Whenever a news story breaks about information security (usually a radically bad FAILURE thereof) then “security researchers” or “consultants” get trotted out by the media to give expert soundbites. David Kennedy was a keynote speaker at the recently-concluded Rochester Security Summit, so he’ll do for my example:
David is a security researcher – which means he’s a hacker. No, I did not just accuse him of a crime. He’s a wonderful guy and I would totally invite him to dinner.
The media have abused the term “hacker” for years now. The original meaning of the word was simply, “One who is expert at programming and solving problems with a computer.” That expertise, together with an insatiable curiosity driving one to exercise it, is what genuinely makes a hacker.
Cyber-criminals may or may not be hackers. For example, if they wish to crack their way into some company in order to plunder its money or sensitive info, they might exercise their own high levels of technical skill. But they might hire technical capability, and not exercise it themselves. Or they might be what we call script-kiddies, people who find easy step-by-step recipes for creating digital mayhem, and use them to good effect against poorly secured targets. They might not even be criminals: they might be state-sponsored, and thus their actions are legal. At least under their nation’s laws.
But hacking is a set of problem-solving approaches, and a toolbox of techniques. It’s a way to accomplish a goal, and the goal’s goodness or badness is not relevant. Hacking is morally neutral. If, and only if, the goal of the hacking is a crime, then a hacker also happens to be a criminal.
Security researchers (like David) are employed to find ways that our information systems can be exploited. They might do malware reverse-engineering, or vulnerability discovery and analysis, or refining social engineering techniques. Most of our companies don’t employ them: it’s too specialized. Large providers and specialty firms (Verizon, FireEye) provide researcher talent, and we consume the output in the form of reports and alerts.
Independent researchers also work as consultants. They may help companies figure out what happened after an attack, or they may routinely provide bug reports to manufacturers. They may work on Red/Blue team exercises, where attacks are simulated and defenses are tested. Without question, Security Researchers are hackers. If they aren’t, they cannot function in that job.
Where? To the Rochester Security Summit of course! It kicks off tomorrow for two days of security geeking-out. I am looking forward to it plenty. My talk is on Friday at 2PM about full and responsible disclosure of bugs, bug bounties and so on.
This weekend I will make a post here, covering that topic.
Advertising supports a lot of the content you enjoy on the Internet. The economics of it should be simple. An advertiser pays a certain amount to get a commercial message in front of many readers or viewers. Some percentage of those viewers make a purchase. When enough revenue comes back to the advertiser, the ad is a good investment: returning more in margin to the business than it cost to produce and place. In practice it’s a lot more complex than I state here, but the backbone of advertising remains just that simple.
This simple idea has recently started to create problems of the sort that show up in the Safer Computing inbox. Advertisers realized that a digital advertising message can be a lot more than a picture with words or a short film to watch. This means you can experience web pages with ads that are mini-games, ads that follow you around a page as you scroll, ads that follow you from page to page as you browse, and more.
You may also be aware that ads make and store all sorts of inferences about you — inferences they gather from what goes on in your browser and on the rest of your computer. These inferred personal profiles are scooped up by data brokers and packaged to be resold to other marketers. That’s supposed to be done in enough volume to make each individual profile impossible to identify. But recent research has shown that, with so many different data points being collected, working backward from a large “anonymized” data set to reliably identifying individuals is far easier than anyone suspected. Yet, without enough different data points, the package is not attractive to marketers. It will not find a buyer.
Another very disturbing trend in advertising is the enormous number of computer virus and Trojan infections that the ad networks now make possible. Remember that the ads are more than just pictures or films; they have all kinds of sparkly interactive features. They dance, they sing, they explore the bleeding edge of being so annoying that you want to throw the computer out the window and go for a walk instead. And how do they accomplish these things?
Every one of those ads is a small program that you have half-consciously invited to run on your computer. Your browser was instructed to bring these programs along with the content you wanted to see. The intent of these programs appears to be delivery of a commercial message — but other functions are often hidden there. Viruses delivered within web ads have infected hundreds of millions of computers around the world with everything from botnet spam clients to ransomware. The websites that deliver these ads don’t often know what they are sending out; they simply allow ad networks to deliver whatever they like within broad guidelines and accept the payments for what is passed along. The networks that aggregate and place these ads do not have the resources to check out all the ads they deliver, from what may be thousands of sources. What’s worse, they don’t have the incentive. With enough layers of middlemen, there’s nowhere for liability to land.
With all that to consider, I decided a while ago that I would block ads everywhere I could. There are two counter-arguments to blocking ads I did consider. One is, how will I support the websites whose content I am enjoying? Simple: I actually become a paid member or supporter of any sites I read frequently enough. Some sites I visit for the first time, say they won’t serve me content unless I disable my ad-blocker. Fair enough, I say, and click away to find a similar item elsewhere.
The other counter-argument is, how will I learn of cool new products or services I might want to try? Since I was never one to find such things through ads, I consider this a small loss if any. The truth is, for anything larger than a tiny impulse buy, I check out new things at recommendation sites like Wirecutter, Sweet Home or Consumer Reports. For purchase decisions, I prefer unbiased comparative reviews to advertising content.
My current ad-blocker of choice is uBlock Origin by Raymond Hill. It’s a very low-profile browser add-on for Firefox, Chrome or Opera. I say “current” because my choice has changed a few times recently. Other ad-blocker providers have gradually been seduced by money and become ad networks in themselves, serving what they call “safe” or “white-listed” ads. Their users have had varying levels of choice about this, from “a little” to “none.” With uBlock Origin, so far so good. If things change, I will add an updated recommendation in this space.
Backup is the most basic information security measure. Whatever else happens, your worst-case, baseline fall back is: restore from a backup and get back to work. So you always want to make sure your backups are rock-solid. A rule of thumb for how to ensure that is easily remembered as, 3-2-1.
3-2-1 backup means that you should:
Have 3 copies of your data (minimum)
Keep backups on at least 2 different media
Store at least 1 backup offsite
So you can see that this is not as hard or as involved as it might seem, I can give you an example from real life — from my own desk, my own PC. I had been using CrashPlan Home for all backups here, but they just announced that the entire Home edition of the product is shutting down over the next year. The deadline they have given me to get off is mid-January of 2018.
It’s true, I have two things that some home users do not: a second hard disk in my PC and a file server. But the same effect can be had for anyone with, say, a large USB drive and a network disk like a Seagate Central. The other thing I need, and that you’ll need, is a cloud storage service.
Backup #1: goes to my second hard disk. There are many hazards backups protect against. Probably the most commonly realized one is what we call PEBKAC. That means, Problem Exists Between Keyboard And Chair. In other words, this one is for when I am an idiot. It will not protect me against hardware failure (unless that miraculously spares the one disk drive). So, in that case, I move on to…
Backup #2: my file server. This one will be OK even if my entire PC fails. It’s also the one that I encrypt, because it’s also the source for a file-sync routine that goes to…
Backup #3: my cloud storage provider. This is the one I will have to count on if the house burns down. To do this, I chose a storage service that, like DropBox, does a continuous synchronization as its contents are updated. Once primed, it will update every time the source backup updates. I selected pCloud for this, because the yearly price for 2TB of storage was the most competitive, while still supporting the essential sync function.
Because I don’t trust the encryption at the file storage service alone, I am using a backup software that provides local encryption. For the software, I chose Duplicati. It’s simple, it’s free (but make a donation, if you can!) and it’s open-source. It also supports a vast array of cloud storage providers, so if I want to switch in the future, I will probably be covered.
3-2-1: make sure you can get a working copy of your data if you need to. Somewhere!
The Cloud! It sounds so… ethereal. We’re all going to have computers floating around in the air? What’s going on here, really? Today, let’s look at data storage “in the cloud” and how we can use it more safely.
A sticker on my laptop says, “There is no Cloud. It’s just someone else’s computer.” At its most basic, that’s what we mean when we talk about “the Cloud” for any computing or data storage need. We can host the website on a server we buy and maintain, or we can pay someone to host it on their server. We can store our photos and music on disks we buy, connected to computers we own, or we can pay someone to store them for us. When we pay for the service in money or personal info or both, then we’re users of “the Cloud.” If you keep music, video, pictures or documents in Google Drive, DropBox, SpiderOak, OneDrive or iCloud, you’re a cloud user. If you host a website on SquareSpace, Weebly, GoDaddy or any similar services, you’re also a cloud user.
Of course, the fact that it’s someone else’s computer means that we don’t have as much control as we might over how the data we store there gets handled. This is where the security considerations require more thought. Every cloud service will tell you how secure they are. Every one will tell you about their use of encryption. Encryption matters, a lot. But what matters more is a careful consideration of the “What-Ifs”. It’s what we security guys call “threat modeling.” You have to imagine the ways in which your information could get compromised, and see if the security measures in place actually protect against the threats you care about. So when DropBox tells me that they have strong encryption I have to think, what is encrypted, and how are the keys handled? When I poke a little further, I learn that they encrypt the data I send there “in transit” and “at rest.”
“In transit” means, when I send the data from my computer to Dropbox’s, it travels over an encrypted connection. That’s good. But my “what-ifs” didn’t seriously include, “What if someone eavesdrops on my network connection while I upload the file?” What I did wonder was, “What if someone hacks access to Dropbox’s data center and can go wandering around on their servers, looking at stuff?” The fact that my data arrived there safely last week doesn’t help me now, does it? So now I consider the fact that they also do “at rest” encryption. That means the data is encrypted while stored on their disks waiting to be retrieved. OK, that’s pretty good. But then one more thing bugs me: DropBox controls the keys needed to open those encrypted files and retrieve them in their original state. If those files are my tax returns, or sexy shots of my lover, I certainly don’t want anyone with access to the keys to be able to look at that! Yet, in this hacker-in-the-DropBox-servers scenario, that is exactly what becomes possible, because the same baddies who can get to my at-rest data can also probably get to those keys.
When I decided to use DropBox (or any of the similar services), I considered these kinds of things. A compromise I made when I decided to go ahead and use their service was, accepting that the data I stored there would indeed be vulnerable to this kind of threat. I also knew I had two ways to mitigate the risk, and I use a combination of both. The first and most important is, I am simply cautious about what I put in there. I put things there that I want to share, that I want available from my mobile devices, and that I don’t care that strongly if they were disclosed. No tax returns, and no cheesecake shots of my sweetie. Yes to pictures of my cats, social media memes or raw materials for blog posts.
The other mitigation is what I apply to the few things that do need protection but also need to be more widely available: I add my own encryption. If you think of encryption as a secure box to which you hold the key, then you’ll see why this helps. I encrypt my secret data — I put it in a box and lock it. Then I send it to DropBox. DropBox gets a file from me, encrypts it with their key, and stores it. Now, it’s a box within a box. If someone hacks DropBox’s data center, they can open the box locked with DropBox’s key only. When they get to what’s inside, it’s still locked with my key. And I never send that to DropBox, so my secrets are safe.
Encryption is a lock. Who holds the key, that’s what really matters.
The easiest way to add your own encryption to a file or several is to use one of the widely available utilities that create “Zip” or similar archives out of files or batches of them. All of these, in their latest versions, have the option to encrypt the resulting archive with a very strong and reliable system called AES – Advanced Encryption Standard. Just make sure you create a good strong password or phrase (as I wrote about here). And record that passphrase anywhere but in the cloud service where you store the resulting archive.
So do mine. What can you say? Maybe I should write that, p@5SW0rdz? It doesn’t matter. We all use passwords. It’s the simplest and most popular method systems and sites have to authenticate us. But let’s face it, passwords suck. There are lots of problems with how we use passwords, and my aim today is to help sort some of those out.
The main thing you need to know about passwords is that they are typically not used well enough to secure much of anything, because humans have certain mental patterns that are difficult to break out of. One is that we will tend to choose, as “secret words” that we know we need to remember, things that have a particular meaning to us. A child’s name, a wedding anniversary, a favorite sports team. The advantage is that these things don’t change, so we can reliably remember them. But that is also a huge disadvantage, especially since we make it easy for anyone to learn these things about us, via social media.
A common strategy used to attack password security is brute force: just guess all the possible passwords until you get a match. Once an attacker knows your kids’ names, your milestone dates, your favorite teams or bands, the range of things they have to guess just got a lot smaller, so getting that match just got a lot easier. Almost as easy for an attacker, is when your passwords are not based on your life, but still are real words. Now we have a refinement to brute-force guessing: the “dictionary attack”. This can reduce finding a password using modern computing equipment to only seconds, instead of hours or days. And it’s usable even if you take your favorite fruit, say, “pineapple”, and cleverly change it to “p1N3Appl3”. Dictionary-attack software takes all those transformations into account, and it’s only slowed down by a few heartbeats.
There’s another habit we have as humans that makes life easier for criminals; we reuse passwords. Having more occasions to type in a given password makes sure we are likelier to remember it, doesn’t it? Well, all this means to a criminal is that once they figure it out for one site, they have it for everywhere we go. Now, even as hard as it is to remember a single good password, here’s that mean old Safer Computing blogger telling you to make up a new and different one for every site. This is ridiculous! You can’t do this! Heck, Safer Computing can’t! Nobody can….
Nor should they. No, the human brain is not up to making or remembering good passwords. Because p@5SW0rd is a pretty lousy one, and so is p1N3Appl3. A good password is actually something like Kg52k$hm^YG@yuR%WD. But I don’t want to type that, and I don’t want to have to remember it. Lucky for me, I don’t have to. There are a number of good password managers out there, which are systems that create, set and use good complex passwords for you, without giving you the headache of dealing with strings like Kg52k$hm^YG@yuR%WD. The one I would recommend from my current tool kit is LastPass (https://www.lastpass.com/). It integrates into your browser so you can let it automatically log into sites for you. When you’re signing up for some new service, it (usually) detects that and offers to generate a gnarly unguessable password for you. And if you load your current set of passwords into its database, it will offer to fix problems like weaker passwords and duplication. All in all I have been happy enough with it to upgrade to the paid version for several years now. But start with the free version, it’s got more than enough power for most folks. If you want to try something else, try taking a look at 1Password (https://1password.com/) or for a stand-alone program instead of a web-based database, try KeePass2 (http://keepass.info/). I have no affiliation to any of these products.
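The two points above, that “clever” respellings like p1N3Appl3 are still dictionary words to the software that guesses them, and that a manager-generated string is what a good password actually looks like, can be shown in a few lines. The Python below is an added example, not code from this blog or from any of the password managers named; it uses a tiny constructed word list standing in for the multi-million-entry lists real checkers use, a single look-alike substitution table (real strength estimators such as zxcvbn try several), and Python’s secrets module for the generator.

```python
import secrets
import string

# Constructed stand-in for a real dictionary; actual lists hold millions of words (assumption).
WORDLIST = {"pineapple", "password", "sunshine", "dragon", "letmein", "welcome"}

# Look-alike substitutions that "clever" spellings rely on. Mapping each symbol back to
# one letter is enough to undo p1N3Appl3; fuller checkers try several candidates per symbol.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# Character set the generator draws from; exposed so callers can validate output.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def leet_normalize(password: str) -> str:
    """Lower-case the password and undo common digit/symbol-for-letter swaps."""
    return password.lower().translate(LEET_MAP)


def dictionary_based(password: str, wordlist=WORDLIST, min_len: int = 5) -> bool:
    """True when the normalized password contains a dictionary word, i.e. when a
    dictionary attack with substitution rules would find it in seconds rather than days."""
    normalized = leet_normalize(password)
    return any(len(word) >= min_len and word in normalized for word in wordlist)


def generate_password(length: int = 18) -> str:
    """Random password from a CSPRNG, rejecting the rare draw that misses a character class.
    This is the kind of string a password manager produces for you."""
    if length < 4:
        raise ValueError("need room for all four character classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in "!@#$%^&*" for c in candidate)):
            return candidate


if __name__ == "__main__":
    for pw in ("p1N3Appl3", "p@5SW0rdz", "Kg52k$hm^YG@yuR%WD", generate_password()):
        verdict = "dictionary-based" if dictionary_based(pw) else "not a dictionary word"
        print(f"{pw:24} -> {leet_normalize(pw):24} {verdict}")
```

Running it shows p1N3Appl3 normalizing straight back to pineapple, and p@5SW0rdz to passwordz, while the generated string never collapses to anything on the list. The generator draws every character with `secrets.choice`, never `random`, because the whole point is that an attacker cannot reproduce the sequence.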
Finally, let’s talk about ways to make your passwords less important (they suck, remember?). The best way to do this is to add a second factor to your authentication on anything important. If the password is the only thing you need to get into a service, then having that password compromised is a disaster. But if getting in to, say, your GMail requires both a password and the code for GMail on the Authenticator app in your phone, then losing only one of those is annoying rather than disastrous. For any important website (email, social media, banking, stock trading, etc.) that offers two-factor authentication, you should absolutely accept that offer and set it up. The second factor will often be tied to your phone, but that’s actually just about ideal. You already have it, and it’s something you have that a crook who just guessed a password does not have. This makes everyone safer (crooks excepted).
If an important site you use does not offer two-factor authentication, ask them some questions: Why not? When WILL they offer it? and of course, How do I transfer my account to a competitor who DOES offer it?
Death and Taxes. With enough lawyers you can avoid most of the taxes, but as sure as I am typing these words, and you are reading them, every one of us is going to die[*]. While we each have a will to cover our possessions and assets, how many of us include in that document what to do about digital assets? More to the point – if someone dies and leaves no will, the law is reasonably straightforward about what to do with their possessions and finances. But our legal system has not yet really begun to address consistently what to do with the dear departed’s Facebook or Twitter accounts, their email, websites, and so on. These are digital assets but there’s not necessarily a physical item that corresponds to any of them. To make sure these are handled according to my wishes after I die, I have made a “data will.” Note: I am not a lawyer and this is not legal advice. If you want your “data will” to be enforceable as part of your actual, legal last will and testament, you must consult a lawyer.
What’s in a data will? This will differ in the details for everyone but I think these major sections are a good starting point. First and foremost, passwords. If you are using some kind of password management tool (as I suggest!), this will be easy. You will only need to tell your survivors where the password data resides, and what is the master password to gain access to it. If there’s no password manager wrangling all your individual passwords, you’ll have to list them all in this document, or an attachment. The password list or manager also provides a map of where you had an online presence and business or personal relationships, which will help in other ways.
If some of your online accounts have two-factor authentication such as an app on your phone that generates a 6-digit code when logging in from a new device, etc., make sure the document details where to find that, and how to use it. Also, include information on how to unlock your phone!
Email is still a fundamental service in the online world, especially when it’s the focal point for most sites’ password-reset processes. So make sure your document includes an abundance of information as to where your email is delivered, how to log into it, and pointers to the password manager entries for the email password (or the email password itself).
You may wish some of your online accounts and services to continue running. For example, you may host a family website, or use a backup service that includes your spouse’s or other family members’ data. Instructions as to what should be kept going vs. what can safely be shut down will be useful here. Also consider that any auto-pay arrangements, such as monthly or annual billing to a certain credit card or via PayPal, might not be obvious to your loved ones. Make these arrangements explicit in this document.
Finally, how to notify online friends & colleagues of your death. Many of us are members of virtual communities that might not have visibility to other more traditional ways our death would be communicated, such as local obituaries or even Facebook pages. If you are a member of professional mailing lists or other such niches of cyberspace, make sure your survivors will know how to send a notification to those communities. You may have been working on a joint project at the time of your death: it’s only polite to let the team know you won’t be at the next meeting.
Once you have completed this awesome document, you have two main things to worry about: How to make sure it has the desired effect once it’s needed, and how to keep it safe, meanwhile. I mentioned above that if you want it to be legally enforceable, then you need to consult with a lawyer as to how to make it part of, or an attachment to, your will. Be sure to confirm whether or not it will become part of the public record – if so, you will want to work with your lawyer to conceal the passwords and other sensitive information in your document.
As for the security of the document while you’re still alive, I refer back to the three most basic concepts of information security: Confidentiality, Integrity and Availability. All three of those apply here, with very high stakes. You need to be sure the document is not disclosed to anyone unauthorized, that it is not altered without your knowledge, and that your survivors can get to it after your death without serious obstacles. There are many ways to accomplish each of these three things, but what I will delve into a future post is document storage “in the Cloud”, and how that can address all three of these concerns.
This article originally appeared in the September 2016 edition of The Empty Closet.
[*] – except maybe Peter Thiel but really… who wants to be a vampire?
After every other major breach in recent times, one of the things we’ve all been advised to do is to go to the credit reporting agencies and check for any unauthorized activity. And who are the credit reporting agencies? TransUnion, Experian and Equifax. Now we have news this week of Equifax having suffered a data breach of over 143 million Americans. That is about 40% of the population, and well over half of those who have any credit records at all. To help consumers begin to deal with it, Equifax has set up a site whose URL was apparently inspired by all the Equifax-themed phishing emails their staff have seen: https://www.equifaxsecurity2017.com. Regardless of the terrible URL, that is the correct site.
My personal advice is, go ahead and register for the Trusted ID service that finding your name on https://www.equifaxsecurity2017.com entitles you to. You can also choose to replicate a lot of what it offers by freezing your own credit reports and reviewing a copy of each one, which you can obtain via annualcreditreport.com.
Much has been made over the fact that the Equifax emergency site asks for some pretty detailed personal information before signing you up. My take on that issue is simple: Equifax had that information anyway, and much much more.
Here are a few other links to stories from the past few days. I have tried to filter out some of the more freaking-out ones.
So… this happened. A web developer for Time Warner Cable left data files unprotected on an Amazon Web Services machine. It held personal information on four million TWC subscribers. Possibly including me?
They won’t tell me.
I had an interaction with their customer service desk which included the rep telling me it was “fake news.” In spite of the fact that Time Warner has acknowledged the breach and stated that they are investigating. Then they generated a “ticket”, but I have received exactly zero communication about that.
Companies that have a data breach have a legal obligation to notify the affected people, but the deadlines vary, mostly measured in increments of a month: 30, 60, 90 days. I suppose I will hear from them eventually, but I did not appreciate being told it’s fake news, and I did not appreciate being fobbed off with a (probably) fake ticket number.
Two? Two what? Heads? Maybe it’s true that two heads are better than one. Depends on how alike they are, but also how different. Too much alike, and they can reinforce their mutual weaknesses as well as strengths. Not to mention, make the same amount of work simply require more effort without more benefit. That’s all true, too, of the topic I am writing about today: authentication factors.
Authentication factors for computing resources are the ways you prove to the system that you’re the authorized user, and get in to gain access to programs and files. Most frequently, the authentication factor you encounter in the digital world is, your user ID and your password. And that is the first type of factor, out of three. When security pros talk about authentication factors, we talk about three broad types:
Something you know
Something you have
Something you are
You can see how user ID and password fit the first category. You have also probably noticed that there are many sites that will allow you to bypass creating yet another user ID and password combination, by logging in via one of your social media accounts. This is a great convenience, when the developers of a web resource have gone to the trouble of integrating their authentication process with one or more of the popular social media platforms. You have the added convenience of having one less password to remember.
Just don’t forget: every time you take advantage of this convenience, you raise the stakes a bit on the logins you have to the base sites. Now a compromise to your Facebook, Twitter, LinkedIn or Google+ login is that much bigger an issue. So it’s all the more worthwhile to consider a way to make the “cracking” of those high-stakes logins much more difficult.
It’s good practice to have two of the three factors for any high-value authentication. For consumers, that means, banking and investment accounts, credit and insurance sites, anything with a financial impact, in addition to social media sites that can have reputational impact, and can be leveraged for other sites you use with integrated logins. Pretty much everywhere you go uses that first category, something you know. Your user ID, and especially your password, are bits of knowledge you carry around in your head (OK), or on bits of paper in your wallet (not so OK), or on post-it notes stuck to your monitor (very bad), or stashed safely in an encrypted password vault (verry goood!). Okay, we’ve got #1 covered. Now we need #2 or #3.
“Biometrics” is the techie term for #3: something you are. It’s growing in popularity. Fingerprint unlocking is not optional anymore on some Apple and other products. Facial recognition is the unlock mechanism they’re furiously pushing for the coming devices, including the iPhone 8. Fingerprint locks are almost ubiquitous in data centers and other places that want to look very secure.
Look secure. I’m not sold on the genuine superiority of consumer-level biometrics sensors. Biometrics sensors all have a measure called the “crossover error rate.” Think about it like this: there are two ways a sensor can be wrong. It can mis-identify someone else’s fingerprint (or retina, or face, or whatever…) as yours. Or it can see yours and not get that it is yours. The first type of error is called “false-positive,” and the second “false-negative.” The charming nature of biometrics devices is, they will always present both kinds of errors. You can tune the device to present less of one, but that increases the rate of the other. And vice-versa. When you balance the two so that the total number of errors — of both kinds — is at its lowest, that is called the crossover point. The false-negative and -positive curves cross there. And the difference between a $4 sensor part and a $40 sensor part? The crossover point is a lot higher in the $4 part.
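The crossover point described above can be located numerically once you have match scores from a sensor. The Python below is an added example, not from this blog or any sensor vendor: it sweeps an acceptance threshold over two constructed score sets (genuine users vs. impostors) for a “good” sensor and a “cheap” one whose score distributions overlap more, computes the false-accept and false-reject rates at each threshold, and returns the threshold where the two curves cross. The scores are made up for illustration; a real evaluation would use thousands of attempts.

```python
from typing import Sequence, Tuple

# Constructed match scores (0 = no resemblance, 1 = perfect match). Assumption:
# the "cheap" sensor separates genuine from impostor scores less cleanly.
GOOD_GENUINE = [0.91, 0.88, 0.86, 0.83, 0.79, 0.75, 0.72, 0.64, 0.58, 0.41]
GOOD_IMPOSTOR = [0.12, 0.18, 0.25, 0.31, 0.37, 0.44, 0.52, 0.61, 0.69, 0.77]
CHEAP_GENUINE = [0.85, 0.80, 0.74, 0.70, 0.66, 0.60, 0.55, 0.50, 0.45, 0.38]
CHEAP_IMPOSTOR = [0.20, 0.30, 0.40, 0.48, 0.53, 0.58, 0.63, 0.68, 0.72, 0.78]


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """A presentation is accepted when its score >= threshold.
    Returns (FAR, FRR): impostors wrongly accepted, genuine users wrongly rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_point(genuine: Sequence[float],
                    impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, FAR, FRR) where the two error curves are closest: the crossover,
    also called the equal error rate. Tuning the threshold away from it trades one
    error type for the other."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr


if __name__ == "__main__":
    for label, gen, imp in (("good sensor", GOOD_GENUINE, GOOD_IMPOSTOR),
                            ("cheap sensor", CHEAP_GENUINE, CHEAP_IMPOSTOR)):
        t, far, frr = crossover_point(gen, imp)
        print(f"{label}: crossover at threshold {t:.2f}, FAR={far:.0%}, FRR={frr:.0%}")
        # Tighten the threshold: FAR falls, FRR climbs.
        far_hi, frr_hi = error_rates(gen, imp, 0.79)
        print(f"  at threshold 0.79: FAR={far_hi:.0%}, FRR={frr_hi:.0%}")
```

On these constructed scores the good sensor crosses over at 20% of each error type and the cheap one at 40%, which is the gap the post describes between the $4 and $40 parts. The tightened threshold in the usage section shows the trade-off: the good sensor rejects no impostors at 0.79 but then turns away half its legitimate users.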
With an unavoidably substantial number of errors of both kinds, I tend to shy away from recommending biometrics in small-budget situations. The way I prefer to go for a second factor is not, something you are, but something you have. In the past, this has often been a dedicated token with a display that puts up a numeric code every minute or so. This is synchronized with the user’s identity record so that the code entered gives assurance that the user logging in is in possession of that unique key.
This is now possible at a superbly low cost, because the function of the hardware key is now taken by an app on a smartphone. Shown here is a typical screen from Google Authenticator. You install Authenticator on your phone. When you enable a second factor for authentication on any website, you perform a synchronization that shares a randomized secret between the web application and your instance of Authenticator. That seeds a process in Authenticator that generates a six-digit code every minute. You give the current code when logging in to that site thereafter.
There are some sites that send second-factor authentication codes via SMS text, or via email. This is not preferred because of the many intermediaries in those messaging protocols and therefore the difficulty of accounting for the authentication code through the entire process.
Even if using the inferior methods of SMS or email, and certainly if using a smartphone app like Authenticator, it’s always encouraged to use two-factor authentication for every service that matters.
If the service provider does not offer two-factor authentication, I would recommend inquiring of the provider why it doesn’t, and if that will change soon. If the answer to that last is No, then it might be well to switch to an alternative provider.