Tuesday, May 9, 2017

Are security questions secure?

Many online sites have a mechanism where a user who has forgotten a password can get a new password by answering one or more 'secret' questions.  In some cases these questions may be used as a second authentication factor.

The questions tend to be of the form "what was the name of your first pet," or "what is the name of your first grade teacher."  They are intended to be personal but also easy to remember.

The problem with this is that it may be possible to learn enough about a person using open source intelligence tools to answer these questions correctly.  In 2008, VP Candidate Sarah Palin had her Yahoo e-mail account hacked by a young man who correctly answered security questions about her birth date and where she first met her husband.

Even worse, a researcher at the University of Washington has pointed out that popular surveys encountered on social media could provide enough information to compromise these questions.  For example, consider the currently popular survey in which a person lists 10 concerts, 9 of which they have actually attended.  The game is to figure out which of the 10 they have not attended.

Although this seems harmless, and in most cases is harmless, it is possible to develop a profile of the user's age, culture and interests from these surveys.  The general advice is that "secrets make bad passwords when those secrets can be discovered or guessed."

So what can you do?  In many cases the secret questions are required.  My advice is simple: answer the questions, but lie, and remember the lie.  It helps if you have a basic scenario, such as Star Trek, to use in constructing your lies.  For example, "What was the name of your first pet?"  Answer: "Tribble."  "What was the name of your High School?"  Answer: "Starfleet Academy."

If you have a scenario in mind (Star Trek, Harry Potter, Lord of the Rings, etc.) it will be easier to construct lies that can be remembered.  Just make sure the scenario cannot be easily determined from your online presence.

Sunday, April 16, 2017

Happy Easter! A bit of reminiscing.

I recently came across a number of articles explaining that a second 'great spot' has appeared on the planet Jupiter. We know this because our Juno spacecraft has been orbiting the gas giant and has been looking at the poles for the first time.

The Great Red Spot on Jupiter is an enormous cyclone that lies in the south temporal belt of Jupiter. It has been studied since the development of the telescope.  It changes over time, sometimes completely disappearing but eventually re-emerging.

The new spot, which lies at Jupiter's North pole, has been dubbed the Great Cold Spot, since its temperature is lower than surrounding clouds.

Back in 1968, I had learned programming through a cooperative venture between my high school and Carnegie-Mellon University. Programs were exciting for me and I looked for some way to apply programming to my life-long love of astronomy.

So I wrote a Fortran program to calculate when the Red Spot would cross the meridian of Jupiter, as seen from our perspective. The program would be seeded with data from Sky and Telescope magazine, and did a pretty good job.  My high school teachers were amazed, and they sent me to a weekend science education conference and I presented on my program.

This really has nothing to do with security but it is a fun memory.

Happy Easter to you all!

Friday, March 31, 2017

Cyber-Criminals targeting Anonymous FTP Servers

Last week the FBI issued a warning that cyber-criminals are actively targeting FTP servers used by medical and dental organizations. Their goal is to steal personally identifiable information. The purpose, according to the FBI site, is to ‘intimidate, harass, and blackmail business owners.’

So what is FTP?  It is one of the original protocols of ARPAnet and the early Internet. Its purpose was file transfer. It was developed to allow researchers to transfer data from local, insecure (likely University) computers to secure military computers for computation.  FTP would likely also be used to return results to the local computer for final formatting and publication. This was in the 1970’s and 80’s.

Seriously, there is little reason to run an FTP server today. The World Wide Web can often serve files better.  In the few cases where it is necessary, administrators should ensure that ‘anonymous’ access is not enabled. FTP comes standard with any version of Linux/Unix – but in the vast majority of uses it is not needed.  Admins of networks and systems for health-care providers are advised to check their networks to ensure that anonymous FTP is not enabled.
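Two ways an admin can perform the check recommended above, written here as an added example (not code from the FBI alert or from any FTP vendor): an offline look at a vsftpd.conf for the anonymous_enable directive, and a live attempt of the standard anonymous login against a server you administer. The sample config is constructed, and the host 127.0.0.1 is only a placeholder.

```python
"""Check whether anonymous FTP is enabled: offline (vsftpd.conf) and live."""
import ftplib
from typing import Optional

# Constructed sample vsftpd.conf content (not taken from any real host).
SAMPLE_VSFTPD_CONF = """\
# vsftpd configuration (constructed sample)
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=NO
"""


def vsftpd_anonymous_enabled(conf_text: str) -> bool:
    """Return True if this vsftpd config leaves anonymous logins on.

    vsftpd's documented default for anonymous_enable is YES, so a config that
    never mentions the directive is reported as enabled.  Assumptions: the
    last occurrence of a directive wins, and whitespace around '=' is ignored
    (vsftpd itself is stricter about spacing)."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, val = line.split("=", 1)
        if key.strip() == "anonymous_enable":
            value = val.strip().upper()
    return value is None or value == "YES"


def anonymous_login_allowed(host: str, port: int = 21,
                            timeout: float = 5.0) -> Optional[bool]:
    """Attempt ftplib's default anonymous login (user 'anonymous', password
    'anonymous@') against one of your own servers.

    Returns True if the server accepts it, False if the server refuses it,
    and None if the server could not be reached or gave no clear answer."""
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login()          # no credentials given -> anonymous login
            return True
    except ftplib.error_perm:
        return False             # server answered with a 5xx refusal
    except ftplib.all_errors:
        return None              # refused connection, timeout, odd reply


if __name__ == "__main__":
    print("config allows anonymous:", vsftpd_anonymous_enabled(SAMPLE_VSFTPD_CONF))
    # Replace 127.0.0.1 with a host you administer before relying on this.
    print("live anonymous login:", anonymous_login_allowed("127.0.0.1", timeout=2.0))
```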

The typical home user is not likely to use FTP for file sharing when there are better alternatives.  There are, however, home FTP servers – I have used them.  I find BOX, or some cloud-based variant, to be more convenient and safer if you want to, for example, share documents or pictures with family members. Don't forget to encrypt important files just in case.

Still, users may want to ask their doctor or dentist if they have heard about this. Never hurts to ask, and it is their diligence, or lack of it, that we need to worry about.

Monday, March 27, 2017

What you can do about your privacy when it is out of your control.

Unfortunately, the only real control you have over your information and privacy is when it is in your possession. After you have made an online purchase, or even simply navigated to a Web page, information about you is stored on the servers of your ISP and the company or organization with whom you have done business.  Trying to stay entirely off the grid is virtually impossible today, since every bill paid, every phone call made, and even pictures of your automobile license plate will result in digital records tied to you.

Common advice is to only work with reputable online businesses. This sounds good, but how does someone decide which businesses are reputable and which are not?  At some point there may be something like a ‘good housekeeping seal of approval’ that indicates that a company's systems and security measures have been audited and approved.  However, at the current time this is a difficult task.  One might have assumed that Target, TJ Maxx, and Home Depot are reputable businesses.  However, in hindsight all three had vulnerabilities that allowed hackers to compromise customer information.

In reality, the only protection you have once your information is out of your control is from laws and regulations.  As examples, HIPAA grants legal protection to healthcare records and FERPA grants legal protection to educational records.  But aside from a few laws governing special situations, there are no laws defining a level of due diligence for companies to protect customer data.

In fact, the situation seems to be evolving in a way that will actually lessen customer privacy controls. Just last week the US Senate voted to remove protections that would prevent ISPs from sharing your information.  This opens the door for ISPs to share your browsing history, and possibly intercept, and modify, your communications (such as inserting ads or tracking cookies).

So what can you do?  If your privacy is important to you, you should contact your State and Federal representatives.  In the case of Federal representatives, let them know that your privacy is important and demand that they strengthen, not weaken, privacy laws.  In the case of state representatives, let them know how important privacy is to you and urge them to pass state laws requiring compliance with stated rules of due diligence. Some states, such as Illinois, are already considering such laws. Your voice may be heard louder at the state level than at the Federal level.  However, pressure needs to be applied in both places.

Please understand that privacy means different things to companies than it does to individuals. To a company, privacy means that it has the right to decide how information assets (customer information) are used.  To the individual, it means the right to control who has access to their information.  Because of these two views, the interests of the company will be at odds with the interests of the individual.  Only by having strongly-defined rules of due diligence under law will we be able to assure consumers that their information will be protected.  This allows for company ‘good faith’ use but also provides standard controls for what is now still a ‘wild west’ environment.

Wednesday, March 22, 2017

Slide set for tonight's session

I know many people who cannot attend tonight's presentation on practical tips for protecting your data and privacy in cyberspace.  So, here is a link to the slide set in PDF form.  I will be updating the presentation soon and will post updated slides when I do. Be safe!


I am also happy to give this presentation to schools or civic groups.  No pay necessary but it would be great if you can cover my travel expenses.

Sunday, March 19, 2017

Protecting your Privacy Online - talk on Weds March 22

About passwords and 2FA

If you are like most users, you have a dozen or more userids and passwords on various services such as Google, Facebook, Yahoo, etc.  It gets pretty complicated remembering all of these. So what is the security-savvy user to do?

What you DO NOT want to do is use the same set of userid/password credentials for multiple systems!  The reason for this is simple: if your credentials are stolen from one system, the hackers will try them on other systems, such as social network sites or bank sites.

According to a recent article in The Hacker News, over 1 million sets of Yahoo and Google credentials are available on the dark Web. Information gleaned from these sites can then be used in various ways, such as creating spear phishing attacks.

One of the best methods for protection is 2FA, or Two-Factor Authentication. This requires a second method of authentication, such as a code sent by SMS to a cell phone. Some services, such as Google, provide for 2FA as an option.

Another popular approach is to use a password manager program.  These programs are like an encrypted database.  Here is a link to an article about the best password managers of 2017.

Yet another simple approach is to write them into a notebook and carry that with you. Or create a text file with the various credentials, print one or two copies to keep in safe places, then encrypt the file using Zip or some other method and store it in the cloud.  If you lose the paper copies or want to make a change you can retrieve the encrypted file from the cloud and edit or print it. Now you only need to remember the decryption key and your cloud credentials.

Your choice of password is also very important. Stupid passwords are easy to crack. One very simple exploit is to simply hash the top stupid passwords and compare the results with the giant hashed password file.  You are likely to get at least a few hits.
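The comparison just described, turned around for defensive use: an added example (not from the post or from any product) that audits a constructed, unsalted SHA-256 credential file against a short constructed list of common passwords and reports which accounts would fall to that one-shot comparison. The file format (userid:hexdigest per line) and the password list are assumptions for the example.

```python
"""Flag accounts whose unsalted hash matches a common password."""
import hashlib

# Constructed stand-in for a "top stupid passwords" list.  A real audit would
# load a published breach list (assumption: one password per line).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]

# Constructed sample of a leaked, unsalted SHA-256 credential file, one
# "userid:hexdigest" per line.  None of these are real accounts.
SAMPLE_HASH_FILE = "\n".join(
    f"{user}:{hashlib.sha256(pw.encode()).hexdigest()}"
    for user, pw in [
        ("alice", "password"),
        ("bob", "I love hash browns with ice cream"),
        ("carol", "qwerty"),
        ("dave", "correct horse battery staple"),
    ]
)


def build_lookup(common_passwords, algorithm="sha256"):
    """Hash every common password once: digest -> plaintext."""
    return {hashlib.new(algorithm, pw.encode()).hexdigest(): pw
            for pw in common_passwords}


def find_weak_accounts(hash_file_text, common_passwords, algorithm="sha256"):
    """Return {userid: matched common password} for every hit.

    Because the stored hashes are unsalted, the common list is hashed once
    and every account is then checked with a single dictionary lookup; the
    cost does not grow with the number of accounts being checked."""
    lookup = build_lookup(common_passwords, algorithm)
    weak = {}
    for line in hash_file_text.splitlines():
        if ":" not in line:
            continue                      # skip blank or malformed lines
        user, digest = line.strip().split(":", 1)
        match = lookup.get(digest.lower())
        if match is not None:
            weak[user] = match
    return weak


if __name__ == "__main__":
    for user in find_weak_accounts(SAMPLE_HASH_FILE, COMMON_PASSWORDS):
        print(f"{user}: password is on the common-password list, force a reset")
```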

Instead of a password, use a pass phrase. A simple sentence such as "I love hash browns with ice cream" can be extremely hard to crack. So how do you remember the phrase? Take your favorite poem, short story, or song. Employ the lyrics, using the userid as a hint to remind you which lyric or sentence you are using. Avoid extremely popular pieces such as the Bible. You might also employ the approach of changing some characters to others, such as 4 for a, 0 for o, etc. A simple algorithm for this is easy to remember.

To give an example, my home network uses WPA2 PSK for security. I have seen methods for cracking WPA2 PSK, but they rely on having a password of 12 characters or less; otherwise the time involved is too great. So my pass phrase is 27 characters. When I travel I turn the router off, but that is a story for another day!

Friday, March 10, 2017

What are ‘exploit kits’ and why should you fear them?

The Malwarebytes ‘Cybercrime tactics and techniques – 2016 Wrapup’ gives special mention to the rise in the availability, use, and complexity of exploit kits.  Many people have not heard of them so I thought I would make a post.

To understand what an exploit kit is you first need to understand what an exploit is.  There are many vulnerabilities in software. Some are in applications and some are in the operating system. When a cyber-attack is successfully mounted against one of those vulnerabilities, it is said to have been exploited. The attack itself is called an exploit.

In the basic cyber-attack, information is gathered about the servers and other nodes in the network. This is called ‘enumeration.’  Using this information, a database of potential vulnerabilities can be queried. Now the idea is to try exploits on each possible vulnerability, knowing that some may not have been patched.

In the early days of cyberspace, it took a great deal of skill to develop and deliver an exploit.  But like anything else the process has been automated into what is called an ‘exploit kit.’  There are many different exploit kits available for purchase or rental.

Some exploit kits even have user-friendly web-based administrative interfaces, where various options may be turned on or off. The level of skill needed to run many exploit kits is fairly low.  They are a lovely study in usability for cyber-crime.

Exploit kits initially infect networks or home systems through the common channels – e-mail attachment, macro, insecure application, and Web XSS.  These are common vectors for malware, so the same defenses used against malware may be used to protect against exploit kits.

  • Always maintain backups and air-gap them.
  • Keep your OS and apps patched as patches are released. Don’t put it off.
  • Always have good anti-virus, anti-adware and firewall deployed and current.
  • Always use a least-privilege account.
  • Do not open email attachments unless you are absolutely sure what is in them and where they came from.

Here are some good references:

Monday, March 6, 2017

Security news tags on delicious

I have long maintained a delicious.com site where I bookmark various links of interest. My security and IT news tags are public and have been available to my students for years.

Here is the link:


Malwarebytes Report - Ransomware

The Malwarebytes "The Cybercrime Tactics and Techniques Report" describes how ransomware has become, and likely will continue to become, the fastest-growing form of Windows-based malware in the foreseeable future, as cyber-criminals find ways to eliminate the middle-man in their scams.

What is ransomware? Very simply it is malware that encrypts some (or all) of your files, making your computer unusable. You are then given a time frame in which you may pay a fee to get the decryption code for your files. This fee is typically paid in bitcoin currency. Whether you actually do then get a decryption code to recover your files is a crap shoot. You might pay and get nothing.

From reports I read, recovering from ransomware can be a headache or a nightmare. But there are some steps you can take to raise your protection level:

  • Back up your important data files and air-gap the backups. I maintain at least 3 copies of all backups, rotating the drives. I also use open-source software whenever possible. Should the worst happen I can have my system wiped and re-install everything. A pain but not a disaster.
  • Have excellent anti-malware installed and updated frequently. There are many good, and in some cases free, anti-malware programs available.
  • Apply OS patches as they come out - many have to do with closing vulnerabilities.
  • Always use a Least Privilege Account. This is a user account that does NOT have administrative rights. This simple trick will stop 70-80% of all malware.
Here are some other sources:

Malwarebytes Labs: The Cybercrime Tactics and Techniques Report

Malwarebytes Labs just released a report titled "The Cybercrime Tactics and Techniques Report (2016)."  This report describes a number of trends regarding cybercrime and malware.  In my next few posts I will comment on each of these areas.  The whole report may be found at:


Sunday, March 5, 2017

My Security Basics site

I have been maintaining a free web site to educate people about things they should be doing to protect their information and privacy.  I will be continually adding to this site.


So your FB has been hacked - What now?

The first question to ask yourself is how do you know you have been hacked?  One clue would be from people who are already friends asking why you sent a second friend request. Another clue would be if any of your data, such as birthday, has been changed. Finally you may notice new friends who you did not add.

You can check to see if anyone is currently logged into your FB account by going to the arrow in the upper-righthand corner of your FB page and selecting SETTINGS.  Then select Security and finally select 'where you're logged in.'  If you do not recognize any of these you may select END ACTIVITY to temporarily log them out.

Now change your password right away!  Be sure not to re-use other passwords you have used, since that may have been how you were hacked in the first place.  If you do re-use passwords you should go to all accounts with the same password and change each of them to something different.  I know this is a pain, but this is one of the ways hackers turn a single dataset acquisition into many more.

This may be the end of it.  But you can also go to the Facebook help page, click on 'I think my account was hacked' and then click on 'secure it.'  Facebook will transfer you to a page where you may further secure your account.

Why do people do this? There are a number of theories. According to one theory, there could be as many as 67 million fake Facebook accounts.

One possibility is to spy on people or their friends. The DOJ has released a document explaining how to use social media in law enforcement. Hackers may be interested in your open source exposure, possibly to compromise your credit or bank accounts. There is even one report that the NSA mines Facebook data looking for terrorist connections.

Reasons to suspect a friend request may be bogus:

- Account was recently created, person has few friends - none mutual.
- Account has little activity, few pictures
- Profile pictures seem too good to be true (young model for instance).

You might also try a reverse image search to see if they possibly appropriated the image from another person.

Finally, and this goes without saying, limit the amount of personal information you share through Facebook. Better to be safe than sorry.