Monthly Archives: October 2013

Security can be tricky

Qantas CashQantas has recently launched Qantas cash, a pre-paid Mastercard which you can charge up with cash in multiple currencies. The contemporary equivalent of traveller’s cheques, cards like this can be as convenient as a credit card with the added advantage of reducing the uncertainty associated with exchange rate volatility. If you have a rough idea of how much you will need in euro, you can charge up the card with euro at today’s exchange rate without having to worry about the Australian dollar dropping in value while you are half way through your trip.

As a Qantas frequent flyer account holder, I received a Qantas cash card in the mail and it seemed worth investigating. However after activating the card, my interest in the card itself was quickly displaced by disappointment in the insecure design of the Qantas cash website.

Computer security is not easy. It should be left to the experts. I am no expert myself, but I have listened to enough of the Security Now podcast to recognise poor security when I see it.

The first sign of trouble came with setting my password. The password had to be 6 to 8 characters long. A maximum of only 8 characters? The longer the password length, the more secure it is and 8 characters is far too short for a secure password.

Somewhat disconcerted, I pressed on, creating a password made up of 8 random characters. Random passwords are far more secure than real words (or even transparently modified “w0rd5”). They are also impossible to remember, but there are plenty of secure password storage tools (such as LastPass) that make that unnecessary.

Having set everything up, I was then prompted to log in. Unexpectedly, instead of being prompted to enter my password, I was asked to enter the “3rd, 4th and 5th character of the password”. Alarm bells started ringing. Quite apart from the irritation that this caused as it prevented LastPass from automatically filling in the password, it confirmed my initial fears that the website’s security model was flawed.

What I had realised was that Qantas servers must be storing passwords. For anyone unfamiliar with password security, this may seem blindingly obvious. If the servers don’t store the password, how can the website confirm you have entered the correct password when you log in?

In fact, there is a far more secure approach, which makes use of so-called “one way functions“. A one-way function takes a string of characters (a password, for example) as input produces a different string of characters as its output. The key feature of a one-way function is that it extremely difficult to reverse the process: given the output, working out what the input must have been is computationally highly intensive. Applying a one-way function is also known as (cryptographic) “hashing”.

Armed with a good one-way function, instead of storing passwords, a web server can store a hash of the password*. Then, whenever a user enters a password, the web site applies the one-way function and compares the result to its database. The password itself can be discarded immediately. The webserver’s user database should only ever contain hashes of user passwords and never the “plain text” original version of the password.

While this approach to password storage is well-established practice in the security community, many corporate websites are not designed by security experts. Back in 2011, hackers were able to get hold of more than a million passwords from Sony which had been stored in plain text.

Unfortunately, it would appear that Qantas cash is not following best practice in its website security. If the site was only storing hashed passwords, it would be impossible for the site to verify whether users were correctly entering the 3rd, 4th and 5th character of the password. Taking a password hash and trying to determine individual characters of the original password is just as difficult as reverse engineering the whole password.**

I then called Qantas cash to seek clarification. I was assured that all passwords were “encrypted” using the same security techniques that any other commercial website, such as Amazon, would use. Furthermore, the requirement to enter individual characters of the password was an additional security measure to prevent users from copying and pasting passwords.

This did not reassure me. Even if the passwords are encrypted, the Qantas cash server itself clearly has the capability of decrypting the passwords, which makes it just as vulnerable as Sony. I am also sure that Amazon does not use this approach. And preventing copying and pasting is a furphy. By preventing users from using secure password stores, this approach simply encourages the use of weaker passwords.

The Qantas cash developers may think they have come up with some excellent security features. But these developers are clearly not experts in security and, as a result, have produced a far less secure site. The call centre promised that the technical team would email me more details of the site’s security. My hopes are not high.

Needless to say, I will not be using the Qantas cash card. This is an e-commerce site, not a movie chat forum. When money is involved, security should be paramount.

Keep your eyes open for news about a Qantas cash website hack.

* Strictly speaking, a “salted hash” should be stored to add an additional layer of security and protect against the use of rainbow tables.

** In principle, Qantas could store hashes of three character combinations (56 hashes would have to be stored or 336 if order is significant). In practice I doubt this is being done.

Cats

Somehow September has passed by without a single post. During that time, the Mule has travelled to the other side of the world and back (primarily for a one day workshop in Switzerland). Also, James Glover (regular contributor to the blog) and I have been exploring the statistical significance of global temperatures. That will, eventually, crystallise into a future post but in the meantime James has been driven to reflect on cats rather than climate.

