Wednesday 12 February 2014

Ways In Which Your Passwords Can Be Stolen


There are numerous ways in which someone could hack into one of your online accounts, but the most obvious one is by getting hold of your password.  In a previous article I explain how and why a website shouldn't know your password, so if they don't store it and you don't tell anyone, how can someone get hold of it?

In this article I explain just some of the fun and interesting ways in which your passwords can be stolen.  The purpose of this is twofold: Firstly to allow you to take measures to reduce these risks.  And secondly to make you realise just how real the threat of one of your passwords being stolen is, and that you can't mitigate against all of the risks, thus encouraging you to have passwords.  Plural.  Not one password for everything, like your gran has.

Let's go...


Phishing Emails

You've probably heard of these, and you've probably seen them.  These are where someone sends you an email attempting to trick you into entering your login credentials into a site.  These emails usually take the form of "Please confirm your account details for security" and some kind of dodgy-looking link which takes you to a site which is masquerading as a site which you trust.  If you're naive enough to follow the link and enter your credentials then that's it.  One password, stolen.

How to avoid it:



Domain Squatting Attacks

This is another form of phishing - tricking you into willingly entering your credentials into a bogus site.  But this version doesn't require sending you an email.  Instead, the attacker buys a domain name which is a common typo of a site which you use.  Supposing I'm an attacker and I buy facebok.com, and you're checking Facebook at 3am, again, and in your fumbling sleep-typing you enter facebok.com instead of facebook.com.  You now arrive at my site, which I have made to look exactly the same as the login page on facebook.com.  In fact, I just made an exact copy of their page, and then added one subtle difference: my version contains a little script which takes what you enter into the login form and sends me a copy, before submitting the login form as usual.

And that is the beautiful part (from my evil hacker perspective), because you never notice that you visited my bogus page.  The form on my site actually submits to the real form on facebook.com, and so when you submit my login form you actually get logged into Facebook.  Stealing your password is one thing, but stealing it without you noticing is even better!

Side note: web browsers don't stop a form on one site from submitting to another, but the real site can refuse a login that didn't come from its own page (anti-forgery tokens and origin checks exist for exactly this).  And even if I can't get that to work, I can always just redirect you to the real site.  You might be logged in already, in which case it will look as if my form logged you in, or if not then you'll be presented with the real login form and will think that there must just have been a glitch in the Matrix.  (There was!)
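The flip side of this attack is that the set of plausible typos for a given domain is small and predictable, so the owner of the real site (or a careful user) can enumerate and register or watch them.  The following is an added example, not code from the original post: it generates the kinds of typo-domains described above (dropped letters like facebok.com, hyphenated www-facebook.com, and look-alike characters like wobb1e.com).  The keyboard-neighbour and look-alike tables are a constructed, deliberately partial subset.

```javascript
// Added example (not from the original post): enumerate the typo-domains an
// attacker might register for a site you use, so you can register or watch
// them yourself.  The keyboard and look-alike tables are a constructed subset.
const ADJACENT_KEYS = {   // QWERTY neighbours on the same row (partial)
  a: 'qs', b: 'vn', c: 'xv', d: 'sf', e: 'wr', f: 'dg', g: 'fh', h: 'gj',
  i: 'uo', j: 'hk', k: 'jl', l: 'k', m: 'n', n: 'bm', o: 'ip', p: 'o',
  q: 'w', r: 'et', s: 'ad', t: 'ry', u: 'yi', v: 'cb', w: 'qe', x: 'zc',
  y: 'tu', z: 'x',
};
const LOOKALIKES = { l: '1', i: '1', o: '0', s: '5', m: 'rn', w: 'vv' };

// Returns a sorted list of domains one typo away from `domain` (e.g. "facebook.com").
function typoCandidates(domain) {
  const lower = domain.toLowerCase();
  const dot = lower.lastIndexOf('.');
  const name = lower.slice(0, dot);   // "facebook"
  const tld = lower.slice(dot);       // ".com"
  const out = new Set();
  for (let i = 0; i < name.length; i++) {
    const before = name.slice(0, i), after = name.slice(i + 1), c = name[i];
    out.add(before + after + tld);                       // omission:       facebok.com
    out.add(before + c + c + after + tld);               // doubled key:    faceboook.com
    if (i + 1 < name.length)                             // transposition:  faecbook.com
      out.add(before + name[i + 1] + c + name.slice(i + 2) + tld);
    for (const k of ADJACENT_KEYS[c] || '')              // fat finger:     fscebook.com
      out.add(before + k + after + tld);
    if (LOOKALIKES[c])                                   // look-alike:     faceb0ok.com
      out.add(before + LOOKALIKES[c] + after + tld);
  }
  out.add('www' + lower);                                // www stuck on:   wwwfacebook.com
  out.add('www-' + lower);                               // www hyphenated: www-facebook.com
  out.delete(lower);                                     // the real domain is not a typo
  return [...out].sort();
}

const fb = typoCandidates('facebook.com');
console.log(fb.length, 'candidates, e.g.', fb.slice(0, 6).join(', '));
```

Running it for facebook.com produces a few dozen names; the useful output is the list itself, which you would compare against domain registrations rather than read by eye.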

How to avoid it:


The 'Real' Site Has Been Hacked

Let's suppose that I'm back as my evil hacker alter-ego, and I've been surfing the web finding some sites to hack into.  I've managed to hack into one site in a way which lets me alter its login page (how one goes about such a hack would take another whole article, no, another entire blog, so let's just suppose that I can modify the login page).  Like with my previous example, I've added a little script which takes a copy of the username and password entered into the form and sends me a quick copy before allowing the form to submit as usual.

It could take the owners of the site ages to discover my hack.  Maybe hours, maybe months.  But until they notice I can get a copy of the login details of everyone who logs in, which I can use whenever I like at a later date.  And again, the users have no idea that it's happening.

The important message here is that just because the website itself is not malicious, that doesn't mean that the page isn't doing malicious things.


How to avoid it:
  • You can't, but using a different password for each site will confine the damage to just the one site.


Malicious Websites Taking Advantage of Your Reused Password

Let's suppose that you reuse the same password for several sites, and one of these sites isn't quite as bona fide as you thought.  A well-built and well-intentioned website will never actually store your password, but it still sees it in plain text every time you log in, so a malicious website can simply keep a copy of your login details and then try them out on other sites.  This is especially dangerous if your username is your email address and you've reused the same password for your email account.  If the password for your email account is used for any other online account then read this and change it.  Now.

How to avoid it:

  • Use a different password for every account (more about this in my next article).



Your Password Is Stolen Directly From The Site


As I've said too many times now, a well-built login system will never store your password in plain text, but because you can't see how a website's login system is built, you can't be sure that it's following this practice.  So if a site is storing your password in plain text and its database gets cracked open, your password is going for walkies.  And even if the passwords are hashed in the database, there are things called rainbow tables: precomputed tables of the hashes of enormous numbers of common passwords.  If the site hashed your password on its own, without mixing in a random per-user "salt", a hacker just looks your hash up in the table and reads off your password.

How to avoid it:

  • Use a different password for every account.
  • Use complex passwords (a long, unusual password is not going to be in anyone's precomputed table).



It Gets Remembered On A Public Computer

This is a bit of an edge case, but I thought I'd mention it.  If you're using a public or shared computer, then there are 3 ways I can think of in which your password can be stolen:

  1. You tell the browser to remember it.
  2. You accidentally type your password into the username field, and hence the browser automatically remembers it.
  3. The computer is infected with malware which steals it.

How to avoid it:
  • For 1 and 2, just be careful.
  • The only way to avoid the malware is to avoid public or shared computers.


Malware

This covers a whole variety of evil software which could be lurking in various places on your computer, which could take the form of viruses, trojan horses, browser plugins, or mobile apps.  Basically, anything which lives on your device snooping on you.

A lot of these will be some form of key logger, a piece of software which monitors everything you type.  All of your keystrokes are then sent to a remote location to be scanned for repeating patterns, such as [email address][tab key][a short string of text][return], which are likely to be username/password combinations.  Yet another reason to not use the same password for multiple sites, especially not your email account.
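The pattern-spotting step is simple enough to show.  The following is an added example, not code from the original post: it takes a constructed keystroke capture (Tab and Return written as "\t" and "\n") and pulls out every [email address][tab][short string][return] run, counting how often each pair repeats, since a pair typed again and again is almost certainly a real username and password.

```javascript
// Added example (not from the original post).  CAPTURE is a constructed
// keystroke log of the kind a key logger would ship home; the addresses and
// passwords in it are made up for the demo.
const CAPTURE =
  'hi mum, see you sunday\n' +
  'alice@example.com\tTr0ub4dor&3\n' +
  'search for cheesecake recipe\n' +
  'alice@example.com\tTr0ub4dor&3\n' +
  'bob@example.net\tcorrecthorse\n';

// Returns [{ user, password, count }] sorted with the most-repeated pair first.
function extractCredentialPairs(capture) {
  // [email address][Tab][6-64 printable characters][Return]
  const re = /([^\s@]+@[^\s@]+\.[^\s@]+)\t([^\t\n]{6,64})\n/g;
  const seen = new Map();
  for (const m of capture.matchAll(re)) {
    const key = `${m[1]}\t${m[2]}`;
    seen.set(key, (seen.get(key) ?? 0) + 1);
  }
  return [...seen]
    .map(([key, count]) => {
      const [user, password] = key.split('\t');
      return { user, password, count };
    })
    .sort((a, b) => b.count - a.count);
}

console.log(extractCredentialPairs(CAPTURE));
```

On the constructed capture this yields alice's pair twice and bob's once; in a real capture the repeated pair is the one worth trying against the victim's email account first, which is the point the paragraph above makes about reuse.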

How to avoid it:
  • Keep your software up to date, including your operating system and your web browser.
  • Use a modern web browser such as Firefox or Chrome.  (Internet Explorer may be less riddled with security holes than it used to be, but I still don't trust it.)
  • Keep anti-virus software up to date.
  • Don't install anything which you don't entirely trust.
  • When you use a friend's computer, ask yourself "Do I trust this person, and more importantly, do I trust their IT skills enough to be sure that this computer is completely free of malware?".


Conclusion


So given that any website which you type your password into could deliberately steal that password, or accidentally leak that password, the thing you have to ask yourself any time you re-use the same password is: "Am I totally happy for the owners of this website, and anyone in the world who hacks into it, to have complete access to all of my other accounts which are using the same password?".  The answer should be no.  So you should never re-use the same password.

My next article will cover a few approaches to generating a different password for every site, without having to remember them all.

You should also realise by now that you can never be entirely sure that your password hasn't been stolen, even if the website is bona fide and you haven't used the password for anything else.  So my article after the next one will cover 2-factor authentication.

Until then, have fun, and watch out for the rainbow tables.

Sunday 2 February 2014

Are You On The Right Domain? - Knowing When It's Safe To Type Your Password

You should only ever type your username and password in when you're on the domain which the account belongs to.  I.e. your Facebook password should only ever be typed when the domain name of the page you're on belongs to facebook.com.  You probably already knew that, but how good are you at telling when you're on that domain and when you're not?  You can take the test below to find out.

Hopefully, given that you probably use passwords on the internet, you already know how to work out what the domain is.  But for a lot of us (myself included), this wasn't part of the curriculum at school, so if you're unsure then here are the instructions.  You might want to skip straight to the test and just come back to this afterwards if you don't score 100%.

1. After the initial http:// (or https://), find the first slash and discard it and everything after it.
2. Find the ending (.com, .co.uk, .net, .org.uk or whatever it is) and keep only that ending plus the one part immediately before it; discard everything before that.
3. What's left is the domain.

The Test... Type Away, Or Run Away?


For this test we'll pretend that you've got an account on the site wobble.com.  For each of these URLs you must decide whether or not you are on the domain wobble.com.   Do you merrily type away and enter your password, or run away?


  1. http://www.wobble.com/login.html
  2. http://wobble.com/login.html
  3. http://www2.wobble.com/please-login.html
  4. http://www-wobble.com/login.html
  5. http-www.wobble.com/login.html
  6. http://www.wobble.com.com
  7. http://www.wobble.com.wobble.www.com
  8. http://http-www.wobble.com.museum/http://www.wobble.com/login.html
  9. http://www.www-wobble.com.wobble.com
  10. http://www.wobble.com.login.html
  11. http://www.wobble.com/www.login.php
  12. http://wobb1e.com/new-login-page.html
  13. http://www.wobble.co.uk/login-page.html

And here are the answers:
  1. Yep, that's the www subdomain of wobble.com.  Type away.
  2. Again that's fine.  This is the "naked" domain without the www subdomain.  Type away.
  3. Yep, that's a subdomain www2, still on wobble.com.  Type away.
  4. Nope, that's www-wobble.com, not to be confused with www.wobble.com.  Run away.
  5. Yep, that's a subdomain of http-www on wobble.com.  An odd URL, but it still belongs to wobble.com.
  6. Nope, that domain is com.com, with a subdomain of www.wobble.  Run away.
  7. Nope, that domain is www.com, with a subdomain of www.wobble.com.wobble.  Weird.  Run away.
  8. Nope, that domain is com.museum with a subdomain of http-www.wobble.  And com.museum is not necessarily anything to do with wobble.com.  Run away.  More about strange top-level domains below.
  9. Yep, that's wobble.com, with a 2-level subdomain of www.www-wobble.com.  An odd choice for a subdomain, so I would definitely raise an eyebrow, but technically it does belong to wobble.com.
  10. Nope, that's a domain of login.html, with a 3-level subdomain of www.wobble.com.  Again more about odd top-level domains below.
  11. Yep, that's fine.  You can ignore everything after the /, so the www.login.php is part of the URL path, not part of the domain.
  12. Nope, that's wobb1e.com, very different to wobble.com.  Note the difference between the digit 1 and the letter l.  Be careful.  I admit that I've deliberately put the URLs in a font which makes these 2 characters hard to distinguish, but I wanted to ram home the point that you should read what's in your browser's address bar very carefully.
  13. Nope, that's wobble.co.uk.  Not necessarily anything to do with wobble.com.


So how did you do?  Well actually, the test was a trick.  The answer is that you shouldn't have typed your password in on any of those URLs, because none of them have https:// at the beginning, meaning that your connection to the server is not secure and the password you type could be read by eavesdroppers when you submit the form.  In fact, without https you don't actually know that you're looking at the right domain, as someone could be intercepting the traffic and serving you totally different pages to the real ones.


The Bottom Line

  • The right domain.
  • HTTPS.

If in doubt then open a new tab and type the address yourself.


Subdomains

A domain name consists of a top-level domain (TLD) and then one or more child subdomains, with the dot character (period/full stop) separating each level.  The TLD is the end part of the domain.  The generic ones (gTLDs) are most commonly .com, .net, .biz or .org, and each country also has its own TLD (a ccTLD), e.g. .fr, .de, or .uk.  In some countries, such as the UK, the country domain is itself divided into a few second-level domains such as .co.uk, .org.uk, .gov.uk and .ac.uk.  Domains under .co.uk or .org.uk are then available for sale to the public, whereas .gov.uk and .ac.uk are reserved for the government and educational establishments respectively.

When a member of the public buys a .co.uk or .org.uk domain name they buy the level underneath .co.uk, e.g., cheesecake.co.uk.  They then control this domain, which means that if they want to add further subdomains they can, so they could add www.cheesecake.co.uk, tasty.cheesecake.co.uk or even several levels of subdomain like i.would.really.like.a.cheesecake.co.uk.  All of these subdomains are controlled by the owner of cheesecake.co.uk, so you know that any domain under cheesecake.co.uk is in their control.

In general, if you trust a domain, then you are safe to trust any subdomains underneath it.  For example, if you have an account with google.com, then it's safe to type your password on accounts.google.com.

In some situations the owner of a domain will give control of subdomains to its users, a good example of which is this blog.  I don't own blogspot.co.uk, but when I created my blog on Blogger I was given the ability to create pages on whirledwiseweb.blogspot.co.uk.  In most of these situations though, you will find that there is never a log in page on the parent domain.  E.g. there is no log in page on blogspot.com; when you log into Blogger you log in on blogger.com.  For this reason it's worth being aware of the domain which you create your account on, and making sure that you only ever type your password in on that domain in the future.
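Both the quiz above and the subdomain rules in this section come down to one question: which part of the host name is the bit somebody actually bought, and is it the domain your account lives on?  The following is an added example, not code from the original post, that answers that question the way a browser would: it parses the URL with the standard URL class (so it is not fooled by "http://" appearing later in the path, or by a user-info part before the host), finds the registrable domain by matching the longest known public suffix (so wobble.co.uk and com.museum come out right), and insists on https before saying "type away".  The suffix list is a constructed subset of the real Public Suffix List (https://publicsuffix.org/); the final quiz entry with an "@" in it is my addition and is not in the post's list.

```javascript
// Added example (not from the original post): decide "type away" or "run
// away" for a URL using the browser's own URL parser plus a public-suffix
// lookup.  PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List.
const PUBLIC_SUFFIXES = new Set([
  'com', 'net', 'org', 'biz', 'museum', 'uk', 'co.uk', 'org.uk', 'gov.uk', 'ac.uk',
]);

// The domain someone actually bought: one label below the longest public
// suffix that matches.  With an unknown ending (a new gTLD, or "login.html")
// the last label is treated as the suffix, which is what the hand rule does.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join('.'))) return labels.slice(i).join('.');
  }
  return labels.length >= 2 ? labels.slice(-2).join('.') : null;
}

// True when hostname is accountDomain itself or any subdomain of it.
function belongsTo(hostname, accountDomain) {
  return registrableDomain(hostname) === accountDomain.toLowerCase();
}

// Returns { ok, why }: ok is true only for an https URL on the account's domain.
function verdict(url, accountDomain) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return { ok: false, why: 'not a URL a browser would accept' };
  }
  if (u.protocol !== 'https:') return { ok: false, why: `not https (${u.protocol})` };
  if (!belongsTo(u.hostname, accountDomain)) {
    return { ok: false, why: `host ${u.hostname} is ${registrableDomain(u.hostname)}, not ${accountDomain}` };
  }
  return { ok: true, why: `${u.hostname} belongs to ${accountDomain}` };
}

// The post's quiz as written (all http, so every one is "run away"), plus one
// extra URL with a user-info part, which the hand rule's "first slash" step
// would misread but the parser does not.
const QUIZ = [
  'http://www.wobble.com/login.html',
  'http://wobble.com/login.html',
  'http://www2.wobble.com/please-login.html',
  'http://www-wobble.com/login.html',
  'http-www.wobble.com/login.html',
  'http://www.wobble.com.com',
  'http://www.wobble.com.wobble.www.com',
  'http://http-www.wobble.com.museum/http://www.wobble.com/login.html',
  'http://www.www-wobble.com.wobble.com',
  'http://www.wobble.com.login.html',
  'http://www.wobble.com/www.login.php',
  'http://wobb1e.com/new-login-page.html',
  'http://www.wobble.co.uk/login-page.html',
  'https://www.wobble.com@wobb1e.com/login.html',   // added: user-info trick
];

for (const url of QUIZ) {
  const v = verdict(url, 'wobble.com');
  console.log(v.ok ? 'type away' : 'run away ', url, '-', v.why);
}
```

Swap http for https in the quiz URLs and the verdicts match the answer key above: 1, 2, 3, 9 and 11 are "type away", the rest "run away".  The extra "@" URL is the reason to trust the parser over the first-slash rule: everything before the "@" is a user name, and the host is wobb1e.com.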


New Global Top-Level Domains

Until recently there was a fairly limited set of top-level domains, which consisted mostly of .com, .org, .net, .biz, one for each country, and a few others.  But this list is now being expanded, with companies and other organisations being allowed to apply for their own top-level domain, such as .pepsi.  So instead of www.pepsi.com, they can now have www.pepsi.

This is why I included a couple of strange-looking endings in my list of domains.  Just to make you aware of the fact that domain names won't necessarily end in a familiar-looking .com or .org anymore.


Why WWW?

Traditionally, most websites serve their web traffic on a www. subdomain.  Bear in mind that the same domain will usually also be handling email and potentially other things, so people like you visiting with your web browser are just part of what the domain is used for.  For this reason it's customary to serve "normal" web traffic on www., and to deal with other things on other subdomains such as mail. or ftp. (with the rest of the domain following the dot).  Some sites, such as Twitter, serve their web traffic on the naked domain of twitter.com and don't use a www subdomain.  There's nothing special about www though; zzz would work just as well.


More fun and games soon...