Sunday, October 11, 2009

Good Newsweek article on Passwords

Good article in Newsweek on "Building a Better Password" laying out some of the issues with good passwords and how those issues are changing, for example phishing replacing brute force attacks. It also has some good discussion of possible replacements - text messages and an image-based scheme.

Tuesday, October 6, 2009

Some more security podcasts I'm enjoying

I've been traveling a lot recently and listening to a number of podcasts, including some good security podcasts, so I thought I'd mention a few of my favorite security podcasts.

I previously mentioned the Security Now podcast, which I'm still listening to. But I've added a few more to my subscription list.

Gary McGraw of Cigital has a pair of podcasts that I enjoy. The Silver Bullet podcast is a series of interviews with security researchers and practitioners, which spans a wide array of security personalities. (I particularly found the interview with Fred Schneider interesting.) These interviews touch on technical and non-technical aspects and I think would be interesting for people with a range of security interests.

The Reality Check podcast, also from Gary McGraw, is a series of interviews with folks leading secure software programs. It's a little more technical than Silver Bullet, but definitely of interest to anyone interested in secure software development.

I've also been listening to the OWASP Security podcasts. These are fairly focused on issues of web application security and tend to get somewhat into the minutiae, but in terms of educating oneself on that specific area, they are reasonably good.

I've also got some Rear Guard podcasts in my queue, but haven't listened to them enough yet to really comment.

Roger Johnston's Security Maxims

I was reminded of Roger Johnston's great list of Security Maxims while listening to a recent (#215) episode of Security Now. Well worth reading.

For example:
Arrogance Maxim: The ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it, and to how often they use words like “impossible” or “tamper-proof”.

Sunday, September 13, 2009

Good article on setting up a wireless network.

InformIT has a nice article on setting up a wireless network. Only a couple of the tips are security related, but they boil it down simply:

#4 Use WPA2 Encryption

#5 Save the Encryption Key/Passphrase


See the whole article for more details.

Friday, June 26, 2009

A call to stop password masking - I agree

I came across this post by Jakob Nielsen (via Bruce Schneier) that calls for an end to the practice of "password masking" - that is, showing asterisks instead of the typed characters for passwords:
Username: vwelch
Password: *********
I believe this is a security best practice that carries over from a very different time (~30 years ago) when computers were too expensive to be private systems, but existed almost exclusively in public places (remember computer labs?). Hence passwords were almost always typed with someone potentially looking over your shoulder.

These days 95%+ of the time, I'm typing when I'm the only one in the room, or with my back to a wall, or in some other situation where I'm just not worried about someone spying. I'm also typing on a variety of devices with alternative keyboards, e.g. iPhones, that make typing long passwords difficult, and there is nothing more frustrating than typing a 24 character password only to be told there is something wrong with it without being able to see what (it reminds me of a demented game of Mastermind).

Now certainly there are situations where masking is good - you are sitting in an airport, giving a demo, etc. - so I believe there certainly should be an option to mask (or maybe masking is the default and there is an option to unmask; that seems like a minor point). But I believe not giving the user the ability to tune this particular security-usability trade-off to fit their situation is a mistake. Unlike many other security decisions, this is something that I believe people will intuitively know when to do, as it is very much rooted in the physical world, where people's intuition works reasonably well.

The main lesson here is that "best practices" are often created for a certain time and environment. Things change - very rapidly where the Internet and computers are concerned - and we need to regularly re-examine these things and not accept them as gospel.

Saturday, May 30, 2009

Deleting vs Securely Deleting

I listened to an NPR story "How To Erase Old Hard Drives Without A Drill Bit" by Skye Rohde (yeah, I'm behind on my podcasts). I thought the story did a good job on the subject, but only touched on the issue of deleting vs securely deleting files and what that means, so I thought I'd discuss that a bit.

Backing up, the basic problem is you have a computer you either want to dispose of, sell to someone, or donate to your favorite charity ("reuse" is always good!). But you've got various personal information on that computer - credit card numbers, personal correspondence, home movies, photos, etc. - that you want to get rid of before you do so.

So why not just delete those first?

Well to put it simply: deleting files on a computer doesn't really delete them.

It's legitimate to say "huh?" at this point.

The easiest way I've found to explain this is to think of files on a computer like chapters in a book: there is the chapter itself with all the text, analogous to the data in the file, and there is an entry for the chapter in the table of contents, in technical terms a reference to the data.

When you delete the file, it's analogous to deleting the entry for the chapter in the table of contents. While it looks like the chapter is gone, it's still on the pages, and if someone goes flipping through the book they can find the text. Similarly, when deleting a file you just delete the reference to the file; someone with the right tools can go looking through the hard drive and find the data.

A "secure delete" on the other hand not only deletes the entry from the table of contents, it goes to the pages with the chapter and wipes those pages clean of any data. In other words, it actually makes sure the data itself is deleted, not just any references to the file.

Granted, if you do a normal delete, eventually the data will get overwritten as the computer reclaims the space when you write new files, but this is an unpredictable process. It could happen tomorrow, or it could still not have happened a year from now.
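To make the book analogy concrete, here is an added example (my illustration, not code from the post or from any of the tools it mentions) of a toy disk with a table of contents and fixed-size blocks. A normal delete only removes the table-of-contents entry, so a block-scanning "recovery" still finds the data until the block happens to be reused; a secure delete overwrites the blocks first. The second half does the same overwrite-then-unlink step on a real file, which is what tools in the srm/SDelete family do. The sample "card number" and file names are constructed for the demo.

```python
"""Added illustration: why 'delete' leaves data behind, and what 'secure delete' adds."""
import os
import secrets
import tempfile

BLOCK_SIZE = 16  # bytes per "page" of the toy disk


class ToyDisk:
    """A disk is a list of fixed-size blocks plus a table of contents (toc)
    that maps each file name to the blocks holding its data."""

    def __init__(self, n_blocks=8):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))  # block numbers available for new files
        self.toc = {}                      # file name -> list of block numbers

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        idxs = [self.free.pop(0) for _ in chunks]
        for i, chunk in zip(idxs, chunks):
            self.blocks[i][:] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.toc[name] = idxs

    def read(self, name):
        return b"".join(bytes(self.blocks[i]) for i in self.toc[name]).rstrip(b"\0")

    def delete(self, name):
        """Ordinary delete: drop the toc entry and mark the blocks reusable.
        The bytes inside the blocks are left exactly as they were."""
        self.free.extend(self.toc.pop(name))
        self.free.sort()  # toy policy: lowest free block is reused first

    def secure_delete(self, name, passes=1):
        """Secure delete: overwrite every block the file occupied, then delete."""
        for i in self.toc[name]:
            for _ in range(passes):
                self.blocks[i][:] = secrets.token_bytes(BLOCK_SIZE)
            self.blocks[i][:] = bytes(BLOCK_SIZE)  # finish with zeros
        self.delete(name)

    def carve(self, needle):
        """What a recovery tool does: scan the raw blocks and ignore the toc."""
        return needle in b"".join(bytes(b) for b in self.blocks)


def toy_demo():
    """Returns (found after delete, found after the block is reused, found after secure delete)."""
    secret = b"4111 1111 1111 1111"  # constructed sample, not a real card number
    d = ToyDisk(n_blocks=2)
    d.write("card.txt", secret)
    d.delete("card.txt")
    after_delete = d.carve(b"4111 1111")          # still there: only the toc entry is gone
    d.write("photo.jpg", b"holiday photo bytes")  # new file reuses the freed blocks
    after_reuse = d.carve(b"4111 1111")           # now overwritten, by luck of reuse
    d2 = ToyDisk(n_blocks=2)
    d2.write("card.txt", secret)
    d2.secure_delete("card.txt")
    after_secure = d2.carve(b"4111 1111")
    return after_delete, after_reuse, after_secure


def _fill(f, size, chunk_of):
    """Rewrite the first `size` bytes of an open file with chunk_of(n) bytes."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(remaining, 65536)
        f.write(chunk_of(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())


def overwrite_and_unlink(path, passes=1):
    """Overwrite a real file in place (random data, then zeros) before unlinking it.
    Caveat: this only helps where the filesystem rewrites the same physical
    location; SSD wear-levelling, copy-on-write and journaling filesystems
    can keep old copies, which is why whole-disk wiping is a separate topic."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            _fill(f, size, secrets.token_bytes)
        _fill(f, size, bytes)  # bytes(n) is n zero bytes
    os.unlink(path)


def real_file_demo():
    """Create a throwaway file, securely delete it, report whether it is gone."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"personal correspondence, constructed sample\n" * 100)
    overwrite_and_unlink(path, passes=2)
    return not os.path.exists(path)


if __name__ == "__main__":
    print("toy disk (after delete, after reuse, after secure delete):", toy_demo())
    print("real file removed:", real_file_demo())
```

The toy disk reuses the lowest free block first so the "eventual overwrite" shows up immediately; a real filesystem's reuse order is what makes that step unpredictable in practice.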

If my explanation doesn't work for you, there are certainly many others on the net. One I found that I like is LifeHacker's post on "Properly Erase Your Physical Media".

So how do you go about securely deleting files?

Unfortunately, as mentioned in the NPR story, it's not always straightforward. Here are some links to software or methods that I've found useful. Note that these all assume you are deleting individual files as opposed to wiping (or formatting) the whole disk, which is more complicated and a topic for another post.
  • Macintosh computers have the ability to securely delete built in
  • For Windows systems there is software such as SDelete
  • For Linux there is software such as srm (also works for Mac)
And of course, if you aren't planning on having the drive be reusable, you can apply the physical methods to the drive they mention in the story - take it apart and break the platters (the round things in the drive the data is actually written on) or drill a hole through the drive.

Frankly, unless you think the NSA is interested in your data for some reason, just taking the drive apart and scattering the platters into different trash cans should do it - that will make the job of reconstructing the data more complicated than all but the most dedicated privacy thief is interested in.

Sunday, April 26, 2009

Cool way to check for Conficker

Conficker is the latest worm infecting Windows-based computers. And while worms aren't really my area of specialty and I wouldn't normally comment on them, a clever person came up with a way to test whether your computer has a Conficker infection just by visiting a website, and I wanted to give kudos for it.

If you visit that site you should see a set of images like these below (without the word "SAMPLE"):

If you only see a subset of the images, you might have a problem (see the site for details). The page also gives suggestions for cleaning Conficker from your system.

How does this work? One of the things Conficker does is block the computer it infects from connecting over the network to various anti-virus websites, to prevent the computer from installing software that might remove Conficker. The images on the web page are actually loaded from the websites of the security companies, and since Conficker blocks any connections to those sites, it will block the images from being loaded by your browser and you won't see all of them.
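The same differential idea can be run from a script rather than a browser. Below is an added example (mine, not code from the post or from the check page it links) that probes a list of hosts and compares the results against a control host. The host names are placeholders, since the post does not say which security-company sites the real page loads its images from, and the control-host step is my addition: without it, a machine that is simply offline looks the same as one whose connections are being blocked.

```python
"""Added example: a differential reachability check in the spirit of the Conficker test page."""
import socket
from typing import Callable, Dict, Iterable, List

# Placeholder hostnames (assumption): stand-ins for the security-vendor sites
# the real check page loads its images from.
CHECK_HOSTS: List[str] = ["vendor-a.example", "vendor-b.example", "vendor-c.example"]
# A site with no reason to be blocked, used as a baseline for "is the network up at all?"
CONTROL_HOSTS: List[str] = ["control-site.example"]


def tcp_probe(host: str, port: int = 80, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port can be opened within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_probes(hosts: Iterable[str], probe: Callable[[str], bool] = tcp_probe) -> Dict[str, bool]:
    """Probe each host once; `probe` is injectable so results can be replayed offline."""
    return {h: probe(h) for h in hosts}


def assess(results: Dict[str, bool], check_hosts: Iterable[str], control_hosts: Iterable[str]) -> str:
    """Classify a set of probe results.

    'inconclusive' - no control host reachable, so the machine may just be offline
    'clean'        - every vendor site reachable
    'suspicious'   - control reachable but every vendor site blocked
    'partial'      - some vendor sites blocked; worth investigating, as the post says
    """
    if not any(results.get(h, False) for h in control_hosts):
        return "inconclusive"
    check_hosts = list(check_hosts)
    blocked = [h for h in check_hosts if not results.get(h, False)]
    if not blocked:
        return "clean"
    if len(blocked) == len(check_hosts):
        return "suspicious"
    return "partial"


def check_this_machine() -> str:
    """Live run against the placeholder hosts (expect 'inconclusive' unless they resolve)."""
    results = run_probes(CHECK_HOSTS + CONTROL_HOSTS)
    return assess(results, CHECK_HOSTS, CONTROL_HOSTS)


if __name__ == "__main__":
    print(check_this_machine())
```

Injecting the probe function is what makes the logic testable without a network; a replayed result set such as "control up, all vendors down" should come out as suspicious, while "everything down" should not be read as an infection.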

Pretty clever in my opinion and I wanted to pass it on.

Wednesday, April 8, 2009

Good SciAm article on Phishing

On a recent flight I had an opportunity to catch up on my reading and found a Scientific American article on How to Foil "Phishing" Scams to be a good read. For those of you not familiar with the term phishing, it has nothing to do with the band Phish, but instead refers to the malicious practice of sending email in order to trick people into revealing personal information, usually by directing them to a website masquerading as their bank.

I thought the following point in the article was particularly interesting. Basically people are more likely to learn from educational material about phishing once they have fallen for a phishing scam.
With some of these insights in mind, members of my team, Ponnurangam Kumaraguru, Alessandro Acquisti and others, developed a training system called PhishGuru, which delivers antiphishing information after users have fallen for simulated phishing messages. The program incorporates a set of succinct and actionable messages about phishing into short cartoons, wherein a character named PhishGuru teaches would-be victims how to protect themselves. In a series of studies, we demonstrated that when people read the cartoons after falling for the simulated phishing e-mails that we sent to them, they were much less likely to fall for subsequent attacks. Even a week later our test subjects retained what they had learned. In contrast, those who read the PhishGuru cartoons sent to them by e-mail, without experiencing a simulated attack, were very likely to fall for subsequent attacks.
The article then goes on to describe attempts to create training that simulates being phished, hopefully kicking in the increased chance of learning without the consequences of falling for a phishing scheme first.

I think this pattern is typical across security education - until someone has been harmed by a security failure, they don't see the motivation to try and improve things, by learning or other means. Perhaps the idea of incorporating simulation into security training to kick in this response might have good application across other aspects of security as well?

Sunday, March 29, 2009

LifeHacker collection of user password stories

An entertaining LifeHacker post collecting reader password stories that is worth a read. A couple suggestions for generating passwords also thrown in.

Monday, March 23, 2009

What is identity on the web these days?

Identity is a funny thing. It seems intuitively obvious, but like many such concepts, it becomes really confused when you move it from the real world to the Internet.

In the "old days" of the Internet (last century), your identity was an email address. Back then email addresses were not handed indiscriminately - you generally got them from your employer or your school, or you paid for them from a service provider (e.g. CompuServe). An email address was likely to be a reasonable representation of your legal name, unlikely to be reused and the combination of your name and the institution it belonged to usually served to identity you fairly well.

This was the last time Identity on the Internet was simple.

Now email addresses are increasingly disposable. There are lots and lots of places that will give you email addresses with any name that happens not to be taken with no concern about who you are. Plus many that provide anonymity as a feature.

And the organizations like schools and workplaces that hand out long-lived email addresses have had to resort to various schemes to "uniqify" them. The first John Smith may have gotten "jsmith", but a new John Smith showing up today is more likely to get "jas0009". Unique, yes, but not very representative of the person's real name.

Also, email is not the primary communication mechanism any more. The Web has opened a proliferation of social networking sites - Twitter, Facebook, MySpace, etc. Even Amazon has profiles for customers who choose to review things.

Each of these sites has its own concept of identity. Von Welch on Facebook might be vonwelch on Twitter which might be Von Welch on MySpace, etc. It's easy for people to have multiple identities across these different sites. Or even on the same site.

In many ways this is a good thing. It's often useful to have different identities for different purposes - for example, one identity for work and one for personal life.

But this does cause some issues. For example, you could jump someone's claim and snag their identity on a social networking site they aren't using yet. Even if they are already on a site, you can grab an intentionally similar name and claim to be them. To help counter this, there are now sites that let you check for people impersonating you, but even if you discover someone acting as you, what you can do about it is not always obvious - how does Facebook know which you is you?

What's the upshot of all this? Identities are no longer intuitive. Like the Internet they are becoming more complex, and the rules we apply in the real world without much thought just don't work any more.

How we are going to deal with all this is still emerging and I suspect will be for a long time. Being aware of the issue is the first step.

Sunday, March 15, 2009

My letter to the editor regarding Identity Theft

Whenever you consider a security problem, two questions to ask are: Who will suffer if security fails to provide protection? And who is responsible for providing security?

If the answers to those two questions aren't the same person, you have a sticky situation, because that means the person in charge of security isn't the one that suffers. That leads to a variety of problems related to a lack of motivation in providing security, at least to the level that the person who suffers would like to see it provided.

Sometimes a lot of effort (and money) goes into shifting responsibility to avoid having to provide security.

The subject of "Identity Theft" is one that annoys me, because it is one such area where those who should be responsible (banks, credit card companies, etc.) have done a good marketing job of shifting the responsibility to you and me.

After seeing an article on medical identity theft in my local paper, I wrote a letter to the editor hoping to raise awareness and understanding of this issue.

Monday, February 23, 2009

Security Now! - a good security podcast for learning security.

I've listened to a number of security podcasts and most are targeted at either IT professionals who need to know about the latest security threats for their job, or at security professionals with in-depth discussions of the latest research or threats.

From these experiences, I wanted to mention the Security Now! podcast, which has a decidedly educational slant to it that would suit people who want to learn about security. It's not for absolute beginners - some basic understanding of information technology is required - but for someone with a basic computer understanding wanting to learn about security, it's as good as anything I've found.

The hosts, Steve Gibson and Leo Laporte, have lively personalities and do a good job of being entertaining, something not ubiquitous in the world of security podcasts. I have to give them kudos as they have managed to discuss security weekly for over three years now, being up to episode 184 at the time of this writing (granted, every other episode is question and answer).

Here are some specific observations about the show:
  • Steve and Leo are primarily Microsoft Windows users. A lot of what they discuss isn't Windows-specific, but you aren't going to hear much of anything about Macs or Linux on the show.
  • "TWIT" doesn't refer to a twit but instead stands for This Week In Tech, another podcast Leo does (which I admit I have not listened to).
  • As I mentioned above, every other episode is listener Q&A, which often leads to explanations of complicated issues they previously covered and serves to be educational.
  • While Steve does a good job of preparing technical matter for shows, be a little wary of surprise issues that come up. I've seen them jump to erroneous conclusions at times, Leo in particular. To their credit, they do correct themselves in a subsequent show's errata or, as happened once with a particularly bad misunderstanding, Leo edits in a correction before the podcast is distributed.
So, if you are interested in learning a little more about security, I recommend giving Security Now! a try. The show is available by subscription or direct download, and transcripts are also available, all from Steve's web site.

Tuesday, February 17, 2009

Good post on passwords on Daily Cup of Tech

Daily Cup of Tech has a good post discussing what makes for a weak password (that is a password that is easily guessable) and some tips on creating a good password (including a printable worksheet for creating a strong password). Very much in line with my previous post on the subject.

Monday, February 9, 2009

Good discussion on biometrics as authentication

This article by Steve Riley of Microsoft has a good discussion of identity versus authentication and the limitations of biometrics for doing authentication.

Thursday, January 29, 2009

Virtual Machines and Sandboxes

From a security perspective, virtual machines (VMs) and sandboxes are methods of providing isolation. They have other uses as well, but in this post I'm going to focus on this ability to provide isolation.

So what exactly does "isolation" mean? Isolation is the ability to run an application in such a way as to limit its access to other programs or data on your computer. Basically it means preventing an application from being able to modify files on your computer or interact with other applications. In practical terms, for example, it can mean preventing a virus you receive via email from infecting your computer.

So what is the difference between a Sandbox and a virtual machine? Conceptually they are similar, but they are implemented very differently and provide very different flavors of protection.

Virtual machines (e.g. VMWare, Xen, VirtualBox) provide a way of running a whole separate virtual computer inside your computer. It literally is a completely different computer - it will have different applications, different files, even a different operating system (e.g. you can run a Linux virtual machine on a Windows computer).

Sandboxes (e.g. Sandboxie, sandbox-exec) are ways of running an application on your existing computer but selectively restricting what it can do. So you could sandbox your email client so that it can't write files to your disk, but it can open URLs in your web browser.

Put simply, virtual machines provide heavyweight, complete isolation between what is running in them and your computer. A sandbox provides lighter-weight, flexible isolation between an application and your computer. (Virtual machines have other non-security benefits in terms of the flexibility they give you to run different applications and operating systems, make snapshots, etc., that I'm ignoring for this discussion.)

"These things sound great. Why doesn't everyone use one or the other all the time?"

Like a lot of security mechanisms, they have a usability trade-off. It's most pronounced with virtual machines. If you were to run your email client in a virtual machine, the same protection that keeps a virus from infecting your computer makes it hard to save an attachment a colleague sent you to your documents folder. Likewise if you wanted to send a document to a colleague, you have to jump through hoops to do so.

Sandboxes are a little friendlier. They let you allow and prevent actions selectively, so, for example, your email client can send URLs to your web browser or write to certain parts of your disk, but not overwrite another application or read your more sensitive files. But it takes you configuring the sandbox security policy to allow that ("configuring the security policy" is fancy talk for either clicking on "Allow this" pop-ups or editing a file, depending on the sandbox application). Depending on how complicated your use of your applications is and how much security you want, this configuration can be somewhat onerous.

So, all in all, these are great tools if you are doing something with an application you don't trust - e.g. some game you downloaded off the Internet and just have to try - in which case they give you protection against any bad behavior of that game. But they are a little much for the average person to use for ordinary daily activities.

One last word of warning: neither virtual machines nor sandboxes will prevent bad things from happening within an application. For example, if a virus infects your email client, a virtual machine or sandbox won't stop it from sending out email. Nor, if your web browser gets corrupted, will they stop it from visiting other web sites and changing your password.

Wednesday, January 28, 2009

It's Data Privacy day...

It's Data Privacy day. This page has a number of materials giving basic online privacy tips, mostly aimed at teens and social networking sites, but not bad advice for all of us.

Saturday, January 10, 2009

Schneier on Impersonation

Good article by Bruce Schneier on Impersonation (aka Identity Theft).

Wednesday, January 7, 2009

Snopes.com on 'http' vs 'https'

Snopes.com is a great web site for debunking or confirming urban legends that seem to constantly float around the net. It's the first place I turn whenever I see a questionable story in an email I get.

Apparently there is an email floating around talking about the difference between 'http' and 'https' web addresses (something I touched on when I blogged about web surfing security), and Snopes wrote a nice article on the issue. Somewhat surprisingly for an email floating around the net, the original email was basically correct.

Friday, January 2, 2009

A good collection of security tips from LifeHacker

LifeHacker's post "10 Ways to Lock Down Your Data" is a nice collection of tips for dealing with web security questions, privacy, wireless security along with data security issues.