Archive for the 'Security' Category

Website Hall of Shame

Today’s featured website: European Visa Online

I visited this site for the first time today and was greeted with this page.


Seriously?

In case you’re curious, I’m running Firefox 3.6.3.

Web developers and designers have scorned and mocked IE 6 for years now due to hordes of bugs and non-compliant behavior that cause endless development headaches.

However, IE 6 rose to a new level of infamy earlier this year when it turned out to be the culprit behind the Operation Aurora exploits, which led Google and others to officially drop support for the browser due to security risks.

It also led many European governments, such as Germany and France (and very nearly the UK), to officially urge their citizens to switch browsers.

That made this page all the more surprising since it came from the European branch of Visa.

Then again, maybe I shouldn’t be surprised.

One of the very next pages prevented me from changing my initial password because the password generated by KeePass with the default settings was too long... that’s right, too long to meet their password validation rules.


I easily have over 100 passwords in my password database and I can’t remember the last time I’ve had this problem.

It doesn’t exactly inspire confidence in the area of security, especially considering that Visa is one of the most prominent and ubiquitous financial institutions around.

Sigh…


How to use Cross-Site Scripting to Rickroll your Co-Workers

What happens when you mix one of the most evil things in music with the evil that is cross-site scripting?

Let’s just say that the potential for shenanigans is endless.

Observe the result of entering the following embed tag into an editable column for one of our internal web apps.

    <embed src="http://www.youtube.com/v/XZ5TajZYW6Y&hl=en_US&fs=1&rel=0&autoplay=1" type="application/x-shockwave-flash" width="640" height="385" autoplay="true"></embed>


Like a huge number of websites, this one directly displays the user input on the screen without first scrubbing it with something like HttpUtility.HtmlEncode() (.NET world).
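To show why output encoding is the fix, here is an added example (not code from the post or from the app it describes) that renders the pasted embed tag into a grid cell both the vulnerable way and the encoded way, and runs a simple check for active tags on the result. The encoder covers the same five characters HttpUtility.HtmlEncode handles in .NET 4; the cell renderer and the sample input are constructed for this illustration.

```python
import re

# Constructed sample: the embed tag from the post, exactly as a user would paste it into the grid.
USER_INPUT = (
    '<embed src="http://www.youtube.com/v/XZ5TajZYW6Y&hl=en_US&fs=1&rel=0&autoplay=1" '
    'type="application/x-shockwave-flash" width="640" height="385" autoplay="true"></embed>'
)


def html_encode(value):
    """Encode the characters that let text break out of an HTML text node or attribute.
    '&' goes first so already-encoded output is not double-encoded (assumption: same five
    characters as HttpUtility.HtmlEncode in .NET 4; everything else is passed through)."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#39;"))


def render_cell(value, encode):
    """Build the <td> the editable grid emits for one column value.
    encode=False reproduces the vulnerable behaviour described in the post."""
    body = html_encode(value) if encode else value
    return "<td>" + body + "</td>"


# Tags that load or execute content when the browser parses them as markup.
ACTIVE_TAG = re.compile(r"<\s*(embed|object|script|iframe|img|svg)\b", re.IGNORECASE)


def has_active_content(markup):
    """Detection check for a rendered page fragment: True if an active tag survived as real markup.
    Encoded input shows up as '&lt;embed', which is plain text to the browser and does not match."""
    return ACTIVE_TAG.search(markup) is not None


if __name__ == "__main__":
    for encode in (False, True):
        cell = render_cell(USER_INPUT, encode)
        print("encoded" if encode else "raw", "->", "ACTIVE" if has_active_content(cell) else "inert")
```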

Want to partake in the fun?

All you have to do is find an internal website in your development environment that is vulnerable by trying to paste the embed tag into a textbox of some editable grid. If the video displays after saving, then simply send a fellow developer or tester an email asking them to go to the vulnerable page and verify some made-up bug. When they pull it up, they will be rickrolled.

Many thanks to Dan, our new tester, for catching this bug and hatching the evil plot.

Any other suggestions on fun things I can do to my co-workers before this bug gets fixed (without getting me fired)?


Oh, so THAT’s why SSL is the default for SVN…

It appears as though I made a rather bone-headed mistake when configuring Subversion at work a few weeks ago.

Since we were not exposing our SVN server externally and decided that sending our code files in plain text across our internal network did not represent a significant security risk, we opted to not use SSL as a way to optimize performance.

I’m not sure why I assumed that the actual credentials would be encrypted even though I knew the content would not be.

Perhaps it was because we were using the Windows authentication security scheme in SVN. Maybe it was because I actually opened up the svn.simple file in the Subversion app data cache on my local machine and saw that my TortoiseSVN credentials were saved in an encrypted form on disk when using the ‘save credentials’ checkbox.

Whatever the reason, it was a very bad assumption.

Here is a screenshot from Wireshark, my favorite packet sniffer. The blurred out part under authentication was my Windows password in clear text. Oops…
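The reason the password is readable is that HTTP Basic authentication only base64-encodes "username:password", which is encoding, not encryption; TLS is what keeps it off the wire. Here is an added audit helper (not from the post or from Subversion) that classifies a captured request's Authorization header and flags Basic credentials sent over plain HTTP. The request text, host name and credentials are constructed for the example.

```python
import base64
import binascii

# Constructed sample: the kind of WebDAV request a Subversion client sends to an Apache/VisualSVN
# server over plain HTTP. The credentials are made up for this example.
SAMPLE_CREDENTIALS = b"jdoe:Passw0rd!"
SAMPLE_REQUEST = (
    "PROPFIND /svn/project/trunk HTTP/1.1\r\n"
    "Host: svn.example.internal\r\n"
    "Authorization: Basic " + base64.b64encode(SAMPLE_CREDENTIALS).decode("ascii") + "\r\n"
    "Depth: 0\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Return the request headers as a dict keyed by lowercase name (request line and body ignored)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic(auth_value):
    """Return (username, password) for a Basic header, or None for any other scheme or malformed data."""
    scheme, _, blob = auth_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def audit_request(raw_request, over_tls):
    """Classify one captured request. Basic credentials are only safe when the connection is TLS."""
    auth = parse_headers(raw_request).get("authorization", "")
    creds = decode_basic(auth) if auth else None
    return {
        "scheme": auth.split(" ", 1)[0] if auth else None,
        "username": creds[0] if creds else None,
        "cleartext_password": creds is not None and not over_tls,
    }
```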


Luckily, it was an easy matter to correct.

On the server side, I simply had to check a box on the property tab of VisualSVN to turn SSL back on. On the client side, I had to have everyone run an svn switch command with the --relocate option to change their working directories to use the new URL.

So what was the lesson learned?

Next time I make a mistake like this, I will use Wireshark to gather all of the passwords of my fellow developers before I switch to the more secure option. Dumb…dumb…dumb…


Battling Password Chaos

Keeping track of my passwords has been a nagging problem for me for a long time, but I only recently got around to doing something about it.

I’m ashamed to admit it, but up until now I’ve relied on a few popular but extremely insecure strategies to manage my various online identities.

  1. Reusing passwords – The obvious danger here is that some script kiddie compromises a very insecure ‘mom and pop’ site that stores my password as plain text and then goes around to all the popular sites trying it out until he finds one that works. Even though I was foolish enough to take this risk for years, most sites have different password complexity rules. That meant that I still had to rely on several different username and password combinations, which made revisiting sites that I hadn’t been to in a while painful since I invariably had to try several times before hitting upon the right one.
  2. Forgot Password Email Feature – I don’t know about you, but I don’t normally access my Yahoo email over SSL, and many sites simply resend the password in plain text. This means that my password is visible to anyone with a strategically placed packet sniffer, like Wireshark. It’s also annoying to have to wait for the email to be sent each time.
  3. Firefox Password Manager – I let Firefox remember passwords for me all the time, and I recently discovered that this is hugely insecure. If you’ve never used the SIW (System Information for Windows) tool from gtopala.com, take 30 seconds to download it and then click on the secrets node under software. You will be greeted with all of your passwords in plain text from any site that you’ve allowed Firefox to remember for you. That means if anyone ever gets even momentary access to your computer, all of your online identities will be compromised. Not cool.
  4. Password protected Excel worksheet – Let’s face it. Microsoft Office security is a joke. I’ve tried this tool with file-based dictionaries from this site on Excel 2003 documents and it has cracked the passwords almost instantly. I’ve tried this other tool with Office 2007 documents, which use stronger encryption. It was pretty slow, but it eventually figured out the password as well.

Whether I’ve legitimately scared you or you’re just sick of jumping through the “Forgot Password” hoops, I highly recommend trying KeePass. It is an open source password management tool that lets you store passwords securely and safely copy credentials into web forms.

KeePass lets you log on using a password/file combination for extra security and has several clipboard security measures built in to prevent clipboard monitoring hacker tools from stealing the password while you’re pasting it into a website.

As far as encryption is concerned, the site boasts that even if you used all the computers in the world to attack one database, decrypting it would take longer than the age of the universe. That seems pretty secure to me…

If you’re still being lazy and insecure like I was, why not do something about it?

It only takes a few minutes to download, and you will dramatically decrease your security-related browsing frustrations as well as reduce your risk of identity theft.
