depicus

changing the digital world one bit at a time...

Blants (noun) the rants of a blogger

  1. Joint Waste Solutions – Piss Poor Security & Why Amey Nor Surrey Heath Borough Council Care

    June 14, 2018 by The Man

    I come across a few web sites with errors or issues and normally I’ll eventually find somebody to report those errors to. Some are great, will fix and thank you, others will just fix, and some never bother and their sites still have issues, but the vast majority are not so piss poor secure, so I just move on. I don’t need to be thanked, just for them to fix their sites.

    So over a month ago (May 2018) I came to https://www.jointwastesolutions.org so I could sign up for green waste collection, all pretty mundane until I tried to register on the redirect at https://jointwastesolutions.amcsgroup.com and it threw an error. Of course, anybody who has ever worked with Windows, IIS and ASP.NET knows the first thing you should do is make sure custom errors are turned on; indeed they are now on by default, so somebody has gone out of their way to make the site less secure.

    The main reason for turning on custom errors is that without them your site exposes information. In this case we can see that the site is running ASP.NET v4.6.1, which is currently 4 versions out of date. It also shows that the server is using Windows 2012, which is “End of Life” in October 2018. So outdated software on a server running a nearly EoL operating system. A quick scan of the server shows it may not have been rebooted for over 400 days – so no Windows Updates !!!

    Well then let’s just hope it was set up securely….

    Nothing has been done to even remotely secure the server, which leaves it open to all sorts of compromises, e.g. cross-site scripting. As you can see, this cloud based server fails miserably.

    https://securityheaders.com/?q=jointwastesolutions.amcsgroup.com&followRedirects=on
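    To make the two findings above concrete (a default IIS/ASP.NET setup that advertises its platform and version, and a response carrying none of the hardening headers securityheaders.com checks for), here is an added example in Python that is not part of the original post. It audits a captured response header block; the two responses in it are constructed samples, not captures from the site in the post, and the header lists are the ones a reviewer would normally check, not anything taken from the scan results linked above.

```python
"""Audit a raw HTTP response for (a) missing hardening headers and
(b) version-disclosure headers. Added example; the sample responses
below are constructed, not captured from any real server."""

from typing import Dict, List, Tuple

# Constructed sample: the kind of response a default IIS/ASP.NET box returns
# when custom errors are off and nothing has been hardened.
DEFAULT_RESPONSE = """HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Content-Type: text/html; charset=utf-8
Content-Length: 1234
"""

# Constructed sample: the same site after the headers have been fixed up.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Content-Type: text/html; charset=utf-8
"""

# Response headers a hardened HTTPS site is expected to send.
HARDENING_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)

# Headers that tell anyone who asks exactly what the server is running.
DISCLOSURE_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw response into a lowercase-keyed header dict; the status line is dropped."""
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # lines[0] is the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (hardening headers that are missing, disclosure headers that are present)."""
    headers = parse_headers(raw)
    missing = [h for h in HARDENING_HEADERS if h not in headers]
    leaked = {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers}
    return missing, leaked


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        missing, leaked = audit(sample)
        print(f"{label}: missing={missing} leaked={leaked}")
```

    On a real ASP.NET site the disclosure side is fixed in web.config with `<customErrors mode="On" />` (so stack traces and framework versions stay off the error page) and `<httpRuntime enableVersionHeader="false" />` (which drops X-AspNet-Version); the hardening headers are added by the web server or application, and a scan like the one linked above shows which are still missing.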

    But at least it’s using SSL, I hear you cry…. yes, but much like the proverbial chocolate fireguard it’s so poorly configured as to make it almost pointless. It still supports SSL v3, is vulnerable to DROWN and POODLE, and supports piss weak encryption. Now I never got as far as being able to put in credit card details or even bank details, but this is clearly not PCI-DSS compliant.

    https://www.ssllabs.com/ssltest/analyze.html?d=jointwastesolutions.amcsgroup.com&latest

    You’d think that a company would be happy for somebody to quietly point out their errors, but so far, over a month on, I’ve been told by Amey’s social media team that they would pass on the information, and when nothing happened they just ignored me. Surrey Heath Borough Council originally told me that as this was reported before 25th May 2018 it was not covered by the GDPR !!! So I emailed both data protection officers with the information; Amey have yet to reply and SHBC have sent two holding emails.

    I’m still trying to get through to the ICO https://ico.org.uk but they seem very busy – let’s hope somebody else doesn’t or hasn’t found this childishly, comically configured server. Personally I’d treat the server as compromised, but then I’m averagely good at my job.


  2. Plus Addressing (RFC 2822) and why it’s important

    January 15, 2018 by The Man

    The interweb is a scary place for even the most tech savvy users, and handing out your personal information to all and sundry with their laissez-faire attitude to data security is crazy. There are sites where you have to provide legitimate data, i.e. where you are purchasing something, so knowing which sites have poor data security can help you (and others) avoid them in the future. This is why I always use plus addressing.

    Plus addressing, username+siteyouarevisiting@emaildomain.com, is supported by many of the major mail vendors like Gmail and Outlook.com, so plus addressing is available to most users. The genesis of plus addressing is RFC 2822, specifically s. 3.4.1 and s. 3.2.4, which basically define the part before the @ sign as the “local part” that should only be interpreted by the receiving domain. This allows for characters such as ! # $ % & ' * + - / = ? ^ _ ` { | } ~

    Ok, but why is this important, aren’t you just being anal?

    Well, the first time I knew it worked was when a company I’d booked a running event with sent me an email about buying email databases (the irony). Now clearly there were two possible explanations: first, they had sold my data, or second, they had been hacked. Thankfully the credit card I’d used had expired. The second time was with Feiyu Tech, who I suspect were hacked as they were sending me mail about buying women’s bathroom products.

    Today I tried to make a donation on virginmoneygiving.com and got the following error.

    So a company as large as Virgin cannot get email validation right – what does that tell you? Well, first that their developers probably just copied an email validation routine off the web without understanding what it does, and their testers signed it off too. Secondly, would you trust a company that cannot get the basics right with the storage of your data and credit card information? I don’t.
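    As an added example (not code from the original post), here is what a validation routine that actually follows the RFC 2822 local-part rules looks like in Python, next to the kind of copied-off-the-web pattern that rejects a plus address. `NAIVE_RE` is my own reconstruction of such a pattern, not anything taken from the site mentioned above; the address samples are constructed. The checker is deliberately limited to the dot-atom form of the local part (no quoted strings) and insists on a dotted domain, which is the right trade-off for a web signup form even though the RFC allows more.

```python
"""RFC 2822 style address check that accepts plus addressing.
Added example; NAIVE_RE is a constructed stand-in for a typical
copied-off-the-web validator, not any real site's code."""

import re
from typing import Tuple

# atext, RFC 2822 s. 3.2.4: letters, digits and these specials.
ATEXT_SPECIALS = "!#$%&'*+-/=?^_`{|}~"
_ATOM = r"[A-Za-z0-9" + re.escape(ATEXT_SPECIALS) + r"]+"
# dot-atom: atoms separated by single dots (no leading, trailing or doubled dots).
_DOT_ATOM = rf"{_ATOM}(?:\.{_ATOM})*"
# DNS label: alphanumerics and hyphens, no hyphen at either end, max 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})+"

ADDRESS_RE = re.compile(rf"^(?P<local>{_DOT_ATOM})@(?P<domain>{_DOMAIN})$")

# Constructed example of the sort of pattern that breaks plus addressing:
# the local part is restricted to a handful of characters and '+' is not one of them.
NAIVE_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_address(addr: str) -> bool:
    """Syntactic check: dot-atom local part (max 64 chars), dotted domain, max 254 overall."""
    if len(addr) > 254:
        return False
    m = ADDRESS_RE.match(addr)
    return bool(m) and len(m.group("local")) <= 64


def split_plus_tag(addr: str) -> Tuple[str, str, str]:
    """Split 'user+tag@domain' into (user, tag, domain); tag is '' when absent."""
    local, _, domain = addr.partition("@")
    base, _, tag = local.partition("+")
    return base, tag, domain


if __name__ == "__main__":
    for sample in ("user+depicus@example.com", "user@example.com", "a..b@example.com"):
        print(sample, "rfc:", is_valid_address(sample), "naive:", bool(NAIVE_RE.match(sample)))
```

    The point of `split_plus_tag` is the other half of the post: once mail arrives, the tag tells you which site handed your address on, so the receiving side can route or block by tag rather than by sender.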



  3. Wake on Tweet – because you never asked for it…

    December 30, 2014 by The Man
    Wake on Tweet

    tl;dr Just send a tweet with the hashtag #wakeonlan, a properly formatted MAC address like AA:BB:CC:DD:EE:FF, an IP address or FQDN and a port number, and that is it. Easy.

    It all started a few weeks ago when I was looking at Slack to use at a client’s site so we could integrate more. If you haven’t tried Slack I would highly recommend taking a look – it’s WhatsApp for groups with a steroid injection of crazy fun stuff for developers. One of those fun things is hooks, where you can define actions when things happen. So I had a Slack hook alert a channel called #twitter whenever a tweet mentioned @depicus, and that would call a webpage on a server. Sadly the info Slack passes wasn’t enough for me as it doesn’t include the message body of the tweet. So sadly my brave idea of Wake on Lan via Twitter died….
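    The tl;dr above describes the whole protocol: a tweet carries a hashtag, a MAC, a host and a port, and the receiving end turns that into a Wake-on-LAN magic packet. The following is an added example in Python showing both halves (it is not the post's own code and the tweet text is constructed): `parse_tweet` pulls the three values out of a tweet and `magic_packet` builds the standard 102-byte magic packet (six 0xFF bytes followed by the MAC repeated sixteen times). `send_wol` does the UDP send and is the only part that touches the network.

```python
"""Wake-on-LAN from a tweet: parse the tweet, build the magic packet, send it.
Added example, not the original project's code; the tweet below is constructed."""

import re
import socket
from typing import Optional, Tuple

# AA:BB:CC:DD:EE:FF or AA-BB-CC-DD-EE-FF
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")
# Hostnames and dotted IPv4 addresses: letters, digits, dots and hyphens.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")
TRIGGER = "#wakeonlan"


def parse_tweet(text: str) -> Optional[Tuple[str, str, int]]:
    """Return (mac, host, port) if the tweet carries the trigger hashtag and all three
    values, otherwise None. Tokens starting with '#' or '@' are ignored as host candidates."""
    tokens = text.split()
    if TRIGGER not in (t.lower() for t in tokens):
        return None
    mac = host = None
    port = None
    for tok in tokens:
        if MAC_RE.match(tok):
            mac = tok.upper()
        elif tok.isdigit() and 0 < int(tok) <= 65535:
            port = int(tok)
        elif tok[0] not in "#@" and HOST_RE.match(tok) and "." in tok:
            host = tok
    if mac and host and port:
        return mac, host, port
    return None


def magic_packet(mac: str) -> bytes:
    """Build the magic packet: 6 x 0xFF then the 6-byte MAC repeated 16 times (102 bytes)."""
    raw = bytes.fromhex(re.sub(r"[:-]", "", mac))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return b"\xff" * 6 + raw * 16


def send_wol(mac: str, host: str, port: int) -> int:
    """Send the magic packet over UDP; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        # Needed when host is a broadcast address such as 192.168.1.255.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(magic_packet(mac), (host, port))


if __name__ == "__main__":
    # Constructed tweet; 203.0.113.9 is a documentation address, not a real host.
    tweet = "@depicus #wakeonlan AA:BB:CC:DD:EE:FF 203.0.113.9 9"
    parsed = parse_tweet(tweet)
    print("parsed:", parsed)
    if parsed:
        print("packet length:", len(magic_packet(parsed[0])))
```

    In a deployment the receiving end should only act on tweets from accounts it trusts and only for MACs it already knows, since the tweet format itself carries no authentication.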



  4. Yahoo going down the pan

    October 19, 2014 by The Man

    I’ve often read online how much Yahoo sucks but I often thought it was exaggerated until I tried to update my Flickr account.

    First I could not verify my mobile number because of an error

    [Screenshot: mobile number verification error]

    So no two factor authentication for me this week.

    Next let’s try updating our email address …. mmmm ok, we can add an alias account fine if it doesn’t mention yahoo, but for some bizarre reason an alias address with yahoo in it is invalid. Now I like to name my emails after the sites I register at so I know, if spam does come in, which site leaked my details; so for this site it would be username+depicus@domain.com and if ever spam arrives I know who to blame. I do this so much that username@domain.com only gets spam, so I simply send it straight to junk unless it’s a reply.

    [Screenshot 2014-10-19 13:08:37: alias address rejected as invalid]

    So Yahoo has let me add a few extra accounts for recovery should I need them but they need to be verified. Yes you guessed it….

    [Screenshot 2014-10-19 13:11:45: recovery account verification error]

    Yes somebody really needs to look at their validation skills.

    So let’s get onto support… nooooooo, let’s not. There is just an endless loop of banal questions and answers, but if your question does not fit then forget it. So off to Twitter we go. Let’s see what happens.



  5. Some good service – Google Wallet

    October 18, 2014 by The Man

    I bitch a LOT about poor service, but sometimes companies just get it right and yesterday was one of those days. While trying to sign up for a Google Wallet Sandbox account it kept suggesting I live in the US of A, but I don’t. So right there on the page is a help button. That help button leads to a page with contact information on and the ability to livechat. So a quick livechat later the problem wasn’t solved, but I’d had an email to send screen shots and the incident had been escalated. This – on a Saturday – was fantastic support.

    Well done Google Wallet


    Footnote: if you have a site with any kind of signup then livechat can be a godsend, so if you are big enough I suggest you look at implementing it.

    Update: Sadly nobody at Google could fix the problem, which was minor in nature, but it’s always a good test of future services how they deal with signups. They were poor, so I’ll avoid recommending them to clients.


  6. Paypal – People Rule – But Not To Paypal

    October 15, 2014 by The Man

    We have all seen the ads with the fucking annoying catchline at the end … “people rule”. Well, like most marketing, this is just bullshit.

    If you are a tech nerd like me you will be aware that SSLv3 was compromised by POODLE and there is no fix. Ok, I understand this is an issue and sites would need to update, but would you update your site and cut off your existing clients? No, not unless you are a complete and utter fuckwit. In this day and age we have such things as e-mail, Twitter, Facebook and some people even have their own web sites. Yet Valerio D’Alessio, our “PayPal Integration Engineer”, thought it was enough to announce the change here.

    This article gives no hint at a fix, simply “In the coming days, we will remove support for SSL 3.0” – No shit Sherlock, you have already removed it, both on the test site used in your own PHP framework and at 11am that day on the live site. So now my clients have lost the ability to take payments and I’m scrambling to try and fix an error I have no idea how was introduced. So half a day wasted, and thank god for StackOverflow otherwise I’d have ripped out more code.

    So a rude email to Paypal, a few tweets and a Facebook post, yet no reply let alone an apology. Indeed my Facebook question was deleted, never a good sign.

    As a footnote, this is the comments section of their “blog” cum critical news update system. Would you trust your money with these people? Because they really don’t rule.

    [Screenshot 2014-10-15 14:07:04: comments section of the PayPal announcement]

    Update: Just had a call from one of our account managers with an apology – seems they were not fully aware either – which I appreciate – and she has escalated my concerns to the higher ups.

    The lessons: if you annoy developers they will start to look at alternatives, and I’m starting to look into Amazon and Google systems. Will they be any better? Maybe not, but there is a limit to how many times you can piss a person off.