Category Archives: Security

ID checks in the US

I’ve noticed that I am asked for ID in the US much more often than in Australia – usually when checking into hotels or hostels, and quite often when paying with a credit card. The amusing aspect of this is, however, that every time I’ve been asked for ID, they have accepted my Victorian driver’s licence without question (my passport is in my money belt, and I can’t be bothered going through the effort of getting it out).

Now, I’d bet that none of these people have ever seen a Victorian licence before, and certainly wouldn’t be able to tell a fake one from a genuine one. Most probably wouldn’t even know where Victoria was, nor whether it was a jurisdiction that is allowed to issue licences at all. I could imagine them accepting an official-looking laminated piece of plastic with my photo and “City of Wangaratta Driver’s Licence” written on it, too.

Security by idiocy.

I don’t know who came up with this idea, but they’ve just wasted about six hours of my Saturday: dynamic firewalling on a VPN network. It appears to block access to TCP ports, on the fly, if there’s nothing listening at the remote end – and then leave them blocked for an extended period of time. So, what happens when you shut down a three-node Oracle cluster for some maintenance? Some users – or other automated processes – try to connect to them while they’re down, and when they come back up again, no-one can connect at all.

This is then followed by a long, frantic attempt to prove that nothing has changed on the servers between reboots, because “this was all working fine before it was rebooted and now it doesn’t work” is rather hard to argue with.

So, thanks large-telco security people. I only had four hours’ sleep last night, and today I didn’t even get to see daylight.

Laugh, you bastards

You know that something is wrong when only Alexander Downer can see the funny side of yesterday’s Chaser APEC prank.

“Whatever you think of the humour of The Chaser, they were clearly not going to harm anybody in a physical way,” Mr Downer said. “They presumably were, as is the nature of their show, aiming to humiliate a lot of well-known people.”

I’m not normally one for giving credit to anyone from the right of the Liberal Party, but Downer has nailed it, here. This stunt was funny. And if it embarrasses the police for their over-the-top security and the utter waste of money being spent on this pointless exercise, all the better.

The police should be thanking the Chaser. It’s shown them a flaw in their security, given them a good live workout and demonstrated just how silly it is that society considers someone to be important just because they wear a suit and travel in an expensive car.

Limiting password attempts considered harmful

Whoever thought it was a good idea to lock accounts after a number of incorrect password attempts? Aside from being incredibly annoying, it strikes me that this is a very simple vector for a denial of service attack. I’ve been working with a bunch of machines that are linked back to a single-sign-on system, and the central authentication server is set to automatically lock the user’s account after three incorrect attempts at the password. I’ve now had to have it unlocked two or three times a day, because it’s very easy to get my password wrong when sudoing to root as regularly as I have to.

While users are regularly urged to keep their passwords secret, the same can’t be said of their usernames. In fact, in the Unix world, all usernames are clearly available to other users, in the /etc/passwd file as a matter of necessity. Furthermore, I’ve seen plenty of organisations who publish staff usernames in their internal online directories.

What does this mean? Well, it makes it very easy for a disgruntled member of staff to mount a denial of service attack by locking huge numbers of users out of their accounts, just by attempting to connect to the systems with a dummy password. I’d be interested to know whether Australian law even considers it an offence to do something like this, given that no unauthorised access would be gained. Want to really annoy someone? Grab their mobile phone, type in their PIN wrongly several times, and watch them have to call up their provider to have it unlocked.

Obviously I know why such account locking is done – it’s to prevent brute force attacks on passwords. However, it seems to me that a better solution would be a series of backoff timeouts, so that users are never permanently locked out, but brute force attacks are rendered far less effective because of the time they would take to succeed.

I noticed that my internet banking account was locked, a few years ago, when I accidentally used the wrong password several times. I wonder how far off we are from someone getting a list of user IDs to such a system, and then locking out all their customers in one hit?
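To make the argument concrete, here is a small Python model of the two policies, added as an illustration and not code from the original post: a hard lockout after three failures beside a doubling, capped backoff. The account name, thresholds and delays are constructed for the scenario.

```python
LOCK_AFTER = 3          # the post's policy: three wrong guesses locks the account
BASE_DELAY = 2.0        # seconds; doubled after every consecutive failure
MAX_DELAY = 15 * 60.0   # cap, so knowing a username lets you delay its owner, not lock them out

class HardLockout:
    """Lock the account after LOCK_AFTER failures; only an administrator can clear it."""
    def __init__(self):
        self.failures, self.locked = {}, set()

    def attempt(self, user, password_ok, now):
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCK_AFTER:
            self.locked.add(user)
            return "locked"
        return "fail"

class Backoff:
    """Refuse to check the password until the current delay has elapsed;
    the delay doubles on each consecutive failure and resets on success."""
    def __init__(self):
        self.failures, self.not_before = {}, {}

    def attempt(self, user, password_ok, now):
        if now < self.not_before.get(user, 0.0):
            return "wait"           # not counted as a failure: nothing was checked
        if password_ok:
            self.failures[user] = 0
            self.not_before.pop(user, None)
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        self.not_before[user] = now + min(BASE_DELAY * 2 ** (n - 1), MAX_DELAY)
        return "fail"

def simulate(policy):
    """Constructed scenario: someone who knows the username 'alice' but not the
    password makes three wrong guesses ten seconds apart; the real user then
    logs in correctly straight away, and tries again twenty minutes later."""
    for t in (0.0, 10.0, 20.0):
        policy.attempt("alice", False, now=t)
    straight_away = policy.attempt("alice", True, now=21.0)
    twenty_minutes_later = policy.attempt("alice", True, now=21.0 + 20 * 60)
    return straight_away, twenty_minutes_later
# simulate(HardLockout()) returns ('locked', 'locked'); simulate(Backoff()) returns ('wait', 'ok')
```

Per-account backoff still lets anyone who knows a username impose up to MAX_DELAY of delay on its owner, which is why the delay is capped and why it is usually paired with throttling by source address.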