Feeds:
Posts
Comments

Posts Tagged ‘internet safety’

If you’ve been traveling to Pluto or somewhere recently, and are unaware of the spectacular hack carried out against Mat Honan of Wired Online, see my previous post, which also links to his own description of the whole dismal proceeding.  Read it first, so you have an appreciation for the magnitude of the damage he suffered.  Herein is my analysis and a prescription for how to reduce your chances of being subjected to the same kind of abuse.

First of all, I note that there were no bits involved in this hack — this was not a technical attack, they did not guess any passwords or execute some esoteric  bombardment of his digital assets.  No, this was purely “social engineering,” the hackers put together data they fraudulently obtained from Amazon’s and Apple’s customer service desks to take control of Honan’s Apple customer account and then leverage that to other services.  In short order they controlled every digital asset he had.  But the penetration was not “techie” and so no amount of hard-to-guess passwords or whatever would have helped him avoid it.

A great part of his problem was that the two customer-service desks the hackers contacted had procedures in place that allowed them to ignore the fact that the hackers couldn’t answer the security questions Mat had entered.  They therefore got in with relatively simple, relatively public data  they had figured out or augured out of somebody else.  You can’t fix this, Apple and Amazon (and others) have to, and to an extent they may already have. But still, there are steps you can take to help insulate yourself from their stupid procedures.

And remember, there is always a balance between security and convenience in everything you do, online as well as offline.  The problem is, most people are pretty good at evaluating and deciding how to find this balance offline, but not at all experienced at doing so online.  So, my objective is to help you find that online balance.

THE BASICS, REITERATED

First, back up your data! If it doesn’t exist in three places, you really don’t want it all that badly.  So, it’s on your machine, second, buy a terabyte external drive and copy it there once in a while, and finally subscribe to a secure online backup.  I use Carbonite, $55 per machine per year to do it automatically, but there are others.

Second, use a password-vault system  and let it generate your passwords (at least some of them), I use LastPass but there are others.   In my opinion, LastPass is the best.   If you don’t bother to do these two things, stop reading here, you have a prodigious appetite for risk.

Now I’m going to make some suggestions to help you deal with the two biggest exposures Mat had, how his accounts were linked, and how his email accounts were guessable.

TO AVOID BEING HONANED — ACCOUNT LINKING

This is the biggest convenience – security tradeoff area.  You log onto your gmail account, and lo and behold you can be logged into your calendar.  Or, you log into Facebook, and you are seemingly logged into Instagram, or any number of other services that authenticate (because you told them to “log me in using Facebook, or whatever”) through another application.  Yahoo, Facebook, Twitter, and Google are the largest authentication providers.  Well, when you do this you are linking your logon credentials among those services., so if they have a failure, or if somebody gets your credentials to the host service, they are into all of the ones that are linked.

So then, the obvious solution to this is to not do so much cross-app linking.  Unlikely to happen, linking is waaaay to convenient.  For example, I myself link Foursquare and Instagram to Facebook, so I can cross-post checkins and quickie pictures to my Facebook timeline.  And my Google services are linked, but linked through Google, not Facebook’s ID and password.

So where you link services, be aware of it.  I usually link only within the same “company,” but not always.  Figure out where you’re linked and consider unwinding some of them.  One of the reasons I use LastPass (see above) is that I can offload some of the “I’m here, log me in over there” work to LastPass instead of letting Google et.al. do it — I control LastPass myself, I don’t control Google.

TO AVOID BEING HONANED — EMAIL

All this is fine, except that even the most sophisticated passworded and unlinked-services approach is useless if their customer service desk hands out your credentials even if whoever is trying to get in can’t answer the security questions.  Their password-reset approach almost universally relies on email to send you a temporary password, so if the attackers have hacked / accessed that account, they now own you because they’ll get to set the new password on your account, and you won’t know it.  This is what happened to Mat.

So then, two suggestions.  First, set up an email address that you use for essentially nothing else, to receive any password resets you ever have.  This is the address that you usually give them when you register with the service.   Sign up with somebody’s email service and give your username as “duckspit491” or the like, not “yourname”.   And put a different password on it than any other of your email accounts.

Second, do not use the same ID or address prefix across all the email accounts you happen to have.  Don’t make it yourname@gmail.com andyourname@yahoo.com and yourname@facebook.com.  If you do this, if all the accounts have one prefix, the attackers just try all the other services to see if you’re using that name there too. And of course, don’t use the same password for the lot of them!  I have always done this, and I’m surprised that it’s not obvious to others that this is a good idea, but it’s not.  But now, for you, it IS a good idea, right?   Again, LastPass will manage these passwords for you so logging in won’t be a chore.

