Tuesday, December 1, 2015

Keep Your Spirits Bright

The holiday season is upon us, the time of year when we defy our normal spending and travel patterns. A bicyclist in Los Angeles hops on a plane to visit friends in Omaha where they spot a great deal on a putter that they ship to their favorite uncle in Texas. A Memphis lawyer spends Cyber Monday hunting for the best deals on imported wine for pickup in an NYC shop for their former college roommate. Best friends head to Las Vegas for a break from the early Colorado winter.

Why are these activities important? Because banks and credit card processors use automated fraud detection systems that "learn" our normal spending habits and locations, then raise alerts on anomalous behaviors. The bad guys look forward to this time of year as much as kids await the season's first snow day. Fraudsters can count on consumers breaking their own models, which may slow down these anti-fraud detections and give criminals more time and flexibility for identity theft.

Some banks are better at detection than others, of course. But the onus isn't completely on them. There are simple steps you can take to protect yourself.

First and foremost, everyone should have a security freeze on their credit. Sometimes called a "credit freeze," this requires your direct participation to grant explicit access to your credit report in any request for information or application against your social security number. It's a bit of a pain to implement because you need to contact all of the "big 3" credit reporting agencies - Experian, Equifax and TransUnion - but the hour or so out of your life is worth the peace of mind knowing that fraudsters can't open new accounts in your name. You can learn more about security freezes at the FTC website here: http://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

There are other steps you can take to keep the criminal Grinches at bay. Check your bank and credit card activity online more closely during the holidays, at least once a week. And while you're there, enable two-factor authentication ("2FA"), sometimes called "advanced access" or "identification code." This is a huge step in preventing bad guys from brute-forcing and/or phishing your login credentials. You can read more about that topic in my previous post, "What's In a (Pass)word?" Since that post was first published, more online services offer 2FA including banks, email providers and social networks.

With these few precautions, you can spend less time worrying about identity theft, or, worse, cleaning up the aftermath of fraud, and spend more time with loved ones. Happy holidays!

Friday, September 25, 2015

One Woman's Perspective

The topic of women in technology has come up a lot this year. I have never wanted to be included in any group, team, or job simply because my gender meets some diversity quota. I have always expected (and sometimes demanded) to be recognized for my unique skills and talent. What sets me apart, and I've noticed a similar trait among the other women in cyber crime fighting circles, is that I'm not just competent but also confident. I can only speak from my own experience but that confidence started with my parents. They told me - and showed me - that I could be or do anything and I believed them.

My mother led by example, breaking barriers as the first female stadium announcer in the US; she was the voice of the Reno Silver Sox, a now-defunct minor league baseball team. When we left Reno she worked as a temp in our new home town and soon rose to the executive level at that agency. In my house, gender inequity was something we saw on TV that my parents had a heck of a time explaining to me.

As a little girl I broke things to figure out how they worked then I put them back together. Sometimes I made them work better than they were before or added capabilities. I started with radios and telephones, graduated to televisions and small appliances, and, ultimately, found my way to computers and software.

So, what did my parents do during my auspicious early years? My dad gave me a corner of his workshop and some basic safety instructions then turned me loose. He took me to Radio Shack to spend my allowance on electronic components when I wanted to build things from scratch just to see if I could. He gave me old junk that hadn't worked for years so I could tinker or cannibalize the parts for other projects. I have a brother who showed similar interests. My dad treated us exactly the same.

That's where the magic happened and that's where I think we can all effect real change - if you have a daughter, feed her curiosity, encourage her enthusiasm and give her the confidence to follow her passions. If you don't have a daughter, it's a safe bet you know someone who's a parent of a daughter, whether they're your friends, your cousins, your in-laws, whatever.

Accomplishments take perseverance and perseverance requires a "damn the torpedoes" attitude which comes from within, not from someone saying "we need more <insert your underrepresented group here>." I believe I can accomplish any goal because I don't stop until I do and I now have a track record to prove it. That's the challenge I throw down in front of each of you, and will continue to tackle myself. Mentor girls. Inspire girls. Encourage girls. Be among the people they remember who gave them the confidence to keep going.

Sunday, April 5, 2015

What's In A (Pass)Word?

Prevailing wisdom among information security practitioners is that passwords are outdated as a secure means of authentication. However, until a better way achieves wide adoption they are a fact of online life.

Password Harvesting

So how do the bad guys get your password in the first place? There are lots of ways:

  • Sites like LeakedIn and Pastebin are popular locations for "dumps," collections of usernames or email addresses and associated passwords found by good guys, disclosed by rival bad guys, or posted as proof of an attacker's l337ness.
  • Spammers buy or trade validated credential dumps in underground forums: lists of usernames or email addresses with passwords that have been proven active by running them through automated account-checking programs that log into each account at least once.
  • Credential-harvesting malware, like keystroke loggers and web form injections, that collects usernames and passwords typed into browsers on victim computers and sends them to a central collection point under the attacker's control.
  • Phishing emails that entice victims to log in to replica, or "spoofed," websites that look exactly like popular online banking and email sign-in pages.
  • Brute-force attacks against websites built on popular free platforms, like WordPress and Joomla, or against Internet-facing databases, using automated scanning and exploit tools.

All of the attack tools are incredibly easy to find and so are credential dumps.

3 Basic Rules

The best defense is a good offense. It's trite but true. Let's start with the basics. Good password hygiene consists of 3 factors: complexity, length, and uniqueness.

A complex password is one that consists of upper and lower case letters, numbers, and special characters. The purpose of complexity is to defeat password crackers, automated programs that compare encrypted or hashed passwords against word lists. This is aptly known as a "dictionary attack," and for good reason: password crackers run comparisons against plain-language word lists and obvious variations. The more recognizable the password, the faster it can be cracked. For example, poppy123 is revealed in milliseconds, while pO9Py!@# can take hours or days, depending on the password-cracking program.

Just as important is password length. To grossly oversimplify the description of the computational process, password crackers "recognize" each character of a password, one by one. Therefore, the longer the password, the harder you force the cracker to work. It's kind of like the joke about outrunning an angry bear - you don't need to have the longest password, you just need to have one that's longer than the next guy's. Miscreants who crack passwords are typically going for quantity. They stop cracking when they've recovered a victim list long enough to be worth their while, financially speaking. The harder password hashes get tossed out or recycled into credential lists they'll later sell or trade themselves for someone else to have a whack at them.

The single most important hygiene factor is uniqueness. This means that every time you register for an online account or change an existing password, you create a password that you don't use anywhere else. In other words, your email password is different from your Facebook password that's different from your Twitter password, banking password, and so on. Obviously, this means we have to keep track of an awful lot of passwords. There are several schools of thought on how best to do this. There are apps called password lockers that let you store all of your passwords and associations in a single place on your computer or smart phone. There's also good, old fashioned pencil and paper - writing down this information in a notebook. Some people I know use "forgot your password" as their preferred method, using this feature on websites to change their password every time they log in, subscribing to the above concepts with zeal because they're not worried about remembering it. Each password management method has its pluses and minuses. The right way is the one that works for you.
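The complexity and length rules above can be turned into a checker. This is an added example, not code from the original post: it estimates the brute-force search space a cracker faces (character-class alphabet raised to the password length), and it flags passwords that are only "obvious variations" of a dictionary word. The word list, the leet-substitution table, and the 12-character minimum are all assumptions of this example; real cracker word lists hold millions of entries.

```python
import math
import re

# Constructed stand-in for a cracker's word list (assumption: real lists are huge).
COMMON_WORDS = {"poppy", "password", "welcome", "dragon", "letmein", "qwerty"}

# Assumed leet-speak substitutions a wordlist cracker undoes when it mangles words.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})

# Character classes and the alphabet size each one contributes.
CLASSES = [
    (r"[a-z]", 26),
    (r"[A-Z]", 26),
    (r"[0-9]", 10),
    (r"[^A-Za-z0-9]", 33),   # printable ASCII punctuation and space
]


def keyspace_bits(password):
    """Brute-force search space as log2(alphabet ** length).

    Complexity widens the alphabet; length raises the exponent, so each extra
    character multiplies the cracker's work rather than adding to it."""
    alphabet = sum(size for pattern, size in CLASSES if re.search(pattern, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def dictionary_base(password):
    """Undo the cheap variations a wordlist cracker tries (case, leading or
    trailing digits/punctuation, leet substitutions). Returns the matching
    dictionary word, or None if no simple mangling rule reaches one."""
    lowered = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    for candidate in (stripped, stripped.translate(LEET), lowered.translate(LEET)):
        if candidate in COMMON_WORDS:
            return candidate
    return None


def assess(password, min_length=12):
    """Return (verdict, bits). A dictionary-derived password is weak no matter
    how many character classes it mixes in; the length floor is an assumption."""
    bits = keyspace_bits(password)
    word = dictionary_base(password)
    if word:
        return f"weak: variation of dictionary word '{word}'", bits
    if len(password) < min_length:
        return f"weak: shorter than {min_length} characters", bits
    return "ok", bits
```

Run against the post's two examples, poppy123 is caught as a mangled dictionary word while pO9Py!@# is not, which is exactly why the latter costs a cracker far more time.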

Additional Protections

But, wait, you're saying. What about that credential-stealing malware and phishing mentioned earlier? All the clever strategies in the world won't help if you hand your password to the bad guys in these cases. And you're right. This is where two-factor authentication and keystroke scrambling come in.

Two-factor authentication, also known as 2FA, is where you not only need a password but another piece of code to prove that you are who you say you are. Examples of this are cryptographic tokens, like chip-and-pin cards or USB dongles, and SMS text codes, a unique identifier sent to your cell phone that you type into a website to complete the login process. The former can't be easily replicated by miscreants, while the latter can be captured by keystroke loggers but the data is nearly worthless because it's only good for a very limited time. If you notice my equivocation, this is intentional. No 2FA method is 100% hack proof but, again, the harder the challenge the more likely the bad guys will go after easier targets and away from you.
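The reason a captured SMS code is "nearly worthless" is that the server only honours it for one user, one use, and a short window. The following is an added example of that server-side logic, not code from the original post or from any particular bank: the two-minute lifetime, the three-guess limit, and the six-digit format are assumptions, and in a real deployment the issued code would go to an SMS gateway rather than back to the caller.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed lifetime of a code
MAX_ATTEMPTS = 3         # assumed guess limit before a fresh code is required


class OneTimeCodeStore:
    """Server-side record of SMS-style login codes.

    A code is bound to one user, consumed on first successful use, and
    discarded after CODE_TTL_SECONDS, so a code captured by a keystroke
    logger is useless once it has been typed or once the window closes.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be tested
        self._pending = {}         # user -> [code, expires_at, attempts]

    def issue(self, user):
        # Six decimal digits from a CSPRNG; replaces any earlier pending code.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [code, self._now() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False           # nothing issued, or already consumed (replay)
        code, expires_at, attempts = entry
        if self._now() > expires_at:
            del self._pending[user]
            return False           # expired: a stolen code past its window is dead
        if attempts >= MAX_ATTEMPTS:
            del self._pending[user]
            return False           # too many guesses: force a fresh code
        entry[2] += 1
        if not hmac.compare_digest(code, submitted):
            return False           # constant-time compare, attempt counted
        del self._pending[user]    # single use: consumed on success
        return True
```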

Keystroke scramblers are anti-keystroke loggers, programs that turn your typing into random characters when collected by malware and phishing sites, while sending the real information to the website you're logging into. Keystroke scramblers do this by encrypting each action of the keyboard at the driver or operating system kernel level and verifying the recipient website. Again, this technology isn't 100% guaranteed to keep your passwords out of the hands of the bad guys but it certainly makes your information a less desirable target by wasting their time.

Will passwords be replaced with stronger authentication mechanisms some day? A lot of smart people are working towards this very goal. Until a solution is ubiquitous, these tips should help you stay safer online.