2019-01-08

A comic about the "evil maid" attack

Here is another comic about security! I swear, everything a security expert needs to know can be learned by reading old comics. If you ask me, these security guys are overpaid. Wait, I am one of those security guys now! Never mind.

This is yet another Franco-Belgian comic. This one was published in 1971. How does a pre-AOL comic relate to computing security? Well, read on!

Context: The heroes are looking for a friend, who disappeared after responding to a "help-wanted" classified ad in the local newspaper. The ad was anonymous, so only the newspaper knows who the ad poster was.

For Millennials: classified ads were pages covered with various ads and announcements you could publish for a fee. An anonymous ad was like Craigslist on paper, with not even a phone number, only a reference that you responded to by writing a letter to the newspaper. Say what? What's a newspaper, you ask? Oh, man... Forget it. Just enjoy the comic.


A great social satire series

The comic is from the album "The Awkward Age", part of the "Walter Mellon" series (Achille Talon, "L'âge ingrat" in French).

Only one album of the series was translated into English, sadly: Magnesia's Treasure. It is a hilarious romp through a South American country where a local treasure is disputed between head-shrinking (but business-minded) natives, a no-nonsense military, greedy guerrillas, a naive countess and scrappy explorers. In a satirical tone, the series visits very serious topics such as war, terrorism and dictatorship, without ever becoming preachy or strident.

But wait... What maid?

In information security, the "evil maid attack" is named after someone with legitimate but unsupervised physical access (the hotel maid who enters your room while you are out) who abuses that access to tamper with or copy whatever you left unattended; the textbook case is a laptop left in a hotel room. In this comic, the unattended asset is a paper file, the confidential list of ad posters, and the "maid" is a dishonest employee who steals his company's information. In a modern, computerized company, the file would be read from a machine left unlocked, or intercepted and copied while the dishonest employee has access to it.

In the last few years, I have seen two cases where a sales manager left a company to join a competitor, bringing with him a list of the juiciest, most valuable customer contracts from his former employer. Of course, in both instances, they ended up in court. I don't know if these sales managers made money from the stolen customer lists, but their lawyers certainly did get richer.

2019-01-05

A comic about password safety

The 1966 comic below is a perfect illustration of how not to validate a password.

Context: Our heroes are fleeing the state police in a German-speaking dictatorship and are trying to reach a dissident network.




Common sense, amirite?

This is an English translation (mostly by artist Miriam Korver) of a page from "QRN over Bretzelburg", a graphic novel in the "Spirou and Fantasio" series. It was originally published in 1966.

The comic mocks a bad password practice that should be obvious: when you challenge a stranger for a password, don't tell them the password and then ask whether they already knew it. Common sense, right? And not only that, but the comic predates personal computing, so you'd think this lesson is old hat, right?

And yet, to this day, it is still common to see web sites that send the password to the browser along with the page's JavaScript, using a check like:
if (user_typed_password === "Secret_P@SSW0RD!") { validate = true; }
Looking at the page source with Ctrl-U is all it takes to reveal the "secret".

Also very popular: after validating the password, the login page appends "&login=true" to the URL, and that extra parameter is all that passes for access control. Want to access the site without knowing the password? Just paste that string after the URL.

Thank God, this type of amateurism is becoming increasingly rare.

Don't be like the bungling dissident in that comic. Do real authentication!




2019-01-03

Who keeps the password keepers?

Keep your unmentionables safe


Hey folks! As a system administrator and security maniac, I am very much in favor of good password hygiene. Just like your undies, you should really know where your passwords have been. But unlike your undies, your passwords are not always easy to change.

That's why I recommend using a good password manager. A password manager is a small application that generates and stores a unique, complex password for each site you log in to. You don't have to remember those complex passwords. You do, of course, have to remember the one that protects the password manager itself.

When you use a password manager app, you implicitly trust that app to keep your secrets safe. That's why the latest fail in that field is particularly cringe-worthy: Abine, the company that makes the Blur password manager, has reported a customer data leak.

The fail


To be more precise: back in December, a security researcher found an exposed file containing information about people who used Blur before January 6, 2018. The file included, for some users, first and last names, email addresses, password hints and the (bcrypt-hashed) Blur password, among other things.

If you use Blur, the company recommends changing your Blur password.

Comment: The Blur password itself was not exposed, only its bcrypt hash. According to Abine, the Blur passwords were "encrypted using bcrypt with a unique salt for every user". Strictly speaking, bcrypt is not encryption but a deliberately slow, salted one-way hash: nobody can turn the stored value back into the password, and the per-user salt means a precomputed table is useless. What an attacker can still do is guess candidate passwords and run each through bcrypt with the leaked salt; that is slow by design, but it works against weak passwords, and the leaked password hints narrow the guessing considerably. A strong master password is therefore effectively safe, a weak one is not. Also, no protected data (the complex passwords stored inside the Blur app) was compromised. So overall, it could have been worse.

Of course, this won't stop some users from feeling betrayed. Just like undies, you get pretty intimate with a password manager. If my Supersafe UndiesTM ripped and exposed some skin, I'd feel pretty let down.

Personally, I use and recommend KeePass, a free, open source password manager which, to the best of my knowledge, hasn't been breached so far.