30 September 2016

Why do some companies use so many different domains?

One thing that I find confusing is that some companies use a whole lot of different domains for different but related services and products. Depending on their line of business, this can sometimes make it tricky to know: am I communicating with the right company or with someone else? In the case of online merchants, banks, credit card issuers, etc., this gets even more confusing and makes users more vulnerable to phishing and other deceptive practices.

Below are examples of domains used by two local banks here in Thailand, UOB and SCB. UOB has actually had a few more "phishing style" domains in the past, but they have retired e.g. "uobcyberbanking.com" and a few others.

The examples above are actually all legitimate domains, owned by the respective bank. However, for a customer or end user, it can be very difficult to know which domains/sites are legitimate, and to distinguish legitimate domains from a fake phishing domain pointing to a spoofed website when so many different domain names are used in parallel.

I was wondering if even the banks' own staff can spot the difference, so I ran an experiment. In the image above, there is an "scbcreditcard.com" domain that belongs to the bank. A quick check with a domain registrar revealed that the [possibly better named] domain scbcreditcards.com was up for grabs for a few dollars.

Would an employee at the bank, say a customer service representative, know which one of the domains scbcreditcard.com and scbcreditcards.com is fake and which one is real?

I registered the domain scbcreditcards.com, and simply made it redirect to the bank's real site. I then sent off a baited question to the bank on Twitter:

The bank eventually replied, but the reply was even more confused. I guess the person operating their Twitter account doesn't even know what an internet domain name is, because they replied that scb.co.th is the only domain name they use.

This is clearly not the case, as they in fact use many more domains, as seen in one of my screenshots above. Had it been true that they only use scb.co.th, that would have been good, and I wouldn't have written this blog post in the first place.

Regardless of the bank's confused answer, it is incredibly difficult for me and other customers [of banks and other companies] to spot a tiny difference like that, especially when so many different domains are used by the same company for their different online services.

In this case, at first I made the newly registered domain scbcreditcards.com redirect to the bank's own (legit) site scbcreditcard.com, but I could have pointed it anywhere, as phishers and other scammers do. I later redirected it to this page.

Being in control of the domain scbcreditcards.com also means I can buy an SSL certificate for it. Just for the sake of testing/demonstrating this in action, I spent another $10 for a DV certificate for the same domain. I wonder if the CA has enough checks in place to catch this...

Note: the bank's legitimate site at http://www.scbcreditcard.com doesn't even support https in the first place, which is a bit weak for a site in any way affiliated with a credit card issuer. Even if the site doesn't provide any access to cardholder data, I would expect a site like that to do https only, with HSTS.

I think it would make a lot of sense for companies to stick to one main domain, and if needed use subdomains under that. If all UOB's services were under "uob.co.th", and all SCB's services were under scb.co.th, then it would immediately be more difficult for phishers to set up fake websites under spoof domains.

In the meantime, consumers will have to try to figure out on their own whether a website they're accessing is legitimate or not, and some will continue to fall for spoof/fake/phishing sites. Companies that set up a new domain for every department/product/service are partially to blame when their customers get tricked; it is simply not possible for end users and consumers to spot the difference between a legitimate site and a fake site when the same company uses 5 different domains for closely related services.
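The scbcreditcard.com / scbcreditcards.com pair above is exactly the kind of near-match a company can watch for itself. As an added example (not code from the original post), the script below classifies a candidate domain against a constructed allowlist of the company's own domains; the allowlist contents and the simplified public-suffix handling in registrable_label() are assumptions.

```python
"""Flag domain names that look like one of an organisation's own domains.

Added example for this post, not code from the original post. LEGITIMATE is a
constructed allowlist holding the two SCB domains the post mentions; the
suffix handling in registrable_label() is a deliberate simplification.
"""
from __future__ import annotations

# Constructed sample allowlist: every domain the company considers its own.
LEGITIMATE = {"scb.co.th", "scbcreditcard.com"}


def registrable_label(domain: str) -> str:
    """Return the label left of the public suffix, e.g. 'scbcreditcard'.

    Handles 'example.com' and 'example.co.th' style names only; a real
    monitor should consult the Public Suffix List instead of this shortcut.
    """
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "ac", "or", "go"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, legitimate: set[str] = LEGITIMATE) -> str:
    """Return 'legitimate', 'lookalike: <why>' or 'unrelated' for a domain.

    Checks run from the strongest resemblance down: the same brand label under
    a different suffix, a plural/singular twin (scbcreditcard vs
    scbcreditcards), a one-character typo, and a brand label embedded in a
    longer label (scb-login.com).
    """
    cand = candidate.lower().rstrip(".")
    if any(cand == d or cand.endswith("." + d) for d in legitimate):
        return "legitimate"
    clabel = registrable_label(cand)
    labels = [(registrable_label(d), d) for d in sorted(legitimate)]
    for llabel, legit in labels:
        if clabel == llabel:
            return f"lookalike: brand label of {legit} under another suffix"
    for llabel, legit in labels:
        if clabel == llabel + "s" or clabel + "s" == llabel:
            return f"lookalike: plural/singular twin of {legit}"
    for llabel, legit in labels:
        if edit_distance(clabel, llabel) == 1:
            return f"lookalike: one-character variant of {legit}"
    for llabel, legit in labels:
        if len(llabel) >= 3 and llabel in clabel:
            return f"lookalike: embeds brand label '{llabel}' of {legit}"
    return "unrelated"


if __name__ == "__main__":
    for name in ["scbcreditcard.com", "scbcreditcards.com", "www.scb.co.th",
                 "scb-login.com", "ikea.co.th"]:
        print(f"{name:22} {classify(name)}")
```

Feeding newly registered domains from a zone-file or certificate-transparency feed through classify() turns this into a basic brand-monitoring check.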

Does your company have too many different domains? Why? Would it make sense to consolidate them?

02 July 2015

Do you know which CAs can issue SSL/TLS certificates trusted by your PC or phone?

Most PC and phone users are blissfully unaware that their PC or phone has a very long list of trusted root CAs, certificate authorities that can sign SSL/TLS or code signing certificates that will be accepted at face value. Those root CA lists are regularly updated; most recently all Windows PCs silently got a bunch of new trusted root CAs from the Chinese government, India CCA, etc.

In other words: a few hundred organizations that you have probably never heard of, and a few thousand organizations trusted by them, can issue certificates that are trusted by your web browser and mail client, and used for signing software. Any of them can issue an SSL certificate for any web property, and sometimes they do issue certificates to the wrong party. When a certificate is issued to someone other than the legitimate site owner, it opens the door to man-in-the-middle attacks where an unknown third party can intercept and modify communication between a web browser and web server.

To reduce the risk of getting man-in-the-middle'd by someone who got a certificate from one of those CAs (or the thousands of intermediates trusted by them), it is a good idea to regularly trim the list of trusted root CAs on your PC or phone so only the ones you really need are trusted. It is relatively easy to update the list of trusted root CAs on a PC or phone; the following two infographics show how to trim trusted root CAs on Windows and Android, respectively.
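Before trimming, it helps to know what is actually in the store. As an added example (not from the original post), the script below lists the roots a machine trusts through Python's standard ssl module and flags every one that is expired, not self-signed, or issued by an organisation outside an allowlist; the allowlist and the sample store it runs against offline are constructed.

```python
"""Audit the root CAs a machine trusts and flag the ones you do not need.

Added example for this post, not code from the original post. It relies on
the standard-library ssl module: on Windows load_default_certs() reads the
system ROOT and CA stores, elsewhere it reads OpenSSL's default CA locations.
ALLOWED_ORGS and SAMPLE_ROOTS are constructed sample data.
"""
from __future__ import annotations

import ssl
from datetime import datetime, timezone

# Constructed allowlist: CA organisations this user actually needs. Every
# other root is reported as a candidate for trimming.
ALLOWED_ORGS = {"Example Commercial CA Inc"}


def flatten_name(name) -> dict[str, str]:
    """Turn ssl's nested ((('k', 'v'),), ...) name tuples into a flat dict."""
    return {k: v for rdn in name for k, v in rdn}


def audit(certs, allowed_orgs=ALLOWED_ORGS, now: datetime | None = None) -> list[dict]:
    """One record per certificate with a 'keep' or 'review' verdict.

    A root is kept only if it is self-signed, unexpired and its organisation
    is on the allowlist; anything else is listed with the reasons to review it.
    """
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    report = []
    for cert in certs:
        subject = flatten_name(cert["subject"])
        org = subject.get("organizationName", "?")
        reasons = []
        if cert["subject"] != cert["issuer"]:
            reasons.append("not self-signed, so not a root")
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now_ts:
            reasons.append("expired")
        if org not in allowed_orgs:
            reasons.append("organisation not on allowlist")
        report.append({"common_name": subject.get("commonName", "?"),
                       "organization": org,
                       "country": subject.get("countryName", "?"),
                       "verdict": "review" if reasons else "keep",
                       "reasons": reasons})
    return report


def system_roots() -> list[dict]:
    """Return ssl's dict form of every CA certificate this machine trusts."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return ctx.get_ca_certs()


def _name(country: str, org: str, cn: str):
    return ((("countryName", country),), (("organizationName", org),),
            (("commonName", cn),))


# Constructed sample store: one wanted root, one unexpected foreign root, one
# expired root. notAfter uses the "Mon DD HH:MM:SS YYYY GMT" format ssl emits.
_OK = _name("US", "Example Commercial CA Inc", "Example Global Root")
_XX = _name("XX", "Example Government PKI", "Example National Root CA")
_OLD = _name("US", "Example Commercial CA Inc", "Example Retired Root")
SAMPLE_ROOTS = [
    {"subject": _OK, "issuer": _OK, "notAfter": "Jan 15 12:00:00 2038 GMT"},
    {"subject": _XX, "issuer": _XX, "notAfter": "Jan 10 00:00:00 2030 GMT"},
    {"subject": _OLD, "issuer": _OLD, "notAfter": "Dec 31 23:59:59 2015 GMT"},
]
SAMPLE_NOW = datetime(2016, 7, 1, tzinfo=timezone.utc)


def sample_report() -> list[dict]:
    """Run the audit over the constructed store at a fixed date."""
    return audit(SAMPLE_ROOTS, ALLOWED_ORGS, SAMPLE_NOW)


if __name__ == "__main__":
    for row in audit(system_roots()):
        why = f"  [{'; '.join(row['reasons'])}]" if row["reasons"] else ""
        print(f"{row['verdict']:6} {row['country']:2} {row['organization']} / "
              f"{row['common_name']}{why}")
```

On Windows, "review" entries can then be moved to the Untrusted Certificates store rather than deleted, which survives the automatic root updates mentioned above.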



29 June 2015

RandomCards: a simple low-tech method for managing strong passwords

Passwords, always a problem

Everyone with access to a computer has problems with passwords. Whenever some website is hacked we're reminded, yet again, that the majority of people use weak passwords like "P@ssw0rd1" or their dog's name. Users with weak passwords, or those who reuse their passwords, are the first victims, and often have their data compromised on other systems than the one that got hacked.

Others try to use strong passwords, but the elements that make a password strong such as length, entropy (randomness), and not being based on a dictionary word in the first place usually make strong passwords very hard to memorize. This is often overcome by using a password manager, or by simply writing the passwords down in a file or on paper.

Unfortunately, password managers are sometimes compromised too, for understandable reasons: why would hackers not put extra effort into breaking into a system where thousands of users store all their credentials? They do, and as a result even top-of-the-line password managers are sometimes breached.

Good password managers are designed to make life harder for hackers by employing layer after layer of strong encryption, yet if a user's master password is not strong enough that user is at risk of having all their passwords leaked anyway.

Writing passwords down in a file or on paper is equally insecure, as has also been shown repeatedly. When the French TV channel TV5 Monde was hacked recently, it turned out that not only did they use very weak passwords such as "azerty12345" ("qwerty12345") and "lemotdepassedeyoutube" ("password for youtube"), but they also posted them on post-it notes all over their offices.

Of course, they're not alone in using post-it notes for passwords:

Personally, I am not a fan of password managers, especially the "online"/cloud based ones where you store all your credentials in one central location, trusting a third party to ensure that unauthorized users can't access them.

I don't claim to have a solution to any of the issues surrounding passwords, but being sceptical of password managers and still wanting to use sufficiently strong passwords myself, I have put together an experimental app for generating and printing pocket-sized cards with random content that can be used to derive passwords, "RandomCards".


RandomCards is a small app that will generate large random numbers using cryptographic random number generators, convert them to printable/human readable characters (Base64), and print out 10 wallet sized cards with random characters on a sheet of A4 or Letter paper.

The RandomCards app has a fairly simple user interface: choose which RNG (random number generator) you want to use, how many pages of RandomCards you want to print (with 10 cards on each page), hit the "Print" button, select target printer, and it will print out your cards. Each card has a small unique icon to distinguish it from your other cards, so you can keep a stack of them together and still be able to distinguish the cards from each other.

The list of random number generators available in the app depends on which RNGs you have on your system. On a baseline Windows system with no TPM, you may see only Microsoft's CSPs. If you have a TPM ("trusted platform module") installed, you should be able to use the TPM's hardware-based random number generator. The default option is "All Available RNGs", which will generate random numbers using all installed RNGs and XOR them together. This should result in a random sequence at least as strong as the strongest RNG, regardless of whether any of the other RNGs are weakened/predictable.

Although this can resemble some kind of "post-it notes on steroids" password manager, the idea is that these cards contain enough entropy to be used for strong passwords, and since you can read them in any direction you want, they make it much more difficult for an attacker to figure out your password if you lose them than an ordinary password note or file would.

Print, laminate, and keep a sufficient number of cards in your wallet. The cards are wallet sized for a good reason, and if you make up your own technique for reading them ("red pineapple card, start at J5, read diagonally up for 18 characters is for xyz.com") then they're going to provide you with strong passwords without having to memorize a full long random password, while making no sense to someone else if you lose your cards.

Change around your RandomCard printed cards, pick a starting point that you can memorize, pick an arbitrary reading direction (up, down, left, right, diagonally, diagonally pairwise, zig-zag [up/down/ltr/rtl] etc.), pick an arbitrary password length (12 characters or longer), and each card offers a very large number of combinations of fairly strong* passwords.

* = Remember, since the random data on the RandomCard cards is base64 encoded, every 3 characters of a RandomCard password correspond to 2 bytes or 16 bits of entropy, so a 12 character string from one of these cards is equivalent to 8 bytes or 64 bits of entropy, or 1 in 18,446,744,073,709,551,616 for someone who has no access to your password cards.
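The pieces described above (XOR-combining several RNGs, base64-encoding the result into a printable grid, and reading a password along a path such as "J5, diagonally up, 18 characters") are shown together in the added Python example below; it is written for this post and is not RandomCards' own .NET code. The 16 x 8 grid, the coordinate scheme and the reading directions are assumptions, and because base64 carries 6 bits per printed character, entropy_bits() reports 6 bits per character read.

```python
"""Generate a RandomCards-style card and derive a password from a reading path.

Added example written for this post; it is not RandomCards' own .NET code.
The 16 x 8 grid, the 'J5' coordinate scheme (column letter, row number) and
the reading directions are assumptions. Base64 carries 6 bits per printed
character, which is what entropy_bits() reports.
"""
from __future__ import annotations

import base64
import os
import secrets
from typing import Callable, Iterable

COLS, ROWS = 16, 8                    # 128 base64 characters per card
RAW_BYTES = COLS * ROWS * 3 // 4      # 96 random bytes encode to exactly 128 chars
Source = Callable[[int], bytes]       # anything that returns n random bytes

# (column step, row step) per reading direction; row 1 is the top row.
DIRECTIONS = {"right": (1, 0), "left": (-1, 0), "down": (0, 1), "up": (0, -1),
              "diag-up": (1, -1), "diag-down": (1, 1)}


def xor_mix(sources: Iterable[Source], n: int) -> bytes:
    """XOR n bytes from every source, like the app's 'All Available RNGs' mode.

    If the sources are independent, the result is at least as unpredictable
    as the strongest one, even when the others are weak or biased.
    """
    out = bytearray(n)
    for src in sources:
        chunk = src(n)
        if len(chunk) != n:
            raise ValueError("source returned the wrong number of bytes")
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def make_card(raw: bytes) -> list[str]:
    """Base64-encode raw bytes into ROWS strings of COLS printable characters."""
    if len(raw) != RAW_BYTES:
        raise ValueError(f"need exactly {RAW_BYTES} bytes")
    text = base64.b64encode(raw).decode("ascii")   # no '=' padding at this size
    return [text[r * COLS:(r + 1) * COLS] for r in range(ROWS)]


def read_path(card: list[str], start: str, direction: str, length: int) -> str:
    """Read `length` characters from `start` (e.g. 'J5'), wrapping at the edges."""
    col = ord(start[0].upper()) - ord("A")
    row = int(start[1:]) - 1
    dc, dr = DIRECTIONS[direction]
    chars = []
    for _ in range(length):
        chars.append(card[row % ROWS][col % COLS])
        col, row = col + dc, row + dr
    return "".join(chars)


def entropy_bits(length: int) -> int:
    """Bits of entropy in `length` card characters when the card is uniform random."""
    return 6 * length


def render(card: list[str]) -> str:
    """Printable layout with column letters across the top and row numbers."""
    header = "   " + " ".join(chr(ord("A") + c) for c in range(COLS))
    return "\n".join([header] + [f"{r + 1:2} " + " ".join(card[r]) for r in range(ROWS)])


if __name__ == "__main__":
    # Both stock sources read the OS CSPRNG; a TPM or other hardware RNG would
    # simply be one more callable in this list.
    card = make_card(xor_mix([os.urandom, secrets.token_bytes], RAW_BYTES))
    print(render(card))
    pw = read_path(card, "J5", "diag-up", 18)
    print(f"J5, diag-up, 18 chars -> {pw} ({entropy_bits(len(pw))} bits)")
```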

Download the app (or source code)

If you want to try out or use RandomCards, you can download the app from https://apps.huagati.com/download/RandomCardsApp.zip, or the source code for it from https://apps.huagati.com/download/RandomCardsSource.zip

The app requires a PC with .net 4.0, sufficient user privileges to use the random number generators installed on the system, and a printer.

As always: provided as-is. No warranties (expressed or implied). Use at your own risk. Batteries not included.

Feedback, comments, questions? Post it in the comments section below.

18 May 2015

IKEA shows how NOT to do passwords...

A few weeks ago, I took my family to the local IKEA store here in Bangkok to pick up a few pieces of furniture. I am generally not a fan of loyalty programs offered by shops/banks/airlines/etc, but I made an exception and joined IKEA's "IKEA family" program to see if I would get any discount* on the items I purchased. (* = Nope, I didn't.)

When I got home from an out-of-town trip yesterday, there was a letter from IKEA containing a welcome letter and my member card. The first thing that caught my eye was the third line in the welcome letter: "Your login password: Your date of Birth (DDMMYYYY)". My WHAT? That doesn't seem very secure, does it?

I opened up my browser and went to their site to have a closer look. Right on the login page was a password reminder link, which I clicked. That opened up a message box confirming that they do indeed use your date of birth as a password, but even worse: the wording of that password reminder suggests that you can't even change your password later. After logging in I couldn't find a way to change the password or DOB, so I think you're stuck with your DOB as the password for your "IKEA family" account...

What's wrong with using your date of birth as a password?

Why is this bad, you say? Not everyone knows my date of birth, right? Well, unfortunately, it is very easy for a computer to test all possible combinations of someone's date of birth and make automated requests to login pages like the one used by "IKEA family". There are after all only 36525 possible date combinations in a 100 year timespan. If we assume that most "IKEA family" members are between 17 and 85 years old, that drops to 24837 combinations. That is way too easy to bypass, and in a real-world attack each member account would (on average) require about half as many attempts before the correct DOB is found: just 12k requests per member account. This can be done in a very short timespan (seconds) by your average home computer or smartphone.

Now, someone may argue that this is the password for a membership account with a 16-digit membership number, a membership number which would be hard for someone else to guess. That may be the case, but it looks to me like the membership number starts with a 999320 prefix, followed by zeroes, and then a 6-digit membership number. Based on how the number is formatted, my guess is that those membership numbers are issued in sequential order, which would make it easy to automate a brute-force attack. An attacker could start at 9993 2000 0010 0000 and work his/her way up through the account list.

An automated brute-force attack would probably need to make somewhere between 5-8 billion requests to the "IKEA family" site to retrieve all members' data. This may sound like a lot, but for a computer it is not very hard work at all to make a few billion http roundtrips over the span of a few days...
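The two patterns described above, thousands of guesses against one account and a walk through sequential account numbers, are both easy to see in login logs if anyone looks. As an added example (not code from IKEA or the original post), the script below runs simple detection rules over constructed sample log lines; the log format, thresholds and addresses are assumptions.

```python
"""Spot password guessing and account enumeration in web login logs.

Added example written for this post; it is not code from IKEA or the original
post. The log line format, thresholds, 16-digit account numbers and IP
addresses (TEST-NET ranges) are all constructed assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) LOGIN account=(?P<acct>\d{16}) result=(?P<res>OK|FAIL)$"
)

# Thresholds a defender tunes per site (assumed values): a date-of-birth
# keyspace needs thousands of guesses, so even ten failures stand out.
MAX_FAILS_PER_ACCOUNT = 10
MAX_ACCOUNTS_PER_IP = 20
SEQUENTIAL_RUN = 5


def parse(lines):
    """Yield dicts for lines that match the constructed log format."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()


def longest_sequential_run(values: list[int]) -> int:
    """Length of the longest run where each value is the previous one plus one."""
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect(lines) -> list[str]:
    """Return alert strings for guessing, spraying and sequential enumeration."""
    fails_per_acct = defaultdict(int)
    accts_per_ip = defaultdict(list)          # first-seen order per source IP
    for ev in parse(lines):
        if ev["res"] == "FAIL":
            fails_per_acct[ev["acct"]] += 1
        accts_per_ip[ev["ip"]].append(int(ev["acct"]))
    alerts = []
    for acct, n in fails_per_acct.items():
        if n >= MAX_FAILS_PER_ACCOUNT:
            alerts.append(f"password guessing: account {acct} had {n} failures")
    for ip, accts in accts_per_ip.items():
        distinct = list(dict.fromkeys(accts))  # dedupe, keep first-seen order
        if len(distinct) >= MAX_ACCOUNTS_PER_IP:
            alerts.append(f"account spraying: {ip} tried {len(distinct)} accounts")
        run = longest_sequential_run(distinct)
        if run >= SEQUENTIAL_RUN:
            alerts.append(f"enumeration: {ip} walked {run} consecutive account numbers")
    return alerts


# Constructed sample: one genuine login, then a simulated attacker who makes
# twelve guesses at one account and one guess at each of the next five.
SAMPLE_LOG = (
    ["2015-05-18T09:00:00Z 198.51.100.7 LOGIN account=9993200000123456 result=OK"]
    + [f"2015-05-18T09:01:{i:02d}Z 203.0.113.5 LOGIN account=9993200000100000 result=FAIL"
       for i in range(12)]
    + [f"2015-05-18T09:02:{i:02d}Z 203.0.113.5 LOGIN account={9993200000100001 + i} result=FAIL"
       for i in range(5)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Alerts like these are only useful if the site also rate-limits or locks out after a handful of failures, since a DOB keyspace is small enough to exhaust before anyone reads the log.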

HTTP only

As an added bonus: the entire site, including the login page, uses plaintext http instead of https. Whenever you access an http-only site from an open wifi connection or a compromised network, you are sharing your information with whoever may be listening in.

What's at risk?

IKEA family is just a loyalty program, where you can collect bonus points and get discounts on items in their stores. Fortunately, there doesn't seem to be a way to tie a credit card or bank account to it [yet], [in this country].

What is the risk if someone compromises an IKEA family member account? PII: Personally Identifiable Information. When you sign up for an IKEA family membership, they ask for your name, address, email, DOB, ID card or passport number, mobile phone number, family details etc. I shared that information with IKEA, but I may not necessarily want to share it with a hacker in China, or Russia, or elsewhere. Likewise, IKEA may not want to share their customer data with hackers who may use it for phishing, or even resell it to competitors.

I immediately updated my profile and changed name/address/etc to dummy data, and I will email IKEA in a short while and ask them to delete my "IKEA family" account until they handle my (and other members') information in a more responsible way. Maybe I will even join "IKEA family" again in the future, if they become more responsible with how they handle member data.

In addition to accessing your PII, the site also allows you to redeem bonus points and to review transaction history (including previous purchases at IKEA stores).

I had a quick look at the login pages for "IKEA family" sites in other countries, and it looks like the IKEA family program's website is implemented differently in different countries. The IKEA family sites in nearby Singapore and Malaysia appear to be identical to the one used by IKEA Thailand, while the one used by IKEA Sweden appears to be a bit more secure.

Dear IKEA, ...

If anyone from IKEA happens to come across this, please have a look at how the online version of your "IKEA family" loyalty site is implemented in some countries. You are making your membership data easily accessible to hackers and (potential) evil-minded competitors.

If whoever built the "IKEA family" site is this sloppy with passwords, there may of course be other weaknesses as well. If you change the way you handle authentication, you may also want to spend a bit of time on looking into other security aspects of your site.


To everyone else: your date of birth is not a good password. Neither is your grandmother's date of birth, your dog's maiden name, or "p@ssw0rd69". Don't do it, especially if you are using it to protect other people's PII. If a site you are using insists on a weak/bad password, reconsider whether you really want/need to use that site, and limit what information you share with it.

06 June 2014

FSecure's FreedomeVPN - what does "tracking protection" really mean?

Since my previous blog entry on FSecure's "FreedomeVPN" app and how, in my previous test, it didn't block Google's tracking cookies, there have been a couple of conversations on Twitter on this matter. One such conversation took place last night, when Twitter user @PrivacyMatters referred them to my blog post and asked for FSecure's and Mikko's take on it. It went something like this:

Interesting... they apparently consider that the Google tracking cookies* they fail to block are not really tracking, or maybe that Google is not a tracking company, or maybe that Google is not in the business of advertising or selling user data to advertisers.

* = Google's persisted tracking cookies include a long unique number assigned to each visitor, which identifies each site visitor and where they came from, and which on Google's end can be matched up to everything else that Google knows about that user.

So... maybe I am just too picky. Maybe Google doesn't track users, and their tracking cookies are not part of FSecure's "untrackably invisible" claim. This morning I decided to take FSecure's FreedomeVPN for another 3-minute test just to see how their tracking protection measures up, and whether I am maybe just too picky.

This time I decided to simply check if Facebook is able to track me around the web while FreedomeVPN's tracking protection is active. You may have noticed that many sites around the web have embedded Facebook Like boxes.

The Facebook like box shows if you and any of your friends have clicked "like". It comes in a few different shapes and sizes, but whenever it is present on a site, it means that every time you visit that site Facebook will know you did so through the use of their own tracking cookies. This seems like something that I would expect Freedome's "tracking protection" to block.

If Facebook is unable to identify you, the tracking box will state how many people have clicked "like" on the site and show some random profile pictures of people who have clicked like:

If Facebook is able to identify you, the tracking box will show if you at any point have clicked like, and it will show your own profile picture and profile pictures of any of your friends that have done so too, rather than profile pictures of other random Facebook users:

My test today was simple, and as follows. I installed FSecure's FreedomeVPN again (to ensure I had the latest and greatest version installed for the test):


* = Note the "become untrackably invisible" slogan is still there...

After installing, I activated all the protection features, including "tracking protection" with an exit point in Finland.

Surely I was now "untrackably invisible" to all datamining and advertising companies..? Easy to find out, just hit a (non-FB) website with an embedded FB asset*.

* = FB like button/like box/share button/login button/etc all work the same and come with the same tracking features.

Lo and behold. Despite having all of FreedomeVPN's "anti tracking" features enabled and now being "untrackably invisible", Facebook was able to identify me when visiting a third party site. This means they are able to track me on ANY site around the internet that has an embedded FB Like, Share, Login, etc. button.

Sorry, FSecure and Mikko Hyppönen: I think we have different views on what "tracking protection" and "untrackably invisible" means.

After the test, the FreedomeVPN control panel says they have blocked one tracking attempt. Obviously not the one from Facebook, but maybe some other more obscure tracking service in that case...?

This app doesn't seem to do what FSecure's marketing claims it does, so I will uninstall it for now. Maybe I will try it again some time in the future if FSecure's developers catch up with their marketing team's claims.

27 May 2014

False sense of security: FSecure's freedome VPN service

Every now and then, political events in different parts of the world can trigger situations where internet freedom is reduced. Such is the case at the moment in the South East Asian country where I reside; due to a recent military coup, some people are now afraid of increased monitoring, censorship, or other moves to reduce freedom of information by those in charge. This fear has led to an increased interest in using VPN services.

Earlier today, I came across an advertisement from Finnish antivirus company F-Secure where they used current events in Thailand to push their VPN client and VPN service for Android and iPhone, dubbed FreedomeVPN. This is one of their twitter ads:

I thought it would be a good idea to take FreedomeVPN for a test-spin, so I installed it on my Samsung Galaxy S4, a fairly up-to-date and modern smartphone.

This is what the VPN app's main screen looked like once it was running on my phone:

A few swipes later, the app showed this reassuring statement in the "tracking protection" ring. It was very nice to read that they protect me from hackers, advertisers, and data collection companies...

I would like to know more about how that works, so I clicked on the "How does this work?" statement and got another warm and fuzzy/reassuring statement:

My interpretation of the statement shown in that screen is that FSecure's VPN service will not only give me a new exit point in another country, but it would also block tracking cookies from advertisers and data collection companies.

That's nice to hear, so I took it for a test spin and hit a server where I could see, on the server side, what was sent in the HTTP headers, or in layman's terms the information that your web browser sends to every web server you visit. This is what my HTTP headers looked like when masked by FSecure's FreedomeVPN service:

...and this is what it looks like when I hit the same server from the same device without running FSecure's FreedomeVPN with "tracking protection" enabled:

Guess what: they're exactly the same. NOTHING is masked when it comes to cookies and other http header data.

Tracking cookies from Google (one of the world's largest advertising companies), latest referral URL from a Google tracked site, and other semi-unique things (that combined can form a unique-enough combination to identify an individual user, such as the combination of user-agent, accepted languages, etc) are passed through as-is.

Nice move of F-Secure to offer a "free for a few months" VPN service, but maybe a good idea to cut down on feature claims that don't stand up to a 3 minute test-spin?

27 April 2014

Huagati DBML/EDMX Tools is now free to use

The latest version of Huagati DBML/EDMX Tools (v 2.34, released on 27 Apr 2014) has all license checks removed. This means it is now free to use. $0/user, no cost, no strings attached.