Facebook’s Real Name Policy is Back

Facebook have pushed ahead with the enforcement of their ‘real name’ policy, which requires users to use their real, or ‘authentic’ name.

This comes after a previous attempt stalled, following an uproar from the community which forced Facebook to give a rare apology.

Here’s the gist of the requirements:

[Screenshot of Facebook's name requirements, captured 2014-11-27]

Source: https://www.facebook.com/help/112146705538576

Sounds fair enough on the surface of it, and gives enough room for interpretation to allow aliases or nicknames – precisely what appeased the criticisms from last time. However, the practical implementation seems quite different.

[Screenshot of Facebook's additional name requirements, captured 2014-11-27]

Again, these additional requirements don’t seem too restrictive. If anything, they seem fairly flexible, whilst retaining some sort of continuity. However, the practical implementation has been completely different.

Today, there have been reports that users have been locked out of their accounts, after Facebook has deemed their names to not be ‘authentic’ enough. This included a determination that the name ‘Daz’ (a common offshoot of Darren) was not acceptable, and ‘Nikki’ should be changed to ‘Nicola’ – despite the insistence that shortened nicknames (like ‘Bob’ in the case of Robert) are fine.

Now comes the kicker. In order to get back into your account, you either need to provide a ‘real’ name, or some sort of ‘acceptable identification’ to prove that you are known by the name or alias you had beforehand.

Let’s take a look at what the acceptable forms of identification are, according to Facebook:

[Screenshot of Facebook's list of acceptable identification, captured 2014-11-27]

Uhm, sorry… what? Despite their warning that you should be sure to blank out any other personal information, there is no reason in hell that anybody should ever be giving copies of the above documents to Facebook. The idea that this would ever be requested is completely ridiculous. If Facebook demanded I send a copy of my passport – redacted or otherwise – then they would be politely told where to shove it.

But hey! Should you not wish to share such an important piece of sensitive ID with a social network based in a different country, you have another option. You can provide two bits of ID from the following list:

[Screenshot of Facebook's second list of acceptable identification, captured 2014-11-27]

This just becomes more ludicrous. Here’s why:

  • There is no way for Facebook to verify any of the above properly.
  • All of this ‘evidence’ can easily be doctored by any muppet.
  • Even if you are known by a certain name in your everyday life, you won’t have that alias on official documents that require your legal name. In which case, how on earth are you meant to prove the existence of a nickname?
  • WTF is a ‘permit’ anyway?

There are plenty of reasons why people would legitimately want to avoid using their full, legal name online (those in teaching, or the health service, or…); those who have already lost the ability to remain hidden in searches thanks to previous changes, with the process to use a nickname or alias instead verging on the impossible. But there’s something far more fundamental here: That it’s absolutely fuck all to do with Facebook what name you choose to go by. Making determinations about what is and isn’t ‘authentic’ is evidence of an organisation that has no concern for its users other than its own commercial interests.

We need to find a better way to communicate than by using this lot.

Travel Problems: Tesco Bank are Useless.

Having the freedom to travel a lot because of your job is a great thing. It means you can disappear off to a different country for a few months to visit friends or family, or just see the world.

The problem is that often the utilities we make use of at our home bases aren’t really set up to deal with people that are out of the country regularly, or for longer than a couple of weeks. Sometimes, they can’t even cope with any length of absence due to badly thought out and implemented processes.

I’ve run into a pile of these issues, such as my mobile phone operator (T-Mobile) acting like complete idiots and refusing to allow international roaming, or how to submit electricity meter readings when you can’t physically get to the meter.

Today though, Tesco managed to knock it out the park, delivering a perfect example of how things are made difficult for those who wander.

I logged on to my Tesco banking account to make a credit card payment, and was confronted with the news that they had recently made changes to their security checks. As a result, if you were logging in from a computer that they didn’t ‘recognise’, then a security code would be sent to the mobile number registered on your account.

Oh, great.

This wouldn’t be a huge deal if we were away for a week or so, but given that we’ve been gone for a few months, this isn’t good. It means that I won’t be able to make any payment to my account, and so miss the minimum required to avoid charges.

The process to get the mobile number changed is a pain in the ass, and I’m not entirely sure what I’m meant to do. The Tesco website seems to suggest that the only alternative is to have a one-time access code sent to your home address by post.

A One Time Access Code is a code we use as a security measure to confirm your identity when you forget your login details or use a browser, computer or mobile device that we don’t recognise.

Check that your mobile number is up to date and select Send. We’ll send the One Time Access Code by text message.

If you don’t have a mobile phone number, you’ll need to call us on 0845 300 3511 to get a Temporary Security Number by post.

This is DUMB.

Given the inconsistency in the way these places implement their checks, I downloaded the Tesco Banking app to take a look and see if I could bypass the mobile number validation. Unlikely, but worth a shot.

What really stung though, was this message:

[Screenshot of the Tesco Bank app's error message]

That’s right. If the mobile number you need to log in to the online banking account isn’t correct, you need to log in to the online banking account to change it.

Well done Tesco. Well done.

What really annoys me is that this is completely unnecessary, for various reasons.

* Recognising computers or devices via cookies is a pretty crappy approach, penalising those who regularly clear out their caches. There are far better ways to deal with this (such as registering MAC addresses) that don’t rely on the browser config staying the same.
* Having a two factor method of authentication is important, particularly for financial related accounts. However, to tie that into SMS text messages is pish. Mobile coverage and carriers are far too unreliable to be used as the sole source for 2fa. There are plenty of alternatives available to generate tokens – independent of something as variable as a mobile number.
* There should always be an alternative to access the account where you can’t use your device. It’s why Google, LastPass, WordPress, and countless others all provide back-up, one-time access codes that you are meant to store in a safe place to use in the event that you can’t receive a text message, or a code to your smartphone.

So there we have it. Tesco has failed to implement a sensible account verification process, despite standards and templates already available widely online. Useless.

Regex E-Mail String Matching

Recently, I was playing about with Keyboard Maestro – a powerful (Mac) tool to automate tasks that you have to do on a regular basis. It seems daunting at first, but has proved to be pretty useful.

One of the things I wanted to achieve was to be able to strip out a whole pile of data to return just the e-mail addresses, rather than have to go through them manually.

In order to do that, I needed a Regex (regular expression) pattern that would match e-mail addresses, with all of the weird formats they take: multiple TLDs, periods and dashes in the alias… and not to forget the plus sign that lets you create additional handles in GMail.

I looked around the web but didn’t find any patterns that did what I wanted. There were a few, but most seemed based on e-mail validation rather than filtering the address out of a bigger data set. So, I created my own:

\b([A-Za-z0-9%+._-])+[@]+([%+a-z0-9A-Z.-]*)\b

I’ve been using it for a couple of weeks and haven’t come across any addresses that it hasn’t picked up correctly yet. If you spot any, give me a shout in the comments below.

You can test out the expression for yourself over on the incredibly useful site regexr.com.
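As an added example (not code from the original post), here is the pattern above applied in Python to a constructed block of text, so you can see which addresses it picks out, how it handles trailing punctuation, and one quirk it has. The sample text, the strict post-filter and the function names are my additions.

```python
import re

# The pattern exactly as given in the post.
EMAIL_PATTERN = re.compile(r"\b([A-Za-z0-9%+._-])+[@]+([%+a-z0-9A-Z.-]*)\b")

# Constructed sample input (not taken from the post): addresses embedded in
# ordinary punctuation, angle brackets and a mailto: prefix, plus two
# non-addresses and one malformed address, to show what the pattern does and
# does not pick up.
SAMPLE_TEXT = """\
Contact: alice.smith@example.com, or bob-jones+newsletter@mail.example.co.uk.
Reply to <carol_99@sub.example.org> or mailto:dave@example-domain.io before Friday.
Not an address: user@ and @host; a doubled sign like double@@example.com slips through.
"""


def extract_emails(text):
    """Return every address the post's pattern finds, in order of appearance.

    The whole match (group 0) is used on purpose: the pattern's first group
    wraps a single character that is then repeated, so group(1) only ever
    holds the last character of the local part and is useless on its own.
    """
    return [m.group(0) for m in EMAIL_PATTERN.finditer(text)]


def extract_emails_strict(text):
    """Same extraction, then drop anything with more than one '@'.

    '[@]+' in the pattern accepts runs of '@' signs, so 'double@@example.com'
    is matched; this post-filter (my addition, not part of the post) removes it.
    """
    return [addr for addr in extract_emails(text) if addr.count("@") == 1]


if __name__ == "__main__":
    for addr in extract_emails(SAMPLE_TEXT):
        print(addr)
```

Note that the trailing full stop after "co.uk." is not swallowed: the domain class is greedy, but the closing \b forces it to back off to the last word character.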

Why I’ve Switched to WordPress.com

The eagle-eyed amongst you may have noticed that not only have I switched the blog’s theme in the past few days, but I’ve also shifted the hosting completely over from a self-hosted WordPress.org instance, to one on the servers of WordPress.com. (Confused? This article will explain the difference.)

For years I’ve always run sites using WordPress software that I’ve configured myself, rather than those on WordPress.com, based on the following reasons:

  • Hacker Mentality – Not wanting to let go of complete control of my site, and the ability to do with it what I please (like hosting weird web apps and playing about with plugins)
  • Cost – I was always under the impression it would be relatively expensive to keep all of my stuff on WordPress.com’s servers, as generous pals have hosted my sites previously
  • Transition Pain – Moving from an already established and customised site to a different platform seemed like a faff, with inevitable SEO problems/broken links
  • Features and Customisation – Not believing that I’d be able to get my blog to look/feel the way I wanted it to within the WordPress.com boundaries, and that I would miss features (like permalink restructuring)

The more I thought about it, the more I realised that I didn’t actually need to run a self-hosted site for http://iamsteve.in. The design of the site was pretty straightforward, there were no really complicated customisations involved, and the cost of shifting to WordPress.com wasn’t what I thought it might work out at; definitely not for a site that isn’t hosting large numbers of images anyway.

In fact, the benefits of being hosted on WordPress.com seemed more and more appealing:

  • A dedicated, and passionate support team that are on hand to help out with any issues (Working alongside them, this was an even bigger boon for me personally)
  • A streamlined interface that I use every day (for both work and pleasure)
  • No more having to login to separate admin panels all the time
  • A site that is integrated into the highly active WordPress.com community – and so more engagement with other users on the posts
  • No more worrying about rogue plugins crashing or needing to be re-configured after an update breaks something
  • The ability to take massive spikes of bandwidth, as I’m hosted on WordPress.com’s massive network

and one of the most important things of all:

  • The knowledge that my host won’t be intimidated by any legal pressures that come from any of the critical posts I write. (See here for more)

I’m incredibly proud to be part of a team that fights back against those who attempt to censor bits of the Internet that they don’t like on a daily basis, and it makes sense to bring my own writing into that fold. I know I have good people on my side should anything hairy come up.

Really the only thing that I was left swithering over was the pain of moving across. I thought I would give it a bash, and two hours later, the entire site is completely migrated over (multiple domain names and all). The difficulties I thought I’d run into didn’t even crop up as issues at all. All of my custom permalinks are smartly resolved by the WordPress software to their new locations (which I am both almost in disbelief and awe at).

I’m pleased. Not a bad experiment after all.

A Critical Look at Facebook’s Proposed Facial Recognition Feature

[Image: facebook facial recognition]

A couple of weeks ago I was asked by the Open Rights Group to write an article up on the latest round of changes to Facebook’s various privacy policies. One of the changes relates to the extension of the ability for Facebook to deploy facial recognition software. Whilst not currently available in the EU as the result of a previous challenge, it caused quite a stir to see this idea raising its head again.

To be completely honest, I had very little opinion on facial recognition software on social networks at the time, and said as much. I couldn’t immediately see what the problem with it all was, and fully expected it to be just a knee-jerk reaction by those keen to jump on any changes made by Zuckerberg and co. As a result, I went into this with open eyes and an open mind, to see what I could find.

You can read all about it over on the Open Rights Group Zine.

The NSA, GCHQ, and Encryption. What’s Going On?

In the past few days, more details have emerged about the sheer extent of the surveillance being carried out by both the NSA in America, and GCHQ in the UK.

Whilst the initial news that these intelligence agencies have been intercepting massive amounts of data was a shock, the latest round of news is perhaps the most alarming of all. PRISM had an apparent budget of $25 Million. ‘Bullrun’ has a value of closer to $250 Million.

A surge of web users have reportedly moved to increase the amount of encryption they use on a daily basis after discovering the extent to which their unsecured communications were being monitored. Now, it turns out that much of that encryption could well have little effect on the ability for Government bodies to snoop.

This is a development that has massive implications for our use of, and dependency on, the Internet itself… yet because of the subject matter, has not garnered as much coverage as it should have. The articles from the Guardian et al. give an insight into what is going on, but do not go into specific details of the technologies at risk, and can be inaccessible to somebody who is not already familiar with issues relating to encryption.

What’s the problem?

  • When encryption was first introduced online, there was a concerted effort by Governments to require systems to have in-built weaknesses to ensure they retained an ability to access it; the ultimate master key. This was defeated after a hard-fought, cross-political campaign. However, the NSA and GCHQ have gone ahead and achieved the same result, without legislation, by utilising their considerable resources.
  • The intelligence agencies have deployed multiple tactics to ensure they have access to data – whether it is encrypted or not.
  • One of the tactics includes the weakening of encryption systems by implementing vulnerabilities into their architecture. This means that even the most theoretically secure encryption services can be exploited to reveal the information.
  • Encryption is not just a tool for political activists or paranoid geeks. Every day we rely on encryption to securely log in to our bank accounts; buy things online; save usernames and passwords; and keep the likes of our Facebook accounts from interference.
  • By systematically targeting encryption to weaken its protections, the NSA and GCHQ are also undermining the integrity of all of our communications online; the basis of the global ‘information economy’.

How can I protect myself?

At the moment, it isn’t clear exactly what services have been manipulated, and what have not. Speculation is rife over whether actual protocols used (such as HTTPS for secure web browsing) have been compromised, or whether it is simply specific companies that have been coerced into providing covert ways into their services. SSL for example – indicated by the presence of the padlock in the address bar – has been shown to be extremely vulnerable given the way that the ‘certificate authorities’ who sign off on the transmission are susceptible to attack. As Orwell Upgraded puts it: ‘Who looks after the keys?’ Even the much lauded article by security expert Bruce Schneier on this topic seems contradictory and unclear in places. (“The NSA has huge capabilities – and if it wants in to your computer, it’s in. With that in mind, here are five ways to stay safe” – Eh?!)

However, this technology is not available to everybody, yet. Your local police force will not have access to this technology, nor your employer, nor the opportunist hacker. It wasn’t too long ago that even Scotland Yard were reporting that the use of TrueCrypt encryption on David Miranda’s laptop rendered the data ‘extremely difficult to access’. The NSA is still reportedly deploying many of the bread-and-butter tactics used by hackers for decades, including brute-force attempts to access accounts by mathematically ‘guessing’ passwords. If they did indeed have a golden bullet to decrypt all secure material, then there would be no need for this. Edward Snowden himself, the exiled NSA contractor who leaked the documents in the first place, has confirmed that ‘properly implemented crypto systems’ work; the issue being the lack of security that surrounds those systems in the first place.

There are still steps that can be taken to make it more difficult for your data to be accessed. Whilst not ideal, for the everyday web user, taking a few extra steps can mean that your data is less likely to be intercepted than somebody who takes no steps at all. There’s that well-worn tale of the man who, when faced with a lion, puts on trainers. When someone points out that he’ll never be able to out-run such a powerful beast, he simply replies that he only has to out-run everybody else.

No, we don’t know who to trust just now, but you can still take steps to improve your security:

  • Make use of high entropy passwords. Never use the same password for more than one service. LastPass is one of the best ways to manage this. Whilst stored in ‘the cloud’, it makes use of end-to-end encryption, which means only you should theoretically be able to decrypt its contents.
  • Encrypt your data with 4096 bit encryption where possible.
  • Use open source software that can be scrutinised by the online community for weaknesses. Avoid commercial, ‘closed’ software from a vendor that can be more easily manipulated. TrueCrypt is one of the most widely used and respected. Whilst we currently don’t know about its status in this whole affair, it’s one of the best bets.
  • Encrypt your Internet traffic with a VPN, or use Tor.
  • Use extensions such as HTTPS Everywhere to ensure you are always using the most secure version of a website where available.

Make your data as difficult to access as possible. Don’t just leave the door wide open.

What now?

Good question.

  • People need to know about this and why it’s important, not just be blinded by the technical speak. Spread the word, explain to people, and get them to act as well. – (Share This on Twitter)
  • Sign the Electronic Frontier Foundation’s petition to demand answers to what is going on. (US link here; UK/International link here.)
  • Write to your local MP and demand that they challenge the UK Government to give answers on this. Write to your MSP and do the same with the Scottish Parliament; it might be a reserved issue, but they still have the power to speak. Cause a fuss until they listen.

This is a dark time for the Internet, but it doesn’t have to stay that way.

Do we need a ‘Cyber Fire Department’?

Yesterday I attended the ScotSoft 2013 technology forum hosted by ScotlandIS in the Sheraton ‘Grand Hotel and Spa’ through in Edinburgh. The event – followed afterwards by an awards dinner (which I did not attend!) – had a number of speakers that covered issues across the software business lifecycle, from acquiring initial financial backing to long-term development plans.

The keynote was on the future of the Internet, and came from none other than Google’s ‘Chief Internet Evangelist’, Vint Cerf. It only took a few minutes to realise why he rightfully deserves what is probably the coolest job title that any self-respecting geek could ever have. Whilst the rest of the day had been very much focussed on those involved in the business side of the tech industry, Vint spoke with a natural and pervasive authority on everything from the implementation of IPv6 (‘Go ask your ISPs what their roll-out plan is’), to the distributed and often chaotic nature of Internet Governance. It should perhaps have been obvious that this would be the case from one of the ‘founding fathers’ of the Internet, but it is a rare thing indeed to find someone who is not only so formidably technically able, but who also has the charm and charisma to communicate that passion and ability to others so effectively. In many ways, it brings into question the existence of the much fabled, so-called ‘digital native’, and whether or not such a thing can or should be defined by reference to any particular generation.

Vint covered many topics in the short time he was allocated – from the crude beginnings of ARPANET, all the way through to using TCP/IP in space – but there was one fleeting reflection in particular that really captured my imagination: the idea of a ‘Cyber Fire Department’. This wasn’t something that there was too much time spent expanding upon, but he explained by giving the example of somebody trying to single handedly stop their house from burning down with a bucket of water; eventually, they would need other people to assist with bigger hoses and more water than they could supply on their own. With people increasingly concerned about the issue of safety online, the notion of a service that responded to people experiencing overwhelming technological difficulties was something that he suggested ‘we should be thinking about’.

It’s this idea I’d like to think about.

Why on earth would we need or want such a thing?

At first, it might seem a ludicrous proposition, especially to those who still instinctively perceive the Internet as some sort of glorified playground for teenagers to frivolously socialise. To many, the web simply isn’t serious business, despite all of the evidence to the contrary. Truth is, it may well be easier to simply be dismissive rather than to face the difficult challenges that will inevitably need to be tackled as the result of the increasing permeation of the Internet into our everyday lives.

We now have a globally interconnected network which has transformed the way we communicate, and become incorporated into the very foundation of our economies. This is not a phenomenon that is going to be reversed, and if anything, is set to increase rapidly as mobile devices proliferate, and more and more objects get the ability to share information on the net (the latest hot phrase being the ‘Internet of things’).

Just as fire spreads quickly between adjoining buildings due to carelessness or lack of education, the same is true of the Internet; weaknesses in one system potentially having a devastating knock-on effect on others that are connected either directly or indirectly. In order to ensure the integrity of such an important asset, contemplating the proposition of an emergency cyber response brigade seems eminently sensible.

What would a ‘Cyber Fire Department’ look like? What would it involve?

Let us assume that such a service was run separately from region to region, rather than some centralised, global endeavour. Aside from simply flying in the face of the distributed nature of the web in principle, I’m sure that all of us can imagine the bureaucratic nightmare that such an international entity would inevitably end up finding itself embroiled in (ICANN, anyone?).

The gut reaction to the suggestion of such a service may be to query the merit of a 999/911 type response to issues that do not fundamentally involve crimes relating to the person, but this model doesn’t necessarily have to be the one that is adopted. If brought into existence, the thing would not be required to have the same status as the major emergency services, nor indeed have to be publicly funded. One needs only to look at the myriad of examples that are out there already, such as the Royal National Lifeboat Institution (RNLI) to see how such a service can be both publicly available and independent.

…but would the market swallow this? There are already commercial offerings from the likes of the ‘Geek Squad’ marketed as emergency technical support. It seems unlikely that there would be any philanthropic provision from a non-profit organisation with substantial enough backing to effectively take on the private actors, which would seem to indicate the inevitability of some sort of central Government involvement.

Perhaps a bigger hurdle to be overcome would not be the financial element of the funding, but the ideological implications of the origin. Already, creeping state involvement in the regulation of the Internet is being pushed back by advocates of the ‘open web’, and the introduction of such a significant step could be easily seen as too much interference in a sphere that by its very nature transcends the boundaries of nation states.

How far do we take this?

If we accept the premise that the Internet is a precious enough asset that we should adopt some sort of cyber fire department, then there are other interesting questions that are raised as a consequence. Off the top of my head, some of these might include:

  • Ageing computer systems and equipment pose some of the most significant security risks. Should we implement an MOT style check to ensure that the equipment people are using is of an adequate standard to help ensure safety online?
  • Do we grant the cyber fire department statutory powers to ensure that ‘cyber safety’ regulations are enforced, much as their equivalents in the actual fire service have?
  • Viruses are often spread by those who are unfamiliar with how to properly navigate online. Does this mean that we should implement a driver’s license style test before they are granted access to the Internet?

Some of this sounds preposterous, and would (rightly) be considered a massive encroachment into online freedom, but it wasn’t so long ago that the idea of state-wide Internet filters blocking access to content including message boards seemed completely out of the question too.

Thinking about it

The question about whether we should adopt an emergency cyber response service in the style of a cyber fire brigade may seem a long way off from any serious implementation, and it probably is. However, the discussion does spark off a whole slew of related considerations that we should be taking seriously. As the UK Government comes under criticism for its ‘digital by default’ strategy for not taking into account those without either the access or training to get online, the issue of digital engagement and education seems to go hand-in-hand with a lot of the concerns relating to online safety.

Whatever the outcome, we are at a point of transition, and the policy issues that are involved are as fascinating as they are complex. Like Vint said yesterday, it’s something we should be thinking about.

What you need to know about ‘man in the middle’ attacks

If we ever share a WiFi network, chances are I can intercept what you’re doing.

‘Man in the middle’ attacks have been around for about as long as the Internet itself, and so those familiar with network security will already be well aware of the threat posed by ‘ARP spoofing’ or ‘poisoning’. The thing is, most people aren’t familiar with the basics of protecting their communications online, and even those who are don’t always take the precautions that they know in theory they should be taking.

The protection of private information, and ensuring data integrity, has recently been thrown into the spotlight more than ever before, thanks to the ongoing revelations that show the mass interception of data by organisations such as the NSA. On top of that, the massive proliferation of devices that we carry around everywhere that are able to access the Internet has meant that we now have a whole new dizzying array of ways for others to access our data without our knowledge or consent. Arguably, these mobile devices are even more at risk of security vulnerabilities because of their tendency to default to insecure, public wireless networks. Specialists at the computer security conference DefCon recently warned that we could be yet to see the worst, or most sophisticated, of these attacks, but the fact is that there are simple, and well known tools freely available on the Internet that allow anybody with basic technical knowledge to interfere with your connection whilst on wireless networks. It’s worth having a look again at what we can do to guard against this happening.

What is a ‘man in the middle’ attack?

Without going into the technical details of how these attacks actually work, a ‘man in the middle’ attacker essentially sticks their hand up first when your device is looking for an appropriate router to connect to, and pretends to be the place you actually want to gain access to.

Essentially, instead of connecting to the network through the route you might expect (like a wireless router) you get redirected via another device first. This means that all of your traffic is flowing through an additional step before getting onto the Internet, and allows anybody in control of that piece of equipment access to it.

This is incredibly easy to do, and there are many real-world examples of this in the field. One of the more infamous comes in the decidedly fruity shape of the ‘WiFi’ pineapple… a rogue device that convinces network traffic to connect to it rather than the intended, legitimate source. However, even this is bulky in comparison to the possibilities that are now on offer through mobile phone apps… which are harder to find or identify if they are ever detected.
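As an added example that is not part of the original post, here is a defender-side check in Python for the ARP poisoning described above. It compares two snapshots of a machine's neighbour table (constructed here in Linux "ip neigh" output format) and flags an IP whose MAC has changed since the baseline, with the gateway's binding rated highest, as well as a single MAC that answers for more than one IP. The snapshots, addresses and function names are all my own.

```python
import re
from collections import defaultdict

# Constructed snapshots in Linux `ip neigh` output format (not captured from a
# real network). BASELINE is the LAN in its normal state; in SUSPECT the
# gateway's IP (192.168.1.1) has started resolving to the MAC of host .21.
BASELINE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:20 STALE
192.168.1.21 dev wlan0 lladdr aa:bb:cc:00:00:21 REACHABLE
"""
SUSPECT_NEIGH = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:21 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:20 STALE
192.168.1.21 dev wlan0 lladdr aa:bb:cc:00:00:21 REACHABLE
192.168.1.30 dev wlan0 FAILED
"""

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_MAC = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.IGNORECASE)


def parse_neigh(text):
    """Map ip -> mac for each line that carries both; entries without a MAC
    (FAILED / INCOMPLETE) are skipped. MACs are lower-cased for comparison."""
    table = {}
    for line in text.splitlines():
        ip, mac = _IPV4.search(line), _MAC.search(line)
        if ip and mac:
            table[ip.group(1)] = mac.group(1).lower()
    return table


def changed_bindings(baseline, current):
    """[(ip, old_mac, new_mac)] for IPs whose MAC differs from the baseline."""
    return [(ip, baseline[ip], mac) for ip, mac in current.items()
            if ip in baseline and baseline[ip] != mac]


def duplicate_macs(table):
    """{mac: [ips]} for every MAC that answers for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def arp_alerts(baseline_text, current_text, gateway_ip):
    """Compare two snapshots and return human-readable alerts. A changed
    binding for the gateway is the strongest signal, so it is rated HIGH."""
    baseline, current = parse_neigh(baseline_text), parse_neigh(current_text)
    alerts = []
    for ip, old, new in changed_bindings(baseline, current):
        level = "HIGH" if ip == gateway_ip else "MEDIUM"
        alerts.append(f"{level}: {ip} moved from {old} to {new}")
    for mac, ips in duplicate_macs(current).items():
        alerts.append(f"MEDIUM: {mac} answers for {', '.join(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in arp_alerts(BASELINE_NEIGH, SUSPECT_NEIGH, "192.168.1.1"):
        print(alert)
```

Take the baseline when you first join a network you trust and re-run the comparison periodically. One MAC answering for several IPs also happens legitimately (a router with multiple addresses, a virtualisation host), which is why it is rated lower than the gateway's MAC changing mid-session.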

What are the dangers?

It should hopefully be pretty obvious why you wouldn’t want wee Davey sitting in the corner of Starbucks intercepting everything that you’re doing online, but even if you’re not all that concerned about anybody knowing which websites you visit and when, there are other, more potent dangers that the man in the middle poses.

Denial of Service

Finding Internet speeds too slow on a shared network connection? Not a problem for the man in the middle! As their device is acting as an intermediary checkpoint between yourself and the glorious open highways of the Internet, then they can simply… refuse to let you go any further. After convincing all of the devices on a network to use it as a gateway, those making use of this tactic can deny every single one of them access, and make use of the entire bandwidth available on that connection themselves. In effect, the man in the middle has a master switch to your use of any network you both are trying to make use of.

URL Redirection/DNS Spoofing

Really like NyanCat? What about 80s pop sensations? Probably just as well, as redirecting every page you try to visit to these websites is a particular favourite pastime of the mischievous man in the middle. Oh those tricksters!

This might sound harmless enough, but is actually just a tame example of what is possible with this sort of technology. Imagine that instead of checking out the BBC News website, you were logging in to your online banking account, and were nefariously redirected to an identical-looking page that was actually run by the attacker – completely unbeknownst to you…

You can see the problem here.

SSL Stripping

‘Psht, so what?’, I hear you cry! ‘I always use SSL when I’m logging in anyway.’

Sorry, but in practice, this alone doesn’t make a whole lot of difference when it comes to man in the middle attacks.

For those not familiar with what SSL (or Secure Sockets Layer) means, it is essentially what the little padlock displayed by the browser when you’re online (usually making a payment) represents. This means that all of the traffic between you and that website, at that point, is encrypted. Even if somebody is monitoring what you’re doing remotely, then they can’t see any of what you submit.

So… problem solved?

Not quite.

Whilst SSL is widely used for financial transactions (such as over PayPal), in practice, it’s far from perfect. Many websites still do not offer SSL connections by default, requiring you instead to specifically turn them on. Many simply require encryption for the login process, and not anything afterwards (which we’ll get to in the next section). Even those that do default to a secure connection, often still run the insecure service as well. It wasn’t too long ago that Facebook were operating precisely in this fashion.

Since most people take this for granted, it is fairly easy to redirect a computer under the spell of this sort of poisoning attack to the non-SSL version of a website, without it ever occurring to the user to check. The trick, known as SSL stripping, works like this: the man in the middle talks SSL to the real website itself, but hands you a plain HTTP copy of every page with the https:// links rewritten to http://. Your browser never asked for a secure connection, so it has no reason to warn you; the only clue is the missing padlock. Websites can tell browsers to refuse plain HTTP for them altogether (the HTTP Strict Transport Security header), but that only protects the sites which send it, and only once your browser has seen it over a genuine secure connection.

Session Hijacking

Ahhh, session hijacking. That old favourite!

Ever left your Facebook profile logged in on a friend’s computer, only to return home and find some oh-so-hilarious status update that they’ve chosen to ‘frape’ you with?

Imagine this, but with people you don’t know, and without ever logging onto their computer… and you’ve got the gist of session hijacking.

When you log in to a website, it remembers who you are for the duration of that 'session'. This can be for varying lengths of time, depending on whether you decide to have them 'keep you logged in' or not, and the usual mechanism is a cookie: a token your browser sends back with every request so the site knows it is still you. What matters is, when those requests are not secured, that token travels in the clear, and anybody with access to the flow of traffic can copy it, present it themselves, and pick up where you left off. Logged into YouTube recently? Nice… So has the man in the middle! At the time of writing, YouTube does not default to SSL connections, and so dropping in to read your messages (or worse) is as easy as walking through an open door.
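To make the SSL stripping and session hijacking points concrete, here is an added example (my own, not code from the original post or from any tool mentioned in it) that looks at a site's response headers the way a man in the middle would: which cookies would the browser still hand over if the next request were downgraded to http://, and has the site sent the Strict Transport Security header that stops the downgrade happening at all. The headers are constructed for the example, not captured from any real site.

```python
"""Audit a site's HTTPS response headers for what an SSL-stripping man in
the middle would get out of a downgraded session.

Added example, not part of the original post. The headers below are
constructed, not captured from any real site.
"""
import re

# Constructed sample: headers a site might send with a login response over HTTPS.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=zz9; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Content-Type", "text/html; charset=utf-8"),
]

# Same site, but also pinning itself to HTTPS for a year via HSTS.
SAMPLE_HEADERS_HSTS = SAMPLE_HEADERS + [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lower-case attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_exposed_to_stripping(headers):
    """Names of cookies the browser would attach to a plain http:// request.

    Only the Secure attribute stops a cookie travelling over HTTP. HttpOnly
    hides it from page scripts but does nothing on the wire, so a stripped
    session cookie marked HttpOnly is still handed to the man in the middle.
    """
    exposed = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


def hsts_max_age(headers):
    """HSTS max-age in seconds, or None if the site sends no such header."""
    for key, value in headers:
        if key.lower() == "strict-transport-security":
            match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
            if match:
                return int(match.group(1))
    return None


def audit(headers):
    """Summarise what a downgrade to http:// would cost the user of this site."""
    exposed = cookies_exposed_to_stripping(headers)
    max_age = hsts_max_age(headers)
    # max-age=0 tells the browser to forget the policy, so it counts as absent.
    # HSTS also only protects repeat visitors: the header has to have been seen
    # over a genuine HTTPS connection before the attacker got in the way.
    if max_age:
        verdict = "hsts: browser refuses the http:// downgrade on later visits"
    elif exposed:
        verdict = "stripped session leaks cookies: " + ", ".join(exposed)
    else:
        verdict = "no hsts, but every cookie is Secure, so a stripped request carries no session"
    return {"exposed": exposed, "hsts_max_age": max_age, "verdict": verdict}


if __name__ == "__main__":
    for label, hdrs in (("plain", SAMPLE_HEADERS), ("with hsts", SAMPLE_HEADERS_HSTS)):
        print(label, audit(hdrs))
```

Run it and the first sample reports that `session` and `prefs` would leak over a stripped connection even though `session` is HttpOnly, while the second sample is rescued by HSTS. The lesson for the user is the one in the text: the padlock on the login page alone proves nothing about the requests that follow it.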

How can I protect myself?

Without a doubt, these attacks are something that everybody should be aware of, but most people aren’t – partly because of the technical nature of the problem. However, there are some simple things you can do to avoid this type of attack.

HTTPS Everywhere

HTTPS Everywhere is a plugin for Google Chrome and Firefox from the EFF which automatically forces the browser to go to the secure version of a website where one exists, and send all of the traffic over SSL. No need to fiddle about with individual settings on different services, or work out where offers SSL and where doesn't. HTTPS Everywhere does the work for you. It can't conjure up SSL where a site doesn't offer it at all, mind, so it closes the 'redirect to the insecure version' door rather than every door.

Use an encryption service

There are various different services that you can route all of your network traffic through which will prevent the man in the middle from simply intercepting your data as in the above explanation. If configured correctly, it won't matter whether a website has SSL enabled or not; the attacker on your local network won't see anything but scrambled information. The one thing to keep in mind is that the encryption only covers the leg between you and the service. Once your traffic leaves the Tor exit node or the VPN provider, it is back to whatever the website itself offers, so SSL still matters there.

The ‘Tor’ service is free, and will effectively anonymise your activity online, but can have a significant effect on the speed of your connection. Whole academic papers can be (and have been) written on what Tor is and how it works, so see here for a good introduction.

A good quality VPN service will encrypt all of your network traffic when configured correctly, usually with little noticeable impact on your connection speed. It’s also a quick and easy way to bypass local network restrictions, such as the upcoming proposed UK Internet filter. Premium services aren’t free, but there are alternatives available. I’ve written in more detail about VPN in the past, so check out this blog post for more information.

Both Tor and VPN services can be used on your laptop, desktop, or mobile devices.

Further Securing against the man in the middle

Using an encryption service will keep the data you transmit over a network secure, which is the primary concern with man in the middle attacks. However, it won’t necessarily stop the denial of service attack that was explained above. Whilst there aren’t many, there are a few utilities that Android, Windows, and Mac users can make use of to kill off an attempt completely, or at least be notified of it happening. If anybody is aware of any other effective utilities – especially for Windows/the iPhone – please get in touch!

One of the highest rated for Android phones is WiFi Protector. As well as blocking common man in the middle attacks such as session hijacking, it also appears to protect against attempts at denial of service. At the time of writing, this is only available for users who are familiar with the technical side of phones (e.g. those who have their device rooted), and can be found at the XDA-Developers forum.

Again for Android, DroidSheep Guard is a free app that alerts of possible man in the middle attacks, and is available in Google Play. This is one of the easiest to use, with one of the nicest interfaces that I’ve come across. Always a bonus!

Mocha is a small tool for Mac users that will run in the background and alert you to any changes to the network configuration that may suggest a man in the middle attack. If you are connected to a WiFi hotspot and the physical address (MAC address) your Mac has on record for the gateway changes, it is possible that someone is attempting to redirect your traffic via their device. (Note that this will not work if you connect to a new hotspot which is already subject to ARP spoofing, since the first MAC address it sees for the gateway is the attacker’s, and that is the one it then treats as normal.) It can be found via MacUpdate here.

CUTe ARP Protector is a tool for the more technically minded, and is available for Windows from its own website. Other useful Windows tools are XArp, which has both free and premium versions, and ARP AntiSpoof (Windows/Linux).
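All of the tools above work on the same principle, so here is an added example of that principle in code (my own, not code from Mocha, XArp, CUTe ARP Protector or any other tool named here): a passive monitor that remembers which MAC address answered for each IP and raises an alert when a later ARP reply disagrees, treating the gateway as the address that matters most. The ARP replies are constructed, and the gateway IP is an assumption; on a real host you would read it from the DHCP lease or routing table and feed the monitor from a packet capture. It also shows how seeding the monitor with a known-good baseline covers the case noted for Mocha, where you join a hotspot that is already being poisoned.

```python
"""Passive ARP monitor: flag the table changes that an ARP-spoofing man in
the middle produces, the way the Mac and Windows tools above do.

Added example, not code from Mocha, XArp, CUTe ARP Protector or any other
tool named in the post. The ARP replies below are constructed, and the
gateway IP is an assumption (on a real host you would read it from the
DHCP lease or routing table).
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumption: the router's address on this network

# Constructed sample: (frame number, sender IP, sender MAC) of ARP replies seen on the wire.
SAMPLE_REPLIES = [
    (1, "192.168.1.1", "aa:bb:cc:00:00:01"),   # the real router
    (2, "192.168.1.20", "aa:bb:cc:00:00:14"),  # another laptop on the hotspot
    (3, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (4, "192.168.1.1", "de:ad:be:ef:00:99"),   # attacker starts claiming the gateway IP
    (5, "192.168.1.20", "aa:bb:cc:00:00:14"),
    (6, "192.168.1.1", "de:ad:be:ef:00:99"),   # ...and keeps repeating it
    (7, "192.168.1.20", "de:ad:be:ef:00:99"),  # ...and poisons the other direction too
]


class ArpWatch:
    """Remember the first MAC seen for each IP and alert when a reply disagrees."""

    def __init__(self, gateway_ip, baseline=None):
        self.gateway_ip = gateway_ip
        # Seeding from a known-good baseline closes the gap the post notes for
        # Mocha: if the first reply we see is already the attacker's, a monitor
        # with no baseline happily learns the wrong MAC as the "real" one.
        self.table = dict(baseline or {})
        self.macs_by_ip = defaultdict(set)
        self.alerts = []

    def observe(self, frame, ip, mac):
        """Feed one ARP reply; return True if it agrees with what we know."""
        mac = mac.lower()
        self.macs_by_ip[ip].add(mac)
        known = self.table.setdefault(ip, mac)
        if known == mac:
            return True
        self.alerts.append({
            "frame": frame, "ip": ip, "was": known, "now": mac,
            # A changed gateway MAC means all your off-network traffic now
            # passes through somebody else's device; a changed host MAC is
            # the other half of a full two-way interception.
            "severity": "gateway" if ip == self.gateway_ip else "host",
        })
        return False

    def duplicate_macs(self):
        """MACs that have claimed more than one IP: one device answering for router and victims."""
        ips_by_mac = defaultdict(set)
        for ip, macs in self.macs_by_ip.items():
            for mac in macs:
                ips_by_mac[mac].add(ip)
        return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def scan(replies, gateway_ip=GATEWAY_IP, baseline=None):
    """Run the monitor over a batch of replies and return it for inspection."""
    watch = ArpWatch(gateway_ip, baseline)
    for frame, ip, mac in replies:
        watch.observe(frame, ip, mac)
    return watch


if __name__ == "__main__":
    result = scan(SAMPLE_REPLIES)
    for alert in result.alerts:
        print("frame {frame}: {ip} moved from {was} to {now} ({severity})".format(**alert))
    print("MACs claiming several IPs:", result.duplicate_macs())
```

On the sample, the first alert fires at frame 4 when the gateway's MAC changes, and `duplicate_macs()` shows one device claiming both the router and the other laptop, which is exactly the shape of a full interception. Note that a baseline-free run over a capture that starts after the poisoning has begun raises nothing at all, which is why the tools above warn that they cannot protect you on a hotspot that was already compromised when you joined.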

Be vigilant

There is no single way to completely prevent man in the middle attacks from impacting your network connectivity. Most of the advice that is given from people who skim the surface of this topic boils down to “don’t use open wireless networks”. Uhh, right. Nice idea pal, but not a practical reality. As we rely more and more on disparate WiFi networks, we all need to be aware of the dangers of insecure communications, and take steps to reduce the risks. These aren’t limited solely to open networks, but any that are shared – such as in a workplace or University. Just because they are secured with a passphrase doesn’t mean they are any more secure than a public hotspot in an Internet cafe: everyone who knows the passphrase is on the same network as you, and can poison it just as easily. Some types of wireless network are more secure than others, but it’s up to you to ensure the integrity of your own data.

If you only do one thing after reading this blog, then sign up for a VPN service and start using it on shared networks. Make sure you check that you’re connected to websites over SSL when you expect to be, and if something doesn’t seem right, disconnect and log in somewhere else. It’s a first step towards keeping your personal information safe.

Man in the middle and WiFi Pineapple images by Nadine Khatib / Amor Group