Archive — Security

New sim swap hacks highlight carriers’ wobbly security — Martha Degrasse, Light Reading

Researchers at Princeton University called three of the four major [US] carriers and tried to convince customer service representatives to move phone numbers to new sim cards. Verizon, AT&T and T-Mobile each received ten calls from the researchers, who posed as customers.

Astoundingly, in all 30 cases the fake customers successfully convinced the carriers to move the numbers to new sim cards.

This matters because so many other services (such as banking systems) rely on SMS for authentication. If you only need to convince one customer service representative to swap a phone number, you could potentially have access to… almost anything.

Scapegoating user experience design — Khoi Vinh, Subtraction

An article published yesterday in The Washington Post demonstrates the danger of design’s failure to broaden popular understanding of our craft.

The article pinpoints Nest’s focus on reducing friction as the reason for their cameras’ weak security.

Khoi Vinh points out that…

…the concept of user experience writ large is not to blame here; what’s actually at fault is bad user experience practice.

The point being that good security is fundamental to good user experience. As any good designer would know, they are not in conflict. Quite the opposite, in fact.

It strikes me that Nest are using ‘reducing friction’ as a poor excuse for not implementing better security. I’m sure they’re not the only ones guilty of this.

On another point, this article got me thinking about journalism. Khoi Vinh refuses to blame the Washington Post’s perspective on “lazy journalism”, perhaps correctly.

But any time I read a mainstream/non-specialist journalist write about a topic I know a little about (motorsport, the web, whatever), I’m always astonished at how many basic errors are made. It’s a challenge if designers want the help of journalism when “explaining what it is that we do to the world at large.”

A more complicated web — Christian Heilmann

A useful explanation as to why we can’t return to “a simpler web” that enabled anyone to easily become a publisher.

What we consider a way to express ourselves on the web – our personal web site – is a welcome opportunity for attackers… [I]t can be recruited as a part of a botnet or to store illegal and malicious content for re-distribution.

So, to me, there is no such thing as going back to the good old web where everything was simple. It never was. What we need now to match the siren call of closed garden publishers is making it easier to publish on the web. And to control your data and protect that of your users. This isn’t a technical problem – it is one of user interfaces, services and tools that make the new complexity of the web manageable.

I’m not sure I fully agree with (or even understand) his proposed way forward. But it’s useful to think about how we can balance the desire to encourage self-publishing with fully robust, secure solutions. The game changed long ago.

For owners of Amazon’s Ring security cameras, strangers may have been watching — Sam Biddle, the Intercept

This is jaw-dropping stuff about lacklustre security practices at Ring, the smart doorbell manufacturer — as well as a story about rather lacklustre technology problems. Perhaps I’m naive, but I’m amazed that unencrypted live video footage is available to Ring employees at all. It makes me think twice about internet of things gadgets.

Security design: Stop trying to fix the user

On the tendency of security approaches to rely on somehow educating users on this complex problem.

I’ve read dozens of studies about how to get people to pay attention to security warnings. We can tweak their wording, highlight them in red, and jiggle them on the screen, but nothing works because users know the warnings are invariably meaningless. They don’t see “the certificate has expired; are you sure you want to go to this webpage?” They see, “I’m an annoying message preventing you from reading a webpage. Click here to get rid of me.”…

We must stop trying to fix the user to achieve security. We’ll never get there, and research toward those goals just obscures the real problems. Usable security does not mean “getting people to do what we want.” It means creating security that works, given (or despite) what people do.

The same could be said for usability of any kind — but it seems especially vital in this case.

Via Khürt Williams.

Stylish browser extension steals all your internet history

If you use the Stylish browser extension, you ought to have a read of this. It might make you want to uninstall it immediately, as I did.

It appears that last year Stylish began collecting users’ data, including their full browser history, and even the contents of Google search results.

The above blog post explains exactly what is going on, and why it is a problem.

This is a great shame because Stylish provided a brilliant function enabling you to improve bad or unsuitable web designs very easily. I even created a style that improved the user interface for live timing on Formula1.com — which I still used up to last weekend, and has been installed by almost 500 others.

Not any more — I have uninstalled Stylish from my browser.

Note — 2018-01-30

Virgin Media have sent an email suggesting ‘safe’ passwords for people to use.

"As an example, ‘Password’ is weak and easy to break. But ‘v!rGiNM3d1A1’ or ‘Z89_!3b2aa43’ are much harder for hackers to crack."

…They’re not much harder any more. 🤦‍♂️

Triple Meltdown: How so many researchers found a 20-year-old chip flaw at the same time

It transpires that Meltdown and Spectre, the two major security bugs recently announced in processors, were discovered by several researchers who all had the same idea at a similar time. This is despite the flaws having existed for decades.

Something happens in the community and it leads people to think, let’s look over here. And then they do. And it definitely occurs way more often than chance.

This fascinating article also considers how long intelligence agencies may have known about this and other computer security issues.