FINAL SUGGESTIONS

Just a few additional thoughts; if you do the above you will have already reduced your exposure by quite a bit, but here’s some more good practices:

  • Password your phone – the most likely device to be lost. Most people have their phone apps set for auto-login, so if you lose your phone you have lost 90% of your control right there.
  • Consider Gmail’s 2-factor authentication, which can tie logons to Gmail from only the devices that you personally have or use.
  • Don’t log into things you don’t have to. Google wants you to log into your browser, some other services offer that too.  Don’t.  You don’t get much benefit and they get your data. And of course a hacker will get just that little bit more leverage.

Mat Honan was in one sense extremely lucky — the hackers were out to sow chaos and destruction, not out to rob or swindle him, and indeed they didn’t.  But if that had been their intention, they could really have caused him some losses, and he wouldn’t have known where to even start looking for them.

Advertisements

Read Full Post »

Lets say that you are using all the right techniques for protecting yourself out on the Internet — as outlined in my previous posts (here, and here), including using an ID / password database like LastPass.  But right on your own machine you have sensitive and personal files, perhaps your tax returns, your investment worksheets, private letters, or the details of your opinion of your manager at work.  You don’t want these to be broadcast to the world, or to fall into the wrong hands.  But if they’re on your own computer they’re safe, right?  Wrong, for two reasons:

  • You might lose your laptop — someone might steal it, or you might accidentally abandon it in an airport, a cab, or a cafe.  Your files just became available.  This problem is magnified if you keep these files on a USB drive — a pocket or “thumb” drive — which is easier than a pencil to lose.  Note that an astounding 12,000 laptops are lost in US airports every week, and 2/3rds of them are never recovered.
  • Your computer might ingest some virus, worm, or other malware specimen, that just might be trained to browse around and transmit to who knows who anything interesting it finds in your machine.

So, relying on physical custody of the machine, or relying on it being in your bedroom but still connected to the Internet, is not a winning strategy.  Before you take to filling out your tax forms in longhand, there is a very good solution: store these files in an encrypted vault on your hard drive, a vault that only you have the key for.

There are products out there that get advertised as “secure” and “encrypted by a secret, proprietary method,” and you should stay away from these as they can be broken into quite literally in minutes.  You need to use something that uses the standard encryption approaches that the government uses — AES (the Advanced Encryption Standard), Twofish, or the like.  These will protect your vault — if you choose a strong key — literally centuries after you are dead and gone.

The best of these is a package called TrueCrypt, which I use myself.  And please note that I receive nothing whatsoever from them for this endorsement, I recommend it because I use it and for no other reason.  Plenty of heavy-duty security gurus are TrueCrypt users, so you don’t have to take my word for it.  And it comes for Windows, Mac, and Linux systems.

Here’s what you do.  Go to the TrueCrypt website, download it, and install it.  Then, when you’re ready to create a private vault, decide how many megabytes you want in the vault, and follow their instructions to allocate and create it.  Create a strong password — a really random one — perhaps using LastPass to generate it.  TrueCrypt will format the vault, and thereafter it will behave just like another disk drive on your machine: you can copy to and from it, edit files in it as if they were not encrypted, and so on.  TrueCrypt encrypts and decrypts “on the fly” as you use it, you are never aware that this is anything but a real disk drive.

And this works on a USB drive, too, and you can even encrypt the entire USB space if you want, it’s that flexible.  Each TrueCrypt vault has a password associated with it (they could always be the same, I suppose) and anyone who looks at them will see only a mass of gibberish — no file names, no nothing at all.  The secret is in the password.  Use a package such as PasswordSafe, LastPass, or a website like Steve Gibson’s password generator, to get a nice, long, really high-entropy one that will resist even a focused, brute-force attack.

Just as a sidelight, TrueCrypt can be handled in a way that effectively hides even the existence of the vault in such a way as to provide plausible deniability that there is any encrypted data at all.  They describe this in their documentation here.  Needless to say, dictators and repressive regimes throughout the world are very displeased with TrueCrypt for this reason!

One of the things you have to do when you start to deal with Internet security is to make the assumption that the worst will in fact happen, and take steps for that eventuality.  TrueCrypt should be one of these steps.

Read Full Post »

This adds onto my recent series of posts on personal security on the Internet, with some suggestions on software that can help you secure yourself more completely.  OK, so even if you’re following my suggestions in my last post (here) for a simple password scheme, it can get a little confusing, so here’s a few software products that can help out.  We’ll start out discussing password databases, and then a file-encryption vault in the next post.

