AMEX blasted for security flaw

Joe Damato checked the source of an AMEX sign-up page and then sniffed the traffic to see whether the form submitted his credit card information over an encrypted connection. He was not impressed.

So I filled out the form with fake information and sniffed the POST to the server.

The Daily Wish sign up form from the American Express Network is sending credit card numbers, expiration dates, and all the other personal information on the sign up form in the clear back to their server.

Big ooops. AMEX fixed the problem quickly.
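As an added example, not code from Damato's post or from American Express, here is a small Python check that does the static half of what he did by hand: parse a page's source, find each form, resolve its action against the page URL and flag any form that would carry card-like fields to a non-HTTPS endpoint. The sample page, its URLs and the list of sensitive field-name fragments are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that suggest card or other sensitive data (assumption:
# a short heuristic list; extend it for the forms you actually review).
SENSITIVE_FRAGMENTS = ("card", "ccnum", "cvv", "cvc", "expir", "exp_", "ssn", "password")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append(a.get("name") or a.get("id") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_cleartext_submissions(page_url, html):
    """Return forms that carry sensitive-looking fields to a non-HTTPS endpoint.

    A missing or relative action resolves against the page URL, so a form on an
    http:// page with action="" posts in the clear even though nothing in the
    markup says 'http'.
    """
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])
        sensitive = [f for f in form["fields"]
                     if any(frag in f.lower() for frag in SENSITIVE_FRAGMENTS)]
        if sensitive and urlsplit(target).scheme.lower() != "https":
            findings.append({"target": target, "method": form["method"],
                             "fields": sensitive})
    return findings


# Constructed sample page, not the real AMEX markup: an https:// page whose
# sign-up form posts to a plain http:// endpoint.
SAMPLE_PAGE_URL = "https://www.example.com/signup"
SAMPLE_HTML = """
<html><body>
<form action="http://www.example.com/cgi-bin/signup" method="post">
  <input name="first_name"> <input name="card_number">
  <input name="exp_month"> <input name="exp_year">
</form>
<form action="/search" method="get"><input name="q"></form>
<form action="https://secure.example.com/login" method="post">
  <input name="user"> <input name="password" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in find_cleartext_submissions(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("%s %s sends %s in the clear"
              % (f["method"].upper(), f["target"], ", ".join(f["fields"])))
```

This only covers the markup side. A form submitted by script, a redirect from https:// to http://, or a proxy in front of the server can still put the data on the wire unencrypted, which is why the second half of Damato's method, watching the actual POST with a packet capture or an intercepting proxy, is the check that settles it.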

An interesting twist to Damato’s blog post is the comment section, where many people rant about outsourcing and jobs instead of the actual issue. Outsourcing certainly brings its own security issues, but a coding mistake like this is not something you can blame on it; it happens in-house just as often as outside.

Damato’s post also reminds me of the conviction of a computer consultant in England in 2005. That consultant argued he was worried about the safety of his credit card details when he used a website that looked insecure. His story was not consistent, however, and a judge found him in violation of the Computer Misuse Act 1990.

The conviction of a computer consultant who gained unauthorised access to the Disaster Emergency Committee’s fundraising Web site has left security experts leafing through the magistrate’s decision to try and understand the full implication of the verdict.

On Thursday, Daniel Cuthbert, a computer security consultant from Whitechapel in London, was found guilty of breaching Section One of the Act on the afternoon of New Year’s Eve, 2004. He admitted attempting to access the Web site, which was collecting donations for victims of last year’s tsunami.

I doubt anyone would charge Damato in similar fashion, so times have apparently changed for the better; or at least Damato does not mince words about what he did and why. There is also a real difference between the two cases: Damato filled in the form with fake data and watched his own traffic leave his own machine, while Cuthbert was convicted for requests to a site he was not authorised to probe.

Digital Forensics and Search and Seizure

The Fourth Amendment site has posted an interesting result for a search and seizure suit, related to digital forensics.

United States v. Stewart, 2010 U.S. Dist. LEXIS 50876 (E.D. Mich. May 24, 2010)

A laptop searched at the border turned up illegal data. A second laptop had no power and no adapter so it was instead seized and taken away to a lab where further investigation could be performed. This provoked a lawsuit claiming Fourth Amendment rights were violated.

The US District Court just ruled that law enforcement needs to show “a particularized and objective basis for suspicion” to be allowed to move data/devices to forensic labs.

If you see something, think twice about saying something

Bruce has quoted a poem in his blog post for today:

If you see something,
Say something.
If you say something,
Mean something.
If you mean something,
You may have to prove something.
If you can’t prove something,
You may regret saying something.

I think the best lines are actually

If you shoot something,
Eat something.
If you eat something,
Floss something.

Bruce brings forward a story about a man who has been accused of the equivalent of crying wolf. This is only slightly removed from yelling fire in a crowded theater. Apparently this man left a bag full of papers and then tried to call in a bomb threat.

My favorite lines are good security references too, but have little to do with the particular philosophical example of fraud and risk to the public.

Bruce often says if you ask amateurs to help with security work then expect amateur results. I think his post today is meant to support this.

I disagree for several reasons. One, intelligence functions best with a network of inputs rather than in isolation. There is always chatter and noise, but go for too much squelch and you lose vital signal. Two, experts all were once amateurs. Why not embrace and provide the opportunity? Three, the definition of expert is rarely accurate, especially with rapidly changing technology — kids can become more “expert” than even “trained” professionals — so who decides? Etc.

This takes me back to the customized billboards I created some time ago.

50% reCaptcha Failure

Ever wonder why you are offered two separate words in the reCaptcha box? They call it a “free anti-bot service that helps digitize books”. What they really mean to say is that if you type in two words, one of the words will help you and the other word will help them.

The security implication is that only one of the two words is the real anti-bot test. The other word is there to help them fix OCR errors in their digitized book images.

reCAPTCHA improves the process of digitizing books by sending words that cannot be read by computers to the Web in the form of CAPTCHAs for humans to decipher. More specifically, each word that cannot be read correctly by OCR is placed on an image and used as a CAPTCHA. This is possible because most OCR programs alert you when a word cannot be read correctly.

One word they already know, and the other word they are trying to decipher. If you type in two random words, you fail their test. If you type one word correctly and put anything at all in the other, you pass whenever the word you got right happens to be the control word, which is half the time if you cannot tell which is which, and every time you pass, your garbage goes into their database as a reading of the unknown word. (The service can compare answers from several users before it adopts a reading, so a single bogus answer is not necessarily accepted; it takes enough agreeing bogus answers.)
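To make the mechanism concrete, here is an added example, my own model rather than reCAPTCHA’s code: a service that issues two-word challenges, grades only the control word, and records the other answer as a vote toward the unknown word’s transcription, adopting a reading once a fixed number of users agree. The words, the unknown-word identifier, the agreement threshold and the three user strategies are assumptions made for the simulation.

```python
import random
from collections import Counter

# Constructed example words: the service knows the control answer; it never sees
# UNKNOWN_TRUE, which is what a human actually reads off the second image.
CONTROL = "street"
UNKNOWN_ID = "scan-0173-p42-w7"   # hypothetical identifier for one book-scan word
UNKNOWN_TRUE = "tsunami"


class TwoWordCaptcha:
    """Model of a two-word challenge: one control word with a known answer and
    one word OCR could not read, whose transcription is crowdsourced."""

    def __init__(self, agreement_threshold=3, seed=0):
        self.rng = random.Random(seed)
        self.threshold = agreement_threshold   # assumption: readings agree N times
        self.pending = {}    # challenge id -> (control answer, unknown id, control slot)
        self.votes = {}      # unknown id -> Counter of readings from passing users
        self.accepted = {}   # unknown id -> reading adopted once enough users agree
        self._next_id = 0

    def issue(self, control_answer, unknown_id, unknown_image_text):
        """Return (challenge id, the two words as the user sees them).
        The control slot is chosen at random and never revealed to the user."""
        slot = self.rng.randrange(2)
        shown = [None, None]
        shown[slot] = control_answer
        shown[1 - slot] = unknown_image_text
        cid = self._next_id
        self._next_id += 1
        self.pending[cid] = (control_answer, unknown_id, slot)
        return cid, shown

    def verify(self, cid, answers):
        """Pass or fail depends only on the control slot; the other answer is
        recorded as a vote for the unknown word's transcription."""
        if cid not in self.pending:
            return False                      # replayed or forged challenge id
        control_answer, unknown_id, slot = self.pending.pop(cid)
        if answers[slot].strip().lower() != control_answer.lower():
            return False                      # bot, or a human who guessed the wrong slot
        reading = answers[1 - slot].strip().lower()
        tally = self.votes.setdefault(unknown_id, Counter())
        tally[reading] += 1
        if tally[reading] >= self.threshold and unknown_id not in self.accepted:
            self.accepted[unknown_id] = reading
        return True


def simulate(strategy, trials, seed=1, junk="xyzzy"):
    """Run `trials` challenges with one user strategy; return (pass rate, service)."""
    svc = TwoWordCaptcha(seed=seed)
    user = random.Random(seed + 1)
    passed = 0
    for _ in range(trials):
        cid, shown = svc.issue(CONTROL, UNKNOWN_ID, UNKNOWN_TRUE)
        if strategy == "honest":                 # type both words correctly
            answers = list(shown)
        elif strategy == "one_random_word":      # type one word, junk in the other
            keep = user.randrange(2)
            answers = [shown[i] if i == keep else junk for i in range(2)]
        elif strategy == "two_random_words":     # junk in both
            answers = [junk, junk]
        else:
            raise ValueError(strategy)
        if svc.verify(cid, answers):
            passed += 1
    return passed / trials, svc


if __name__ == "__main__":
    for strategy in ("honest", "one_random_word", "two_random_words"):
        rate, svc = simulate(strategy, 2000)
        print("%-17s pass rate %.2f, adopted reading: %s"
              % (strategy, rate, svc.accepted.get(UNKNOWN_ID)))
```

Run it and the honest user passes every time, two junk words never pass, and one correct word plus junk passes about half the time. Because every pass in that last case records the junk, the junk becomes the adopted reading for the unknown word. In a real deployment honest transcriptions from other users compete with the junk in the same tally, so one person feeding bogus answers is unlikely to win the vote; poisoning a word takes enough agreeing bogus answers to outnumber the honest ones.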

Many years ago as a graduate student I worked on a Xerox implementation for the blind. Fellow blind students would scan books and then give me the output files to correct and verify. I built simple scripts with WordPerfect to look for the number 5, for example, and substitute for the letter s. It was not terribly sophisticated (I am no linguist) but it was enough to save me the trouble of reading every word of every page.

The reCaptcha effort seems to be headed in the same direction but using human labor as the solution instead of algorithms. Although I can see why they find this attractive, it raises a question of trust. It also raises the question of whether you want to bother putting in two words or gambling with just one. Try it and see.