Tag: passwords

5 security tips from Santa

Have you been naughty or nice this year?

If you’re reading this in 2019, it’s less than a month to Christmas (as celebrated according to the Western Christian calendar), or Christmas has just passed.  Let’s assume that it’s the former, and that, like all children and IT professionals, it’s time to write your letter to Santa/St Nick/Father Christmas.  Don’t forget, those who have been good get nice presents, and those who don’t get coal.  Coal is not a clean-burning fuel these days, and with climate change well and truly upon us[1], you don’t want to be going for the latter option.

Think back to all of the good security practices you’ve adopted over the past 11 or so months.  And then think back to all the bad security practices you’ve adopted when you should have been doing the right thing.  Oh, dear.  It’s not looking good for you, is it?

Here’s the good news, though: unless you’re reading this very, very close to Christmas itself[2], then there’s time to make amends.  Here’s a list of useful security tips and practices that Santa follows, and which are therefore bound to put you on his “good” side.

Use a password manager

Santa is very careful with his passwords.  Here’s a little secret: from time to time, rather than have his elves handcraft every little present, he sources his gifts from other parties.  I’m not suggesting that he pays market rates (he’s ordering in bulk, and he has a very, very good credit rating), but he uses lots of different suppliers, and he’s aware that not all of them take security as seriously as he does.  He doesn’t want all of his account logins to be leaked if one of his suppliers is hacked, so he uses separate passwords for each account.  Now, Santa, being Santa, could remember all of these details if he wanted to, and even generate passwords that meet all the relevant complexity requirements for each site, but he uses an open source password manager for safety, and for succession planning[3].

Manage personal information properly

You may work for a large company, organisation or government, and you may think that you have lots of customers and associated data, but consider Santa.  He manages, or has managed, names, dates of birth, addresses, hobby, shoe sizes, colour preferences and other personal data for literally every person on Earth.  That’s an awful lot of sensitive data, and it needs to be protected.  When people grow too old for presents from Santa[4], he needs to delete their data securely.  Santa may well have been the archetypal GDPR Data Controller, and he needs to be very careful who and what can access the data that he holds.  Of course, he encrypts all the data, and is very careful about key management.  He’s also very aware of the dangers associated with Cold Boot Attacks (given the average temperature around his relevance), so he ensures that data is properly wiped before shutdown.

Measure and mitigate risk

Santa knows all about risk.  He has complex systems for ordering, fulfilment, travel planning, logistics and delivery that are the envy of most of the world.  He understands what impact failure in any particular part of the supply chain can have on his customers: mainly children and IT professionals.  He quantifies risk, recalculating on a regular basis to ensure that he is up to date with possible vulnerabilities, and ready with mitigations.

Patch frequently, but carefully

Santa absolutely cannot afford for his systems to go down, particularly around his most busy period.  He has established processes to ensure that the concerns of security are balanced with the needs of the business[5].  He knows that sometimes, business continuity must take priority, and that on other occasions, the impact of a security breach would be so major that patches just have to be applied.  He tells people what he wants, and listens to their views, taking them into account where he can. In other words, he embraces open management, delegating decisions, where possible, to the sets of people who are best positioned to make the call, and only intervenes when asked for an executive decision, or when exceptions arise.  Santa is a very enlightened manager.

Embrace diversity

One of the useful benefits of running a global operation is that Santa values diversity.  Old or young (at heart), male, female or gender-neutral, neuro-typical or neuro-diverse, of whatever culture, sexuality, race, ability, creed or nose-colour, Santa takes into account his stakeholders and their views on what might go wrong.  What a fantastic set of viewpoints Santa has available to him.  And, for an Aging White Guy, he’s surprisingly hip to the opportunities for security practices that a wide and diverse set of opinions and experiences can bring[6].

Summary

Here’s my advice.  Be like Santa, and adopt at least some of his security practices yourself.  You’ll have a much better opportunity of getting onto his good side, and that’s going to go down well not just with Santa, but also your employer, who is just certain to give you a nice bonus, right?  And if not, well, it’s not too late to write that letter directly to Santa himself.

1 – if you have a problem with this statement, then either you need to find another blog, or you’re reading this in the far future, where all our climate problems have been solved. I hope.

2 – or you dwell in one of those cultures where Santa visits quite early in December.

3 – a high-flying goose in the face can do terrible damage to a fast-moving reindeer, and if the sleigh were to crash, what then…?

4 – not me!

5 – Santa doesn’t refer to it as a “business”, but he’s happy for us to call it that so that we can model our own experience on his.  He’s nice like that.

6 – though Santa would never use the phrase “hip to the opportunities”.  He’s way too cool for that.

What is a password for, anyway?

Which of my children should I use as my password?

This may look like it’s going to be one of those really short articles, because we all know what a password is for, right?  Well, I’m not sure we do.  Or, more accurately, I’m not sure that the answer is always the same, or has always been the same, so I think it’s worth spending some time looking at what passwords are used for, particularly as I’ve just seen (another) set of articles espousing the view that either a) passwords are dead; or b) multi-factor authentication is dead, and passwords are here to stay.

