Accessibility, Story telling

The current way of my blogging – Part 1

During the years, I slowly changed my way of blogging. I can just write about is, but I also want to add some thoughts about it. Welcome to my first State of the Blogging.

The first step was to put the whole blog post in a mind map on a mobile phone. I liked the auto complete typing. Then I copied all the text into a Word document.

Brewing blog posts

In the past I used the mind map intensively for blogging. I edited the first rough version with MindManager on my Android phone and then extracted the information with FreeMind on my PC.  Nowadays I use an iPhone and I could not find the right software, so I started blogging in Word right away. Like now.

The basic idea is still the same. I put little pieces of the blog post in a Word document. Then I expand the pieces to readable paragraphs. This is based on the Fieldstone method of Jerry Weinberg.

Most tech related blog posts can be quite boring with abundance of dry facts and tips. So, I tend to add jokes in the blog post. If I need to retrieve some information from a blog post, then it is easier for me to consume.

Nowadays, I put a rough overview of a blog post or serie of blog posts with similar theme into one Word document. In case of several blog posts, I split the overview in different parts. Yes, you are currently reading the first part.

Making it accessible

In the past I tried to make my blog posts better readable for other people. I added extra headings, so I had to add extra code for CSS or Cascading Style Sheets. I used the following code:

blockquote {
	color: black;
	padding-left: 5%;
	font-weight: 400;
}

h1 {
font-size: 20px;
line-height: 1.5;
}

h2 {
font-size: 18px;
line-height: 1.25;
}

h3 {
font-size: 16px;
line-height: 1.1;
}
Then I limited the size of the paragraphs. My thumb of rule is maximal 3 lines in Word, which leads to a reasonable paragraph in WordPress.

During editing, I tried to simplify the language, so a beginning engineer can understand my blog posts. Example: the previous version of the last sentence contained “to reduce the level of my language to a level of a beginning engineer”.

In one blog post I added a warning for people, who uses screen readers to read the text aloud. Most of the time it is tiring to listen to every period and comma in a sentence. So, a lot of people set the level of the screen reader to skip these characters. But this this is not handy, if source code is shown.

Bonus tip: I also used warnings for readers to avoid situation, which trigger things like anxiety.

Just checking

English is not my native language, so I try to use proper words. On the web I regularly asked for the meaning of a word. If I find a reference to urban language, then I need to change the text.

Fact checking on the web is also included in my blogging. Especially, if laws are involved. Luckily, they are published on the web. They are great link fodder.

Use the Source, Luke.

To be sure, I added a disclaimer, that I am not a legal expert.

Word offers spelling and grammar checks. I prefer to use English UK. There are a lot of people who like to speak Oxford English, but use American words or phrases. Yes, I am one of them.

Using open standards

A Word document cannot be copied and pasted on the Web. I prefer HTML, the language used to make web pages. Then I store the Word document with the option ”Web page (filtered).”.

To be continued.

Secure things

Reverse Engineering an Account Takeover or what I discovered while updating my email address – part 3

In the previous blog posts, I wrote about my observations, which could lead to an account takeover.   Under certain conditions this was possible using the laptop of some one

 else. But if there is no laptop available,
then there might be other opportunities.

Observations

During the period updating my email addresses, I found several ways to find the Account section. I could search for the word Account.

Another way was to scan for an icon. A circle above the upper halve of a circle is a Profile menu. The picture resembles a head above a pair of shoulders. Another picture of three horizontal bars is a more common way to indicate a menu. For the fast-food lovers, it is also known as the hamburger.

And there is a third way. On a day I could not find the word Account or some similar symbol like profile. It costed me several attempts to stop searching on my own.

Who you gonna call? The helpdesk.

The friendly call center agent asked me, which help could be offered.  I just called to change my email address. In return I got a lot of questions to authenticate, that I was the rightful owner of the account. Questions were about personal information like name and other private information.

The call center agent told, that my email address would be changed. I would get some emails. One of them contained the message, that my account was removed.  This was not my initial plan.

Not on my call.

But there was something wrong with the security. There were some dangerous things, which could go wrong.

Hiders in the storm.

Discoveries

If there is a way to change things, it only takes one call.

Naming the term

Security questions are questions, which can only be answered by the owner of the account. It is like two factor authentication as mentioned in the previous blog post.

