Recently I came across an interesting issue at a customer. A governmental agency contacted us and informed us that, due to a Windows update, we could experience intermittent issues when trying to communicate with them. All I knew at this stage was that the issue would manifest itself when trying to upload a document and that the integration is done via DLLs that wrap a few web services.

After generating PDBs via dotPeek and adding them to the Visual Studio symbol cache directory, I was able to debug through those third-party DLLs and confirm that the issue was indeed located in one of them.

Knowing that the DLL is redistributed with the product, is in multiple production versions and that the source control’s history is pretty patchy, the question then became: if we were to get a new DLL, could we use it for all the versions?

To answer this question we will have to assess the differences between the DLL in each version.


Barnes and Noble: a tale of poor security practices

Being the happy owner of a Kindle, I usually buy my ebooks on Amazon. They have a very large selection to choose from and normally sell all the latest releases. To my surprise they only had “Enigma of China” by Qiu Xiaolong in paperback and hardcover formats. Kobo didn’t have it at all, but after searching for a while I found out that Barnes & Noble sold it as a NOOK Book for $10.

So far, so good, or so it seemed. It turned out that Barnes & Noble has such a lax approach to security that in the end I decided not to purchase from them. You’ll find below the reasons that motivated my decision.


The Good, the Bad and the Ugly of password practices

The Internet has taken a prominent place in our lives, and most of us regularly purchase goods online or use Internet banking. Access to the services we use is protected by a password, and humans are not good at managing passwords:

  • Most of us will reuse the same password on many services (combine this with the fact that people also use the same email address to log in to said services and you get an explosive mix when security is breached on one service).
  • Most of us will use weak passwords, basically as weak as the service will allow. Not only are our passwords weak, they’re also extremely predictable.

To address those issues you need to use strong unique passwords. By strong I mean that your passwords should be:

  • long (let’s say at least 25 characters)
  • a mix of lower / upper case letters, digits and symbols
  • randomly generated (by a random generator not by you typing random keys on your keyboard)

By unique I mean that you should never reuse a password. You should set a different password on each service. As we tend to use many services and tend to log in from multiple devices (home and work computers, smartphones, tablets...), it is impossible to remember all those strong passwords.

Google has recommended the use of a sentence with substitutions, and something even stronger has been advocated by xkcd. But this doesn’t work. I use over a hundred different services; how could I remember a hundred different sentences? Common substitutions (the ones you will use) are also well documented and will be attempted by attackers to guess your password. Other experts have advised getting rid of passwords altogether, but this opinion is unconventional to say the least.

Like it or not, we’re stuck with passwords for the foreseeable future. Luckily there is a solution: it’s called a password manager. With a password manager you’ll only need to remember one password (the master password); all the other ones will be entered automatically for you in the login forms. I use 1Password, but there are other products on the market: LastPass, KeePass, RoboForm… Most of those products are not free, but I’m sure you’ll prefer to drop a few dozen dollars every few years instead of seeing your online (and sometimes offline) life ruined.

Now that I’ve addressed password best practices on the users’ side, it’s time to mention the other side. The services that you use should do everything they can in order to protect your password. There is a lot to say in this area, but I decided to address the features that are easily observable:

  • password requirements: services shouldn’t restrict the length of our passwords (at least not to fewer than a few dozen characters) or the character set that we can use (this would reduce the entropy)
  • proper use of HTTPS
  • password reset feature

Due to the Heartbleed vulnerability I decided to change some of my passwords recently. To my surprise, many well-known services impose strong restrictions on the passwords users can set. Shall we get started? The offenders are ordered from the worst ones to the most benign ones.
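As an added illustration (not code from the original post), the script below generates a password meeting the criteria given above (25 characters, all four character classes, drawn from a CSPRNG) and quantifies how much entropy a service gives up when it caps the length or the character set; the 8-character alphanumeric cap used in the comparison is an assumed example of such a restriction.

```python
import math
import secrets
import string

# The four character classes the post asks for: lower, upper, digits, symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True when every class in CLASSES occurs at least once."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 25, alphabet: str = ALPHABET) -> str:
    """Draw a password from the OS CSPRNG (secrets, never random).

    Rejection sampling keeps the distribution uniform over the accepted set
    while guaranteeing each class present in `alphabet` appears at least once.
    """
    required = [cls for cls in CLASSES if set(cls) & set(alphabet)]
    if length < len(required):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in required):
            return candidate


def entropy_loss(max_len: int, alphabet_size: int, wanted_len: int = 25) -> float:
    """Bits lost versus a `wanted_len`-character password over the full
    94-character alphabet when a service caps length and/or character set."""
    allowed = entropy_bits(min(max_len, wanted_len), alphabet_size)
    return entropy_bits(wanted_len, len(ALPHABET)) - allowed


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    # Assumed restriction: at most 8 characters, letters and digits only (62 symbols).
    print(f"8-char alphanumeric cap gives up {entropy_loss(8, 62):.1f} bits")
```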


Why You Should Not Use Chrome Extensions

Google Chrome Extensions were officially launched in January 2010. Their goal is to extend the browser by providing additional features; for example, you could add a weather extension and then be able to see the weather forecast for your city in one click. Extensions have become widely popular, and you’re now wondering what could be the issue with them.

Much more power than expected

Google uses a system of permissions to determine what an extension will be able to do once installed. Those permissions are divided into three alert levels: high, medium and low. So far, so good? Not really: even the low level allows an extension to harvest your browsing history and the content of your clipboard.

Extensions are built using JavaScript and HTML. Those are the exact same technologies used on websites. I’m sure you’re aware of how modern websites refresh part of their content without reloading the whole page. Extensions can do this too: nothing prevents a low alert level extension from detecting that you’re pasting your email and password on Facebook in order to log in. The extension can then send the collected information to a remote server.

In this case the exploit is fairly limited: you need the user to be copying and pasting the email and password for this to work (the extension would also collect everything else that the user is copying and pasting). What about the medium and high alert levels? This is where the real fun starts: at this level of trust, extensions can do whatever they want!

A medium alert level extension can generate HTML elements on a page. It could perfectly well hide a login form, replace it with its own, harvest your credentials and submit the hidden login form. A high alert level extension can do similar things, but on your computer! This means that it could take your picture via your webcam, browse your hard drive looking for interesting files…

You would think that all of this is hypothetical and Google would certainly remove any malicious extension, but in this case you would be wrong.
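As an added example (not part of the original post), here is a small static check a user or administrator can run over an extension’s manifest.json before installing it, flagging the powers discussed above: browsing history, clipboard access, and host or content-script access to every site. The risk descriptions are this example’s own triage, not Google’s alert levels, and the sample manifest is constructed for the demonstration.

```python
import json

# Chrome API permissions that grant the capabilities the post describes.
# The explanations are this example's own wording (assumption), not Google's.
RISKY_API_PERMISSIONS = {
    "history": "read the browsing history",
    "clipboardRead": "read whatever the user copies to the clipboard",
    "tabs": "see the URL of every open tab",
    "cookies": "read session cookies of visited sites",
    "webRequest": "observe and modify HTTP requests",
}

# Host patterns that match every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest_json: str) -> list:
    """Return human-readable findings for a manifest.json string.

    Handles both the MV2 layout (hosts listed under "permissions") and the
    MV3 layout ("host_permissions"), plus content_scripts "matches".
    """
    manifest = json.loads(manifest_json)
    findings = []
    hosts = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for perm in hosts:
        if perm in RISKY_API_PERMISSIONS:
            findings.append(f"permission {perm!r}: {RISKY_API_PERMISSIONS[perm]}")
        elif perm in BROAD_HOST_PATTERNS:
            findings.append(f"host access {perm!r}: can read and rewrite every page")
    for script in manifest.get("content_scripts", []):
        broad = BROAD_HOST_PATTERNS & set(script.get("matches", []))
        if broad:
            findings.append(f"content script on {sorted(broad)}: can replace forms on any site")
    return findings


# Constructed sample manifest for a hypothetical extension (not a real one).
SAMPLE_MANIFEST = json.dumps({
    "name": "Weather Widget (hypothetical)",
    "manifest_version": 2,
    "permissions": ["storage", "history", "clipboardRead", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("WARNING:", finding)
```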
