Analysing Risk – A Story

Just like my last blog, this is based on an internal blog that our most experienced software tester wrote. She seems to love Michael Bolton, but not the singer. Michael Bolton is also the name of a software tester who is the co-author of Rapid Software Testing (see About the Authors — Rapid Software Testing (rapid-software-testing.com)).


She said that Michael Bolton was asked the following question:

Q: My client wants to do risk analysis for the whole product, they have outlined all modules. I got asked to give input. Do we have a practical example for that? I want to know more about it.

Tester

Michael: Consider the basic risk story –

Some victim will suffer a problem because of a vulnerability in the product (or system) which is triggered by some threat.

Start with any of those keywords, and imagine how it connects with the others.

Who might suffer loss, harm, bad feelings, diminished value, trouble?

How might they suffer?

What kinds of problems might they experience? What Bad Things could happen? What Good Things might fail to happen?

Where are there vulnerabilities or weaknesses or bugs in the product, such that the problem might manifest? What good things are missing?

What combinations of vulnerability plus specific conditions could allow the problem to actually happen?

When might they happen? Why? On what platforms? How?

Our tester stated “This is a brilliant definition of risk. It is also a somewhat intimidating list of questions. If you are looking at this and thinking, “That’s hard!” you’re absolutely right. Good testing is hard. It’s deep, challenging, exhausting. It will make you weep, laugh, sigh from relief. But it’s also tremendous fun.”

Rockstar Games cracked sales

Blog Based on Modern Vintage Gamer’s video:

Rockstar Games created big franchises like Grand Theft Auto, Red Dead Redemption, Max Payne, and other games like Bully and Manhunt.

Rockstar are quite protective of their intellectual property, and will take game modders to court, but were recently caught selling their own games with a cracked executable created by the software cracking groups “Razor 1911” and “Myth”. The cracked executable files remove the anti-piracy DRM (Digital Rights Management) checks from the game. On analysis of the executable file, you can see the group’s logo in there.

Rockstar had apparently placed the games on storefronts like Steam with this cracked file for Manhunt, Max Payne 2, and Midnight Club 2. Ubisoft has also been caught using a cracked executable, for Rainbow Six Vegas 2.

These software cracking groups would work on “No CD cracks” for many games, which removed the requirement of having the CD-ROM in the disc tray. The disc check was normally there to verify that you had a valid copy of the game; without it, you could just fully install the game and then return it, sell it, or let your friend borrow it.

These groups could also bundle the cracked file along with the full game to be illegally downloaded and shared, which meant piracy was rife in the PC market. Software preservation obviously wasn’t their aim, but it seems they have ended up filling that role today.

Not only do many modern PCs lack disc drives and are digital only, but some of the other DRM methods are obsolete. This was also a problem years ago when Microsoft removed the “Games For Windows” DRM, so you had to try workarounds to bypass the checks. People who legitimately own the games can struggle to play them on modern hardware.

The alternative for game publishers is to find the old source code, rebuild it without the DRM checks, then publish this on a digital store. It’s not as simple as that though, because many games’ source code goes missing over time as game companies go bust or get taken over. Even building the game with the old tools could be problematic if you need to install and run other software which is itself hard to locate or get running. If successful, they would need to dedicate a small team to develop and test the product. It’s probably just easier to “illegally” download their own game along with the crack file, then sell it.

It raises an interesting dilemma. Since the cracking groups have performed some work, should they get credit and maybe even receive payment? Even if the likes of Rockstar take criticism for their actions, they can probably simply ignore the criticism and keep on doing it for any old game they want to resell.

How Everything We’re Told About Website Identity Assurance is Wrong

Troy Hunt, the cyber security expert, has a great blog on website certificates (DV/EV) which is worth a read:

https://www.troyhunt.com/how-everything-were-told-about-website-identity-assurance-is-wrong/

The TLDR is as follows:

He discusses false advertising in regards to extended validation (EV) certificates. Websites which had it used to show the green URL bar, but now browsers don’t do this.

Now you are supposed to click the padlock icon and inspect the details, but different browsers show different things.

If it shows the name of the company that issued the certificate, how do you know you should trust them?

“EV only works if people change their behaviour in its absence and clearly, that just doesn’t happen”

Troy Hunt

People now use mobile devices to browse the internet, and the security information is even more hidden in the browser. On iOS, you have to download a separate app!

Even “website checkers” are misleading.

A site seal is just an image, and therefore can be spoofed. Troy registered digicert-secured.com to troll DigiCert, and it is still up a year later. It has a nice picture of a seal (the animal).

Password Discussion

In a previous blog, I wrote about some routine training courses we need to do each year. I briefly discussed some security questions, but there is one example I forgot to add. On one course we did, my manager was raging that he got one of the questions “wrong”, and he seemed more annoyed because he knew this course was one that NHS staff must also do. He Googled the question to see if anyone else was complaining, and he found a post on Stack Exchange.

The question is as follows:

Which of the following would make the most secure password? Select one:

a. 6 letters including lower and upper case.
b. 10 letters a mixture of upper and lower case.
c. 7 characters that include a mixture of numbers, letters and special characters.
d. 10 letters all uppercase.
e. 5 letters all in lowercase.

The answer we went with is B, because it’s the answer that contains the most characters, and as a bonus, has a mix of upper and lowercase.

However, this is apparently wrong, and we should have chosen C.

The Stack Exchange user, Robin Winslow, then referred to the famous XKCD comic, which illustrates what is now commonly thought of as the best type of password.

The key thing is that a password is useless if the person cannot remember their own password, and forcing complexity at the expense of this fact means the person is then most likely going to write it down. Additionally, forcing certain types of characters into the password also makes it more predictable.

If you ask me to choose a password, I may choose a memorable word, e.g. “programming”.

If you then tell me I cannot have that because it needs to have an uppercase letter, I could add another character, or choose a random existing character to make uppercase, but that makes it hard to remember, so I am gonna choose “Programming”.

Then if you tell me it needs to have a number, again, I could add a number somewhere in there, or substitute a letter, but that can be hard to remember, so I am going to put it on the end. It could be a number that is significant to me, or I can just choose the number 1 and put it at the end, because that is easy to remember, or easy for me to guess that I did that. So now it is “Programming1”.

Exactly the same thing happens if you tell me it has to have a special character. I’ll probably end up choosing “Programming!1”. It has more characters than my initial password of “Programming”, but it’s at the expense of memorability.

Another aspect to consider is password expiry. At work, we used to have to change our passwords every three months, but now it’s currently six months. However, what’s my next password going to be? Probably “Programming!2”. So if the aim is to stop people accessing the system if they somehow got my old password, they still will get in because they can just guess the new one.

I wasn’t sure what the rationale was to change the expiry from 3 to 6 months because if you think it’s not a great feature, then you would just outright remove it. When the Head of Security started working for us, the first thing I saw him do was walk away from his laptop without locking it – so maybe that illustrates how good his skills are.

Troy Hunt points out that Microsoft’s latest policy is to not use expiry at all.

Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in the future as it is today. It is Microsoft’s official security position to not expire passwords periodically without a specific reason, and recommends that cloud-only tenants set the password policy to never expire.

Microsoft Azure

Troy makes some follow-up points:

Geez there’s some debate about this one! Mostly support but also some misunderstanding so let’s fill some gaps: Firstly, password managers don’t solve this problem, not when you’re talking about the credentials to logon to your PC. That’s a rare case where you need to type it…

…unless you’ve gone passwordless via security keys, biometrics etc. Clearly this negates the need to use the password with such frequency thus reducing the opportunity for compromise. There may still be a password (e.g., fallback from biometrics), but exposure is much less.

The argument of “well what if the password is exposed a year later” could just as easily be “well what if it’s exposed a month later” when there is a 90 day rotation cycle. Different windows of risk, so why not make the cycle a week? Because it’s painful…

…plus, the solution is the same: MFA. The usefulness of a password alone for AD login has dramatically reduced with the mass adoption of multi factor. Mandate it on your AD tenant and the value of rotation dramatically reduces.

Troy Hunt

Also, there are always ways around policies for the more determined users:

I used to be at a company that did that. Someone quickly came up with a script that changed the password ten times in a row and set it back to the original (last ten passwords were not allowed).

Kerry W. Lothrop (https://twitter.com/troyhunt/status/1578149402304094208?s=20&t=Uk9uhXXLK2vPj2EA_pE4uw)

I’m not sure I 100% agree on the “well what if the password is exposed a year later” point. Expiry does remedy that in some cases but no expiry will always leave you vulnerable. You are relying on knowing there has been a breach.

Troy Hunt has discussed that the best security involves a mixture of methods. It generally comes down to:

  1. Something you know
  2. Something you have
  3. Something you are

Aaron Toponce did recently post on Twitter about this, but his account has since been deleted. This is why dumping things into OneNote is useful. Troy Hunt has also discussed this idea many times.

Not sure what Taylor Swift has got to do with it. Maybe she pretends to be happy.

So if your account has all 3 types associated with it, even if someone knows your password, they cannot get in because they will need your token (Authenticator app on your phone). If they have managed to also steal your phone, then they can’t get in if they also need your fingerprint. If they are holding you at gun-point to make you unlock your account using your finger, then you have bigger problems.

Aaron’s musing was this:

If a password is stored in a password manager, is it still something known, or does it become something possessed? A password manager vault can be stolen.

Knowledge of where the passwords are stored and how to retrieve them then becomes “something known” and the vault itself “something possessed”. No?

Aaron Toponce

This has since become quite topical with the recent LastPass breach, where vaults have been posted on hacking forums. If the master password is then cracked, hackers will have access to many people’s accounts. I was always intrigued by password managers, but I did feel you really are putting your trust in one company.

Training

Cost

One of the software testers was saying that they have been asked if they are interested in participating in a C# Programming course, with the aim of gaining skills to possibly allow them to write automated tests.

My opinion is that a 3 day course probably isn’t going to teach them anything that a video course wouldn’t (such as LinkedIn Learning or Pluralsight which we have access to). Also, there’s plenty of free resources like Microsoft’s own websites.

I was shocked at how much the training courses cost:

  • Programming Foundations (3 days) – £2975.00
  • The C# Programming Language (4 days) – £4425.00

Maybe these courses include some kind of mentoring (which give an advantage over online videos), but given we employ loads of developers, surely a couple of people would be willing to volunteer to run some sessions internally. It would be much cheaper as long as they can spare the time.

Earlier in the year, to transition to a different form of Agile development (SAFe), we were sending some Product Owners on a training course. But not all of them. The ones that were sent were expected to then train the others. Nice money saving tip there.

Agile Training

Even when you go on training courses, how much information do you even retain? We did hire a SAFe trainer to present to the entire department, giving a general overview, but it was about 3 hours long and I couldn’t focus because the content was boring.

A week later, I was discussing how we currently worked and wasn’t sure where some responsibilities lay.

Colleague: Why are the roles/responsibilities so blurred? Where are the clear definitions of who does what?
Me: If you turned up to the training and listened, then you would know...but I turned up and didn't listen

Another colleague said that the training apparently costs £900 for 1 person – and it was for everyone in the department. Crazy.

Compliance Training

Every year, we have to complete some basic training courses. It just involves reading pages of information, then completing a multiple choice test. We have so many of them that we basically do 1 or 2 per month. There’s often a few questionable questions that we end up having a laugh about.

Fire

“If you hear the fire alarm, wait a moment to see if it is just a test.”

That’s not the normal advice, is it? I’m sure the previous training has always said that you should be told the exact time when a fire alarm test is going to be. Any other time you hear the alarm, you leave the building promptly via the nearest fire escape. If you are supposed to wait, you may as well use that time to grab your belongings. How long is a “moment” anyway? It never stated how you verify that it is a test.

Security

“Natalia’s Instagram has been hacked. Should she change her password first, or tell her customers?”

Why haven’t the hackers changed her password already? If they haven’t, surely you need to do it before they do. It only takes a minute to change your password. Surely, that comes first, then you can tell your customers. The training said you should inform your customers first.

“You don’t have to follow the same level of security for all of your accounts.”

Is that even good advice? I mean, most people probably do it like that, but everything should be secure. If someone can gain access to one of your accounts, they may be able to use that to get extra information about you to help them hack into your other accounts.

“It is okay to write passwords down, but not on post-it notes.”

I’ll write them down in a book labelled “Passwords Do Not Read”. Seriously, what does that advice even mean? A good password is one you remember. But writing it down is probably better than not being able to get into your own account. Maybe that is the point but the course didn’t explain it well.

Me 14:57:
someone follows you into your workplace and asks you to hold the door as they have forgotten their access card. Should you stop and challenge them?
-to a fight
-Rock paper scissors
-to a quiz
-Pokemon duel
Paul 14:57:
LOL
Are they actual answers??
Me 14:57:
no, it was true or false

Work Environment/Health & Safety Training

“Good posture requires you to keep your feet flat on the floor or on a footrest.”

Don’t footrests make your feet at an angle?

I love doing training about good posture whilst leaning forward at an angle. I do find it hard to sit like the training implies. It seems unnatural to have everything perfectly straight. I tend to slouch and constantly change position throughout the day.

“The air in your environment should not be uncomfortably dry – you shouldn’t find your eyes or nose drying out.”

Is that even a thing?

Welcome to this course on Display Screen Equipment (DSE).

“Take appropriate action to prevent ill health when using DSE”

Do we really need an abbreviation for that? Can’t it just be “monitors”? It makes it sound like we work with asbestos or some other hazardous material.

“Your wrist and forearm must be supported when using a pointing device”

I’m trying to picture someone using a laser-pen with their wrist and forearm strapped to a plank of wood.

There was a section on different decibels of various environments. Libraries are apparently fairly noisy…

Me 16:20:
which is louder, a library or living room?
Andy 16:20:
libraries are notoriously quiet
Me 16:21:
have you done this Health and Safety training?
the library is louder. Even a wooded area is quieter
Andy 16:21:
this sounds rubbish
Me 16:21:
what happens if you have the TV on
or is that with the tv on
because it's a lot louder than a bedroom
Andy 16:22:
there aren't any of those areas at work
maybe a 'wooded area' at a push
Me 16:23:
did you know a conversation is louder than an office?
Andy 16:24:
haha shut up now
Me 16:25:
well, that's one way of reducing noise!

How can a conversation be louder than an office when offices contain several conversations? Is it comparing a face-to-face conversation vs a silent office?

Later on, there was a question about why water is bad for electricals. Since it is multiple choice, some of the answers are a bit silly.

Me 16:32:
Water can increase the power of the electricity and cause the equipment to work too fast.
Andy 16:32:
haha
Me 16:32:
I once overclocked a PC by spilling a drink on it
we should log a ticket - "build server is performing slow and needs to be watered"
Andy 16:34:
do you mind watering our build server while we're away on holiday and feeding the Load Balancer?

Bribery and Corruption

There were various scenarios and you have to state if it is a bribe or not…

“An offshore agent was dishing out bribes”

I think you have just given away the answer.

“We uncovered inappropriate payments…”

Sometimes I think these training courses have no effort put into them. It’s inappropriate, so I would say it is a bribe.

There was a question where it says something along the lines of: “Sean happens to have a relative who works for your company, and Sean is bidding for a contract. The company wants to accept Sean’s offer because he has put forward the best proposal. Is there anything wrong with this?” Options are:

  • Yes, Sean should not have sent the offer because it’s unprofessional
  • We will look conflicted if we do any future work.
  • Not at all, provided Sean has the skills that we’re looking for

I selected the last option, but I was wrong, it is the second option. An explanation was provided “recruiting people who are related to employees, clients or suppliers is not prohibited, but the appointments must always be made on merit and in line with company policy.”

Wait…I was correct then. It is fine to accept Sean’s offer.

Environment Training

This last answer made me laugh:

Why is it important for our Company to care about the environment?
A) To increase our productivity and cut costs
B) Because the environment is an invaluable source of resources that are necessary for our continued business
C) To take part in the latest management fad despite it having no real benefits

MANAGEMENT FAD.

Troy Hunt: The Responsibility of Disclosure

Troy Hunt is a cyber security expert and creator of the popular website Have I Been Pwned. I do read his blog and listen to his podcast in which he mainly discusses cyber security (obviously) but also discusses some life events and hobbies.

YouTube recommended a presentation to me that he did for AusCERT2017 about responsible disclosure. It’s actually an interesting topic: some companies are very welcoming of people reporting security vulnerabilities, whereas others are very distrusting and can threaten to sue.

You can watch the presentation in full:

AusCERT2017 Day 1 Troy Hunt: The Responsibility of Disclosure

Otherwise, here is a summary of the presentation.

He begins by telling a story of how someone found a security vulnerability on a website, extracted loads of data, and used some of the login credentials to get in. He filmed it all and put it on YouTube. He got arrested.

Even though someone like that could claim not to be malicious, he would clearly have violated laws like the Computer Misuse Act.

  • So how can you investigate a security flaw?
  • How can you disclose it?
  • Where is the line between being responsible and irresponsible?

Troy has a “Sinéad O’Connor” test. Enter her name in a data entry field on the website. If the apostrophe in the name gives you an SQL error, then you know there is a vulnerability: the site is prone to SQL injection. You don’t need to go any further and actually carry out the attack, illegally accessing data to prove it.
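A minimal illustration of what that test detects, added here as an example (it is not code from the talk or the blog): a lookup that splices the name straight into the SQL breaks on the apostrophe and raises an error, whereas the parameterised version treats the apostrophe as data. The table and rows are constructed sample data in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data: a tiny customer table for the demonstration.
SAMPLE_ROWS = [
    ("Alice Smith", "alice@example.com"),
    ("Sinéad O'Connor", "sinead@example.com"),
]

TEST_NAME = "Sinéad O'Connor"  # the name the apostrophe test is named after


def make_db():
    """Create a fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: user input is spliced straight into the SQL text.

    An apostrophe in the name terminates the string literal early, so the
    database sees malformed SQL and raises an error. That error is exactly the
    signal the Sinéad O'Connor test looks for.
    """
    sql = f"SELECT email FROM customers WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    """Hardened form: the name is bound as a parameter, never parsed as SQL."""
    sql = "SELECT email FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def apostrophe_test(lookup):
    """Run the apostrophe test against a lookup function.

    Returns ("error", message) if the apostrophe breaks the query, which is
    the tell-tale sign of string-built SQL, or ("ok", rows) if the apostrophe
    is handled as ordinary data.
    """
    conn = make_db()
    try:
        rows = lookup(conn, TEST_NAME)
    except sqlite3.OperationalError as exc:
        return "error", str(exc)
    return "ok", rows


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_parameterised):
        status, detail = apostrophe_test(fn)
        print(f"{fn.__name__}: {status} -> {detail}")
```

Both lookups return the same result for a name without an apostrophe, which is why the defect goes unnoticed until a name like this one is entered.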

If you grab 1 record, the company is obligated to disclose this to the user who lost their data. If someone takes 10,000 records, it’s a bigger problem and more inconvenient to the company. Just 1 unauthorised access to a record sufficiently illustrates the point. Accessing more than you need is more likely to be met with a negative response and possible legal action.

He then goes through some more notable examples and attitudes to the disclosure:

PayAsUGym got breached and ignored the hacker. Although the hacker was trying to extort money, by ignoring them completely, PayAsUGym had no idea how bad the breach was. Initiating the dialogue could have at least given them more information to attempt to limit the damage.

Cloud Pets had a security flaw in their toy, but also had a publicly exposed MongoDB database which attackers wiped and ransomed. Later on, when journalists contacted the owner, he responded:

“You don’t respond to some random person about a data breach.”

Spiral Toys CEO

As Troy says, random people are exactly the people that will tell you about a problem.

Australian Red Cross Blood Service disclosed their breach very quickly, put out communication through multiple channels, and apologised. Troy was impressed with this response. The problem was a third-party who placed backups on a public-facing server so they could have easily downplayed it or passed the blame.

For more info, Troy also has a blog about disclosures, including the example of Cloud Pets.

Ukraine Cyber Attacks

Our security expert in the IT department made a security announcement last week:

“Due to the growing tensions in Ukraine, it is not surprising that the UK may be subjected to increased cyber-attacks”

Security Expert

When I started reading this, I’m thinking “why is it not surprising that we would have increased cyber-attacks?”; it is written as if it is stating the obvious, but why are we under threat? My immediate thought is that Russians aren’t able to tell the difference between the UK and Ukraine. I mean, they do sound kinda similar. 😁

So I read on, and I was a bit confused when the following paragraph goes on to say “whilst there is no specific current threat to UK organisations…”. I guess the keyword is “specific”, because much later in the post he finally clarifies what he means. He was referring to the usual phishing attacks and donation scams. For example: emails asking for donations to help Ukraine, where you would be likely to click links and hand over cash for a worthy cause, but you would actually be handing money to criminals.

So it may well be true that there are more “cyber-attacks” across the world, but I have no idea why he mentioned the UK and then had to clarify that it wasn’t specifically the UK in the very next paragraph.

He also wrote

“instructions have been issued to all areas of the business to bolster their cyber security measures”.

Security Expert

I find this a bit of a nonsense statement really; shouldn’t we already have maximum security? After all, as he also states: “We take data security very seriously and it requires all of us to play our part.”

So are we at our most secure or not? It makes me think that we aren’t. Anyway, after instructing everyone to be suspicious of clicking links, he then provides some links for us to click to find out more.

Secure Files

At university, the operating system we used was Linux, and although there was a graphical user interface, we were always encouraged to use the command line. For some people, this was very uncomfortable, and often people didn’t really understand the commands they were typing.

Sometimes we were assigned group coursework, so someone took the lead, and then changed the permissions on their folder so that their team could access it.

The thing is, people didn’t understand what they were typing, or cut corners. This meant that some people gave access to EVERYONE to access that folder. Others granted access for EVERYONE to ALL FOLDERS.

I reported this as an issue because someone could then grab people’s code or written reports, change a few lines and submit it. Easy. It could even be a privacy concern if people have personal files saved on the university system. If you were given permissions to modify, you could delete their files.

The IT guys told me that changing permissions was an allowable feature and it is up to each student to grant the correct permissions, so they rejected my concern.

They could have at least put out a mass email telling people to check in order to alleviate the potential damage.

The good thing was that when I wasn’t sure of what to do on future coursework, I could then check this new source of information for inspiration. 😀

Hoaxes and campaigns

There’s been a lot of hoaxes/campaigns/fake news in recent years, and sometimes a small Google search can easily disprove them.

I’m not even sure if there was an outcome to the campaign against the communication app House Party, which was accused of hacking into people’s bank accounts. Even one of my colleagues shared that one, and actively encouraged people to uninstall the app. I pointed out it was probably just a case of people reusing passwords, which was also the opinion of security expert Troy Hunt.

Another recent example is 5G causing Coronavirus.

Troy Hunt’s blog on Let’s Stop the 5G Hysteria: Understanding Hoaxes and Disinformation Campaigns is brilliant, so go and read his blog instead of mine.

Here is a summary of the headers:

Insight 1: You can tell a lot about the credibility of a claim by observing those attracted to it.

Insight 2: Understand the difference between people who have formed their own opinion versus those who are qualified enough to influence your opinion.

I enjoyed Zombieland, but not once did I stop and think “here’s a guy who looks like he’d know a thing or two about voltage-gated calcium channel activation exacerbating viral replication”. Yet here he is, broadcasting it to 2M Instagram followers. Fortunately, he’s since deleted the post.

Troy Hunt on Woody Harrelson’s level of expertise

Insight 3: Consider whether you believe a claim because the evidence supports it, or simply because you want to believe it.

Insight 4: When faced with alternative theories, consider which one is the simplest and therefore most likely to be true.

Insight 5: Question why you’re being encouraged to influence others and if you’re sufficiently informed to do so.

The Password Reset

Our IT department was configuring a new laptop for me, and they contacted me stating they needed to reset my password so they could do the final stage of the set-up.

Seems like a terrible process to me. Why do they need to impersonate me to configure a laptop? Surely their own privileges should be sufficient to do their work?

I tried to carry on with my work, but after my machine locked, I tried my new password and it wouldn’t let me in. I tried my old password and Windows accepted it, or at least initially. I then got the pop-up balloon that stated Windows needed my new credentials. So I locked my machine, tried to log back in, and Windows said I was locked out.

So I called IT and they unlocked my account, but I still couldn’t get in. The IT guy said he would reset my password again. For security, he said I needed to state my line manager’s name. I said Alan. He said it was wrong, it is Louise. I said I had switched a few weeks ago. He reset my password.

There are a couple of things wrong with this approach. I know quite a lot of people’s line managers, and this is information you can look up inside the company. So if someone is off on annual leave, I could ring up IT pretending to be my target, ask to reset the password, state their line manager’s name, and there you go; I have access to their emails and can do whatever I want under their name.

If I was an external attacker, I might not know their manager, or maybe I would have old information and could tell them their old manager. The IT guy should have just said I was wrong, and not tell me what the answer is. Anyone could say “oh yeah I’ve switched managers and your system is wrong”. Even if he did refuse to reset the password, I could just call again with the new information.

Why would you do something as major as resetting a user’s account when the supposed user got a security question wrong about themselves?