Posts Tagged ‘security’

The Code Book

Friday, December 11th, 2015 | Books

In The Code Book Simon Singh discusses the history of cryptography. It is a journey through the first simple ciphers through to the war years and then the computerisation of encryption.

It was not a topic I thought I would be that interested in, but Singh’s writing makes it an enjoyable read.

It was originally published in 1999. Given the nature of the topic, the book is showing its age significantly. This only comes into play in the last few chapters, but is noticeable.


Please give x letter of your password

Friday, April 10th, 2015 | Tech

Recently I registered with the new Virgin Money credit card service. They have just taken over the running of their own credit cards from MBNA so everyone has to re-register on their new system.

I selected a 14-character password containing a mixture of upper and lower case letters, numbers and symbols.

Five minutes later I was changing it to a simple easy-to-remember phrase. Why? Because every time I log in to my account I have to enter a set of certain digits from my password.

The problem is that I have no idea what my password is. It is safely secured away in 1Password; I never look at it, I never know what it is. But thanks to Virgin Money’s so-called security measures, much like other financial organisations do, I am instead forced to use a far more easily crackable password.

Security in banks

Tuesday, May 14th, 2013 | Religion & Politics

Were you under the impression that you were not allowed to cover your face while in a bank, because of security reasons? I was. But it turns out that I was mistaken.

[Image: veil-in-a-bank]

For privacy reasons, I’ve hidden the identity of the subject, but as you can see, this is a bank customer who has clearly hidden their face. Why is this an issue? Because if they are allowed to, but I am not, that is religious discrimination. You have to treat everyone equally, and if you grant or restrict extra privileges for one specific group, you are discriminating.

I wrote to HSBC to ask them to clarify the situation.

To Whom It May Concern:

I was of the understanding that when using your bank, I was not allowed to cover my face for security reasons. However, when I visited your branch on 17 April, I noticed a customer using the bank’s facilities while wearing a full-face veil. I was hoping you could clarify whether these restrictions have been relaxed?

Yours faithfully,
Chris Worfolk

HSBC phoned me a few days later in response. They said that balaclavas and motorcycle helmets were specifically banned, because they are associated with burglaries, but I was otherwise free to cover my face while using their bank.

Airport security

Saturday, September 1st, 2012 | Religion & Politics, Thoughts

I’ve said it before and I’ll say it again – airport security should be relaxed.

Flying back from Dublin recently, we arrived at Dublin airport and joined the queue to pass through to the departures lounge – a queue that would take us 40 minutes to get through. That is really long and irritating. But often, these queues can be even longer (though in fairness, often shorter too).

Of course you can come back with “but you can’t put a price on human life”, but this is simply naive and we all know you really can. For example, a million people a year die on the roads and we could reduce this by setting the speed limit to 20 miles per hour on every road everywhere. But this would be too inconvenient; the harsh truth is that we would rather let people die.

So, putting emotional arguments aside, why should we relax airport security?

Well, first off, let’s remember why we shouldn’t – if we did, more terrorists would get through with more bombs, and people would die. That is a good reason for airport security!

But there has to be a trade-off between the lengths taken and the success. So my question is, have we got the levels quite right? I would argue that perhaps we have not.

Firstly, there is a time cost. 40 minutes for everyone passing through an airport is a long time. Given that the average person has around 3,000,000 (3 million) hours left on this Earth, that means that for every 6 million people that pass through airport security, we’ve essentially wasted a human life.

It isn’t as simple as time vs life as the emotional argument would have you believe – when it comes down to it, lengthy queues in airport security take away small parts of people’s lives – and these quickly add up to entire lives.

London’s airports see 134,000,000 people pass through them each year. Based on our previous maths that is 22 people’s lives per year spent on airport security. That is just one city, albeit the busiest in the world in terms of air passengers – internationally, we’re losing hundreds of lives per year.

So terrorists would have to kill everyone on board a jumbo jet (or several smaller planes) at least once a year to make the time we spend on airport security cost effective.

Secondly, we have to wonder how effective these security checks are. Most terrorist plots are stopped by homeland security forces in the planning stage, airport security stops very few – indeed, security expert Bruce Schneier argues that a lot of the security added in recent years does absolutely nothing, and is merely a “theater” designed to make us feel safer. Is that the kind of system that saves a jumbo jet full of people, every year?

It is also arguable that it simply doesn’t work – even in a post 9/11 world we still have the shoe bomber and the printer cartridge bombs – we’re more paranoid than ever before and people are still getting bombs on our planes.

Finally, it is also worth asking what ideological cost we are paying for these security checks.

We have to remember that the aim of a terrorist isn’t to blow up an aeroplane – that is merely a means to an end, and the end is, as is suggested by their name, causing terror.

