Sunday, March 17, 2013

So you've got a strong password do you?


Really? I've got some advice for you and your strong passwords. This is easy. Don't use them if you can get away with it. Passwords have been the bane of InfoSec professionals for decades. I've had my GMail account hacked once or twice, and my friends and family have had their various emails hacked a couple of times. A lot of it comes down to human nature. We want a password that's easy to remember. . . mostly because we have so many damned passwords to remember. We all do it. We all try to make our passwords difficult to guess by someone who doesn't know us, but easy for us to remember.

For example, a user might make their password: Dynomite78!. This type of password generally fulfills most site requirements of a "strong" password. There are lower and upper-case letters, symbol(s), and numbers.

To make it even "stronger," they might use "leet speak," or replacing letters with numbers and symbols: Dyn0m1t378!. This type of password generally fulfills all of the requirements above, and in addition, makes it so the password is not based on a dictionary word, which is usually a requirement by systems that are more strict.

The sad truth is that the above passwords are trivial to guess when the bad guy has an unlimited number of attempts and a "dictionary" of millions of password combinations. There are also programs the bad guys can use that mimic human nature in the event that their dictionary fails them. In the previous example, we have the password "Dynomite78!". When password requirements are levied on us, it again is human nature to try to find the easiest password to remember that fulfills the requirements. A word that starts with a capital letter, followed by 2 numbers, followed by a symbol -- easy to remember, but it fulfills the requirements. So. . . hackers can use programs that allow them to customize formats to help crack passwords. It's just muscle memory for us to start a sentence or password with a capital letter, followed by some lower-case letters. Add a couple of numbers, maybe your birth year or day, and a symbol, like "!" or "$." These programs are easily customizable and can re-create human nature and muscle memory. They can create an entire dictionary of possible passwords based on the requirements, using a specific format. For example, something like %U%l%l%l%l%l%l%l%n%n%s would generate passwords that match our first example above.

The truth is most passwords are easy to crack, especially for online services that don't limit the number of login attempts. Unfortunately, most online services want to make it easy for users, so they don't limit the number of login attempts, allowing the bad guys to try as many times as they like to break into your account. Take a look at this site that lists the top 500 passwords. If your password is on it, stop reading and go change it now! I'll wait...

Is there a solution to this password dilemma? Not really, but there are ways we can make it harder for the bad guys. First, stop using passwords. Start using passphrases, AKA sentences. They can be song lyrics, or lines from a book or poem, or pretty much any number of different things.

For the sake of argument, let's say I created a passphrase from a famous song. I could tell you the song was written by Bob Dylan, and it still would be nearly impossible for you to guess my password: "I heard her say over my shoulder, we'll meet again someday on the avenue." That's a pretty strong passphrase. You could even make it more difficult by removing (or adding) punctuation or spacing, and maybe even modify the phrase slightly so that it's not "easily" guessable. This particular quote is two lines. What if we added a word or two from the previous and following lines: "awayiheardhersayovermyshoulderWellmeetagainsomedayontheavenue,Tangledup" I'd say that's a passphrase that is nearly impossible to crack, but easy to remember.
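To put numbers on the two paragraphs above (the %U%l...%n%n%s format and the lyric passphrase), here is a small added example that is not part of the original post. It reads the post's mask notation, counts how many candidates a mask describes, tells you whether a given password fits a mask, and runs the same arithmetic over the passphrase. The mapping of %U/%l/%n/%s to character classes and the symbol set (Python's string.punctuation) are assumptions, since the post does not spell them out.

```python
"""Added example (not from the post): measure how big a search a mask like
%U%l%l%l%l%l%l%l%n%n%s describes, versus a long lyric-based passphrase.
The class letters follow the post's notation; the exact symbol set is an
assumption (string.punctuation), since the post does not define it."""
import math
import re
import string

# Character classes behind each mask letter (assumed mapping: %U upper-case,
# %l lower-case, %n digit, %s symbol).
MASK_CLASSES = {
    "U": string.ascii_uppercase,   # 26
    "l": string.ascii_lowercase,   # 26
    "n": string.digits,            # 10
    "s": string.punctuation,       # 32
}

# The post's own examples, used as constructed inputs for the demo.
MASK = "%U%l%l%l%l%l%l%l%n%n%s"
PASSPHRASE = "awayiheardhersayovermyshoulderWellmeetagainsomedayontheavenue,Tangledup"


def parse_mask(mask):
    """Split '%U%l%n%s' into its class letters; reject anything else."""
    if not re.fullmatch(r"(%[Ulns])+", mask):
        raise ValueError(f"malformed mask: {mask!r}")
    return re.findall(r"%([Ulns])", mask)


def mask_keyspace(mask):
    """How many strings the mask can produce (the size of the guess list)."""
    total = 1
    for cls in parse_mask(mask):
        total *= len(MASK_CLASSES[cls])
    return total


def matches_mask(password, mask):
    """True if every character of password falls in the class the mask names."""
    classes = parse_mask(mask)
    return len(password) == len(classes) and all(
        ch in MASK_CLASSES[cls] for ch, cls in zip(password, classes)
    )


def infer_mask(password):
    """Describe a password in mask notation, or None if a character fits no
    class (a space, for instance, is outside the four classes)."""
    letters = []
    for ch in password:
        for letter, chars in MASK_CLASSES.items():
            if ch in chars:
                letters.append("%" + letter)
                break
        else:
            return None
    return "".join(letters)


def bits(keyspace):
    """Search space in bits, for comparing masks of different lengths."""
    return math.log2(keyspace)


def is_blocklisted(password, blocklist):
    """Case-insensitive check against a list such as the 'top 500' the post links."""
    return password.lower() in {p.lower() for p in blocklist}


if __name__ == "__main__":
    print(f"{MASK}: {mask_keyspace(MASK):,} candidates "
          f"({bits(mask_keyspace(MASK)):.1f} bits)")
    print("Dynomite78! matches the mask:", matches_mask("Dynomite78!", MASK))
    print("Dyn0m1t378! as a mask:", infer_mask("Dyn0m1t378!"))
    pp_mask = infer_mask(PASSPHRASE)
    print(f"passphrase, same arithmetic: {bits(mask_keyspace(pp_mask)):.0f} bits")
```

The mask for "Dynomite78!" describes about 49 bits of candidates; the 71-character passphrase, measured the same way, is over 300 bits. One caveat the numbers don't show: a guesser that works at the word level against known lyrics does far better than character-by-character, which is exactly why the post suggests altering the phrase rather than using the lyric verbatim.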

So, since we're not supposed to use the same passwords/phrases for more than one website, do we need to memorize dozens of lyrics or quotes? I'd say no, unless you've got a knack for remembering things like that.

My guess is that most people have two to four accounts that they use on a daily (or greater) basis, and the rest are accounts that we log into once or twice a month (or less). For the latter, my suggestion is create a password that even you can't remember, and use the "forgotten" password reset functionality built into almost all web sites.

If I create a 40-character password from this site using punctuation, it comes out something like this:

#!#?6N%u|l?h.P"3^".|_o%/c_O"Jx7G>G]_3i$=

There is no way in hell I'm ever going to remember this password, but there's also almost no way in hell a hacker is going to be able to guess this password, especially not using a simple dictionary. You have two choices at this point: You can write this password down, or you can just accept that you're never going to be able to remember this password, and next time you need to log on to a site with this password, you just use the "forgotten" password reset feature, and create another 40-character password.

The latter approach is similar to what folks in "the biz" refer to as a one-time password. A one-time password is exactly as it sounds. It's a password that's used once, and then is no longer valid. Technically the 40-character password is stored in your online account, is valid, and your account can be accessed if the username and password are correct. However, if every time you log on to a site that you very infrequently visit, and generate a new 40-character password, you're essentially mimicking a one-time password policy, and as long as your password is sufficiently "strong," it's one of the most secure ways to control access to your data. (Pro-tip: the aforementioned site can generate passwords from 5 to 100 characters with, or without punctuation. Use as many characters as your site will allow.)

If you're too lazy to use the one-time password approach, I still suggest using the strong password generator to generate as strong a password as your particular online account will allow. And, much to the disappointment of security professionals everywhere, if you don't feel like keeping all of your passwords in an online service such as LastPass or an offline database like KeePass, I'd say write this password down in a "secure" location, meaning your house or other living establishment -- something only you should have access to. Keep a record of your passwords in something as simple as a Rolodex for easy access. After all, if your house is broken into, you're going to have bigger problems than trying to remember what your passwords are.

For additional security (and in case your house gets broken into and someone steals your Rolodex of passwords), it's good practice to keep a list of all of your online accounts in a safe place -- I'd recommend an actual safe or fire box if you have one. I would also recommend that you add a copy of this list to your will so that your loved ones are able to safely and effectively close out and 'delete' any of your online accounts should you come face to face with a pack of wild dogs. . . or zombies.

Tuesday, May 8, 2012

How to Encrypt and Share Items on Google Drive


This tutorial is based on Windows 7 and GPG4Win, but the basic idea can be translated to any operating system and GPG key manager. The goal is to be able to encrypt the contents of your Google Drive. There are numerous ways to do this. For example, you could make a TrueCrypt volume, but syncing this would be a nightmare. You could also use Visual Subst to map a Windows drive, then use TrueCrypt, but you'd still have the syncing issue.

So, we're going to use GPG. GPG is the "free" version of PGP, and it's just as good. You can get more info here. GPG is a public key encryption system. Basically the way it works is users create a key pair -- one public key and one private key. The public key is published to a server where other users can access it. In order to encrypt something viewable only to you, a user would encrypt a document with your public key, and the only way to decrypt that would be with the corresponding private key (you MUST protect your private key).

A couple of caveats: 
* You will not be able to "preview" documents. You will have to download them.

* You will not be able to search encrypted documents -- but neither will Google ;) 

* You can "Backup" your private keys and sync them with your smart phone if there's GPG software available for your phone (if you trust your smart phone OS not to phone home with it). This will enable you to still read files that people share with you. I currently use an Android device, and there is no up to date free GPG software. There is a program that costs <$3, but I did not test that.

* Setup is not tedious. I've purposely tried to include as much info about setup as I could think to include, so this post looks a bit long-winded; but it took me a total of 10 minutes to download and install the software, set up and publish my keys. Once you encrypt files a couple of times before sharing them, it will just become second nature.

The first step is (obviously) to set up Google Drive. As this is not a Google Drive Setup tutorial, I'm going to assume that you've gotten that far, and have a local Google Drive folder that's syncing.

The next step is to download and install GPG4Win, located here

Once installed, open GPA (if you used the defaults during install, this will be under Start -> All Programs -> GPG4Win -> GPA). Now we're going to set up our keys. Go to the "Keys" menu and select "New key..."

You can leave the algorithm and key size set to the defaults. Enter your name and your email address, and a comment if you like. If you prefer, you can set your key to expire. In theory, this is a good idea, but it may not make sense for everyone to do this. Once the key is generated, it will show up in your Key manager shown below:


Now we have to publish our key (otherwise no one will know how to encrypt the items they wish to share):


Once you select "Send keys..." the default server is fine. A couple of seconds later, your public key is published, and folks can share and encrypt stuff that only you will be able to see. (You'll need to tell them your Key ID, which is in the first column in Key Manager, and the server where your key is located.)



So, now we've got our public key published. We're going to assume that someone you wish to share a file with has gone through something similar and has published their keys to the GPG key server. We need to download their public key into our key ring. Select the "Server" menu, and the "Retrieve keys..." Enter their Key ID, and it should be imported.

Now let's say that there's a document that we want to encrypt and share with a single person. We first need to import that file into GPA. In the Key Manager, on the top toolbar, there's an icon titled "Files." Click it, and your File Manager Window will open:




Go ahead and Click the "Open" icon and select the file you wish to encrypt and click the "Open" button:


Once the file is open, if it's the only file, it should be highlighted. If not, highlight it and click the "Encrypt" button on the toolbar. You'll be prompted with another window where you can select the public key of the person you wish to share the file with:


Select their key, and click OK. By default, it will save the file in the same folder as the original, with the extension ".gpg". Here's what an encrypted file looks like in Notepad:


Don't worry. It didn't translate your precious document into Chinese and then send it off to China. The file is binary data, and those characters are just Notepad's way of displaying the raw bytes as extended-ASCII characters in your current code page.

If you want to encrypt files that only you can read at a later date, just encrypt them with your own public key (it should by default be in your keyring).

So, that's pretty much it. Again, as I said before, this isn't a Google Drive how to. I'm going to assume that you know how to upload and share documents via Google Drive. Using the built in access control that Google Drive provides (I have to safely assume that Google knows a little about access control and ensuring only the folks you select to share the document are the only ones able to actually see it), and GPG, you can safely encrypt and share documents in the "Cloud."

Wednesday, April 25, 2012

How is CISPA Dangerous

What's CISPA?

It's the Cyber Intelligence Sharing and Protection Act of 2011, and is technically an amendment to the National Security Act of 1947. It allows companies (ISPs) to share your information with the government for "national security purposes."

Why is it dangerous?

Numerous sources say that the wording of the bill is "painfully vague," and could allow for misuse and abuse under the guise of "cyber" security. As with SOPA and PIPA, your right to a reasonable expectation of privacy is obliterated. This bill will override any current privacy laws in place. One may argue that anything we do on the Internet is not private. While I might agree for certain things, I should have a reasonable expectation of privacy when surfing the Net. Oh, and they don't even have to tell you when there's been a request for your personal data.

I'm all for protecting our infrastructure against "cyber" (I really hate that word) attacks, but our forefathers put checks and balances in place for a reason. If you require my personal data, either I give you permission to access it, or you have just cause for a warrant, signed by a judge, to obtain it. None of this:

GOV:"Plz can we have sum dataz?"
CORP: "Sure! Herez some really juicy stuff on Joe Schmoe"
GOV: "Sweet! OMG! Look at all this cyber informashunz! You rock, CORP!"
CORP: "NP!"
GOV: "Kthxbai!"

How does it differ from SOPA?

Well, here's a link that explains a little about how it's different. Basically it boils down to CISPA being aimed at protecting against "cyber" attacks, while SOPA was aimed at protecting intellectual property. Second, it protects companies that share your data against lawsuits that one might bring against them for not protecting your private information. Lastly, the main difference is that it has the support of some of the corporations that were against SOPA, e.g. Google and Facebook.

Why are they for this bill?

Simple. It protects them from losing millions of dollars in a possible lawsuit brought against them for sharing your private information. It also takes the job of policing the Internet out of their hands as they would have had to do with SOPA -- again, saving them millions of dollars.

Want proof that our country is run by "we, the corporations" and not "we, the people?"

With the support of major corporations, and a massive protest by the people, SOPA was defeated. Without the support of major corporations, but with massive protests by the people, this bill will probably pass. Luckily, the Obama Administration is opposed to the bill in its current form, and has threatened to veto it.  Unfortunately, this bill has bipartisan support, and may be able to override a veto. It currently has 112 cosponsors, with more congress critters claiming support every day.

What the hell can I do to stop the bill from passing?

Go here to send a "TMI" Tweet to your representatives. Fun, but not really effective.

Go here to look up your congress critter and send them an email with your concerns; or call them.

Above all, if we continue to vote for the types of people who care more about corporations than they do about the people, then we deserve what we get. My email to my rep will clearly state that if he votes "yes" on this bill, he will not be getting my vote in the next election. I ask you to do the same.

Kthxbai!

Friday, April 6, 2012

How working in IT prepared me for being a dad

I've worked in IT for probably a decade. My wife and I have a 10 month old son. Looking back on the first 10 months of my son's life, and what's in store for us in the future, has shown me that there are a few parallels that can be drawn.

Troubleshooting:
That's what some IT folks do for a living. I've spent a few years as a sys admin, and that's what I did for a living. I like to think I was pretty good at fixing problems that sometimes seemed illogical. With computers, it's always a logical problem. It's either a "one" or a "zero." But looking at a problem, sometimes it's difficult to see the one or zero. My Bachelor's degree has nothing to do with systems administration. My degree is in Graphic Design and Computer Art -- which believe it or not has helped me see illogical solutions in logical problems. So, I like to think that I was pretty decent at troubleshooting. However, experience helps. The more you've seen, the better prepared you are to fix a problem, and you always do what you know first. Can't get to the Internet? Can't get email? Can't figure out why a server is being 'illogical?'

"Have you tried turning it off and back on again?"

Reboot. If all else fails, call in support.

How in the hell did this help prepare me for being a dad?

Baby won't stop crying. Is he hungry? Is he wet? Did he bump his head? Do what you know first. If that doesn't work, reboot the baby. It's amazing how sometimes the simplest solution is a nap. I wish I could take naps more often. I think I'd be more productive. And if that doesn't work, and you're lucky enough to have a great partner/wife/mother to your child like I do, call in support.

Knowledge:
Being a dad has also given me some insight into my life in IT. No one can fix every problem. No one knows everything. I've been fortunate enough in my profession to be a decent troubleshooter, but I do not know everything -- far from it. I cannot fix every problem. Not every problem has an easy solution. Patience is key. There will be days when your kid wants to do nothing but be fussy, and there will be days when your servers will be 'illogical.' All you can do is what you can do. After that you're just winging it.

Security:
I've always been security-conscious as a sys admin, and my career path is moving in that direction (Master's degree expected very shortly). I think that's helped me as a father as well. Computer security is all about risk. What vulnerabilities and threats exist that create a risk to your operating environment? Essentially computer security is about risk awareness. While nothing is hack-proof (including your house and your kid), as long as you're aware of the threats to your environment, you're better off -- Remember the "unknown unknowns" comment from a past Defense Secretary?

Hack your kid? WTF!?! Sure (but don't take him apart). Hacking has gotten a bad rap lately, but hacking in its most simple form is about trying to find out how things work. Find out how he works. Find out what makes him laugh/cry/fuss/stare into oblivion. Will your kid hack you and the precautions you've put in place? Absolutely. There's nothing you can do about it. Just be aware of the threats and their associated risks.

My wife mentioned to me recently how every day she sees proof that she's a mom. She recently took our son to a party, and noticed how her priorities have shifted. When you walk into a room with a 10-month old and put him down, you evaluate the potential threats to your son, and what risks they pose. Floor-length curtains? Bad. Accessible wall outlets? Bad. Power cords? Bad. Raised floors / steps? Bad. Unsecured book shelves? Very bad. These all pose a risk to my son, but I'm secure in the knowledge that I'm aware of these risks. I've evaluated them, and I keep a close eye on him to ensure these threats do not interfere with his security.

Education:
I've also learned that whether it's about IT or about my kid, I'm going to be 'in school' for the rest of my life. If you work in IT, especially computer security, and you're not constantly learning, you will go extinct. The same goes for being a dad. You will be learning for the rest of your life, whether you like it or not. As one of my previous bosses put it, "It never gets easier. It just gets different."

Perspective:
Lastly, the most important thing my son has given me is a little perspective. I go to work. I do my job. I won't fix every problem, and that's okay. I'll go home and spend 10 minutes with my son, and completely forget about the dozens of problems I had at work, and how I wasn't able to fix them all. Someone will still not be getting email when I leave. That's okay. It's really not the end of the world.

Saturday, March 17, 2012

Why McAfee is making my computer less secure...

So, my last couple of posts have been a little too political. Hopefully there's some info in this post that will come in handy, but what would really be great is if it 'learned you a little...'

Yes. I use McAfee. Yes, it's a pain in the ass. Unfortunately as of this moment in computer security, if you're using Windows (which for the moment I'm forced to), you need some sort of virus scanning software. Why McAfee? I don't know. I guess because I've had a subscription which I keep renewing rather than go out and research other products. (I'm a bit pressed for free time at the moment.)

So a couple of days ago, McAfee started to fail when trying to update definitions. Today, I finally had some time to figure out what the problem was (with a little help from McAfee tech support). The problem was that my computer was too secure to allow McAfee to update properly. Yes, you read that right. My computer was too secure to allow my security software to run properly. Well... that, plus there was an incorrect setting in my local hosts file. I'm not going to go into why I think McAfee needs to hard code IP addresses. I think that's a little ridiculous, but they may have a valid reason. Doubtful, but hey. Anything is possible.

What they don't have a valid reason for is the following options in IE "Internet Properties:"
--Disable "Check for publisher's certificate revocation."
--Disable "Check for server certificate revocation."
--Disable "Check for signatures on downloaded programs."
--Enable "Use SSL 2.0"

The most frightening one is the 3rd one, checking for signatures on downloaded programs. What's a signature? In the simplest of terms, it is a digital way of verifying that the file you're about to download (and possibly execute) comes from a trusted source. If you don't know that downloading and running programs from untrusted sources is a Bad Thing(TM), it would not at all surprise me if you've got a trojan on your computer, and you should stop doing it immediately. So...

First, don't download programs from untrusted sources. Second, if you can, keep this check enabled. At the very least, it may prompt you with an annoying warning banner. At the most, it might save you from having your computer become part of a botnet.

So, what are these certificate revocations you ask? It's simply a way of verifying you are connecting to the web site or server you think you're connecting to. Sometimes after a digital certificate has been issued to a web site or server, it must be marked as invalid, or revoked. Sometimes this is due to unforeseen errors. Sometimes it's due to the company that issued the certificate being hacked. If you are unaware that a certificate has been revoked, you may be redirected to a web site pretending to be a trusted web site, which (if you keep that "Check for signatures of downloaded programs" option disabled) may be able to install software on your computer without your knowledge. That's a Bad Thing(TM)

Lastly, we come to this SSL 2.0 thing. SSL stands for Secure Sockets Layer, and it is at the heart of commerce on the Internet today. It's how you can securely log into your banking web site and transfer funds. It's how you can enter your credit card number into Amazon.com without worrying that a Bad Guy(TM) will get it and go buck wild on your dime. Well, there are different versions of SSL. SSL 2.0 is less secure than SSL 3.0. SSL 2.0 uses weaker mechanisms to set up a secure connection, and is subject to what's called a man-in-the-middle attack. A man-in-the-middle attack is just how it sounds. Some Bad Guy(TM) gets between you and what you think is a trusted web site. What you don't know is that he can read and manipulate every piece of information sent to and from your computer. For the home user, this didn't used to be a big deal. But with the ubiquity of WiFi, a man-in-the-middle attack is very easy. I'll have a post coming up on some WiFi security measures (when I get some more free time).
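The same four knobs exist anywhere software makes a secure connection, not just in Internet Explorer. As an added example (mine, not from the post, and nothing to do with McAfee's software), here is what "revocation checking on, certificates verified, no legacy SSL" versus "all of it off" looks like for code that uses Python's ssl module, plus an audit function that reports which protections a given context actually has switched on. Python can't edit IE's Internet Properties; this is the equivalent decision in a client you write yourself.

```python
"""Added example (not from the post): the checks the post wants kept on,
expressed for code that makes TLS connections with Python's ssl module,
and an audit that reports which ones a context really has enabled."""
import ssl


def hardened_client_context(ca_file=None, crl_file=None):
    """A client context with the protections the post wants kept on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSLv3, TLS 1.0 and 1.1
    # Revocation: check every certificate in the chain against a loaded CRL.
    # With this flag set and no CRL loaded, verification fails closed.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if crl_file:                                    # CRLs load the same way as CAs
        ctx.load_verify_locations(cafile=crl_file)
    return ctx


def weakened_client_context():
    """What the post's disabled checks amount to: no verification, any protocol."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # "don't check the server certificate"
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx):
    """Report which protections a context actually has switched on."""
    return {
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
        "revocation_checked": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN),
        "legacy_protocols_refused": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def findings(ctx):
    """Names of the protections that are off, i.e. what needs fixing."""
    return sorted(name for name, ok in audit_context(ctx).items() if not ok)


if __name__ == "__main__":
    print("hardened:", findings(hardened_client_context()) or "no findings")
    print("weakened:", findings(weakened_client_context()))
```

Two notes. The OpenSSL builds current Python links against no longer contain SSL 2.0 at all, so the "Use SSL 2.0" box has no equivalent here; the minimum_version line covers SSL 3.0 and the early TLS versions in the same spirit. And VERIFY_CRL_CHECK_CHAIN only helps if you actually load a CRL; if none is loaded, connections fail rather than silently skipping the check, which is the safer of the two failure modes.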

So, McAfee, the company that I (for now, unwillingly) trust to keep me safe is in fact, making me less safe. Sure, I trust McAfee not to download Bad Things(TM) to my computer, but these settings don't affect just McAfee stuff. They affect every connection I make to any server in the world, and that's a...

Bad Thing(TM)

Sunday, February 19, 2012

Sneaky Representatives

So, what is H.R. 1981? Basically it is a bill that would mandate our service providers keep track of nearly everything we do and everywhere we go online.

Who brought us this wonderful bill? It couldn't be the same jackass that brought us SOPA could it?

Wait. What? It is the same jackass? You gotta be kidding.

Nope. Not kidding.

In order to try to get something like this through Congress, the bill is titled "Protecting Children From Internet Pornographers Act of 2011." So, basically what this bill is trying to do is pit privacy against child porn, and if you're against this bill then you must be for child porn, right?

We're all against child porn, but we should also be against having our rights violated. This bill would enable the government to request your data, in secret, without any oversight.

Why can't the congress critters just write sensible bills that can stand on their merits? Write a bill that protects kids and doesn't violate our rights. Why do we continue to elect these people if they're not firing on all cylinders?

Against having your rights violated?

Go here, and write your congress person.
(For those of you in the same state as me, one of our representatives is a cosponsor of this bill.)

Monday, January 30, 2012

What the Eff is the EFF?

The EFF, or Electronic Frontier Foundation, is associated by some with 'hackers' and with trying to get hackers or other alleged criminals out of jail. However, they have a much more sinister motive -- to protect people just like you and me, and their digital rights. In the world we live in, most of our information, whether public or private, exists in digital format. Is it protected?

Well, there are two ways of looking at protected; the first would be protected from the bad guys, and the second would be protected from Big Brother. There's nothing we can do as individuals to help protect our data from the bad guys, so let's concentrate on the other.

The EFF works vigorously to help ensure that your data is protected from Big Brother -- usually by fighting for your 4th and/or 5th (among others) amendment rights. Look them up if you don't know what they are. Really. Look them up right now if you don't know what they are. These are your rights, and you should understand them. I'll wait...

Okay...

Some would say that "if you don't have anything to hide, you shouldn't be concerned by Big Brother looking into your data;" but really that's not the point. The point (as so graciously noted by the founders of this country) is that I should not have to fear anyone searching my data without just cause, nor should I fear torture or other means by which I may utter words to incriminate myself.

I attended a conference this past weekend in which there were two talks given by folks that work at the EFF. They are intelligent and well versed in both law and technology -- oh, and they're nice people too.

Do you have a 'rooted' smart phone? You can thank the people at EFF for working to ensure you're not arrested for playing with something you own. (Which by the way is up for debate again.)

Do you use a Tivo or DVR? You can thank the EFF.

In more complicated matters such as encryption, a woman in Colorado (yes, an alleged criminal) is being forced to decrypt data that she encrypted. As I said, it's more complicated than that, but the underlying issue is privacy and encryption. Can we say "Slippery Slope?"

They are also staunchly opposed to SOPA/PIPA.

What's the point I'm getting at? Well. . .

Some of you have probably never heard of this organization, and they fight every day to protect your rights. I know it's easy to throw money at a corporation and get a song, playing device, phone, TV, etc. . . Also, might I ask what your congress critter has done for you lately -- or in the past decade for that matter?

How about giving some to the folks who are trying to help protect us from these corporations and greedy fools in congress.

I know it's a tough economy, but please join or donate to the EFF. They're good folks trying to help protect your rights.