Storing passwords.

The problem here is that if you get some malware on your machine, it will snoop around looking for the file you made called “passwords” and send a copy of that file off to it’s master somewhere.  Even if you called this file “Uncle Otis’ Birthday,” most malware is smart enough to just look inside your files and find the neatly-arranged ID / password pairs and presto: you are penetrated.  The way you avoid this is by having this data in an encrypted data store, where only you know the key.  Don’t even think about using Excel and having Excel “encrypt” the data, this is baby-step encryption and it can be brlken in less than 3 seconds by several password crackers on the market.

So what to use?  My most basic suggestion is called PasswordSafe, a free program invented by security maestro Bruce Schneier.  I have used PasswordSafe for several years and it’s a fine product and is supported by bombproof, government-grade encryption.  What it does is keep an encrypted database of ids/passwords (and other stuff, like the idiot “secret questions” and so on that some sites demand).  You open the database with one password, and double-click the appropriate site’s entry.  The password is copied to the clipboard, from whence you paste it into the password field on the website.  PasswordSafe then erases the clipboard.  It has lots of other features including the ability to generate completely random passwords for you if you wish.

PasswordSafe has served me well for several years until I started using LastPass, which I’ll discuss below.  Its very straightforward to use, free, and available here.

I have now started using a different password repository called LastPass, available here.  LastPass does everything PasswordSafe does, but with a while bunch of added features.  Mainly, it interacts through a plug-in with your browser(s), so that when you have it opened and in force, and it arrives at a site where you have an account, it fills the ID and password fields, and can even hit “enter” for you if you want it to.  You don’t have to pull up PasswordSafe’s panel, find the site, double-click it, and paste it in.  LastPass does all that for you, slick as anything.  You can set it to auto-log you in to familiar sites, ask you to review it’s form-fields for some more sensitive sites, and even demand another login to LastPass for some sites, as for instance your bank.

LastPass is cross-platform (Windows, Linux, and Mac) and has plug-ins for essentially all the browsers in common use — IE, FireFox, Safari, and Chrome.  So you are totally covered.  And it has a host of very cool capabilities, for example generating and managing some one-time passwords for use if you’re on public machines, and the ability to use an on-screen, mouse-driven keyboard for entering your LastPass id and password (to foil keyboard-logging software on a public machine), and the ability to work off of a USB drive.  It’s an extremely well thought-out and comprehensive platform and I recommend it highly.

One of it’s other key features is it’s ability to transfer and sync your encrypted database across all the machines you use, so you never have to do this yourself.  And it can do this without the company having access to your passwords at all, they do store it but they don’t have the password, only you do.  If you’re interested in the detailed security features built into all this, I recommend Steve Gibson’s Security Now podcast, specifically this one.

The password to your passwords

Both of these make the assumption that you have one password that is the master, that unlocks the vault for you.  With both products, you need to remember this password at all costs, since if you forget it, they can’t help you — the company doesn’t have it either.  So, write it down in a couple of places (NOT in a file on your computer!) such as in your wallet, or even a copy in your safe-deposit box, or whatever.  Make sure this password 1) is not a word, or a series of words, 2) is not something obvious like your phone number or social-security number, and 3) that you can easily remember.  If you’re stuck about this, you could use the first letter of a phrase that means something to you — but mix in some numbers and capitalize one or two of the letters.

Hope this helps you out!

Read Full Post »

This is part three of a series on the new threat landscape of the Internet, and how you as an average, non-technical user, can navigate it safely.  Part 1 discusses why ordinary people often don’t take even basic precautions: they feel the cost-benefit balance not worth it to them personally, and mainly they’re right.  Part 2 defines overall Internet-based security threats.  Now in this post we’ll deal with an effective, and minimally-invasive, strategy for keeping safe — four simple rules.  OK, if you’re a security geek, you will think these are woefully inadequate, but I believe that if the average person will follow them, their security effort-expenditure will be acceptable and they will be protected from the the most significant exposures.  To the security geeks among us, average people aren’t following the rules and guidelines we’ve been publishing anyway, so if they follow just these, they’ll be much better off.

Preparing To Face the Internet

First, I strongly suggest that you take your machine to someone who will do a “full system backup” for you.  This is not your data files, just the computer’s programs and settings.  If you get a serious malware infection, the only way to get rid of it is to wipe the disk and restore the system, and this will make that faster and easier and get you back in business.  Find a good local help-person or go to Geek Squad or someone like them.

Then, take a few minutes to develop a couple of passwords for yourself, for which I have a few hints below under Password Strategy.

