t be sure that what the user sees is actually an Install button.

Imagine a malicious app that overwrites the screen to hide an Install button under something more benign. In web development, we call this clickjacking.

Anyway, that’s the issue and the workaround, and why I think it hasn’t been fixed in all this time: Fixing it would open up a security vulnerability.

Fortunately, the workaround is pretty easy!

Update: It occurs to me that Facebook also requires the “draw over other apps” permission, which was why I finally uninstalled it. I expect that might cause issues if chat heads are visible when you try to install/update an Amazon app.

Pingback Problem: 162K WordPress Sites Tricked into DDoS

It’s always annoying when someone figures out a way to exploit intentional behavior, especially when it’s a key part of the design.

Sucuri reports on a denial-of-service attack that used thousands of legit WordPress sites to distribute the attack by sending fake pingbacks “from” the target site to all of the reflectors. Those blogs would all contact the targeted site to confirm the pingback and retrieve a title and summary…all at once, overwhelming it and taking it offline.

The quick-and-dirty solution is to remove XML-RPC functionality, but that also breaks certain plugins (like Jetpack) and the ability to connect to your blog using the WordPress mobile apps.

A little background on why Pingbacks work this way:

Waaaay back in the early days of blogging, most bloggers would interact by way of comments. If you wrote a blog post, and I was inspired to write a response, I would then go over to your site and post a comment letting you know about my own post. Two systems were proposed in 2002 to automate this process: pingbacks and trackbacks.

  • Trackbacks sent a complete summary to the remote blog, including the title of your post, the link, and an excerpt (which you could manually craft, or let your software handle).
  • Pingbacks sent a notice — a “ping” — to the remote site with the URL of your post, and then the remote site would retrieve it and extract the title and a summary.

This was also around the time that blog comment spam and spammy blogs were getting to be a big problem. What would happen is a spamming site would send out trackbacks to as many sites as possible claiming that they’d responded to some post, thereby getting backlinks on a zillion blogs and increasing their page rank. Pingbacks had an advantage: Because you were calling back already, your server could check to see whether the other site really had linked to you. It took a long time, but eventually this escalated into spammy blogs creating a temporary post with real links to the pages they pinged, then replacing it with a spam page after a short amount of time.

The problem now is: How do you block abuse of an as-designed behavior? That’s happened before: Back in the early days of the internet, it was considered polite to run your mail server as an open relay and rude to lock it down, but after spammers started massively abusing them, an open relay became a sign of a sysadmin who didn’t know what he was doing.

The comments on the Sucuri article suggest that Akismet, as a collaborative comment-spam filter, might be able to mitigate this type of attack. Wordfence’s collaborative security filter seems like another system well-positioned to detect it. But if that approach fails, pingbacks might just go the way of open relays.

Update March 18: Akismet has released a new version of the anti-spam plugin that mitigates this problem in two ways:

  1. Spam checks on pingbacks are now done before the verification request is sent, so that once an attack is identified, Akismet will prevent blogs from participating.
  2. An X-Pingback-Forwarded-For header is added to the verification request identifying where the pingback actually came from, making WordPress+Akismet a less attractive choice as a reflector by removing the anonymity.

Item #2, IMO, belongs in WordPress itself, not in a plugin, but I imagine this was a way to roll out the feature more quickly, at least to those sites using Akismet.

Update April 8: The X-Pingback-Forwarded-For header has been added to WordPress 3.8.2 and the upcoming 3.9.

Somebody Hears You

Every time I listen to Vienna Teng’s song, “The Hymn of Acxiom,” it gets creepier. It’s beautiful, it’s haunting…and it’s all about how big data is keeping track of every trace we leave, piecing together a more and more detailed picture of each of us in order to feed us back the perfect, tailored life, and isn’t that what we wanted?

Tracking. Privacy. Social media. Filter bubbles.

And I always think, “I need to post something about this on Facebook…”

And that just creeps me out more.