Sweden in Plain Sight

Don't pay heed to the quack of the ducks around you.

Get It Try It

OXENSTIERNSGATAN (Rixstep) — As the rest of the world is held hostage by hysterical conjecture about the perceived disappearance and/or demise of one Julian Paul Assange and the unexpected emergence of a young cat in starched white collar and striped tie, people inside Sweden's hallowed duckpond have another issue getting them panicky: the revelation by public service SVT that almost everyone in the country had their passwords hacked.

SVT set up a special domain where people can test their accounts. SVT have over ten million accounts in that database. For a country of only nine million inhabitants.

https://dold.svt.se

It's been found that this hack affects even prime minister Stefan Löfven and Gustav 'I Can Fix Anything' Fridolin.

The important part of this story is that SVT, who didn't actually hack anything but were guided into hacker sites where massive password databases could be found, were able to read off passwords in the clear.

Here's part of the legacy Unix password file /etc/passwd as found in Sierra 10.12.

root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
_taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false
_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
_installassistant:*:25:25:Install Assistant:/var/empty:/usr/bin/false
_lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
_postfix:*:27:27:Postfix Mail Server:/var/spool/postfix:/usr/bin/false
_scsd:*:31:31:Service Configuration Service:/var/empty:/usr/bin/false

The password field '*' in all of the above is neutralised, as Unix uses a more sophisticated system today and as no password can be synthesised down that way.

But the meaning is clear. Unix originally used a 56-bit version of the Data Encryption System (DES) which was especially 'contaminated' so encryption was not reversible. It was supposedly Unix co-father Dennis Ritchie who came up with 4096 'salts' for the DES algorithm so that no one - not even those with access to the data - would be able to reconstruct user input.

Early IBM mainframe systems prior to 370-XA suffered from a flaw: their encryption was 'one-to-one', in that the encryption would always be of the same length as the original. A hack that needed no more than five minutes work (with the appropriate RACF authorisation of course) could reveal passwords for thousands of users in a flash of a second.

Ken Thompson and Dennis Ritchie, who'd had extensive experience on IBM mainframes, didn't fall into the same trap. Unix password fields, in place of the '*' above, were always reduced to 14 bytes, with the first two bytes being a 'salt' randomly chosen. So an authentication process went something like this.

1. User sits down at Unix terminal which tersely says only 'login'.

2. User submits username. Terminal responds ONLY with 'password' prompt.

3. User submits password, and Unix first looks up the username, plucks out the first two bytes from the corresponding password field in /etc/passwd to get the 'salt' algorithm to be used, then 'crunches' the submitted password with the same 'salt'.

4. If the two match, the user gets in, but if they don't match, the user is told only 'incorrect login' (unlike Gmail today).

The 'encryption' wasn't strictly speaking an encryption: it couldn't be reversed. The only important thing was that there be no 'collisions' - that two random input values couldn't result in the same 'digest'.

The key to the above - the wonderful thing about it - is the proprietors of the host system never actually know the passwords. The encrypted fields cannot be reversed. The fact that the digests of user passwords are stored on disk means nothing. Not more than a WikiLeaks 'insurance file'.

Contrast with Sweden's catastrophe today. Ordinary, even semi-intelligent, systems use a variant of the DES method, although 56-bit has given way to 256-bit and even 512-bit. (It was the NSA who insisted on reducing the original DES spec from 64-bit as their supercomputers had to have a chance of crunching passwords if needed.)

But passwords in the clear?

How did all those websites - many Swedish but many international, such as LinkedIn, as well - ever get passwords in the clear in the first place? There was no way they could have those passwords unless they'd actually stored them as plain text - in plain sight - on disk, which, as everyone knows, you're never supposed to do!

It doesn't take a hacker to compromise you. Anyone at the hosting company can do it. Anyone.

OPM

Bankers generally know how to take care of other people's money. That's their business. But the era of the Internet ushered in a new class of fly-by-nighters who have no clue and no clue they even need a clue. Radsoft worked with Wired in the 1990s to alert websites and their clients to the need for site security. Fred Björck, the PhD student who traced the origin of the ILOVEYOU worm, found that the Stockholm stock exchange website, maintained by Logica of the UK, put authentication data - including the actual clear text passwords - in plain sight as part of the URLs in the browser's location bar. And so forth.

