Tag: computing


Security isn’t a dirty word, Blackadder

I’m often surprised at just how some websites treat their users when it comes to security.

As any decent website developer knows, one of the basic tenets of application security is that you should never store a user’s password in an unencrypted format – and you shouldn’t really be storing a password in an encrypted format, either. The correct way to deal with storing a password is to use a password hashing algorithm (note: “password hashing”, not just “hashing”).

I’m not going to pretend that I’m perfect at this. It took me an embarrassingly long time to stop using MD5 for hashing passwords in my code (although, in my defence, it was at least salted and not just a straight hash) but I caught up with the zeitgeist and all’s well again. Of course, it seems these days I do most of my work with existing frameworks and applications, so don’t really have to worry too much about that kind of thing any more.
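To make the distinction concrete, here is an added example (not code from the post or from Kids Pass) that puts the old salted-MD5 habit next to a proper password-hashing scheme using PBKDF2-HMAC-SHA256 from the Python standard library; the record format, iteration count and salt length are choices made for this example.

```python
import hashlib
import hmac
import os

# Added example, not from the original post. The stored record format
# "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>" is an assumption
# made here so that the salt and work factor travel with the hash.
PBKDF2_ITERATIONS = 600_000  # chosen so every guess costs real CPU time
SALT_BYTES = 16


def salted_md5(password: str, salt: bytes) -> str:
    """Old-style salted MD5: one fast hash, so guesses are cheap to try."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Return the string to store; nothing in it can be turned back into the password."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor, compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Because only `hash_password`'s output is stored, a "password reminder" email of the kind described below is impossible to send; the site can only check a candidate, never read the original back.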

The fact that there are so many frameworks and other tools out there to help devs with this kind of thing just makes it all the more upsetting when I see someone doing it so drastically wrong. Someone like whoever it was that developed KidsPass.co.uk.

For those unfamiliar, Kids Pass is a website aimed at parents that offers many discounts and other offers on things to do with their little’uns. It’s not a website aimed at children, which is just as well because with password security as poor as theirs that would be absolutely terrifying.

What’s wrong with it?

The only thing right with it is that the website uses HTTPS, although even that isn’t as good as it could be (it uses an obsolete key exchange, in this case RSA).

Let’s start with the sign-up process:

Nothing too horrific there. You’ll note that it doesn’t ask me for a password, and also that it asks for credit card details. The latter there isn’t that unusual, but with how they deal with password security the thought of them having my card details fills me with the sort of dread that I feel if I ever find myself having to watch The Only Way Is Essex.

When you successfully pay for your membership, Kids Pass send an activation link that you use to complete your registration. More on this below.

Should you wish to continue, it is at this point that you choose your password. Which they then email to you, unencrypted, in plain text.

Still, that doesn’t necessarily mean that they store the password insecurely, right? Could just be that they send it to you after you submit it (which is still horrible from a security standpoint) and then hash it before saving it to their database. Fortunately, there’s an easy way to check.

Ah, the old “forgotten your password” trick

If you forget your password, a decent website will give you a link to click on where you enter your email address or username, and it will send you a “token” to that email address that can be used precisely once to change your password to something else. A truly great website will make the use of that token time-limited as well, usually 24 hours.

What Kids Pass do is this:

(note: I have changed my password for the purposes of this image, I’m not that silly)

Yep, they send you your password – as a reminder – completely naked and unencrypted. Sending passwords like this is bad enough, as SMTP (the method used to send email) is completely and utterly insecure, and could quite easily be pulled out of the ether by an attacker.

The real danger though, is that they are clearly storing those passwords either in plain text form, or in a way that they can be decrypted. The latter is better than the former, but not by much because it wouldn’t take a skilled hacker with access to their server long to figure out how the decryption process works, and when that happens they may as well not be encrypted.

I’ve sent emails and tweets to Kids Pass about this before (back in December), and have had no reply whatsoever.

Let’s go back to that activation process

When I first started writing this post, the goal was to talk about the lax password security – but in the process of writing it and performing the various actions contained within, I discovered something far more serious. Remember the activation link that they sent me earlier on? Well, it contains a unique identifier that ties the activation link to your registration, and the activation page looks like the below:

Note: I’ve removed my activation code, changed its format and redacted any personal details from the screenshot above.

The problem with this is that the activation code is entirely predictable – it’s not a 32-character token like many websites use, and all you need to do to access other people’s personal data is change the code in the URL that the link takes you to. It would be horrifically easy for someone to abuse this and harvest personal details – names, email addresses and postcodes.
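The "decent website" reset flow described earlier and the activation link here both need the same thing: a token nobody can guess, that works once and expires. Here is an added example of that scheme (not code from the post or from Kids Pass); the in-memory dict stands in for a database table, and the 24-hour lifetime is the figure the post gives.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Added example, not from the original post. Tokens are 256 bits of CSPRNG
# output, so changing a digit in the URL lands on nothing. Only sha256(token)
# is kept server-side, so reading the table does not yield a usable link.
TOKEN_TTL_SECONDS = 24 * 60 * 60

# sha256(token) -> {"user": ..., "expires": ..., "used": ...}  (stand-in for a DB table)
_tokens: Dict[str, dict] = {}


def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Mint a single-use, time-limited token for user_id and return it for emailing."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unpredictable, not sequential, not derived from user data
    _tokens[_key(token)] = {
        "user": user_id,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is known, unexpired and unused; consume it."""
    now = time.time() if now is None else now
    record = _tokens.get(_key(token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True  # second click on the same link fails
    return record["user"]
```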

This is unacceptable – not only is it a serious violation of the basic principles of information security and the Data Protection Act, but it’s inexcusable for a developer in this day and age to have not thought this through to that degree.

It should not be trivially easy to get access to other people’s personal information.

Oh, and about those credit card details

Because they collect credit card details directly on-page through their site, unfortunately there’s no way for me to identify who they use to process card payments. The server does do some sort of validation on the card details, as it spits out an error if I use an obviously fake card number, or a test number (4242 4242 4242 4242 for example).

The submitted number will clearly end up on their server somewhere though, be it in memory or in a logfile somewhere. Hopefully they don’t store the card details on the server for manual processing later on, or indeed for any reason whatsoever – because if they do, I shudder to think about how they’re storing them based on the revelations above!

They’re not the only ones

I wish they were, but of course they’re not. It’s frighteningly common – just take a look at Plain Text Offenders.

Sort it out, Kids Pass – before you have a serious security breach.


“Let off some Steam, Bennett!”

Points to anyone who recognises the quote, which bears only a tangential relationship with the topic of today’s post.

So, what is it? Is the topic movies? Movie quotes? Arnold Schwarzenegger? The family featured most heavily in Jane Austen’s Pride and Prejudice?

No – it’s Steam. And by that, I mean the digital software distribution platform, not the gaseous form of H2O.

Why would you write about that?

Well, truth be told, I’m running out of ideas a bit – it’s day 16 of Septemblog, I’ve written more posts on here so far this month than I have done for the past two years – I’m basically clutching at more straw than Worzel Gummidge in the throes of sexual ecstasy (with Mrs. Gummidge, obv.)

Still, someone mentioned Steam, and it made me think about how many games I have on my Steam account, and how many of them I’ve actually played. So, let’s get into statistics…

“Games, games! Everywhere I go – games! This is what my lifetime of achievement has been reduced to.”

Again, points to anyone who recognises the quote.

I joined Steam on November 20th, 2004, so I’m coming up to my 11th Steamiversary. Apparently I was a relatively early adopter, as Steam’s initial release was in September 2003.

The first game that I bought through the platform was most likely Half-Life 2, and this would tally up with my registration date, as the game was released on November 16th. According to mysteamgauge, where I’m getting these stats from, I’ve played 0.64 hours of Half-Life 2, which isn’t right as I’ve completed that game and it took me a damn sight longer than just over half an hour!

The last game that I bought was Shower With Your Dad Simulator 2015: Do You Still Shower With Your Dad? – a delightfully silly game written by one of the guys from the Making Games Megathread on the SomethingAwful forums. It’s also a game with a surprising amount of depth – and a not-entirely unsurprising amount of dong. I’ve played 0.1 hours of this, but I should really play a lot more as it’s quite enjoyable.

The game that I’ve played the most of is Far Cry 3, logging a total of 237.19 hours. I can definitely believe that, I spent far too long playing that game, completing every objective and raiding every outpost. Tremendously good fun.

Next up is XCOM: Enemy Unknown at a surprisingly low 44.39 hours. I’m not sure that’s correct, as I feel like I’ve spent weeks playing that – but I could be getting it confused with the original UFO: Enemy Unknown (X-COM: UFO Defense for you Americans). The sequel to this, the imaginatively titled XCOM 2 (not sure if the subtitle is Enemy Known or not) comes out in February 2016, and I can’t bloody wait.

Totals

I have a total of 213 games on my Steam account, which – had I paid full price for all of them – would have been at least $3,500. However, Steam Summer/Christmas sales and Humble Bundles have meant I could acquire many of these on the cheap.

Of those 213 games, I have played approximately 85. That’s actually quite high, I wasn’t expecting it to be that much.

The total install size of all of my Steam games is a whopping 987.8 GB. But about 985 GB of that is Grand Theft Auto V.

Conclusions

I have too much money, and not enough time. A bit like Walter White.