Now, I don’t know about you, but when we’re all too scared to let a small child take a bottle of water onto a plane, in my book that suggests that we’re pretty fucking terrified.

Like many of you, I’m sick and tired of hipsters wearing “keep calm and…” t-shirts. But what is worse is that the whole meaning of them has been lost. As you may well know, the original meme comes from British posters that said “keep calm and carry on” to tell the public what to do during the Second World War.

That is what London does best – when the terrorists struck on 7/7 and blew up our trains and our buses, what did Londoners do? They stuck two fingers up at the terrorists, got right back on those buses and showed them that we were not going to be scared of them.

Air transport however, has taken no such approach. As news stories about parents forced to drink baby milk to show it wasn’t actually liquid explosive have shown, there is literally no substance that we cannot be scared of.

Seems a high price to me.

Luckily, of course, you can buy a bottle of water once you have passed through security, for twice the price. But that is a different blog post.

So the situation is this.

In order to stop terrorists we’ve banned every single substance we can think of that could possibly be used as an explosive, even though they’re still getting explosives onto the planes and we’re using up hundreds of people’s lives a year in a line of defense which may or may not be saving any lives.

Maybe it is time that we at least reviewed the situation.

Securing your World

Thursday, August 16th, 2012 | Distractions, Video

A couple of weeks ago I was speaking to a friend who works for G4S, the company that totally messed up the Olympics security.

He was telling us how he has somehow become some kind of comic villain – he only works on reception and yet he was telling us how kids have been booing him every time he goes out to get some lunch.

More importantly however, it turns out that G4S have a corporate song! Not just any song, but a rock power ballad with someone singing “G4S, protecting your world…” It’s brilliant! Check it out below.

Changing your SSH port

Thursday, May 3rd, 2012 | Life, Tech

If you want to change your SSH port to something a little less obvious, it’s easy to do. It’s debatable how much security it actually gives you, but it will certainly make you feel safer, and that is probably the most important thing.

pico /etc/ssh/sshd_config

I’m using pico in this example, but vim will work just as well. You should find a line which is commented out, specifying that the port is 22. This doesn’t need to be uncommented normally, as it defaults to port 22.

#Port 22

Just uncomment this and put a new port number in.

Port 8473

Now save the file and exit. Finally, restart SSH for it to take effect.

/etc/rc.d/init.d/sshd restart

Don’t forget, next time you SSH in you will need to use the new port number!

ssh -p 8473 hostname

Lloyds TSB headaches

Wednesday, February 8th, 2012 | Life

Recently, I received a letter from Lloyds TSB saying they had begun charging the charity a fee for its bank account. This seemed strange given we had a fee-free small charity account. So I phoned them up to find out what was going on.

Turns out, they hadn’t actually set it up as a charity account but had instead set it up as a regular business account. This meant they needed to transfer the account to a whole different area of the bank – something which is apparently quite complicated as when I phoned back to check two weeks later, the action which I was told I didn’t need to check up on because it would just be done, had not been done.

I gave it another few weeks and then I decided to log into my internet banking to see if I could see if it had been fixed. This is no small task because Lloyds TSB require you to use a card authentication system. But, because they don’t give debit cards out to small charities, they have to send you a special card, which isn’t a debit card, but which can be used in the card reader.

The card reader is massive btw, it’s not the kind of thing you can keep on your keyring, like you potentially could with the HSBC one, if you had seriously big pockets anyway, it’s not like theirs is tiny either.

So I arrived at the Lloyds TSB website and selected logon to business banking. First, I had to enter my user ID. This wasn’t easy because my user ID isn’t a memorable username as you would expect – it’s a string of nine random digits.

Luckily, they send you out a card to remember this. Though it isn’t a card with it printed on, it’s just a piece of cardboard with a white box that you can write it in yourself and hope that it doesn’t get rubbed off on the gloss finish.

I finally found my card and punched in my user ID. Step one was complete! Next I had to input the security code generated from the machine. So I dropped my authentication card into the authentication machine and typed in my PIN. It rejected it.

I tried again. It rejected it again.

So I clicked on the “I am having trouble logging in” link and it began asking me more questions about myself, for security purposes of course. After four times of it telling me I didn’t exist, it finally let me through – only to tell me the only thing I could do was to phone the call centre.

I did phone the call centre and the nice woman at the other end of the phone said that she would have to get a new PIN sent out to me, and this would take a week to arrive (they can’t give it out over the phone to allow me to access my account now or anything). So I asked her to do that.

Next question, she needed two of the digits from my telephone banking password. I gave her those digits. She said they were incorrect. So now I can’t use telephone banking either apparently.

We eventually managed to bumble through, involving a shot in the dark guess about the year that I set up the account and a new PIN has now been dispatched to me in the post. As soon as I get that, I will be able to log into the account to check if they have changed it to the correct account type yet and refund the erroneous charge they put on the account. Wonderful.

