So… this happened. A web developer for Time Warner Cable left data files unprotected on an Amazon Web Services machine. It held personal information on four million TWC subscribers. Possibly including me?
They won’t tell me.
I had an interaction with their customer service desk which included the rep telling me it was “fake news.” In spite of the fact that Time Warner has acknowledged the breach and stated that they are investigating. Then they generated a “ticket”, but I have received exactly zero communication about that.
Companies that have a data breach have a legal obligation to notify the affected people, but that has various deadlines, mostly measured in increments of months, 30, 60, 90 days. I suppose I will hear from them eventually, but I did not appreciate being told it’s fake news, and I did not appreciate being fobbed off with a (probably) fake ticket number.
Two? Two what? Heads? Maybe it’s true that two heads are better than one. Depends on how alike they are, but also how different. Too much alike, and they can reinforce their mutual weaknesses as well as strengths. Not to mention, make the same amount of work simply require more effort without more benefit. That’s all true, too, of the topic I am writing about today: authentication factors.
Authentication factors for computing resources are the ways you prove to the system that you’re the authorized user, and get in to gain access to programs and files. Most frequently, the authentication factor you encounter in the digital world is, your user ID and your password. And that is the first type of factor, out of three. When security pros talk about authentication factors, we talk about three broad types:
Something you know
Something you have
Something you are
You can see how user ID and password fit the first category. You have also probably noticed that there are many sites that will allow you bypass creating yet another user ID and password combination, by logging in via one of your social media accounts. This is a great convenience, when the developers of a web resource have gone to the trouble of integrating their authentication process with one or more of the popular social media platforms. You have the added convenience of having one less password to remember.
Just don’t forget: every time you take advantage of this convenience, you raise the stakes a bit on the logins you have to the base sites. Now a compromise to your Facebook, Twitter, LinkedIn or Google+ login is that much bigger an issue. So it’s all the more worthwhile to consider a way to make the “cracking” of those high-stakes logins much more difficult.
It’s good practice to have two of the three factors for any high-value authentication. For consumers, that means, banking and investment accounts, credit and insurance sites, anything with a financial impact, in addition to social media sites that can have reputational impact, and can be leveraged for other sites you use with integrated logins. Pretty much everywhere you go uses that first category, something you know. Your user ID, and especially your password, are bits of knowledge you carry around in your head (OK), or on bits of paper in your wallet (not so OK), or on post-it notes stuck to your monitor (very bad), or stashed safely in an encrypted password vault (verry goood!). Okay, we’ve got #1 covered. Now we need #2 or #3.
“Biometrics” is the techie term for #3: something you are. It’s growing in popularity. Fingerprint unlocking is not optional anymore on some Apple and other products. Facial recognition is the unlock mechanism they’re furiously pushing for the coming devices, including the iPhone 8. Fingerprint locks are almost ubiquitous in data centers and other places that want to look very secure.
Look secure. I’m not sold on the genuine superiority of consumer-level biometrics sensors. Biometrics sensors all have a measure called the “crossover error rate.” Think about it like this: there are two ways a sensor can be wrong. It can mis-identify someone else’s fingerprint (or retina, or face, or whatever…) as yours. Or it can see yours and not get that it is yours. The first type of error is called “false-positive,” and the second “false-negative.” The charming nature of biometrics devices is, they will always present both kinds of errors. You can tune the device to present less of one, but that increases the rate of the other. And vice-versa. When you balance the two so that the total number of errors — of both kinds — is at its lowest, that is called the crossover point. The false-negative and -positive curves cross there. And the difference between a $4 sensor part and a $40 sensor part? The crossover point is a lot higher in the $4 part.
With an unavoidably substantial number of errors of both kinds, I tend to shy away from recommending biometrics in small-budget situations. The way I prefer to go for a second factor is not, something you are, but something you have. In the past, his has often been a dedicated token with a display that puts up a numeric code every minute or so. This is synchronized with the user’s identity record so that the code entered gives assurance that the user logging in is in possession of that unique key.
