Friday, December 14, 2012

The Two Step Verification Dance

Practicing good security habits is not too unlike learning to dance. The steps can be a bit clumsy at first, but once you get in the habit of it you'll be able to handle security with the grace of Fred Astaire and Ginger Rogers on the dance floor.

Though two factor authentication has been around for years in corporate and high level government settings, it is fast becoming a common security option for everyday computer users. Two step verification, also known as two factor authentication or multi-factor authentication, is a dance more and more of us can learn to further protect ourselves. It offers better security than single factor verification because it requires two independent pieces of evidence to validate your identity, so an attacker who steals one of them still cannot get into your account. So, what is single factor verification, and how does it differ from two factor authentication?

Single factor authentication is simply entering your username and password to gain access to your online account. This has been the de facto method of logging into online accounts. Up to a point it has been fine; however, the strength of our security needs to keep pace as attackers become more sophisticated, and a password can be phished, guessed, or stolen in bulk from a breached site without you ever knowing. Strong passwords are still incredibly important, but a password alone may no longer be the best practice. So, what if we were to add a layer of protection to our login credentials? That added layer is where two factor authentication comes in.

The two parts of two factor authentication are generally described as "something you know" and "something you have". Two factor authentication requires you to enter your password along with that second piece of information, typically a six digit number (your token). The token is generated by a source outside of the account you are accessing: it can be sent as a text message to your phone, generated by an app on your smartphone, or produced by a keyring device; a smartcard or USB security key plays the same role but presents a cryptographic credential rather than a code you type. Of these, a text message is the weakest delivery method, because a message can be redirected to a phone the attacker controls, so prefer an app or a hardware device where the site offers one. When you attempt to log in to a two factor aware site you will first enter your password (something you know), and second, you will provide the token (something you have) before login completes.

What makes two step verification more secure than single step verification?
  1. The risk is lower that your account will be compromised because an attacker would need not only your password, but also access to the device providing your token.

  2. Unlike your password, which changes infrequently, each token is valid only for a short window, typically 30 seconds, and a well built service refuses to accept the same token twice. Each time you log in to the service you need to provide a fresh token. There are some caveats to this which are discussed below.

  3. The online service to which you are connecting does not store the tokens themselves; it stores a secret from which your device and the service both derive them. If an attacker steals your login and password from the service they will not have the token needed to access your account. The caveat is that the stored secret is as sensitive as your password, so the service must protect it just as carefully.

  4. Tokens increase security even if you have a weak password because they are used in addition to your password to confirm your identity. The token helps keep attackers out of your accounts, but it is a supplement to, not a replacement for, strong passwords. Strong passwords are still an essential part of a good security strategy.

What is the downside of two step verification?
  1. Two factor authentication can be clumsy to set up. Setup consists of enabling it for your account with a site that supports it and indicating in your site preferences how you want to receive the token. Then set up any third party apps used on tablets and phones that you want accessing your account. The downside is that currently there are few phone and tablet apps that are two factor aware. These legacy apps end up authenticating with a permanent app specific password or token, which in effect renders the two factors moot for that app: you are no longer using the freshly generated "something you have" in addition to your password because you allowed the app to keep the same credential, and unlike browser token cookies these don't expire. Treat such app passwords as you would any other password, and revoke them from the site when you stop using the app.

  2. As I alluded to above, your web browser can store a token in a cookie on your computer if you don't want to have to enter a new token each time you log in. Sounds great, and it simplifies access to the site. The downside is that a browser infected with malware (a man-in-the-browser attack) can have that cookie, and with it the "trusted browser" status, stolen and sent back to the criminal. To limit the damage from a discovered cookie it carries an expiration date, generally 30 days from the time it was established, after which you will be asked whether you want to save a new token in your browser.

  3. It can be inconvenient to use two factor authentication, particularly if you don't have the device that provides the token with you. Also, the "something you have" can be lost, stolen, or damaged. Some sites will allow you to generate a series of one time backup or emergency tokens that you can print on paper and carry with you in the event that you don't have the token device. The downside is that these codes can be lost or stolen too. Imagine if you were carrying them in your wallet, then had your wallet stolen along with your identification. It's a cyber crook's dream. Keep backup codes separate from your identification, and if they go missing, log in and generate a new set so the old ones stop working.

  4. Entropy, that is, randomness, is critical. Most token generators do not pick each code at random; they derive it from a secret key shared with the service plus the current time or a counter, so the secret key created when you enroll is what must be unpredictable. Systems that do a poor job of generating that secret, or that produce text message codes with a weak random number generator, can give criminals an opportunity to predict the codes and pass themselves off as you.

Of course, there is three factor authentication, which relies on the "something you have" and the "something you know" and adds the biometric layer, the "something you are", such as a fingerprint or retinal scan. Alas, there is no perfect security. It's an evolutionary process. But, instead of waiting for something better to come along, this holiday give yourself the gift of two factor authentication.

Friday, October 19, 2012

See No Tech, Hear No Tech, Speak No Tech

In the past several months I have had several conversations with several people several times regarding several aspects of online security. There were enough "severals" to make me decide that now is a good time to further espouse my technology philosophies.

I spoke with one person that said he does not have the Internet at home because he fears a hacker will get his personal information, yet he uses a public computer for conducting personal transactions. Someone else I spoke with told me she was getting on her neighbor's unsecured wireless network to do her online banking when she was having issues with her home's router. Another person told me that she is required to have an online account with her child's school to manage the student's affairs. She was concerned that by having online access her family's personal information would be stolen. And, a fourth person told me that he did not need malware protection on his home PC because his Internet provider is handling it on their end.

Most of the people I spoke to had some rudimentary understanding that there are dangers in using the Internet, and some of them have become more careful in how they interact with businesses over the Internet. Others were nearly paralyzed by their fear simply because they are unable to accurately determine the risk of their computing habits. And, judging by the examples I cited above, it is clear there is much work to be done in getting people to understand and successfully evaluate the risks of computer use.

It is erroneous to think that public computers are safer to use than a home computer; you have no idea what software is installed on them or who used them last. It is unwise to think that because you are on a secure website it is safe to use an unsecured wireless connection: the encrypted connection protects the banking session itself, but everything else your computer does on that network, and anything it does if the connection ever falls back to plain HTTP, is exposed to whoever runs or is listening on that network. It is also unwise to think that if you have no access to your online information no one else will either. And, despite what you think your Internet provider is doing to thwart malware, you still need to use an anti-malware application on your computer.

You are better off on your home computer where you have more control over the security of your personal network, computer, and Internet use; provided you are using a firewall, anti-malware protection, secure websites for transactions, strong passwords, and you are managing all of these things.

My personal feeling is that any time I can create an online account with a service, company, agency, financial institution, school, medical office, etc. that already has stored my information I am going to do it. I want to know what they know about me, and even if I can only have a teeny weenie bit of control it is a big peace of mind. I want to be able to monitor the information that is out there about me, even if I am unable to change any of it.

Consider this: your information is already out there, sitting on a server somewhere, with any number of entities who have "sworn" to protect it. Your information is potentially obtainable by undesirables whether or not you choose to have access to it. Covering your ears, closing your eyes, and screaming, "Lalalalalalalalallalalalala" doesn't change that fact.

Wednesday, September 12, 2012

Ask Me Some Questions and I'll Tell You Some Lies

Would you believe me if I told you that using technology today is about as easy as striking a match to start a fire? And, would you believe me if I told you that technology and fire could be equally difficult to manage if you weren't taking proper safety precautions? Technology is not unlike lighting a match to start a fire. With technology there is a disparity between ease of use and taking appropriate security measures. People tend to choose ease of use over being careful. So, providers of services have to find a balance between making it easy to use and protecting the end user. One of the ways they attempt to do this is through asking a series of security questions which must be correctly answered in order to prove you are who you say you are.

Security questions, loosely applied, have long been used to protect medical and financial information when making in person or telephone inquiries. Being asked a specific question, and then providing the correct answer, allowed you access to the information you sought when your identity could not otherwise be confirmed. Online accounts continue to use the same methodology in trying to confirm a user's identity. If you get locked out of an account and correctly provide the answers to your security questions you will be granted access.

Since the early days of security questions, up until about a year or so ago, one of the most common questions was, "What is your mother's maiden name?" The problem with using only one question, and worse this particular question, is that every account that needed to be secured would have the same question and answer, an answer not difficult for the average person to discover with a small amount of legwork. If used in a nefarious way to access one account it could just as easily be used to access any other. Bad people can pretend to be you and claim they were locked out of your account, and armed with some basic knowledge of you they can be granted access relatively easily.

Secure websites have been attempting to increase security through the use of multiple security questions. Many online accounts now require that you setup three security questions. Some typical questions include:

What was the first car you owned?
What is your favorite car you drove?
What was the worst car you ever drove?
What was the name of your first grade teacher?
What is the first name of your oldest sibling?
What is the name of the first company you worked for?
In which city were you born?

The flaw in security questions is that they offer only a modicum of security, because the questions revolve around personal facts that are common knowledge or can be discovered from public records and social networking profiles. Questions are designed so that the answers we provide would be easy for us to remember. And, because it is natural to make things easy to remember we stick to what we know. And, because we stick to what we know we answer these kinds of questions honestly.

Maybe your moral backbone prevents you from lying but, I assure you, there is no better time to lie than when it comes to creating answers to your security questions. Lying really is the best policy. Falsifying answers makes it harder for other people to guess or otherwise discover them. Remember that a correct answer resets or bypasses your password, so treat each answer as a second password: make it random, make it different for every account, and never reuse one. You can use the same security questions for multiple accounts but randomize the answers for each, so that if one account is compromised through its answers it impacts only that one account. The best way to retain your questions and answers is a password manager. Most people seldom need to retrieve this information, so it only makes sense to store it someplace secure.

Since the answers to the questions should be nonsense I suggest that the questions should be nonsense too so that everyone is forced to use a nonsensical answer. How about something like:

Question: If the four sides of an isosceles triangle are not square but circular what is the angle of the left side?

Answer: 15 gallons
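As an added example, not part of the original post, here is a small Python script that does what the advice above describes: it generates a separate random answer for every account and question pair, so nothing is shared between sites, and reports how many bits of guessing resistance each answer has. The word list, the account names, and the question text are constructed for the demonstration; word answers are for sites that may ask the question over the phone, where "15 gallons" works better than a string of symbols, while character answers suit sites where the answer is only ever typed. The answers would then be pasted into your password manager's notes for that account.

```python
import math
import secrets
import string

# Constructed 32-word list, deliberately small so the numbers are easy to follow.
# A full diceware-style list of 7,776 words gives about 12.9 bits per word,
# so five words from it would be roughly 64 bits; five from this list give 25.
WORDS = [
    "anchor", "basket", "cactus", "dragon", "engine", "falcon", "garden", "hammer",
    "island", "jacket", "kettle", "lantern", "magnet", "needle", "orange", "pepper",
    "quartz", "rocket", "saddle", "timber", "umbrella", "velvet", "walnut", "xylophone",
    "yogurt", "zipper", "copper", "meadow", "pillow", "silver", "tunnel", "window",
]
CHARS = string.ascii_letters + string.digits


def word_answer(n_words: int = 5, wordlist=WORDS):
    """Random words: strong enough to resist guessing, yet easy to read aloud to a
    support agent who asks the question over the phone. Returns (answer, bits)."""
    answer = " ".join(secrets.choice(wordlist) for _ in range(n_words))
    return answer, n_words * math.log2(len(wordlist))


def char_answer(length: int = 16):
    """Random letters and digits for sites where the answer is only ever typed."""
    answer = "".join(secrets.choice(CHARS) for _ in range(length))
    return answer, length * math.log2(len(CHARS))


def fill_answers(accounts, questions, make=word_answer):
    """One independent answer per (account, question). Because nothing is shared,
    a leak of one site's answers tells an attacker nothing about the others."""
    return {(account, question): make()[0] for account in accounts for question in questions}


if __name__ == "__main__":
    # Constructed account and question names; they stand in for your own.
    table = fill_answers(["bank", "webmail"], ["What was the first car you owned?"])
    for (account, question), answer in table.items():
        print(f"{account:8} {question} -> {answer}")
    print("bits per 5-word answer from this list:", word_answer()[1])
    print("bits per 16-character answer:", round(char_answer()[1], 1))
```

The bits figure is what matters when comparing this with an honest answer: the set of plausible first cars or maiden names an attacker has to try is tiny next to 2^25, let alone 2^95.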

Thursday, March 15, 2012

Know the Code: Paper Malware

Say hello to the new barcode on the block. A QR code (Quick Response code) stores data much like a barcode, but it can hold far more of it. QR codes look a little like a Rorschach test; those ink blots that you stare at while telling a guy in a white lab coat what you think it looks like, then he nods and says something like, "Ah, mmm hmm, yes very interesting, interesting indeed." QR codes are square blocks of black ink (seemingly placed in a random pattern on the page) that you are more and more likely to encounter on movie posters, in magazines, on the packaging of products you buy, etc.

Truth be told, QR codes aren't really that new; they were created in the mid 1990s for tracking parts in the automobile industry. The standard continues to evolve. Higher versions use a larger grid of smaller blocks, so a code of the same printed size holds more data. At the highest error correction level, QR code version 40 (a 177 by 177 grid) can hold 1,852 alphanumeric characters; version 4 (33 by 33) holds only 50. At lower error correction levels the capacity is higher still.

These codes have been adopted in the mainstream because of the versatility they offer over traditional barcodes. The proliferation of smartphones has aided the increased use of QR codes. Every smartphone with a camera instantly becomes a code reader (with an app that can scan these types of codes). Manufacturers include QR codes with their products as a way to tell a customer more about those products, or about additional services the company provides. In years past the industry would advertise their web address with the hope that it would entice potential customers to visit their site. A company would have to bet on the consumer remembering the address, then later entering it into a web browser on their computer. But, once the initial interest wore off, few people would bother to do this. A QR code and smartphone app together make this process seamless. Simply scanning the barcode can automatically launch your web browser and load the website programmed into the code.

I purposely put the words "paper malware" in the subject of this post to get your attention. As with all things technology, you can't sleep at the switch. There is nothing inherently wrong with scanning QR codes, but you do have to be careful not to let curiosity get the best of you. There is such a thing as a malicious QR code. In September of 2011 the first such malware was reported: a QR code that led Android users to download a trojanized app, which then sent text messages to premium rate numbers. It targeted Android because that platform lets users install apps from any web address, not just the official store, without anyone vouching for the app. In contrast, Apple has a basic vetting process for approving apps for its proprietary iOS, in part to reduce potential malware; this does not mean, however, that iPhone users can't be harmed by malicious QR codes, since a code can just as easily lead to a phishing page as to an app.

Cyber crooks will perpetrate their crimes by placing their own QR code stickers over existing marketing materials. They may also place their paper malware on walls, light posts, or other public places. These criminals are betting on social engineering to get you to scan their codes. The important point is that a QR code is only data; the harm comes from what your reader app does with that data. A code can hold a website address, a phone number to dial, a text message to send, a contact card, or Wi-Fi network details, and a reader app that acts on these automatically lets the code's author choose the action. The curious and unsuspecting consumer scans a code and lands on a page serving malware or imitating a login screen, and before they realize what happened their device has been compromised and personal data has been stolen. Malicious QR codes can:
  1. Steal your credit card information if you use your smartphone to shop online
  2. Con you into downloading apps containing malware
  3. Send expensive SMS text messages to premium phone numbers effectively running up the charges on your cell phone bill
  4. Ask you to provide your passwords for your email, online banking account, or social networking sites
  5. Steal information from the contact list on your phone
You can take steps to protect yourself from QR code attacks. The most obvious one would be never to scan them, but if you do want to scan QR codes, and only when you have a genuine interest in the product or service beyond a passing fancy, then follow these basic tips:
  1. Look for codes that are printed directly on the packaging of the product of interest
  2. Scan codes only from trustworthy sources
  3. Avoid codes that are printed on stickers
  4. Avoid those that have no explanation or description accompanying the code
  5. Use a QR code scanner app that shows you the decoded content and asks before acting on it, so you can see whether the address matches the product or service it purports to be, and whether the code would dial a number or send a message rather than open a page.
  6. Keep your smartphone firmware and apps up to date, since updates often include security patches.
  7. Avoid entering a username and password for any personal accounts if prompted by a QR code
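Tip 5 is the one a reader app can help with, so here is an added example (my own code, not from any scanner app or from the original post) of the check a preview feature should perform on the decoded text before anything is opened. It recognizes the content types a QR code commonly carries, sorts them by what a phone would do with them, and flags the risky cases: plain HTTP, public URL shorteners, punycode hostnames, raw IP addresses, direct links to installable programs, premium style SMS short codes, and Wi-Fi join payloads. The sample payloads are constructed for the demonstration and do not come from any real QR code; the shortener list is a handful of well known services, not an exhaustive one.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Well known public URL shorteners; a shortened link hides where you are really going.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}
# File types that a phone or computer would install or execute.
INSTALLABLE = (".apk", ".ipa", ".exe", ".msi", ".dmg", ".jar")


def classify_qr_payload(payload: str) -> dict:
    """Decide what a reader app would do with the decoded text and flag the risky cases.
    Returns {"kind": ..., "target": ..., "warnings": [...]}."""
    text = payload.strip()
    upper = text.upper()
    result = {"kind": "text", "target": text, "warnings": []}
    warn = result["warnings"].append

    if upper.startswith(("HTTP://", "HTTPS://")):
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
        result.update(kind="url", target=text)
        if parts.scheme.lower() == "http":
            warn("plain HTTP: the page can be altered in transit")
        if host in SHORTENERS:
            warn("URL shortener hides the real destination")
        if host.startswith("xn--") or ".xn--" in host:
            warn("punycode hostname may imitate a familiar domain")
        try:
            ipaddress.ip_address(host)
            warn("raw IP address instead of a domain name")
        except ValueError:
            pass  # a normal hostname, which is what we expect
        if parts.path.lower().endswith(INSTALLABLE):
            warn("links directly to an installable program")
    elif upper.startswith("TEL:"):
        result.update(kind="phone", target=text[4:])
        warn("dials a number: compare it with the company's published number")
    elif upper.startswith(("SMS:", "SMSTO:")):
        body = text.split(":", 1)[1]          # "<recipient>[:<message>]"
        recipient = body.split(":", 1)[0]
        result.update(kind="sms", target=recipient)
        if re.fullmatch(r"\d{3,6}", recipient):
            warn("short code recipient: may be a premium rate SMS service")
    elif upper.startswith("WIFI:"):
        result.update(kind="wifi", target=text)
        warn("joins a Wi-Fi network controlled by whoever printed the code")
    elif upper.startswith(("MECARD:", "BEGIN:VCARD")):
        result.update(kind="contact", target=text)
        warn("adds a contact: a later call or message from it will look familiar")
    return result


# Constructed payloads for the demonstration; none comes from a real QR code.
SAMPLES = [
    "https://www.example.com/product/123",
    "http://example.com/update/app.apk",
    "http://bit.ly/3xmpl",
    "https://xn--pple-43d.com/login",
    "http://192.0.2.10/login",
    "tel:+1-900-555-0199",
    "SMSTO:12345:GO",
    "WIFI:T:WPA;S:FreeCoffee;P:hunter2;;",
    "Thanks for visiting our booth!",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        report = classify_qr_payload(sample)
        flag = "WARN" if report["warnings"] else "ok  "
        print(flag, report["kind"], report["target"], *report["warnings"], sep=" | ")
```

A clean result from this check is not proof that a code is safe; it only means the obvious tricks are absent. The decision to open the link still belongs to you, which is why a scanner that asks first is worth more than one that is merely fast.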
QR codes are just another example of something that starts with the best of technological intentions but, can be easily corrupted by those who choose to commit crimes. So, while you ready your smartphone to scan a QR code, reflect back on this post.

Wednesday, February 22, 2012

Get the Message: Email Etiquette

I feel compelled to talk about email etiquette simply because I abhor unclear, suspicious, and unwanted messages. I imagine, as with so many other societal bad habits, that it has taken some time before enough people were annoyed with sloppy email messages to finally come up with proper etiquette. Email, as we know it today, has essentially been around since the birth of the Internet, and yet so few people have a sense of good email manners, or practice good habits. The point of sending someone email is to have it read. There are many guidelines for professionals, but this post is for the everyday home user. So, if you want your message read follow these basic guidelines.

Know Your Audience: Ask yourself a few basic questions before sending your message. Who is my target audience? Is this being sent to friends, family, or business professionals? Will any of the people I intend to send this to find this offensive, annoying, or meaningless? Is this the kind of message I would want people to send to me? In other words, don't send messages with reckless abandon.

Addresses: Respect the privacy of others when sending email to a number of people who are likely not to know each other. It goes a long way in ensuring that your contacts don't have their email addresses bandied about because you didn't know better. Enter your own email address in the "To:" field, and put everyone else's in the "BCC:" field. BCC refers to "blind carbon copy". It allows you to send people the message without any other recipient knowing who else got it. Remember carbon paper? My first job required me to use carbon paper on a typewriter. Yes, I predated computers in the workforce, but not by so much that I couldn't change my little part of the work world with technology, but I digress.

Subject Lines: Use subject lines that are short but define the message's purpose and content. Don't type the main message text in the subject line, or even part of it for that matter. Messages sent this way can end up flagged as spam, and they look sloppy and careless. If the subject line looks like a toddler with broken fingers wrote it, chances are it may not make it to your recipient's inbox. As an aside, I'll talk about how spam filters work in a future post.

Composition: Leave the chat speak out of messages unless there is purposeful intent as to how it relates to the subject matter of the message. DO NOT TYPE YOUR MESSAGE IN ALL CAPS! Doing so is the equivalent of shouting at someone. And, if you type in all caps by mistake then fix it before you send the message. Don’t be so lazy that you find it easier to offer an apology rather than retype it. Grammar rules still apply, so unless you enjoy sounding uneducated, do your best to include proper punctuation. Proper punctuation helps keep your meaning clear. That is why it was invented. Modern communication dictates that we get to the point sooner rather than later. Concise messages that convey their point are more likely to be read, and properly understood, than those that ramble with incoherent, or run-on sentences. This is particularly important if you are composing email for business purposes. Keep emoticons to a minimum. If you need to add emoticons to help convey the spirit of the message then you need to revise it, and again use proper punctuation, so that your meaning is clear without having to draw a picture. Re-read your message for clarity. If it made sense to you when you wrote it, that may not be the case the second time you read it. And, never click the send button after composing a heated reply until you have had a chance to calm down and regain your composure. It may be a misunderstanding that could be easily cleared up. It might be easier to speak to the sender in person to clear up any conflict. Messages sent in anger often have a serious and regrettable outcome.

Forwarded Messages: Just because you find a message interesting doesn't mean everyone in your contact list will. Some people really only want to hear from you, via email, when you have something to say about yourself, and not when you send an impersonal message that had been forwarded to you after half the world’s population has already seen it. And, when you can’t stop yourself from hitting the send button, please clean up the content so your audience only gets the meaningful portion of the message. No one likes spending 15 minutes scrolling through the dreck in a message looking for the real content. It is a waste of time, and can result in your recipient losing interest in what you sent them. If the message is important to you then it should be worth your time to tidy it up. One last thing, do not preface the forwarded content by saying, “I don’t normally send these on”. If you don’t normally do it then don’t make this the exception to your rule. Instead, offer a meaningful reason why you think the message will interest your recipient(s).

Chain Mail: One of social engineering’s finest achievements. Chain mail politely berates you as being a bad person by telling you that God will no longer love you, you will have an eternity of bad luck, you will die the pains of a thousand deaths, or you are denying a child recovery from cancer. I’ve seen it so many times, and it never ceases to amaze me who sends this stuff on. Chain mail is a waste of time, breaks the “Know Your Audience” rule, and is a form of spam. Sending chain mail may also violate your Internet Provider’s Terms of Service leading to suspension or termination of your account. So, before you send everyone in your contact list that message that says; “a friend’s, husband’s coworker, found out from her boyfriend who’s a firefighter, that her mother-in-law’s sister’s cousin got a suspicious package in the mail when it was left on the doorstep of the next door neighbor’s half brother’s step father’s second grandfather once removed who lives in Chicago on a block associated with known criminals and do-gooders”, do everyone a favor and look on Snopes.com to see that this is so absurd it can’t be real. Then promptly delete it from your email feeling good about that choice.

Wednesday, January 11, 2012

12 for 12: Tech Resolutions

Start the new year with technology resolutions. These are the kind of resolutions that are certainly realistic, and they don't involve exercising (ok, maybe your brain a little), or losing weight, or any of the other things you'd normally promise yourself you'd do in the new year. I won't delve into how to do these things in this post, but I have in past posts, or will in future posts. So, without further introduction here is my list of twelve tech resolutions you can accomplish in twelve months (not in any particular order):

  1. Tech Devices: Did you get a new tech toy for the holidays? Many devices such as tablets, smartphones, and e-readers require you to have an account, password, and computer that are all tied together. Resolve to set up your own device, or re-set up your device if someone else did it for you using their account information. Learn how to set it up for yourself, use it, and manage it since you'll be the one paying for apps and reading material, keeping the firmware up to date, and managing the device on your computer.

  2. Wireless Router: Resolve to, at the very least, change the admin password for your router's settings to something strong, and absolutely change it if you are still using the factory default. Make sure the wireless encryption is set to WPA2 with a strong passphrase rather than WEP or none at all. Hiding your SSID keeps casual neighbors from seeing your network in their list, but it is not a security measure: anyone with a wireless sniffer still sees it, so don't rely on it in place of encryption.

  3. Passwords: Resolve to change passwords for every account you have so every one of them is different, and I mean very different. Make them strong. Check all your passwords for strength. Passwords once thought to be strong may no longer be. Use a password manager that supports strong encryption. A password manager will help you maintain a secure list of passwords as well as offer a safe place to include software licenses, credit card numbers, and notes you want to keep locked up. Some password managers integrate with your Internet browsers making it easier to login to sites while still maintaining its separate security. Many of them also work with portable devices such as smart phones and tablets.

  4. Secure Browsing: Resolve to update your Internet browsers. The programmers of IE, Chrome, Firefox, and Safari (as well as many of the lesser known browsers) make regular improvements to their browsers to patch vulnerabilities and add functionality. A better built browser means fewer vulnerabilities, and many exploits reach us through vulnerabilities in our web browsers, so it only makes sense to keep these up to date. When conducting a personal transaction on the Internet via email, retail purchases, or banking, be sure that the connection you are using is secure. Anytime a site asks for your credentials, check that the address starts with "https" and that the padlock icon appears in the browser's address bar; click the padlock to confirm the certificate was issued to the site you meant to visit, and if the browser warns that the certificate is invalid, stop rather than clicking through.

  5. Email: Resolve to think before you click. Don't open spam messages, don't click on links in spam messages, and don't load images in email messages by default. Images can contain a pixel that could alert a spammer that your account really does exist, thus leading to more spam. Don't forward chain email messages. Chain mail is a form of spam and considered a nuisance.  You know the ones I am talking about: "reply to this message to the person who sent it to you and ten other people you know..."

  6. Anti-malware Protection: Resolve to maintain a current subscription to either a paid or free anti-malware/anti-virus application. Don't assume that because your computer came with security software that it is actually doing something. Most people don't realize they bought a computer with a trial version, and that they have to purchase a subscription to keep it up to date. So, install a reputable security suite such as Microsoft Security Essentials, AVG, Kaspersky, Symantec, Eset, Bit Defender, Avast, Vipre, Ad-Aware, or any other legitimate, well reviewed security application. Also, be sure you check the settings within the app to be sure your system has live protection, scans internal and external disks, and is set to regularly download the latest updates.

  7. Firewall: Firewalls block unsolicited connections from the Internet to the computers on your network, which keeps the bad guys from snooping around on your personal network or using your machines as a stepping stone for their crimes. Resolve to set up a firewall if you don't already have one. And, if you do have one, be sure it is turned on. While your Internet provider may be offering you antivirus protection, don't assume it is providing you with firewall protection. The firewall might be built into your modem if it is a combination modem/router, but you still need to turn it on. Use a strong password to protect your firewall from unauthorized changes. If you travel with a laptop and connect to networks other than your own, be sure to use a software firewall to protect against attacks over that shared network. All modern operating systems have a built in firewall; look for it in the control panel or system settings.

  8. System Warnings: Resolve to pay close attention to pop-up warnings from your system tray, or other security messages. Messages appear for a reason. Read them, and ask yourself if changes to the system should be allowed. Know the name of your security software. There is a lot of scareware that looks like real security software, but isn't. It's malware pretending to be your antivirus application alerting you that it can clean an infection it found on your computer. It uses social engineering tactics to get you to click on it, and when you do that's when things get worse.

  9. System Optimization: Resolve to do some housekeeping on your computer. If you think you need a new computer because it is running slow, chances are it just needs a tune up. Often, system resources are being hogged by a plethora of programs running that don't need to be; consider which are the most important ones, and turn off the rest. If your computer is a few years old, and you've never cleared your browser's history, cookies, or cache, it might be time for a fresh start. Periodically defragment your hard drive. If you are a Macintosh user this will happen automatically. If you are a Windows 7 user you can schedule the system to do it for you. If you are a Windows XP user you will need to do this manually. Uninstall applications you don't use, and clear temporary files and other system cache. I like a program called "IceClean" for Mac OS X to help take care of this task. Windows has a built in Disk Cleanup utility that does essentially the same thing as IceClean. Also, Mac users should periodically run a permissions repair on the startup disk to keep the system and apps humming along.

  10. Reboot: Resolve to reboot. If you leave your computer on for days, weeks, even months, at the very least reboot it once in a while. Its good for the system to get a clean start in order to clear memory, and temporary files. Rebooting can resolve odd little problems that seem to crop up from nowhere. Reboot as a periodic maintenance task to keep your system happy.

  11. Backup: Resolve to back up your data, even if you think your data isn't important. It is not a matter of "if", but a matter of "when". Eventually, you will be looking for a picture or document that is now lost, corrupt, or is a version that has saved changes you wish weren't there. A backup will allow you to restore a previous version, or recover a file thought to be gone forever. So, back up to an external hard drive, the cloud, a USB thumb drive, or archive to CD-R. And, back up with regularity: once a week at a minimum, and consider using a program that lets you automate and schedule the backup. Then test it: restore a file or two from the backup now and then, because a backup you have never restored from is only a hope. And keep at least one copy somewhere that is not permanently connected to your computer, so that malware or a mistaken deletion can't take the backup with it.

  12. Electronics Recycling: Resolve to recycle your old electronics. E-waste is one of the fastest growing problems facing the world today, and it is largely ignored by consumers. Many municipalities and states now require the proper disposal and recycling of electronics. Many counties have recycling events where you can drop off your electronics at no charge. Some, for a nominal fee, will collect from your house at a scheduled time.
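For resolution 11, here is an added example (my own script, not from the original post or from any backup product) of the part most backup routines skip: proving that a backup can actually be restored. It writes a dated archive of a folder, keeps only the newest few, then restores the latest archive to a scratch folder and compares the SHA-256 hash of every file with the original. The run_demo() function builds a small constructed folder in a temporary directory so the script runs offline; the folder name, file contents, and date stamps are all made up for the demonstration, and a real schedule would call snapshot() on your documents folder from a weekly task.

```python
import hashlib
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def file_digests(root: Path) -> dict:
    """SHA-256 of every regular file under root, keyed by path relative to root."""
    return {
        str(path.relative_to(root)): hashlib.sha256(path.read_bytes()).hexdigest()
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def snapshot(src: Path, dest: Path, keep: int = 7, stamp: str = None) -> Path:
    """Write src as a dated tar.gz under dest and prune all but the newest `keep` (keep >= 1)."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")   # fixed width, so names sort by date
    archive = dest / f"{src.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    snapshots = sorted(dest.glob(f"{src.name}-*.tar.gz"))
    for old in snapshots[:-keep]:
        old.unlink()
    return archive


def verify_restore(archive: Path, src: Path, scratch: Path) -> bool:
    """Restore the archive into scratch and compare every file's hash with src.
    Extracting an archive we wrote ourselves moments ago is safe; an archive
    from elsewhere should be inspected before extractall is trusted with it."""
    scratch.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(scratch)
    return file_digests(scratch / src.name) == file_digests(src)


def run_demo() -> dict:
    """Constructed data: a tiny 'docs' tree, three dated snapshots with keep=2,
    a restore check, then an edit to prove the check notices differences."""
    tmp = Path(tempfile.mkdtemp())
    try:
        src = tmp / "docs"
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("holiday photo list\n")
        (src / "sub" / "b.txt").write_text("tax notes\n")
        dest = tmp / "backups"
        first = snapshot(src, dest, keep=2, stamp="20120101-000000")
        snapshot(src, dest, keep=2, stamp="20120102-000000")
        latest = snapshot(src, dest, keep=2, stamp="20120103-000000")
        pruned = not first.exists() and len(list(dest.glob("docs-*.tar.gz"))) == 2
        restore_ok = verify_restore(latest, src, tmp / "restore1")
        (src / "a.txt").write_text("edited after the backup\n")
        detects_change = not verify_restore(latest, src, tmp / "restore2")
    finally:
        shutil.rmtree(tmp)
    return {"pruned": pruned, "restore_ok": restore_ok, "detects_change": detects_change}


if __name__ == "__main__":
    print(run_demo())
```

The hash comparison is the whole point: a backup job that reports "success" has only proved it wrote something, while a restore that matches byte for byte proves the copy is worth keeping. Pointing dest at an external drive that is unplugged between runs gives you the offline copy mentioned above.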