A simple permissions system in ASP

Wednesday, December 29th, 2004 | Programming, Tech

Building an admin login system is pretty simple for a small site. You don’t need a username, so a password alone is acceptable for logging in, and you can write your password into the code. However, because it is an admin section it needs to be fairly secure – no having the password available for any old Joe to find in the source code.

The solution – a simple server-side script. The password will be in the code, but because it is server side it will never reach the end user and so they cannot get hold of it.

For this you will need three pages: a main page, a login page and a logout page.

index.asp
login.asp
logout.asp

Because we need it to be fairly secure I am going to use a session cookie for the password. Let’s start with the main page.

<%
If Session("adminpassword") <> "dog" Then
Response.Redirect ("login.asp")
End If
%>

<html>
<head>
<title>Admin Homepage</title>
</head>

<body>
<p>Welcome to the admin section.</p>
</body>
</html>

For this I have chosen the password “dog”. If this is not present in a session cookie called adminpassword, the user will be redirected to login.asp. Let’s look at that now.

<html>
<head>
<title>Admin Log In</title>
</head>
<body>
<p>Please enter the admin password:</p>
<form action="login.asp" method="post" name="login_form" id="login_form">
<input name="password" type="password" id="password" size="40">
<input type="submit" name="Submit" value="Log In">
</form>
</body>
</html>

The first thing I have done is to add a form called “login_form” to allow the user to log in. In the form I have placed a text field called “password” and a submit button so they can type in the password and click submit to log in. This sends the user, together with the form variable “password”, to login.asp (the same page but reloaded). Now we need to add some server-side scripting to the top of the page, above the <html> tag.

<%
' checks to see if the password has been submitted
If Request.Form ("password") <> "" Then
' it has so writes in the session cookie
Session ("adminpassword") = Request.Form("password")
' if the user's password is correct they should now be able
' to gain access to the main page
' if they entered an incorrect password they will be
' redirected back here. Because the form variable
' is not sent when they are redirected back here
' they will not be redirected back to index.asp
Response.Redirect ("index.asp")
End If
%>

If the password is incorrect (e.g. they entered “cat” rather than “dog”), it will still be saved in the session variable and the user will still be redirected to index.asp; but because the password is not “dog”, they will be redirected back here again.

The fact that the incorrect password is saved in the session cookie allows us to give the user some more information when they are redirected back to login.asp because index.asp won’t give them access.

<%
' if the user is on login.asp but still has a password
' in the session cookie, they must have entered
' an incorrect password
If Session ("adminpassword") <> "" Then
%>
<p>You entered an incorrect password.</p>
<%
End If
%>

You can then insert the script that we placed at the top of index.asp on all the pages you want protecting. To save yourself having to change the script on every protected page when you want to change the password, you could also save the script, by itself, in a separate file and use a file include on all the pages you want protecting.

<!--#include file="passwordcheck.asp" -->

You can then just update the script in passwordcheck.asp and all the protected pages would now use the new password.

Finally we need to create a logout page for the user to log out, to stop anyone else getting in after the user is done. This may not be needed if you are on a home PC which nobody else has access to, but you might want to build one anyway. The logout page is amazingly simple.

<%
Session.Abandon ()
Response.Redirect ("index.asp")
%>

This should log the user out. If the user has not been logged out for some reason they will know because they will gain access to index.asp when they are redirected to it. If the user has been logged out successfully, index.asp will redirect them to login.asp and so they will know they have been logged out.

Now, just to make it easier on you, I will include the full source code including links, HTML and ASP code, ready for you to copy and paste into your text editor and save as the appropriate files.

index.asp

<%
If Session("adminpassword") <> "dog" Then
Response.Redirect ("login.asp")
End If
%>

<html>
<head>
<title>Admin Homepage</title>
</head>

<body>
<p>Welcome to the admin section.</p>
<p><a href="logout.asp">Click here to log out.</a></p>
</body>
</html>

login.asp

<%
' checks to see if the password has been submitted
If Request.Form ("password") <> "" Then
' it has so writes in the session cookie
Session ("adminpassword") = Request.Form("password")
' if the user's password is correct they should now be able
' to gain access to the main page
' if they entered an incorrect password they will be
' redirected back here. Because the form variable
' is not sent when they are redirected back here
' they will not be redirected back to index.asp
Response.Redirect ("index.asp")
End If
%>

<html>
<head>
<title>Admin Log In</title>
</head>
<body>
<p>Please enter the admin password:</p>
<form action="login.asp" method="post" name="login_form" id="login_form">
<input name="password" type="password" id="password" size="40">
<input type="submit" name="Submit" value="Log In">
</form>
</body>
</html>

logout.asp

<%
Session.Abandon ()
Response.Redirect ("index.asp")
%>