There are, apparently, two kinds of people. Those who like cats and those who don’t have personalities. I am of the former and am onto my 5th and 6th cats (a mother/daughter pair of rescue cats). I’ve been reading (another) book on cat behaviour which traces the domestication of the cat from solitary hunters to domestic pets (John Bradshaw’s Cat Sense: The Feline Enigma Revealed). Most domesticated animals are herd beasts whose natural behaviours lend them to domestication. A really great read on this is Jared Diamond’s Guns, Germs and Steel. Cats, however, are naturally solitary creatures whose real benefit to humans became obvious when agrarian societies stored grains which attracted rodents, the cat’s natural food source. It’s hard to imagine now, when we get our daily bread from Woolies, but think back to the day when farmers were (literally) plagued by mice and rats, and cats served to control them.

As a kid growing up in suburban Townsville we had an un-neutered tom cat called Whiskey. We weren’t allowed to play with Whiskey, and I have vague memories of him bringing home litters which lived briefly under the house and my mother throwing him the occasional piece of liver on the back steps. He wasn’t what you would call a friendly cat. As an 8 year old we moved and I recall driving with my father to take Whiskey to a “cat home”. I still have an image of dozens of cats climbing up the side of a large wire cage. I am guessing Whiskey didn’t last there for long, and, of course was happily re-homed with another loving family. Yes, that’s what happened.

Almost every website on cats says not to feed them cow’s milk because adult mammals don’t produce lactase, the enzyme required to break down lactose in milk, into sugar. Mammals stop producing lactase once they are weaned because their mothers no longer provide them with milk and they instead produce enzymes which turn proteins, in animal and vegetable matter, into sugars. Producing lactase would be pointless and require resources better devoted to other enzymes and hence has been adapted against. The idea is that if cats can’t digest lactose, it stays in their gut and bacteria feeding on it leads to an upset stomach and diarrhoea. But I see several problems with this view.

  1. Humans can produce lactase as adults*, due to a variety of different genetic mutations which stop the shutdown of lactase production in adults. So the genetic mutation doesn’t have to suddenly find a way to produce lactase, just a way to stop stopping it. Basically this is because of the nutritional benefits of cow’s milk to dairy farmers which started about 10,000 years ago. Comparisons of 10,000 year old human DNA to modern descendants of dairy farmers show this is a widespread adaptation due to its obvious nutritional benefits. Indigenous Australians and Inuit don’t have this mutation because they have no dairy farmer ancestors. This is still an open question however as curdled milk and cheese doesn’t have much lactose so do not require lactase to digest them. Personally I suspect that hunters which killed a lactating cow were able to drink the milk immediately and benefited. Other theories say cow’s milk, as an alternative to water, may have saved them from diseases. Not all humans can do this. My own father, for example, can’t drink milk.
  2. Cats are quickly put off foods that make them feel sick and my cats love milk. It’s possible there is something in milk which they love (like cat nip) even if it makes them sick, but they are quick learners and I doubt it.
  3. There is a lack of eye witness evidence from vets and catteries back in the day when cats were fed milk that they suffered diarrhoea when they drink milk. But none of the evidence against cats drinking cow’s milk seems to be based on this. I’ve not found a single account of someone whose cats were fed cow’s milk and suffered.
  4. Cats have adapted to human living rapidly in the last 2-3 thousand years. This is equivalent to 4-5 times the length of time for humans due to their shorter lifespans, about the same time humans have adapted to drinking milk as adults.
  5. It makes sense that cats which were given milk by humans, and could process it, would have a better chance of reproducing. It would have a nutritional advantage over cats which couldn’t, the same evolutionary pressure on humans should operate on cats and they should (most of them anyway) have adapted to being able to drink milk as adults.
  6. I can’t find a single study which shows cats can’t produce lactase as adults, it just seems to be assumed because they are non-human mammals.

My guess is that cats descended from European cats can (most of them anyway) drink cow’s milk safely. If they drink it and come back for more it probably doesn’t upset them. My own cats, when they drink milk, run around like kids on sugary drinks, displaying very kittenish behaviour. That makes me think they are turning lactose into sugar, which means they are still producing lactase as adults.

I still find it quite amazing how memes like “cats shouldn’t drink milk” propagate across the internet without any back up evidence–like an actual study which shows it. Like climate skeptics, cat people latch onto “evidence” which supports their point of view. In any event if anyone has firm evidence that adult cats don’t produce lactase I would be happy to hear about it.

JG-cats

Two cats both called Minoo because cats don’t actually know their names

* Editor’s note: a recent episode of Science Friday touched on this and other evolutionary changes in the human diet. The theme of the podcast is that humans are still evolving, faster than ever. So, perhaps cats are too, as James suggests.