Finally, turn on the Windows firewall and Windows Defender if you have a recent machine, or get a techno-friend to install a good firewall and basic anti-virus program.  They’re not perfect, but they help a lot.  There are free ones for Windows, including Comodo, AVG, Avast, and others.  You don’t need a massive, full-featured “Grand Internet Security” system, take it from me.  You don’t need much, but you do need something.  If you have trouble doing this, go into the store or get a consultant.  The hour or so you will pay them will be, in the long run, very much worth it.

Now, Here Are the Rules!

Versions of these same “average-person” rules have also been promulgated by Leo Laporte, Steve Gibson, and others, they’re not unique with me.  But I say, follow these and be safe(er)!

  • Set Windows Update or the Mac Software Update to run automatically.  This is by far the most powerful weapon you have, and it’s free, and self-running.  Yet large numbers of people for reasons I can’t imagine don’t do it.  This, by itself, will protect you from more trouble than you will believe.
  • Never click on a link in an emailNever.  Better to highlight the URL (the HTTP:// . . . thing) with your mouse without clicking it, and copy / paste it into your browser’s address bar.  The problem here is that the actual link destination is hidden under what is visible (which is a label, even if it looks like a URL), so even if the visible link looks OK, the real destination might not be.
  • Don’t open email attachments.  These are also sources of malware infections, one of the chief ones.  This is especially true of presumably funny ones forwarded all around, the ones that end in .wmv (Windows Media Player files).  Tell your Aunt Doris to have her pre-teen daughter post it to YouTube or Flickr or whatever, if she thinks it’s so great.  but don’t open it from the email.  When you put something on YouTube, for example, it’s filtered and anti-virused and you’re safe looking at it there.
  • Stay away from questionable websites.  This includes almost anything “free”  — porn (even soft porn), free music, free software, and the like.  These sites are laden with viruses and trojans — that’s why their music is free, because they’re being paid by somebody to load malware on your machine!

A New, Simpler, Password Strategy

In the past, I’ve repeatedly produced careful recommendations on constructing strong passwords, great long strings of gibberish that can withstand a brute-force attack for on average several years.  However (see Part 1) these recommendations have been almost universally ignored because the time and effort to implement / forget / recover / look them up and so on actually exceeds the expected average loss to the average user.  So, ever congruent with reality, I’ve revised my suggestions to make them much simpler and more in alignment with the effort people are actually willing to put in.

Now, you only need two or three passwords, and they can be something you can remember.  But please, not “password” or “letmein” or “asdflkjh” or something like that.  If you’re in Minnesota, it should not be “vikings.”  I mean, don’t just give away the keys.  Choose something meaningful to you, yes even English words (a common recommendation is “nothing in a dictionary”), your dog, or whatever.  But not “111111”

You need just two, and maybe three passwords:

  • One for almost everything that makes you register: every newspaper, weather site, and all the other things that think they need to recognize you personally when you return.  Use the same username (if you can) and a nice, comfortable password.  To the extent that these are really trivial sites, respond “yes” when the browser asks you, “shall I remember you next time?”
  • Financial sites believe strongly in “trial by ordeal” for you to get in, and of course it’s in their best interest to strongly authenticate you as it reduces their fraud costs.  So they will probably have more or less elaborate rules, like mixed-case, letters-and-numbers, X characters long, and all that.  My suggestion is to select one that meets their minimum standards, write it down, and put it in your wallet (without the bank name or userid on it, of course).  That’s all you need.  Note that these sites are now all aflame with the concept of multiple questions, “secret pictures” and other hassle-laden rubbish.  Do what they demand, of course, but I can tell you that these things really don’t work and they’re just a huge hassle for you.
  • Optionally, you might want to have a different password for your email accounts, different from the throwaway one, this is up to you.  I do, but I’m a little more freaky about this than maybe you are.  The actual incremental safety from this is fairly small, but I do it anyway.

So that’s it — four rules, two or three passwords, and you will have made yourself fairly safe at a very minimal cost / effort.  So if you do nothing else, do these!

Read Full Post »

This is the second in a three part series on a highly revised approach to keeping yourself safe and sound when you’re on the Internet.  (If you missed it, the first part is here).  This is an entirely new approach, because the whole threat profile we face has been changing, and most of the recommendations passed out by presumed security gurus (including yours truly) are no longer appropriate or effective.  This post is going to describe the current threat landscape so that my recommendations on protecting yourself will make a little more sense; those will be in Part 3.

