Tagged: security

How I Almost Fell for the “Google Docs” Phishing Scam

Less than an hour ago, I received an email saying that a former student has invited me to view a Google Docs document. I hovered over the link and saw that the URL was one at Google, beginning with https://accounts.google.com/o/oauth2/auth.

I followed the link and went to a Google login page. My Google accounts were listed there. But a suspicious feeling gave me pause, and I closed the “Google accounts” window.

Some moments ago, I learned that this wasn’t an ordinary phishing attempt. It is one of the more clever phishing attempts in recent memory.

  1. You get an email from a known contact.
  2. The “Open in Docs” link is to a google.com domain.
  3. You are taken to a Google accounts page, where you grant access to the fake “Google Docs” app.

The scam is “well designed” in that it doesn’t try to steal your credentials—username and password—but instead gets you to grant the scammers complete access to your Google account. Even a strong unique password and two-step authentication won’t protect you.

I alerted a few colleagues earlier today, and as I did so, I felt like I was forwarding some chain mail–type warning that would have circulated twenty-odd years ago.

It’s Time to Get Rid of “Security” Questions

Since 2009 or so, I’ve been using and preaching about using a password manager to generate and track all of your usernames and passwords. Until some other system comes along, the only way to safeguard your user accounts is to use a complex and unique password for every one of your accounts. If hackers steal a site’s user database and can decipher your credentials for that site, they can use those credentials to log in to other sites where you use the same password. But with a password manager, it’s easy to create strong and unique passwords for each site. And should hackers ever breach a site you use, you only need to change the password for that site because all your other accounts use a different password.

Yahoo Hacked… Again

Yesterday, Yahoo revealed that in 2013 hackers stole user information for about one billion Yahoo accounts. By the way, this is a separate theft from the one the company disclosed earlier this year, where thieves stole information from 500 million users in 2014.

The stolen user information includes (emphases are mine):

  • names
  • email addresses
  • telephone numbers
  • dates of birth
  • hashed passwords
  • security questions and answers

Ordinarily, I would just change my password for any Yahoo account I have. The password manager would generate and store a new unique and complex password, and it would alert me if I had other accounts on Yahoo that needed the same treatment. It turns out I have two Yahoo accounts, although I haven’t used one of them since 2008 or so.

Because so many people use the same password for multiple sites, it’s fairly common for sites that store usernames and passwords to hash the passwords (a one-way transformation that can be checked but not reversed) so that thieves can’t read them and use them to log in to your accounts. Apparently, Yahoo has done this but used a hashing technique that is cryptographically broken.

“Security” Questions Aren’t Secure

However, what seems even more troubling to me is that Yahoo might not have hashed the security questions and answers that act as workarounds to access your account when you forget your password. These “security questions” are a very primitive way of verifying a user. Twenty or so years ago, when you phoned your bank, they would verify your identity using your mother’s maiden name or your date of birth. But today that seems quaint because it’s not really secure: a close friend or relative easily knows that information.

Nonetheless, many websites have used similar security questions to “safeguard” your account:

  • where were you born?
  • what is the name of your favorite teacher?
  • what is the make of your first car?
  • what is your high school’s mascot?
  • what was the name of the first street you lived on?
  • what was your first job?

With a little detective work, someone can learn all these bits of “secure” information about you.1 As a way to strengthen this system, I use fake answers for these security questions: some are random bits of text or some are just random names. I record these in a password manager.

However, since Yahoo didn’t appear to hash those security questions and answers, instead storing them as plain text, these could be used to reset your passwords on your accounts.
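The two storage failures above (passwords under a broken hash, security answers in plain text) have the same fix, so here is one added example, written for this page and not taken from Yahoo or from the post, showing how both kinds of secret should be stored and checked. It uses Python’s standard-library scrypt with a random per-record salt; the cost parameters are assumed values for illustration. The plain unsalted MD5 appears only as a stand-in for “a broken hashing technique”; the post does not say which algorithm Yahoo used. Security answers are normalised (case and spacing) before hashing, since users type them inconsistently, and random_answer generates the kind of throwaway answer the post recommends keeping in a password manager.

```python
import hashlib
import hmac
import secrets
import unicodedata

# scrypt cost parameters. Assumed values for this example; tune to your
# hardware so one hash takes tens of milliseconds.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def hash_secret(secret: str) -> str:
    """Hash a password or answer with a fresh random salt.
    Stored form: 'scrypt$<salt-hex>$<digest-hex>'."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def broken_hash(secret: str) -> str:
    """What NOT to do: fast, unsalted. Every user with the same password
    gets the same digest, so one precomputed table answers for all of them.
    MD5 is used here only as an illustrative weak scheme."""
    return hashlib.md5(secret.encode("utf-8")).hexdigest()


def normalize_answer(answer: str) -> str:
    """Canonicalise a security answer: Unicode NFKC, case-folded,
    runs of whitespace collapsed. Passwords are never normalised."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def store_security_answer(answer: str) -> str:
    return hash_secret(normalize_answer(answer))


def verify_security_answer(answer: str, stored: str) -> bool:
    return verify_secret(normalize_answer(answer), stored)


def random_answer(nbytes: int = 12) -> str:
    """A random 'answer' to record in a password manager instead of a real
    fact about yourself (16 URL-safe characters for the default size)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    record = store_security_answer("Fluffy")
    print(record)
    print(verify_security_answer("  fluffy ", record))   # True
    print(broken_hash("fluffy") == broken_hash("fluffy"))  # True: the weakness
    print(random_answer())
```

The point of the salt shows up in the last check: two users who both answer “Fluffy” get different scrypt records, but identical MD5 digests.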

Time for Two-Factor Security

If I learned something from this breach, it’s that the time has come to get rid of security questions and instead force users to use two-factor authentication.2 This requires you to enter your password and a temporary code that is either generated by an app on your mobile device or sent to you by text message.3 This provides a small safeguard because if hackers learn your credentials, they still need a code to access your account.

It’s certainly more secure than the name of your childhood pet.
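The “temporary code generated by an app on your mobile device” is, in practice, a time-based one-time password (TOTP, RFC 6238, built on HOTP from RFC 4226). The following added example, written for this page rather than taken from the post or any vendor, implements it with the standard library and shows the two checks a server needs beyond “does the code match”: tolerating a step of clock drift, and refusing a code whose time step has already been used, so a code captured by a phisher cannot be replayed. The secret, step size and digit count are the RFC defaults; the verification window is an assumed value.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6     # code length


def generate_secret() -> str:
    """Fresh 160-bit shared secret, base32 for QR codes / manual entry."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from the current time."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // step)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                step: int = STEP, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Return the accepted time-step counter, or None if rejected.
    window: steps either side of 'now' to accept (clock drift; assumed 1).
    last_counter: highest counter already consumed for this user; anything
    at or below it is refused so a captured code cannot be replayed.
    The caller persists the returned counter as the new last_counter."""
    if at is None:
        at = int(time.time())
    code = code.strip()
    current = at // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            return counter
    return None


if __name__ == "__main__":
    s = generate_secret()
    print("secret:", s, "code now:", totp(s))
```

The test values below are the RFC 4226 / RFC 6238 reference vectors for the ASCII secret “12345678901234567890”, which is base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ.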


  1. Some sites force you to choose from a list of answers. For example, United Mileage Plus asks “What is Your Favorite Sea Animal?” and offers about forty choices. United chose this method because it would prevent a hacker from logging your keystrokes and users from revealing their password in a security question. Some users need to be saved from themselves. 
  2. Last year, Google found that security questions weren’t actually secure and encouraged users to use a second factor to authenticate. They are phasing them out. 
  3. Once you activate two-factor on your Apple account, you no longer authenticate with security questions. Good riddance! 

OS X-Files

http://www.hulu.com/watch/904855

I have been slowly catching up with the tenth season of the X-Files, otherwise known as the thing that Fox needed to air after the NFC Championship Game wrapped up in late January.

The fifth and penultimate episode of the tenth season, “Babylon”, bears an uncanny resemblance to the recent events in San Bernardino and the aftermath of gathering information from one of the terrorists. In the episode, a couple of young Muslim men detonate a bomb in an art gallery in Texas that is exhibiting a painting depicting Allah “sitting on a toilet defecating radical Islamists.” One of the suicide bombers barely survives the attack. The FBI wants to know whether he has any information about a larger terrorist cell or a possible future attack, but because he is in a persistent vegetative state and imminently close to death, he is not talking. To gather any possibly useful intel, Mulder and Scully each separately try to “listen” to his thoughts.

This reminded me of the FBI and Apple.

I’ll admit that it’s a bit of a stretch to relate this to the protracted battle between the FBI and Apple. In both the real-life and the X-Files cases, the FBI is seeking information from a “dead” terrorist. The real FBI is asking Apple to defeat its own security protocols to unlock his phone, while the TV FBI tries two different methods to read the bomber’s mind. To no one’s surprise, Mulder’s method seemed a lot more fun than Scully’s: we see a few familiar faces during “El Viaje Misterioso de Nuestro Mulder.”

I won’t spoil how they try to get the information or whether they succeed, but I wonder what kind of software the FBI can compel someone to write to read someone’s thoughts. Is that covered under the “All Writs Act,” too?

A Simple Software File

Yesterday, a court in California ordered Apple to assist the FBI with bypassing the iPhone’s encryption and security features to recover the data stored on an iPhone 5c used by one of the San Bernardino gunmen. The court order requires Apple to write and install a special software file.

This software file, which one astute observer labelled as FBiOS, would enable the FBI to…

  • bypass the auto-erase (“poison pill”) feature that kicks in after ten incorrect password attempts;
  • enter a series of passcodes electronically, without doing so by hand on the iPhone touchscreen;
  • eliminate the delay that the iPhone introduces after more than four incorrect attempts.
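To see what the three items in that list are up against, here is an added model of the passcode protection the order asks Apple to remove; it is written for this page and is not Apple’s code. The attempt limit (ten) and the point at which delays begin (after four) come from the list above; the actual delay durations are assumed values, since the post only says a delay exists. On a real iPhone the passcode is never stored for comparison but mixed into the device key, so treat the string comparison as a placeholder for that check.

```python
import hmac
from dataclasses import dataclass

MAX_ATTEMPTS = 10     # from the post: auto-erase after ten incorrect attempts
FREE_ATTEMPTS = 4     # from the post: delays begin after more than four
# Escalating delays (seconds) for the 5th, 6th, ... wrong attempt.
# Assumed values for this model; the post does not give the schedule.
DELAY_SCHEDULE = [60, 300, 900, 3600, 3600]


@dataclass
class PasscodeGuard:
    """Counter-plus-delay-plus-wipe policy. 'now' is passed in explicitly so
    the policy can be exercised without waiting for real time to pass."""
    passcode: str
    failures: int = 0
    wiped: bool = False
    locked_until: float = 0.0

    def required_delay(self) -> int:
        """Delay imposed after the most recent failure."""
        if self.failures <= FREE_ATTEMPTS:
            return 0
        idx = min(self.failures - FREE_ATTEMPTS - 1, len(DELAY_SCHEDULE) - 1)
        return DELAY_SCHEDULE[idx]

    def remaining_attempts(self) -> int:
        return 0 if self.wiped else MAX_ATTEMPTS - self.failures

    def attempt(self, guess: str, now: float) -> str:
        """Returns 'wiped', 'locked', 'ok' or 'wrong'."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"          # even a correct guess must wait
        if hmac.compare_digest(guess, self.passcode):
            self.failures = 0
            self.locked_until = 0.0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.wiped = True        # "poison pill": data is gone for good
            self.passcode = ""
            return "wiped"
        self.locked_until = now + self.required_delay()
        return "wrong"


def simulate(guesses, passcode: str = "1234", start: float = 0.0):
    """Feed guesses as fast as the policy allows; return the result of each."""
    guard = PasscodeGuard(passcode)
    now, results = start, []
    for g in guesses:
        results.append(guard.attempt(g, now))
        now = max(now, guard.locked_until)   # wait out the imposed delay
    return results


if __name__ == "__main__":
    print(simulate(["0000"] * 10 + ["1234"]))
```

Removing the delay and the wipe together is what turns a four-digit passcode from “ten guesses, ever” into a search the FBI could finish with the electronic entry the order also asks for.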

Apple vigorously opposes the order and has vowed to challenge it.


Evidently, there is a fix to Error 53 that angered the world this month. iFixit has learned that replacing the display on a newer iPhone requires that both the Touch ID sensor and the cable joining the sensor to the display panel be paired. Before, the best practice for replacing a broken display screen was to replace the whole display assembly, including the cable that connects to the Home Button (which is now the Touch ID sensor). When a new display assembly is installed, the new cable attached to the Touch ID sensor will not match, thus bricking the iPhone. Apple does this to prevent a fake Touch ID sensor from allowing unauthorized access to an iPhone.

iFixit’s solution to fixing “Error 53” is to remove the old Touch ID cable from the old display and transplant it to the replacement display assembly.

Did you catch that?

After showing us how simple it is to regain access to your iPhone by matching the Touch ID sensor to its cable, the iFixers insist that Apple needs to hear our voices and to write a “simple software tool”:

The request is simple. What we need is a software tool that allows you to re-authenticate your…new Touch ID cable and the Touch ID sensor with the Phone. If they make that simple software tool available, it will un-brick these thousands of phones…

Presumably, iFixit’s request for Apple to write a software tool to bypass security will have to wait until Apple finishes dealing with the FBI’s request for Apple to write a software tool to bypass security.

Update: Apple has in fact released iOS 9.2.1 that fixes “Error 53,” though Touch ID will remain inoperable unless repaired by an authorized Apple service provider.

iPhone “Error 53,” or Security > Convenience

In information technology, there’s almost always a tradeoff between security and convenience. The more convenient something is to use, the less secure it is. If convenience were all that mattered, you could leave your front door unlocked, leave your car running, and have 123456 be your password for everything. However, as you know, that is far from secure. You need to lock your front door, you need to turn off the ignition, and you need to have unique, strong passwords for each of your online accounts. This inconvenience yields some measure of security.

The Guardian reported last week about a “fury” from iPhone users against Apple for bricking iPhones that have had their screens replaced by an unauthorized, third-party repair outfit, which inadvertently tampered with the Touch ID sensors during the repair process. Thereafter, the phones stopped working altogether.

The Device Shop on Mercer St, New York City

If I were to open a repair shop, such as this one, I would call it “Error 53.”

According to various users quoted in the article, an iPhone 6 or later will report an “Error 53” and not function if a third-party repair person has replaced the screen or the home button and if the user has upgraded the phone’s operating system to iOS 9. The issue is prevalent enough that iFixit reports over 180,000 queries to their user forums about “Error 53.” The maligned users and Miles Brignall, the Guardian author who reported on the “fury,” all but accuse Apple of bricking these repaired iPhones in order to force users to only repair their phones through Apple or to buy a new replacement.

Could Apple’s move, which appears to be designed to squeeze out independent repairers, contravene competition rules? Car manufacturers, for example, are not allowed to insist that buyers only get their car serviced by them. Apple charges £236 for a repair to the home button on an iPhone 6 in the UK, while an independent repairer would demand a fraction of that.

Pointing to an economic motive is all too simplistic. Although Apple is certainly concerned with being profitable, these accusations always surface when Apple does something to “brick” someone’s computing device or peripheral. It happened when Apple…

  • replaced the serial port with USB and rendered a lot of printers obsolete,
  • eliminated the floppy disk drive in favor of optical drives on the iMac,
  • replaced SCSI with FireWire,
  • eliminated swappable batteries in their notebooks,
  • and, most recently, replaced the 30-pin connector with Lightning.

And when these changes occurred, critics accused Apple of doing so in order to sell expensive adapters.

Instead, these are moves destined to improve the product and the experience. USB and FireWire were far superior to the serial port, ADB, and SCSI, as Lightning has been over the previous 2001-era iPod connector. Similarly, the only reason anyone ever needed a swappable notebook battery was to work longer than two hours, and the built-in batteries in the newer notebooks far exceed that runtime, making toting those bulky batteries obsolete.

In this case, “Error 53” is there to protect the security of the device. An Apple spokeswoman, quoted in the article, says as much:

We protect fingerprint data using a secure enclave, which is uniquely paired to the touch ID sensor. When iPhone is serviced by an authorised Apple service provider or Apple retail store for changes that affect the touch ID sensor, the pairing is re-validated. This check ensures the device and the iOS features related to touch ID remain secure. Without this unique pairing, a malicious touch ID sensor could be substituted, thereby gaining access to the secure enclave. When iOS detects that the pairing fails, touch ID, including Apple Pay, is disabled so the device remains secure.

Emphasis mine.

However, Brignall scoffs at this explanation, labelling it overloaded with “jargon.”

But, to any reasonably technologically competent person, this explanation is certainly sound. Apple’s own philosophy is that iPhone users store all kinds of private information on their devices, and that it is Apple’s responsibility to prioritize the security of that device, even at the expense of users going to the corner repair shop to fix a cracked screen.
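The pairing check described in the iFixit write-up and in Apple’s statement is easier to reason about with a model in front of you. The following is an added example written for this page; it is not Apple’s implementation, and the protocol (a pairing key provisioned into the sensor, checked by a challenge-response at boot) is an assumption about the general shape, not a description of the real one. It shows why a swapped sensor fails, why a counterfeit that copies the serial number also fails, why transplanting the original sensor (iFixit’s fix) keeps working, and the two outcomes the post describes: iOS 9 refusing to run (“Error 53”) versus iOS 9.2.1 booting with Touch ID disabled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class TouchIdSensor:
    """The sensor module in the home button. The pairing key is provisioned
    into it only when an authorised technician pairs it with the enclave."""
    serial: str
    pairing_key: Optional[bytes] = None

    def respond(self, nonce: bytes) -> bytes:
        if self.pairing_key is None:
            return b"\x00" * 32          # an unpaired part cannot answer
        return hmac.new(self.pairing_key, self.serial.encode() + nonce,
                        hashlib.sha256).digest()


class SecureEnclave:
    """Holds the pairing key and decides whether Touch ID may be enabled."""

    def __init__(self) -> None:
        self.paired_serial: Optional[str] = None
        self.paired_key: Optional[bytes] = None
        self.touch_id_enabled = False

    def pair(self, sensor: TouchIdSensor, authorised_technician: bool) -> None:
        """The 'simple software tool' iFixit asks for: issue a fresh key to
        the sensor and remember it. Gated on the authorised service flow."""
        if not authorised_technician:
            raise PermissionError("pairing requires the authorised service tool")
        key = secrets.token_bytes(32)
        sensor.pairing_key = key
        self.paired_serial = sensor.serial
        self.paired_key = key

    def validate(self, sensor: TouchIdSensor) -> bool:
        """Challenge-response at boot; a fresh nonce defeats replayed answers."""
        if self.paired_key is None or sensor.serial != self.paired_serial:
            self.touch_id_enabled = False
            return False
        nonce = secrets.token_bytes(16)
        expected = hmac.new(self.paired_key, sensor.serial.encode() + nonce,
                            hashlib.sha256).digest()
        self.touch_id_enabled = hmac.compare_digest(expected, sensor.respond(nonce))
        return self.touch_id_enabled


def boot_status(enclave: SecureEnclave, sensor: TouchIdSensor, ios_version) -> str:
    """The two behaviours from the post: before 9.2.1 the phone refuses to
    run at all ('Error 53'); from 9.2.1 it boots with Touch ID disabled."""
    if enclave.validate(sensor):
        return "touch_id_ok"
    return "error_53" if ios_version < (9, 2, 1) else "touch_id_disabled"


if __name__ == "__main__":
    enclave, original = SecureEnclave(), TouchIdSensor("SN-ORIG")
    enclave.pair(original, authorised_technician=True)
    print(boot_status(enclave, original, (9, 2, 1)))                  # touch_id_ok
    print(boot_status(enclave, TouchIdSensor("SN-NEW"), (9, 0)))       # error_53
```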

MyAmbulancePayments Website Needs an Ambulance

When I dislocated my pinkie finger nearly three years ago, I had a little taste of the American Healthcare System. It was gross. A teammate walked me from Central Park to the emergency room at Mount Sinai–St. Luke’s Hospital. There, the attending physician…

  • ordered a set of x-rays to determine whether my finger was broken. It was not.
  • yanked my finger back into place, which immediately straightened the digit and made it stop looking purple.
  • ordered another set of x-rays to make sure he didn’t break anything. He didn’t.
  • bandaged my cut.
  • administered an intravenous antibiotic to prevent any infection due to my open wound.
  • prescribed an oral antibiotic for even more protection against infection.

The bill for this treatment was over $6,000.

Once my health insurance reviewed the charges, the hospital immediately reduced the bill to about $2,500. (Imagine if I didn’t have healthcare insurance. Thanks, Obama!) The insurance covered most of it, and I was stuck with the co-pay and the deductible, which amounted to about $600. I eventually paid the bill over time through a hospital collection service’s website. I remember the website looking atrociously dated, but it was at least functional enough that I could save a few postage stamps and pay with my AMEX card.


Earlier today, I was helping a relative pay for an ambulance bill, and the website for paying the ambulance bill demonstrated to me that the hospital collection industry is due for an upstart competitor to enter this field. As of today, their website has four critical problems:

First, go to myambulancepayments.com/. Did you get a 404 error page? I did.

[Screenshot: ambo-01-404]

Silly me! I neglected to prepend www to the URL. I should do that because this website predates the convention of not requiring www to connect to a website. I think that has been standard practice since about 1998.

Second, there’s a warning from Safari that my connection to the website is not secure.

[Screenshot: ambo-02-safari1]

It appears that their SSL certificate expired a few days ago, on February 5, 2016. Did they forget to pay their certificate authority? Ironic, isn’t it?

[Screenshot: ambo-03-safari3]

I know what you’re thinking: “who uses Safari?” Perhaps I should fall in line and use Chrome.

[Screenshot: ambo-04-chrome]

Oh, my! That Chrome-generated error page looks even more alarmist than the Safari error page.
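An expired certificate is the kind of thing a site operator should be told about before the browser tells their customers. Here is an added example of the check, written for this page (it is not from the post or the site in question): it takes a certificate in the dictionary form Python’s ssl module returns, works out how many days remain, and classifies it as ok, expiring or expired against a warning threshold; a second function runs the same classification against a live host. The sample certificate dictionary is constructed, using only the expiry date the post reports; the 14-day warning threshold is an assumed value.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

WARN_DAYS = 14   # assumed: alert this many days before expiry

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); only the
# notAfter date (February 5, 2016, from the post) is meaningful here.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Feb  5 00:00:00 2015 GMT",
    "notAfter": "Feb  5 23:59:59 2016 GMT",
}


def cert_days_remaining(cert: dict, now: datetime) -> float:
    """Days until notAfter (negative once expired). 'now' must be tz-aware."""
    expires_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires_at - now).total_seconds() / 86400


def assess(cert: dict, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """'expired', 'expiring' (inside the warning window) or 'ok'."""
    days = cert_days_remaining(cert, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "expiring"
    return "ok"


def check_live(host: str, port: int = 443, timeout: float = 5.0,
               now: Optional[datetime] = None) -> str:
    """Connect with full verification and classify the served certificate.
    Needs network access, so it is not exercised by the offline checks.
    If verification fails we report why, since an expired cert is the
    case this post is about; any other failure is reported as 'invalid'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess(tls.getpeercert(), now or datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        return "expired" if "expired" in exc.verify_message else "invalid"


if __name__ == "__main__":
    when = datetime(2016, 2, 9, tzinfo=timezone.utc)   # "a few days" after expiry
    print(round(cert_days_remaining(SAMPLE_CERT, when), 1), assess(SAMPLE_CERT, when))
```

Run assess on a schedule (a cron job against check_live is enough) and the first warning arrives two weeks before the browser interstitial does.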

Third, though I’m advanced enough to recognize the risks and not enter any personal information, such as my name, address, or credit card information, I proceeded to the site.

But, wait… why am I here in the first place???

Fourth, in my Safari installation, which doesn’t have Flash installed and doesn’t load any such content, I noticed some missing Flash content and a plea to install it.

[Screenshot: ambo-05-safariflash]

Since Chrome still supports Flash, though maybe not for long, I see that the all-important Flash content is some propagandistic animation, reminding you that you should pay up because they saved your life.

[Screenshot: ambo-06-chromeflash]

At least, for the many, many people using a mobile device, none of which support Flash, they’ll be spared this visual reminder of the Hobson’s Choice that is the American Healthcare System:

Get in and pay up, or else…

Digital Estate Planning

At some point last night, someone tried to change the password on my Facebook account. My account has been deactivated since last August, but I learned about this intrusion attempt because I received a notification alerting me to that fact. By the way, it’s well-known that the easiest way to get into someone’s account—Facebook, email, and any other account—is to request a new password, provided you can access your target’s email or know the answer to a challenge question.

As far as I can tell, no one accessed my email or my Facebook account. Nonetheless, I went into my Facebook account to make sure no one did anything fishy. While going over my security settings, I saw that I can assign a trusted Facebook friend to take care of my account after I die, known as a legacy contact. For this bit of digital estate planning, I appointed my brother to act as an executor.

Facebook has a whole process in place to deal with someone’s death, including memorializing the account or permanently deleting it.

Come to think of it, dying might be the only way to ever fully delete your Facebook account. Logging in to my account was really easy, and everything was there just like I remembered it. Having a deactivated account for sixteen months didn’t erase any bit of my presence there.

An Online Magna Carta (or Bill of Rights)

Tim Berners-Lee, inventor of the World Wide Web, calls for a bill of rights for the web:

Berners-Lee has been an outspoken critic of the American and British spy agencies’ surveillance of citizens following the revelations by National Security Agency whistleblower Edward Snowden. In the light of what has emerged, he said, people were looking for an overhaul of how the security services were managed.

At the twenty-fifth anniversary of the World Wide Web, it’s going to be hard not to look back and regard Edward Snowden as instrumental a figure as Tim Berners-Lee, Vinton Cerf, and Robert Metcalfe.

(Via a student who pointed me in this direction through a Huffington Post article, which calls it a “Bill of Rights.” The original article from The Guardian (UK) refers to it as a “Magna Carta.” They translated it from English to English.)