Tuesday, 10 February 2015

TMP makes it time to re-revisit the topic of password security...

In the light of a recent rather embarrassing disclosure about password security on TMP, it's time for another heads up/reminder about password security.

In this particular incident, sponsors' passwords are visible in the URL they use to access their stats. Moreover, those URLs have leaked onto Google, complete with password. And the powers that be at TMP seem remarkably unbothered about this.
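A URL is copied into places its author never thinks about: web server access logs, proxy logs, browser history, Referer headers and, as happened here, search engine indexes. The quickest way to find out whether your own site has this problem is to scan its access logs for query parameters that should never carry a secret. The script below is an added example written for this post, not code from TMP or from the original article; the log lines are constructed in Combined Log Format with invented hosts, paths and values, and the list of sensitive parameter names is an assumption you would extend for your own application.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-string keys that should never carry a secret: a URL ends up in server
# logs, proxy logs, browser history, Referer headers and search engines.
# This list is an assumption for the example; extend it for your own site.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token", "apikey",
                  "api_key", "secret"}

# Constructed sample lines in Combined Log Format; the hosts, paths and
# values are invented for this example, not taken from TMP or any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2015:09:12:01 +0000] "GET /sponsor/stats?user=alice&password=hunter2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Feb/2015:09:12:05 +0000] "GET /sponsor/stats?user=bob HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Feb/2015:09:13:44 +0000] "GET /api/report?apikey=AKIAEXAMPLEKEY&format=csv HTTP/1.1" 200 880 "http://example.test/" "curl/7.40"
198.51.100.3 - - [10/Feb/2015:09:14:10 +0000] "POST /login HTTP/1.1" 200 220 "-" "Mozilla/5.0"
"""

# Enough of the Combined Log Format to pull out who asked for what, and when.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def redact(value):
    """Keep the first two characters so an analyst can confirm the match
    without the finding itself becoming another copy of the secret."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def find_credentials_in_urls(log_text):
    """Return one finding per sensitive query parameter seen in the log."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not an access-log line; skip rather than guess
        target = urlsplit(match.group("target"))
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            if key.lower() in SENSITIVE_KEYS:
                findings.append({
                    "ip": match.group("ip"),
                    "timestamp": match.group("ts"),
                    "method": match.group("method"),
                    "path": target.path,
                    "param": key,
                    "value_redacted": redact(value),
                })
    return findings


if __name__ == "__main__":
    for finding in find_credentials_in_urls(SAMPLE_LOG):
        print(finding)
```

Two of the four constructed lines produce a finding: the sponsor stats request carrying a password, and the API call carrying a key. The fix on the application side is the same in both cases: credentials travel in a POST body or a session cookie over HTTPS, never in the query string, and any logs that already contain them are treated as a leak.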

Let's take a step back to a topic we discussed last year when some Kickstarter passwords leaked, and revisit the question of how passwords work, and all the security risks involved, step by step. Be warned, though, by the time I've finished I should have turned you into a paranoid wreck.

You type in your password.

There's a whole PILE of risks right here. Is your machine (is it your machine?) infected with a virus or trojan that's logging your keystrokes? Given a badly-designed web forum (say), I can install a keylogger in your browser by simply having you read a carefully crafted forum post.

Are you being watched (physically 'shoulder surfed')...?

Your password is sent to the server.

And the first question here is 'is it?'

Do you trust the wifi access point you just connected to? Really? Give me a morning, and I can knock together a very nice, convincing-looking access point which returns the WRONG answer to (say) 'where is Paypal' and presents you with a fake Paypal login page and grabs your password, then says 'sorry, login denied'.

And even if it is the right server, it's not immune to being 'sniffed' - if the server isn't talking HTTPS (the secure, encrypted way for you to talk to a web server - check for the padlock icon) then the channel between you and the server is NOT encrypted, and you're fair game to anyone who happens to have the ability to snoop... Give me that same morning, and I can build an access point that routes all the unencrypted traffic it receives through a proxy that looks for user credentials and takes a copy without you ever knowing (really, do you trust ALL the access points in the shopping mall, or airport?). Or I could probably wave a few Bitcoins somewhere on the Dark Web and get a device mailed to me that already does that.

(Oh, and just because the site responds to HTTPS doesn't mean it's safe: if you click on the little padlock icon, it'll tell you which organisation the security certificate is registered to. If it doesn't match the organisation you believe you're connecting to, or it has expired, something's amiss. Either that or someone's being appallingly sloppy with their security certificates.)

The server checks if you have the right password.

Now, as we discussed before, the way this is supposed to work is that your password is stored with a one-way encryption (a cryptographic hash), i.e. one where creating the encrypted password is easy, but recovering the original text is prohibitively difficult. All the server has to do is encrypt the password you supply and see if it matches the stored encrypted one; it never has to, and never SHOULD, store the unencrypted one. (Unless, of course, it's being malicious.)

Of course, if you're lazy, ignorant, or bad, you don't bother encrypting the password, and store it in plain text. (One easy way to tell? Tell the site you forgot your password: does it ask you to enter a new one, or send you the old one? If it's the latter, this is not good. Equally, does it do anything else (TMP, I'm looking at you) that indicates it knows your password?)
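Here is the difference between the two kinds of storage in working code, as an added example for this post (not code from TMP or from the original article). It uses Python's standard library PBKDF2 with a random per-user salt and a constant-time comparison; the iteration count is an assumption you would tune for your own hardware. The last function shows why the "forgot my password" test in the paragraph above works: with a hashed record there is simply nothing the site could mail back.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2 work factor; an assumption for this example, tune it for your hardware.
ITERATIONS = 100_000


def store_plaintext(password):
    """The 'lazy, ignorant or bad' version: the stored record *is* the password."""
    return {"password": password}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """The proper version: a salted, slow, one-way hash. The record lets the
    server re-run the computation on a login attempt, but not recover the
    password from it."""
    if salt is None:
        salt = os.urandom(16)  # per-user salt: same password, different hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "algorithm": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(digest).decode("ascii"),
    }


def verify_password(record, candidate):
    """Hash what the user typed with the stored salt and compare in constant
    time, so a mismatch takes as long as a match."""
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["hash"])
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(expected, actual)


def recoverable_password(record):
    """What a 'forgot my password' handler could mail back to the user.
    With a hashed record there is nothing to send, which is the point."""
    return record.get("password")


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed value
    print(record)
    print("login ok:", verify_password(record, "correct horse battery staple"))
    print("recoverable:", recoverable_password(record))
```

The salt is what stops two users with the same password from producing the same stored hash, and the slow hash is what makes guessing expensive if the database does leak.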

Why is this a risk?

If it's sniffable, or Googleable? You're at risk, obviously. If you're sloppy, and reuse passwords on other sites, you're doubly at risk. The defence 'but it's hard to find and/or not very important' isn't a good one either. This is 'security through obscurity', which is no defence at all once you've breached the obscurity!

To my mind, this indicates a lack of understanding of some key concepts in security, that or a dangerous level of arrogance. If I found a risk like this in my day job, I'd be looking even harder for other issues. If I as a security professional would, you can bet your bottom dollar there's some hacker out there having a good poke around TMP right now, in the hope of finding a backdoor into a database full of unencrypted passwords.

Passwords are gold. Passwords and the email addresses they belong to are better than gold, because people are generally lazy and sloppy about password reuse.

Do you even know you're accessing the site?

You're probably all looking a little blank here, but: suppose that it's possible for you to perform an action on your target site by sending it an appropriately crafted URL without any other human interaction - let's say for the sake of argument, you can award a customer a gift voucher (this is appallingly bad development practice, BTW - don't do it!). I send you an email, containing a handcrafted URL that I know awards me a gift voucher, as an image link.

The web browser in your mail client (c'mon, how do you think your mail client displays HTML mail?) tries to fetch the image. Obviously, the reply it gets back won't be an image, so you'll see the broken image icon. But you will still have accessed the URL, and hey presto, I just got a gift voucher and it looks like you legitimately gave it to me.
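What the post describes is cross-site request forgery. The simulation below is an added example, not code from the original article or from any real site: the "award a voucher" handler, session and vouchers list are all invented, and a mail client's image fetch is modelled as a GET request that carries the victim's session cookie but nothing else. The vulnerable handler acts on that request; the hardened one refuses GET for anything that changes state and additionally demands a per-session CSRF token that only the site's own form can supply.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# A crafted image URL of the kind the post describes (constructed value).
CRAFTED_IMAGE_URL = "http://shop.example/award?customer=attacker&amount=50"


def issue_csrf_token(session):
    """Mint a per-session secret and embed it in the legitimate form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def vulnerable_award(method, params, session, vouchers):
    """The handler the post describes: any request with a logged-in session
    awards a voucher, including a GET triggered by an <img src=...>."""
    if not session.get("logged_in"):
        return 401
    vouchers.append((params["customer"], int(params["amount"])))
    return 200


def hardened_award(method, params, session, vouchers):
    """Refuse GET outright, and demand a CSRF token only the real form has."""
    if method != "POST":
        return 405  # state changes never ride on GET
    if not session.get("logged_in"):
        return 401
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403  # the mail client's fetch cannot know this value
    vouchers.append((params["customer"], int(params["amount"])))
    return 200


def simulate_image_link(handler, url):
    """A mail client fetching an image URL with the victim's session cookie
    attached: GET, no form fields, whatever query string the sender chose."""
    session = {"logged_in": True}
    issue_csrf_token(session)  # the victim has a token; the email sender does not
    vouchers = []
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    status = handler("GET", query, session, vouchers)
    return status, vouchers


def simulate_real_form(handler):
    """The legitimate path: a POST from the site's own form carrying the token."""
    session = {"logged_in": True}
    token = issue_csrf_token(session)
    vouchers = []
    form = {"customer": "alice", "amount": "10", "csrf_token": token}
    status = handler("POST", form, session, vouchers)
    return status, vouchers


if __name__ == "__main__":
    print("vulnerable, image link:", simulate_image_link(vulnerable_award, CRAFTED_IMAGE_URL))
    print("hardened,   image link:", simulate_image_link(hardened_award, CRAFTED_IMAGE_URL))
    print("hardened,   real form: ", simulate_real_form(hardened_award))
```

The two defences are independent: refusing GET stops the image-link trick on its own, and the token stops a forged POST submitted from a page the attacker controls. Modern browsers add a third layer by defaulting cookies to SameSite=Lax, but a server should not rely on the client for this.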

Scared yet?

Change your password. Use a password manager. Don't use the same or related passwords on different sites. Don't blindly trust unknown web access points. Don't trust sites that are flippant or dismissive about security issues.

Also, don't insert USB sticks you pick up in the car park or receive via unsolicited mail to find out who owns them or where they came from. But that's another story.

Disclaimer: just in case it's not obvious? I am an IT security professional: part of my job involves looking for places where my colleagues have, accidentally or through omission or laziness, released security risks into our code. In my job, the bad guys only have to win once: I have to win every time. 

I do not use or condone any of the above techniques, except where used as penetration test tools by the likes of me to validate the security of software with the author/owner's explicit consent. And the above techniques are all public knowledge - for crying out loud, most of them have their own Wikipedia pages! So please don't run screaming to accuse me of being a hacker, or enabling hackers.

7 comments:

  1. One of the fun things your fake access point can do is pretend to be an access point you've connected to in the past and set to "automatically connect" - http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html

    1. Which, briefly, happened at the weekend for non-malicious reasons :D I brought a spare AP to the convention I was at, actually to see if anyone wanted to buy it. It got used by the tech crew as an emergency router/AP for the mixer LAN (yes, really: that mixer has iPad and laptop remotes)... before I reset it, it announced itself as the home AP, and my son came up to me, puzzled, and said 'Dad... why has my phone just connected to the house WiFi?'. And there were probably 20 or 30 people there who have that AP in their 'auto connect' list.

  2. Very good post, Mike. Thank you for taking the time to explain it so thoroughly. Changing passwords is a lot easier than recovering from identity theft.

  3. I changed my password protocols a little while ago and have a different one now for every site I visit. Still not sure if I'm secure enough.

  4. A side note worth mentioning: this is why it's a good idea not to have a hidden SSID (i.e. non-broadcasting) on your wireless network. If the base station doesn't broadcast "My Home Net", each client has to send out queries ("does anyone have My Home Net"), which it'll do wherever it is - and a bad actor with suitable hardware can respond "sure", accept whatever password it's given, and it's all downhill from there.

    And a USB stick can present as a USB hub, so not only does it contain a malicious keyboard, it has a new network adaptor. Yay.

  5. Ugh, the more I read about TMP on gaming blogs, the more and more I see it as a horrible place to go. I'm off to see if I can delete the account I have there (one I made, just so I could go on and report a post, not that it made any difference).
    Also, great informative post. I know I can be pretty lax with passwords.

  6. Are the password sites good and how do they work with multiple verification sites like banks? Also, what do you use for backups - hard drives or cloud or both?