But that was the 1990s, and now it's 2016, almost 20 years on.

Swedes have often been slow on the uptake. From a country once light years ahead of the pack, offering 5-megabit fibre-optic Internet when everyone else was still running dial-up, to the situation today: that's a big drop indeed. And Microsoft's hold on the Nordic kingdom hasn't helped.

'More viewers than Jeopardy', the billboards used to say. Even though Linus is a Swedish-speaking Finn, his operating system never got a foothold. Microsoft had their own software testing lab in Danderyd, a posh suburb north of the capital, Sweden was on the Redmond company's 'most favoured nations' list, and it was always to Sweden that the Microsofties came first on the first leg of their world tours.

When once motoring out with representatives of a training company to a defence contractor, one of this site's staff browsed through the training company's latest 128-page course catalogue, looking for any page that had anything but Microsoft - and found two, back to back, for Linux system administration. The sarcastic remark:

'Hey you got two whole pages devoted to teh Linus? Isn't that overdoing it a bit?'

Was met by the serious reply:

'Actually it is - we're removing the one page for the next printing.'

It's been said that good Swedes can get confused in their supermarkets if they find two laundry detergents side by side on the same shelf. That joke is a bit of an exaggeration, but not by much: things work better if there's only one brand. And so when it comes to personal computing, that brand is Microsoft.

Most Swedes don't even understand that their alphabet characters 'å', 'ä', and 'ö' have to be escaped or qualified by a 'charset' declaration to be used in what otherwise is 7-bit ASCII in web pages online. And they certainly don't understand that Microsoft deliberately used non-standard characters in the 128-255 range to cripple site visitors not also running Windows. And to this day you'll find the occasional site blurting out the incredible 'this site optimised for Windows'.



Swedes live in a vacuum, in a bubble. The world about them doesn't interest them at all - witness their inability to understand that Assange case - and they presume that everything is fine, hunky-dory, and safe inside the pond. Everybody's personal data, including their social security numbers, telephone numbers, mobile telephone numbers, even their addresses down to the actual flat numbers - for all flats are uniquely numbered in Sweden - is available online for everybody without authentication. Yes, they remind everyone, they have an openness policy, of which they seem very proud (yet can't explain why it's such a good idea). But precisely what do they intend to accomplish? Aren't they just sitting ducks?

Once in a great while their media will try to grab headlines with a new computer scare. Few details are given, because the reporters don't know much about computer security. And never ever ever will any rag suggest the issue might be the actual operating system. Because there's only one operating system, isn't there? Don't the big computers run by the banks and the insurance companies also run Windows?

But Sweden's current dilemma is about more than technological naïvety cultivated by Bill's Bastards. The current dilemma is about a doofusness that's spread from the innocent and unwitting end-user to the server end, and to the world around.

Best Practices

It's hard to know, as a prospective customer, which sites to trust and which sites to avoid like the plague. Here a few random tips.

• Try to sign in to the new site without giving up any credit card or other personal information.

• See if the website in question at least uses HTTPS instead of ordinary HTTP. Run for it if they don't.

• Log out and in again, clear your cookies if needed, and tell them you lost your password. If they send your password back - run for it. What they should give you is a personal time-limited URL to log back in. They're never supposed to even know your password. Not ever.

• See if you can get the website's HEAD information. This info is prefixed on all replies to your web browser but normally not shown. There are tools (some of which are online) that can provide this. What you'd really like to see is that they're running some Unix variant, preferably with 'Apache Stronghold'. If they're running anything from Microsoft, such as IIS - run for it.

  // Website of Sweden's parliament riksdagen.se
  Content-Type: text/html; charset=us-ascii
  Server: Microsoft-HTTPAPI/2.0 // interfaces with IIS
  Connection: close

Remember that it's your personal info - your credit card info, your identity - that's at stake. Don't pay heed to the quack of the ducks around you.

Stay safe.