Naming the conditions

As a tester I have to look at security. If I use my observations, how would I do an account takeover. In other words, how do I reverse engineer an account takeover.

Sketching a test idea

Here is a rough description to take over an account.

Collect personal information about a person.

Call the help desk and tell, that the email address must be changed.

Answer the security questions using the collected personal information of this person.

After receiving the mail, that the email address has been changed, then it is time to change the rest of the account.

Later, to the login page, press on the link ‘Password forgotten’, and follow the instructions.

Change the password and then the user name. password. The account has been taken over.

Maling a concern

After the incident with the call center, I mailed the security issue to the company.

Recommendations for the system administrators

Configure the system in such way, that calls about changing user settings are recorded. There are systems, which can record phone calls. This includes the phone numbers.

Check the login patterns. using the log. E.g. if the user entered a wrong password once every 3 attempts and only right passwords are entered, then is a change that another user is using the account.

Check patterns of changes of accounts. E.g. if several accounts of team members have been changed within a short period of time, then there might be someone who uses personal information to take over accounts.

Check the use of two facto! authorization.

Check new email address on a frequent base.

Automate checks. Determine new metrics to act upon, make code to check it, and mail the strange patterns to the administrator. E.g. the use of the account during the night.

Looking backward

For better, for security.

Secure things

Reverse Engineering an Account Takeover or what I discovered while updating my email address – part 2

In the previous blog post, I wrote about my observations, which could lead to an account takeover There was no check on changing the personal information like the email address.

Observations

Another day, another email address update. Another Login screen. I entered my user name and password. I found my way to my account settings and clicked on the Edit button to change the email address. I entered the right email address. One check away to verify the change.

At that moment I was requested to enter my password. It reminded me of two factor authentication. To change important things like email address or home address, extra information had to be entered.

A user could change my email address using my password. That is only me. The developer was probably minding my security, which is a nice thing to experience. Security first was in his or her mind. I liked that,

The web site was still waiting for my password. I retrieved the password from my password manager and pressed the Enter key. Then I logged out and logged in with my user name. The update of my email address was successful.

But there was something wrong with the security. I did not like that.

Discoveries

Naming the terms

A password manager is a program or app, which stores user names and passwords for several accounts.

In case of two factor authentication, there are two checks, whether the user is the person, who claims he or she is. For example, a user can be asked to give the membership number to use certain benefits. Then an extra check is done by asking additional information like a name.

Naming the conditions

As a tester I have to look at security. If I use my observations, how would I do an account takeover. In other words, how do I reverse engineer an account takeover.

Sketching a test idea

Here is a rough description to take over an account.

If a laptop is not locked, an account has been opened and the password manager is opened, then change the email address in the Account section using the password from the password manager.

 

If the mail with mail address change is sent to the inbox, remove it in the inbox. Then remove the mail in the Trash.

Later, to the login page, press on the link ‘Password forgotten’, and follow the instructions.

Change the password and then the user name.  The account has been taken over.

Highlighting

Asking for a password is not two factor authentication. A password is not an additional check. With the current number of accounts, a password manager is frequently used to memorise passwords.

Let me describe another situation. If a hacker has the user name and the password, then it is simple to provide the password in order to change the email address.

Recommendations for the developers

Make a log. This can be used to find any relevant changes to the account afterwards.

Add two factor authentication. Nowadays authentication apps are interesting solutions.

Check on the location or the device, which is used for logging in. This can lead to notifications to the user. Consider using the mailbox or notification feature of the app.

Offer the system administrator to make a list of disapproved email addresses. If a company uses an app, then email addresses with certain domain names are not allowed. For example, domain names of competitors and certain countries.

Offer the system administrator to make a list of approved email addresses. For example, for an app with a company subscription only email addresses with the company domain name can be used.

Check, whether the new email address has some connection with the user. An alert should go off, when mister Smith has an email address jones@company.com.

Verify the user requesting additional information, which cannot be easily found on the internet.

Note: in May 2025, a fraud with collecting music royalties was detected in the Netherlands. An account with wrong email address had been created.

Looking forward

In the next blog post I will describe another situation to take over an account using a phone. For the record, there is no contact with the computer of the target.

To be continued.

 

 

Sharing knowledge about testing and other things on my mind