This is now possible at a superbly low cost, because the function of the hardware key is now taken by an app on a smartphone. Shown here is a typical screen from Google Authenticator. You install Authenticator on your phone. When you enable a second factor for authentication on any website, you perform a synchronization that shares a randomized secret between the web application and your instance of Authenticator. That seeds a process in Authenticator that generates a six-digit code every minute. You give the current code when logging in to that site thereafter.
There are some sites that send second-factor authentication codes via SMS text, or via email. This is not preferred because of the many intermediaries in those messaging protocols and therefore the difficulty of accounting for the authentication code through the entire process.
Even if using the inferior methods of SMS or email, and certainly if using a smartphone app like Authenticator, it’s always encouraged to use two-factor authentication for every service that matters.
If the service provider does not offer two-factor authentication, I would recommend inquiring of the provider why it doesn’t, and if that will change soon. If the answer to that last is No, then it might be well to switch to an alternative provider.
Confidentiality — keeping what must be private, private
Integrity — making sure no changes are made without your authorization
Availability — making sure you can get to everything you rightly should be able to
Everything I am going to suggest to you in these pages supports at least one of these elements.
There are a lot of things to talk about, and some of them need a pretty detailed discussion. But to begin, I am going to ask you to look at the most basic – even unglamorous – things that are just so important they should never be neglected. So let’s start right out with the most unglamorous one of all, but also the one most effective at helping you recover from the greatest variety of hazards.
All your important data should be backed up, ideally in two or more different ways. For example, if you copy everything to Google Drive or Dropbox, you should also get an inexpensive removable drive like a Passport or a MyBook and copy everything to that.
Backup is really cheap protection against so many hazards, everything from a ransomware infection to a house fire. Using different locations diversifies your protection. If the MyBook is in the house next to the computer when fire breaks out, it’s not likely to be usable as the backup. On the other hand, if you need to get files back quickly after a mishap like an over-enthusiastic disk cleanup, a MyBook will be five to fifty times as fast as pulling data back down from somewhere on the internet.
Make sure that however your backups run, they don’t require you to remember to do something every time. You can set them to be scheduled for a certain time or choose a backup scheme that runs continuously, monitoring for new or changed files all the time and backing them up in the background. The schedule you choose determines how much data you can expect to lose after a disaster. What this means is, if you suppose you might lose your main disk at any random time, and you have a backup that runs once a week on a schedule, then your data loss from what hasn’t been backed up can be up to seven days’ worth of changes. If that’s tolerable to you, then a weekly schedule may be just fine. But if you cringe at losing even seven hours – never mind seven days – of changes to your data, you should be looking for a backup that runs daily or continuously.
Finally, a bit that too many people forget: testing. Every so often (I would suggest once a month: set a calendar reminder), you have to test your backup to make sure it does what it says on on the tin. Pick a file at random from a recent backup, and restore it. Don’t overwrite the original; choose another location. You want to be able to confirm that the restored file and the original match. Besides confirming your backups actually work, it also keeps your hand in on working the restore process. In an actual emergency where you need to restore critical data, deer-in-the-headlights is not a good look on you.
A wide variety of free and low-cost backup software is available. Check out these superb write-ups from Tech Support Alert, a site that specializes in reviews of freeware. For Windows, browse to http://is.gd/WinBackup and for Mac, http://is.gd/MacBackup
I call this blog “Safer Computing” because I want to evoke some of the same ideas we think about when we talk about “safer sex.” We know sex with others can’t ever be 100% absolutely safe. So we are being clear-eyed about those risks when we intelligently reduce them until the benefits outweigh the risks.