History

Passwords (or, as Wikipedia points out, “watchwords”) have been used in military contexts for centuries.  If you wish to pass the guard, you need to give them a word or phrase that matches what they’re expecting (“Who goes there?” “Friend” doesn’t really cut it).  Sometimes there’s a challenge and response, which allows both parties to have some level of assurance that they’re on the same side.  Whether one party is involved, or two, this is an authentication process – one side is verifying the identity of another.

Actually, it’s not quite that simple.  One side is verifying that the other party is a member of a group of people who have a particular set of knowledge (the password) in order to authorise them access to a particular area (that is being guarded).  Anyone without the password is assumed not to be in that group, and will be denied access (and may also be subject to other measures).

Let’s step forward to the first computer recorded as having had a password.  This was the Compatible Time-Sharing System (CTSS) at MIT around 1961, and its name gives you a clue as to the reason it needed a password: different people could use the computer at the same time, so it was necessary to provide a way to identify them and the jobs they were running.

Here, the reason for having a password seems a little different to our first use case.  Authentication is there not to deny or allow access to a physical area – or even a virtual area – but to allow one party to discriminate[1] between different parties.

Getting more modern

I have no knowledge of how military uses of passwords developed, other than to note that by 1983, use of passwords on military systems was well-known enough to make it into the film[2] Wargames.  Here, the use of a password is much closer to our earlier example: though the area is virtual, the idea is to restrict access to it based on a verification of the party logging on.  There are two differences, however:

  1. it is not so much access to the area that is important, and more access to the processes available within the area;
  2. each user has a different password, it seems: the ability to guess the correct password gives instant access to a particular account.

Now, it’s not clear whether the particular account is hardwired to the telephone number that’s called in the film, but there are clearly different accounts for different users.  This is what you’d expect for a system where you have different users with different types of access.

It’s worth noting that there’s no sign that the school computer accessed in Wargames has multiple users: it seems that logging in at all gives you access to a single account – which is why auditing the system to spot unauthorised usage is, well, problematic.  The school system is also more about access to data and the ability to change it, rather than specific processes[3 – SPOILER ALERT].

Things start getting interesting

In the first few decades of computing, most systems were arguably mainly occupied with creating or manipulating data associated with the organisations that owned it[4].  That could be sales data, stock data, logistics data, design data, or personnel data, for instance.  It then also started to be intellectual property data such as legal documents, patent applications and the texts of books.  Passwords allowed the owners of the systems to decide who should have access to that data, and the processes to make changes.  And then something new happened.

People started getting their own computers.  You could do your own accounts on them, write your own books.  As long at they weren’t connected to any sort of network, the only passwords you really needed were to stop your family from accessing and changing data that wasn’t theirs.  What got really interesting, though, was when those computers started getting connected to networks, which meant that they could talk to other computers, and other computers could talk to them.  People started getting involved in chatrooms and shared spaces, and putting their views and opinions on them.

It turns out (and this should be of little surprise to regular readers of this blog) that not all people are good people.  Some of them are bad.  Some of them, given the chance, would pretend to be other people, and misrepresent their views.  Passwords were needed to allow you to protect your identity in a particular area, as well as to decide who was allowed into that area in the first place.  This is new: this is about protection of the party associated with the password, rather than the party whose resources are being used.

Our data now

What does the phrase above, “protect your identity” really mean, though?  What is your identity?  It’s data that you’ve created, and, increasingly, data that’s been created about you, and is associated with that data.  That may be tax accounts data that you’ve generated for your own use, but it may equally well be your bank balance – and the ability to pay and receive money from and to an account.  It may be your exercise data, your general health data, your fertility cycle, the assignments you’ve written for your university course, your novel or pictures of your family.  Whereas passwords used to be to protect data associated with an organisation, they’re now increasingly to protect data associated with us, and that’s  a big change.  We don’t always have control over that data – GDPR and similar legal instruments are attempts to help with that problem – but each password that is leaked gives away a bit of our identity.  Sometimes being able to change that data is what is valuable – think of a bank account – sometimes just having access to it – think of your criminal record[5] – is enough, but control over that access is important to us, and not just the organisations that control us with which we interact.

This is part of the reason that ideas such as self-sovereign identity (where you get to decide who sees what of the data associated with you) are of interest to many people, of course, but they are likely to use passwords, too (at least as one method of authentication).  Neither am I arguing that passwords are a bad thing – they’re easy to understand, and people know how to use them – but I think it’s important for us to realise that they’re not performing the task they were originally intended to fulfil – or even the task they were first used for in a computing context.  There’s a responsibility on the security community to educate people about why they need to be in control of their passwords (or other authentication mechanisms), rather than relying on those who provide services to us to care about them.  In the end, it’s our data, and we’re the ones who need to care.

Now, which of my children should I use as my password: Joshua or Rache…?[6]

1 – that is “tell the difference”, rather than make prejudice-based choices.

2 – “movie”.

