Wednesday, September 23, 2015

Use a Password Manager

Recently, I saw a picture trying to exhort people to use better passwords. That would seem like a good idea and at some level it is. However, it is no longer a good idea. That's right, trying to get people to use better passwords isn't a good idea any longer. Now, having said something so controversial, let me explain why.

It's not that strong passwords aren't a good idea, and the idea of using them is certainly good.  It is just that people are essentially incapable of creating truly secure passwords. The example in the picture (hopefully linked to here) is in fact the proof. The "99ballons" is an obvious phrase (18 bits of randomness) and even after obfuscating it, it isn't that random.

To back that statement up, I need to explain what a truly secure password is. A truly secure password is one that is an encoding of a random number of sufficient bits that it takes too long for the attacker to guess it.

The problem with people generating passwords is that they aren't really random. In fact, in most cases they are very poor approximations of random. Sadly, even the best advice doesn't get people to generate truly random passwords. It simply gets them to generate ones that are better.

Let's analyze what people do to generate passwords.

First, we have the obvious bad examples, where people use common words or easy-to-type key sequences. Everyone knows "password" and "123456" are bad, but so are "fido", "giants", and "rachel" (pets, sports teams, significant others, and common phrases). Anyone who picks a password in the list of 100 (or even 1000) most common passwords simply hasn't picked a password at all, especially if you pick a password that can be associated with you.

But, what if you pick an obscure word? Password hackers have long known how to use dictionaries of common passwords to look for passwords. The number of words in your typical language is simply too small. The typical English speaker's vocabulary is about 20,000 words. The estimate for all of English is still only about one million words and most of those are so rare and obscure no one will pick them as a password. However, a competent password dictionary could easily include them all.

Well, what if we put two words together to make our password? We just roughly squared the number of possibilities. So, 20k * 20k = 400m. That would be much better if people actually randomly picked two words. However, we are still only at about 20 bits of randomness. Thus, with a dictionary and guessing pairs of words, we are still guessing the password in a small amount of time. Here the key thing to remember is that many password attacks are not trying to type your password into your computer and seeing if it works. Many password attacks are on copies of the secret stored password file that have been stolen by a hacker. Yes, that password file is encrypted, but the encryption method is generally known because it is one of the standard ones (and some of the standard encryption methods are even easy to break). Still, with a copy of the password file, the attacker can generate as many passwords as they want and encrypt them and try them against the file. The only question is how long it will take. Moreover, there are techniques like rainbow tables which can significantly speed up the process.

Well, what if we force the user to mix case? We've gotten a little better. We have doubled the number of spellings once for each letter in the word, i.e. dog becomes also Dog, dOg, doG, DOg, DoG, dOG, and DOG, so for 3 letter words we have 8 possibilities and 5 letter words 32 possibilities and for a pair of 7 letter words, 2**14 or 16,384 possibilities. If we multiply that by our two words, we are still only up to 20+14 or 34 bits of randomness. That, of course, depends on the user picking the letters to capitalize at random. If forced to use mixed case, the user is much more likely to switch the case on the beginnings (or perhaps ends and/or one other letter) of the word. Thus, in practice we have only multiplied the number of possibilities by around 6 bits, thus only 26 bits of total randomness.

Making the user add a few digits adds around 4 bits per digit; with 4 digits one might have 34+16 or 50 bits of randomness. However, back to the more likely case, the user will add 1 or 2 digits and only at the beginning, end, or in between the words. Thus, we have only added about 10 bits of randomness by requiring numbers, letters, and some case shifting; if we add that to the 26 bits of randomness we are only up to 36 bits.

Using (or adding) special characters adds a bit more complexity, but if you always use @ for "a" or "g" and "!" for "i" or "l" etc. and never for other letters of the alphabet, you have significantly reduced the amount of complexity you have added. The number of special characters that people normally substitute is small and again the hackers already know those tendencies and thus have encoded them into their dictionaries.

So, with a fair amount of work one *might* get a password with about 60 bits of randomness. In practice, a user is more likely to get on the order of 40 bits and that requires dedication, in fact as I approximated the number of bits in the secure password, I got roughly 40 bits of randomness (by my estimate, the more charitable estimate from my password manager is 63 bits, while the average generated password by the same tool is 100+ bits).

Passphrases might be better if we picked them randomly, i.e. don't pick well known ones like "Kings play chess on Fridays generally speaking" or "Fifty shades of gray" or even "Love means never having to say you are sorry". My guess is that the hackers are building dictionaries of passphrases already.

That means if you are serious about your passwords you might get a decent one (or even a decent set of a dozen), but if you have fifty places that need passwords, you are likely to run out. Moreover, you are going to have to memorize those passwords. If you make them really hard and keep them unique, you are going to have a lot of difficult information to remember. That means that typical users will never be able to follow such etiquette. You will always have easy to guess passwords for many cases. Or you will have users that write their passwords down.

The last step isn't as bad as it seems. Sure, posting a sticky note on your screen with the password to the computer administrator's account is a bad idea. However, having something else remember your hard to guess passwords is perhaps a good thing.

This is where password managers come in. A password manager is simply a program that remembers your passwords by storing them in an encrypted file for you and tells you which password you used for which site. If you are wondering if this isn't vulnerable the same way that a system password file is, the answer is not really. The hacker, when getting a system file, gets the passwords for many users once they decrypt the file. The hacker only gets your passwords if they get your password manager file. Now, if you are the President of the United States, that might still be worth getting. However, if you are an "average" person like me, it isn't valuable enough. So, yes it can be cracked, but in most cases it isn't worth the effort to do so.

The other thing a password manager generally does, is that it can actually generate the passwords for you, and it won't do so by picking a couple of dictionary words and then trying to obfuscate them. It will pick a random password (or at least as random as its random number generator can produce). Thus, if it picks a password with only 60 bits of randomness, you can reasonably expect that some hacker using a dictionary attack is not going to find it, no matter how good their dictionary is.
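The definition given earlier (a password as an encoding of a random number with enough bits) and the generator behaviour described above can be sketched as follows. This is an added example, not code from any particular password manager; the 94-character alphabet, the 100-bit default and the guess rate passed to the time estimate are assumptions.

```python
import secrets
import string

# Assumption: printable ASCII letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def length_for_bits(bits, alphabet_size):
    """Smallest length such that alphabet_size**length >= 2**bits."""
    length = 1
    while alphabet_size ** length < 2 ** bits:
        length += 1
    return length


def encode_number(value, length, alphabet=ALPHABET):
    """Encode a non-negative integer as a fixed-length string in base len(alphabet)."""
    base = len(alphabet)
    if value < 0 or value >= base ** length:
        raise ValueError("value does not fit in the requested length")
    chars = []
    for _ in range(length):
        value, digit = divmod(value, base)
        chars.append(alphabet[digit])
    # Digits were produced least-significant first, so reverse them.
    return "".join(reversed(chars))


def decode_number(password, alphabet=ALPHABET):
    """Inverse of encode_number: recover the integer behind a password."""
    base = len(alphabet)
    value = 0
    for ch in password:
        value = value * base + alphabet.index(ch)
    return value


def generate_password(bits=100, alphabet=ALPHABET):
    """Draw `bits` random bits from the OS CSPRNG and encode them as text.

    Every one of the 2**bits numbers is equally likely and maps to a
    different string, so no dictionary of human habits narrows the search.
    """
    if bits < 1:
        raise ValueError("bits must be positive")
    if len(alphabet) < 2 or len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet needs at least two distinct symbols")
    value = secrets.randbits(bits)  # not the `random` module: that one is predictable
    return encode_number(value, length_for_bits(bits, len(alphabet)), alphabet)


def average_guess_years(bits, guesses_per_second):
    """Years to try half of the 2**bits candidates at an assumed guess rate."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for bits in (60, 100):
        pw = generate_password(bits)
        # 1e9 guesses per second is an assumed offline attack rate, not a measurement.
        years = average_guess_years(bits, 1e9)
        print(f"{bits} bits -> {len(pw)} chars: {pw}  (~{years:.3g} years on average)")
```
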

So, with a password manager you don't have to remember the complicated passwords and you get ones that are likely to be safer than any you can generate yourself, short of rolling dice to generate passwords. Thus, take the easy way out, don't try to generate hard to guess passwords. You aren't likely to do so. Let a password manager create them for you and remember them. Your life will be much easier.

Moreover, if you are a security person, get in the habit of making that your recommendation, rather than suggesting how a user can generate a hard password. You will be doing all of us a favor.

Saturday, May 21, 2011

Biggest Threat To Mac Users

These are my personal opinions and not pronouncements by Intel.


FUD -- Fear, Uncertainty, and Doubt -- a campaign designed to use a person's fears against them to cause them to either act against their own best interests or keep them from acting.

A lot of security work is raising awareness of real threats and sometimes of potential threats. However, like the boy who called wolf, the strategy doesn't always work and sometimes backfires. In my humble opinion, that appears to be true for threats against the Apple Macintosh today. As security workers have zealously tried to show that Apple users were not immune to threats, nor are Linux users, we have inadvertently paved the way for exactly such threats to happen.

While Apple users are not immune to threats, the raising of fears has enabled a specific kind of attack to be leveled against them. An attack that the more smug and naive among them would ignore and be immune to. It is poetic irony. The ones who listened are at the highest risk.

The attack is Fake Anti-Virus Software (sometimes referred to as "Rogue" AV). This is software that claims to be software to protect your computer, but which is actually a virus. So, yes, it is a virus that attacks Mac users. However, it only attacks those who are trying to protect themselves from such viruses. Thus, the conundrum.

The truth is that there are real anti-virus programs that do help protect your Mac. Running one of them is a good idea. You will be safer if you do. However, a real anti-virus program is not likely to be sent to you in an email, nor if you get a virus is it likely to pop-up on your screen and fix your program if you just send money to a web-site. Those are most likely fakes.

The real issue is that most attacks are still Social Engineering attacks, con games designed to mislead you. No program can protect you against bad judgement, especially not when coupled with bad luck. If you click on a link (or read an email attachment) that promises too much, it is likely that the link (or email) will download a virus onto your system. Some viruses such as those running on Facebook don't even need your computer, so it doesn't matter what kind you have.

The virus writers of the world are out to trick you. If they can do so, by playing on your fears, they will do that too.

So, do some research and find a reputable anti-virus vendor that makes a Mac version and download it before you are infected. Doing that in a calm time where you can weigh the options will help you make a rational decision.

However, if you don't follow that advice and find yourself infected, don't just click on the software that pops up on your screen promising a quick fix. That's most likely a scam. Again, calm down and find a reputable place to have your computer repaired. It may cost you a few days to do so, but in the long run it will probably save you money, because the virus will actually get removed and you won't have sent the virus writers any money rewarding them for their efforts.

Sunday, September 26, 2010

The Fresh Round of Twitter Hacks and Attacks

Whenever I talk about security, it is important that I remind you that I write solely my own opinions and not official positions of Intel. Hopefully, you find this useful advice, but that's all it is, advice from someone who is interested in safety.

Well, Twitter has been "safe" and quiet for some time. People have begun to let their guard down. However, a new set of vectors for exploits is being mined. It started about a week ago with a tweet exploit that became a worm and spread porn and other unsavory stuff. Now, a second version has appeared. It looks like this new version has been nipped in the bud. However, the risk is ever present. There are people out there looking for security holes and when they find them, either playing pranks or spreading something more vicious.

Sadly, it is the nature of software to have such flaws. Thus, it is only wishful thinking to hope it goes away. We can erect better fences, but there will always be someone who finds out how to scale them and uses that ability to their advantage and our disadvantage. As a result a certain level of caution, vigilance, and even paranoia is appropriate. But do so in balance, if you let fears dominate your life, the result is just as bad, because your fears will cause you to miss opportunities.

So, keep the following in mind. There are people out there who are out to trick you and they are very clever and have very few scruples. These people are anxious to imitate anyone you trust as that's a source of leverage for them. Thus, they will pretend to be your bank, the government, some famous company, your friend, a web site that you often visit, a new web site with an interesting game, anything they think will get you to trust them. They will do this by every means possible: by spam emails, by links to sites that download malware, by sending misleading tweets, by hacking into your computer, by hacking into the computers of places that have your info. The more valuable they think your information is or the easier they think it is to get, the more effort they will spend getting it.

However, in most cases, they are not targeting you specifically, they are just looking for the easiest mark that will fall for their trap. Therein lies your advantage. You don't have to outrun the bear, just the other hikers. This is why fish swim in schools. Sure that makes the entire school a large target and the fish along the edge do get eaten, but the ones in the center tend to survive and breed a new generation. Your goal is to be in the safe part of the school.

Thus, when you read safety advice on the internet, remember that it is not fool-proof. Some people who do everything right will still get hacked. However, it is the best advice we have. It will keep you from doing things that are too risky and too likely to get you into trouble. It will increase your odds of using the internet safely.

See the next entry for some safety advice recommendations.

Common Sense For The Fresh Round of Twitter Hacks and Attacks

Whenever I talk about security, it is important that I remind you that I write solely my own opinions and not official positions of Intel. Hopefully, you find this useful advice, but that's all it is, advice from someone who is interested in safety.

Here are some basic safety principles and examples of their use:
  1. Don't trust unsolicited information.
    1. If you get an unsolicited email or phone call or direct message or @ message or wall posting etc., don't presume the sender is who they claim to be, especially if they ask you to do something you wouldn't normally do (e.g. give out your bank account number or phone number).
    2. If you do believe that you need to do something in response to a message (e.g. you are worried your account might be overdrawn), use an alternate channel for taking action. Don't click on a link embedded in the message. Log into your bank in a separate browser window by typing in the address you know (or have written down from a safe and calm time). Better yet, don't do it online--call or visit your bank.
  2. Keep your secrets safe.
    1. Don't post details about upcoming trips when you will be away from your house for a significant period of time.
    2. Check that public information sites like Spokeo aren't giving out information that can be used to impersonate you.
    3. Don't post pictures of your kids nor give out their names and ages.
    4. Don't post details of your life (or pictures of yourself) that you aren't willing for the world to see. Don't even send such pictures to friends.
    5. Use strong passwords. Not a word in a dictionary. Not an easily typed sequence of numbers. Not something about you that can be guessed or looked up online.
    6. Don't reuse the same password for multiple places, especially not important ones. Make certain that even if one of your passwords gets cracked, your other passwords are still not easily guessed.
  3. When something bad happens, don't panic.
    1. Calm yourself down first. Realize that it probably isn't as bad as it seems right away.
    2. Plan the steps to limit the damage before doing anything else. That will force you to be more focused.
    3. Make sure you are thorough. For example, if you have an account that is hacked, make sure you take all the steps to make the account secure, check your computer is secure, and then check to be certain your other accounts are safe also. If the account broken into has a password, change it to a new one as part of the plan.
    4. Don't do other things until you have verified that you have solved the problem. If you have a hacked Facebook account, don't check your bank until you've fixed that problem first and verified that you don't have a virus or keylogger on your computer. If you skip steps, you may spread the problem to other parts of your life. This is where making a calm plan can come in handy.
  4. Stay aware.
    1. Watch for alerts as problems are spreading. There is often specific advice on things not to do as they are found.
    2. Read various sources on the issues. Get a variety of opinions and guidelines so you can make informed choices.
    3. Keep your protections up-to-date. Don't just download a virus tool and think the problem is solved. Get updated definitions regularly. See if there aren't other tools you should use. Also, change your passwords at least from time to time, even if you haven't been hacked that you know of.

Hopefully, the above list doesn't seem too long. There is a lot of good that can come from using the internet. It can make your life easier, richer, and more fulfilling. If you make the above into "good habits", they shouldn't take much time at all. Moreover, these good habits aren't just for using the internet. They are more "common sense" things that you should practice everywhere. While the internet has its own unique risks because it brings the whole world right to us, many of the most dangerous things were already in our lives. Most of us have already learned to cope with them.

Friday, July 2, 2010

Foursquare: Don't Bury One's Head In The Sand

The opinions expressed here are purely my own and not those of Intel. However, what I write about is clearly influenced by my job and exposure to ideas at Intel.
As an introvert, many parts of social media aren't intuitively obvious. Foursquare is a pretty good example. My intuition immediately links it to PleaseRobMe.com. Thus, I find it hard to recommend for someone wanting to protect their privacy, safety, and security.

However, to ignore the changes in modern society is simply to be an ostrich and assume that ignoring something will make it go away. Yes, sometimes that works, but it isn't a sound strategy.

Moreover, people enjoy games, and adding fun to one's experience actually enhances one's life. This can be coupled with many a corporation's desire to know more about you. A big part of social media is trading our privacy for some other benefit. One common way corporations attempt to extract that info is by involving you in games and contests.

Much of this blog is trying to help you avoid making that trade unintentionally, giving away your privacy or safety for something of dubious value. That is still a sound principle. Being aware that most internet and social activities are designed to extract information about you and repackage it for resale is important.

I (sadly at one level, but ultimately peacefully) gave up playing games on the internet almost ten years ago, because I realized that the information I was giving up and the risk I was putting myself in were not worth the value I was receiving from playing. This was particularly true for the online lotteries. Although the aphorism that you can't win if you don't play is true, in the end I determined that I probably couldn't win by playing either and was simply putting myself at risk for downloading malware.

The same holds true for me for a host of other online games. At one time in my life, I truly enjoyed the fantasy of role-playing games. I can even understand those who are willing to get dressed up in costume and go to conventions for their favorite escape. However, the risk for me of having my privacy invaded by participating keeps me far on the sideline.

Given this context, you can understand why I would be reluctant to recommend Foursquare to anyone. Using foursquare certainly gives away information about you. I would certainly recommend anyone considering it to think carefully through what you are trading, for what you are gaining. You need to be clear that you are getting something back for that information you are giving away.

When will using foursquare put you at risk, and what will it put you at risk for?

After assessing that, what potential will you possibly gain from using foursquare?

At the same time, you need to consider those alternatives rationally and honestly and realize that by our very nature, we as humans are particularly poor estimators of risk and the trade-offs between risk and reward. As humans our tendency is to over-estimate risks that seem particularly detrimental and under-estimate ones that involve common-place events. Otherwise, we would never get on a chair as a substitute ladder to reach something just a little bit too far away and end up falling--a surprisingly common error we all make.

In light of that, determine for yourself how much additional risk you are taking by joining foursquare. Are you broadcasting information that isn't readily available already? Can that information be used in some way to your detriment?

To make this concrete, let us consider a couple of specific examples based on the PleaseRobMe.com model.
  1. You are a single 9-5 working person living in an apartment. In this case, it is probably obvious that you work all day and that your apartment is vacant during that time. Incremental risk from using foursquare to check in at your favorite restaurants, probably limited.

  2. You work from home and thus stay at home almost all the time. In this case, tracking the times you are away might be significantly valuable. Especially, if long trips are involved. Incremental risk from using foursquare to check in at Disney, much higher.
The key distinction is whether the fact that you are away is unusual. That makes it more valuable.

However, if one really wanted to do the analysis, one would need some numbers to work with. To my knowledge, no one has yet compiled any comparative statistics on the number of people whose homes were robbed who were using foursquare versus non-users. While I would expect some marginal incremental risk, I would expect that the number would be less significant than the location of one's house. Some neighborhoods just get robbed more than others. I would be willing to bet that the choice of neighborhood was a more significant variable than foursquare usage in home robbery rates.

Therein lies the point. Don't skip using foursquare simply because the fear of a home robbery is so dreadful that you over magnify its probability. Skip using it only if the benefits are dubious to you. If you find something interesting that you might be able to benefit from by using foursquare, the risk from using it is probably not that high, so go ahead and indulge.

For example, if you attend a conference, like IDF, where Intel is involved and you have a foursquare account, there is a good chance that there will be contests and giveaways for those who check-in. By the way when you do so, read the fine print first. Intel has a very strict policy about how it can use the information it gathers, so we will have to tell you what your checking in means and how we might use that information in the future. That's a standard everyone should be held to.

Friday, June 25, 2010

When Will We Wake Up?

As always, these thoughts and opinions are mine alone and not official pronouncements, policies, or statements from Intel. Note that the examples used in this posting are not unique and not the most extreme cases. They are simply ones that have become lodged in my mind.
This is the other half of the issue I just wrote about in this post, where I addressed the need for people to be conscious of how choosing convenience might be lowering their security and privacy.

Here I'd like to ask the question from the implementer's point of view. In particular, we have long known that some systems are easy to crack. I am going to list some easy flaws of convenience and ask why haven't we learned to avoid them.
  1. Obvious default passwords and insecure default settings: In high school my friends and I were taught on a large computer and given the instruction manual for the operating system, compilers, and so forth. In those books were the instructions on how to run the system that assigned accounts and passwords and the examples used names like "password" for the system accounts. Gleefully, we tried those passwords, and no one had ever changed them. They were the same as in the book. Since no one had ever heard of cracking accounts back then, those administrators could be forgiven.

    However, in the 2000's when I bought a router, leaving the name as "linksys" and the password as "administrator" would have been tragically foolish. Still the recommended installation procedure did not change those names and in fact connected one to the internet as a required early part of the process. I changed mine, of course, as soon as I had the router to the point where I could do so. However, I'm sure there are many extremely insecure wireless routers out there. Everywhere I go, I find linksys routers my laptop wants to connect to. If routers become a major pool of malware infections, it will not surprise me.

    Much more security aware is the way that the F-Secure SSH client automatically builds a random number when you install and first use it. The security is turned on right from the beginning and there is no worry that someone will use an insecure password and none for the person to remember.

  2. Back doors and escapes with unlimited power: Many people have spent a lot of time figuring out how to prevent the browser from down-loading .exe files and running them. However, this whole time, one could down-load a .pdf and in it have commands that would down-load the files we were trying to prevent. There are some security provisions built-in, but they are circumventable by social engineering. Sadly, this is not a flaw in some .pdf implementation, but a designed part of the spec.

    Building in an escape hatch or back door is an easy way to circumvent the limitations of a product. However, when that escape allows arbitrary code execution, you have abdicated control to those who would abuse your application.

  3. Installations that require too much privilege: Although this is slowly getting better, far too many applications still get installed with too much access to the system. This is definitely a convenience issue. It is time consuming to get the minimum access an application really needs, especially if you don't know whether someone else sharing the computer might need another feature and more privileges. Users will almost always opt for installing all the features in the most unrestricted fashion when given the choice. That is much more "convenient" than picking a narrow set of features and restricting them and then finding out later one needs more. Especially, in those cases where expanding the privileges might require stopping the application mid-task (or worse rebooting the entire system). The user will always opt for the convenient choice.

  4. Systems that require restarting to reset: Even worse than restarting the application to expand its privileges are those applications that have to be restarted on a regular basis. It makes sense that a system that is holding onto some personal information (e.g. the browser session visiting your bank or the system that allows you to send emails) wants to time-out so that one doesn't accidentally walk away leaving that information unprotected. However, other applications fail after running for a while for no obvious reason. My assumption is that this is due to careless resource management and that some resource is eventually exhausted and the application falls over or simply hangs. However, whatever the cause, this practice has tended to train users to expect to re-login to various applications on a regular basis. Thus users are much more cavalier about entering their security information than they should be.

  5. Loading obscure software to build unimportant candy: A pretty user interface is appealing, but many applications put too much emphasis on sizzle rather than functionality. A common symptom of this issue is the web sites that seemed to require a new browser extension for each site. Again, this has improved somewhat, but still in the process, many users were "trained" to download all sorts of software to make their web applications work, and the malware writers took full advantage of this, loading first malware via such links and more recently fake malware scanners that were actually malware.

    Similar to this problem was the password manager I wanted to download that required loading a completely new-to-me language (groovy) into my browser to run it. Here was a system that I was using to attempt to increase my security, but which required me to perform a potentially unsafe action in order to do so. While password security isn't exactly candy, it isn't core functionality. It certainly isn't obvious why one would need to download a new language onto one's computer to get the browser to export passwords.

These are just some examples of lessons as developers we should have learned where we have traded user security for user convenience. Admittedly, convenience is a nice thing. However, we have to be more protective of those who are depending upon us. We made the mess that allows malware to flourish. We could do our part to clean it up.

Convenience Versus Security

As always, these thoughts and opinions are mine alone and not official pronouncements, policies, or statements from Intel.
For a long time, we geeks who built the internet (and I can't take any significant credit for that) have lived in a fairy tale sandcastle in the sky. We believed in the essential goodness of people and thereby developed our hardware and software with our main focus on what was convenient and not what was secure. We also made that worse by concentrating on features rather than stability and lack of bugs.

In the security field, the bugs have gotten a fair amount of attention. People are very aware of the buffer overruns and other ways of breaking software like browsers to introduce malware into your computer or your network.

However, the convenience factor needs equal attention. Some of those lessons have been learned. When I administered my own linux server back in 1995, I learned the hard way (i.e. by being cracked and having a rootkit installed) about the importance of closing up and securing ports. Having an open telnet port was convenient for logging into my server not only for me, but for all the miscreants who thought access and using my computer might be fun or profitable.

Still, this lesson needs to be repeated over-and-over again. The sites that are open to the attacks in this video have not properly secured their assets. If you leave your property open and unlocked, someone will eventually "borrow" it or play a prank on you through it or do something else you don't want and hadn't intended. Especially, if the info on how to do so is on popular sites like bitrebels.

So, when you buy that new webcam or baby-monitor think before you expose it to the internet. The out-of-the-box configuration was probably designed by geeks who wanted to make it convenient for you to use, not to keep your private information private. That doesn't mean you can't make the device secure, just that you will need to do extra work to do so. Work that might not be detailed in the instruction book that comes with the device.

Although we geeks who design and build such devices emphasize convenience and features as that's what we've trained ourselves to do and what the market has traditionally rewarded, if consumers want safer more secure devices, we will make them. Companies are already realizing the need for that. The culture is ripe to grow and spread. Consumers just have to make informed choices that demonstrate that preference.

If you are an implementer and want to ponder some of the ways we have helped users trade security for convenience, try reading this.