Stupid security measures, a contest

Hadmut Danisch hadmut at danisch.de
Thu Feb 13 12:13:27 EST 2003 

On Wed, Feb 12, 2003 at 06:10:56PM -0500, Matt Blaze wrote:
> If I were looking for a "winner" for this, I'd be especially interested
> in measures that end up reducing security rather than improving it.


One of the worst security measures I've ever personally seen:

Some years ago I was invited as an expert (for security) into a german
ministry/government department. I received a paper document which was
classified as "confidential". I was asked to take it with me, read it,
comment it, and then put it in a paper shredder.

As usual, every page of the document was marked as "confidential"
by having a large, bright grey writing from the bottom left to the
top right corner as a background of the text. (like the latex
draftcopy style)

At this time I was working at the University, and the University was 
short of money, so we had only a very cheap paper shredder which was
cutting the paper only in stripes of about 3-4 mm width instead of 
little particles as expensive shredders do. Usually it is still too 
difficult to sort the stripes.

It turned out that it was just the diagonal "confidential" label which
made it absolutely easy to sort the stripes and to reassemble the 
pages within seconds.




Another example:

There's a german bank which provides Internet Banking through a ssl
secured web page, which is after all not a bad idea. When you're on
the web page, it opens a new browser window through java script, which
then gives you access to the banking and asks for account number and
pin.

The web designers decided to open a window without the usual
browser decoration, i.e. without showing the URL the page came
from:

function openwin(){


var WinName='Internetbanking';

if(is.ie){
  var param='"toolbar=no,menubar=no,scrollbars=yes,resizable=yes,status=yes,width=800,height=600"';
  var url='/OnlineBanking/fs_ie.html';
}
if(is.ns){
   var param='"toolbar=no,menubar=no,scrollbars=yes,resizable=no,status=yes,width=800,height=600"';
   var url='/OnlineBanking/fs_ns.html';
}
msg=open(url,WinName,param); 
}



So when you're on this page, you're on an encrypted page and the
browser shows the padlock symbol promising "security", but you can't
see whom you are talking with. So you could redirect the browser to
any other webserver with a valid SSL certificate and provide webpages
with a similar appearence, and ...[you know what].

I've contacted that bank and tried to explain the problem. 
They completely denied it and claimed that they have high
level experts, much more experienced than I am, and that they
all said that they use SSL with 128 Bit encryption, which is
absolutely unbreakable. :-)

(If you wanna see it, try https://banking.diba.de . You could
argue that it is not trivial to intercept and modify this already
ssl-encrypted page to perform some redirection. I've given this 
URL only for those who don't speak german and can't navigate through
the menues. Usually people start at http://www.diba.de, and with some
simple DNS spoofing or attack on a proxy it could simply redirect
telebanking to anywhere.)



regards
Hadmut

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list