Monday, September 8, 2014

Computer Security Analysis of Register for Download Pages.

The day job is interfering with being an authoress again.

One thing I've had hammered into me by a curmudgeonly professor is that you have to enumerate the cases when looking at security issues. One of my books has made it to a big download page. Hurrah, it means it was worth stealing. Of course it's awful that none of those sleazeballs will wander over to Goodreads or Amazon and share their ratings. That would make it easier for me to legitimately sell content.

Case 1: Normal piracy. The login page is there to prevent automated copyright violation searches. This is actually a fairly likely scheme. The initial input page was in "markdown" and you have to manually copy the links to the search bar. Therefore Amazon and Google and whatever don't see the internal website, because they don't log into it. There aren't links for the web robot to follow. Can you spell "Turing test"?

Case 2: Password harvesting. The whole front end could be a fake. The login site harvests information from the "registration" step. Most people reuse their passwords on several accounts. So they could ask some permutation of the n-tuple (Email, Password, Personal question 1, ..., Personal question n-2). That linked information then makes the account owner very very very vulnerable to attack. Even if you switch passwords, if you've answered the questions correctly, all the attacker has to do is to say it has forgotten its password and then answer using the personal information. (I don't dignify such attackers with a personal pronoun.)

Case 3: Virus/worm download. You get a few friends along for the ride. The content is the bait and you willingly install the hole in your system. Though with most consumer OSes this is probably more than you need to do to attack them. Still, the Russian mafia does own the world's largest supercomputer; it consists of "pwned" machines working part-time on cracking passwords and encryption keys.

Reality is somewhere in between. Since you are dealing with people who are willing to act in what is, after all, a criminal enterprise, there is nothing stopping them from delivering content and harvesting information.
