Yeah, I forgot to make that clicky - https://www.bentasker.co.uk/blog/security/315-the-state-of-mobile-banking. The summary is, all pretty crap but in a variety of different ways
Still about 18 months old, but I did have a tinker with some mobile banking apps last year - https://www.bentasker.co.uk/blog/security/315-the-state-of-mobile-banking - though that was on Android not iOS and involved a MiTM
Re: Martlesham Heath
As for the blasted Heath there was modern pub there called the 'Douglas Bader'. They were not happy when I said it looked like a great place to get legless in.
Still there, and they still don't like that joke ;)
but there is no "advertising itself" element here either. DNS is no BGP. Unless I missed something?
Took me a few reads too....
Assuming El Reg hasn't just gone off the deep-end, they're talking about the recursor (which can also use locally configured data rather than going to the authoritatives). So you could potentially inject configuration which would tell the recursor to return a specific set of A records for any lookup.
If you stuck the recursor's own IP in there, then you could DDoS it (though you wouldn't gain much). It's more likely though that an attacker would just redirect specific domains to their own servers (for some MiTM goodness).
No change in NS records required to achieve that.
But yeah, there's no advertising itself - and the reference to youtube getting blackholed does leave me a little unsure that El Reg hasn't confused BGP and DNS.
I thought that was the point behind periodic password changes: to deal with undetected breaches
That was the point yeah. The thing is, it's unusual for someone to just sit on a known-good password - generally they'll use it as a point of entry more or less straight after gaining it. Usually it'll be used to gain a pivot point so that they can go after something more useful (like gaining domain admin or the like).
So unless they get your password on day 89 of your 90 day rotation period, it doesn't actually offer that much protection. Especially when you factor in the fact that enforced rotations tend to lead to lower quality passwords, as users get sick of having to memorise a new one.
Essentially, having an Intrusion Detection System on the network probably offers far better protection than rotating passwords ever did.
> Unlike other userland processes, the death of PID 1 is fatal. So things which are perfectly acceptable in other process are not in tolerable in PID 1.
Oh, agreed, but the joke was based on your typo ;)
> The only userland event that should cause a panic is PID 1 existing.
But only if it's SystemD. SysVInit should be allowed to continue as normal
Well, yes, if you configure your malware (or the host system) not to use DNS, then obviously a DNS service (however good) isn't going to offer any protection to the users/victims.
On the other hand, you throw away a lot of flexibility for yourself, as you're no longer so easily able to periodically rotate the C&C address to evade detection (and circumvent blocking). There's a good reason why malware tends to use domain names and not simply have a hardcoded IP in there - editing /etc/hosts is essentially the same as hardcoding the IP into the payload.
It claimed users wouldn't suffer a performance penalty for using the service, but added it plans to double the Quad9 PoPs over the next 18 months.
They're both right and wrong.
You won't suffer a performance penalty on your DNS lookups, they'll come back nice and quickly.
But, the service doesn't support the EDNS Client Subnet extension, so most CDNs will wind up geo-locating you to wherever the resolver you've hit is located. If it's a US DNS server that answers your query, you'll get a CDN cache in the US even if you're the other side of the ocean.
IMO, it's a pretty big feature to be launching without on today's internet, and it's likely going to cause various CDNs lots of tickets from users/operators claiming that delivery is slow and they're being routed to machines in the wrong country.
The lack of EDNS is deliberate - to preserve the user's privacy (so that they're not spurting your source subnet out to each authoritative nameserver you require records from). On the other hand, that "privacy" pretty much vanishes the second you use the received records to establish a connection to their servers, so *shrug*.
Definitely nice to see a new competitor to OpenDNS/Google pop up, but I'm not going to be using them until they've got working ECS support in place. It's claimed that 188.8.131.52 does support ECS, but a packet capture on my authoritative servers suggests that either this isn't the case, or they're using a whitelist of authoritative nameservers (which I'm not on).
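To make the ECS trade-off concrete, here is an added example (not from the post above or from Quad9) that builds a DNS query carrying an EDNS Client Subnet option and parses it back out. It shows exactly which bytes a resolver with ECS forwards to the authoritative server, and that a resolver without ECS forwards none of them; the client address 203.0.113.77 is constructed.

```python
"""Build and parse a DNS query carrying an EDNS Client Subnet (ECS) option.

Added example, not part of the original forum post: it shows what a recursive
resolver that supports ECS (RFC 7871) forwards to an authoritative server,
i.e. the client-network information that a resolver without ECS keeps to
itself. Standard library only; nothing is sent on the wire.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8   # EDNS option code for Client Subnet (RFC 7871)
OPT_RRTYPE = 41       # OPT pseudo-RR type (RFC 6891)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at pos."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer, always two bytes
            return pos + 2
        pos += length + 1


def ecs_option(client_ip: str, prefix_len: int) -> bytes:
    """Encode an ECS option truncated to prefix_len bits (RFC 7871 section 6)."""
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    # Only the network part is sent; host bits are zeroed, so a resolver that
    # uses /24 or /56 never reveals the full client address.
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    addr = net.network_address.packed[: (prefix_len + 7) // 8]
    body = struct.pack("!HBB", family, prefix_len, 0) + addr   # scope prefix is 0 in a query
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query(qname: str, client_ip=None, prefix_len: int = 24, txid: int = 0x1234) -> bytes:
    """A-record query; when client_ip is given, an OPT RR carrying ECS is appended."""
    arcount = 1 if client_ip else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1, one question
    question = encode_name(qname) + struct.pack("!HH", 1, 1)           # type A, class IN
    if not client_ip:
        return header + question                                       # no ECS: nothing leaks
    rdata = ecs_option(client_ip, prefix_len)
    # OPT RR: root name, type 41, UDP payload size in CLASS, flags in TTL, then the options
    opt = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt


def parse_ecs(msg: bytes):
    """Return the ECS option from a DNS message as a dict, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rrtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if rrtype != OPT_RRTYPE:
            continue
        off = 0
        while off + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[off:off + 4])
            body, off = rdata[off + 4:off + 4 + olen], off + 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            family, source, scope = struct.unpack("!HBB", body[:4])
            width = 4 if family == 1 else 16
            addr = ipaddress.ip_address(body[4:] + b"\x00" * (width - len(body[4:])))
            return {"family": family, "source_prefix": source, "scope_prefix": scope,
                    "network": str(ipaddress.ip_network(f"{addr}/{source}", strict=False))}
    return None


if __name__ == "__main__":
    q = build_query("www.example.com", "203.0.113.77")   # constructed client address
    print(parse_ecs(q))      # {'family': 1, 'source_prefix': 24, 'scope_prefix': 0, 'network': '203.0.113.0/24'}
    print(parse_ecs(build_query("www.example.com")))     # None: a resolver without ECS sends nothing
```

The full address never appears in the query, only the /24, which is what the authoritative server (and anyone capturing that hop) gets to see.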
Re: 2 Factor Authentication
There's nothing more infuriating than being sent an SMS that you cannot access without going outside, or even have to drive somewhere else to receive.
Yes, ^ That.
I'm looking in particular at HMRC - do you want me to do my Tax Return or not? If I need to go out just to receive the text, I'd much rather go out to the pub for a quiet afternoon than walk back in and fill out paperwork.
If you use the latest and greatest browser, then your connection will use the highest available encryption, so is not at risk.
If the bank / business also allows connections using weaker encryption for people with older browsers, that doesn't compromise your connection.
To be fair, as noted in the previous article, the highest available encryption available from some of the banks is actually quite low/old (with some not even having PFS).
But, as the current article notes, crooks don't generally bother trying to attack your connection to the bank. Far easier to either deploy malware or use traditional phishing tactics.
As we continue to secure connections, those routes are only going to become more popular too. You only really need a low(ish) bar on the connection itself to make these the more lucrative and desirable routes, and that bar is already in place.
Security researcher Scott Helme and encryption expert Professor Alan Woodward were both adamant that this was a serious failing, not least because updating to support the technology would be straightforward,
I've often found that you'll see people saying "it should be done, and is straightforward to do" only to later find they have no understanding of either the systems they're referring to, nor the operational requirements of the organisation operating those systems.
It's straightforward to update a low-traffic VPS to do almost anything, it's almost never straightforward to "just" update anything at scale, particularly where there are strong security considerations to be made infrastructure-wise.
As others have noted, any plans to do so are probably stuck deep in bureaucracy at the moment.
Lack of HSTS isn't all that big a deal in the scheme of things. Especially when as late as last year, certain banks were still using plain old HTTP to load assets for their banking apps: https://www.bentasker.co.uk/blog/security/315-the-state-of-mobile-banking
Funnily enough, that bank was the only one I'd tested that had bothered to configure HSTS on their "main" domain, and then they went and did something like that. They're also the only one who scored an A in the Reg's tests... go figure
I think calling the lack of HSTS a "serious" failing is one hell of a stretch. It's a failing, but there are far bigger issues that need to be addressed first. Just my 2 cents
Assuming it *was* deliberate, the aim probably wasn't to freeze the accounts so much as to gain access to them.
Which in a way, he sort of did - he managed to get his key onto those wallets/contracts as required for authorising a transaction. The next step would have been to find a flaw that allowed that key to authorise transactions without the sign-off of the other (legitimate) keys. At that point you could move the funds out and ride off into the sun.
Assuming, again, that it was deliberate, the sticking point seems to have been not being able to find a flaw that allows that second step.
Deleting the "new" wallet was a bad move though. If it had been left active he could at least have freed everyone else's funds back up. On the other hand, the funds are now sat waiting for someone to find a way to gain access to them, legitimately or not. If it was a deliberate act then he's probably looking for a way at the moment.
The thing is, deliberate or not, it's something that should never have been able to happen. If a crypto-currency wants to be considered, well, currency then users need to be able to trust that they're not suddenly going to get hit by something like this.
It's quite possible that by the time access is recovered (if at all) that the value may have flopped significantly. It's not the first issue Parity have had, and it's not exactly a small deal having your funds frozen indefinitely because of a bug in the code
To satisfy my curiosity, I succeeded in changing the hash value of an image I downloaded from a website merely by opening and then saving it with an image editor. I didn't have to modify any pixels at all.
That won't affect the software they're using.
If you're patient enough to try it, get the original indexed by TinEye.
Then reverse search your "modified" one. Then crop it and try again, then change some pixels and try again.
You will most likely find that TinEye correctly returns the original every time. When they say hashing, they don't mean filehashes.
It's not a simple filehash.
We've had TinEye - capable of taking an input image and finding cropped variations across the net - for years and years. It's developed in the meantime, but this is far from new technology.
The hashing is based (AIUI) on the variation between pixels in "key" locations (of which there are more than a few), so cropping the image won't help. Even contrast tweaks have to be fairly extreme to throw it off.
All that said, it's far from perfect.
If they're saying it's completely automated then they carry the same risk even when you upload for hashing (could you, for instance, upload a bunch of Trump images?).
There'll be hell to pay, though, if they fuck this up and it turns out to be leaky
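As an added illustration of the "not a file hash" point in the posts above (my own example, not TinEye's algorithm, which is not public), here is a simplified difference hash over a constructed grayscale image. It derives its bits from the brightness relationship between neighbouring regions, so re-saving or shifting brightness/contrast changes the SHA-256 of the bytes but leaves the perceptual hash untouched; the image, the `adjust` edit and the `mirror` comparison are all constructed for the demo.

```python
"""Simplified perceptual ('difference') hash versus a plain file hash.

Added example, not from the original post and not TinEye's algorithm: the
hash encodes which of two neighbouring cells is brighter, so monotonic edits
(brightness, contrast, re-encoding) leave it unchanged while every byte of
the file changes. The image is constructed, not loaded from disk.
"""
import hashlib


def constructed_image(width=64, height=48):
    """Synthetic 8-bit grayscale image: a diagonal gradient with a bright rectangle."""
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            value = 2 * x + 2 * y
            if 21 <= x < 35 and 12 <= y < 24:   # rectangle aligned to the 9x8 cell grid below
                value += 90
            row.append(min(255, value))
        img.append(row)
    return img


def file_hash(img):
    """What a plain file hash sees: the exact pixel bytes."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def downscale(img, w, h):
    """Average-pool to w x h cells: the 'key locations' whose relationships get hashed."""
    H, W = len(img), len(img[0])
    cells = []
    for j in range(h):
        y0, y1 = j * H // h, (j + 1) * H // h
        row = []
        for i in range(w):
            x0, x1 = i * W // w, (i + 1) * W // w
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        cells.append(row)
    return cells


def dhash(img, size=8):
    """size*size bits: 1 where a cell is brighter than its left-hand neighbour."""
    cells = downscale(img, size + 1, size)
    bits = 0
    for row in cells:
        for i in range(size):
            bits = (bits << 1) | (row[i + 1] > row[i])
    return bits


def hamming(a, b):
    """Number of differing bits; a small distance means 'the same picture'."""
    return bin(a ^ b).count("1")


def adjust(img, gain=1.0, offset=0):
    """Brightness/contrast edit: v -> clip(v*gain + offset), like an editor's slider."""
    return [[max(0, min(255, int(v * gain + offset))) for v in row] for row in img]


def mirror(img):
    """A genuinely different picture (horizontal flip) to compare against."""
    return [row[::-1] for row in img]


if __name__ == "__main__":
    original = constructed_image()
    edited = adjust(original, gain=0.8, offset=20)
    print(file_hash(original) == file_hash(edited))          # False: every byte changed
    print(hamming(dhash(original), dhash(edited)))            # 0: same perceptual hash
    print(hamming(dhash(original), dhash(mirror(original))))  # large: different picture
```

Real systems use far more cells and add rotation/crop handling, which is why they are harder to throw off than this toy, but the principle is the same: the file's bytes are not what gets compared.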
Re: In the past, I would have cared about the BBC
> but since the Brexit vote, they've taken on the mantle of "Brexit Broadcasting Corporation".
I dunno, Have I Got News For You (for example) is fairly anti-brexit when it comes up, as are other programmes. Coverage seems to flip between pro and against. I'd rather they just wrote the facts too but it's not unexpected for a journalist to interpret them to some extent.
> Both by giving disproportionate airtime (the correct proportion being "zero") to Nigel Farage
I think the idea, pre-brexit was probably to make sure he couldn't whinge that he was being oppressed and censored. Better to make a pillock of himself for all to see, as it were. What they seem not to have factored in is our seeming current fondness for twats (see BoJo).
> by an editorial stance which seems to be "if it's from a Brexiteer, it can't be challenged or held to scrutiny". Even Radio Four has suffered.
I've not really noticed that to any great extent, and I tend to hear a little bit of radio 4 in the mornings. Though it's more than possible - there seems to be this general idea that Brexit is set, final and cannot be argued with (or rolled back). We had one chance and fucked it, basically. Not sure I agree with that, it should be an ongoing debate, given that there are facts which were available to no-one at the time of the vote (and still some we don't have yet, as things haven't progressed all that much)
Re: RE: AC
> Bill was a terrible gay character. If your character has to remind everyone they're gay EVERY episode then something is seriously wrong.
To be fair, I've known gay people who felt the need to re-assert their homosexuality at every possible opportunity. Conversely, I've also known people who you'd never have guessed were gay if they hadn't told you. Different people differ, so I don't think Bill's character was that unrealistic
Re: Vapourous clouds
"It keeps it out of US jurisdiction."
No, it doesn't. $orkplace didn't use them for corporate mail because they explicitly WOULD NOT provide a guarantee that data could be held out of US jurisdiction. It goes everywhere.
The poster you're replying to is saying that using his own computer instead of Google keeps it out of US jurisdiction. Which is true (depending on where you're based....)
Whether MS's solution does or not is something we're likely to see in the near future.
Re: Should not?
> Should not? Confident? Significant? Whatever happened to evidence and certainty?
Evidence and certainty in these matters tends to come from experts, and apparently we've "had enough of experts"
So why does El Reg (amongst many others) publish AMP-formatted pages? And why do so many people voluntarily view them?
It's not always voluntary.
If you hit a link on Twitter to (say) Ars Technica on a mobile device - you'll almost certainly go to the AMP page first, and then have to click a link to go to the properly formatted version.
Aside from AMP pages being unadulterated dogshit (IMO) one of the common complaints about it is that there's no way to opt-out of being served the AMP crap.
They've got more reach because of the way Google is pushing them - it doesn't automatically mean that AMP is a better solution. It's more than possible to create a page that'll load quickly on a mobile without AMP, and doesn't even take that much effort.
If you like AMP pages, that's fine. The difference is, that those of us who don't like them are getting them pushed with no way to say once (whether per-site, or globally) that we'd actually rather have the full-fat version of the site. IMO it's as, if not more, annoying than the sites that insist on loading a modal to say "We see you're on a mobile, why not install our app?" every time you visit.
Re: Helpful tips to make the above concept better welcome.
Last night I needed to send a text message with a picture, which costs extra money and is not part of anybody's free texts in their phone contract. To avoid spending 50p I sent the message via whatsapp instead.
How else could I have done that? Bear in mind the recipient was a "normal" and doesn't have their own ftp server set up or anything like that.
Presumably, like most people, they've hooked their email up to their phone right? No FTP servers needed.
Course, if you want to go the whole hog, you set up your own box, push the images to that and send them a secure link, but that probably is overcooking the effort side of things.
There are always ways around it if you want to solve problems like that. The trick to making it work is to make sure any extra effort is on your side, and then work to minimise that too.
Personally, I've just given anyone I really care to talk to a jabber account on my server and dumped an app on their phone for them. They can talk to each other, and they can talk to me via it. Nothing extra really needed - if they want to use WhatsApp to talk to other people that's obviously fine, but I've neither need nor intention of doing so.
Re: I'm confused
> 10K per violation. There's 100 of them, so that's 100 grand please.
You've missed a zero, mate. It is a million.
Nah, Theresa May made a speech while I was typing and Sterling plummeted again
He keeps his legal fees as low as possible by avoiding using lawyers as far as possible.
He had to withdraw one case that went to court because the judge had questions about an affidavit he filed, and wanted to speak to his lawyer. The lawyer in question hadn't touched said affidavit, so they withdrew (I don't know exactly what was wrong with it).
His settlements tend to come in stages (a lowish first stage, which gives him the leverage for a subsequent higher claim) so I guess that fills the gaps a bit too
Re: After reading this I am still confused.
> Failed to provide copies of the source for the binaries, either with those binaries or on request from recipients.
Not always. His claims are rather inventive at times.
In at least one case, the offer of source was there, but it came from the distributor's parent company rather than the distributor itself.
Re: How long before...
> How long before... All trace of his code is expunged from the Linux Kernel?
Already being discussed AIUI
Re: I'm confused
I'm confused too. In the UK, you'd normally be restricted to claiming the amount of your actual loss from the violation which in most cases would be close to zero. It would appear that the result of the German claims are not easily publicly obtained, so it's difficult to know what the basis of any settlement might be.
There's a link above that explains it better, but basically what he's doing is this
Hey, ACME, you're not in compliance with the license, infringing my copyrights. Pay me 5,000 for my engineering time and I'll help you get it right.
OK, that's done, please sign this cease-and-desist to confirm receipt.
Hey, ACME, me again. I've found some other violations. According to the terms of our contract (the signed cease-and-desist) that's 10K per violation. There's 100 of them, so that's 100 grand please.
ACME's companies look favourably on stage 1 because it's a cheap way to avoid costs, and seemingly low risk. Under German law, though, when that C&D is signed, it becomes a binding contract - and that's his money maker.
If you look at some of the claims he's made too, some of them are... inventive. At least one was on the basis that "ACME" was distributing GPL code, but the offer for the source came from ACME's parent company.
And it's got a headphone jack!
It actually looks like it's got some potential, they seem to have at least put some thought into security on the face of it. I'd probably have balked at the price a while back, but given the asking price of some of the more recent releases it seems a lot more reasonable.
Tech-Radar labelled it as "not exciting" (http://www.techradar.com/reviews/blackberry-motion) which kind of misses the point that I don't actually want my phone to be exciting. I want it to work, and not gradually grow into a bigger and bigger mobile security hole over time. Maybe that's just me?
Re: Hang on a minute
Terribly sorry, I'm with the "feature, NOT bug" crowd here. I feel no obligation to assist said website with any reports about anything,
The flipside of that, of course, is that the day you visit with a "fresh" browser (having forgotten to install Noscript/uBlock et al) and get pwned via XSS, it's partly your own fault as the site admin could have received warnings at an earlier stage if you'd only been prepared to provide them.
That said, that's a trade-off I'm willing to make - it's an issue of consent in my mind.
Though I'd describe this less as a "feature" of uBlock as lack of a feature - there should be a toggle so the user can choose to enable CSP reports if they want (rather than having to update the whitelist).
Re: Hijack the hijack?
With Monero (which is what's being mined in most of these cases) there's very, very little advantage to using a GPU over a CPU - it was specifically designed to limit the advantage.
But, yes, a miner written in C (or in fact, almost any other language) will be more efficient than one running within the browser, even as WebAssembly.
Re: That's not even wrong
How do they even _have_ the plaintext password to display there?
They have it in plaintext at the time you enter it to create the volume. The root of the issue is that they've done something like
diskval.hint = null
diskval.pass = buildKey(password)
set diskval.hint = password
The root cause is probably a copy/paste of a block that checked for and set the password, and then they changed the conditional but forgot to change the name of the variable they were taking data from
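An added illustration of the copy/paste slip described above (my own example, not the vendor's code; build_key, VolumeRecord and the create_volume_* helpers are hypothetical names, and PBKDF2 stands in for whatever key derivation the real product uses). The buggy helper stores the password in the hint field exactly as the pseudocode shows, the fixed one beside it stores the hint, and a guard at the persistence boundary refuses any record whose hint would reveal the password.

```python
"""Copy/paste bug that stores the plaintext password as the hint, the fix,
and a guard that catches it before anything is written.

Added example, not from the original post or the vendor's code. Names are
hypothetical; PBKDF2 stands in for the product's real key derivation.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class VolumeRecord:
    name: str
    salt: bytes
    key: bytes                  # derived key material, never the password itself
    hint: Optional[str] = None  # free text shown to a user who forgets the password


def build_key(password: str, salt: bytes) -> bytes:
    """Derive the volume key from the password (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def create_volume_buggy(name: str, password: str, hint: Optional[str] = None) -> VolumeRecord:
    """The shape of the bug: the password-handling block was copied, the condition
    changed to look at the hint, but the right-hand side still reads `password`."""
    salt = os.urandom(16)
    rec = VolumeRecord(name=name, salt=salt, key=build_key(password, salt))
    if hint:
        rec.hint = password       # BUG: should be `hint`; the plaintext password persists
    return rec


def create_volume_fixed(name: str, password: str, hint: Optional[str] = None) -> VolumeRecord:
    """Same flow with the variable corrected."""
    salt = os.urandom(16)
    rec = VolumeRecord(name=name, salt=salt, key=build_key(password, salt))
    if hint:
        rec.hint = hint
    return rec


def hint_is_safe(rec: VolumeRecord, password: str) -> bool:
    """A hint must not be, or contain, the password (compared case-insensitively),
    nor the hex of the derived key or salt. Cheap to check at creation time."""
    if not rec.hint:
        return True
    text = rec.hint.casefold()
    if password.casefold() in text:
        return False
    return not any(secret in text for secret in (rec.key.hex(), rec.salt.hex()))


def store_volume(rec: VolumeRecord, password: str) -> VolumeRecord:
    """Persistence boundary: refuse to write a record whose hint leaks the password,
    so a slip like the one above fails loudly in testing instead of shipping."""
    if not hint_is_safe(rec, password):
        raise ValueError(f"refusing to store volume {rec.name!r}: hint would reveal the password")
    return rec   # a real product would write the record to disk here


if __name__ == "__main__":
    pw, hint = "correct horse battery", "the usual one"      # constructed values
    print(create_volume_buggy("Backup", pw, hint).hint)      # prints the password: the bug
    print(create_volume_fixed("Backup", pw, hint).hint)      # prints the hint
```

The guard does not fix the copy/paste error, it just makes the consequence visible before a record is persisted, which is the kind of check a review or a unit test around volume creation would want.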
> How much of this money goes to Ireland and how much to the EU?
AFAIK, it all goes to Ireland.
Whether it then gets factored into a percentage later in terms of what the EU gives/takes from Ireland is another matter, but the actual money under discussion goes to the Irish treasury.
There may be occasions where your patent is valid, but you come to realise that you're massively outgunned - the unauthorised usage of your patent may not outweigh the risk to your business from high legal costs for the duration of the case.
Having the patent invalidated because a bigger company said "fuck you, let's see whether you can last the whole case" probably isn't a good idea, as big companies will just ignore patents (as they do now) on the basis that you can't even really threaten them on the offchance of a settlement if it means invalidation when you can't risk following through.
Not that the current system doesn't allow for that risk anyway, and not that the current system is any good, but I think you're probably introducing more issues for "honest" companies there without actually doing too much harm to the trolls.
Don't use when referring to types such as "application/json"; instead, use "media type."
Sod off Google, RFC2616 disagrees with you.
Media may well refer to actual physical media, so media type's a shitty selection too
Re: Discrimination or not...
So when do businesses legally get to refuse customers without being accused of discriminatory behaviour?
When the basis of their discrimination is an attribute/quality that's protected by law. See, that wasn't so hard.
You can't be discriminated against for being gay, or for your race (and in some places, age), but you can be for being a jackboot wearing racist dickhead. It's actually quite simple.
Re: Quick note from easyDNS
> If they really wanted to, they could just publish an IP address - no DNS needed.
Or indeed set up a tor HS, or publish your own records into an alt dns zone.
HSBC biz banking crypto: The case of the vanishing green padlock and... what domain are we on again?
And though I moved to the smartphone app to generate codes, that was a debacle and a half. I didn't have a dongle so I couldn't change to the app, resulting in them sending me a dongle and then me having to use that to activate the app. When they didn't work, they deactivated the dongle and then they started telling me to "just enter the code from the dongle into the app" "the one that's deactivated now" "Yes" "Surprisingly that doesn't work" "No problem, just log in and order another." "Cool... how do I log in now that the dongle is deactivated..."
Heh, try sticking with the dongle.... I won't use the pile of crap that is their app, so want to stick with the dongle. Except, you can no longer order a replacement (when the battery gets low) through Internet Banking. Their site says to send them a secure message through Internet Banking to request a new one, so OK.... And you get the following response back
I regret that I am unable to replace the secure key via this messaging service. We were able to send replacement keys through the secure messaging service, however due to a change in policy and for security reasons we can no longer do this.
Instead you've got to phone them. So I can't order a replacement dongle using a service that I need access to the physical token in order to use, because that's insecure, but I can phone them and just give them my internet banking creds to do so.
Clearly I know the creds as I'm logged into Internet Banking to send the message, so all they're actually doing is removing a layer of security.
Re: Linksys EA7500 -- It's worse than you think....
> Then I reset the thing and took it to the local charity shop.
You may have done someone a serious disservice there, would probably have been better to bin it
Re: As much as I hate nazis...
This isn't about hosting the objectionable material, it's about their domain name registration. So this is more analogous to being denied a corner to screech from, because you don't have the documentation that will allow you out on the street.
No it's not. They could still stand on that corner - after all you can host a site and have it accessible without DNS at all.
If you want to analogise it to standing on a street corner, not being able to get a Domain Name registration is more like someone refusing to list you in their directory of who's speaking where so that people can come and find you. Instead you have to rely on word of mouth.
The Stormer has been spewing hate for four or five years.
True, but having dug out the article in question.... fucking hell.
I wouldn't have given them 24 hours to be honest
Re: Fingers crossed he rots somewhere horrible for it...
> Recent events elsewhere suggest that might be an overly optimistic point of view.
Aye, that's a fair point.
> What would happen if a scumbag just disconnects from the internet before accessing any media?
It depends on the mechanism used to be honest. If you're using the old-fashioned tell the player it's a DRM encumbered file and please fetch the license from URL, then depending on the player, it'll fail to play and tell them they need to be online.
That might scare the scumbag off playing it, or if they're suitably stupid (or so horny at the thought of the video they're not thinking straight), they may go online again to play back.
Some players may realise that the video isn't actually encrypted and play it back anyway.
Other techniques, though, may simply queue a request in the player, which'll be placed when said scumbag reconnects.
All that, of course, is assuming they don't write it to a USB stick and take it to an airgapped PC with a player on it.
Re: Fingers crossed he rots somewhere horrible for it...
> 'list of things to be careful about' : don't use windows media player*
> * I mean, if it doesn't play in VLC you don't touch it anyway right?
I've got bad news for you :)
At least one of the techniques that can be used for this works just fine in VLC too. You'd be better off sticking with something like ffplay and using various flags to lock things down (or inspecting the file with ffprobe first). Obviously the 100% certain way, though, is not to be an exploitative scumbag in the first place.
Re: OMG. Feds gather evidence of actual crime, get court warrant and arrest actual suspect
> OMG. Feds gather evidence of actual crime, get court warrant and arrest actual suspect
Yup, it's actually quite a nice use of the tool to be honest. Especially as his demands for video made life much easier for them - they didn't need to trick him into opening a file, just provide something that appeared to be what he'd asked for.
Re: Blind support
> For example, if the guilty person you release goes on to murder a dozen innocent people, that's 12 people who have been killed plus all their family/friends etc.
That, however, is likely the status quo if you hadn't caught them in the first place. Unpleasant, but still.
Convicting and punishing an innocent person though isn't something that wouldn't have happened without your involvement, and therefore is arguably far more unjust.
> WoSign has labelled Microsoft's post “misleading”. In a post we've shoved through online translation engines, the company says its replaced its root certificate in November and that its recent certificates present no risk to users
They said the same about the Firefox/Chrome de-trust.
When I was looking at it last, I didn't find a conclusive answer on the truth of it, although they have submitted a new audit to try and get re-included in both Firefox and Chromium. But, crucially, the Chromium bug says they don't expect the audit to complete until October, so that's after the certs will have been distrusted.
So my conclusion for anyone relying on WoSign was basically - ignore what they're saying, there's a greater than acceptable chance they're wrong and the certs won't be trusted.
> It would not be an obvious burner phone. Just a 2nd hand one with a new SIM.
Yup, exactly. If you've engraved 'burner0001' into it, you're probably doing it wrong
Yeah, basically they've fallen in the same trap that many others have. They've done the easy bit - encrypting the files, and left the users to deal with the much harder challenge: securely exchanging keys (or in this case, the URL). Compromise of that URL means compromise of the file.
I've got a BASH script that'll generate a one-time pad for any given file, and then encrypt it with it. But because of the difficulties in securely exchanging keys it's next to useless in practice.
The medium you use to exchange the key needs to be at least secure enough to send the file (if it's not, you risk compromise of that file). If you consider (say) skype IM secure enough to send the key you may as well just send the file (or break it into chunks and send each using different services).
What this might do, though, is mean that users who wouldn't normally encrypt files they're sending start doing so, because it's all but transparent to them. More encrypted traffic flying around is a good thing for all of us as it increases the size of the haystack.
Basically, I think the functionality misses the mark a bit. But, because it's conveniently located in a popular application it may still have some positive benefits.
Re: Oh dear... maybe
> It's not about some piece of code. One can opt to use pseudo-code or plain English sentences to explain one's findings.
When explaining how a bug can be triggered/exploited, pseudo-code is precisely fuck all use. An English explanation may not be sufficient to repro the issue, and if it is then the 'bad guys' can use that to build their own weaponised exploits.
Your solution does nothing other than either prevent the sharing of information, or add a single step
Re: So where will DEF CON move to?
They are apparently planning to hold one in Shanghai next year (as well as Vegas). Worrying that mainland China actually feels like a safer bet at the moment
Re: GPS ankle bracelets
> As I already posted, I can fool my GPS watch just fine. I have the tools, unlike the Drooling Fool whose Uncool Tools also Drool...
It'd be spectacularly unwise to do so, unless combined with scarpering out of the country. Not only is it a breach of bail conditions (welcome back to prison), but they tend to use it as an excuse to charge you additional 'administrative fees'.
The US is, for all intents and purposes, a corrupt state. As someone else noted above, many of the court ordered 'privileges' such as bail bracelets are non-optional and charged to you at extortionate rates (have a google for the racket involving drink drivers and in-car breathalysers). Even posting bail incurs (high) non-refundable costs.
Most of it isn't so much justice as naked profiteering to the benefit of the Justice Dept's chosen suppliers. That's not justice, it's extortion with a judicial veneer. Of course, before you even reach that point you've got to contend with the cops taking what they please and calling it civil forfeiture.
America, the country where bankruptcy can come as a result of getting ill, or having to defend false and flimsy allegations in criminal court.
There are things in the US I'd like to have seen, but they're very firmly on my Do Not Visit list, and it's hard to foresee a future where that might change.