Securing your ass-ets…
Thursday, July 4th, 2019 Updated 7/7/2019 see note at bottom of article.
This week we are going to look at a few different ways to secure your data, things that keep your computers and phones secure, and their pros and cons.
First off, some basics. Everyone knows about passwords; they have been used since the beginning of time, long before computers and other devices. Passwords, secret phrases, secret handshakes and club words… everyone knows you have to have the inside passcode to get into the party.
So for computers what does that mean?
1) Use a lengthy password.
- It is shocking to no end that today, after all the hacks, data breaches and ransomware, some websites or security programs only give you 4 characters, or 6 to 8 characters, to work with. Most people know that the human mind works in chunks and can remember sequences and phrases up to 7 to 10 characters in length. That’s why phone numbers and social security numbers are also roughly that length; it also introduces randomness and a large number of permutations of number sequences that can be used. Unfortunately we have seen people who don’t even know their own phone numbers, since they don’t call themselves all that often, but you need both long and short passwords depending on the level of security risk.
- If a program only gives you 6 characters, use the most characters you can or find some other alternative. The latter might not be possible, but whoever writes these programs should enforce a minimum length that automatically makes security more hardened and more difficult for brute-force tools and crackers. Computers are getting insanely fast. We have an article about 10th generation Intel processors coming at the end of the year. If you compare that to the earliest computers using 8086 processors at 5MHz, the recent ones reach 5GHz. That’s nearly 1000 times faster in the span of about 42 years since the 8086 came out around June 1978. Of course that is only a rough figure, because it doesn’t take into consideration other factors such as Turbo Boost, 64 bits, Hyperthreading and AI.
2) Use a combination of numbers, letters and special characters.
- There is no excuse, other than laziness and difficulty remembering, not to use the full range of letters, numbers and special characters mixed together. You might occasionally have a place to look up your passwords, but nowadays you need this to prevent hacking and brute-forcing of passwords on Xeon-class hardware, as well as phishing techniques. Unfortunately this makes remembering so much more difficult, and people resort to writing passwords down and may lose what they wrote, or need password managers.
Now here are some cons about the whole password world.
A) If you use password managers you risk having all your passwords in one place, and if you use a password manager that’s connected to the cloud you risk having that hacked and exposed.
- This has not been shown on the news as much, but there are many password managers that are now industry standards, like LastPass, 1Password and Dashlane. While they have many good features, which we will illuminate here as time goes on, there are also the aforementioned disadvantages.
- There are also keyloggers that can capture input from your keyboard, take the words you type and send them to another server, and possibly reroute traffic. There are also wifi sniffers that can capture packet traffic. So nothing is perfect. The other aspect is copying and pasting a password. Let’s say you made a password that was 20 characters with various upper and lowercase letters and special characters. There is still a possibility that, if you copy your password from your password manager, malware can read it from your clipboard, never mind a keylogger. So even if you use a right-click paste, the data may be seen in a MITM or “man in the middle” attack, where someone is monitoring and intercepting your traffic without you being aware.
- Some higher security computers and government contractors likely also use password managers that autofill when a text field or password field is required and automatically send this data. That keeps down the chance that you forget your password and have to reset it, lowers the chance of other issues, and also reduces reports of false-positive brute force attempts that were really just accidental typos.
B) Nowadays you really need to also consider using what’s called Two Factor Authentication or 2FA, that is, using a second password as a backup or second security mechanism.
- So the concept with 2FA is that you might have a drawer cabinet that you can’t access without a key, but then inside that cabinet you have another smaller mini-safe that needs another key or combination code. The problem obviously is that in this scenario someone could just walk away with your mini-safe and use a hammer to get at whatever is inside. Translated into the digital world, you have a passphrase that you make up with, let’s say, 30 characters of various letters, numbers, upper and lower case and special characters (because this increases the difficulty of guessing and brute-forcing by a computer). According to various searches on the Internet, a great eight character password takes about 45 years to crack (Thycotic Force website). But a different site said five days. So there’s not a good answer. According to the same site (BetterBuys), 10-character passwords take four months, 11 characters take 10 years and 12 characters take 200 years. So you should be using at least 10 to 12 character passwords at minimum, and possibly changing to stronger passwords over time, so that whoever is trying to access your machine can’t get in and can’t stay in.
- The other problem with 2FA is that you occasionally have to give up your identity information, possibly because most use some kind of SMS program. There have been many videos on YouTube and hacker news stories showing that a person’s phone can easily have its SIM changed or its number forwarded to another phone, and again there are also possible man-in-the-middle attacks.
- Speaking of interception of data, if you are connected to a public wifi or other public device you could be monitored, be connecting to a malicious actor’s fake wifi access point, or be opening yourself up to state-sponsored attacks.
Now there are newer ideas also for security. You might see these in new technology and especially if you’re familiar also with people that deal with digital currencies.
1) First, the concept of key cards has been around in video games for some time, and you see this tech in credit cards, proximity cards, door access readers and RFID chips. In order for you to gain access it is likely a good idea to have one of these, to ensure that you are actually at a location. You can’t, for example, unlock a workstation without a proximity card or card reader attached to that machine. But unless you’re Batman or someone, we’ve always wondered whether you could fake the security token electrically or digitally. It is possible. But more on capacitive touch later.
2) If you own a USB cryptographic wallet or storage device you might be familiar with pressing buttons on the device. Again this requires that someone is there to press the button on the device to confirm that a transaction or event has happened before it goes through.
3) There is a newer type of authenticator method, such as Google Authenticator or Authy, that uses OTP or One Time Passcodes to ensure that you are the one who is there reading the passcode, a human gaining access to a device and not a hacker program. The thing about that is there are ways to get access to a phone, or maybe have the code sent to a phone that’s not yours, or read it online. And not everyone might have a phone to link it to. These methods may give you a unique 16 digit code that you are linked to, which generates these passcodes. There are also free open source versions of these.
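As an added example (written for this post, not code from Google Authenticator, Authy or any other app), here is what is actually behind those rotating six-digit codes: the HOTP/TOTP computation from RFC 4226 and RFC 6238, the base32 secret you are "linked to" at enrolment, and the server-side check that goes with it, which tolerates a little clock skew but refuses to accept any code twice. The secret below is the RFC 6238 sample key, so the codes it produces can be checked against the RFC's own test vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic
// truncation": four bytes taken at an offset given by the MAC's last nibble, reduced mod 10^6.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp implements RFC 6238: the counter is the number of step-second intervals since the Unix epoch.
func totp(secret []byte, unix, step int64) string { return hotp(secret, uint64(unix/step)) }

// decodeSecret turns the base32 string shown at enrolment (the code you are "linked to") into key bytes.
func decodeSecret(s string) ([]byte, error) {
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// Verifier is the server side: it tolerates one 30-second step of clock skew either way, compares
// in constant time, and never accepts a step at or below the last one used (no replay of a captured code).
type Verifier struct {
	secret   []byte
	lastStep int64
}

func NewVerifier(secret []byte) *Verifier { return &Verifier{secret: secret, lastStep: -1} }

func (v *Verifier) Verify(code string, unix int64) bool {
	for step := unix/30 - 1; step <= unix/30+1; step++ {
		if step <= v.lastStep {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(v.secret, uint64(step))), []byte(code)) == 1 {
			v.lastStep = step
			return true
		}
	}
	return false
}

func main() {
	secret, _ := decodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ") // RFC 6238 test key, base32-encoded
	fmt.Println("current code:", totp(secret, time.Now().Unix(), 30))
}
```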
4) Another standard that’s out is the FIDO2 standard. FIDO stands for Fast IDentity Online. The standard uses a public and private key pair, which you may be familiar with from digital currencies. How it works is this: let’s say you want to use a site’s services. You go and register for the service, and it creates a key pair on your security device, for example a special electronic card that does this. Like a real key pair in life, this key pair has a public key and a private key. The private key is sort of like a master key that lets you access everything, while the public key is like the one you give a real estate agent who just needs to show prospective buyers (a very basic analogy). The private key has to be unlocked on your security key manually by the user. This can be done with something like touching a button with your finger, entering a PIN on the device, or speech, as just a few examples.
- Some devices that use this type are the Yubikey and the Google Titan, as a few examples.
- Benefits: very secure.
- Cons: some devices like the Google Titan had Bluetooth that was able to be compromised. Yubikey also had an RFC algorithm that wasn’t as strong, but it was upgraded in later versions.
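To make the registration and login flow above concrete, here is an added, deliberately simplified model of a FIDO2-style security key and a site verifying it (example code written for this post, not Yubico's or Google's implementation and not a WebAuthn library): the key holds one key pair per site origin, signs only after a touch, and binds every signature to the origin and a counter, so a look-alike site, a replayed response or a cloned key fails verification. The origin and challenge strings are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
)

// Authenticator models the key: a key pair per origin, a signature counter, and a touched flag (the button press).
type Authenticator struct {
	keys    map[string]ed25519.PrivateKey
	counter uint32
	touched bool
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }
func (a *Authenticator) Touch()        { a.touched = true }

// Register creates a fresh key pair for this origin; only the public half leaves the device.
func (a *Authenticator) Register(origin string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	a.keys[origin] = priv
	return pub
}

type Assertion struct{ Data, Sig []byte } // Data = sha256(origin) || counter || challenge

// Sign answers a challenge: the browser supplies the origin (a look-alike domain finds no key) and a fresh touch is required.
func (a *Authenticator) Sign(origin string, challenge []byte) (Assertion, bool) {
	priv, ok := a.keys[origin]
	if !ok || !a.touched {
		return Assertion{}, false
	}
	a.touched, a.counter = false, a.counter+1
	h := sha256.Sum256([]byte(origin))
	data := append(binary.BigEndian.AppendUint32(h[:], a.counter), challenge...)
	return Assertion{Data: data, Sig: ed25519.Sign(priv, data)}, true
}

// RelyingParty is the site: it stores only the public key and the last counter it accepted.
type RelyingParty struct {
	origin      string
	pub         ed25519.PublicKey
	lastCounter uint32
}

// Verify checks the signature, the origin, the challenge, and that the counter moved forward.
func (rp *RelyingParty) Verify(challenge []byte, as Assertion) bool {
	want := sha256.Sum256([]byte(rp.origin))
	if len(as.Data) < 36 || !ed25519.Verify(rp.pub, as.Data, as.Sig) ||
		string(as.Data[:32]) != string(want[:]) || string(as.Data[36:]) != string(challenge) {
		return false
	}
	if ctr := binary.BigEndian.Uint32(as.Data[32:36]); ctr > rp.lastCounter {
		rp.lastCounter = ctr
		return true
	}
	return false // counter did not advance: a replayed assertion or a cloned key
}
```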
Another important thing to note is that there are obviously additional methods of unlocking. If you have watched Batman, James Bond or Iron Man you may have seen the fingerprint scanners that laptops now have. You see retina and eye scanners, which phones kind of have, and facial recognition as well. Is fiction and sci-fi creating reality, or reality imitating art? Pretty neat, as this stuff is improving all the time, and you can see it make its way into Microsoft Kinect Xbox One devices and programs like Snapchat for following body movements.
This week we placed an order for a few different security keys to try them out, and we are waiting with bated breath to test them. Here are some interesting things to note.
1) Yubikey was one of the first to come out with USB authentication devices, and they are reminiscent of smart card devices in a sense as well. They do have FIPS keys that can be used if you work in government. And it is interesting that they support a lot of platforms. They were founded in Sweden but moved to the United States, to Silicon Valley, to continue development with the hope of strengthening security worldwide.
2) Google has a heightened security 2FA program that they advertise for people who are at high risk of being hacked or compromised, like “journalists”. Interesting that they would be exposed, but they are out there in public all the time, and so it is a sobering notion that our message deliverers are at targeted risk for hacks.
3) Google worked with Yubico on standards but also ended up with their own key, based on one from a Chinese company called Feitian, although it seems Google flashes its own firmware onto the devices, in effect making it secure for the U.S. The key they advertise is the Titan, which costs $50 for a kit that seems to have different sizes, with support for NFC and for mobile devices. The Bluetooth one was replaced due to security issues.
- NFC stands for Near Field Communication; NFC and Bluetooth are types of wireless, sort of like your car key fob or RFID in simple terms. For credit card chips that use this wireless technology it’s recommended to shield the card to keep it from accidentally tripping a reader and having someone steal your information. You may have heard of gas station skimmers, for instance. These devices have a pro, which is that you don’t have to insert them in your device’s slot, meaning less wear and tear on the USB port, but with the trade-off that if someone is close by as you are accessing a service or trying to gain entry to your program you could end up leaking data. Caution is advised. Also, for some devices currently only Bluetooth may be supported, such as your Apple device.
4) Some of the programs and devices recommend having TWO of the FIDO devices. That would mean either two Titans or two Yubikeys, just as a backup if for some reason your device goes bad (which electronics are gonna do eventually) and also if you lose access to a PIN or something in the 2FA process. The keys currently being advertised and pushed are the Yubikey NFC and the Yubikey 5 Nano. The first costs $45 for only one key. The second is $50. We haven’t gotten a chance to compare the two devices against the Titan yet.
- Also note that Yubikey’s website had a quiz that tries to help you figure out which Yubikey is right for you, but after trying out the quiz and changing the answers it never gave me the other 4 older device options that are available (possibly for security reasons, or just upselling the latest ones). They do have cheaper options like the Security series for $20, or one with NFC for $27.
- Checking online we found other comparable products like SoloKeys and another device on Amazon that we will try later to see how they work.
Most of these devices are standard now across many industries. Google reportedly has all employees using these 2FA type devices and hasn’t had a security incident since. These devices are supposed to be good because you have to touch a button to let the device know you authorize it, sort of like a cryptocurrency hardware key before you send a transaction to make a payment. Some of the devices use a capacitive touch, meaning it uses the sweat and oils and natural electricity generated from your body to produce a charge when you swipe your finger across, to let it know you want the transaction to go through. Could someone in essence tweak the 1’s and 0’s of the PINs, and the charge, and the private and public keys, and also have the password on the first attempt in the 2FA sequence, to magically get everything to go through? Maybe, but not likely, although not impossible. Some of these devices also send your key directly to the website, as the site is coded to expect it at the same time, which checks that you’re using a genuine site. So there’s added security there. It’s sort of like a password manager on the device, in effect, and you’re almost doing 3FA or 4FA in essence, “amiright”?
Overall no device is perfect and no security is perfect. There’s always a chance that you could mess up and leak something and security is only as good as its weakest link. The best we can do is what we currently have and to be vigilant.
1) Don’t click on links. It’s so important to check the headers of your email and not get cocky or complacent. One of the easiest ways to become a victim of an attack is that the attacker knows something you like. Maybe you’re looking for a good deal on cars, or are a fan of some adult star, or a singer or celebrity or other topic, and you open up the link with your guard down thinking it’s a funny cat or pet video, or a coupon for free food, or a recipe, or whatever it is that you have an interest in. It could even be some politically or emotionally charged event like what’s in the news; you open it up and bam, your device is accidentally exposed to some zero-day or malware or Trojan or virus.
2) Don’t let pictures, embedded media and other content open on your device or in your email by default.
3) Keep your important files and documents separate from the stuff you access the net with on a daily basis. If it is quarantined off then it is less likely to get infected, deleted or affected by ransomware.
4) Familiarize yourself with and read up on tech news and information on tech sites, critical updates and alerts, and informative social media. Be a bit skeptical in your dealings with any site. Check that the site is a secure, authentic site. Some sites have a plugin authenticator that makes sure you’re truly accessing the site. Or you could bookmark the site. But be careful, and be careful of plugins, as they may secretly “phone home” and transmit data or pull man-in-the-middle attacks to intercept your data.
- Many people working for companies, and even some state workers, recently had their systems compromised and had to pay ransoms and other things to get their files back. This is quite unfortunate, as backups are highly recommended for high profile entities. Critical patch updates are recommended, as is offsite storage of critical infrastructure. Familiarize your organization with security protocols, use them, and be regular and strict about it. Even if it seems like a hassle, one mistake can open your organization up to major unexpected costs, damage control, PR nightmares and legal costs, as well as an unrecoverable reputation, not to mention lack of sleep.
These are just some basics for IT security and passwords and we hope it was useful. As always, do your own research and keep reading and alert to security and tech news.
Update 7/7/2019: Tried the Yubikey and it works quite well with Facebook and also some other services. Right now I am having some trouble trying to get it to recognize the NFC on an Android device using Chrome. According to its website you need to have Chrome and Google Authenticator installed, but perhaps the keys need to be reset using an app. Will try this again later on the website and test it out. Also, certain phones have thick cases and batteries. If you are using an extended battery for your phone with a thick case, the NFC reader might not be able to read the NFC chip on your Yubikey, as it often needs to be flush against the device. Using another phone with the original metallic case that was NFC compatible, it read the Yubikey but then tried to send me back to a demo site on the Yubikey site. Perhaps the Yubikey was not configured correctly at the time.
Facebook seems to be very security friendly lately with the integration of recovery codes, text/SMS options, security keys, Google Authenticator and similar apps. It also incorporates the ability to use GPG and PGP technologies for the emails it sends you.
Consider reviewing and hardening your security in your web services periodically.