Category Archives: Secure things

Secure things, Teach things

daD Talk

One of the things I wanted to develop is critical thinking. Not only by myself, but also by my kids themselves. The led to a rather unpleasant start of one of those dad kid conversations.

There was no way back: a subject I tried to delay for a few years:
computer security.

The complaint about a program was packaged as a request:
“I want to have a computer, which can execute [dangerous module] programs without using [dangerous module].”

I exhaled. My kid had absorbed the information and realised that the use could have a severe consequence for the computer. No more computer time. On the other hand the disadvantages were too big to forget about it.

I tried to find a solution, but I could not find one. If a program can change things on a computer, then it can do bad things.

While blogging I realised I was wrong. There was a work around.
There are programs, which can do same things like the original program, but they are built differently. They are called emulators. Some gamers like to play low resolution games on emulators of very old operating systems.
Wow, that’s my kid.

It’s hammer time

“If you have a hammer, then you can use it to break a window. But that’s not right.”
My kid nodded.
“So I program the hammer, so it cannot be used for a window glass. Then I can go to a door and use it to break a lock. I can program it not to break a lock. Then I can use it for a window frame.”

It would be easier to tell the hammer it could only be used on wood. This looks brown and it has grains. But it could be changed, so that everything looks like wood.”
I made a wide gesture with my arm pointing to different objects in the room.

“But I could change the picture. All objects would look like wood. That is not a good idea, so I store the picture in a book. But the picture in the book can still be changed.

Then I could place a lock on it. But the lock could be picked. I could place a better lock on it, but then the whole book could be replaced by another book.

And that’s why it is so difficult to secure things.”

Another unpleasant guest
My kid had seen a cool app. And it should be installed absolutely. So I did my dad thing:  looking at the permissions, which I would grant to the app. It could handle my files. It was just a game and why should game have a peek at my files? Time for the bad news.

So I told my kid, that the app would access files on the phone. The reply was to buy a phone just for games. Then I told that after a while the phone would be also used for other purposes like making pictures. “You don’t want your pictures in someone else’s hands.” There was a lack of nod.

I needed another way to tell the warning. A visual one.
“Suppose someone comes in. He looks television for the whole evening. And he eats the whole fridge empty.

If you protest, he will say:
“You said I could come in.”

The next evening he comes back. He takes the table and the sofa out of the house.

If you protest, he will say:
“You said I could come in.”

Secure things

Security by Luck

Last week I saw the attack vectors of the most popular attack on
WordPress web sites at the moment.
Just two lines.

Was I prepared? Yep.

In my mail box I had a message, that my web site was updated. It was completely automatic.

I did not even have to press a button. Self service is nice, good service is better. I had the last version of WordPress running. All minor updates are automatically deployed.

Why did I choose WordPress? For one of my test assignments I had to test a WordPress web site. And I did not want to learn another tool to maintain a web site. Sheer luck.

Last year I got an insistent mail from my host provider, that I should upgrade my PHP. The advised version was a safer one.

I dutifully followed the instructions: pressing buttons instead of typing long commands after the prompt. There was nothing scary about.

How did I select my web site host?
I looked for a provider, who provided all kinds of handy services: e-mail, backup, and web site statistics.

“Sheer luck mate. “
“Really? “
“I compared several providers. The one I chose also focused on companies. If I ever would scale up, I had a company, who could help me. “

“Can you be more specific? “

“Sure. I looked for the information on the web site. It was written in a way that I could advise it to a company.

It had also enough tech background information. That was good for my inner nerd. “

“Wait a minute. “
“Yep. “
“You just told, which Content Management System you use for your web site. And that you are using PHP. Are you not exposing too much information? “

“A real hacker can determine this information within seconds. He looks at the source code or using some plug ins.
On my smartphone I have Dual HTML Viewer which is a similar tool.”
“How did you find that mobile tool? “
“#30daysoftesting

You could call it luck. I prefer to bend it.“

No comments please

Seth Godin once gave the advise to turn off comments in a web site. If the blog post would be interesting enough, then they had to refer to it. Free publicity.

This time saver was a nice advice for me. Yes, I like good comments. Sorry, I focus on writing.

This year I started to test on XSS or Cross Site Scripting attacks. I basically added information to a web site, which changed the behaviour.

If I add html code to a comment, then the comment can be shown in bold or italic. Sometimes it is possible to add extra feature like a window. This can be used to distribute confidential information to other people. Without their permission.