OK then, what does it look like out there?  There are lots of pressing threats, seemingly an infinite number and growing (if that’s possible!).  But as we try to identify how we might best protect ourselves when we’re connected to the Internet, the actual number turns out to be much more manageable.  Here’s a breakdown of the overall threat landscape, from the planetary to you, as I see it now.  It includes:

Infrastructure threats, which target the basic routing and transport of content throughout the globe.  This is not our problem, at least for this discussion, although it is an extremely serious problem for our government and the Internet’s managers.

Organization threats, those that aim at businesses, governments, or other entities, and which are mainly focused on network intrusion, data theft, site defacement, and operational disruption.  I’m not dealing with those here, either.

Personal threats, what we care about here.  These threats, at least the ones that you should worry about, can all be clumped into two main categories:

  • Attempts to steal money from you via account break-in, unauthorized credit-card charges, or (occasionally) malicious transactions aimed at disrupting your life, e.g. as caused by an errant ex-spouse;
  • Attempts to steal account numbers, passwords, and other personal or family data from  you by loading malicious hidden software onto your computer.  In addition to enabling financial theft, this data might allow someone to impersonate you on the Internet and do things like post obscene messages in Facebook or put porn in your Flickr albums.  Malicious software can also take your computer and make it a spam-spewing robot, or a participant in various kinds of attacks against organizations or even against the Internet’s infrastructure itself, and you don’t want to be a part of this, either.

Now, these are significant threats, of course, and you don’t want to be the one caught standing when the music stops.  Just because these are high-order threats doesn’t mean that you can be excused to do nothing.  On the contrary, you need to take some steps to avoid being victimized, but these steps can — surprisingly — be simpler than you might be thinking, or than what you’ve been told in the past.  What is it that has changed over the last increment of time that modifies our approach to personal Internet security?  Lots of things.

What’s Changed

First of all, the bad news is that the attacks are becoming vastly more sophisticated and therefore vastly more difficult to defend against.  When I look at the technical dissection of typical first-line malware, I’m really impressed: these people really know what they’re doing.  If you let one of these things into your machine, you’re gone.  Attack software is exploiting vulnerabilities that the honest software vendors are hard-pressed to patch by the time the attacks start occurring.  And once something gets into your computer, it’s essentially impossible to remove so your only recovery is a down-to-the-metal system restore.  It’s really nasty.

However, at the same time we’ve learned how to cope with it, just as our immune system learns to cope with an infection, and just as (as a species) we and the infectious agents tend to co-evolve in ways that reduce the impact of a given infection, so that not all the hosts die!  When national credit cards became popular, certain kinds of fraud became possible that weren’t possible when the merchant knew every customer face-to-face.  So our financial system developed ways to deal iwth it — transaction limits, anti-fraud software triggers, merchant interventions, and most importantly, consistent rules for managing disputes and apportioning fraud liabilities.  Thus, the worst of the threats are blunted, coping mechanisms are created, the losses are contained, and the benefits are achieved.

Lets consider for a moment identity theft.  Five years ago this was almost unheard of.  People who claimed identity theft were generally not believed, their credit was ruined, they were threatened with arrest, their assets were attached, and they worked for sometimes years to clear things up, all the time being abused by attorneys, police, and everyone else who just couldn’t believe this was real.  What happens now?  It’s a known and accepted risk, kind of like a fender-bender: nobody wants one, but they happen, and we all know what to do.

Now, if you are an identity theft victim, you call the police, fill out a form, send out the form to your banks and other merchants, get new credit cards, and so on.  The average time to resolve an identity theft incident now is about 10 hours of your time, spread out over a couple of weeks.  Like a fender-bender, not fun and worth avoiding, but fixable.

Same principle applies to electronic account access and transfers.  Banks want people to use electronic transfers, it’s much cheaper than teller-assisted transactions or paper checks.  So to standardize everything, the Federal Reserve Board issued Regulation E, which specifically states that it was issued “to protect consumers using electronic funds transfers.”    Under the provisions of Reg E, it’s almost impossible for a consumer to be held responsible for the consequences of unauthorized electronic access to their accounts, the bank absorbs any unrecoverable losses.  Based on the cost savings and customer satisfaction, they come out ahead even with these losses from time to time.

So . . .

So the net of all this is, although the direct attacks are increasingly cunning and vicious, even when they succeed they don’t impact the individual consumer as much as they used to.  “We,” the society, have learned to cope with the resulting losses, keep the unlucky victims from being unduly penalized, and move on.  And given this, the rules for keeping safe and sound on the Internet have changed, too, and actually simplified quite a bit.  I’ll cover them in Part 3.

Read Full Post »