Creating A Secure PassPHRASE and Ditching PassWORDS

In a nearly two decade career in technology, mainly in security, I can count on my two hands the number of times that I’ve changed my personal behavior because of something I’ve heard in a meeting. Typically it would happen as I was sitting in the audience watching a presentation at some con, and a sudden realization came over me that if I tweaked my behavior just a bit I could better secure myself. At the same time I’ve been really lucky to sit next to super smart security people, literally, at work each day and listen in as they detailed why what I was doing was WRONG (or dumb, or idiotic…). Unfortunately, it isn’t always done with grace. There’s nothing I hate more than a smug reminder of how insecure I am with no suggestion of how to make it better.

Last week in a cramped conference room in Boston it happened again, but this time it was done with such ease and simplicity I not only wanted to change my behavior, I wanted to punch myself in the face for not having realized it sooner. The conveyer of this great idea – though not the first person to say it – was Jayson Street, well known throughout the community and of course on this blog for saying what he means, telling it like it is, and always trying to help all of us in need. The advice might be old hat for some, but it hit me like a ton of bricks.

The one thing you can do to better secure yourself in 2016 is to ditch your passwords and start using passphrases.

Yes, I know, many of you have been talking about and doing this for years. Even Edward Snowden got on the bandwagon earlier this year. Simply because it’s been talked about doesn’t mean people are actually adhering to the advice, and that means we have to keep talking about this one as much as possible, since our biggest threat remains the uneducated consumer. AND, yes, the strongest password is the one you can’t remember…but people outside of a very few in security simply laugh at the absurdity of that statement.

Now, with that all behind us, let’s talk about how to implement this into your connected lifestyle.

5 Ways To Create a Secure Passphrase…and Ditch Passwords

Think of a passphrase as a complex sentence, versus a password that is simply, well, a word that maybe has some digits or a few symbols (yes, you are SO tricky using ‘$$’ as ‘ss’). But there are a few tips you should follow (or share with your employees) to create the strongest passphrase.

1. Use The Space Bar

Most online accounts will now support the use of blank spaces in your passphrase. This lets you create that sentence we talked about above, and it also makes the passphrase harder to figure out for both humans and sniffers.

2. Go Long…15 or More Characters

Most password crackers will slow down once the passphrase hits 15 or more characters, and that’s when they get past the NTLM hashes and have to actually work at it! Can they still figure it out? Sure, but the longer it takes them to get your password, the better the chance that they give up.

3. Use a Passphrase That is Personal, but Unique

The beauty of a passphrase is that it should be something that you can remember a bit more easily, but it can’t be something that people would easily guess. Say, for example, you are a huge Star Wars fan (I hear there is a new one that came out recently), so you decide to create a passphrase of “May the force be with you!”. Look at you, it’s more than 10 characters, it uses the space bar, and even that pesky exclamation point. Nice work, but it’s not stronger than your old “w00ki3” password.

Most likely you have already liked Star Wars on Facebook and everyone knows you were at the midnight showing dressed as Jenga Fett. While that passphrase was personal, it wasn’t unique. You may have, instead, chosen something that was both personal and unique, maybe:

Think of something you’d tell someone close to you, but not your coworkers. Unforgettable? Slightly embarrassing? (“I actually like Episode one. Don’t tell anyone!”) Perfect.

“I actually like Episode one. Don’t tell anyone!”

4. Keep Being a Character

No, not you personally, your passphrase. Still use those exclamation points, hyphens, ampersands…they are even more effective in a passphrase. Building on our example:

“I @ctually like Episode 1. Don’t tell anyone!”

5. Variety is the Spice of Life…and Passphrases

Here is where I’m still going to tell you that you need different passphrases for different accounts. Now, is it realistic that you’ll have a different passphrase for every single site, app, and account? Probably not. That doesn’t mean we can’t try. One suggestion here is to create a variety of passphrases that also help you remember where each one belongs. Example:

“I @ctually like Episode 1. Don’t tell anyone at the bank!”
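An added example, not part of the original post, that turns the five tips into a checker you could hand to a help desk or onboarding script. The blocklist of famous quotes and the leet-speak substitutions are constructed here, and the length and character rules are the post’s own.

```python
import string

# Constructed blocklist of well-known quotes. A real deployment would use a
# large list of leaked passwords and popular phrases (assumption).
COMMON_PHRASES = {
    "may the force be with you",
    "to be or not to be",
    "correct horse battery staple",
}

# Substitutions crackers try first, so "@" for "a" adds little on its own.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})
STRIP_PUNCT = str.maketrans("", "", string.punctuation)


def normalize(phrase: str) -> str:
    """Lowercase, undo common leet substitutions, drop punctuation, squeeze spaces."""
    text = phrase.lower().translate(LEET_MAP).translate(STRIP_PUNCT)
    return " ".join(text.split())


def check_passphrase(phrase: str) -> list:
    """Return the tips (1 to 4) the phrase violates; an empty list means it passes."""
    problems = []
    if " " not in phrase.strip():
        problems.append("tip 1: use the space bar (several words)")
    if len(phrase) < 15:
        problems.append("tip 2: go long, 15 or more characters")
    norm = normalize(phrase)
    # A famous quote with a suffix or leet spelling is still a famous quote.
    if any(norm == p or norm.startswith(p + " ") for p in COMMON_PHRASES):
        problems.append("tip 3: a famous quote is personal but not unique")
    if not any(c in string.punctuation for c in phrase):
        problems.append("tip 4: keep a character (punctuation or symbol)")
    return problems


def find_reuse(accounts: dict) -> list:
    """Tip 5: report pairs of accounts that share the exact same passphrase."""
    first_seen = {}
    reused = []
    for account, phrase in accounts.items():
        if phrase in first_seen:
            reused.append((first_seen[phrase], account))
        else:
            first_seen[phrase] = account
    return reused


if __name__ == "__main__":
    for candidate in ("w00ki3",
                      "May the force be with you!",
                      "I @ctually like Episode 1. Don't tell anyone!"):
        print(repr(candidate), "->", check_passphrase(candidate) or "passes")
    # Constructed account list: the bank and email share one phrase.
    print(find_reuse({"email": "Same phrase here!", "bank": "Same phrase here!",
                      "forum": "I @ctually like Episode 1. Don't tell anyone at the forum!"}))
```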

Feel better? Feel more secure? Good! Now, make it your 2016 resolution to replace passwords with a secure passphrase.

Google Tackles BYOD with Android for Work

People love their mobile devices; between gaming, social media, and simply browsing the web, more and more people are turning to a smartphone or tablet for their personal computing needs. For many, work now represents the most time they spend on a traditional desktop or laptop computer. This shift in personal computing is only going to get more pronounced as mobile devices get cheaper and more capable; why even bother purchasing a home computer for web browsing and light work when your tablet or even phone is already more than capable of it?

It’s only natural that those same personal computing habits start to bleed into working hours. Users have started bringing their smartphones and tablets onto the work network and whether the administration likes it or not, it’s inevitable. Pushing back against users bringing their own devices, or actively trying to block them, adds aggravation and stress for everyone involved. Workplaces today seem to be faced with a simple choice: adapt to the changing times and institute a well thought out Bring Your Own Device (BYOD) policy, or waste valuable time trying to fight a coming tidal wave.

To help workplaces cope with the changing landscape of personal computing, Google has unveiled “Android for Work,” which the search giant hopes will rein in the billions of Android devices and get them ready for their new part-time jobs as business tools. While it still won’t be easy to balance BYOD and overall security, standardizing a framework for the world’s most popular mobile operating system is definitely a step in the right direction.


Work Profile

“Android for Work” builds on the multi-user support included in Android 5.0 by adding a dedicated profile on a user’s phone or tablet that separates business related applications and data from the user’s day to day profile (older releases of Android will require the installation of a special Android for Work application). When a user is under their personal profile they can use the device as they would normally, but once they switch over to the work profile, there is a completely different set of applications which are visually set apart by a small briefcase overlay on their icons.

Google has also included “Google Play for Work”, which allows administrators to whitelist applications that can be installed while users are running their work profiles. Businesses can use this not only to control what applications are being run on their network, but to distribute their own internal applications without having to put them up on the main Google Play market or sideload them manually onto every user’s device. Applications can even be silently installed or removed remotely, so internal applications required for work can be installed automatically, and previously whitelisted applications which have been found to be troublesome can be purged.

It’s even possible to remotely wipe just the Android for Work profile without interfering with the rest of the files and applications installed. So if a user is no longer with the company or decides to stop using their personal device, the work profile can be remotely wiped and everything will go back to the way it was.


Half the Equation

Android for Work is definitely a big improvement to how mobile devices integrate into the business environment and will certainly help many businesses which are looking to strike a balance between convenience and security; but it still doesn’t solve the BYOD problem. The most glaring issue is, of course, users who bring in their devices without telling anyone. Android for Work can only control the devices which have been registered by the administration; it does nothing to control personal devices which users simply bring in and connect to the network without permission.

Users sneaking in their personal devices without permission of the administration is arguably the crux of the BYOD issue to begin with. A complete BYOD solution still requires vigilantly protecting the network against incursions from any and all unknown devices. Deploying Android for Work won’t mean much if a user can freely connect their device to the network without anyone knowing about it.

Lenovo Puts Ad Revenue over Security with Superfish

We have been talking for quite a while now about the obvious “rogue” devices hiding in your enterprise, but there is another issue highlighted in our post on gifts that has resurfaced again: potentially vulnerable devices within your network that are not obviously rogue.

The security and privacy communities have been on absolute fire since news broke about the “Superfish” advertisement software Lenovo decided to pack in with some of their Windows-based machines in 2014. While everyone agrees that Lenovo pre-installing malware designed to push advertisements onto users’ screens is pretty bad, Superfish is looking to be considerably more dangerous than your standard manufacturer bloatware. Superfish messes up the HTTPS standard so badly that many in the industry have been left wondering how the companies involved could possibly have signed off on something so against standard security practices.

Many are calling this the worst security gaffe from a major tech player in recent history, and it has already been compared to the infamous Sony rootkit debacle of the mid-2000s. Superfish has even gotten the attention of Homeland Security, which released a statement calling it a “critical vulnerability”. For its part, Lenovo claims they had no idea about the security implications of Superfish and have been working with Microsoft to get it automatically removed by Windows.


How Superfish Works

Superfish is described as a “Visual Discovery” platform, essentially software that matches the content of images with what they actually are. The creators claim this software helps consumers do things like identify what items are even if they don’t know how to textually describe them.

In the case of Lenovo computers, Superfish was included to analyze the images users were looking at and suggest advertisements that were relevant to them. So if the user was looking for images of dogs on their computer, they may start seeing advertisements related to animal adoption agencies while browsing the web. This is not unlike Google’s AdSense, just using images instead of text keywords to generate contextual ads. In other words, it might sound shady, but it isn’t something we aren’t already dealing with on a daily basis.



The real problem is that Superfish was configured to intercept all of the data a user was sending out on the Internet, even if it was encrypted. It did this by installing its own self-signed root certificate, essentially making the computer think that Superfish was the issuing party for all SSL certificates. It then had free rein to view and modify the data the user was seeing in any way it wished, even though the browser said the page was encrypted and they had a secure connection to the site.

In other words, Superfish performed a classic Man-in-the-Middle attack against SSL encrypted sites. A trick that usually requires taking over the entire network with specialized software was done out of the box by the friendly folks at Lenovo.

But it gets worse.

If each installation of Superfish had a unique private key, this would still be an invasion of privacy on a large scale, but not exactly unheard of. For example, anti-virus software often installs a root certificate unique to each machine so it can check HTTPS encrypted sites for malicious code. But the company that provided Superfish with its SSL certificate, Komodia, decided to use the same private key for every certificate that got installed on a machine running Superfish. Which means anyone who has that key could fool a Superfish-equipped machine into believing they had a secure connection to any site they wished.

It only took a few hours for the private key Komodia used to be discovered, aided in no small part by the fact that they decided to protect the key with the password: “komodia”.
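An added defender-side example, not from the original post or from Lenovo or Komodia: a Python check that looks at the issuer of a site’s certificate the way a browser on an affected machine would see it. The handshake succeeds on such a machine because the injected root is trusted, so the issuer has to be inspected separately. The issuer-name watchlist, the sample certificate dicts and the “leaf signed directly by a local root” heuristic are all constructed assumptions here.

```python
import socket
import ssl

# Constructed watchlist of issuer names tied to interception software; the
# exact subject strings of the real certificates are an assumption.
INTERCEPTION_ISSUERS = ("superfish", "komodia")


def name_fields(cert: dict, key: str) -> dict:
    """Flatten the tuple-of-tuples 'subject'/'issuer' that ssl.getpeercert() returns."""
    fields = {}
    for rdn in cert.get(key, ()):
        for attr, value in rdn:
            fields[attr] = value
    return fields


def classify_leaf(cert: dict, trusted_roots: list) -> str:
    """Classify a server certificate as 'ok', 'interception' or 'direct-root-issued'."""
    issuer = name_fields(cert, "issuer")
    haystack = " ".join(issuer.values()).lower()
    if any(name in haystack for name in INTERCEPTION_ISSUERS):
        return "interception"
    # Heuristic (ours): public CAs sign leaves from intermediates, so a leaf
    # whose issuer is a root sitting in the local trust store is the shape a
    # locally installed MITM root produces.
    if any(issuer == name_fields(root, "subject") for root in trusted_roots):
        return "direct-root-issued"
    return "ok"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with the platform trust store, then classify the served leaf."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_leaf(tls.getpeercert(), ctx.get_ca_certs())


# Constructed samples in the exact dict shape ssl.getpeercert() produces.
SUPERFISH_ROOT = {"subject": ((("organizationName", "Superfish, Inc."),),
                              (("commonName", "Superfish, Inc."),))}
LOCAL_CORP_ROOT = {"subject": ((("commonName", "Corp Local Root (constructed)"),),)}
LEAF_INTERCEPTED = {"subject": ((("commonName", "www.example.com"),),),
                    "issuer": SUPERFISH_ROOT["subject"]}
LEAF_DIRECT = {"subject": ((("commonName", "www.example.com"),),),
               "issuer": LOCAL_CORP_ROOT["subject"]}
LEAF_CLEAN = {"subject": ((("commonName", "www.example.com"),),),
              "issuer": ((("commonName", "Example Intermediate CA (constructed)"),),)}

if __name__ == "__main__":
    roots = [SUPERFISH_ROOT, LOCAL_CORP_ROOT]
    for label, leaf in (("intercepted", LEAF_INTERCEPTED),
                        ("direct", LEAF_DIRECT), ("clean", LEAF_CLEAN)):
        print(f"{label}: {classify_leaf(leaf, roots)}")
```

Run `check_host("www.example.com")` on a live machine to apply the same classification to a real handshake.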


Lessons Learned

It’s becoming clear that more software than just Superfish was using the faulty Komodia private key. It’ll likely be a while before the practical implications of the Superfish/Komodia software combination are fully known. How many machines are really affected? How likely is it for an attacker to leverage this against a victim in the real world?

But in the end the real point here is that the software included on a new machine simply cannot be trusted in an era where companies are playing fast and loose with users’ privacy and security. A full wipe and operating system reinstallation should be standard operating procedure on any new computer, whether it’s for personal or for business use.

With employees unaware of the potential dangers of their personal devices, it is vitally important to be aware of all devices connecting to your network.


White House Security Summit Urges Cooperation

Amid a rising tide of security threats both foreign and domestic, the White House recently convened a Summit on Cybersecurity and Consumer Protection aimed at increasing security cooperation between government and private industry. Since the widely publicized attack against Sony Pictures, issues of cybersecurity have become a hot topic for the current Administration, culminating in this meeting of the minds between government, industry, and the public. When announced in January, President Obama said the goal of the Summit was to “bring everybody together — industry, tech companies, law enforcement, consumer and privacy advocates, law professors who are specialists in the field, as well as students — to make sure that we work through these issues in a public, transparent fashion.”

While few would argue that increased cybersecurity is something the nation should have a dialog on, the Summit was not without critics. Some questioned the White House’s motives when pushing for greater transparency and exchange of information with private industry, and there was the ever-present concern over privacy and respect of civil liberties. The true impact of the Summit on Cybersecurity and Consumer Protection won’t be known for some time, but there’s no question that it has already raised some very interesting points.


Government Information Exchange

At the Summit, the President explained that security was not something that either party should be working on in isolation of the other: “Government cannot do this alone. But the fact is that the private sector can’t do it alone either because it’s government that often has the latest information on new threats.” To this end, the President revealed his Executive Order entitled “Promoting Private Sector Cybersecurity Information Sharing”, which laid out the ground rules for information exchange in as near to real-time as possible.

The very mention of government exchanging data with private industry is a red flag for many privacy advocates, and for good reason. Collecting even cursory data about an individual’s Internet usage can divulge a treasure trove of personal information, and print an eerily accurate image of a person’s digital life.

For what it’s worth, the Executive Order does attempt to address these concerns from the start. A sentence early on in Section 1 of the Order explains that collection and transmission of the data must be done in the most secure way possible, and always done with privacy in mind:


“Such information sharing must be conducted in a manner that protects the privacy and civil liberties of individuals, that preserves business confidentiality, that safeguards the information being shared, and that protects the ability of the Government to detect, investigate, prevent, and respond to cyber threats to the public health and safety, national security, and economic security of the United States.”


But a keen eye will note the second half of the sentence, which notes that any methods used must not interfere with “the ability of the Government to detect, investigate, prevent, and respond to cyber threats”. In other words, while protecting civil liberties is important, the government still needs to be able to fully utilize the data however they see fit if it is deemed to be an issue of national security.


Getting the Cold Shoulder

Despite the President’s hope that the Summit would bring together all the major players in the technology world, it seemed many companies didn’t take the event quite as seriously as the White House would have liked. According to Bloomberg, Facebook CEO Mark Zuckerberg, Yahoo CEO Marissa Mayer, and Google’s Larry Page and Eric Schmidt all turned down invitations to attend; leaving a conspicuous gap in attendance at an event that was supposed to represent the tech industry as a whole.

Given the government’s track record, it should come as no surprise. Public opinion of the government in regards to civil liberties is at an all-time low, and tech companies are wary of being seen working closely with the government after the public backlash from the Edward Snowden leaks. While Google, Facebook, and Yahoo did send individuals from their respective security divisions to the Summit to take part in the discussions, the absence of their most forward-facing executives is a clear statement that the tech elite aren’t willing to publicly work together with the government unless everyone is playing by the same rules.

Massive Breach at Healthcare Provider Anthem

The top tech story over the last few days is certainly the announcement that health care provider Anthem, the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, was the target of a massive data breach. All told, personal information on over 80 million customers has been leaked to an as yet unknown attacker, making this easily one of the industry’s largest breaches.


Leaked Data

A hastily put together website attempts to downplay the importance of the attack by saying in large letters at the top of the page that there’s no sign credit card and medical information have been compromised. That makes for a great quote, but reading the full text of the page reveals the true enormity of the situation:


“Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.”


So while their customers’ credit card numbers may be safe, attackers seem to have made off with nearly every other important piece of information about their lives. Losing this much data, about this many customers, is absolutely huge. While customer data breaches seem to be becoming something of a monthly tradition as of late, they usually just include credit card numbers and maybe names; after all, most of these breaches have been at retailers.


Calls for Accountability

Demands that companies be held liable for loss of data in situations like this are nothing new and are unlikely to go away anytime soon with so much fuel being heaped onto the fire. This breach is yet another example of the increasingly sophisticated attacks being leveled against large corporations in an effort to smuggle out personal information. Given the gravely important nature of the data these companies hold on their customers, and the tenacity of those trying to steal said data, many believe government oversight of IT security processes is a necessary evil.

While it’ll still be some time before we know if the government will directly step in on this case, we’re already seeing some individuals taking action. Bloomberg reports that a woman in California has already stepped forward with a lawsuit against Anthem, citing their failure to properly secure customer data.

Dangerous Precedent Set in Topface Hack

An interesting bit of news has recently come out of Russia, where the popular dating site “Topface” agreed to pay an attacker an unspecified amount of money to prevent them from selling a list of 20 million email addresses that had been stolen from their servers. Topface Chief Executive Dmitry Filatov was quoted as saying his company had, “paid him an award for finding a vulnerability and agreed on further cooperation in the field of data security”, but those in the security industry see it for what it really is: ransom.

Calling this transaction anything other than an act of extortion is a dangerous precedent to set, and if condoned by the media, may end up causing headaches for other companies down the line.


Questionable Details

On the surface, it seems straightforward enough: the attacker, known as “Mastermind”, made off with 20 million customer email addresses and was attempting to sell them online, and Topface took him up on the offer and bought the email addresses themselves to prevent them from being released. Presumably the details on the attack would also be disclosed so Topface could plug up whatever leak let Mastermind make off with the data in the first place, which is likely what was meant by “further cooperation in the field of security.” The deal seems to be of questionable wisdom, but otherwise logical.

But the story immediately sounds odd to anyone with experience in the security field. Email addresses, without context or additional data, aren’t worth a whole lot. The spam email industry is proof of just how common lists of millions of email addresses are; you don’t need to break into a company’s server to steal a list of email addresses, you can get those anywhere. So why pay Mastermind for something that didn’t have much street value to begin with?

It seems likely there was more information at stake than what Topface is claiming, such as personal information or passwords. It could be that Topface is attempting to downplay the severity of the breach by saying only email addresses were compromised. Or perhaps what Topface was really purchasing wasn’t the data itself, but the information required to fix the initial vulnerability and potential backdoor from Mastermind’s attack. It may even be that there are some addresses on that list which wouldn’t go over well if the public saw them, such as those of politicians.

It’s a facet of this story that we’ll likely never know, as there’s no reason for either party to spill the beans. But it would be nice to hear just what was so important that Topface was willing to make such a bold public move.


Dangerous Precedent

In the end, the details of the attack and subsequent deal are moot. The real story here is the precedent that Topface has set for attackers looking to make a quick buck. Why disclose a vulnerability through the proper channels when you can just steal some data from the target and sell it back to them later? If one company is willing to suffer the slings and arrows of the tech media to get their data back, so will others.

While bug bounties are a popular and increasingly common way to get your systems or code tested, there is an extremely important distinction between offering up a reward for penetrating your system and asking a company to pay you so you don’t reveal the data you’ve already stolen. Topface calling the money they paid Mastermind a “reward” is a simple gesture that makes them look better, but at the same time endangers the security industry as a whole.