Poor-quality passwords at a major Canadian bank

At TD-Canada Trust I just noticed that their passwords must conform to the following ridiculous password policy:

  • be 5 to 8 characters in length
  • not contain spaces or special characters (e.g. #, &, @)

Now I have no inside knowledge of what TD is using to store their passwords, and I have no inside knowledge of what hardware and software they are employing to protect their network. However, this password policy is both strange and incredibly scary. A 5 to 8 character password is not very strong, and mandating that it NOT contain special characters weakens it further! The rest of the internet is trying to make passwords stronger, and this major Canadian bank is forcing its customers to use weak passwords!

These are VERY weak passwords

With only a-z, A-Z and 0-9 there are 26*2 + 10 = 62 possible characters for each position, which means there are 62^8 = 218,340,105,584,896 possible 8-character TD EasyWeb passwords. This sounds like a large number, but it’s really not. Here’s why…

Let us assume that this bank is using IBM WebSEAL, which is very popular with banks and insurance companies, and which, incredibly, only supports SHA1 for password hashing (in version 6.1 at least). This is a VERY poor choice for mathematically protecting passwords.

A free and easily accessible tool such as Hashcat can try 2,136,000,000 SHA1 password combinations a second on a 64-bit Windows 7 computer with a single AMD graphics card. This number goes up as you add more of these graphics cards to your computer.

So if we take the total number of possible passwords and divide it by the speed at which Hashcat can try them, we get 102,219 seconds, or about 28 hours! We can reverse-engineer every possible SHA1-hashed 8-character password in a little over a day with an average computer. Of course, if we could get the list of user IDs and hashed passwords for their website then we wouldn’t need to crack every single possible password; we could just crack the ones that are actually in use.
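The crack-time estimate above, carried out as an added example (not code from the original post). It reproduces the post’s 62^8 figure and the 28-hour result, then extends the same keyspace-over-rate calculation to the full 5-to-8 length range and to a constructed comparison policy (12 characters from the 95 printable ASCII characters), so the effect of the policy on worst-case cracking time is visible side by side.

```python
from dataclasses import dataclass

# Hashcat SHA1 rate quoted in the post for one AMD card on a 64-bit Windows 7 machine.
HASHCAT_SHA1_PER_SECOND = 2_136_000_000
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


@dataclass(frozen=True)
class PasswordPolicy:
    """A policy described by its alphabet size and permitted length range."""
    name: str
    alphabet_size: int
    min_length: int
    max_length: int

    def keyspace(self) -> int:
        """Distinct passwords the policy permits, summed over every allowed length."""
        return sum(self.alphabet_size ** n
                   for n in range(self.min_length, self.max_length + 1))


def seconds_to_exhaust(keyspace: int, guesses_per_second: int) -> float:
    """Worst-case time to hash every candidate once at the given rate (no salting assumed)."""
    return keyspace / guesses_per_second


# The post's own case: 62 alphanumerics, exactly 8 characters.
EIGHT_CHAR_ALNUM = PasswordPolicy("exactly 8 alphanumeric", 62, 8, 8)
# The bank policy as stated: 5 to 8 alphanumerics, so the shorter lengths count as well.
BANK_POLICY = PasswordPolicy("5-8 alphanumeric, no specials", 62, 5, 8)
# Constructed comparison policy (assumption, not from the post): 12 printable ASCII characters.
STRONG_POLICY = PasswordPolicy("12 chars, 95 printable ASCII (assumed)", 95, 12, 12)


def compare(policies, guesses_per_second=HASHCAT_SHA1_PER_SECOND):
    """Return (name, keyspace, hours, years) for each policy at the given hash rate."""
    rows = []
    for p in policies:
        secs = seconds_to_exhaust(p.keyspace(), guesses_per_second)
        rows.append((p.name, p.keyspace(), secs / SECONDS_PER_HOUR, secs / SECONDS_PER_YEAR))
    return rows


if __name__ == "__main__":
    for name, space, hours, years in compare([EIGHT_CHAR_ALNUM, BANK_POLICY, STRONG_POLICY]):
        print(f"{name:40} {space:>26,} {hours:>16,.1f} h {years:>16,.1f} y")
```

Raising the rate (more cards) scales every row down linearly, while lengthening the alphabet or the password scales the keyspace up exponentially, which is why the policy matters more than the hardware.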

So if we could steal the log-in credentials for TD EasyWeb then we could easily reverse engineer these passwords and log in to EasyWeb. That’s a pretty big if, but it’s not impossible.

Of course, you probably use your bank password at other websites as well – it’s supposed to be secure right?  So if attackers can get this password where else can they now get access to?

The recent TD Denial of Service

What makes this low-strength password policy scary is that on Friday TD Bank was hit by a “targeted” distributed denial of service attack. A denial of service attack is when attackers use hundreds of computers around the internet to bombard a website with requests, overloading the webservers and preventing legitimate users of the website from getting through. The bank has said that “the security breach did not compromise clients’ accounts or personal data.”

However, attackers frequently use denial of service attacks to camouflage data breach attacks. In December of 2012 the US Treasury Department issued a statement saying:

A DDoS attack seeks to deny Internet access to bank services by directing waves of Internet-based traffic from compromised computers to the bank. …  Fraudsters also use DDoS attacks to distract bank personnel and technical resources while they gain unauthorized remote access to a customer’s account and commit fraud through Automated Clearing House (ACH) and wire transfers (account takeover).

So while the bank has indicated that no data was lost, if this DDoS was actually camouflage for a data breach it may be some time before the nature of the breach surfaces.

Conclusion

Again, I have no inside knowledge of TD’s systems, security measures, password storage mechanism, etc. I am just a concerned computer security person writing about a possibility.  It is my sincere hope that TD uses incredibly strong password hashing algorithms combined with secure password salts. I also hope that this DDoS attack was launched by a bunch of script-kiddies or a group like Izz ad-Din al-Qassam Cyber Fighters that are just looking to disrupt things for the bank for a while.

Nevertheless, if you bank with TD EasyWeb then I recommend that you change your EasyWeb password, and your password at any other websites using that same password. If during the DDoS the attackers were able to compromise TD’s systems and steal their credential data (user IDs and passwords) then changing your password now could help protect your bank account. If no data was stolen, you probably haven’t changed your banking password in a while anyway, and changing it now to something new is still a good idea. 🙂

Robert

PS. If you’re looking to improve your passwords in general, then I strongly recommend you check out the KeePass password manager. It’s free and can create very strong and very long passwords – and then it remembers them for you. 🙂


WordPress comment thank you plugin

I really wanted to thank people for commenting on a post. After some searching I found the perfect and very easy to use WordPress comment thank you plugin: Comment Redirect. The plugin is written by Joost de Valk, the same gentleman who writes the WordPress SEO plugin that I love. Joost seems to have a knack for creating powerful yet easy-to-use WordPress plugins that make websites better. Basically, what the plug-in does is take a user to any page you configure after the user submits a comment. In my case, I made a thank-you page that users will see after submitting a comment.

Installing the plug-in

Installing the plug-in was easy; I simply went to the “Plugins | Add New” menu item:

Adding-a-plugin-1

Then typed in the name of the plug-in:  “Comment Redirect”:

Wordpress searching and installing a plugin by name

Then followed the prompts to install and activate the plug-in.

Configuring the WordPress comment thank you plugin

The settings are under the plug-in menu, which you can see here:

Configuring the WordPress comment thank you plugin

The settings page is pretty simple, and allows you to choose a redirect page using a drop-down.

So then I wrote a thank-you page, and chose that page from the Comment Redirect settings page.

Tweaking the thank-you page

The only trick was that I didn’t want comments on the comment thank you page!  So on the “Pages | All Pages” screen in WordPress I hovered over the thank-you page, and then clicked on “Quick edit”.  Then I turned OFF “Allow Comments”:

Wordpress Turning off comments for a page

Now when people post to my blog, the WordPress comment thank you plugin automatically takes users to a special thank-you page. I really enjoy getting comments (even negative ones) because it’s feedback for the hard work of writing a post, and a reminder that people are actually reading (and sometimes appreciating) my content. So thanking them makes sense!

I hope that helps!

Robert

Chrome never loads any pages

While I’m building my websites I use IE and Firefox, and I also wanted to use Chrome (v25.0.1364.152m). Unfortunately, it just hangs forever, and never loads any page. I’ve turned off firewalls, etc. but to no avail.

Finally, I found this link pointing to this helpful page.

Basically, Chrome doesn’t agree with my NVidia graphics card when also running DisplayLink (I have three monitors).

To tell Chrome not to use the GPU for rendering pages, open Chrome and type in this URL: chrome://flags

Now scroll down to the “GPU compositing on all pages” and change the drop-down to Disabled.

Things seem to work pretty well now, and I can actually use Chrome to browse to pages.

Unfortunately, Flash doesn’t work, as demonstrated by this YouTube screenshot:

But at least I can test my website with Chrome.

A better Chrome/DisplayLink solution

A better solution is documented on the DisplayLink website: update the Chrome start-up icon to use the -reduce-gpu-sandbox switch (it’s spelled incorrectly in the text of the DisplayLink support page, but correctly in their image):

Add this:

Chrome now works and Flash still works:

Other problems with DisplayLink

This is not the first time DisplayLink has caused me problems. Rotating my 3rd monitor to portrait mode regularly crashed the DisplayLink driver, and under Windows 8 DisplayLink caused the entire computer to crash or blue-screen regularly.

When I posted to their forums the response was dramatically unhelpful. If you can use a different USB display adapter I would recommend it.

Robert

Choosing a great website creation tool – found!

So in my search for a great small-business website creation tool I had tried Drupal, and then tried a whole host of .NET content management systems.  None of these allowed me the freedom to easily create a small business website.  However during this process I had learned something very important:  my original goals were incomplete.  They were too focused on functional requirements, without any consideration for non-functional requirements.

The new non-functional requirements I had discovered were:

  1. Open source: or at the very least a product with no content amount restrictions.
  2. Great support: When something isn’t working and I need help it should be quick and easy to find.
  3. Flexible and extensible: my needs for the website are frequently changing, so the selected website creation tool should have enough extensions that this is easy to do.

So once again I started searching for a great content management system, but this time I tried searching with Google Trends.

Using Google trends to find a small-business website creation tool

My first search was still on .NET content management systems (CMS):

Google Trends - .NET CMS comparison

This was very interesting: DotNetNuke’s popularity is clearly waning, while Umbraco’s popularity was increasing. This was more reason not to use DotNetNuke, and I had already ruled out Umbraco for other reasons. Then I compared basically all of the major .NET CMS website creation tools against the popular open-source PHP-based website creation tool WordPress:

Google Trends: WordPress vs .NET CMS tools

WOW! WordPress makes the .NET CMS tools look like they’re flat-lining at zero! Additionally, WordPress just keeps getting more popular! And unlike Umbraco, the core WordPress community seems to think really hard before they add features to the core.

So now I was curious; how did WordPress as a small-business website creation tool compare to other open-source PHP based CMS tools?

Google Trends: PHP CMS tools

It seems clear that WordPress rules the open-source content management world, and just dominates any kind of .NET CMS tool.  Interestingly, WordPress overtook Joomla around 2009-2010, around when WordPress 3.0 introduced custom-post-types, allowing content authors to create their own content types (much like Drupal’s CCK).  This is an incredibly important feature I’ll blog about soon because with the right plug-ins custom post types allow WordPress to separate content from presentation.

Choosing WordPress

So the masses of internet denizens obviously really like using WordPress.  These graphs also mean that WordPress will almost certainly meet my functional and non-functional requirements.

Non-functional requirements

First, let’s examine my newly discovered non-functional requirements for a website creation tool:

  1. Open source
    Obviously WordPress is open-source and free and I can store as much content as I want. It runs on MySQL (or MariaDB – more on that later) which should be able to easily handle the amount of content I could ever hope to generate.
  2. Great support
    As the graphs above demonstrate, WordPress clearly dominates the Google search results, so it should be easy to find help.  In using WordPress for the last few months any time I have had a problem or issue with WordPress somebody else has already solved it and written about it on the internet.  This means that I can solve most website problems within 10 minutes.  Amazing.  This was just not the case with the .NET CMS tools.
  3. Flexible and extensible
    I have found that WordPress has thousands of plug-ins that can do anything you need.  I have yet to search for some extensible behaviour and not find ten plug-ins offering the required functionality.  So far this has meant I can easily customize my websites in any way I want.  And the plug-ins are almost always free.
    With the .NET tools if it didn’t come with the CMS it was unlikely to exist.  The one exception was DotNetNuke, where most plug-ins were expensive, and/or seemed to be very poor quality (probably why its Google Trends graph has been decreasing for so long).

Functional requirements

Here is my original list of functional requirements for a website creation tool:

  1. Quickly and easily choose a skin/theme so the site looks good
  2. Easily edit my content!
  3. Host video tutorials
  4. Provide a help forum
  5. Provide social-sharing buttons
  6. Provide an easy way to download my application, perhaps after the visitor provides an e-mail address
  7. Have good Search Engine Optimization (SEO) to help people find my website
  8. Possibly provide a way to offer an e-mail newsletter
  9. Have a Contact-us form (pretty basic stuff)
  10. Provide version-control for my content, for when I mess something up
  11. Provide the ability to easily use tabbed content, etc.
  12. Integrate with CloudFlare
  13. And of course, provide a level of website security so my business website isn’t hacked!

With the right set of plug-ins WordPress satisfies all of these requirements, and proves that it is a great website creation tool.  Of course, it has taken me several months of searching, comparing and trying different plug-ins, but I now have a wonderful set of plug-ins that allow me to easily craft web pages, separate content from presentation, implement security, etc.  I’m going to write about the plug-ins I found, but the next post will be a quick introduction to WordPress compared to some of the other CMS tools I’ve used.

Finally, while WordPress is the most amazing CMS system I’ve used (short of big enterprise solutions) it’s still not perfect, so I’m also going to write about the shortcomings that I still haven’t solved yet.

Conclusion

Over the last two months I have had more success with WordPress than I have had with any other website creation tool in the last two years. I created a photography website for my sister-in-law in an afternoon. I created a very secure small business website in a week – and most of that time was researching and writing content. I’m now working on another small business website with a completely different look and things are going very well.

WordPress is a powerful, easy-to-use and easy-to-extend website creation tool and content management system, and I couldn’t be happier that my search for a good website building tool has ended.

Robert

Website security

I’ve installed several security tools on my website, and what’s interesting is that I get notified whenever somebody attempts to login:

A user with IP address XXX.XX.XXX.XX has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid user-name to try to sign in.
User IP: XXX.XX.XXX.XX
User host name: XXXXXXX.XX

I get about 50 of these warnings a day from different IP addresses/different host names, and my question to everybody trying to hack into the website is why?
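A small triage script for the lock-out notices quoted above, added here as an example (not part of the original post). It parses the notice format shown, tallies notices per source IP and per reason, and separates one-off sources from repeat offenders, which is the first thing to look at when deciding whether 50 notices a day are one scanner or many. The sample notices are constructed, using documentation IP ranges and example.net hostnames, and the second reason string is invented for the sample.

```python
import re
from collections import Counter

# Regex for the notice format quoted in the post. The IP appears twice; the two
# copies are compared as a sanity check on the parse.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
NOTICE_RE = re.compile(
    r"A user with IP address (?P<ip>" + IP + r") has been locked out"
    r".*?for the following reason: (?P<reason>[^\n]+?)\s*\n"
    r"User IP: (?P<ip2>" + IP + r")\s*\n"
    r"User host name: (?P<host>\S+)",
    re.DOTALL,
)

# Constructed sample: four notices in the post's format (IPs from documentation ranges).
TEMPLATE = ("A user with IP address {ip} has been locked out from the signing in or using "
            "the password recovery form for the following reason: {reason}\n"
            "User IP: {ip}\nUser host name: {host}\n")
INVALID_USER = "Used an invalid user-name to try to sign in."
SAMPLE_NOTICES = "\n".join(TEMPLATE.format(ip=ip, host=host, reason=reason) for ip, host, reason in [
    ("203.0.113.10", "host-10.example.net", INVALID_USER),
    ("198.51.100.7", "host-7.example.net", INVALID_USER),
    ("192.0.2.44", "host-44.example.net", INVALID_USER),
    ("203.0.113.10", "host-10.example.net", "Too many failed sign-in attempts."),  # invented reason
])


def parse_notices(text):
    """Return one dict per well-formed notice found in a mailbox dump."""
    notices = []
    for m in NOTICE_RE.finditer(text):
        if m.group("ip") != m.group("ip2"):
            continue  # malformed notice: skip rather than attribute it to the wrong source
        notices.append({"ip": m.group("ip"), "host": m.group("host"),
                        "reason": m.group("reason").strip()})
    return notices


def summarize(notices):
    """Aggregate notices: totals, distinct sources, repeat offenders and reason breakdown."""
    by_ip = Counter(n["ip"] for n in notices)
    return {
        "total": len(notices),
        "distinct_ips": len(by_ip),
        "repeat_offenders": {ip: c for ip, c in by_ip.items() if c > 1},
        "by_reason": dict(Counter(n["reason"] for n in notices)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_notices(SAMPLE_NOTICES)).items():
        print(f"{key}: {value}")
```

Many distinct IPs with one notice each points to a distributed scan of common usernames; a few IPs with many notices is a candidate for a firewall block.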

Please feel free to comment below.

Robert


Upgrading Linksys E4200 with Tomato Firmware

Low-end home routers are typically very poor, so 1½ years ago I bought a high-end Cisco/Linksys E4200. While I was living in the city this router was rock solid, wireless connectivity was great (unlike my previous router) and I basically didn’t think about it. Then I moved to the country, and my internet was up-and-down like a yo-yo. We couldn’t watch Netflix without 5 or 6 interruptions and retries.

Linksys E4200
The Cisco Linksys E4200 – good hardware, bad Cisco firmware

The only thing that had changed – I thought – was the new internet service provider (ISP). So I called them, and talked with them, and complained, and nothing. Last week one of their technicians said, “Just do me a favour, and go directly from your computer to the modem”. I figured this was a waste of time, because the router had been so rock-solid while I lived in the city.

To my surprise, the internet was suddenly rock-solid and my download speeds increased about 2 Mbps!

So it was the Linksys router! A quick internet search revealed a Cisco forum with many complaints that the router didn’t work correctly with PPPoE. Bingo. The good news here is that I could fix the problem – I didn’t need my ISP to solve it for me. But how to fix it? I didn’t want to fork over more money for a new router that had new problems I didn’t know about.

Open source router firmware for the Linksys E4200

The Cisco Linksys E4200 v1 has the Broadcom BCM4716 chipset.

This InfoWorld article discusses 6 open-source router firmware options. Some research into DD-WRT made it obvious that it may or may not work with the Linksys E4200. However, a search for “Linksys E4200 Tomato” immediately revealed that Tomato would work with the v1 version of the router (not the v2, which uses a different chipset). I found the firmware here and easily uploaded it to the router.

This was the file I downloaded:

tomato-E4200USB-NVRAM60K-1.28.0497.1MIPSR2-Toastman-VLAN-RT-N-VPN.bin

and installing it with the default Cisco firmware upgrade GUI (under the Administrative menu option) was trivial.

I then did a 30-30-30 reboot, which is pressing the reset button on the router for 30 seconds, unplugging it while still holding the reset button for another 30 seconds, and then plugging it back in while still holding the reset button for a final 30 seconds.

Then I went to http://192.168.1.1 and logged in with admin/admin. I enabled DHCP, configured PPPoE and everything – including the 5GHz – is working wonderfully. I’ve been connected consistently for several days now, and it’s wonderful.

So I would like to thank the Tomato group and Toastman for building such a slick open-source router firmware. Thanks guys!!

Robert