3 – such as, say, the ability to start a global thermonuclear war.

4 – or “them”, if you prefer your data plural.

5 – sorry – obviously nobody who reads this blog has ever run a red light.

6 – spot the popular culture references!

Change, refuse, report

I’m busy over the next couple of days, and wasn’t going to post, but the issue is important, so I’m taking a few minutes to post.

There are some nasty extortion/blackmail emails out there at the moment.  People are being emailed, with a the subject line including a real password, and told to send fairly large amounts of bitcoin in order to stop incriminating or embarrassing material being spread to friends, family and the public.  Here’s what you should do.

Change

Change your passwords.  Particularly if the one that was quoted in the title or email body is current. Use a password manager, follow the advice here: The gift that keeps on giving: passwords.

Refuse

Refuse to pay.  Don’t even contact the sender.  Even if you’re worried that the material may exist or the threat is real.

Report

Report it to your local law enforcement agency: particularly if you’re concerned that this may be a real threat to you.  There are steps that law enforcement can take, and they can help you.

 

That’s it: be safe, and let’s shut down these criminals by not playing their game.

I got phished this week: what did I do?

I was a foolish – but was saved by my forward planning.

The first thing I did was not panic.  The second was to move quickly.

But what happened to get to this stage, you may ask, and how could I have been so stupid?  I’ll tell you the story.

Every day, like most people, I suspect, I get lots of emails[1].  I have a variety of email accounts, and although I’m sure that I should be more disciplined, I tend to just manage them as they come in.  First thing in the morning, though, I tend to sit down with a cup of tea and go through what’s come in an manage what I can then.  Most work emails that require more than a glance and a deletion[2] will wait until later in the day, but I like to deal with any home-related ones before breakfast.

The particular email I’m talking about came in overnight, and I was sitting down with my cup of tea[3] when I noticed an email from a company with whom I have a subscription.  The formatting was what I’d expect, and it looked fine.  It was asking me to change my payment details.

“Danger!” is what you’ll be thinking, and quite rightly.  However, I had some reasons for thinking that I might need to do this.  I’ve recently changed credit cards, and I was aware that there was quite a high likelihood that I’d used the old credit card to subscribe.  What’s more, I had a hazy recollection that I’d first subscribed to this service about this time of year, so it might well be due for renewal.

Here’s where I got even more unlucky: I told myself I’d come back to it because I didn’t have my wallet with me (not having got dressed yet).  This meant that I’d given myself a mental task to deal with the issue later in the day, and I think that this gave it a legitimacy in my head which it wouldn’t have got if I’d looked at it in the first place.  I also mentioned to my wife that I needed to do this: another step which in my head gave the task more legitimacy.

So I filed the mail as “Unread”, and went off to have a proper breakfast.  When I was dressed, I sat down and went back to the email.  I clicked on the link to update, and here’s where I did the really stupid thing: I didn’t check the URL.  What I really should have done was actually enter the URL I would have expected directly into the browser, but I didn’t.  I was in a rush, and I wanted to get it done.

I tried my account details, and nothing much happened.  I tried them again.  And then I looked at the URL in the browser bar.  That’s not right…

This was the point when I didn’t panic, but moved quickly.  I closed the page in my browser with the phishing site, and I opened a new one, into which I typed the correct URL.  I logged in with my credentials, and went straight to the account page, where I changed my password to a new, strong, machine-generated password.  I checked to see that the rest of the account details – including payment details – hadn’t been tampered with.  And I was done.

There’s something else that I did right, and this is important: I used a different set of account details (username and password) for this site to any other site to which I’m subscribed.  I use a password keeper (there are some good ones on the market, but I’d strongly advise going with an open source one: that way you or others can be pretty sure that your passwords aren’t leaking back to whoever wrote or compiled it), and I’m really disciplined about using strong passwords, and never reusing them at all.

So, I think I’m safe.  Let’s go over what I did right:

  • I didn’t panic.  I realised almost immediately what had happened, and took sensible steps.
  • I moved quickly.  The bad folks only had my credentials for a minute or so, as I immediately logged into the real site and changed my password.
  • I checked my account.   No details had been changed.
  • I used a strong, machine-generated password.
  • I hadn’t reused the same password over several sites.

A few other things worked well, though they weren’t down to me:

  1. the real site sent me an email immediately to note that I’d changed my login details.  This confirmed that it was done (and I checked the provenance of this email!).
  2. the account details on the real site didn’t list my full credit card details, so although the bad folks could have misused my subscription, they wouldn’t have had access to my credit card.

Could things have gone worse?  Absolutely.  Do I feel a little foolish?  Yes.  But hopefully my lesson is learned, and being honest will allow others to know what to do in the same situation.  And I’m really, really glad that I used a password keeper.

1 – some of them, particularly the work ones, are from people expecting me to do things.  These are the worst type.

2 – quite a few, actually – I stay subscribed to quite a few lists just to see what’s going on.

3 – I think it was a Ceylon Orange Pekoe, but I can’t remember now.