
Archive for the ‘Security’ Category

Just 6 days until telemarketers leave me alone…

Wednesday, September 24th, 2008

On September 30th, the National Do Not Call List (DNCL) in Canada comes into effect. I can’t wait! It’s like frik’n Christmas! Working from home, I get the full brunt of the stupid telemarketing-assholes. Today, alone, I’ve been called by the Toronto Sun and the Toronto Star asking if I want to get a free trial of their newspaper. “I didn’t want your crappy newspaper last month, why would I want one now? And also, I asked to be taken off your list before so don’t you have to legally do that?” Oh shit, that’s it, isn’t it? The DNCL is going to be just as useless isn’t it? Crap!

It’s time for Plan B: mash-up Canada411 with the DNCL. Feed every single number in the phonebook into the DNCL and starve those bastards out. That’s probably a crime though, so I’ll probably just get call display :)

Passport Canada security breach: I told you almost a year ago

Thursday, December 6th, 2007

Back in January, I blogged about the security holes in the ePass system, the online application that allows you to login to Canadian government websites. It all started when I noticed some fundamental flaws in the Canadian passport website after Chris had already exposed last April how generally frustrating it is to use.

Developers from the Passport Canada office (their IPs point right back to them) started leaving nasty comments on my blog:

Now, now. Everybody must live with the frustration of a world not as perfect as our own little person.

If the Passport application system was able to handle a sudden increase (what? 500% maybe? thanks to USA) without a glitch, it would mean that for many years this system had been running with way too much bandwidth and server muscles. Who would be crying then? Chris, Jonathan, Clay and their friends would be crying to the world that the government was wasting money all these years running such a system! (source – “Jo Blo”)

And on my friend’s blog:

do you know anything about security… whiner

if you can’t even figure out who built it you must be a simpleton.. oh yeah u use a mac … (source – “dl”)

Well, this week Passport Canada had to be completely shut down for two days when someone noticed that they were saving login credentials in a browser cookie. That is an egregious error by a web developer, and shows a complete disregard for security practices. Now, after two days, they are back online and saying, “Now the Internet site of Passport Canada is one of the most secure” (source).

Are you serious?! Firstly, how are you determining that? Put your site on HTTPS all you want; you cannot repair application security holes through anything but a complete line-by-line examination of your code-base.

Secondly, the security hole I found is still there. You may have found and patched one hole, but the entire system is still open to exploit.

In the end, as a citizen myself, these websites are trying to protect my information and I want to help. I emailed Passport Canada and the CRA to try to get in touch with someone that way. Please, if you read this, drop me a line in the comments. I will do whatever I can to help you close these holes. Even if you don’t believe me that there are some, what do you have to lose?

Discountasp.net being DOS attacked

Thursday, June 21st, 2007

If you’re wondering why WhyYouShould is responding very slowly (if at all) tonight, it looks like my hosting provider DiscountASP is experiencing a denial-of-service attack. They’re working on it and hopefully WYS will be back soon :)

From Discountasp.net:

Dear Customer,

We experienced a network-wide outage Thursday morning and late evening as the result of a distributed denial of service attack. You can read details related to the outage here: http://community.discountasp.net/default.aspx?f=6&m=18216&p=1

Why You Should not DOS wys

ePass/Canada Revenue Agency Online Tax Filing Suspended

Wednesday, March 7th, 2007

A couple of months ago, I blogged about the security holes in the ePass system, the online application that allows you to login to Canadian government websites. It all started when I noticed some fundamental flaws in the Canadian passport website after Chris had already exposed last April how generally frustrating it is to use.

Developers from the Passport Canada office started leaving nasty comments on my blog:

Now, now. Everybody must live with the frustration of a world not as perfect as our own little person.

If the Passport application system was able to handle a sudden increase (what? 500% maybe? thanks to USA) without a glitch, it would mean that for many years this system had been running with way too much bandwidth and server muscles. Who would be crying then? Chris, Jonathan, Clay and their friends would be crying to the world that the government was wasting money all these years running such a system! (source – “Jo Blo”)

And on my friend’s blog:

do you know anything about security… whiner

if you can’t even figure out who built it you must be a simpleton.. oh yeah u use a mac … (source – “dl”)

Well today a “situation” popped-up that “in order to safeguard existing systems and to maintain the integrity of CRA’s taxpayer information holdings, Mr Dorais ordered tax filing processes halted.” (source). From the CRA commissioner, “The security of taxpayer information remains paramount as we strive to understand and correct this situation” (source). Maybe they finally got it through their heads that ePass is not secure.

It’s a difficult situation since a rewrite of their system would take months, and tax season is upon us. But I’m not sure how safe I, or anyone else, should feel if we’re using their fundamentally flawed system to file our taxes this year.

A final note, although the CRA website turned off their ePass component, Passport on-line is still up-and-running (and open to exploit).

UPDATE: Looks like they might have just taken the site down because of some “computer work done on the weekend”. *sigh* I’m sure it’ll be back soon, and just as crap-tas-tic :D (Thanks for the update, Mike)

UPDATE #2: To add insult to injury:

“The security and integrity of taxpayer data has not been compromised. This problem is not the result of illegal activity, computer hackers or a virus.

“We have now traced the source of the problem to software maintenance conducted on March 4, 2007. We are currently working to bring all systems back online gradually.” (source)

Diggbaiting

Friday, February 16th, 2007

As I was misrepresenting this news story on Digg as a story about Colin Farrell (it turns out, the guy just looks like him), it came to me that this would be a cool way to manipulate Digg.

Say your site, and another site, were competing with the same content to get digged first/the most. This is often the case with news organizations since they cull most of their news off the syndication feeds.

If you wanted to make sure your competition’s story didn’t rise on Digg, you could just make sure that the moment it is posted, you digg it first with an incorrect title and description (something no one would ever click on). Since you can’t submit the same URL twice to digg, it wouldn’t be possible for anyone to correct the reference. Then you can digg your own story on the same topic, and if you can get the diggs, you will rise to the top of the digg mod swarm.

Anyhow, I’m not suggesting anyone take advantage of Digg in this way, but it looks like there is a slight crack in their moderation scheme. I think I’ll have to coin the term ‘diggbaiting’ to describe this exploit ;)

UPDATE: Here’s an article touting the end of Digg, partly because of the factors I’ve mentioned. Oh, Digg. Everyone is teaming up on you today. Time to cache out, Kevin (Rose) :)

Log-in to my blog with your Yahoo! account

Saturday, February 10th, 2007

Feel like logging into my blog with your Yahoo! account for no particular reason? Then please feel free to login here: https://login.yahoo.com/config/login?&.done=http://www.keebler.net. Don’t worry, I’m not stealing your password or anything; you’re using the real Yahoo!.

I’ve been noticing lately how much information web developers’ applications are giving away in the query string. In this case I can’t really do anything besides redirect to my site, but holes like these make it really easy for phishers to look legit, and trick people into giving them personal information (or worse).

For example, what if you went to a URL starting with https://login.yahoo.com, entered your correct username/password, and were then taken to another fake page that looks just like the “Incorrect password” screen from Yahoo!, where you are asked for your username/password again? Would you really be sure to check the URL again? I think 99% of people would offer up their username/password to the hacker.

Anyhow, you get my point ;) Security good. Phishing bad. Yahoo! vulnerable. *grunt*
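A server-side check that would close the redirect described above, as an added example (not code from Yahoo! or from this post): the `.done` return URL is honoured only when it is an absolute HTTPS URL, carries no userinfo, and names an allowlisted host. The host list, the fallback URL and the function name are assumptions made for illustration.

```javascript
// Added example: validate the post-login return URL before redirecting.
// ALLOWED_HOSTS and FALLBACK are hypothetical values for this sketch.
const ALLOWED_HOSTS = new Set(["mail.yahoo.com", "www.yahoo.com"]);
const FALLBACK = "https://www.yahoo.com/";

function safeReturnUrl(loginUrl) {
  // ".done" is the query-string parameter used in the link above.
  const raw = new URL(loginUrl).searchParams.get(".done");
  if (!raw) return FALLBACK;

  let target;
  try {
    // No base URL is supplied, so relative and scheme-relative values
    // such as "//other.example/" throw and are rejected.
    target = new URL(raw);
  } catch {
    return FALLBACK;
  }

  // Reject plain http and non-web schemes (javascript:, data:, ...).
  if (target.protocol !== "https:") return FALLBACK;

  // "https://mail.yahoo.com@other.example/" parses with the trusted name
  // as the *username*; the real host is what follows the "@".
  if (target.username || target.password) return FALLBACK;

  // Exact match on the parsed hostname. Substring or prefix tests would
  // accept look-alikes such as "mail.yahoo.com.other.example".
  if (!ALLOWED_HOSTS.has(target.hostname)) return FALLBACK;

  return target.href;
}

// Constructed sample inputs: the link from this post plus common bypass shapes.
const samples = [
  "https://login.yahoo.com/config/login?&.done=http://www.keebler.net",
  "https://login.yahoo.com/config/login?&.done=https://mail.yahoo.com/inbox",
  "https://login.yahoo.com/config/login?&.done=https://mail.yahoo.com@www.keebler.net/",
  "https://login.yahoo.com/config/login?&.done=https://mail.yahoo.com.keebler.net/",
  "https://login.yahoo.com/config/login?&.done=//www.keebler.net/",
];
for (const s of samples) console.log(safeReturnUrl(s), "<-", s);
```

The comparison is made on the hostname the URL parser produces, not on the raw string, so the decision matches where a browser would actually be sent.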

Yahoo Login Window

ePass Canada is not Secure

Friday, January 12th, 2007

If you’re Canadian and have recently tried filing your taxes online, ordering a passport, or changing your address, you’re familiar with the ePass Canada system. Chris and I have already detailed how frustrating it is to use, but my experience has also revealed that the system is fundamentally insecure. Obviously I’m not willing to demonstrate exactly how a hack could be executed against the system (I’m not that stupid) but I can outline the security risk in broad terms.

If you’re a web developer and you’ve never heard of cross-site scripting, take an hour and read up on it. It’s probably the number one open exploit on the web, and if you haven’t heard of it, it’s probably open on your site. In its simplest form, it allows malicious hackers to put up fake login forms (or anything else they want) on a legitimate website and trick visitors into giving away sensitive information.

For example, they could make a page on the government domain gc.ca, secured by SSL, that looks exactly like the ePass login form and trick you into giving the hacker your username and password (a process known as phishing). They can even make it look like you’ve logged in successfully, and if you trust the ePass system, would you really have a second thought to giving them your social insurance number, credit card number, or any other document?

So I ask, why is this big, gaping hole (sorry for the goatse imagery) in the ePass Canada system?! Millions of tax dollars were spent on this program, and it’s completely open to exploit by the lowliest of hackers. We have (and I have to admit that I had to google this one) a Canadian Cyber Incident Response Centre (CCIRC) that is documenting every security hole in Firefox but they aren’t analyzing the government’s own online system? FutureShop.ca is more secure than the ePass system!

In the end, it’s up to you whether you use the ePass system or not. There’s no way I’d file my taxes on paper, so I’ll probably continue using it myself. But rest assured that someone (who’s a much better “hacker” than I) has also seen these same security holes, and if they haven’t exploited them already, it’s just a matter of time. If they already had, would we even know about it? ;-)