I wrote a thing for the company blog:
Crash Handling
Seriously, though, displaying a stack trace to your users is poor form. It's the web site equivalent of the Windows "Blue Screen of Death", and it's also an information leak: a trace typically reveals file system paths, framework and library versions, and sometimes variable values or query parameters, all of which are useful to an attacker. However, stack traces are useful diagnostic tools for the developer or DevOps team, so they belong in the server-side log, never on the page.
Crashes frequently occur in unexpected circumstances: database down, disk full, disk not writeable, disk error, network failure, and so on. Even in the most trying of circumstances, try to log something useful somewhere (be aware that your normal logging procedure may be the very thing that's broken, so have a fallback), and show the user something less unfriendly, such as a redirect to a "maintenance" page or a server status blog. Keep your customers informed; don't just leave them hanging. Status blogs are good practice because it may be some time before your network, systems or DevOps teams have the problem diagnosed and resolved.
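Here is what that advice looks like in code. This is an added example written for this post, not code from the original blog entry or from any particular framework: a small WSGI wrapper that catches whatever the application lets escape, writes the full traceback to the server-side log (falling back to a second sink when the normal one fails, for instance because the disk is full), and sends the user a generic page with a reference number they can quote to support. The status page URL, header names and the failing app and log sink are constructed for the demonstration.

```python
import sys
import traceback
import uuid

# Request headers that commonly carry secrets; they are noted in the log as
# present but their values are never copied. The query string is dropped for
# the same reason (it may carry card numbers or tokens).
REDACTED_HEADERS = ("HTTP_AUTHORIZATION", "HTTP_COOKIE", "HTTP_X_API_KEY")


def format_record(incident_id, environ, exc_info):
    """Server-side log record: request context plus the full traceback."""
    lines = [
        f"incident={incident_id}",
        f"method={environ.get('REQUEST_METHOD')} path={environ.get('PATH_INFO')}",
        f"remote={environ.get('REMOTE_ADDR')}",
    ]
    for name in REDACTED_HEADERS:
        if name in environ:
            lines.append(f"{name}=<redacted>")
    header = "\n".join(lines) + "\n"
    return header + "".join(traceback.format_exception(*exc_info))


def error_page(incident_id, status_url):
    """What the user sees: no trace, just a reference and where to look for news."""
    return (
        "<!doctype html><title>Something went wrong</title>"
        "<h1>Sorry, something went wrong</h1>"
        f"<p>Reference: {incident_id}</p>"
        f'<p>See <a href="{status_url}">our status page</a> for updates.</p>'
    ).encode("utf-8")


class CrashHandler:
    """WSGI middleware that turns an unhandled exception into a 500 page."""

    def __init__(self, app, primary_sink, fallback_sink,
                 status_url="https://status.example.invalid/"):  # assumed URL
        self.app = app
        self.primary_sink = primary_sink    # e.g. a logging.Logger's .error
        self.fallback_sink = fallback_sink  # e.g. sys.stderr.write
        self.status_url = status_url
        self.last_sink = None

    def log_crash(self, incident_id, environ, exc_info):
        record = format_record(incident_id, environ, exc_info)
        try:
            self.primary_sink(record)
            return "primary"
        except Exception:
            # The usual logging path may be exactly what is broken (disk full,
            # log server unreachable), so try somewhere else before giving up.
            try:
                self.fallback_sink(record)
                return "fallback"
            except Exception:
                return "lost"  # never let a logging failure become a second crash

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            exc_info = sys.exc_info()
            incident_id = uuid.uuid4().hex[:12]
            self.last_sink = self.log_crash(incident_id, environ, exc_info)
            body = error_page(incident_id, self.status_url)
            start_response(
                "500 Internal Server Error",
                [("Content-Type", "text/html; charset=utf-8"),
                 ("Content-Length", str(len(body))),
                 ("Cache-Control", "no-store")],
                exc_info,
            )
            return [body]


def run_demo():
    """Constructed scenario: the app crashes and the primary log sink is broken."""
    def broken_app(environ, start_response):
        raise ZeroDivisionError("division by zero in order total")

    def full_disk(record):
        raise OSError(28, "No space left on device")

    fallback_records = []
    handler = CrashHandler(broken_app, full_disk, fallback_records.append)

    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {  # constructed WSGI environ for one checkout request
        "REQUEST_METHOD": "POST",
        "PATH_INFO": "/checkout",
        "QUERY_STRING": "card=4111111111111111",
        "REMOTE_ADDR": "203.0.113.5",
        "HTTP_AUTHORIZATION": "Bearer s3cret-token",
    }
    body = b"".join(handler(environ, start_response)).decode("utf-8")
    return {"status": captured["status"], "body": body,
            "logged": fallback_records, "sink": handler.last_sink}


if __name__ == "__main__":
    result = run_demo()
    print(result["status"])
    print(result["body"])
    print(result["logged"][0])
```

The reference number is the link between the two halves: the user quotes it, and DevOps greps the log for it and finds the trace. Note that the log record deliberately omits the query string and redacts credential-bearing headers, because a crash log that captures card numbers or session tokens is its own incident.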
Tuesday, 27 December 2016
Saturday, 15 October 2016
This is what happens when you don't keep your software updated
Here is what happens when you don't keep your web site's software updated:
Hackers pop 6000 sites on active 18-month carding bonanza
Magento patched this bug 18 months ago, so it should be simple for web site owners to get the fix applied, but Willem de Groot is still producing lists of online stores that are vulnerable and getting hacked on a daily basis.
It seems that a lot of store owners either don't care, or are completely oblivious to the issue, with responses like 'we are safe because we use https' or 'we are safe because we have the Symantec security seal'. Neither is any protection against a bug in the shop software: HTTPS only protects the connection between the browser and the server, and a security seal is a badge, not a code audit. The only fix for a vulnerable application is to apply the vendor's patch.
Hacked sites may have all sorts of card skimmers installed, of the type that send customers' credit card data to online hackers. A few months ago I personally noted that a few of the websites that I was managing had a big increase in credit card fraud -- this is one of the likely vectors of all of those stolen card numbers.
Here is what happens when your credit card gets stolen
Contrary to what you might think, stolen cards don't automatically get detected by the bank at the time the card is stolen. The bank has to wait for a transaction to appear on the card that you don't recognise.
Also, contrary to what you might think, the big money in stolen credit cards is not where thieves take the card number and use it to buy a Porsche or a Rolex. Those transactions are easy to spot because people don't usually buy Porsches or Rolexes with their credit cards. The big money is in $5 or $10 monthly "service fees". It works like this: the thief puts a $10 charge on your card with the description "service fee" or similar. You, the customer, look at this charge, think "damn bank, slugging me for more fees again" and get on with your life, ignoring the fee. Meanwhile the thief has thousands or tens of thousands of stolen cards, each earning them a $10 monthly fee. That's big money. So read your statements line by line, and query any recurring charge you can't tie to a merchant you actually deal with.
Tuesday, 20 September 2016
Westpac Are A Bunch Of Useless Morons
Sometimes I get a bit steamed up when it comes to computer security. Usually it's over someone doing stupid things, such as writing their password on a yellow sticky note and putting it under their keyboard, or attaching it to their screen. Sometimes it's about a lack of forethought in product design, such as the BlueCoat proxy SSL interception (more about that later).
However, occasionally there is an instance of organisational stupidity that goes beyond the pale. Westpac Banking Corporation (WBC, or Westpac as it's known to us Australians) is one of the "big 4" banks of the Australian banking scene. So you would think that at some point they would have the funds to hire a security expert to tell them that their recent online banking redesign was a really dumb idea. Or perhaps they could have hired a 5 year old, because any 5 year old could have spotted this.
Here's a screen shot of the Westpac Online Banking sign-in, or "Westpac Live" as they prefer to call it:

I have "redacted out" (scrubbed over with red paint) a few pertinent details such as my customer ID (account number) and password. Of course I didn't enter my real password I just clicked on the number "5" a few times.
The customer ID is normally shown in clear text on the screen. That's no big deal because nobody can access my Westpac accounts without both the customer ID and password. Nothing beats single factor security, eh?
However the password can also be clearly read by anyone standing behind me. In fact in the latest redesign the buttons that you click to enter your password have been enlarged, and now the button that you click is highlighted as you click it. That means that anyone in the same room can probably read the password as it's entered. You can't type it in, you have to click the buttons, for "security reasons" as I've been told by Westpac staff in the past.
I guess "security reasons" are also why the password has to be only 6 characters, letters and numbers, and is all upper case. I guess "security reasons" is also why they haven't switched to 2 factor authentication yet.
Anyone who still banks at Westpac should probably look to close their accounts and take them elsewhere. For "security reasons".
Thursday, 26 November 2015
This is what to do to not get hacked
sigh.
Another facebook trojan doing the rounds, no doubt aiming to steal passwords, and another few friends had their accounts tumbled into. Here is what to do to stop it happening to you.
First, the simple rules.
Rule 1. The people trying to hack your accounts are usually pimple-faced geeks (PFGs) with nothing better to do. They are looking for an easy ride. They are lazy, and generally speaking don't want to cause a major incident by identity theft. They may be after a few dollars from your bank account, but mostly they are after a bit of fun.
Rule 2. Most people have passwords that are pretty easy to guess. It's either the same as their login name, or it's the same with a few numbers, or can be figured out by looking at their on line profile. Or it's just "password1".
Rule 3. Catch one, catch them all. Most people have the same password for their facebook account as their linkedin account as their gmail account as their internet banking. Either that or add or remove a few numbers from the end and you have them all. This is why a password leaked from one site gets tried against every other site (the trade calls it credential stuffing).
Rule 4. Most people who don't fall into rule 2 or rule 3 have a complex and difficult to remember password that is written on a yellow sticky note next to, or under, their keyboards.
Rule 5. People who don't fall into rules 2, 3, or 4 make life hard for the PFGs and they will go elsewhere looking for fun. See rule 1.
So here's what to do.
Step 1. Get hold of a decent password safe program. There are many of them about, and most of them are free. The one I use is called KeePass, and it can be found here: http://keepass.info/ There is a Linux version that is compatible with KeePass version 1 files, which is here: http://www.keepassx.org/ The thing I like about it is that it's free, and it can be obtained in a "portable" edition that can be copied onto and run from a USB stick. In fact it's not that hard to compile the Linux version statically, so that it can also be run from a USB stick.
Preferably, use a free one. This is not an endorsement of KeePass as a product, but free is the way to go. Whatever you do, don't use one where the source code can't be obtained, or one that says "we have a fantastic proprietary encryption algorithm that's all our own that nobody else knows about so it's ultra safe". That is BS. The best encryption algorithm to use is AES, preferably in the 256 bit variant. The US government approves it for protecting classified information, and cryptographers all over the globe have been studying the algorithm for years without finding a practical attack. The worst algorithms to use are the secret and proprietary ones, because they haven't been scrutinised by hundreds of mathematicians, and nobody knows if there are faults or not, or what those faults are. The design and mathematics behind AES are publicly available, which is what makes it trustworthy. One more thing to look for: how the program turns your master password into the encryption key. A good password safe runs it through a deliberately slow key derivation function, so that guessing master passwords against a stolen safe file is expensive.
Step 2. Go buy a USB stick. Doesn't have to be big. Get one with a swivel, that has a small loop on the swivel so that it can be stuck on your keyring. Yes, that keyring, the one you keep your house keys on. This is going to be your "internet" key, and you should keep it safe just like your house keys. Fetch and install KeePass or KeePassX or whatever onto the USB stick. Make a folder on the USB stick and call it something like "holiday snaps". Copy a couple of hundred of the most boring holiday photos you can find into the folder, preferably the ones of Uncle Ernie when he got drunk at your sister's 21st and felt up the cocktail waitress. In addition to those holiday snaps, create your password safe file (KeePass calls this a KDB file, but you don't have to give it a .kdb extension; in fact you can call it ernie_001.jpg. This will confuse your JPEG viewer but won't bother KeePass). Be clear about what the disguise buys you, though: the file has a recognisable header, so anyone who actually looks will know what it is. The master password, not the file name, is what protects it.
Step 3. Think of one password that you will never forget. That's going to be the password to your KDB file. Make it long; a passphrase of several unrelated words is easier to remember and far stronger than a short, clever one. Everything else in the safe is only as safe as this one password.
Step 4. Use KeePass or your favourite program to generate new, random passwords for all of your online applications. You want a different password for each app, so your facebook password and your LJ password and your internet banking password will all be different. What size password you use may vary from place to place, e.g. LJ requires 8 or more characters in a password, and some require a minimum of 8 and a maximum of 32 or something like that. 16 or so randomly generated characters of upper & lower case plus some numbers is usually pretty good.
Don't try to think of different clever passwords for each application. Use the program to generate a random one, within the constraints allowed by the application. There might be something in your thinking that allows a hacker to guess what password you might choose, but nobody can guess what happens when you push the "Generate" button to create a random one.
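To show what that "Generate" button is doing underneath, here is an added example written for this post (it is not KeePass code and not from the original entry): a generator that draws each character from the operating system's cryptographic random source, respects a per-site rule of the kind described in Step 4 (minimum length, maximum length, which character classes the site accepts), and reports how many bits of entropy the result has. The site names and their rules are constructed; the 6-character upper-case-and-digits rule is there because it is the shape of the bank password from the Westpac post above, and the numbers show why it is weak.

```python
import math
import secrets
import string

# Character classes a site may accept. The "symbol" set is an assumption;
# real sites differ in which symbols they allow.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}


def generate(length, classes=("lower", "upper", "digit")):
    """Random password of `length` drawn uniformly from the union of the
    given classes, with at least one character from each class present."""
    if length < len(classes):
        raise ValueError("length too short to fit one character from every class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        # secrets.choice uses the OS CSPRNG. random.choice is seeded from a
        # guessable state and is the classic home-grown-generator mistake.
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw


def entropy_bits(length, classes=("lower", "upper", "digit")):
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Forcing every class to appear trims this very slightly; ignored here."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def generate_for_policy(policy, target=16):
    """Aim for `target` characters (the post's 16), clamped to the site's
    minimum and maximum, using every class the site accepts."""
    classes = policy.get("classes", ("lower", "upper", "digit"))
    length = max(policy["min"], min(policy.get("max", target), target))
    return generate(length, classes)


def conforms(password, policy):
    """Check a password against a site policy: length bounds, only allowed
    characters, and every accepted class represented."""
    classes = policy.get("classes", ("lower", "upper", "digit"))
    allowed = "".join(CLASSES[c] for c in classes)
    return (policy["min"] <= len(password) <= policy.get("max", 10**9)
            and all(ch in allowed for ch in password)
            and all(any(ch in CLASSES[c] for ch in password) for c in classes))


# Constructed site rules of the kind mentioned in the post.
SITE_POLICIES = {
    "facebook": {"min": 6, "max": 64, "classes": ("lower", "upper", "digit", "symbol")},
    "livejournal": {"min": 8, "max": 32},
    "bank": {"min": 6, "max": 6, "classes": ("upper", "digit")},
}


def make_vault(policies=SITE_POLICIES, target=16):
    """One independent random password per site. A leak from one site's
    password database then says nothing about any of the others."""
    return {site: generate_for_policy(p, target) for site, p in policies.items()}


if __name__ == "__main__":
    for site, pw in make_vault().items():
        policy = SITE_POLICIES[site]
        bits = entropy_bits(len(pw), policy.get("classes", ("lower", "upper", "digit")))
        print(f"{site:12s} {pw:20s} {bits:5.1f} bits")
```

Run it and compare the entropy column: 16 characters of mixed case plus digits is about 95 bits, while 6 characters of upper case plus digits is about 31 bits, roughly 2.2 billion possibilities, which is why a site that caps you at the latter is relying on lockout rather than on the password.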
The other simple rules
This is not a tutorial about how to use KeePass. It's a pretty simple program, really, and there are many others like it. There are on line manuals and tutorials and stuff for them, it's not rocket science.
Save your KDB file back to your USB stick. Carry the USB stick with you. Don't copy the KDB files to your hard disk, and don't write a copy of your password onto the USB stick (or on a yellow sticky note on your keyboard).
Make a backup copy of the USB stick every now and again (get a second USB stick) and give it to your mother, sister, aunt or some other trusted family member (probably not Uncle Ernie, especially if he's prone to getting drunk and feeling up cocktail waitresses). Don't tell the person who you give the USB stick to what it's for, or what's on it, or what the password is. If you like, make a copy of the password, put it in a sealed envelope with the name of the KDB file and give it to your solicitor, to be opened in the case of your accidental or untimely death.
Don't write the passwords down somewhere else. It's an easy enough job to cut and paste the passwords from the KeePass program into your web browser or whatever other program you use that needs the passwords (your work's VPN client software for example). KeePass has a special mechanism where it will put the password into the clipboard so you can copy and paste it for 10 seconds or so, and then erase it.