HSBC Poor Security Policies

HSBC has for several years provided a key fob to log in and authorise transactions on its web site.

Recently they upgraded their mobile applications to generate the secure codes themselves, removing the need for a separate device that will probably get lost.

During signup it asks a few questions and for a new password. The text states that passwords must be over 6 characters, so for security I used LastPass to generate a 30-character password.

This was accepted; however, only 8 characters were shown on the screen. After double-checking, it turns out that the application silently ignored the other 22 characters and set my password to an 8-character password without warning.

I feel this is especially dangerous for the following reasons:

  • If I hadn't paid attention I wouldn't have noticed.
  • If you follow the XKCD-recommended password system of four words joined together, your password will be very insecure, because only the first 8 characters count.
  • Who thinks 8 characters is acceptable?
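As an added illustration (this is not HSBC's code and is not based on their implementation), here is a password store that silently truncates to an 8-character field next to one that enforces an explicit length policy, together with a black-box probe that a tester can run against any password API to detect silent truncation. The minimum of 7 (taken from "over 6 characters"), the 128-character upper bound, the salt handling and the PBKDF2 iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

MIN_LEN = 7          # "over 6 characters", as the signup text stated
LEGACY_FIELD = 8     # field width observed in the post
MAX_LEN = 128        # assumed upper bound for the hardened version
ITERATIONS = 10_000  # kept low so the probe runs quickly; use far more in production


class PasswordPolicyError(ValueError):
    """Raised when a password is rejected instead of being silently altered."""


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the input handling, not the KDF, is the point here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_truncating(password: str, salt: bytes) -> bytes:
    """Flawed store: checks the minimum length, then silently keeps only the
    first LEGACY_FIELD characters (the behaviour described in the post)."""
    if len(password) < MIN_LEN:
        raise PasswordPolicyError("password must be over 6 characters")
    return _derive(password[:LEGACY_FIELD], salt)


def verify_truncating(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(store_truncating(password, salt), stored)


def store_strict(password: str, salt: bytes) -> bytes:
    """Hardened store: every bound is explicit, and out-of-policy input is
    rejected with an error rather than modified behind the user's back."""
    if len(password) < MIN_LEN:
        raise PasswordPolicyError("password must be over 6 characters")
    if len(password) > MAX_LEN:
        raise PasswordPolicyError(f"password longer than {MAX_LEN} characters")
    return _derive(password, salt)


def verify_strict(password: str, salt: bytes, stored: bytes) -> bool:
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    return hmac.compare_digest(store_strict(password, salt), stored)


def accepts(store: Callable[[str, bytes], bytes], password: str) -> bool:
    """True if the store accepts the password as given, False if it rejects it."""
    try:
        store(password, os.urandom(16))
        return True
    except PasswordPolicyError:
        return False


def effective_length(store: Callable[[str, bytes], bytes],
                     verify: Callable[[str, bytes, bytes], bool],
                     probe_len: int = 64) -> Optional[int]:
    """Black-box truncation probe: register a probe_len-character password, then
    find the shortest prefix that still verifies.  A result equal to probe_len
    means no truncation; anything smaller is the real field width."""
    salt = os.urandom(16)
    secret = "".join(chr(ord("a") + i % 26) for i in range(probe_len))
    stored = store(secret, salt)
    for n in range(MIN_LEN, probe_len + 1):
        if verify(secret[:n], salt, stored):
            return n
    return None


if __name__ == "__main__":
    print("truncating store keeps", effective_length(store_truncating, verify_truncating), "characters")
    print("strict store keeps", effective_length(store_strict, verify_strict), "characters")
```

The probe only needs the ability to set a password and to attempt a login, so it can be run against a signup flow from the outside; the hardened store demonstrates the alternative the post asks for, which is to tell the user about the limit rather than silently enforce it.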

So I asked HSBC Help UK on Twitter.

@HSBC_UK_Help why are passwords for digital secure key limited to 8 characters? Not very secure 4:03 PM - Mar 22, 2015

@addersuk Hi Adam. It is a business decision, as we believe it’s long enough to be secure but short enough to be remembered.^JB — HSBC UK Help (@HSBC_UK_Help) March 22, 2015

@HSBC_UK_Help so why does your app let me enter a longer password and then truncate the password

@addersuk I am sorry if this has caused you any inconvenience Adam. Have you managed to set up a password now?^JB — HSBC UK Help (@HSBC_UK_Help) March 22, 2015

I feel this raises security concerns about HSBC if they are willing to accept poor security on their systems.

Alternatives to Microsoft SQL Server

Microsoft SQL Server licensing is expensive; however, you do get the benefit of very good development tools and integration. There are three editions:

  • Web – no performance tools, SSIS or replication
  • Standard
  • Enterprise

Alternatives to Microsoft SQL Server are:

  • MySQL – Currently owned by Oracle and slowly being moved away from open source. It is a quick database; however, it misses a lot of the features of SQL Server and is very slow at stored procedures and views, which your current system uses extensively. MySQL simplifies database development, which is why it is the most popular database system. There are a number of compatible databases, including MariaDB and Percona Server.
  • Postgres – Fantastic open source database with excellent performance and features. Originally based on the Ingres database system (which is the original base of SQL Server), it is under constant development, and a number of features have recently been added to compete against NoSQL databases like MongoDB.
  • Ingres – Sadly neglected by its owners over the past 10-20 years.
  • Other commercial databases – IBM DB2, Oracle, etc., all very expensive.

If I had to choose a database system for a new system, I would go for Postgres; however, there are a number of risks with Postgres when migrating an existing project:

  • The current system will need changes to work. The Postgres driver and database might not have the same abilities and features as those provided by the Microsoft drivers.
  • Migrating to a different database will be difficult and will possibly need training and support for current staff. You would need significant downtime to migrate the data from one system to the other.
  • Less used in industry, so experienced staff are not easily available.
  • Its tools are not fully integrated into development environments like Visual Studio.
  • Less documentation, fewer blogs and less advice available due to lower usage.

Unfortunately there is no simple replacement and although you might save money on licensing fees, you may end up spending the savings elsewhere.

However, if you're starting a new project, I would use it.

Installing Ruby 1.9, Ruby 3 and Passenger on Debian Lenny or Squeeze

The following is how I got a Ruby on Rails app running on Debian Lenny.

First, edit your apt sources list to add the Squeeze backports to get a stable Rails, then install Ruby and the base gems:

apt-get install ruby1.9.1-full
gem1.9.1 install rails
gem1.9.1 install rubygems-update
gem1.9.1 install rake

These commands will install the Ruby libraries in /var/lib/gems/1.9.1/. You can now deploy the Ruby on Rails app to the web server. You may need a few development packages for MySQL, XML and XSLT, so you may need to install the following.

apt-get install libxml2-dev  libxslt1-dev libmysqlclient-dev

Once this is complete, change to the application's directory and run:

/var/lib/gems/1.9.1/bin/bundle install

This will install all the required Gems for the application.

Now we need to install Passenger.

gem1.9.1 install passenger

If you use Apache, you will then need the Passenger Apache module. This requires a number of development libraries that might not be installed. They can be installed using:

apt-get install build-essential libssl-dev zlib1g-dev apache2-prefork-dev libapr1-dev libaprutil1-dev libcurl4-openssl-dev

Once that is complete, run the following:

/var/lib/gems/1.9.1/bin/passenger-install-apache2-module

Put the configuration lines printed by the installer into /etc/apache2/mods-available/passenger.load, then enable the module and restart Apache:

vi /etc/apache2/mods-available/passenger.load
a2enmod passenger
/etc/init.d/apache2 restart

Netgear ReadyNAS Bacula backup

Bacula is an enterprise open source network backup system that can back up all your servers to a central place.

It works by running a Bacula File Service on each server, which communicates with a central controller that manages the backup and restore requests to the storage daemons. I use a Netgear ReadyNAS, and these can run the Bacula controller and storage daemons, therefore keeping your backup solution in one place.

Securing SSH

SSH is a great service; however, it is open to dictionary attacks that can allow hackers to gain access to the server.

One great tool for limiting the success of dictionary attacks against your SSH service is DenyHosts. It monitors the authentication logs of your server and, if it detects 3 failed logins from an IP address, adds that IP address to /etc/hosts.deny.

To improve the service further, it has an optional distributed service that notifies you of IP addresses that are actively attempting to log in to SSH servers, by synchronising with a central server. Therefore you can block an IP address before it even attempts to log in to your server.

The only downside of DenyHosts is that useless developers/users of your servers have a tendency to forget their passwords occasionally and then get totally blocked from the server, but that can be easily fixed.
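As an added example (not DenyHosts' own code), the following is a small monitor in the same spirit as the tool described above: it parses sshd "Failed password" lines from a Debian-style auth.log, counts failures per source address, and emits tcp_wrappers hosts.deny entries ("daemon: client" syntax) for addresses that reach the threshold of 3 used in the post. The log lines are constructed, and the allowlist and unblock helper are this example's own additions for the locked-out-user problem in the last paragraph, not DenyHosts features.

```python
import re
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List

DENY_THRESHOLD = 3      # failed logins before blocking, the count used in the post
BLOCK_SERVICE = "sshd"  # daemon name for the hosts.deny "daemon: client" line

# Constructed sample in /var/log/auth.log syslog format (not a real capture).
SAMPLE_AUTH_LOG = """\
Mar 22 16:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar 22 16:01:05 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51010 ssh2
Mar 22 16:01:09 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 51015 ssh2
Mar 22 16:02:11 web1 sshd[2120]: Failed password for adam from 198.51.100.7 port 40012 ssh2
Mar 22 16:02:20 web1 sshd[2121]: Accepted publickey for adam from 198.51.100.7 port 40013 ssh2
Mar 22 16:03:00 web1 sshd[2130]: Failed password for invalid user test from 192.0.2.9 port 3300 ssh2
Mar 22 16:03:04 web1 sshd[2131]: Failed password for invalid user oracle from 192.0.2.9 port 3301 ssh2
Mar 22 16:03:08 web1 sshd[2132]: Failed password for invalid user postgres from 192.0.2.9 port 3302 ssh2
Mar 22 16:03:12 web1 sshd[2133]: Failed password for invalid user git from 192.0.2.9 port 3303 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(lines: Iterable[str]) -> Dict[str, int]:
    """Number of failed password attempts per source IP; successful logins are ignored."""
    counts: Counter = Counter()
    for line in lines:
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return dict(counts)


def offenders(lines: Iterable[str], threshold: int = DENY_THRESHOLD,
              allowlist: FrozenSet[str] = frozenset()) -> List[str]:
    """Addresses at or over the threshold, minus any trusted (allowlisted) addresses."""
    return sorted(ip for ip, n in count_failures(lines).items()
                  if n >= threshold and ip not in allowlist)


def hosts_deny_entries(ips: Iterable[str]) -> List[str]:
    """Lines to append to /etc/hosts.deny, one per blocked address."""
    return [f"{BLOCK_SERVICE}: {ip}" for ip in ips]


def unblock(hosts_deny_text: str, ip: str) -> str:
    """Remove one address from hosts.deny text (the fix for a user who locked
    themselves out); every other line is returned unchanged."""
    kept = [ln for ln in hosts_deny_text.splitlines()
            if ln.strip() != f"{BLOCK_SERVICE}: {ip}"]
    return "".join(ln + "\n" for ln in kept)


if __name__ == "__main__":
    blocked = offenders(SAMPLE_AUTH_LOG.splitlines())
    print("\n".join(hosts_deny_entries(blocked)))
```

In the sample, 203.0.113.5 and 192.0.2.9 reach the threshold while 198.51.100.7 (one failure, then a successful key login) does not. Putting the office or VPN address range on the allowlist is the simplest way to keep forgetful but legitimate users from being blocked; unblock() covers the case where one already has been.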