Having the freedom to travel a lot because of your job is a great thing. It means you can disappear off to a different country for a few months to visit friends or family, or just see the world.
The problem is that often the utilities we make use of at our home bases aren’t really set up to deal with people that are out of the country regularly, or for longer than a couple of weeks. Sometimes, they can’t even cope with any length of absence due to badly thought out and implemented processes.
I’ve run into a pile of these issues, such as my mobile phone operator (T-Mobile) acting like complete idiots and refusing to allow international roaming, or how to submit electricity meter readings when you can’t physically get to the meter.
Today though, Tesco managed to knock it out the park, delivering a perfect example of how things are made difficult for those who wander.
I logged on to my Tesco banking account to make a credit card payment, and was confronted with the news that they had recently made changes to their security checks. As a result, if you were logging in from a computer that they didn’t ‘recognise’, then a security code would be sent to the mobile number registered on your account.
This wouldn’t be a huge deal if we were away for a week or so, but given that we’ve been gone for a few months, this isn’t good. It means that I won’t be able to make any payment to my account, and so miss the minimum required to avoid charges.
The process to get the mobile number changed is a pain in the ass, and I’m not entirely sure what I’m meant to do. The Tesco Website seems to suggest that the only alternative is to have a one-time access code sent to your home address by post.
A One Time Access Code is a code we use as a security measure to confirm your identity when you forget your login details or use a browser, computer or mobile device that we don’t recognise.
Check that your mobile number is up to date and select Send. We’ll send the One Time Access Code by text message.
If you don’t have a mobile phone number, you’ll need to call us on 0845 300 3511 to get a Temporary Security Number by post.
This is DUMB.
Given the inconsistency in the way these places implement their checks, I downloaded the Tesco Banking app to take a look and see if I could bypass the mobile number validation. Unlikely, but worth a shot.
What really stung though, was this message:
That’s right. If the mobile number you need to login to the online banking account isn’t correct, you need to log in to the online banking account to change it.
Well done Tesco. Well done.
What really annoys me is that this is completely unnecessary, for various reasons.
* Recognising computers or devices via cookies is a pretty crappy approach, penalising those who regularly clear out their caches. There are far better ways to deal with this (such as registering MAC addresses) that don’t rely on the browser config staying the same.
* Having a two factor method of authentication is important, particularly for financial related accounts. However, to tie that into SMS text messages is pish. Mobile coverage and carriers are far too unreliable to be used as the sole source for 2fa. There are plenty of alternatives available to generate tokens – independent of something as variable as a mobile number.
* There should always be an alternative to access the account where you can’t use your device. It’s why Google, LastPass, WordPress, and countless others all provide back-up, one-time access codes that you are meant to store in a safe place to use in the event that you can’t receive a text message, or a code to your smartphone.
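As an added illustration of the back-up code mechanism mentioned in the last point (this is not Tesco’s code, nor anything from the original post), here is how such codes are normally handled: a small batch is generated once and shown to the user, the server keeps only salted hashes of them, and each code is accepted exactly once. The alphabet, code length and batch size are choices made for this example.

```python
import hashlib
import hmac
import secrets
import string

# Digits and lower-case letters, minus the easily confused 0/o and 1/l, so the
# codes can be written down and typed back in from paper. 32 symbols remain.
ALPHABET = "".join(c for c in string.digits + string.ascii_lowercase if c not in "01ol")
CODE_LENGTH = 10   # 10 symbols from 32 gives 50 bits of entropy per code
CODE_COUNT = 8     # batch size is an arbitrary choice for the example


def generate_backup_codes(count=CODE_COUNT, length=CODE_LENGTH):
    """Return a list of fresh random one-time codes, formatted as xxxxx-xxxxx."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[: length // 2] + "-" + raw[length // 2:])
    return codes


def _normalise(code):
    # Be forgiving about how the user typed the code back in.
    return code.replace("-", "").replace(" ", "").lower()


def _digest(code, salt):
    # Only a salted, slow hash is stored: a leaked table must not yield usable codes.
    return hashlib.pbkdf2_hmac("sha256", _normalise(code).encode(), salt, 100_000)


class BackupCodeStore:
    """Per-account store of hashed, single-use backup codes."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = [_digest(c, self.salt) for c in codes]
        self.used = []

    def redeem(self, candidate):
        """Accept the code once; a second use of the same code is refused."""
        digest = _digest(candidate, self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, digest):
                self.unused.remove(stored)
                self.used.append(stored)
                return True
        return False

    def remaining(self):
        return len(self.unused)


if __name__ == "__main__":
    batch = generate_backup_codes()
    store = BackupCodeStore(batch)
    print("codes to keep somewhere safe:", batch)
    print("first use accepted:", store.redeem(batch[0]))
    print("second use accepted:", store.redeem(batch[0]))
    print("codes left:", store.remaining())
```

The point of the store is that the codes never depend on a phone number or a recognised browser: the account holder can be on the other side of the world with a fresh laptop and still get in, and a code that has been used is burned.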
So there we have it. Tesco has failed to implement a sensible account verification process, despite standards and templates already available widely online. Useless.
After the revelations last week concerning the active weakening of encryption technologies by the NSA and GCHQ, I used writetothem.com to get in touch with my local MSP John Mason, and MP Anas Sarwar.
The message I sent to John is below, with a similar variant used for Anas Sarwar:
Dear John Mason,
Yesterday a number of major media outlets published revelations that GCHQ, in partnership with the American NSA, have been systematically working to defeat encryption systems used on the Internet. Despite a move many years ago to have vulnerabilities inserted into encryption software being defeated, these agencies have clandestinely used their considerable resources to do this extra-legally.
In actively reducing the integrity of secure communications, GCHQ has also weakened the protection of consumers online. With un-named vulnerabilities being implemented into systems that we have been led to believe are safe, such as online banking, and e-commerce, these have been opened up to exploitation by third party hackers. The Internet is a more dangerous place because of these actions.
Much is still unclear about the capabilities possessed by GCHQ and the NSA, such as what technologies that are now vulnerable. Answers need to be provided, as these agencies have far over-stepped their remit, effectively engaging in mass surveillance of their own citizens, in breach of the right to privacy afforded by the various International conventions.
Whilst I understand that this can arguably be classed as a reserved matter, I believe that it is so important that the actions of GCHQ cannot be left un-challenged. I ask that you would publicly challenge GCHQ for details of the technologies that they have exploited; to cease the invasion of the privacy of those in Scotland; and to demand that the UK Government explains why this has been allowed to happen.
I look forward to your response,
I have always found John Mason to be helpful, and determined to stand up for his constituents. His response is below:
Thanks for your email.
In the first place I am happy to agree with your main points that GCHQ or whoever should not be spying on their own citizens. You can quote me publically[sic] on that if you want.
However, how to deal with it is more difficult. In the first place I think there is wide public support for spying by the state on suspected terrorists and in fact when we do see terrorist acts we often have a public reaction as to why the state had not been more proactive in clamping down sooner. The film ‘Minority Report’ (I think) raised some of these questions in how far the state goes in preventing crimes happening.
Secondly, I believe GCHQ has the full support of the UK government/establishment. They see it as their job to do all this kind of thing. So asking them not to do it is a bit like asking a cat to stop being a cat.
Thirdly, my guess is that the UK establishment is also spying on the Scottish government.
On a personal basis, I tend to work on the assumption that my phone calls may be tapped, my emails and texts are likely to be read by people who should not be doing so. Can we change all this? I’m not sure. I would certainly like to and am happy to support any campaign on this. Whistle blowers are certainly part of the answer. Unless we can get insiders to go public, I doubt we will find out much information that the establishment does not want us to have.
I am happy to discuss any of this with you face to face if that would be easier. I guess I am a bit sceptical but I am open to persuasion that things can be made better.
The response from Anas Sarwar is below:
Dear Mr Blythe,
Anas Sarwar MP has asked me to thank you for your email below regarding allegations about data collection and sharing by UK intelligence agencies.
These are, of course, extremely serious allegations and it is vital that they are thoroughly investigated and that we ensure there is effective oversight and a clear legal framework to oversee our intelligence operations.
Mr Sarwar appreciates that our intelligence and security services undertake vital, often unrecognised, work to protect our security and to counter the threats we face. Given the global nature of their work it is also crucial that our intelligence agencies are able to share information across international borders with our allies, including the USA.
However, he also believes there needs to be public confidence that our intelligence agencies are themselves law-abiding and accountable, and that any intelligence information received from the USA or any other country has been obtained legally.
These recent allegations have caused real public concern and underline once again the need for effective Parliamentary and Ministerial oversight of all three of our intelligence organisations. The Government have been asked a number of questions about these allegations in the House of Commons and by the Intelligence and Security Committee. The Committee was set up in 1994 to examine the expenditure, administration and policy of the country’s intelligence agencies, and is currently looking into the issues around GCHQ that have been raised by recent events.
Mr Sarwar has asked me to assure you that he will continue to monitor this important issue closely and will try to raise some of the points you mentioned with Government Ministers in Parliament firstname.lastname@example.org Ministerial question time. [sic]
Thank you once again for writing to Mr Sarwar and sharing your views with him.
Office of Anas Sarwar MP
Deputy Leader of the Scottish Labour Party
Member of Parliament for Glasgow Central
Rm 221-223 Portcullis,
House of Commons,
I since have invited John Mason to come and meet with the Glasgow Open Rights Group members to discuss the issues involved.
In the past few days, more details have emerged about the sheer extent of the surveillance being carried out by both the NSA in America, and GCHQ in the UK.
Whilst the initial news that these intelligence agencies have been intercepting massive amounts of data was a shock, the latest round of news is perhaps the most alarming of all. PRISM had an apparent budget of $25 Million. ‘Bullrun’ has a value of closer to $250 Million.
A surge of web users have reportedly moved to increase the amount of encryption they use on a daily basis after discovering the extent to which their unsecured communications were being monitored. Now, it turns out that much of that encryption could well have little effect on the ability of Government bodies to snoop.
This is a development that has massive implications for our use of, and dependency on, the Internet itself… yet because of the subject matter, has not garnered as much coverage as it should have. The articles from the Guardian et al. give an insight into what is going on, but do not go into specific details of the technologies at risk, and can be inaccessible to somebody who is not already familiar with issues relating to encryption.
What’s the problem?
When encryption first was introduced online, there was a concerted effort by Governments to require systems to have in-built weaknesses to ensure they retained an ability to access it; the ultimate master key. This was defeated after a hard-fought, cross-political campaign. However, the NSA and GCHQ have gone ahead and achieved the same result, without legislation, by utilising their considerable resources.
The intelligence agencies have deployed multiple tactics to ensure they have access to data – whether it is encrypted or not.
One of the tactics includes the weakening of encryption systems by implementing vulnerabilities into their architecture. This means that even the most theoretically secure encryption services can be exploited to reveal the information.
Encryption is not just a tool for political activists or paranoid geeks. Every day we rely on encryption to securely log in to our bank accounts; buy things online; save usernames and passwords; and keep the likes of our Facebook accounts from interference.
By systematically targeting encryption to weaken its protections, the NSA and GCHQ are also undermining the integrity of all of our communications online; the basis of the global ‘information economy’.
How can I protect myself?
At the moment, it isn’t clear exactly what services have been manipulated, and what have not. Speculation is rife over whether actual protocols used (such as HTTPS for secure web browsing) have been compromised, or whether it is simply specific companies that have been coerced into providing covert ways into their services. SSL for example – indicated by the presence of the padlock in the address bar – has been shown to be extremely vulnerable given the way that the ‘certificate authorities’ who sign off on the transmission are susceptible to attack. As Orwell Upgraded puts it: ‘Who looks after the keys?’ Even the much lauded article by security expert Bruce Schneier on this topic seems contradictory and unclear in places. (“The NSA has huge capabilities – and if it wants in to your computer, it’s in. With that in mind, here are five ways to stay safe” – Eh?!)
However, this technology is not available to everybody, yet. Your local police force will not have access to this technology, nor your employer, nor the opportunist hacker. It wasn’t too long ago that even Scotland Yard were reporting that the use of TrueCrypt encryption on David Miranda’s laptop rendered the data ‘extremely difficult to access’. The NSA is still reportedly deploying many of the bread-and-butter tactics used by hackers for decades, including brute-force attempts to access accounts by mathematically ‘guessing’ passwords. If they did indeed have a golden bullet to decrypt all secure material, then there would be no need for this. Edward Snowden himself, the exiled NSA contractor who leaked the documents in the first place, has confirmed that ‘properly implemented crypto systems‘ work; the issue being the lack of security that surrounds those systems in the first place.
There are still steps that can be taken to make it more difficult for your data to be accessed. Whilst not ideal, for the everyday web user, taking a few extra steps can mean that your data is less likely to be intercepted than somebody who takes no steps at all. There’s that well-worn tale of the man who, when faced with a lion, puts on trainers. When someone points out that he’ll never be able to out-run such a powerful beast, he simply replies that he only has to out-run everybody else.
No, we don’t know who to trust just now, but you can still take steps to improve your security:
* Make use of high entropy passwords. Never use the same password for more than one service. LastPass is one of the best ways to manage this. Whilst stored in ‘the cloud’, it makes use of end-to-end encryption, which means only you should theoretically be able to decrypt its contents.
* Encrypt your data with 4096-bit encryption where possible.
* Use open source software that can be scrutinised by the online community for weaknesses. Avoid commercial, ‘closed’ software from a vendor that can be more easily manipulated. TrueCrypt is one of the most widely used and respected. Whilst we currently don’t know about its status in this whole affair, it’s one of the best bets.
* Encrypt your Internet traffic with a VPN, or use Tor.
* Use extensions such as HTTPS Everywhere to ensure you are always using the most secure version of a website where available.
* Make your data as difficult to access as possible. Don’t just leave the door wide open.
* People need to know about this and why it’s important, not just be blinded by the technical speak. Spread the word, explain to people, and get them to act as well.
* Write to your local MP and demand that they challenge the UK Government to give answers on this. Write to your MSP and do the same with the Scottish Parliament; it might be a reserved issue, but they still have the power to speak. Cause a fuss until they listen.
This is a dark time for the Internet, but it doesn’t have to stay that way.
If we ever share a WiFi network, chances are I can intercept what you’re doing.
‘Man in the middle’ attacks have been around for about as long as the Internet itself, and so those familiar with network security will already be well aware of the threat posed by ‘ARP spoofing’ or ‘poisoning’. The thing is, most people aren’t familiar with the basics of protecting their communications online, and even those who are don’t always take the precautions that they know in theory they should be taking.
The protection of private information, and ensuring data integrity, has recently been thrown into the spotlight more than ever before, thanks to the ongoing revelations that show the mass interception of data by organisations such as the NSA. On top of that, the massive proliferation of devices that we carry around everywhere that are able to access the Internet has meant that we now have a whole new dizzying array of ways for others to access our data without our knowledge or consent. Arguably, these mobile devices are even more at risk of security vulnerabilities because of their tendency to default to insecure, public wireless networks. Specialists at the computer security conference DefCon recently warned that we could be yet to see the worst, or most sophisticated, of these attacks, but the fact is that there are simple, well known tools freely available on the Internet that allow anybody with basic technical knowledge to interfere with your connection whilst on wireless networks. It’s worth having a look again at what we can do to guard against this happening.
What is a ‘man in the middle’ attack?
Without going into the technical details of how these attacks actually work, in a ‘man in the middle’ attack the attacker’s device essentially sticks its hand up first when your device is looking for the router it should connect to, and pretends to be the place you actually want to reach.
Essentially, instead of connecting to the network through the route you might expect (like a wireless router) you get redirected via another device first. This means that all of your traffic is flowing through an additional step before getting onto the Internet, and allows anybody in control of that piece of equipment access to it.
This is incredibly easy to do, and there are many real world examples of it in the field. One of the more infamous comes in the decidedly fruity shape of the ‘WiFi Pineapple’… a rogue device that convinces network traffic to connect to it rather than the intended, legitimate source. However, even this is bulky in comparison to the possibilities that are now on offer through mobile phone apps… which are harder to find or identify if they are ever detected.
What are the dangers?
It should hopefully be pretty obvious why you wouldn’t want wee Davey sitting in the corner of Starbucks intercepting everything that you’re doing online, but even if you’re not all that concerned about anybody knowing which websites you visit and when, there are other, more potent dangers that the man in the middle poses.
Denial of Service
Finding Internet speeds too slow on a shared network connection? Not a problem for the man in the middle! As their device is acting as an intermediary checkpoint between yourself and the glorious open highways of the Internet, then they can simply… refuse to let you go any further. After convincing all of the devices on a network to use it as a gateway, those making use of this tactic can deny every single one of them access, and make use of the entire bandwidth available on that connection themselves. In effect, the man in the middle has a master switch to your use of any network you both are trying to make use of.
URL Redirection/DNS Spoofing
Really like NyanCat? What about 80s pop sensations? Probably just as well, as redirecting every page you try to visit to these websites is a particular favourite pastime of the mischievous man in the middle. Oh those tricksters!
This might sound harmless enough, but is actually just a tame example of what is actually possible with this sort of technology. Imagine that instead of checking out the BBC News website, you were actually logging in to your online banking account, and were instead nefariously redirected to an identical looking page that was actually run by the attacker – completely unbeknownst to you….
You can see the problem here.
‘Psht, so what?’, I hear you cry! ‘I always use SSL when I’m logging in anyway.’
Sorry, but in practice, this alone doesn’t make a whole lot of difference when it comes to man in the middle attacks.
For those not familiar with what SSL (or Secure Sockets Layer) means, it is essentially what the little padlock displayed by the browser when you’re online (usually making a payment) represents. This means that all of the traffic between you and that website, at that point, is encrypted. Even if somebody is monitoring what you’re doing remotely, they can’t see any of what you submit.
So… problem solved?
Whilst SSL is widely used for financial transactions (such as over PayPal), in practice, it’s far from perfect. Many websites still do not offer SSL connections by default, requiring you instead to specifically turn them on. Many simply require encryption for the login process, and not anything afterwards (which we’ll get to in the next section). Even those that do default to a secure connection, often still run the insecure service as well. It wasn’t too long ago that Facebook were operating precisely in this fashion.
Since most people take this for granted, it is fairly easy to redirect a computer under the spell of this sort of poisoning attack to the non-SSL version of a website, without it ever occurring to the user to check.
Ahhh, session hijacking. That old favourite!
Ever left your Facebook profile logged in on a friend’s computer, only to return home and find some oh-so-hilarious status update that they’ve chosen to ‘frape’ you with?
Imagine this, but with people you don’t know, and without ever logging onto their computer… and you’ve got the gist of session hijacking.
When you log in to a website, it remembers who you are for the duration of that ‘session’. This can be for varying lengths of time, depending on whether you decide to have them ‘keep you logged in’ or not, and can use different mechanisms for doing so, but the details are largely unimportant. What matters is, when these sessions are not secured, anybody with access to the flow of traffic can reach in, and pick up where you left off. Logged into YouTube recently? Nice… So has the man in the middle! At the time of writing, YouTube does not default to SSL connections, and so dropping in to read your messages (or worse) is as easy as walking through an open door.
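The ‘session’ the paragraph above talks about is, on most sites, a cookie, and whether the man in the middle can pick it up comes down to the flags the site sets on it. As an added example (my own, not from the original post, and not any real site’s headers), here is a small audit that reads the Set-Cookie headers a login response returns and reports session cookies that a browser would also send over plain http. The three hostnames and their headers are constructed for the example.

```python
# Constructed Set-Cookie headers standing in for what three different sites
# might return when you log in. Hostnames and values are made up.
SAMPLE_RESPONSES = {
    "video-site.example": [
        "SID=abc123; Path=/; Domain=.video-site.example",
    ],
    "bank.example": [
        "session=ef56; Path=/; Secure; HttpOnly",
        "lang=en; Path=/",
    ],
    "social.example": [
        "sessionid=9a8b; Path=/; HttpOnly",
    ],
}

# Substrings that usually mark a cookie as carrying the logged-in state.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, attrs); attrs keys are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def looks_like_session_cookie(name):
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit(responses):
    """Return {host: [(cookie_name, [problems])]} for exposed session cookies.

    A session cookie without the Secure flag is sent on http:// requests too, so
    anyone who can steer the browser to the non-SSL version of the site sees it.
    Without HttpOnly it can additionally be read by any script on the page.
    """
    findings = {}
    for host, headers in responses.items():
        for header in headers:
            name, attrs = parse_set_cookie(header)
            if not looks_like_session_cookie(name):
                continue
            problems = []
            if "secure" not in attrs:
                problems.append("sent over plain http too")
            if "httponly" not in attrs:
                problems.append("readable by page scripts")
            if problems:
                findings.setdefault(host, []).append((name, problems))
    return findings


if __name__ == "__main__":
    for host, issues in audit(SAMPLE_RESPONSES).items():
        for cookie, problems in issues:
            print(f"{host}: {cookie}: {', '.join(problems)}")
```

Of the three constructed sites only the bank gets a clean bill; the other two set a session cookie that would be handed to the man in the middle the moment the browser is pushed onto the http version of the site.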
How can I protect myself?
Without a doubt, these attacks are something that everybody should be aware of, but most people aren’t – partly because of the technical nature of the problem. However, there are some simple things you can do to avoid this type of attack.
HTTPS Everywhere is a plugin for Google Chrome and Firefox which automatically forces the browser to go to the secure version of a website where one is available, and sends all of the traffic over SSL. No need to fiddle about with individual settings on different services, or to work out which sites offer SSL and which don’t. HTTPS Everywhere does the work for you.
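To show what the plugin is actually doing under the bonnet, here is an added example (my own code, not HTTPS Everywhere’s) that applies a ruleset in the same spirit as its rules: a list of target hosts, a list of exclusions for hosts where the secure version doesn’t work, and rewrite rules that turn an http:// URL into its https:// equivalent. The hostnames in the ruleset are constructed for the example.

```python
import re

# A hand-written ruleset modelled on the shape of HTTPS Everywhere rules
# (targets, exclusions, from/to rewrites). Hostnames are made up.
RULESET = {
    "targets": ["example.com", "*.example.com", "cdn-example.net"],
    # A host on which the secure version is broken: never rewrite it.
    "exclusions": [r"^http://legacy\.example\.com/"],
    "rules": [
        (r"^http://(www\.)?example\.com/", r"https://www.example.com/"),
        (r"^http://(\w+)\.example\.com/", r"https://\1.example.com/"),
        (r"^http://cdn-example\.net/", r"https://cdn-example.net/"),
    ],
}


def host_matches(host, pattern):
    """'*.example.com' matches any subdomain; anything else must match exactly."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def upgrade_url(url, ruleset=RULESET):
    """Return the https:// form of url if a rule applies, otherwise url unchanged."""
    match = re.match(r"^http://([^/:]+)", url)
    if not match:
        return url  # already https, or not a web URL at all
    host = match.group(1)
    if not any(host_matches(host, target) for target in ruleset["targets"]):
        return url  # no rules cover this site
    if any(re.match(pattern, url) for pattern in ruleset["exclusions"]):
        return url  # explicitly left alone
    for frm, to in ruleset["rules"]:
        if re.match(frm, url):
            return re.sub(frm, to, url, count=1)
    return url


if __name__ == "__main__":
    for candidate in [
        "http://example.com/login",
        "http://api.example.com/v1",
        "http://legacy.example.com/",
        "http://other.example.org/",
    ]:
        print(candidate, "->", upgrade_url(candidate))
```

The exclusion list is the part people forget: a blanket “always use https” breaks sites whose secure version is misconfigured, which is why the real plugin ships per-site rules rather than a single global switch.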
Use an encryption service
There are various different services that you can use to route all of your network traffic through that will prevent the man in the middle from being able to simply intercept your data like in the above explanation. If configured correctly, it won’t matter whether a website has SSL enabled or not, the attacker using this method won’t see anything but scrambled information.
The ‘Tor’ service is free, and will effectively anonymise your activity online – but can have a significant effect on the speed of your connection. Whole academic papers can (and have been) written on what Tor is, and how it works, so see here for a good introduction.
A good quality VPN service will encrypt all of your network traffic when configured correctly, with no meaningful impact on your connection speed. It’s also a quick and easy way to bypass local network restrictions, such as the upcoming proposed UK Internet filter. Premium services aren’t free, but there are alternatives available. I’ve written in more detail about VPN in the past, so check out this blog post for more information.
Both Tor, and VPN services can be used on your laptop, desktop, or mobile devices.
Further Securing against the man in the middle
Using an encryption service will keep the data you transmit over a network secure, which is the primary concern with man in the middle attacks. However, it won’t necessarily stop the denial of service attack that was explained above. Whilst there aren’t many, there are a few utilities that Android, Windows, and Mac users can make use of to kill off an attempt completely, or at least be notified of it happening. If anybody is aware of any other effective utilities – especially for Windows/the iPhone – please get in touch!
One of the highest rated for Android phones is WiFi Protector. As well as blocking against common man in the middle attacks such as session hijacking, it appears to also protect against attempts at denial of service. At the time of writing, this is only available for users who are familiar with the technical side of phones (e.g. those who have their device rooted), and can be found at the XDA-Developer forum.
Again for Android, DroidSheep Guard is a free app that alerts of possible man in the middle attacks, and is available in Google Play. This is one of the easiest to use, with one of the nicest interfaces that I’ve come across. Always a bonus!
Mocha is a small tool for Mac users that will run in the background and alert you to any changes to the network configuration that may suggest a man in the middle attack. If you are connected to a WiFi hotspot and the physical address (MAC address) changes, it is possible that someone is attempting to redirect your traffic via their device. (Note that this will not work if you connect to a new hotspot which is already subject to ARP spoofing). It can be found via MacUpdate here.
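The check Mocha performs is simple enough to show in full. As an added example (my own, not Mocha’s code), here is the same idea written against the ARP table as Linux prints it in /proc/net/arp: take a snapshot, take another later, and shout if the gateway’s MAC address has changed or if one MAC address is now answering for several IPs. The two snapshots are constructed for the example; the format is the real /proc/net/arp layout, and a live version would simply read that file instead of the strings.

```python
# Two constructed snapshots in /proc/net/arp format. In the second one the
# gateway (192.168.1.1) has suddenly acquired the same MAC address as the host
# at 192.168.1.37, which is exactly what ARP spoofing looks like from the victim.
SNAPSHOT_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        wlan0
192.168.1.37     0x1         0x2         aa:bb:cc:00:00:37     *        wlan0
"""

SNAPSHOT_AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:37     *        wlan0
192.168.1.37     0x1         0x2         aa:bb:cc:00:00:37     *        wlan0
"""


def parse_arp_table(text):
    """Return {ip: mac} from /proc/net/arp-style text, skipping incomplete entries."""
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if flags == "0x0" or mac == "00:00:00:00:00:00":
            continue  # unresolved entry, nothing to compare yet
        table[ip] = mac
    return table


def check_arp(previous, current, gateway_ip):
    """Compare two ARP snapshots and return a list of alert strings."""
    alerts = []
    old_gw, new_gw = previous.get(gateway_ip), current.get(gateway_ip)
    if old_gw and new_gw and old_gw != new_gw:
        alerts.append(f"gateway {gateway_ip} changed MAC {old_gw} -> {new_gw}")
    # A single MAC answering for more than one IP is the other tell-tale sign.
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    before = parse_arp_table(SNAPSHOT_BEFORE)
    after = parse_arp_table(SNAPSHOT_AFTER)
    for alert in check_arp(before, after, "192.168.1.1") or ["no change"]:
        print(alert)
```

It has the same blind spot Mocha has: if the first snapshot is taken on a network that is already being poisoned, there is nothing to compare against, and only the duplicate-MAC check has a chance of noticing.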
CUTe ARP Protector is a tool for the more technically minded, and is available for Windows on their own website. Another useful Windows tool that has both free and premium versions is XArp, or ARP AntiSpoof (Windows/Linux).
There is no single way to completely prevent man in the middle attacks from impacting your network connectivity. Most of the advice that is given from people who skim the surface of this topic boils down to “don’t use open wireless networks”. Uhh, right. Nice idea pal, but not a practical reality. As we rely more and more on disparate WiFi networks, we all need to be aware of the dangers of insecure communications, and take steps to reduce the risks. These aren’t limited solely to open networks, but any that are shared – such as in a workplace or University. Just because they are secured with a keyphrase, doesn’t mean they are any more secure than a public hotspot in an Internet cafe. Some types of wireless network are more secure than others, but it’s up to you to ensure the integrity of your own data.
If you only do one thing after reading this blog, then sign up for a VPN service and start using it on shared networks. Make sure you check that you’re connected to websites over SSL when you expect to be, and if something doesn’t seem right, disconnect and log in somewhere else. It’s a first step towards keeping your personal information safe.