The financial services industry view on cybercrime

February 8, 2012

I recently attended Jim Oakes’ “Cybercrime, Global Underground Economy Developments and Challenges” talk. All the hype about his 30-year service for the police, anti-fraud teams, financial services organisations yada yada made me very sceptical to begin with, but the session turned into a quite useful overview of the (depressingly many) ways you can be ripped off by criminals while doing business with/through your bank.

I have let this draft lie for a few months now, as I wasn’t sure how to digest the hordes of information in Jim’s presentation into a more friendly, easily digestible message. Shall we just say it’s pretty bad out there?

Practical advice:

  • DO NOT use the same password for different websites. Use something like Oplop to generate passwords and a password manager to store them.
  • DO NOT do eBanking from your smartphone just yet. I have some reservations about the iPhone, but Android phones certainly cannot be trusted at the moment.
  • If you need to do eBanking using a computer (laptop, desktop etc) then start the computer from a bootable CD or USB stick and do your eBanking from that. Verify the downloaded image against the checksum the distribution publishes before you burn it, and bear in mind that a live system still trusts the machine’s firmware and any hardware keylogger plugged into it. Unless you are personally targeted by law enforcement or criminals, this should give you a computer you can trust. Don’t take my word for it – take Krebs’ word for it. Computer security is in *such* a sad state.

Cleaning malware while travelling: A case study

December 11, 2011

I have been on the road for the past few months and using plenty of Internet cafes for all my digital endeavours. As a result, the USB sticks I use to save my pictures, documents etc while I travel have been infected with all sorts of malware.

Obvious malware is the least dangerous kind: it means its creators are not organised or skilled enough. The truly worrisome malware is invisible. You don’t know you have it, but it quietly monitors all your actions.

So I was intrigued when my USB stick started displaying typical silly malware behaviour. The folder icons in Windows had changed: they were no longer folders but “shortcuts” carrying a folder icon, pointing to an executable buried somewhere deep in System32 that would do its nastiness and then show you the contents of the intended folder. Other than that, everything looked normal.

Well, it was obvious malware was there and the USB stick was infected. The antivirus software installed on the public Internet cafe PCs could not detect or clean it, so I had the pleasure of doing it manually. Here is how:

  1. Get a system you can trust not to lie to you – to show you the absolute truth and nothing but the truth. A pristine Linux installation does just that, and unless you happen to have a netbook with Linux installed with you while travelling, creating a bootable Ubuntu Linux CD or USB stick is your best bet. The computers I had access to were ancient and could not boot (start) from a USB stick, so I had to create a bootable Ubuntu CD following the steps detailed at http://www.ubuntu.com/download/ubuntu/download
  2. Now you are using a computer you can trust. Plug in the infected USB stick. You will probably see all sorts of new files there, stuff you haven’t put there. Delete them one by one. In my case I had filenames starting with “._”, others starting with dot-space, all sorts of tricks that make files harder to view and control on Windows or Macintosh machines. (One caveat: macOS itself writes “._” companion files next to files it has touched on a FAT-formatted stick, so check what a file is before deleting it.) After you have deleted all files that don’t belong to you, check for an autorun.inf that tries to execute the malware when the USB stick is connected to a computer. If it’s there, either edit out the malware items or simply delete it (which is what I did).
  3. Next, I had a surprise waiting for me as I connected the now clean USB stick to a Windows computer – I could still not see my original folders! The reason is that the malware had hidden the folders by setting their Hidden and System attributes, which Windows Explorer does not display by default. This can be corrected from a Command Prompt (Start -> Run -> cmd) by changing directory onto the USB stick and using the “attrib” command. My original folders were “pics”, “stuff”, “maps”, “portable”, “truecrypt” etc so I issued the following commands to mark them (and everything inside them) as NOT hidden and NOT system:
  • attrib -H -S /D /S pics
  • attrib -H -S /D /S stuff
  • attrib -H -S /D /S maps
  • attrib -H -S /D /S portable
  • attrib -H -S /D /S truecrypt

Et voila! All was visible, usable and normal again.

Goodbye silly piece of malware!
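The triage that steps 1 to 3 above do by hand, as a script to run under the live Ubuntu system against the stick’s mount point. This is example code added here, not code from the original post: the mount point argument, the file names and the sample stick it builds are constructed for illustration. It reports executables whose name matches a sibling folder (the fake-folder trick), names starting with “._” or dot-space, and the launch entries in autorun.inf. It only reports; clearing the Hidden and System attributes still happens under Windows with attrib, as described.

```python
"""
Triage a USB stick for the "fake folder" malware pattern described above.
Example code added to this post, not the author's; run it under the Linux
live system against the stick's mount point. The sample stick it builds is
constructed data. It only reports: the Hidden/System attributes still have
to be cleared under Windows with attrib, as the post does.
"""
import os
import tempfile

# Extensions Windows runs on double-click. A file with one of these
# extensions whose name matches a sibling folder is the fake-folder trick.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".lnk", ".bat", ".cmd", ".vbs", ".js"}


def parse_autorun(text):
    """Return the launch-related entries of an autorun.inf body.

    In the [autorun] section Windows honours open=, shellexecute=, shell=
    (default verb) and shell\\<verb>\\command=; those are what the stick
    asks the host to run when it is plugged in (XP-era AutoRun).
    """
    launch = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute", "shell") or (
            k.startswith("shell\\") and k.endswith("\\command")
        ):
            launch[key] = value
    return launch


def triage(mount):
    """Scan the top level of a mounted stick and report what looks planted."""
    entries = list(os.scandir(mount))
    folders = {e.name.lower() for e in entries if e.is_dir()}
    report = {"fake_folders": [], "odd_names": [], "autorun": {}}
    for entry in entries:
        name = entry.name
        stem, ext = os.path.splitext(name)
        if entry.is_file() and ext.lower() in EXEC_EXT and stem.lower() in folders:
            report["fake_folders"].append(name)
        # "._foo" and ". foo" are easy to overlook in Explorer and Finder.
        # Caveat: macOS writes "._" AppleDouble files itself, so inspect first.
        if name.startswith("._") or name.startswith(". "):
            report["odd_names"].append(name)
        if entry.is_file() and name.lower() == "autorun.inf":
            with open(entry.path, encoding="latin-1", errors="replace") as fh:
                report["autorun"] = parse_autorun(fh.read())
    report["fake_folders"].sort()
    report["odd_names"].sort()
    return report


def build_sample_stick():
    """Build a throwaway directory that mimics the infected stick (constructed)."""
    root = tempfile.mkdtemp(prefix="stick-")
    for folder in ("pics", "stuff", "maps"):
        os.mkdir(os.path.join(root, folder))
    for fname in ("pics.exe", "stuff.lnk", "._thumbs", ". hidden.exe", "readme.txt"):
        with open(os.path.join(root, fname), "w") as fh:
            fh.write("placeholder\n")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nicon=pics.exe\nopen=pics.exe\n"
                 "shellexecute=pics.exe\nshell\\open\\command=pics.exe\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_stick()
    for kind, items in triage(target).items():
        print(kind, items)
```

Run it as `python3 triage.py /media/usbstick` from the live CD; with no argument it scans the constructed sample. Mount the stick read-only (or at least with noexec) while you look, and treat the autorun entries as the first thing to remove.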


How I managed to donate to OpenStreetMap

December 11, 2011

Using Internet cafe computers while travelling can be a proper nightmare. I know of people who got so fed up with fighting to clean their USB sticks of viruses all the time that they bought a netbook to use while travelling.

As I have been travelling by bicycle for a few months now, I am very careful about what I carry. Weight and space are at a premium. So I have tried as hard as possible to keep myself from buying a netbook to avoid using Internet cafes. I am well aware of the risks I am taking, but for the time being I am still finding using Internet cafes borderline worthwhile. It also helps that my trip will finish in less than 2 months, so by this point the investment in a new netbook is just not worth it.

So I use Internet cafes around Chile and Bolivia. I have seen a couple of well maintained machines (the pinnacle of which are the Ubuntu machines in Rancagua’s bus terminal!), but the overwhelming majority of them are in an appalling state. Illegal copies of Windows XP, not receiving updates, with illegal copies of antivirus software not receiving updates, etc etc… all wrong. Using such machines feels like digging with your bare hands in a patch of mud right after you have seen a flock of sheep relieve themselves on it.

Such a machine gave my USB stick a virus that hid my folders and replaced them with executables. It replaced folder icons with its own shortcuts to ensure you were tricked into executing it with your current privileges every time you wanted to access a folder on the USB stick.

Tricking the user into executing script by double-clicking on a "folder" icon

The antivirus software of public machines proved useless – it did not even detect anything. I had no idea what this virus (call it malware, call it trojan, I don’t really care exactly what genre it falls in) actually does. But I will assume the worst. It eavesdrops on my every keystroke, steals my passwords, my credit card information etc.

As it happens I really wanted to donate some money to the OpenStreetMap Hardware Upgrade Fund, but I didn’t want to jeopardise my credit card information. I needed to use a computer I could trust not to steal my credit card information. Here is how I created one:

  1. I found a computer with what seemed like a decent Internet connection with Mozilla Firefox installed. On Firefox, I installed my favourite download manager as an extension – DownThemAll!. Great, I can now make massive downloads easily.
  2. I downloaded the latest Ubuntu ISO file with DownThemAll. It’s a large file (700MB) so a download manager is necessary – otherwise you run the risk of the download hiccuping and getting corrupted if the network link goes down for a few seconds. It can also be faster to use DownThemAll, as it downloads multiple segments of the file at the same time. After a couple of hours I had an Ubuntu ISO file on the (probably infected with malware) computer I was using.
  3. I then created a bootable Ubuntu USB drive following the instructions on http://www.ubuntu.com/download/ubuntu/download . Unfortunately this did not help my cause because the public computers I could reboot and attempt to boot from USB were so old that they did not support booting from USB! (we are talking 2003-era hardware, not exactly top-end for its time either…) So my only remaining option was to burn the ISO to a CD. I bought a blank CD and burned the ISO on it, and then booted one of the computers I had access to with the CD.
  4. Success! I was now booted into an operating system I could trust not to be infected, since Windows viruses on the computer cannot jump into the Ubuntu Linux environment started from a CD. I was able to simply open a web browser and provide my credit card information for my OSM donation in confidence.

So there you have it. If you are travelling and concerned about your passwords or other sensitive information (and you should be!) this is a method of getting a system you can trust. Two caveats: the ISO was downloaded on a machine you do not trust, so verify its checksum against the value Ubuntu publishes before burning it; and the live CD protects you from what is on the hard disk, not from a hardware keylogger or a compromised BIOS. It does suppose that you have access to a computer you are allowed to restart and boot from removable media, but hotels and cafes around Chile seem to be quite laissez-faire about allowing people to restart their computers.


Free browser vulnerability scanners

August 22, 2010

Not having the latest security updates for your web browser or plugins is detrimental to your online privacy and security.

Using Internet Explorer? Use the following link to check your browser and its plugins for missing security updates: https://browsercheck.qualys.com/

Using Firefox? Use the following link to check whether your plugins are up to date: https://www.mozilla.com/en-US/plugincheck/

This is what the web sites look like:

Qualys’ free browser security checker:

Qualys Internet Explorer results

Firefox’s own PluginCheck page:

firefox plugin check

Kudos to Julien who pointed out the Qualys BrowserCheck tool.


Why our way of handling SSL certificate errors is the last nail in the coffin of WWW security

August 22, 2010

It’s all supposed to be OK on the big bad Internet, because we have SSL. It’s really our only (first and last?) line of defence when it comes to having *some* degree of trust that we’re indeed talking to the website we think we are.

But:

  • sloppy SSL certificate handling by websites and
  • bad interface design by browser usability experts

kill any credibility the scheme ever had.

SSL has known issues we were prepared to live with, like:

  • the dated crypto behind SSL (the whole MD5 thing)
  • the assumptions of the trust model that are slightly too optimistic (Verisign as a malevolent root of Trust – puh-lease!)

But sloppy handling of certificates by multi-million dollar corporations that can’t be bothered to issue a proper certificate (Facebook?), and the poor handling of such situations by the main browsers in use today (IE8 & Firefox 3) put Internet users in impossible dilemmas.

Let’s say one wishes to securely connect to the regional website of Facebook in the United Kingdom.

Internet Explorer 8

Try visiting https://en-gb.facebook.com with IE8 and you get the following:

Internet Explorer 8 SSL cert handling

Do you see any information anywhere that helps you understand what’s going on? I don’t. And I call myself an IT professional.

So what is the poor user supposed to do?

  • Clicking on “the green thing” closes the window. Hurray.
  • You are strongly advised to NOT continue to this website, so that’s the “don’t click me” link.
  • Clicking “More information” does not give you any information that helps you make a security decision.
  • The result:
    • Frustrated users who feel stupid and intimidated by “all this techie stuff”.
    • Users who are trained to find having to make random decisions for incomprehensible dilemmas posed to them by a capricious computer completely normal.
    • Worse security for me, you, them. Everybody.

Firefox 3

Visiting https://en-gb.facebook.com with Firefox 3 is slightly better:

Firefox SSL cert handling

  • You are told there is something wrong without being too scared and without using fancy words like “security certificate”
  • By default you have one button available – the “Get me out of here!” button.
  • For the enquiring minds, there is the “technical details” collapsible thingy that actually tells you what the problem is.
  • Once you’ve seen what the problem is, you can choose to bypass the browser’s something’s-dodgy-here reaction

In this case Firefox is doing better than Internet Explorer because unlike IE8, Firefox allows the user to make an informed security decision.
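For the enquiring minds, the “technical details” Firefox shows boil down to a handful of checks, shown here as added example code (not from the original post) against a constructed certificate for example.com with a made-up root store of one CA. The last function turns each failed check into the plain sentence an error page could show instead of “security certificate”.

```python
"""
The checks behind a browser's certificate warning, reduced to their essence.
Example code added to this post, not the author's: certificates are plain
dicts constructed here (not parsed X.509), the "root store" is one made-up
CA name, and example.com stands in for any real site.
"""
from datetime import datetime, timedelta


def hostname_matches(hostname, names):
    """True if one of the certificate's names covers hostname.

    Follows the RFC 6125 rule for wildcards: '*' may only be the entire
    leftmost label and matches exactly one label, so *.example.com covers
    foo.example.com but neither example.com nor a.b.example.com. A wildcard
    directly under a top-level label (*.com) is refused outright.
    """
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and name.count(".") >= 2:
            suffix = name[1:]  # ".example.com"
            head = host[: -len(suffix)] if host.endswith(suffix) else None
            if head and "." not in head:
                return True
    return False


def diagnose(cert, hostname, now, trusted_issuers):
    """Return the problem codes a browser would raise, in check order."""
    problems = []
    if now < cert["not_before"]:
        problems.append("not_yet_valid")
    if now > cert["not_after"]:
        problems.append("expired")
    if cert["issuer"] == cert["subject"]:
        problems.append("self_signed")
    elif cert["issuer"] not in trusted_issuers:
        problems.append("untrusted_issuer")
    names = cert["san"] or [cert["subject"]]  # SAN wins; CN only as fallback
    if not hostname_matches(hostname, names):
        problems.append("hostname_mismatch")
    return problems


# Constructed sample: a certificate issued for www.example.com only.
NOW = datetime(2010, 8, 22)          # the date of this post
LATER = NOW + timedelta(days=400)    # a date after the certificate lapses
TRUSTED = {"Example Root CA"}        # stand-in for the browser's root store
CERT = {
    "subject": "www.example.com",    # the CN
    "san": ["www.example.com", "example.com"],
    "issuer": "Example Root CA",
    "not_before": NOW - timedelta(days=30),
    "not_after": NOW + timedelta(days=335),
}
SELF_SIGNED = dict(CERT, issuer="www.example.com")

PLAIN_ENGLISH = {
    "not_yet_valid": "this certificate is not valid yet (is the computer's clock right?)",
    "expired": "this certificate has expired",
    "self_signed": "this certificate is self-signed: nobody vouches for it",
    "untrusted_issuer": "this certificate was issued by someone this browser does not trust",
    "hostname_mismatch": "this certificate was issued for a different site name",
}


def explain(cert, hostname, now=NOW, trusted=TRUSTED):
    """The sentences an error page could show instead of 'security certificate'."""
    lines = []
    for code in diagnose(cert, hostname, now, trusted):
        line = PLAIN_ENGLISH[code]
        if code == "hostname_mismatch":
            names = cert["san"] or [cert["subject"]]
            line += " (%s, not %s)" % (", ".join(names), hostname)
        lines.append(line)
    return lines


if __name__ == "__main__":
    for host in ("www.example.com", "en-gb.example.com"):
        print(host, "->", explain(CERT, host) or ["no problem"])
```

The order matters for the user as much as the code: a mismatched name or an untrusted issuer means you may be talking to someone else, while an expired certificate on the right name is a sloppiness problem rather than an impersonation one, and a good error page should say which of the two it is.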


Debian GNU/Linux Squeeze – first impressions

June 18, 2010

Well.. when it comes to usability Debian still has a long way to go.
Even though I’ve used Debian for various machines for years, I found myself reading all about package management internals (pseudo-packages etc). I know all that stuff, but why was I spending time reading it again?

The reason is that I had a newly installed Debian system and I *dared* wish to remove the games from Gnome. No reason for them to be there, as I never use them. So I fired up a terminal, su’ed to root and used aptitude to figure out what package I had to remove. Soon enough it was obvious that I needed to get rid of the package “gnome-games”, as all of these games come bundled together. No problem with that, issue the standard aptitude remove gnome-games, only to be told that to do that, I need to remove Gnome. The whole thing. The entire graphical environment.

Thinking “surely, it just means the metapackage, well that’s annoying but I’ll live”, I told it to proceed. It was the recommended action, and apt is supposed to be excellent at conflict resolution, right?

So I hit enter (for Yes), and voila! A long list of packages to be removed and the warning that “217MB will be freed”. WAIT – HOLD ON – STOP IT dammit! Don’t take my entire GUI away!

Using aptitude has failed me on this one, and it’s not exactly rocket science. Freshly installed system, and I’m asking it to remove a trivial package. Since it says that gnome-games is “recommended” and not a hard dependency, why does it try to rip the rest of gnome away?

And, what’s that cryptic interface that surely users will love:

root@lifebook:~# aptitude remove gnome-games
Reading package lists… Done
Building dependency tree
Reading state information… Done
Reading extended state information… Done
Initializing package states… Done
Reading task descriptions… Done
The following packages will be REMOVED:
gnome-games
0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0B of archives. After unpacking 2,511kB will be freed.
The following packages have unmet dependencies:
gnome: Depends: gnome-games (>= 1:2.30) but it is not going to be installed.
The following actions will resolve these dependencies:

Remove the following packages:
1)     gnome

Leave the following dependencies unresolved:
2)     gnome-games-data recommends gnome-games
3)     gnome-desktop-environment recommends gnome-games (>= 1:2.30)
Tier: Safe actions, Remove packages (10000)

Accept this solution? [Y/n/q/?] n

The following actions will resolve these dependencies:

Keep the following packages at their current version:
1)     gnome-games [1:2.30.1-1 (testing, now)]

Tier: Cancel all user actions (20000)

Accept this solution? [Y/n/q/?]

I mean…

Please write instructions in plain English. Right after I’ve asked aptitude to remove gnome-games, it comes back with

gnome: Depends: gnome-games (>= 1:2.30) but it is not going to be installed.

What is that supposed to mean, exactly? Should that perhaps be rewritten to spell

A software package you’re currently using (gnome) needs the package you’re trying to remove (gnome-games).

There. That’s in English.

Then you’re told

The following actions will resolve these dependencies:

…which sounds quite good, and then the geek-speak starts:

Remove the following packages:
1)     gnome

Leave the following dependencies unresolved:
2)     gnome-games-data recommends gnome-games
3)     gnome-desktop-environment recommends gnome-games (>= 1:2.30)
Tier: Safe actions, Remove packages (10000)

Accept this solution? [Y/n/q/?]

What’s the user to make out of all this? Let’s see…

  • You get a 1-2-3 list of actions broken into two sub-lists and then are given a chance to answer yes/no. Why can I not choose the action I want? I would just hit “1″ and sod the unresolved dependency.
  • What’s all this gnome-games-data stuff? I never asked for that. I never ought to see that.
  • Is “Tier: Safe Actions, Remove packages (10000)” supposed to mean something to users? (I understand what the poet is trying to say, after years of using Debian and after thinking about it for a good hard minute, but man is this bad interface design)

Then I try to copy/paste this madness to a text file on my USB stick to transfer to another computer to post here, and I realise that right-clicking on my mounted USB stick comes up with ALL OF THE FOLLOWING THREE options at the bottom of a huge menu:

Unmount

Eject

Safely Remove

I thought that user interface design was one of the strengths of the GNOME project. Well, it’s still failing in some basics and it’s quite disheartening to see such design in a modern operating system in the year 2010.

PS: Using the System -> Administration -> Software Centre to remove gnome-games doesn’t do anything. Just ignores me.

Using the convoluted Synaptic package manager (what an interface! 10 buttons, 3 panes, menus, mystic “S” columns…) I was able to remove gnome-games without wiping out my GUI, even though I was warned that “gnome” would be removed too. At that point, I was past caring.


Ubuntu 10.04 LTS (Lucid Lynx) – first impressions

June 14, 2010

So I thought I’d resurrect my old Thinkpad and slap the latest and greatest Ubuntu distribution on it to see how it’s doing.

System: IBM Thinkpad T23

CPU: PIII/1GHz (speedsteps to 730MHz most of the time to conserve energy)

RAM: 512MB

First attempt: Install using “desktop” installation CD. Stopped it because it doesn’t allow me to encrypt my filesystem during installation. Really, that should be the default nowadays, as the performance penalty on modern systems is negligible and it will make laptop theft a much less lucrative business.

Anyway, I had to get the not-so-aptly-named “alternate” installer – downloaded that one via BitTorrent and was impressed with the speed. What a fantastic protocol!

Used the menu-driven installer to create an encrypted filesystem on my 80GB ATA drive, which was very easy, but took ages. Surely, it shouldn’t need to write to the entire disk to begin with… just make sure whatever is written from then on, is encrypted on the fly. Not sure how cryptfs works, need to look into that (but surely smarter people than me are involved in this and they *must* have done it the TrueCrypt way – encrypt only existing data, offer option to securely wipe free space).

At the end of the installation was offered the chance to encrypt my home directory, which I took just for the heck of it. Very good one on Ubuntu, to offer encryption this way. Of course, I’d still rather encrypt the entire filesystem with a local-only password that is not exposed over any network services etc.

So after seeing how the encryption of my home directory works, I removed it, thinking it was slight overkill to encrypt my home directory on top of an encrypted filesystem. My hardware can barely cope with modern software, let alone two layers of encryption… Notice: uninstalling home directory encryption showed no noticeable speed increase. The machine is still slow, but usable.

Then comes some user account confusion. I want to have access to the root account, so I use Ubuntu’s way of getting a root shell ($sudo bash) and set a password for the root user. This results in slightly schizophrenic behaviour from the system whenever a “system change” is about to be authorized – sometimes it asks me for my regular user’s password (which, since I gave root a password fails – some funky Ubuntu magic must have removed my user account from the sudoers file, no matter, I re-authorise myself as a sudoer – and uses sudo to then run whatever it needs as root) and other times it’s honest and asks me for the root password. Bet this would all be extremely confusing for a new user. Of course a new user would not need to setup a root password, I hear you say. Perhaps you’re right.

Then comes the ugly realisation that my home directory is readable by the entire (local system) world. Whaddya mean drwxr-xr-x  ? Is there *any* reason for this? How have GNU/Linux distributions done *without* world-readable home directories for ages? When a security-inhibiting decision is made on my behalf (that I cannot comprehend), I get frustrated.

Then comes software. Using the “Ubuntu Software Centre” I search for “truecrypt”, find only two graphical front-ends (“Easy Crypt” and “GDecrypt”), try installing “Easy Crypt” and am told that “This action would require the installation of packages from unauthenticated sources.” Oh my, I certainly wouldn’t want that, so I look into the “details” expandable box and I get the following useful information:

helpful message for easycrypt

Yep, just that. One word. Fantastic. So I either have to Google for a workaround, or give this interface the toss and not bother. I decide to do the latter as I’ve already spent too much time troubleshooting why Skype 2.1.0.81-1ubuntu5 (which *is* available via the official Ubuntu repositories) crashes every time I have an incoming call. (I haven’t figured it out, by the way. I suspect the problems of the year 2000 are still with us in 2010, so it must be the sound server’s fault…)

Moving on, I explore Ubuntu One – a fantastic idea by any other name would be just as sweet – 2GB worth of online storage for stuff in your home directory. Great! Alas, it turns out it’s all stored unencrypted *unless* you use an encrypted home directory, which I just undid – argh! Why, oh why, does one need home directory encryption to enable online secure storage? This strongly hints that Canonical is taking the big vendor approach of providing one model in which everything works (mostly) fine and interoperates seamlessly, and you’re screwed if you choose a separate model (e.g. full disk encryption vs home directory encryption). But I’ll do it. I’ll re-encrypt my home directory because they have done it so easy that it’s really not rocket science, at least for an old Linux user like myself. For newbies, the advice is “stick to defaults and don’t you dare budge!” – which doesn’t ring like the Linux I knew.

In the meantime, I am rather impressed that a week has passed and there hasn’t been a single security vulnerability fixed and thus no notification to install critical security updates. So I check manually, and – oh la la! – there are 41 of them! What happened there? Why no notification icon? Even default settings didn’t work in this case and I’m getting more and more pissed off as I lose trust in the system.

Ubuntu 10.04 not displaying security update notification