Computers were originally conceived to be super-calculators. Even the so-called “killer app”, the one that caused the IBM-PC to explode in popularity in the ’80s, was VisiCalc. VisiCcalc was one of the earliest commercially successful spreadsheet applications. But most of those early PCs were also being connected by their owners to modems, and later to LANs at work, DSL and broadband at home. We all quickly discovered that these things were not only super calculators, they were also supercharged communicators. And since communication involves other people, sooner or later there were bound to be problems with some trying to victimize others. Not to mention the potentially disastrous results of honest mistakes.
On this blog, I will discuss various security and safety issues involving computers, tablets, smartphones and connected devices. The things we do with computers are really not new or complicated. Buy a book. Read the news. Pay our bills. Catch up with friends. If I can explain these things as we do them digitally so they are as easy to understand as going to a bookstore or opening a newspaper, I will consider my mission accomplished.
Technologists are quite proud of the new and efficient and somewhat complex ways they’ve worked out to do these otherwise simple things. They want you to appreciate the engineering marvels they have wrought. So they can sometimes back up a dump truck full of technical terms, and make up a few new ones, and bury any plain meaning there might have been. The way to make my points about using computers, smart devices and the Internet more safely will be to DE-mystify the concepts. You will not find a lot of technical jargon here, and on the rare occasions you do, there will be a plain-English definition. If using your computer and the Internet to pay your bills electronically can be as easy-to-understand as writing checks and sealing them in envelopes, we’re all going to have a good time.
And one more thing: I want this to be interactive. I want to make sure that I deal with topics of concern to you. Therefore, I have opened an email inbox for you to send me your questions. Please, send your questions to firstname.lastname@example.org and I will answer all that I can, here.
The password advice we all hate – upper and lower case, numerals and punctuation, change it frequently – is wrong. We knew this in our guts, but now Bill Burr, the original author of the NIST report that started it all in 2003, has recanted.
The Electronic Frontier Foundation has word lists you can use for this. They recommend dice to safeguard your picks from any system compromise you may have. If you’re a little less paranoid about it, you can use this Google sheet I have prepared from the SOWPODS.
Finally… DON’T change the pass phrase you make, unless you have a positive reason to believe it’s been compromised. Changing passwords on a regular schedule makes people tend to use predictable passwords. And no good can come of that!
Employees at Three Square Market, a vending machine maker in Wisconsin, have been given the opportunity to be chipped (like an AKC puppy!) and allow that chip to serve as their employee ID, computer login, and purchasing token at the vending machines in the break rooms.
The company has “offered” their employees the “opportunity” to sign up for this, “voluntarily”. They will be chipped at a “party” to be held August 1. Was that enough “scare quotes” for you? I trust my readers to “get it.”
As with all ransomware, the defense is simple: Backup, backup, backup. The fresher your backups are, the less work it will be to reconstruct your data and the less temptation you will feel to pay the criminals.
Backup, backup, backup.
Microsoft is blaming the NSA, and the NSA is blaming Microsoft. A pox on both their houses.
Backup, backup, backup.
Anti-virus can’t help you until they catch up, and can’t help you again once it starts to mutate.
Backup, backup, backup.
Someone found a “kill switch”. By accident. Uh-huh.
Trust that, do you?
Rochester B Sides is always fun and enlightening. The keynote was by @dualcore about techniques that malware writers will use to defeat memory forensics so that their hard work developing payloads is not trashed.
His talk was punctuated with those infamous clips of goats emitting disturbingly human-like screams. I have no idea why, and I am not even that curious about it. His talk was still good…
But then he had a slightly longer break while a data harvesting process ran. And he played this.
Between LastPass pooping the bed (again!?) and Congress telling your ISP to spy all they want on you, my recommendations fromback in November are now looking mighty thin without including a VPN service, to try to stick one more finger into the dike.
I will plan to do a roundup of decent and non-evil (as far as we can know) VPN services by this weekend. But you should also start looking for your own.
One thing you can do right away that’s easy and free, is start using OpenDNS for your address lookups. ISP spying on users always begins with DNS, so the first thing I always do is get the heck off the ISP’s DNS and on to OpenDNS or Google’s.