No comment disabled the use of XSS. Luck? Not really.
Seth let me think in another way.

BTW Seth did advise to use comments in the very same blog post.
It is nice to read good things about my blog posts. But for me time is (my) precious.

Don’t be too infectious

One of the criteria to choose my own web site host was full control over the content of my blog. Even I had to pay for it.

There are web sites which provide free web sites, SSL and nice domain names. Their business model or their way to earn money is advertisements on my web site. Of course I can disable it by paying.

On a security conference a Finnish guy showed how advertisements can be misused. He contacted to a web page with a single bad pixel. His system was contaminated within milliseconds. Life on stage.

Reading the right stuff

During one of my visits I saw a familiar computer magazine on the table: “I read it also.”
“It is good.”, was the answer. He also works in the IT, so I valued his input.

Once I read about WordPress tools. There are a lot which are free. So I scheduled my backup and restricted the access with a special tool kit. Sometimes I feel lucky to find easy to use tools.

A Case of Bad Luck
Within two days after pushing my first piece of this blog post on the web I found two annoying items on the web.

Santosh Tuppad had considerable considerations about the use of WordPress by hospitals. And Santosh is a good security tester.

Kristine Corbus, another tester, blogged about the misuse of headers in WordPress.

Then I had a story of Troy Hunt lingering in my memory. He used another Software as a Service for his web site.

“You wrote Troy.”
“It is not a city in ancient Greece, which had the first bad encounter with a Trojan horse.”
“Who’s Troy?”
“It’s the guy who reported about the bleeding cloud and the eavesdropping teddy bears. Troy is a security expert I follow by luck.”

Was I lucky?

Learning, Secure things

Losing gracefully

“Han Toan, something has to be tested.”
I got a short briefing, csv files and decent specifications. A senior tester and I had to test an interface. He started sprinting: opening a csv file and logging bugs. I froze. No time for writing test cases and reviewing them. I confessed to the tester, that I was uncomfortable with the situation. I tested a csv file, but I was losing gracefully.

Theory and practice revisited

The following text is translation of a text I found in a Dutch farm:

“Theory is: if one knows everything and nothing is right.

Practice is: if everything functions and nobody knows why.

In this company theory and practice are combined.

Nothing is right and nobody knows why.”

Learning to win

One evening I was playing Skip-Bo with my wife. My plan was to lose gracefully. So I forced myself to play the wrong cards. Her position in the game improved gradually. She was happy, so was I.

After a while I was holding too many good cards in my hand. There was no way, that I could hide them for long. I would either win or lose awkwardly. The last option was worse than the first one.

In the months after this clumsy situation I tried to repeat the steps during other games. What was the first wrong move I made? What were my following strange steps? Based on my observations I was able to extract a single rule to win or heuristic.

I think, that I might be able to find scientific evidence for my heuristic. But I chose not to, because it worked. That was my goal.

No log in required
During an afternoon session James Bach told about testing without scripts. He was in a hotel lobby and saw a computer. He described the techniques and heuristics he used to get access to this computer. At the end he succeeded.  

I was in the library. Killing my time with browsing newspaper articles. But that was not exciting after a while. I had an appointment within half an hour. In the meantime there should be something to be tested. I was still staring at the computer, when I remembered the story of James.

The computer environment had 2 access levels for normal users. A guest could use only basic functions, which were also limited. I did not have a library subscription, which would grant me a time slot to use standard office software and the browser. I could buy a time slot, but that would lower the challenge.

So I started testing the applications. There were many search engines for news and books. Then I noticed, that I could open the browser. It did not take me much time to go the download area. A document with Resume in the title drew my attention. I expected an error message, when I would attempt to open the file.

Then I actually opened the file. I had access to Word. And to personal data like name, address, birth day, …. I got more information than I had anticipated.

It was time to inform the information desk about this particular situation. One of the women acted adequately:
“Did you log in?”
“No. I did not log in.”
One brief look on the computer screen made her check the other computers in the library. She asked me the steps to reproduce the error. After my answer she continued with:
“After logging out the cache should be cleared. I’ll contact the system administrator about this situation. ”

I went back to the computer, which still showed the resume. I closed it. Then I noticed, that a pdf reader had been installed on the PC. One of the recently opened files contained passport in the name. One click gave me a high resolution full colour scan of a passport including social security number and picture of a fellow citizen.

I had made a little start. To explore in unknown environment. Without a script.