
Thursday, August 9, 2012

Practically unbreakable (but memorable) passwords

Originally posted 07/01/2011 on lubbockonline.com

A month ago in the June 1st edition (episode 303) of his Security Now! podcast Steve Gibson announced that he had experienced an epiphany on what makes a secure password. The traditional requirements for a secure password have been missing an important point. What's the point? That a secure password doesn't have to be what is known as a 'strong' password.

Basically, you want to make the search for your password as hard as possible. The way we are usually told to do that is to make passwords as far from normal words as possible. Unfortunately, that results in impossible-to-memorize 'passwords' like rP$23)JL#j01p3a!9h9. Steve's revelation was that it isn't the complexity of the password, it's the length and the size of the 'alphabet' it uses that make it really secure. Alphabet size is easy to understand. If you only use lowercase letters, your alphabet size is 26. Add uppercase and it's 52. Add digits and you've added another 10. Symbols add even more. On top of that, as Steve points out, figuring out a password is all or nothing. Hollywood makes a nice show of computers figuring out one character of a password at a time, but it doesn't work that way. You try a password and it works or it doesn't. If it fails there is no indication whether it was too long, too short, or should have had that 'a' capitalized. So for the most secure password you don't have to make something impossible to memorize, you just have to make it long with a large alphabet. So pick a length - I'll use 20 characters - and this is what you do:

  1. Make a base passcode that has at least one lowercase letter, one uppercase letter, one number, and one symbol. For example, aB3$. For that I just used 1,2,3,4 - a (1st letter), B (uppercase 2nd letter), 3 (the number 3) and $ (shift-4). Large alphabet, but easy to remember.
  2. Next, add padding - it really doesn't matter what, as long as you can remember it. I'll use 8 '!' and 8 '&'.
  3. Combine your padding with your base. I'll put the base in between the padding.

My new password is !!!!!!!!aB3$&&&&&&&& and it's extremely secure (except that you know it), easy to memorize and hard to crack. But by traditional standards it's extremely weak. There is too much repetition and not enough randomness. But if I hadn't just shown it to you it would be very hard to crack, because an attacker won't know how long my password is, won't know how large the alphabet is and will have to try every possible combination from 1 character (well, I'd probably start with 4) all the way up to 20 characters before he guesses my password. Not a simple task.
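To put numbers on the argument above, here is an added Python example (not from the post or from Steve's Haystack page) that counts the exhaustive search space the way the post describes: the size of the alphabet the password draws from, raised to every length from 1 up to the password's length. The 33-symbol count and the guess rate are constructed assumptions; the result is an upper bound for a plain brute-force search and says nothing about dictionary or pattern attacks, which is the same caveat the post makes about "strength" vs. search space.

```python
# Constructed example: search-space arithmetic for the padded-password idea.
# Class sizes match the post (26 lower, 26 upper, 10 digits); 33 is the number
# of printable ASCII symbols, an assumption not stated in the post.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must assume, from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):  # anything else is treated as a symbol
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Guesses needed to exhaust every string of length 1..len(password) over the alphabet.

    This models the attacker the post describes: one who knows neither the
    length nor the alphabet and must walk every shorter length first. It is a
    brute-force upper bound only; a pattern-aware attack can do better.
    """
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def years_to_exhaust(password: str, guesses_per_second: float = 1e11) -> float:
    """Wall-clock years to exhaust the search space at a constructed guess rate."""
    return search_space(password) / guesses_per_second / (365.25 * 86400)


def compare(padded: str, random_looking: str) -> dict:
    """Side-by-side figures for the two passwords the post contrasts."""
    return {
        name: {
            "length": len(pw),
            "alphabet": alphabet_size(pw),
            "search_space": search_space(pw),
            "years_at_1e11_per_s": years_to_exhaust(pw),
        }
        for name, pw in (("padded", padded), ("random_looking", random_looking))
    }


if __name__ == "__main__":
    for name, figures in compare("!!!!!!!!aB3$&&&&&&&&", "rP$23)JL#j01p3a!9h9").items():
        print(name, figures)
```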

Steve has created the Password Haystack to help show how effective these types of passwords are. Note that the page does not test the strength of the passwords, just their security.

If you need more evidence that 'strong' passwords aren't, here's an interesting link on 'strong' passwords in the era of cheap GPUs (graphics processing units). It's one of many on Steve's 'Password Haystack' page, but this one points out the importance of long, large-alphabet passwords: Cheap GPU's are rendering strong passwords useless

So rethink your password strategy and put in some hardcore secure passwords that are easy to memorize.

Is the FBI an agency out of control?

Originally posted 06/30/2011 on lubbockonline.com

Kevin Gosztola at Alternet.org looked at 5 types of FBI abuse of power. That abuse of power was, and is, assisted by the FISA court. The FISA court is supposed to oversee FBI investigations, but unless oversight means rubber-stamping electronic surveillance (1506 requests in 2011, 1506 approved) it's falling down on the job.

The court also granted "National Security Letters" on 14,000 people. National security letters pretty much give the FBI full access to your life:

They were also generous with granting “national security letters," which allow the FBI to force credit card companies, financial institutions, and internet service providers to give confidential records about customers’ subscriber information, phone number, email addresses and the websites they’ve visited. The FBI got permission to spy on 14,000 people in this way. Do they really think there are 14,000 terrorists living in the US?

With that backdrop, Kevin tells us that the FBI is seeking greater investigative power, and tells us of 5 types of investigations that show the last thing the FBI needs is more power:

  1. Warrantless GPS tracking (I blogged about this last year)
  2. FBI Targeting WikiLeaks and Bradley Manning Supporters. The FBI intimidated people involved with the "Bradley Manning Support Network," a legal grassroots organization, for one.
  3. FBI Spied on Children While Using 'Roving Wiretaps,' Intentionally Misled Courts on Freedom of Information Act Requests. Comparing documents from different FOIA requests discovered the deception.
  4. FBI Entrapment of Muslims.
  5. The Criminalization of Travel by the FBI. Vocal activists (not terrorists) are targeted because of disagreement with policy and travel abroad.

I think you should go read the whole article. It's 6 pages, but they're short, and the details he provides are compelling. The last point strikes me a little harder than the others because if I travelled internationally, I could be one of the people targeted. As it is I'm just a harmless crank who blogs in Lubbock, TX and occasionally emails congressmen and the President on issues I feel strongly about. But how long before that isn't enough to protect me from harassment?

Wednesday, August 8, 2012

LulzSec ends hacking business

Originally posted 06/27/2011 on lubbockonline.com

LulzSec Security is closing its doors. As reported on Mashable and a host of other places, they are claiming that the intent from the start was to disrupt the security industry for 50 days in an attempt to restart the 'anti-security' movement. They believe they have fulfilled that goal. They might have, but I doubt it. Not for very long, anyway.

I also have my doubts that they are disbanding because the time they decided on for their fun was past. I think it has more to do with the arrest of a British youth and their own carelessness. For a group of law breakers involved in activities traditionally performed in secret (for good reason) they didn't take many pains to cover their tracks. Unlike most black hat hackers, who work in secrecy and often don't admit when they've performed a hack, LulzSec loudly proclaimed their accomplishments. They set up a Twitter account and a Facebook page. It wasn't their illegal activities that did them in, or some timeline, it was their own pride and belief that they couldn't be caught.

Tuesday, August 7, 2012

Should teachers know students have criminal backgrounds?

Originally posted 06/16/2011 on lubbockonline.com

Megan Ryan of the Houston Chronicle reports that a bill requiring teachers to be informed when a student has a criminal history is sitting on Gov. Perry's desk waiting to be signed. The goal is greater safety for teachers and for other students. I'm torn on this one. Juveniles are generally protected from exposure because there are a lot of crazy, dangerous and even violent things done by minors who straighten up and become model citizens. When you know someone has a history, there is a tendency to treat them differently because of that history. So keeping the student's criminal history secret makes it possible for them to be treated like any other kid instead of as a menace to society. But if the student has a violent history, don't the teachers have a right, even a need, to know so they can better protect themselves and the other students? Texas State Teachers Association spokesman Clay Robinson believes they do and that the information will make it possible for teachers to avoid dangerous situations: "If the kid needed help after class, you could call a security guard to stay with you or stand out in the hall," he said. "If you were walking to your car and you saw the kid lurking about, you might want to ask a security guard or another teacher to walk you to the car." How many students with criminal backgrounds get in altercations with school staff? How does that number compare with the number of students without criminal backgrounds that get in altercations with school staff? Is there enough difference in the numbers to warrant exposing students to fear and suspicion from teachers?

Full body scan - shield or show?

Semi-Originally posted 06/14/2011 on lubbockonline.com

Due to technical problems, this is a repost from January 4, 2010

Full body scans in airports - they're getting a lot of attention again, both for and against. One blog feels that just by agreeing to fly we are consenting to scanning. Another story on Canada.com agrees. It asks the seemingly reasonable question, "Do we need to see hundreds or thousands killed for the privacy objectors to back off?"

Privacy groups are against the full body scanners, saying they are invasive and demeaning. Flyersrights.org and the ACLU are both against the scanners. In a release on its website the ACLU says:

"We should be focusing on evidence-based, targeted and narrowly tailored investigations based on individualized suspicion, which would be both more consistent with our values and more effective than diverting resources to a system of mass suspicion," said Michael German, national security policy counsel with the ACLU Washington Legislative Office and a former FBI agent. "Overbroad policies such as racial profiling and invasive body scanning for all travelers not only violate our rights and values, they also waste valuable resources and divert attention from real threats."

I have to admit, I lean more toward the ACLU position. Yes, I know that a full body scan might have caught the explosive in the bomber's undies - although there are claims that the bomb would have made it through a scanner. But that isn't really the issue. The issue is that we don't need to add any new security measures, we need to properly use the ones we have.

I can't say it enough. The system is broken. People are saying, "We need full body scans to keep anyone else from getting through." No, we need to start making full use of the intel we're gathering. Bush dropped the ball when he didn't follow through on his order that the U. S. intelligence agencies, FBI, CIA, NSA, etc. share information, and Obama is following his example.

The point in this is not that a scanner would have stopped this guy before he could turn himself into a eunuch. It is that he should never have made it to the point where he would have to go through a scanner. We had more than enough info to forbid this guy from getting on a plane. He was on a watch list, then his father notified the U.S. Embassy that he had been radicalized and might do something dangerous. That would have put him on a "watch very closely" list for me. Not for the U.S. government. According to examiner.com:

"On November 20th the embassy sent a "Visas Viper cable" to the State Department which detailed the father's warning. The information was then given to the Counter-Terrorism Center in Washington D.C. which ruled that there was insufficient information present to revoke Mutallab's visa."

While people are screaming for more measures to limit our freedoms and take away our rights, the real problem is that the information we are gathering has everything we need to stop these terrorists, if we would only use it. Putting scanners in the mix will not make us safer, it will only be one more layer of false security.

No matter what methods we devise to detect explosives at the airport, our first and best line of defense will always be gathering data to stop terrorists before they can get a ticket. And the evidence shows we're doing a good job of gathering it, we just aren't using what we're getting.

Tuesday, March 27, 2012

Security vs Privacy: It's not what you think it is, part 2

Originally published 06/06/2011 on lubbockonline.com

Last week I told you about Daniel J. Solove, the author of "Nothing to Hide: The False Tradeoff Between Privacy and Security" and his article, "Why 'security' keeps winning out over privacy," on salon.com about the bogus reasons security trumps privacy every time the two come into conflict. We looked at the first two mistaken arguments in his article last Wednesday. Today we'll look at the last three. Eventually we may look at the wider list of faulty security vs privacy arguments, but these will do for now.

The next argument we will look at is the "Pendulum argument." This is the idea that in times of heightened risk we should blindly allow privacy concerns to fall by the wayside because when things calm down the pendulum will swing the other way and privacy will be reinstated. The problem is, when risk is low, there isn't a great deal of demand to violate privacy for security, so the need to protect privacy isn't as great. In times of heightened risk the desire to be safe makes us less likely to question measures that supposedly increase our protection. So we get measures that sound good, but really do little. Solove mentions the Japanese internment in World War II and the "Red Scare" of the McCarthy era. Our problem is a little more hidden, though no more subtle: the ongoing monitoring of as close to every landline phone in the U.S. as possible (that's pretty close); the Census Bureau giving the Department of Homeland Security the cities and zip codes of Arab Americans in 2003, supposedly to help decide what airports needed signs in Arabic; the implementation of full body scanners and gropedowns at airports to prevent bombings. These are just a few examples of actions taken to improve security that did little for security but cut deeply into privacy and liberty.

The War Powers argument looks good at first glance. It's the job of the President to lead our nation in time of war, and nothing should hamper his ability to do that. The NSA wiretapping is justified because, even though it violates the Foreign Intelligence Surveillance Act (FISA), the President's ability to lead our country in times of war is more important than any law. The implication is that there is nothing the President can't do if we are at war. He can put citizens in concentration camps, ignore Constitutionally guaranteed rights, and have people pulled from their houses and shot without explanation if he is doing it under "War Powers."

Last, we have the Luddite Argument. The Luddite argument says that if you're not willing to embrace technology you're holding security back through fear and ignorance. But the truth is, often these technologies haven't been vetted properly, and may not be ready for prime time. The anti-bomb "puffers" put into service to protect us from bombs are a prime example. But Mr. Solove's example of biometrics is a very good and timely example:


To see the problems with the Luddite argument, let’s look at biometrics. Biometric identification allows people to be identified by their physical characteristics -- fingerprint, eye pattern, voice and so on. The technology has a lot of promise, but there is a problem, one I call the "Titanic phenomenon." The Titanic was thought to be unsinkable, so it lacked adequate lifeboats. If biometric data ever got lost, we could be in a Titanic-like situation -- people’s permanent physical characteristics could be in the hands of criminals, and people could never reclaim their identities. Biometric identification depends on information about people’s characteristics being stored in a database. And we hear case after case of businesses and government agencies that suffer data security breaches.


He goes on to point out that if someone steals your SS# you can replace it. Making sure you understand all the implications of using biometrics before ditching our current system is wisdom, not ludditism.

There are a number of arguments used to 'prove' security is more important than privacy, and that privacy is a danger to security. The truth is that there are few situations where privacy and liberty are incompatible with security. But to some government officials and law enforcement the idea of privacy is synonymous with chaos. We can't let them have the last word on security and privacy policies.

Thursday, March 22, 2012

Security vs privacy - it's not what you think it is.

Originally published 06/01/2011 on lubbockonline.com

Daniel J. Solove is the author of "Nothing to Hide: The False Tradeoff Between Privacy and Security." Yesterday (May 31,2011) he published an article, "Why 'security' keeps winning out over privacy," on salon.com about the bogus reasons security trumps privacy every time the two come into conflict.

According to Solove, the arguments used to win security over privacy are flawed, and he examines a few of those arguments to show how. We'll look at a couple today and a couple tomorrow:

  • The all or nothing fallacy - this fallacy says that you have to go all the way, or do nothing at all. He uses the example of surveillance, "In polls, people are asked whether the government should conduct surveillance if it will help in catching terrorists." Of course people say yes; the question implies that we are unprotected and saying "no" means leaving ourselves exposed to terrorist attack. The government already has the right to conduct surveillance, but must follow certain rules. As Solove puts it:


    We shouldn’t ask: "Do you want the government to engage in surveillance?" Instead, we should ask: "Do you want the government to engage in surveillance without a warrant or probable cause?"


    The former question pretends protecting privacy requires a complete loss of security. We weren't without protection before 9/11, and the protection isn't that much better now despite the increased "security" forced upon us.

  • The deference argument says courts should defer to the executive branch in security matters. But it is the courts' job to be a check on the executive, examining what the executive does and making sure that what it does to secure us is actually worth the trade-off. A simple, basic example is the TSA body scanners and patdowns. Will they even stop a slightly determined bomber? Probably not. A policy of deference by the courts means that our civil liberties are trampled on for no reason and the people who are supposed to guard them are looking the other way.

That's just two of the many arguments used to trump privacy for security. Tomorrow we'll look at two more.

The bad guys are phoning for access

Originally posted 05/31/2011 on lubbockonline.com

Jason Halstead of the Winnipeg Sun reports that a woman in Winnipeg, Canada was almost a victim of an unusual blended attack on her computer.

61-year-old Val Christopherson answered her phone and a man told her he was from an online security company that was receiving error messages from her computer. He claimed to want to fix her problem over the phone and convinced her to go to a site called Teamviewer.com and let him connect to her computer. Then he tried to sell her antivirus software and let him install it. That was when she got suspicious and hung up.

Ms. Christopherson was smart. When the man called back she hung up on him again, then unplugged her computer and contacted her ISP and bank to reset her security credentials and let them know her computer might have been breached. Letting herself be talked into letting an unknown person connect remotely to her computer was a lapse, but perhaps an understandable one. As often as we warn against clicking on strange links and OK'ing popups, we never warn about letting strangers access your computer, either in person or remotely. A computer attack initiated by calling the prospective victim is, in the case of private individuals, extremely rare, so no one warns about that type of attack.

So if you get a phone call from someone asking you to give them access to your computer, tell them no. If they are from your ISP or the company you get your anti-virus from, tell them you'll call them back and hang up. Then use the number from the phonebook or the internet to call them and find out if they had been trying to contact you. Don't ever trust an anonymous phone caller with access to your computer.

Tuesday, March 20, 2012

New MacDefender variant doesn't ask for admin password to install

Originally posted 05/26/2011 on lubbockonline.com

If you use Safari, go to Safari-Preferences and select the General tab. Uncheck the "Open safe files" option (see image). If you surf the web in your admin account, create a normal user account and start using it. There is a new variant of Mac Defender that doesn't require an admin password to install if you are logged into an admin account. If you wind up at one of the bogus download sites, are logged in as admin and have "Open Safe Files" selected, it will install without asking your permission. Most people in the Mac community still use the default account set up when they first started their Mac. That is an admin account.


MacGuard is still a relatively low-risk piece of malware. Intego is rating it as a medium threat, but it's hard to say if that's an over- or underestimate. It is a step up the threat scale from MacDefender. It won't just affect naive users who say OK to any dialog that pops up. No dialog will pop up to OK.

It might be too early to say that if you run a Mac you need to run anti-virus, but if you're starting to get antsy about it, Sophos' free version of its Mac anti-virus protects against Mac Defender and I'm sure will be quickly updated to protect against MacGuard. And there are always the paid versions from Sophos as well as Symantec, Avast, and others.

This is not the end of the Mac experience as we know it, but it is the end of telling people there is no malware on the Mac. The good news for now is, all you have to do to protect yourself is do your everyday computing in a non-admin account and make sure you know what it is you're OK'ing before you click the blue button. And turning off the "open safe files" option in Safari wouldn't hurt.

Saturday, March 17, 2012

Managing certificates in Internet Explorer

Originally posted 05/05/2011 on lubbockonline.com

Today we're going to look at how to add and remove security certificates in Internet Explorer 8.

1. Click on "Tools" from the Internet Explorer browser menu. Next, select "Internet Options."


2. Go to the "Content" tab and under the Certificates section, click on the "Certificates" button.


3. Select "All" from the drop-down box located next to "Intended Purpose." Use the scroll bar beside the last tab on the right to find the certificates listed by source type. Highlight the certificate you would like to delete. Next, click on "Remove."


4. Click "Yes" at the prompt to continue the removal process.

If you want to add a certificate, click "Import" instead of "Export", go through the dialog, select the certificate and click OK.

What are website certificates?

Originally published 04/26/2011 at lubbockonline.com

Have you ever tried to get to a website and gotten the message, "the security certificate is invalid," or something similar? That message means something about the bit of code that verifies the identity of the site is off. It might mean that the certificate is fake and the site is bogus, or it might mean there is a small error and the site is legit. How can you tell?

Site certificates are used when a web site needs to use encryption to protect data in transit. There are a number of organizations that issue security certificates, including governments such as the U.S. and China. In general certificates are issued for two years. The main exception to this is the certificate issuers, who have 10 year certificates.

To tell if a site uses certificates all you have to do is look for "https" in the address bar or the locked padlock in the upper right corner of the browser window - the lock symbol does not always appear.

When you visit a website that uses a certificate your browser will check for a few things in the certificate like the issuer, the address of the website and the issue and expiration dates. If any of these are not correct your browser will tell you that there is a problem with the certificate and give you the option of making a one time or permanent exception. You can, if you want, examine the certificate before deciding what to do.

So how do you decide if you should trust a certificate? Unless your browser reports a problem it all depends on how much you trust the issuer. If your browser reports a problem, there are some things you can check:


  • who issued the certificate - You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, thawte, or Entrust). Some organizations also have their own certificate authorities that they use to issue certificates to internal sites such as intranets.
  • who the certificate is issued to - The certificate should be issued to the organization who owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect.
  • expiration date - Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations that hold its certificates, may be valid for ten years. Be wary of organizations with certificates that are valid for longer than two years or with certificates that have expired.

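The three checks in the list above (issuer, who it is issued to, validity window) can be run mechanically over the certificate dictionary that Python's standard library `ssl` module returns from `getpeercert()`. This is an added example, not code from the post; the sample certificates are constructed, the trusted-issuer list is an assumption built from the names the post mentions, and the "issued to" check is a plain common-name comparison (no wildcard or Subject Alternative Name handling).

```python
import ssl
import time

# Constructed allow-list built from the issuer names the post mentions.
TRUSTED_ISSUERS = ("VeriSign", "thawte", "Entrust")
MAX_YEARS = 2  # the post's rule of thumb for an end-entity (non-CA) certificate


def _field(name, key):
    """Pull one attribute out of the nested tuple form ssl uses for subject/issuer."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def check_certificate(cert, expected_host, now=None, trusted=TRUSTED_ISSUERS):
    """Apply the post's three checks; return a list of problems (empty = nothing found)."""
    problems = []
    now = time.time() if now is None else now

    # 1. who issued it: the issuer organisation should be a known CA
    issuer = _field(cert["issuer"], "organizationName") or ""
    if not any(t.lower() in issuer.lower() for t in trusted):
        problems.append(f"issuer not recognised: {issuer!r}")

    # 2. who it is issued to: the name must be the site you expected
    subject_cn = _field(cert["subject"], "commonName")
    if subject_cn != expected_host:
        problems.append(f"issued to {subject_cn!r}, expected {expected_host!r}")

    # 3. validity window: not expired, not yet valid, and not unusually long-lived
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now > not_after:
        problems.append("certificate has expired")
    if not_after - not_before > MAX_YEARS * 366 * 86400:  # 366 allows for leap days
        problems.append(f"validity period longer than {MAX_YEARS} years")
    return problems


# Constructed sample data in the shape returned by ssl.SSLSocket.getpeercert().
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Thawte, Inc."),),),
    "notBefore": "Apr 26 00:00:00 2011 GMT",
    "notAfter": "Apr 26 00:00:00 2013 GMT",
}
BAD_CERT = {
    "subject": ((("commonName", "www.examp1e.com"),),),   # look-alike name
    "issuer": ((("organizationName", "Totally Legit CA"),),),
    "notBefore": "Apr 26 00:00:00 2011 GMT",
    "notAfter": "Apr 26 00:00:00 2021 GMT",                # ten-year lifetime
}
# Fixed "now" so the result does not depend on the day the script is run.
NOW = ssl.cert_time_to_seconds("Jun 01 00:00:00 2011 GMT")


if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(label, check_certificate(cert, "www.example.com", now=NOW) or "no problems found")
```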

Site certificates are an integral part of web security, but they aren't perfect. You still have to be careful and watch what is happening in your browser.

Toshiba introduces self-encrypting/self-wiping hard drive

Originally posted on 04/15/2011 at lubbockonline.com

Toshiba has produced a secure laptop drive that has built in encryption and can be set to wipe itself if it is removed from the computer or the wrong access code is entered.

The drive comes in sizes ranging from 160GB to 640GB and spins at 7200rpm. It's a respectable drive, and the security measures are awesome. But you definitely have to make frequent backups. If anything happens to your computer your data could be history. But you should be backing your drive up, anyway.

Senators Kerry and McCain attempt privacy quarterback sneak

Originally published on 04/14/2011 at lubbockonline.com

Declan McCullagh of the Privacy Inc blog at CNET acquired the text of Senators Kerry and McCain's proposed privacy bill. The good news is it is a step in the right direction. The bad news is it has a glaring hole in its protection. Lord Humongous was right in yesterday's comment when he expressed distrust in the two senators.

The ‘‘Commercial Privacy Bill of Rights Act of 2011’’ is supposed to protect the privacy of U.S. citizens. But Declan says it has a glaring hole:

But the measure applies only to companies and some nonprofit groups, not to the federal, state, and local police agencies that have adopted high-tech surveillance technologies including cell phone tracking, GPS bugs, and requests to Internet companies for users' personal information--in many cases without obtaining a search warrant from a judge.

While disappointing, this isn't really surprising. It's right in line with recent attempts by the FBI and Justice Department to increase their ability to spy on citizens without need for warrants or oversight.

There is a constant struggle for control of information between citizens and governments. The more control over citizens' information government has, the more control it can have over them. For the first time in history it is trivial for the government to know more about citizens than they know about themselves. It is the nature of government that it will use that ability unless we insist controls and protections be put in place. And we will have to insist. Our representatives may start out working for us, but after a time in Washington (or Austin) they become, by definition, part of the government. Working in our interest becomes a conflict of interest for them, although they don't see it that way.

Friday, March 16, 2012

A few steps to staying more private online.

Originally published 04/08/2011 at lubbockonline.com

The breach at Epsilon has started discussion on how serious having your email address stolen really is. The fact is, having your email address stolen is as dangerous as you allow it to be. To help keep the danger level down, here are some things you can do to protect yourself:

1. Don't click on links in email. If you want to go to the site, type the URL into your browser yourself. With HTML email it is child's play to disguise an email as being from someone you trust and hide malicious links behind what looks like a legitimate link.

2. Use the latest version of Firefox for your web browser. You can argue over what is the most secure browser, but Firefox has some very handy addons.

3. Once you have Firefox, there are two very helpful add-ons: HTTPS Everywhere and NoScript. NoScript can be found using the Firefox add-ons manager and HTTPS Everywhere can be downloaded from the eff.org website.

4. Update your software.

5. Keep your mouth shut and your fingers off the keyboard. Before you give anyone any information about yourself, think about whether you need to.

6. Open a garbage email account. Give it to websites that require you to register. Use your main email account for friends and family.

7. Install anti-virus and anti-spyware and keep them updated.

These are just a few of the things you can do to protect your identity online, but they are a good start.


updated to add important information

Monday, August 1, 2011

Killeen ISD student records found "blowing in the wind"

Originally published 3/28/11 on lubbockonline.com/glasshouses


Andy Ross of the Killeen Daily Herald reports that Killeen Independent School District documents containing students identifying information, including Social Security numbers, were found "blowing in the wind."

According to a school district spokesperson, the school district doesn't have policies on shredding documents. It hasn't used Social Security numbers to identify students since 2008, so these documents may be older than that. Not that it matters, since about the only way you can change your Social Security number is to go into the Witness Protection program.

The school district does have guidelines regarding personal information on staff and students, but if it doesn't include shredding documents before disposal it doesn't mean much. Dumpster diving is still one of the best ways to get information on individuals or businesses - and apparently these records weren't even in a dumpster.

There are state and federal laws covering the use of student data. I suspect some of them may have been broken here, but whether it was the school or someone they paid to dispose of the records I have no idea.

I wonder what policies and procedures LISD has in place to protect and properly dispose of student records? I hope that LISD's policies are more comprehensive and better enforced than those in Killeen.

Encrypt your Facebook sessions to protect data when it takes the scenic route through China

Originally published 3/25/11 on lubbockonline.com/glasshouses


CIO Online reports that Facebook traffic coming from AT&T servers was accidentally routed through China and North Korea. This might not be a concern, but unless you're connecting to Facebook using an encrypted connection everything that you do can be monitored by network operators. China is known for spying on its users, and once your data is on the Chinese network, it's just like any Chinese user's data. Any data you look at on Facebook could be monitored and/or saved for later analysis as it goes through China.

But if you encrypt your data, the network operators can't see it. Encrypting your login to Facebook is easy. Just make sure your Facebook bookmark is set to "https://www.facebook.com" and everytime you login your username and password will be encrypted. But once you login Facebook defaults back to an unencrypted connection. Facebook does realize that you may want to have everything you do on Facebook encrypted, and have a setting to allow that. Go to the 'Account' menu,select 'Account Settings' and scroll down to 'Account Security' then click on 'change'. Check the "Browse Facebook on a secure connection (https) whenever possible" box.

It's almost always a good idea to use encryption on the web. It doesn't use much processing overhead and protects your information as it goes from point 'A' to point 'B'. If you use Firefox there's even an add-on called "https everywhere" that will use https to connect to any website that support https.


Photobucket

Facebook + Separation + defriend = Jail Time?

Originally published 3/24/11 on lubbockonline.com/glasshouses


Ben Muessig at AOL.com reports on another case of someone shooting themselves in the foot on Facebook. The headline says it all: "Man Charged with Poligamy after defriending his first wife on Facebook."Richard Leon Barton, Jr became estranged from his first wife in prison. They hooked up again on Facebook after he got out.

That's fine, but then Richard defriended his wife. But he didn't have his privacy settings locked down, so she was able to see the pictures he posted of him and his second wife.

Oops. He hadn't divorced wife #1 yet.

Sunday, July 31, 2011

Encrypt your Facebook sessions to protect data when it takes the scenic route through China

Originally published 3/25/11 on lubbockonline.com/glasshouses


CIO Online reports that Facebook traffic coming from AT&T servers was accidentally routed through China and North Korea. This might not be a concern, but unless you're connecting to Facebook using an encrypted connection, everything that you do can be monitored by network operators. China is known for spying on its users, and once your data is on the Chinese network, it's just like any Chinese user's data. Any data you look at on Facebook could be monitored and/or saved for later analysis as it goes through China.

But if you encrypt your data, the network operators can't see it. Encrypting your login to Facebook is easy. Just make sure your Facebook bookmark is set to "https://www.facebook.com" and every time you log in your username and password will be encrypted. But once you log in, Facebook defaults back to an unencrypted connection. Facebook does realize that you may want to have everything you do on Facebook encrypted, and has a setting to allow that. Go to the 'Account' menu, select 'Account Settings' and scroll down to 'Account Security', then click on 'change'. Check the "Browse Facebook on a secure connection (https) whenever possible" box.

It's almost always a good idea to use encryption on the web. It doesn't use much processing overhead and protects your information as it goes from point 'A' to point 'B'. If you use Firefox there's even an add-on called "HTTPS Everywhere" that will use https to connect to any website that supports https.
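To show what an add-on like HTTPS Everywhere actually does with a bookmark or link before the browser fetches it, here is an added example (not the add-on's own code, nor code from the original post) that rewrites http URLs to https using constructed rulesets modelled on the add-on's rule format: a host target, a regex rewrite rule, and an optional exclusion pattern for paths a site only serves over plain http.

```python
import re
from urllib.parse import urlsplit

# Constructed rulesets (assumed for this example), in the spirit of the
# HTTPS Everywhere format: target hosts, regex rewrite rules on the full URL,
# and exclusion patterns that keep specific paths on plain http.
RULESETS = [
    {
        "name": "Facebook",
        "targets": {"facebook.com", "www.facebook.com"},
        "rules": [(r"^http://(www\.)?facebook\.com/", "https://www.facebook.com/")],
        "exclusions": [],
    },
    {
        "name": "Example",
        "targets": {"example.com", "www.example.com"},
        # \1 re-inserts "www." only if it was present in the original URL
        "rules": [(r"^http://(www\.)?example\.com/", r"https://\1example.com/")],
        # constructed: pretend /legacy/ is only available over http on this site
        "exclusions": [r"^http://www\.example\.com/legacy/"],
    },
]


def upgrade_url(url: str, rulesets=RULESETS) -> str:
    """Return the https form of `url` when a ruleset for its host applies;
    otherwise return the URL unchanged (already https, excluded, or unknown host)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url                      # already https, or not a web URL at all
    if not parts.path:                  # "http://host" -> "http://host/" so rules match
        url = parts._replace(path="/").geturl()
    host = parts.hostname or ""         # hostname is lower-cased by urlsplit
    for rs in rulesets:
        if host not in rs["targets"]:
            continue
        if any(re.match(ex, url) for ex in rs["exclusions"]):
            return url                  # site known to break under https here
        for pattern, replacement in rs["rules"]:
            new_url, count = re.subn(pattern, replacement, url, count=1)
            if count:
                return new_url
    return url                          # no ruleset knows this host
```

A browser add-on applies the same kind of rewrite to every request, which is why the "whenever possible" setting inside Facebook and the add-on complement rather than replace each other.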

Facebook + Separation + defriend = Jail Time?

Originally published 3/24/11 on lubbockonline.com/glasshouses

Ben Muessig at AOL.com reports on another case of someone shooting themselves in the foot on Facebook. The headline says it all: "Man Charged with Polygamy after defriending his first wife on Facebook." Richard Leon Barton, Jr. became estranged from his first wife in prison. They hooked up again on Facebook after he got out.

That's fine, but then Richard defriended his wife. But he didn't have his privacy settings locked down, so she was able to see the pictures he posted of him and his second wife.

Oops. He hadn't divorced wife #1 yet.

Saturday, July 30, 2011

Would you recognize a human-hacker?

Originally published 3/11/11 on lubbockonline.com/glasshouses


As much as we focus on computer viruses, trojans, vulnerabilities and exploits, they are not the biggest risk to security - online or off. The biggest risk is us. Books have been written about it, from Kevin Mitnick's classic "The Art of Deception: Controlling the Human Element of Security" to Christopher Hadnagy's latest, "Social Engineering: The Art of Human Hacking"; the subject has been pretty thoroughly covered. But we don't have the space for that kind of detail, so we're going to look at a more succinct study, the Department of Homeland Security's pamphlet on elicitation (pdf), the art of using ordinary conversation to coax out the information people want to keep secret. From the pamphlet:

In the espionage trade, elicitation is a technique frequently used by intelligence officers to subtly extract information about you, your work, and your colleagues.

Said another way, elicitation is the art of conversation honed by intelligence services to its finest edge.

Elicitation is nonthreatening, easy to disguise (and hard to prove) and it works. Why does it work? Because it's ordinary conversation, the type of thing we do all the time. Is that attractive person you just met so interested in your job because they want to get to know you, or because they're trying to find out something you know? That telemarketer that struck up a conversation with you yesterday - did you really tell him about your vacation plans next month? Just how did he get you to tell him that?

According to the DHS pamphlet the tools are something we all use to some degree:

Appeals to ego: "You must be really important. Everyone here seems to know you." You may respond with a denial, then talk about why what you do isn't really important.

Mutual interest: The person expresses an interest in something you're interested in and uses that to build a bond and increased trust.

Deliberate lies: "I've heard that..." A deliberate lie told knowing you know the truth. Most people have a strong desire to correct the mistake, and we all like to be part of the "in crowd" with insider knowledge.

Volunteering information: It's a simple trade. They give you something in hopes you will give them something. Sales people do this all the time, usually telling you that the price is about to go up, the offer is about to expire or they're almost out and it's going to be weeks before they get more. If it works, you buy whatever they're selling. For a scam artist, you give them your information, such as credit card numbers, name, address, and maybe even SS#.

Assumed knowledge: Just enough is said to give the impression of knowledge in an area so you'll discuss it.

As I read this list I thought about calls I'd received, both at work and at home, from telemarketers. Almost every one of these tools had been used against me in one form or another. Then in the WalMart parking lot tonight another one was used on me, the appeal for help:

"Could you spare some change? I'm trying to get some food for me and my wife."

I've had my own answer to this type of appeal for years, "Come with me and I'll buy you some food." He said he was getting his wife, got in the passenger seat of a car a row over, and they left.

The DHS pamphlet is aimed at preventing espionage, but the same techniques are used by malware authors and conmen to build trust and encourage us to give them what they want. One reason these techniques are so effective is that they are the things we all do in the normal course of communicating with others. Try going through a day looking for the things you and the people you interact with do as you communicate. Then see if you can tell who is just making conversation and who is trying to get something from you.