Tuesday, May 9, 2017

Are security questions secure?

Many online sites have a mechanism where a user who has forgotten a password can get a new password by answering one or more 'secret' questions.  In some cases these questions are also used as a second authentication factor, although strictly speaking they are just a second piece of knowledge, not an independent factor like a phone or a hardware token, and they are usually far easier to guess than the password they are backing up.

The questions tend to be of the form "what was the name of your first pet," or "what is the name of your first grade teacher."  They are intended to be personal but also easy to remember.

The problem with this is that it may be possible to learn enough about a person using open source intelligence tools to answer these questions correctly.  In 2008, VP Candidate Sarah Palin had her Yahoo e-mail account hacked by a young man who correctly answered security questions about her birth date and where she first met her husband.

Even worse, a researcher at the University of Washington has pointed out that popular surveys encountered on social media could provide enough information to compromise these questions.  For example, consider the currently popular survey in which a person lists 10 concerts, 9 of which they have actually attended.  The game is to figure out which of the 10 they have not attended.

Although this seems harmless, and in most cases is harmless, it is possible to develop a profile of the user's age, culture and interests from these surveys, and an answer such as "my first concert" is often the literal answer to a security question.  The general advice is that "secrets make bad passwords when those secrets can be discovered or guessed."

So what can you do?  In many cases the secret questions are required.  My advice is simple: answer the questions, but lie, and remember the lie.  It helps if you have a basic scenario, such as Star Trek, to use in constructing your lies.  For example - "What was the name of your first pet?"  Answer: "Tribble."   "What was the name of your High School?"  Answer: "Starfleet Academy."

If you have a scenario in mind (Star Trek, Harry Potter, Lord of the Rings, etc.) it will be easier to construct lies that can be remembered.  Just make sure the scenario cannot be easily determined from your online presence.  If you use a password manager (see the post on passwords below), record the made-up answers there next to the password for that site; then the answers can be as random as you like and you do not need to remember them at all.

Sunday, April 16, 2017

Happy Easter! A bit of reminiscing.

I recently came across a number of articles explaining that a second 'great spot' has been found on the planet Jupiter. It turned up in infrared observations from ground-based telescopes, at the same time that our Juno spacecraft, orbiting the gas giant, has been giving us our first close look at the poles.

The Great Red Spot on Jupiter is an enormous anticyclonic storm that lies in the planet's South Tropical Zone, at the southern edge of the South Equatorial Belt. It has been studied since the development of the telescope.  It changes over time, sometimes fading almost to invisibility before darkening again.

The new spot, which lies in the upper atmosphere near Jupiter's north pole, has been dubbed the Great Cold Spot, since its temperature is lower than its surroundings.

Back in 1968, I learned programming through a cooperative venture between my high school and Carnegie-Mellon University. Programming was exciting for me and I looked for some way to apply it to my life-long love of astronomy.

So I wrote a Fortran program to calculate when the Red Spot would cross Jupiter's central meridian as seen from Earth. The program was seeded with data from Sky and Telescope magazine, and did a pretty good job.  My high school teachers were amazed and sent me to a weekend science education conference, where I presented my program.

This really has nothing to do with security but it is a fun memory.

Happy Easter to you all!

Friday, March 31, 2017

Cyber-Criminals targeting Anonymous FTP Servers

Last week the FBI issued a warning that cyber-criminals are actively targeting FTP servers running in 'anonymous' mode at medical and dental organizations. Their goal is to steal protected health information and personally identifiable information. The purpose, according to the FBI notice, is to 'intimidate, harass, and blackmail business owners.'

So what is FTP?  It is one of the original protocols of ARPAnet and the early Internet, first specified in 1971; the version still in use dates from 1985. Its purpose was file transfer between the time-sharing machines of that era. It was designed for a network of researchers who trusted each other, so the user name, the password and the files themselves all travel across the network in the clear, where anyone on the path can read them.  'Anonymous' FTP is the convention that lets anyone log in with the user name 'anonymous' and any password (traditionally an e-mail address) to fetch, and sometimes upload, files without having an account at all.  This was in the 1970's and 80's.


Seriously, there is little reason to run an FTP server today. The World Wide Web can usually serve files better, and where a file transfer service really is needed, SFTP (over SSH) or FTPS (FTP over TLS) protects both the credentials and the data in transit.  In the few cases where plain FTP is necessary, administrators should ensure that 'anonymous' access is not enabled and that the accounts which can log in see only the directories they need.  An FTP client comes standard with any version of Linux/Unix, and a server package is a single install away, but in the vast majority of uses neither is needed.  Admins of networks and systems for health-care providers are advised to check their networks, including for servers nobody remembers installing, to ensure that anonymous FTP is not enabled.
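Here is an added example of that check (my code for this post, not part of the FBI notice or of any FTP package): a small Python script that tries the anonymous login against each host you name, the same probe an attacker's scanner makes first, and reports which hosts accept it. It uses only the standard library. The hosts are assumed to come from the command line, and port 21 with a 5-second timeout are assumed defaults.

```python
"""Check hosts for anonymous FTP access.

Added example for this post, not the author's code. Uses only the Python
standard library; the hosts are assumed to come from the command line, and
port 21 with a 5-second timeout are assumed defaults.
"""
import sys
from ftplib import FTP, error_perm, all_errors

ANONYMOUS = "anonymous"      # anonymous login accepted: this is what the FBI warned about
CLOSED = "closed"            # server answered but rejected the anonymous login
UNREACHABLE = "unreachable"  # nothing listening, refused, or timed out
ERROR = "error"              # protocol-level failure after connecting


def check_anonymous_ftp(host, port=21, timeout=5.0, ftp_factory=FTP):
    """Return (status, detail) for one host.

    ftplib's login() with no arguments sends USER anonymous / PASS anonymous@,
    which is exactly the first thing an attacker's scanner tries. The FTP class
    is injectable so the logic can be exercised against a fake server offline.
    """
    ftp = ftp_factory()
    try:
        ftp.connect(host, port, timeout)
        ftp.login()
    except error_perm as exc:        # e.g. "530 Login incorrect."
        return CLOSED, str(exc)
    except OSError as exc:           # refused, timed out, no route, DNS failure
        return UNREACHABLE, str(exc)
    except all_errors as exc:        # unexpected replies, EOF during banner, ...
        return ERROR, str(exc)

    # Logged in anonymously. Record what is visible, but a listing failure
    # (some servers answer 550 for an empty directory) does not make the host
    # any less open.
    try:
        names = ftp.nlst()
    except all_errors:
        names = []
    try:
        ftp.quit()
    except all_errors:
        pass
    return ANONYMOUS, "%d entries readable, e.g. %s" % (len(names), names[:3])


def scan(hosts, **kwargs):
    """Check every host; returns {host: (status, detail)}."""
    return {host: check_anonymous_ftp(host, **kwargs) for host in hosts}


def exposed_hosts(results):
    """Hosts that accepted the anonymous login, sorted for stable reporting."""
    return sorted(host for host, (status, _) in results.items() if status == ANONYMOUS)


if __name__ == "__main__":
    targets = sys.argv[1:] or ["127.0.0.1"]   # assumption: probe localhost if no hosts given
    results = scan(targets)
    for host, (status, detail) in results.items():
        print("%-24s %-12s %s" % (host, status, detail))
    sys.exit(1 if exposed_hosts(results) else 0)
```

Run it as "python3 check_anon_ftp.py host1 host2 ..." against your own hosts; it exits non-zero if any of them accepts the anonymous login. On a server you control, the fix depends on the software; for vsftpd (an assumption about what is installed) it is the line 'anonymous_enable=NO' in /etc/vsftpd.conf. Remember that even with anonymous access off, plain FTP still sends every real user name and password across the network in the clear.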


The typical home user is not likely to use FTP for file sharing when there are better alternatives.  There are, however, home FTP servers – I have used them.  I find BOX, or some cloud-based variant, to be more convenient and safer if you want to, for example, share documents or pictures with family members. Don't forget to encrypt important files just in case.

Still, users may want to ask their doctor or dentist if they have heard about this. Never hurts to ask, and it is their diligence, or lack of it, that we need to worry about.

Monday, March 27, 2017

What you can do about your privacy when it is out of your control.


Unfortunately, the only real control you have over your information and privacy is while it is in your possession. After you have made an online purchase, or even simply navigated to a Web page, information about you is stored on the servers of your ISP and of the company or organization with whom you have done business.  Trying to stay entirely off the grid is virtually impossible today, since every bill paid, every phone call made, and even pictures of your automobile license plate will result in digital records tied to you.

Common advice is to only work with reputable online businesses. This sounds good, but how does someone decide which businesses are reputable and which are not?  At some point there may be something like a 'Good Housekeeping seal of approval' indicating that a company's systems and security measures have been audited and approved.  At the current time, however, that is a difficult judgment to make.  One might have assumed that Target, TJ Maxx, and Home Depot are reputable businesses.  In hindsight, all three had vulnerabilities that allowed hackers to compromise customer information.

In reality, the only protection you have once your information is out of your control is from laws and regulations.  As examples, HIPAA grants legal protection to healthcare records and FERPA grants legal protection to educational records.  But aside from a few laws governing special situations, there are no laws defining a level of due diligence for companies to protect customer data.

In fact, the situation seems to be evolving in a way that will actually lessen customer privacy controls. Just last week the US Senate voted to remove protections that would prevent ISPs from sharing your information.  This opens the door for ISPs to share your browsing history, and possibly intercept, and modify, your communications (such as inserting ads or tracking cookies).

So what can you do?  If your privacy is important to you, you should contact your State and Federal representatives.  In the case of Federal representatives, let them know that your privacy is important and demand that they strengthen, not weaken, privacy laws.  In the case of state representatives, let them know how important privacy is to you and urge them to pass state laws requiring compliance with stated rules of due diligence. Some states, such as Illinois, are already considering such laws. Your voice may be heard louder at the state level than at the Federal level.  However pressure needs to be applied in both places.

Please understand that privacy means different things to companies than it does to individuals. To a company, privacy means that it has the right to decide how information assets (customer information) are used.  To the individual, it means the right to control who has access to their information.  Because of these two views, the interests of the company will be at odds with the interests of the individual.  Only by having strongly-defined rules of due diligence under law will we be able to assure consumers that their information will be protected.  This allows for company 'good faith' use but also provides standard controls for what is still a 'wild west' environment.

Wednesday, March 22, 2017

Slide set for tonight's session

I know many people who cannot attend tonight's presentation on practical tips for protecting your data and privacy in cyberspace.  So, here is a link to the slide set in PDF form.  I will be updating the presentation soon and will post updated slides when I do. Be safe!

http://personal.psu.edu/gms/privacy/Privacy%20Online.pdf

I am also happy to give this presentation to schools or civic groups.  No pay necessary but it would be great if you can cover my travel expenses.

Sunday, March 19, 2017

Protecting your Privacy Online - talk on Weds March 22


About passwords and 2FA

If you are like most users, you have a dozen or more userids and passwords on various services such as Google, Facebook, Yahoo, etc.  It gets pretty complicated remembering all of these. So what is the security-savvy user to do?

What you DO NOT want to do is use the same userid/password credentials for multiple systems!  The reason is simple: if your credentials are stolen from one system the hackers will try them on other systems, such as social network sites or bank sites.  This is called credential stuffing, and it is automated, so a leaked pair gets tried against a great many other sites with no extra effort on the attacker's part.

According to a recent article in The Hacker News, over 1 million sets of Yahoo and Google credentials are available on the dark Web. Information gleaned from these dumps can then be used in various ways, such as crafting spear phishing attacks.

One of the best methods for protection is 2FA, or Two-Factor Authentication. This requires a second method of authentication, such as a one-time code sent by SMS to a cell phone or generated by an authenticator app. Some services, such as Google, provide 2FA as an option. SMS codes are the weakest form, since a phone number can be hijacked by talking the carrier into moving it to a new SIM; an authenticator app or a hardware key is better, but even SMS is a large improvement over a password alone.

Another popular approach is to use a password manager program.  These programs keep all of your credentials in an encrypted database that is unlocked with a single master pass phrase, and they will generate a long random password for each site so that no two are alike.  Here is a link to an article about the best password managers of 2017.

Yet another simple approach is to write them into a notebook and carry that with you. Or create a text file with the various credentials, print one or two copies to keep in safe places, then encrypt the file and store it in the cloud.  If you use Zip for the encryption, pick the AES-256 option; the original Zip encryption (ZipCrypto) is broken and can be recovered with freely available tools.  If you lose the paper copies or want to make a change you can retrieve the encrypted file from the cloud and edit or print it. Now you only need to remember the decryption pass phrase and your cloud credentials, and that decryption pass phrase had better be a strong one, since it now protects everything else.

Your choice of password is also very important. Weak passwords are easy to crack. Sites do not (or should not) store the password itself but a hash of it, and when a hash file is stolen one very simple attack is to hash the top few thousand common passwords and compare the results with the giant stolen hash file.  You are likely to get at least a few hits, and if the site did not salt its hashes, every hit cracks every account that used that password at once.

Instead of a password, use a pass phrase. A simple sentence such as "I love hash browns with ice cream" can be extremely hard to crack. So how do you remember the phrase? Take your favorite poem, short story, or song. Use a line from it, and let the userid remind you which line you are using. Avoid extremely popular pieces such as the Bible. You might also change some characters to others, such as 4 for a, 0 for o, etc.; a simple rule for this is easy to remember. Be aware, though, that cracking tools apply exactly these substitutions automatically, so they add very little to a single word; the strength comes from the length of the phrase and the number of words in it, not from the symbol swaps.
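To make the two preceding points concrete, here is an added example (my code for this post, not taken from any article or tool) that runs the "hash the common passwords and compare" attack against a small constructed hash file, with the character-swap rules from the paragraph above applied the way a cracker applies them, and then repeats it against a salted copy of the same file. All users, passwords, salts and the wordlist are constructed for the example; no real breach data is used.

```python
"""Why common passwords fall to a stolen hash file.

Added example for this post, not the author's code. The 'stolen' hash file,
the users and the wordlist are all constructed here; nothing is taken from a
real breach. Unsalted SHA-1 is used because many historical dumps were
exactly that (unsalted MD5 or SHA-1).
"""
import hashlib

# Constructed top-N list, the kind every cracking tool ships with.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football", "iloveyou"]

# The character swaps the post suggests. Crackers apply these as rules, so
# they add only a handful of guesses per word, not real entropy.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def mangle(word):
    """Yield a word and its cheap variants: capitalised, leet-swapped, common suffixes."""
    leet = "".join(LEET.get(c, c) for c in word)
    bases = sorted({word, word.capitalize(), leet, leet.capitalize()})
    for base in bases:
        yield base
        for suffix in ("1", "!", "123", "2017"):
            yield base + suffix


def candidates(wordlist):
    for word in wordlist:
        yield from mangle(word)


def crack_unsalted(hash_dump, wordlist):
    """hash_dump: {user: hex_sha1}. Returns ({user: password}, hashes_computed).

    With no salt, one hash per candidate is compared against every account at
    once, so the cost does not grow with the number of accounts in the dump.
    """
    users_by_hash = {}
    for user, digest in hash_dump.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked, computed = {}, 0
    for candidate in candidates(wordlist):
        computed += 1
        for user in users_by_hash.get(sha1_hex(candidate), ()):
            cracked[user] = candidate
    return cracked, computed


def crack_salted(salted_dump, wordlist):
    """salted_dump: {user: (salt, hex_sha1(salt + password))}.

    A per-user salt forces the attacker to redo the whole wordlist for every
    account, and it makes precomputed tables of common-password hashes useless.
    """
    cracked, computed = {}, 0
    for user, (salt, digest) in salted_dump.items():
        for candidate in candidates(wordlist):
            computed += 1
            if sha1_hex(salt + candidate) == digest:
                cracked[user] = candidate
                break
    return cracked, computed


# Constructed 'stolen' files. dave used the post's passphrase.
PLAINTEXTS = {
    "alice": "password",
    "bob": "P4$$w0rd",                            # leet-speak of a dictionary word
    "carol": "letmein2017",                       # dictionary word plus the year
    "dave": "I love hash browns with ice cream",  # the post's example passphrase
}
UNSALTED_DUMP = {u: sha1_hex(p) for u, p in PLAINTEXTS.items()}
SALTS = {"alice": "x7Qp", "bob": "9LmZ", "carol": "Ae3t", "dave": "Kq0w"}
SALTED_DUMP = {u: (SALTS[u], sha1_hex(SALTS[u] + p)) for u, p in PLAINTEXTS.items()}

if __name__ == "__main__":
    found, n = crack_unsalted(UNSALTED_DUMP, COMMON_PASSWORDS)
    print("unsalted: %d hashes computed, cracked %s" % (n, found))
    found, n = crack_salted(SALTED_DUMP, COMMON_PASSWORDS)
    print("salted:   %d hashes computed, cracked %s" % (n, found))
```

Three of the four accounts fall in a hundred hash computations, including the "clever" P4$$w0rd; only the pass phrase survives, and it survives because it is not in the wordlist, not because of any symbol trick. Salting does not save a weak password (the same three accounts still fall), but it multiplies the attacker's work by the number of accounts and defeats precomputed tables, which is why a site should salt and, better still, use a deliberately slow hash such as bcrypt or PBKDF2.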

To give an example from my own network: it uses WPA2 PSK for security. I have seen methods for cracking WPA2 PSK, but they rely on having a password of 12 characters or less, otherwise the time involved is too great. So my pass phrase is 27 characters. When I travel I turn the router off, but that is a story for another day!
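An added example (my code for this post, not from any cracking tool) of what "cracking WPA2 PSK" costs an attacker once a handshake has been captured: the passphrase and the SSID are run through PBKDF2 (4,096 rounds of HMAC-SHA1) to produce the key, and every guess has to repeat that derivation before it can be checked against the handshake, all of it offline. What bounds the attack is the number of candidates times that per-guess cost; a long phrase helps because it enlarges the candidate space, and an uncommon SSID helps because the SSID is the salt, so precomputed key tables built for common SSIDs do not apply. The SSID, the passphrases and the one-million-guesses-per-second figure are constructed or assumed for illustration.

```python
"""What a WPA2-PSK cracker actually has to do per guess, and why passphrase
size matters.

Added example for this post, not the author's code. SSID, passphrases and
the guess rates are constructed or assumed for illustration.
"""
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i key derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).

    The SSID is the salt. Once an attacker has captured a 4-way handshake, each
    guess costs this derivation (8,192 HMAC-SHA1 computations) before the
    candidate PMK can be checked against the handshake, all of it offline.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(target_pmk, ssid, wordlist):
    """Offline guess loop. Returns (passphrase or None, guesses made).

    Entries that cannot be WPA2 passphrases (wrong length) are skipped for free.
    """
    guesses = 0
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue
        guesses += 1
        if pmk_from_passphrase(candidate, ssid) == target_pmk:
            return candidate, guesses
    return None, guesses


def measure_guess_rate(ssid, samples=25):
    """PBKDF2 guesses per second on this machine (one core, OpenSSL via hashlib)."""
    start = time.perf_counter()
    for i in range(samples):
        pmk_from_passphrase("benchmark-%08d" % i, ssid)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(search_space, guesses_per_second):
    """Worst-case time to try every candidate in a space at a given rate."""
    return search_space / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    ssid = "HomeNet"                                 # constructed SSID
    secret = "sunset over the quiet lake 1973"       # constructed 31-char passphrase
    pmk = pmk_from_passphrase(secret, ssid)
    print("PMK:", pmk.hex())

    # A tiny constructed wordlist; real ones hold hundreds of millions of entries.
    wordlist = ["password", "letmein1", "12345678", secret]
    print("dictionary attack ->", dictionary_attack(pmk, ssid, wordlist))

    rate = measure_guess_rate(ssid)
    gpu_rate = 1_000_000            # ASSUMED rate for a GPU rig, for scale only
    print("this machine: %.0f guesses/s" % rate)
    for label, space in [("8 lowercase+digits", 36 ** 8),
                         ("5 words from a 7,776-word list", 7776 ** 5)]:
        print("%-32s %.1e candidates, %.2g years here, %.2g years at 1e6/s"
              % (label, space, years_to_exhaust(space, rate),
                 years_to_exhaust(space, gpu_rate)))
```

At the assumed million guesses per second, every 8-character lowercase-and-digit passphrase can be tried in weeks, while five random words from a 7,776-word list take on the order of a million years; the character count of the author's 27-character phrase matters only in so far as it stands for a large space of candidates that no wordlist covers. Note the two things an attacker cannot speed up: the 4,096 PBKDF2 rounds per guess, and the fact that the SSID is baked into the key, so tables computed for "linksys" or "NETGEAR" are useless against a network with its own name.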