Tag Archives: security

Compromises

It was last year in March that I posted a gripe about a change to my T-Mobile checking account.  They had changed the requirements for how you get the bonus interest rate on their account.  Instead of making a direct deposit each month, you had to use the check card 10 times each month.  I didn’t like the change for the inconvenience it caused, but there was another concern that I had and I didn’t express it in that post back then.  Tonight, my concern became reality.

Lying in bed, ready to sleep and my phone goes off with a text message.  It says:

FreeMsg: Bankmobile Fraud Ctr: 18449392796 Case (redacted) Did you attempt $.00 at MOTHER GOOSE TI with card x8930? Reply YES or NO. opt Out reply STOP.

This brought me a bit of concern.  BankMobile is faintly familiar, but I wasn’t sure if that was my card number.  I climb out of bed and get on the computer.  Yes, it is my card number, and BankMobile is the bank.  I still think this might be a scam, though, so I call the bank directly, not using the number they provided.

Talking to the service rep, I am assured that there is nothing wrong with my card, but that the message is legitimate.  So, I say, ok, I’ll reply to the message after this call.  After the call, I reply NO and immediately get a reply saying my card is now locked.  Well, great.

Back on the phone again and explaining this new turn of events, and the rep says that there is a blank transaction on my card and my card is locked, so they will have to send me a new card.  Yeah, yeah yeah, this is nothing new to me, let’s go ahead with it.

But what IS new to me is that concern I’ve had since last March.  This card is tied to a massive (to me) amount of money.  Because of the excellent interest rate (4% on 3k and 1% on the rest), I keep the bulk of my money in there.  And EVERY TIME I am using my check card to get to my 10x transactions to qualify for the 4%, I am exposing myself to theft and fraud.  And within a year, in less than 150 transactions, it has happened.

I want to say just how careful I am with that card.  I just went through every statement in the last year and checked.  I’ve only used my debit card at 15 different places.  That is a crazy small number compared to how many places I use my credit card.  And that’s the part that freaks me out so much.  Debit cards don’t have the same fraud protections that credit cards do.  Yeah, sure, it’s covered, but if someone drains your account and you scream fraud, your money’s not coming back until they finish the investigation, as your bills go unpaid.

So where does that leave me?  For my financial security, I should give up the 1% interest on the large balance and only keep the amount that will get me 4%.  4% of $3k is $120/yr.  Not bad when all other places will get you like $3, $15 if you’re lucky.  But what’s the value of security?  It’s priceless.

More Words, Now With More Security

I got my lock!  If you don’t see it, you need to go to https://anachostic.700cb.net.


Thanks to the regular march forward of technology, I can now get a free SSL certificate for my websites.  The process isn’t exactly simple, and it’s not convenient, but the results are effective.

The process is more geared towards Linux servers, but with a few additional steps you can create a certificate for Windows servers.  I’m sure I’ll figure out a way to simplify/automate the process and make it easier over time.  The lack of convenience is that the certificate expires every three months instead of every two years.  That’s a fairly significant investment of effort to keep this going.

But, I am a believer in security and privacy, so you can now rest easy knowing that the pages you’re requesting here are not being snooped on by anyone else.

Making It More Difficult, For The Better

A little while ago, I saw a post online that was like a little PSA on financial security, which, of course, I am rather big on.  It was warning that PayPal and Venmo were not to be trusted because they were not held to the same security standards as banks.  Both of these sites claim to have “bank-grade” security, but what does that actually mean?

To be honest, I really do trust PayPal.  I haven’t ever had a problem with them or their security.  Then again, I do the maximum I can, enabling 2-factor authentication and having a strong, unique password.  Venmo, I don’t have any history with them, but they are owned by PayPal and from what I can see, they do a lot of the same things.  They also have 2FA, and are very happy to send you email notifications when things happen on their site.

I read this PSA post about distrusting online payment processors with a grain of salt.  The one thing that did strike a nerve with me is the advice: “never link your primary checking account”.  I agree with that.  I follow that pretty religiously with my online bills.  If a payee wants to do an autopay, I’ll allow it only if they allow payment on a credit card.  If they only allow payment by checking account, I use my bank’s bill pay.  Simply defined, I’ll push cash out of my checking account, but no one has the ability to pull cash from the account. 

It sounds convenient to set up my mortgage company to just withdraw my mortgage payment from my checking account monthly, but what if, just what if, they got a bug up their ass, or something went weird, or all hell breaks loose and they decide, we’re going to make your loan payable in full immediately.  And to satisfy this loan, we’re going to make a payment for as much of your balance as possible.  Now, I don’t have $90k sitting in my checking account, but, if they pulled everything they could, it would put a damper on my liquidity.  It’s just not a situation I would like to have happen.  So instead, I schedule a payment from my bank to them once a month.  It ends up working exactly the same.

Of course with online processors, the big fear is getting hacked.  And if your primary account is linked, the hackers can pull all your money just as easily as my mortgage company could.  Even if you have fraud protection, you’re still talking about a big hassle and lost money for a period of time.

The PSA had a poor suggestion to not link your bank account at all, but also had a good suggestion to link a secondary bank account instead.  So that’s what I did.  In PayPal, I had three banking accounts linked, so I removed two.  In Venmo’s website, I began the link to the same account I left active in PayPal.

This is a good thing.  That secondary account only has $15 in it, which becomes my maximum monetary risk in case of being hacked.  But what are the limitations of this?  Well, right now, I couldn’t pay any more than $15 unless I transfer more money into the account.  Fortunately for me, like a lot of online banks provide, I have multiple accounts with that bank and I can instantly transfer money between them.  So, there’s no significant time delay on when I can make funds available for payment.  There’s only the delay in having to log in to the bank and transfer the needed money from my main account to my designated “PayPal/Venmo account”.

Still, though, security is always at odds with convenience.  I’m a little more secure now (even more), but I have to do a little more work now.  And note that this inconvenience is only for cash transactions.  Credit card stuff is always protected, so I’ll use that whenever I don’t have to pay the transaction fee.  The PSA also had the questionable advice that paying the 3% fee was worth it for the fraud protection.  Maybe.  But if you can save that fee and still be secure, that’s the best way.

Maybe it’s time to audit all your account links and make sure you don’t have any weak entry points.

The Eye in The Sky

There’s a lot of people that are really paranoid, scared, and angry about “the police state”, government surveillance, and loss of privacy.  I’m sort of in that group, but not really at the level some people are at.  There are other people who just sit back, point their finger and say, “Hey, you asked for it.”  These people are referring to technology like GPS, cookie tracking, integrated Facebook everywhere (that goddamn Like button on every web page that tells FB you’ve been on that page without you doing anything), and more recently, bullshit always-on microphones like on Alexa, Google Home, and Apple Home.

Those are all personal privacy invasions, and they are all opt-in.  You have to buy the devices that snoop on you.  You have to visit the websites that track you.  The other level of privacy invasion is at the societal level.  Things like security cameras, traffic cams, EZ Pass in your car, GPS on your phone.  Things that monitor and track you while you are in public.  At no point did anyone really opt-in to being monitored while in public.

Advocates will argue that these systems provide a great improvement in public safety (albeit reactive and not really proactive).  Detractors will say it’s not worth it to be watched all the time for the rare case something bad happens.  And the finger-pointing starts – If you’re not doing anything wrong, why are you opposed to it.  So, security by this means is naturally controversial.

And with that lead-in and disclaimer that I understand what I’m going to get into, I’m going to propose more surveillance.  And it’s for a very specific police use that would piss off some people.  But you know what?  I don’t fucking care, because you people need to be shut the fuck down.

Have you ever seen a video of a car fleeing the police on a highway, flying through traffic, weaving in and out of the other cars?  Of course you have.  That is what it is like driving to and from work every day for me.  That is every fucking day.  Every day, there are people who drive 15-20+ miles an hour faster than others and cut in and out between 3 and 4 lanes of traffic.  I am sick to fucking death of these people.  This needs to fucking stop.

These assholes cause trouble for everyone else in multiple ways.  The most obvious is that they could wreck into someone and kill themselves (boo hoo) or others.  And when wrecks happen, we all lose.  Traffic comes to a crawl or a standstill.  Do the goddamn math sometime you are in a traffic jam.  Count how many cars you see, measure how much time you are losing on your drive and multiply that by an average wage to see how much money is being lost sitting in traffic that didn’t need to happen at all if people didn’t drive like fuckasses.

There are not enough officers on the road to enforce better driving practices and even when they do enforce them, the fuckasses still ruin it for everyone, because we all have to slow down for emergency vehicles.  An asshole gets pulled over and we all pay for it.  But another issue is that an officer on the side of the road monitoring traffic may not be able to spot a fuckass.  The officers only have a limited view and even if they are running radar, they may or may not catch the driver when they are embedded somewhere in 3-4 lanes of traffic.  So this leads me to my solution.  Aerial surveillance.

Leave some quadcopters hovering over the highway where they can monitor traffic at a greater level.  You can spot drivers that are weaving through traffic and generally being unsafe.  This is something you can’t do at ground level.  Once a car is spotted behaving erratically or unsafely, a trooper can be dispatched to intercept.  Or it could be handled later.  Record the video and address it in person at their house.

It doesn’t even have to be speeding.  I came up with a formula to calculate a driver’s assholosity based on speed and number of lane changes per mile.  This targeting could almost be completely automated with machine learning (formerly known as AI).

Does this sound invasive?  I don’t fucking care if you think it is.  This is a problem that affects all highway drivers in both safety and financial aspects.  And while the problem is chronic, it isn’t widespread.  The few are ruining it for the many, and we shouldn’t have to live that way.  There’s a lot of that shit going on right now and I’m pretty well sick of it.

Annoying You Into Better Passwords

There are some people that have, over time, integrated security into their daily routine.  It’s just the way it is for these people.  And I would encourage everyone to begin working towards that goal.  There are other people who see security as nothing but a hindrance, an obstacle to them getting done what they want to get done.  Even after getting hacked multiple times, security is still a burden to these people.  And this burden is most often felt in the workplace.

It is sad, really, when people don’t take security seriously and their lack of concern becomes a liability for their employer.  And when the employer tries to enforce their required security practices, the users simply try to get by with the least amount of effort possible.

The two main constraints on passwords in the workplace are complexity and expiration.  The password must contain certain characters and be a certain length and you have to change it on a regular basis.  A recent article came out where NIST (The National Institute of Standards and Technology) made the following recommendations:

  • Remove scheduled password change requirements (must change password every 90 days)
  • Remove complexity requirements (one upper-case/lower-case/number, no two successive characters)
  • Require screening of new passwords against lists of commonly used or compromised passwords

On one hand, I think this is good, but I also don’t think the average user can be trusted to create a secure password, even if it is checked against a blacklist.  So I have what I think is a better solution.  And the solution has the benefit of discouraging bad behavior.

Keep the first two items.  Eliminate complexity and expiration.  But, in place of (or in addition to) the third item, there should be a server on the network that tries to crack account passwords 24/7, via both dictionary and brute force.  When it succeeds, the compromised account gets locked and the user has to change their password.  The cracking server would also send an email explaining that their password was cracked in X number of hours/days and they need to choose a more difficult password.  The email would provide tips for creating a better password.

The result of this process is that the people who choose weak, shitty passwords will have to change their passwords more frequently.  Those that choose more difficult passwords will be rewarded in that they don’t have to change their passwords often at all.  If you’re sick of getting your account locked out, the fix is simple.  Make a better password.
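Here is what the screening half of that idea looks like in practice.  This is an added example, not anything from the post: it rejects a new password that is too short, that appears in a list of known-compromised passwords (stored as SHA-1 hashes, the way such lists are usually kept), or that contains the account name, and it gives the rough "cracked in X hours" figure the warning email above would quote, for an assumed offline guess rate.  The compromised-password list and the guess rate are constructed for the example.

```python
"""Password screening in the spirit of the NIST recommendation above.

Added example, not from the post. The compromised-password list below is a
constructed stand-in for a real breached-password corpus.
"""
import hashlib
import string

# Constructed stand-in for a breached-password corpus. Real deployments keep the
# hashes rather than the plaintext so the list itself is not a gift to an attacker.
_COMPROMISED_PLAINTEXT = ["password", "123456", "qwerty", "letmein", "Summer2017!"]
COMPROMISED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in _COMPROMISED_PLAINTEXT}

MIN_LENGTH = 8  # NIST SP 800-63B minimum length for user-chosen passwords


def screen_password(password, username=""):
    """Return the list of reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    digest = hashlib.sha1(password.encode()).hexdigest()
    if digest in COMPROMISED_SHA1:
        reasons.append("appears in compromised-password list")
    if username and username.lower() in password.lower():
        reasons.append("contains the account name")
    # NIST also advises rejecting trivially repetitive strings such as 'aaaaaaaa'.
    if len(password) >= MIN_LENGTH and len(set(password)) <= 2:
        reasons.append("made of one or two repeated characters")
    return reasons


def charset_size(password):
    """Size of the union of the standard character classes the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33
    return size


def estimate_crack_hours(password, guesses_per_second=1e10):
    """Worst-case hours to exhaust the password's charset/length space.

    guesses_per_second is an assumed rate for an offline attack against a fast
    hash. A dictionary hit would be far quicker, which is what screening is for.
    """
    space = charset_size(password) ** len(password)
    return space / guesses_per_second / 3600


if __name__ == "__main__":
    for candidate in ["password", "aaaaaaaa", "alicerocks2020", "correct horse battery staple"]:
        print(candidate, screen_password(candidate, "alice"),
              "%.2g h" % estimate_crack_hours(candidate))
```

The brute-force estimate is deliberately crude (it assumes the attacker has to try the whole space), so treat it as the number to put in the nagging email, not as a security guarantee; the compromised-list check is the part that catches the passwords people actually pick.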

Wasteland Highlights

Two trips to the hometown in one year!  Wow!  I mean, wow.  I actually mean, meh.  No really, blah.  So, to summarize the best/worst highs/lows of the trip, here we go.

Before I even left for the airport, six hours before my flight, my flight was delayed.  The flight was already a late one at 7:00pm, now it was 7:30.  When I got to the airport, they announced, “your plane will not be arriving until 8:00.”  A very odd way to announce a delay, but that’s what they did.

The TSA experience on the way out wasn’t too bad (oh, just you wait for this one…).  A couple new regulations (aren’t there always?) to deal with.  Everything electronic larger than a cell phone must be taken out and all liquids must be out as well.  Ok, no big deal, a couple of Kindles and shampoo.  I went on with my life.

At my destination, I went to pick up my rental car at the ungodly hour of 11:30.  When I went up to the counter, the agent just stared at me with a big smile on his face.  I said, “Hi, I have a reservation” which seemed to break his trance and he said, “that… is awesome.”  And I understood.  It was my shirt – “Quattro Gato”.  Basically, this image here on the right, colorized and duplicated four times over. The agent asked me if I liked cats, had a cat, what type of cat, etc.  Naturally, cat people are awesome.  And awesome cat people get… Mustangs!  Or at least that’s what he believed.  Me paying for the cheapest rental car, and wearing a cat shirt, means I get upgraded to the sports car category.  I guess I’m ok with that.

I got my car in the lot.  There are SO many goddamn buttons on the console and steering wheel.  What the fuck.  I don’t touch anything.  I try to get GPS directions out of the airport to a familiar highway (I always take the wrong route), but my phone has no signal.  Finally, I get a weak signal and a route.  I leave the airport and immediately get in the wrong lane and miss the proper exit.  GPS simply changes the route, without even scolding me with “ROUTE RECALCULATION!”.  Not sure exactly how much time I lost in that, but I made it to the motel and fell into bed at 1:30am.

I thought I had everything planned out well for this trip, which meant little to no personal time for me.  In the end, I had way too much personal time because my brother kept bailing on our plans.  So I saw and did everything I could think of.  That’s a very short list in a very small town.  And I ended up sitting in my upgraded rental, parked downtown for extended periods of time.

Everything’s closed in the wasteland.  The mall lost Sears and JCPenney anchor stores, leaving only The Bon Ton.  I asked a couple people I visited, “where do you buy clothing?”  The only options were KMart, WalMart, and the Bon Ton.  One said Amazon, the other said the outlets (a 45 min drive).  How can you live like that?

After only two days, I was ready to get back home.  My outbound flight was at 3:30, a time where you either get to the airport super-early, or risk being late.  I chose the former, since there was nothing else to do.  I got to the airport, returned the car, and chilled in the airport lobby for an extended time, reading.

When I got up to get some lunch, I found out all the food was behind security, so I guess I’m going through security now.  I was ready.  I remembered the changed regulations, even though none of the agents were making announcements about it.  Ha!  I was ahead of the game.  I put my laptop and kindle and shampoo in a tray and confirmed with the agent that was right.  He said the laptop had to go in a tray by itself.  Fine.  Anything else?  Shoes.  Oh crap.  How did I forget that?  Shoes on the conveyor.  Then over to the scanner.

I got chided last time about doing a body-building pose when they told me to lift my arms, so I kept it simple.  I got out and the guard stepped in front of me.  “Anything in your pockets?”  I patted my pockets.  Oh fuck.  My phone.  I usually put my watch and phone in my carryon while I’m in line.  I forgot.  I pulled out my phone and handed it to him.

“Anything else?”  I patted again.  I had my handkerchief, which I didn’t think was any big deal, my passport, which I sometimes have in my hand when I get scanned, and oh crap, coin change.  I pull the change out sheepishly and hand it to him.  “Anything else?”  Ok, I’m stressing now.  My passport?  He takes that too.  “Anything else.”  Uh, a handkerchief?  He has everything now.  He calls for a bowl from the other agents and sends everything off to get scanned.

“So, you want me to go through again?” I ask.  The agent replies in a very annoyed tone, “No.  Since you had so many things in your pockets, you’re going to have to be patted down.”  Ohhhh FUCK.  The agent then goes into a very long and detailed description of all the different ways he’s going to feel me up.  I’m somewhat in shock, so I don’t hear much of it.  He asks if I want a private room or just do it here.  I said here is fine, as if I give any sort of a shit right now.

I have to take off my belt (which should have come off earlier, I guess), and hold it.  Not much to say.  I got groped plenty around my balls and swiped and rubbed.  That might be bad, but hey, they gotta do their job.  But here’s the stupid thing.  They wiped my hands with some sort of device that probably was checking for explosive residue or similar.  Now, if I was a “t-word”, would I have been so stupid to leave my pockets full going through the scanner?  Bad guys are smarter than that.  I’m just an idiot, and you’re checking me for residue?

I pass with flying colors, gather my shit and get the fuck out of there.  The experience ruined my day completely.  I tried to eat lunch but ate very little.  I wasn’t upset or scarred or anything.  Just mad at myself that I was so focused on the details I totally forgot the basics.

The flight back was much less fun than the flight up.  Much more turbulence and many more passengers.  Two very large women in my row.  Idiot children in front of me, and a baby across the aisle.

But I did make it home safe and my cat was thrilled to see me.  That’s enough travel for a while, I think.

The Social Security GUID

With the recent Equifax debacle, I froze my credit file at all the places I was able to.  But the news still keeps on coming.  Whenever I read about these events, I think, “Why can’t we just request a new Social Security Number, like we can request a new bank account number?”

Well, for one, there’s not a lot of SSNs available. 1.2 billion at the max, and I’m certain that you can’t have SSNs like 000-00-0000, and there’s probably a few other notable blocks that couldn’t be used, so it’s less than that.  And with people constantly dying and being born, those numbers are always getting used up.  If we were to allow people to request new SSNs easily, we would exhaust the available supply very quickly.

So, if we were to reimagine how our country’s income tracking system could be implemented, we should make sure it’s not going to need an update for a very long time.  And when you think of things that are going to last a long time, I think of 128-bit values – GUIDs.

I understand that the retrofit of a new field in databases around the world to accommodate this new ID value would be nigh impossible, so this is just a thought exercise in what we could want from a national identifier.

Foremost, we would want our ID to be replaceable at will, but we would also need to be able to keep a history of former IDs.  For example, if your ID was stolen or leaked, you would simply request a new one, and the old one would be archived.  The old ID would continue to be valid for existing credit lines and other previously established links, but would no longer be valid as a lookup for new lines of credit or other interests.  Ideally, you would update your old accounts with your new number.  Maybe it would be mandatory to keep your ID up to date within a year of changing it.

Second, your ID should not be able to be guessed or calculated.  There are guidelines for the structure of SSNs that indicate approximate year of issue and state issued in.  With a random GUID, there is no such pattern (although it could be somewhat implemented with the resultant loss of security).  The vastness of a 128-bit space would nearly eliminate guessing.  The length of a GUID also means it would be difficult for people to memorize upon overhearing someone else reciting it.

So, if we were going to do this, do it right, do it big. Go from 10 bits to 128 bits and never think about it again.
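To make the thought exercise concrete, here is a toy registry for the replaceable identifier described above.  This is an added example and not part of the original post: identifiers are random version-4 UUIDs (122 random bits out of 128, since RFC 4122 fixes six of them), rotating an ID archives the old one so it still resolves for links that were established while it was current, and only the current ID can be used to open something new.  The class and method names are this example's own assumptions.

```python
"""Added example, not from the post: a replaceable 128-bit national identifier
with an archived history of former values."""
import uuid
from dataclasses import dataclass, field

SSN_SPACE = 10 ** 9        # nine decimal digits, ignoring reserved blocks
UUID4_RANDOM_BITS = 122    # version-4 UUIDs carry 122 random bits


def space_ratio():
    """How many times larger the random-UUID space is than the SSN space."""
    return (2 ** UUID4_RANDOM_BITS) / SSN_SPACE


@dataclass
class Person:
    current_id: uuid.UUID
    archived_ids: list = field(default_factory=list)


class IdentityRegistry:
    """Maps every identifier ever issued to its holder."""

    def __init__(self):
        self._by_id = {}

    def issue(self):
        person = Person(current_id=uuid.uuid4())
        self._by_id[person.current_id] = person
        return person

    def rotate(self, old_id):
        """Replace a leaked identifier. The old one is archived, not deleted."""
        person = self._by_id[old_id]
        if person.current_id != old_id:
            raise ValueError("only the current identifier can be rotated")
        person.archived_ids.append(old_id)
        person.current_id = uuid.uuid4()
        self._by_id[person.current_id] = person
        return person.current_id

    def lookup_for_new_credit(self, some_id):
        """Only a current identifier may open a new line of credit."""
        person = self._by_id.get(some_id)
        if person is None or person.current_id != some_id:
            return None
        return person

    def resolve_existing_link(self, some_id):
        """An archived identifier still resolves for accounts opened while it was current."""
        return self._by_id.get(some_id)


if __name__ == "__main__":
    registry = IdentityRegistry()
    me = registry.issue()
    leaked = me.current_id
    fresh = registry.rotate(leaked)
    print("new credit with old id:", registry.lookup_for_new_credit(leaked))
    print("existing link with old id:", registry.resolve_existing_link(leaked) is me)
    print("new credit with new id:", registry.lookup_for_new_credit(fresh) is me)
    print("UUID space / SSN space = %.1e" % space_ratio())
```

The one-year update requirement from the post would sit on top of this as a timestamp on each archived ID; the registry deliberately never forgets an ID, because the whole point is that old links keep working.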

They Robbed Me Blind

Saturday morning, I went to get in my car and noticed the door wasn’t latched.  Weird.  I got in the car and my glove box was hanging open and my center console door was open.  Really weird.  Then it dawned on me.  My car had been broken into.  I use the term “broken into” loosely because I rarely lock my car doors.  I figure there’s nothing really of value for anyone to steal, and if they do steal something, it’s just an excuse to upgrade.

I looked around and nothing was missing.  This puzzled me.  My CDs were still there, my GPS/dashcam was still there, my MP3 player was still there.  A card wallet with probably $150 in gift cards in it was still there.  Yeah, I don’t expect anyone to steal my CDs, and yeah, they could have grabbed the MP3 player and said, “Oh, it’s a Zune”, but hey, doesn’t everything have some value to a pawn shop?  Are these smart thieves that only steal things of real value?

So whatever, I closed everything up and went about my day, puzzling over the experience.  I didn’t feel violated or anything, just confused.  Like I had such shitty stuff it wasn’t even worth stealing.  As I think about it now, maybe someone just wanted to know what it was like to sit in a car like mine?  But why wouldn’t they close up the storage areas before they left?  By Sunday evening, it didn’t even really mean anything to me.  As I was driving home, I needed to put on my glasses.  I wear glasses only for distance viewing and I need them especially at night to reduce the halo effect of lights.

Where’s my glasses?  They’re not in their usual place.  Seriously?  That’s what they stole, my prescription glasses?  What good will my glasses do them?  What a stupid criminal.

So now, I have to get another eye exam (which is overdue anyway) and get a new pair of prescription glasses.  Like most “disasters” in life, it’s just an inconvenience.

Never Let Your Guard Down

Today, I learned I had been “hacked”.  I say “hacked” in a figurative sense because there wasn’t really a whole lot of hacking involved.  I somewhat left the door open and someone just fiddled around and got in.

I have my own email server that manages a few domains.  I have one domain I don’t do anything with, and on that one, I had created a couple of test accounts for, well, testing.  The problem is, I never disabled them when I was done.  It’s been a while since I did that, so either I didn’t think about the consequences or assumed that since I was working on an inactive domain, no one would try accessing it.  You can’t assume that.

Since “hackers” just use a bunch of scripts to automate “hacking”, they can just let the scripts run and go eat some more pizza.  And that’s what happened to me, probably.  A script found my domain, then immediately went to work trying out different common username/password combos.  And although I have security features that will temporarily blacklist an IP address after so many failures, that had no effect.  The script will just wait until the ban is lifted then continue on.  Time is not a concern.

So, once they got some working credentials, then it was time to deliver the spam.  And boy did they ever.  I had gigabytes of log files and 22k email messages queued for delivery.  How I learned I was hacked was by chance.  I happened to try sending an email during one of the spamfests and got the email returned with the message:

DED : You’ve reached your daily relay quota

At the time I got that message, I thought it was being returned by the domain I was sending to.  Later, on a whim, I decided to check my own server and was shocked at what I saw.  I immediately shut down the email service and started clearing out all the trash.  Then I changed all the account passwords and disabled all the unused accounts and restarted the server.  The log files showed someone trying to log in using test2@mydomain.com and failing.  Bastards.
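The per-IP blacklist described above only ever looks at one source at a time, which is exactly why a patient script gets through.  As an added example (not from the post, and using a log format and thresholds of my own), this groups authentication failures by account as well as by address, so a slow guessing campaign that rotates addresses, and the successful login that eventually follows it, still stand out.  The log lines are constructed for the example.

```python
"""Added example, not from the post: detection over constructed SMTP auth logs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a script guessing a dormant test account, first in a
# burst from one address (which a per-IP ban catches), then slowly from
# several others (which it does not), until it succeeds and starts relaying.
SAMPLE_LOG = """\
2017-03-01T02:10:04 smtpd auth failed user=test2@example.net ip=203.0.113.7
2017-03-01T02:10:09 smtpd auth failed user=test2@example.net ip=203.0.113.7
2017-03-01T02:10:15 smtpd auth failed user=test2@example.net ip=203.0.113.7
2017-03-01T02:10:21 smtpd auth failed user=test2@example.net ip=203.0.113.7
2017-03-01T02:10:26 smtpd auth failed user=test2@example.net ip=203.0.113.7
2017-03-01T02:40:03 smtpd auth failed user=test2@example.net ip=198.51.100.22
2017-03-01T03:15:44 smtpd auth failed user=test2@example.net ip=198.51.100.23
2017-03-01T03:52:10 smtpd auth failed user=test2@example.net ip=198.51.100.24
2017-03-01T04:30:01 smtpd auth ok user=test2@example.net ip=198.51.100.25
2017-03-01T04:30:02 smtpd relay from=test2@example.net rcpt=victim1@example.org
2017-03-01T07:00:00 smtpd auth ok user=alice@example.net ip=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) smtpd auth (?P<result>failed|ok) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

PER_IP_BAN_THRESHOLD = 5     # what a fail2ban-style per-address rule acts on
PER_ACCOUNT_THRESHOLD = 6    # failures against one account from any sources
DISTINCT_IP_THRESHOLD = 3    # failures against one account from this many sources


def parse_auth_events(log_text):
    """Keep only authentication lines; relay and other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["result"] == "ok",
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def analyse(events):
    """Return addresses to ban, accounts under attack, and accounts that were
    logged into after a guessing campaign (the ones to lock and reset)."""
    fails_by_ip = defaultdict(int)
    fails_by_user = defaultdict(int)
    ips_by_user = defaultdict(set)
    compromised = set()
    for e in events:
        if e["ok"]:
            under_attack = (fails_by_user[e["user"]] >= PER_ACCOUNT_THRESHOLD
                            or len(ips_by_user[e["user"]]) >= DISTINCT_IP_THRESHOLD)
            if under_attack:
                compromised.add(e["user"])
        else:
            fails_by_ip[e["ip"]] += 1
            fails_by_user[e["user"]] += 1
            ips_by_user[e["user"]].add(e["ip"])
    ban_ips = sorted(ip for ip, n in fails_by_ip.items() if n >= PER_IP_BAN_THRESHOLD)
    targeted = sorted(u for u in fails_by_user
                      if fails_by_user[u] >= PER_ACCOUNT_THRESHOLD
                      or len(ips_by_user[u]) >= DISTINCT_IP_THRESHOLD)
    return {"ban_ips": ban_ips,
            "targeted_accounts": targeted,
            "compromised_accounts": sorted(compromised)}


if __name__ == "__main__":
    report = analyse(parse_auth_events(SAMPLE_LOG))
    for key, value in report.items():
        print("%-22s %s" % (key + ":", ", ".join(value) or "-"))
```

On the sample, only 203.0.113.7 ever trips the per-address rule; the three 198.51.100.x addresses stay under it, but the account view still flags test2 as targeted and then as compromised the moment a login succeeds.  Disabling the unused account in the first place remains the real fix.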

It’s my own fault, for sure.  But it’s terrible that you can’t stop being paranoid for a second on the Internet.  They’re always out to get you.

SpamBastard–1aauto.com

I had an application idea at one time and actually finished writing it, but ended up never doing anything with it once it was live.  It was spambastard.com and its purpose was to catch companies that would sell, lose, or otherwise mishandle your email address info.  The concept was simple.  You sign up for a site using that site’s domain name as your username @spambastard.com, and if any email comes in with a mismatch between the FROM domain name and the TO username (the part before the @), the email address would be considered compromised.

That domain and application is long dead, but I’ve been able to replicate the same concept with my personal email domain.  That eliminates the hassle of creating a second account for every site I sign up for (one with my real email and one with a spambastard email).  To date, I’ve only had a few cases where I’ve had to take action.  Those cases are:

  • albumartexchange.com – There are many people including myself who posted on their forum and complained that they received PayPal phishing emails to their unique email address.  The website did not respond.
  • lakelandlelectric.com – That debacle was chronicled already.  The utility company did follow up with an explanation of how it happened and how the process was unfortunately legal.  They said they would push for tougher laws on keeping customer information private.  This prompted a follow-up email from the spammer who was incredulous that government would try to reduce transparency.  See, transparency is only good when it works in your favor.
  • paypal.com – This got compromised after only nine people knew of its existence.  Whether it was sold or stolen, I don’t know for sure, but I am pretty confident that some eBay seller has a compromised account and a spammer is looting their customer list.
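The mismatch rule itself is short enough to show.  This is an added example rather than the original spambastard code: it parses a message, works out which site a per-site alias was issued to (the local-part before the @), and flags the address as leaked when the sender’s domain is not that site or a subdomain of it.  The alias domain, the sender domains and the three messages are constructed for the example.

```python
"""Added example, not from the post: the spambastard mismatch rule applied to a
mailbox that hands out per-site aliases on a personal domain."""
import email
import email.utils
from email import policy

ALIAS_DOMAIN = "example.net"   # constructed stand-in for the personal domain


def registrable_domain(host):
    """Crude 'site' extraction: the last two labels (fine for .com-style names)."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:])


def from_domain(msg):
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower()


def alias_site(msg):
    """Return the site a per-site alias was issued to, or None for a normal address.

    An alias local-part looks like a domain (it contains a dot); 'me@example.net'
    is an ordinary mailbox and is not checked."""
    for header in ("To", "Delivered-To"):
        addr = email.utils.parseaddr(msg.get(header, ""))[1].lower()
        if addr.endswith("@" + ALIAS_DOMAIN):
            local = addr.split("@", 1)[0]
            if "." in local:
                return local
    return None


def check_message(raw):
    """Return (alias_site, sender_domain, leaked)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = from_domain(msg)
    site = alias_site(msg)
    if site is None:
        return None, sender, False
    leaked = registrable_domain(sender) != registrable_domain(site)
    return site, sender, leaked


# Constructed messages.
MSG_LEGIT = """\
From: "Shop Orders" <orders@mail.shop.example>
To: shop.example@example.net
Subject: Your order has shipped

Thanks for your order.
"""

MSG_LEAK = """\
From: newsletter@political-mailer.example
To: shop.example@example.net
Subject: Join our campaign

You were added to this list via opt-in.
"""

MSG_PLAIN = """\
From: friend@somewhere.example
To: me@example.net
Subject: Lunch?

Are you free Thursday?
"""

if __name__ == "__main__":
    for raw in (MSG_LEGIT, MSG_LEAK, MSG_PLAIN):
        site, sender, leaked = check_message(raw)
        print("alias for %-14s from %-26s leaked=%s" % (site, sender, leaked))
```

A real deployment would also follow the post’s conclusion: once an alias is flagged, retire it at the mail server rather than chase unsubscribe links.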

Now we can add to the list – 1aauto.com.  I placed an order with their site in January (remember when the punks broke the mirror off my car?).  Today, I get a political email from John Kasich’s New Day For America to that email.  So I immediately send a message to 1aauto.com saying they’ve either sold or given away my info or their customer database has been hacked.  So which is it?  I got a pretty quick response.

Hello and thank you for your email.

I do apologize that you received a spam email to your account. I can assure you that your information is secure and we have not experienced any kind of hacking. We do keep our customer information confidential and secure and have several measures put in place to prevent against fraud and stolen identity.

Thank you for notifying us. We will keep tabs on this and look into what we can do to prevent this from happening in the future.

So, I guess the answer is the owner sold out his customers to promote his choice of political candidate.  The fact that this happened at all negates the statement “We do keep our customer information confidential”.  As far as what they can do to prevent it from happening in the future, that’s simple.  Don’t do what you did again.

Thanks to spam law requirements, the spam email footer confirms the email address that it was sent to.  It tells me that I was added to the list on 2/24/16 via opt-in (gee, I don’t remember that), and gives me ways to unsubscribe.

There’s no sense in unsubscribing.  The email address is out in the wild and is now worthless.  Do I want to spend my life unsubscribing from every email campaign that gets that email or do I want to kill off the email?  The choice is pretty simple.

This scenario makes me pity people who only have a single email address, like @gmail.com or @outlook.com or @yahoo.com.  They don’t have the option of closing their account or changing their address.  Consider how easy it is for me, every email (except my personal email) is known to exactly one company.  Email gets compromised, only one place to change it.