Information Security News
The security awareness newsletter for YOUR COMPANY
March 2011
In this issue:
5 Simple Netiquette Rules to Follow at Work
Moms and Maiden Names: Protecting yourself and your children on social networks
Building Better Security Into Passwords
Putting Bio Into Security: The current and future states of biometric security
Plus Monthly Regulars including Incident Response & Coming Soon!
Identification & Authentication Methods

Identify Yourself!

Your face is your identification. Right? Maybe. Your name is your ID. Right? No, not really. Your password is your identification. Right? Nope. Identification of a person – you – in the digital domain is not nearly as simple as you might think.

In the ‘old days’, the Middle Ages, a person carried his ‘patents’, handwritten documents that proved one’s identity and lineage. (Remember the movie “A Knight’s Tale” and you’ll get the idea.) There was a tremendous amount of trust and belief in the integrity of the ID papers that officials carried. Fraud? Possible but merely occasional.

The late 20th century, in retrospect, treated identification very simply. The bank manager knew you and you could withdraw money with a simple ‘hello’. The grocer and hardware store knew you and you could ‘charge it’ as you walked out of the store, without an actual ‘charge card’ (or credit card). Identification for air travel was no more complicated than holding a boarding pass, in almost any name: it didn’t matter if the name on the boarding pass matched your ID, since they only looked at the boarding pass before letting you on the plane. (Not like today, by any stretch.) Even in the early days of the internet and e-commerce, before fraud had reached mammoth proportions, your name (actually, any name) and a credit card number was all it took to buy a TV or a book or shoes.

The problem with that bygone era of naïve identification was its inherent simplicity and trust in the goodness of people. But with online crime reaching over $1 trillion annually (an incredible figure from a 2009 study), something had to be done.

Banks always had an extra incentive to provide strong authentication, and perhaps nothing more than the introduction of the ATM, or cash machine, caused a fast rethink of what is meant by strong ID. ATM cards were functionally a no-brainer, aimed at simple use by the consumer, and that procedure is still in use today. The bank issues a card with a mag stripe containing some personal data about you. This is called ‘Something You Own’. Upon inserting the card into the ATM, you are prompted for a password. This is known as ‘Something You Know’. In security parlance, this is a Challenge Response mechanism. The card by itself is insufficient to get cash, but with the added level of security provided by a passcode, usually a 4-digit number, voila! You get your cash.

After several years, this form of Two Factor Authentication became the norm. Weak though one might consider the ATM method, it has largely worked over the years, with the most successful attacks being:

1. Roping the ATM with a chain and tugging it off its foundation with a truck. The bad guys load it up and break in from a distance.
2. Installing a fake ATM machine in a retail location. Consumers inserted their cards and punched in their personal codes, and then were told the machine was broken. In reality the fake ATM captures and stores the contents of the mag stripe and the password. Later, the thieves make ersatz ATM cards, and they have your password. Cash in their pocket.

Fast-forward several years and enter the online world of fraud and paranoia about ID theft. Today, if you want to pay online with a credit card, it seems as if you have to provide your entire life history. In fact, though, the credit card authorization process often includes:

1. Something you know: your name, address, credit card number and expiry date.
2. The magic 3- or 4-digit code on the back or front of the card: something you own.
3. Sometimes you need to identify a picture or icon as further authentication.
4. There might be a ‘Captcha’ to prove you are a human and not a hacking machine.
5. A security question you have to answer, like “color of first car”.

In theory, if your credit card is stolen electronically, the bad guys won’t know enough to impersonate you. Also in theory, if your physical card is stolen, they can’t use it without your ID and signature. However, despite the Something You Know & Own approach, realistically they could still use your credit card, because much of your personal data is easy to find once they have your name, and with that information they could impersonate you well enough to use your card. That’s why, often today, you will be asked an additional security question like what is your favorite car, mother’s date of birth and so on. Still something you know, but more importantly, something the bad guys won’t know without putting in extra effort. (Though we would highly recommend that birthdays be removed as identifiers these days, since so many people post theirs on social networks!)

Two Factor Authentication is becoming the norm, more and more. Credit cards often require a picture ID, as does a boarding pass. Even Amtrak requires picture ID. This is far from perfect, but still provides an additional layer of Identification & Authentication (I&A).

In the coming years, your ATM card and credit card will be incorporating a third possible means of identification: Something You Are. You are your fingerprint. You are your retinal scan, hand geometry and facial capillary structure. The biological you can even constitute the way you type, the way you speak and other features which make you unique. In a few years, you will have a fingerprint sensor on your keyboard to make purchasing from eBay, Amazon or other online vendors more secure. At 7/11, you will have to insert your credit card and your finger to validate a charge.

Identification alone is pretty useless. Identification with authentication – the Challenge Response – has finally taken over, to the great relief of insurers and fraud specialists. The next big change will be to enhance I&A with the biometrics of Something You Are. If the security and risk analyses are correct, we will also be a lot better off with this additional layer of security and hopefully be able to reduce the hundreds of billions of dollars that are lost every year to fraud.

Incident Response
Report all security incidents immediately!
Moms and Maiden Names

Some of us love Facebook. And some of us love to hate it! Regardless of our feelings about it, social networking is here to stay and we can continue to enjoy all the good things this connectivity can bring. You know you need to watch your security and privacy settings. You know you need to be cautious about what you post. You know there are LOTS of good AND bad guys out there looking.

But let us point out a special security concern for married women. This security concern is the maiden name. Additional security authentication (to banks and other online transaction sites) often includes questions for secondary identification, password verification, and recovering a password by asking for a simple, seemingly innocuous piece of information: Mother’s maiden name. Women who put up their maiden name on a social network page can become more vulnerable to identity theft because this single data point is so often used. That much is obvious.

But there is another person potentially at risk here. A child. If your children (note this is for ALL aged children) are also listed in your profile, then your kids have another piece of information out there for identity thieves to grab. What is your mother’s maiden name? Kids get this question often when setting up accounts, logins, etc. and they probably won’t hesitate to use this as an authentication method.

We all know that if someone wants to find out your private information badly enough, it can be found. However, we CAN make it more difficult by refusing to use this type of info when identifying ourselves electronically or when filling out forms. Pick another question/answer than something so often used for critical identification. If you don’t need your maiden name included on your public profile, don’t put it there. Be mindful of what you post and be aware of what is posted about you.
555.555.1212 x321 • contact@response.com
Building Better Security Into Passwords

Have you changed your password recently? Is your password too easy? Are your passwords safely stored? You haven’t shared your password, have you? Sound familiar? Redundant? Like old news? Despite years and years of education, computer users both at work and at home are still using overly simple and guessable access codes like “password1!”—or simply attaching a few numbers, like “123,” to the end of a simple word. And don’t forget that computers are not limited to desktops and laptops. We have tiny computers called cell phones, smart phones, PDAs, tablets and who knows what else will come out next week? Just how many times a day must we login or logon? Passwords, passcodes, passphrases are just part of life and we are responsible for making them difficult for someone else to guess, but NOT difficult for us to remember.

The problem with weak, guessable passwords has been known for more than thirty years, and the problem is not going away anytime soon; passwords still represent the vast majority of authentication methods used for corporate, personal and mobile applications. Users must now create several, often dozens, of passwords for different systems and then must change them every 60 or 90 days, both according to their own corporate policy and also in order to remain as security aware as possible in their own personal password uses.
It’s understandable that many users choose the least complicated password that their systems allow, and make only minor variations when forced to change them. Users also take that same approach to their home and personal account passwords. Why? It’s just easier. Unfortunately for users - but good for the bad guys - such passwords are often just too easy to guess. Easy passwords lie at one end of the password spectrum. At the other end of that scale are passwords that are randomly generated by software, but they are difficult for users to remember because they aren’t based on real words or any sort of recognizable pattern (and therefore, are much harder for password crackers to crack). So what’s a decent middle ground? Here are a couple of ideas that may help you build strong, hard-to-guess but easy-to-remember passwords whether you’re at home, at the office, or accessing business systems remotely:
1. What is the maximum size password you can use and what sort of characters are permitted? Some older systems were limited to eight characters, which is by no means sufficient to protect against even the simplest password hacking tools.
2. Can your business systems distinguish between UPPER CASE and lower case alpha (A-Z, a-z)?
3. Which special characters are permitted? (!@#$<{? etc.) Some characters may be specifically excluded.
4. Do you have a list of the password requirements for every system you need to access? For example: minimum 12 characters, maximum 48 characters, 0-9, UPPER/lower and these special characters. (Don’t write down the passwords! But it will make it easier if you know and can refer to the rules.)
5. How often do they need to be changed?

Now it’s strategy time. One of the most popular techniques that security experts like to use is creating a passcode based on song titles, lyrics, book/movie titles or phrases and other easy-to-remember, hard-to-guess character sequences. Then you apply a personal algorithm (a simple process and set of rules) to generate a fairly large number of easier-to-remember and harder-to-crack (or guess) access codes. See how this might work. Let’s try it with a simple song lyric, but you can easily select any song that works for you.
What is your password policy? How often must you change them? If you don’t know your company’s password policy, find out today!
Somewhere over the rainbow

The first letters are: sotr

Let’s first alternate UPPER and lower case: SoTr

Now, pick a four-digit sequence you will easily remember: 2323 (Michael Jordan fans can relate)

The 8-character access code generated from this method could be: S2o3T2r3

Let’s say you want to make it stronger; after all, this is only 8 characters. You could add a special character after each number, making it: S2@o3#T2@r3#

Now it’s 12 characters but no harder to remember. Do you understand why? Look carefully. We added the special character that shares a key with each number on a standard keyboard. Play with this approach and see how you can use the same personal algorithm, and how easy it is to come up with many, many variations of a passcode, all based on things you already know and remember.

No one trick is right for everyone. Another approach that you might prefer, when longer passwords are permitted, is to use a complete phrase of long but reasonable length: HumptyDumptySatOnAWall

That’s 22 characters, but none are special, so let’s add some strength: Humpty1Dumpty2Sat3On4A5Wall6

Now we have 28 characters, each word separated by a single numerical digit. Longer to type, yes, but still fairly easy to remember. Play with these types of variations for your personal and business accounts. You will, with a little practice, come up with a method that works for you. At home, you can test your algorithm and your passwords at http://www.hammerofgod.com/passwordcheck.aspx. As always, follow company policies and procedures when accessing the internet from any company machine or mobile device. Keeping passwords simple for you, with just a few personal twists, can give you incredible front-end security.
How did we do? We tested our sample passcodes. Check out the results!

Password                        How Long to Crack?
sotr                            .00034 seconds
SoTr                            .0063 seconds (20 times better, but still poor)
S2o3T2r3                        44.89 hours (pretty decent for an 8-character password)
S2@o3#T2@r3#                    708,581 years (12 characters)
HumptyDumptySatOnAWall          1.185 sextillion years
Humpty1Dumpty2Sat3On4A5Wall6    2.7 decillion years
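As an added worked example (not the newsletter's own code), here is the lyric recipe and the phrase recipe above implemented in Python, producing every intermediate stage the article shows, together with the size of the search space a blind brute-force attacker would face, which is what a "how long to crack" meter like the one the article links to is estimating. The US-keyboard digit-to-symbol mapping and the source phrase "Humpty Dumpty sat on a wall" are assumptions taken from the article's own examples.

```python
# Added example: the "personal algorithm" password recipe from the article,
# step by step, plus the brute-force search space behind "how long to crack" tables.
import math
import string

# US keyboard layout: the symbol printed on the same key as each digit. This is
# the "special character associated with each number" the article refers to.
SHIFTED_DIGIT = {
    "1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
    "6": "^", "7": "&", "8": "*", "9": "(", "0": ")",
}


def first_letters(phrase):
    """Take the first letter of each word: 'Somewhere over the rainbow' -> 'sotr'."""
    return "".join(word[0].lower() for word in phrase.split())


def alternate_case(letters):
    """Alternate UPPER and lower case, starting with upper: 'sotr' -> 'SoTr'."""
    return "".join(c.upper() if i % 2 == 0 else c.lower()
                   for i, c in enumerate(letters))


def interleave_digits(letters, digits):
    """Follow each letter with one digit of a memorable sequence:
    ('SoTr', '2323') -> 'S2o3T2r3'. Digits are recycled if the phrase is longer."""
    if not digits.isdigit():
        raise ValueError("digit sequence must contain only 0-9")
    return "".join(c + digits[i % len(digits)] for i, c in enumerate(letters))


def add_shifted_symbols(code):
    """Follow each digit with the symbol on its key: 'S2o3T2r3' -> 'S2@o3#T2@r3#'."""
    return "".join(c + SHIFTED_DIGIT[c] if c in SHIFTED_DIGIT else c for c in code)


def lyric_passcode(phrase, digits):
    """The full four-step lyric recipe, returning every stage in order."""
    stage1 = first_letters(phrase)
    stage2 = alternate_case(stage1)
    stage3 = interleave_digits(stage2, digits)
    stage4 = add_shifted_symbols(stage3)
    return [stage1, stage2, stage3, stage4]


def camel_phrase(phrase):
    """Join the capitalised words: 'Humpty Dumpty sat on a wall' -> 'HumptyDumptySatOnAWall'."""
    return "".join(w.capitalize() for w in phrase.split())


def numbered_phrase(phrase):
    """Append a counting digit to each word: -> 'Humpty1Dumpty2Sat3On4A5Wall6'."""
    return "".join(f"{w.capitalize()}{i}"
                   for i, w in enumerate(phrase.split(), start=1))


def brute_force_bits(code):
    """log2 of the search space a blind brute-force attacker must cover, assuming
    they know only the length and which character classes are present. This is the
    model behind "how long to crack" tables; it says nothing about guessability from
    dictionaries or well-known lyrics, so treat it as an upper bound on strength."""
    if not code:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in code):
        alphabet += 26
    if any(c.isupper() for c in code):
        alphabet += 26
    if any(c.isdigit() for c in code):
        alphabet += 10
    if any(c in string.punctuation for c in code):
        alphabet += len(string.punctuation)  # the 32 printable ASCII symbols
    return len(code) * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed inputs: the article's own lyric, digit sequence and nursery rhyme.
    for stage in lyric_passcode("Somewhere over the rainbow", "2323"):
        print(f"{stage:32} {brute_force_bits(stage):6.1f} bits")
    for code in (camel_phrase("Humpty Dumpty sat on a wall"),
                 numbered_phrase("Humpty Dumpty sat on a wall")):
        print(f"{code:32} {brute_force_bits(code):6.1f} bits")
```

The bit counts grow exactly as the table's crack times do, because both model an attacker who tries every combination blindly. They do not account for an attacker who starts from a list of popular lyrics and simple digit patterns, which is why the recipe's real strength depends on choosing a phrase and sequence that are personal rather than famous.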
Putting Bio into Security

Humans forget things and lose things. These are two of the reasons that password security is so inherently weak. We have hundreds of passwords and access codes for the myriad aspects of our online lives at work, at home, for fun, education and shopping. Tokens, the Something You Own component of Identification and Authentication, can easily be lost. Unless you write down your password on the back of the token, though, the danger of someone gaining access to your accounts is small. But you won’t have access either, and that can be a pain, expensive and time-consuming.

The Something You Are component of I&A is developing fast, and we are all going to experience it first hand. Here’s what we’re going to see. You may find yourself interfacing with many of these I&A methods in the coming years, at work, at home and wherever you conduct business. Expect to see more and more appearing, especially in the transportation and financial areas, sooner rather than later. In the meantime, you should definitely follow recommended password creation methods and do your best not to lose the Something You Own component of your I&A.
Fingerprint identification is already used on some USB drives for security and some keyboards already have thumbprint readers built in. Great, except Amazon, eBay and others are not on board yet. They will be. We will be seeing thumbprint scanners for retail credit card purchases in the next 24 months with your thumbprints built into the credit and debit cards. If you lose your thumb(!), though, no worries. Many of the new fingerprint technologies also look for body heat and a pulse.
Voice recognition is used more and more for voice-based telephone transactions, customer service, travel reservations and just about anything else during which a human can be replaced. Cell phones are providing better voice management capabilities and talking to your computer is something humans can be trained to do. For security, though, this often-hyped technology is not good enough to provide accurate unique identification without false positives and negatives. Give it ten years.
Did you know that your face is unique? Truly unique? In this case, security is truly skin deep. Underneath your epidermal layers, blood flows through capillaries, and our capillary structures are as unique as our fingerprints. No matter how much makeup or facial disguise a bad guy might use, or if you have an awful cold, or are wearing a mask or scarf, your capillaries remain unique and constant. This technology is expensive but works at distances of 50 meters or more. It has seen substantial use scanning large crowds, looking for known criminals or persons of interest where proximity is a problem.
Some of us have already had our retinas scanned for unique and exceptionally strong access control. The popularity with the public, though, is low due to an inherent fear of putting your eyeball next to a laser, no matter how safe it might be.
Some security portals use hand geometry as a unique security identification method with reasonable accuracy. However, carpal tunnel, arthritis, cuts, scrapes and other slight deformities can make these I&A machines almost useless. Fingerprints win out by a mile since they can be so easily embedded into thin film technologies (like on credit cards) and the readers are so much smaller.
“Authentication is something you have, something you know, and something you are when you add biometrics. I think right now users see authentication methods as separate items. The technology is there, but the idea is not.” – Charles Kolodgy
5 Simple Netiquette Rules

You, of course, are a paragon of good security behavior at work. You also practice the optimal internet behavior at work. You do it right and proper. Always. Well, you would like to think so, right? No one is perfect, but we all need to be aware of our own behavior. How many of these social faux pas have you ever observed around you?

Rude e-mails (that can harm morale and reflect poorly on a company). It’s important to remember that anyone with a corporate e-mail address is a company ambassador with every note he or she sends.

Rude smartphone use. Talking too loudly in public areas is distracting to everyone around you. BlackBerries buzzing in meetings — and then responding to text messages or e-mails — shows you’re not interested in what’s going on around you. About two-thirds of employees say PDAs are a distraction in meetings, according to a Lexis-Nexis survey.

Too much social networking and not enough working. In fact, a 2009 survey estimates that companies lose 1.5 percent of total office productivity to the Book of Face.

Now, what can you do to improve and promote netiquette at the office?

1. PERFECT YOUR ONLINE BEHAVIOR. Getting offensive e-mails from coworkers, partners or customers? What would Mom or Aunt Libby do? Respond with professionalism and kindness, of course. If you’ve ever been frustrated with a customer service rep and lost your temper, they are trained to answer with, “If you insist on speaking like that, I will disconnect from this call.” As one expert wrote, “A better approach is to make the cretin realize how idiotic and childish she sounds by responding with polite and reasonable language.” From a security standpoint, it’s worth pointing out to the offender that if his comments were leaked or lost or posted on the internet, the company could be embarrassed or harmed. “Kill ‘em with kindness” is the go-to approach that HR professionals say works a vast majority of the time.

2. PUT IT IN WRITING. Spell out what you mean in writing, even the most seemingly obvious items. You need to know security policy and appropriate behavior in the office and online. You need to know the rules and expectations. And, when in doubt in either area, ask! Most of these are in writing and are explicit; some may be less clear as new technology introduces both security and netiquette questions. (Facebook comes to mind quickly!) At home, a simple set of expected security and netiquette guidelines for the family helps in both areas, too.

3. ACT QUICKLY. If you see a security breach, you need to respond immediately to minimize the potential for damage. Now, let’s say a colleague’s bad behavior festers. Act quickly, with the coworker or HR. This is most important when you need to correct a new hire’s behavior (if you’re his boss, of course). Maybe send a super nice, “Hi all, quick reminder of office protocol” e-mail to a BCC’ed list. (Even if there’s only one recipient, he’ll get the hint without the ego hit.) This approach works well with minor security breaches you might observe around the office, without causing undue embarrassment or having to reprimand the employee.

4. USE YOUR EXPERIENCE. “You know, I found an easier way to store passwords than writing them on a Sticky-Note. Can I show you?” is much better than a “You’re an idiot” comment. Aren’t you just the best co-worker known to man? Netiquette and security go hand-in-hand in so many areas as social networking, tweeting, texting and mobile computing proliferate. Not only do we need to learn how they need to be treated from a security standpoint, but how they are to be appropriately used and how they affect the organization, for good and for bad.

5. SEND THESE TIPS TO EVERYONE YOU KNOW. Obviously.
Coming Next Month: Cybercrime: It’s worse than you think • Nation-state Cyberwar • Targeted Whales • Mobile Cybercrime • Cybercrime VS Cyberwar