Archive for the ‘Uncategorized’ Category

Are your passwords strong enough to resist a brute force attack?

Passwords are just about dead. Many systems now offer “two factor identification.” You give them your cell phone number and you have to use both a password and a code number sent to  the phone for your log in.  But passwords continue. They are easy for administrators. They are part of the common culture.

Steve Gibson has the engineer’s “knack.” (See the Dilbert video here.) His company, Gibson Research Corporation (here), sells a wide range of computer security products and services. He also offers many for free. Among the freebies is Haystack: How Big is Your Haystack – and how well is your needle hidden? (here)  This utility provides a metric for measuring password security.

It is pretty easy to do yourself, if you like arithmetic. There are 26 upper case letters, 26 lower case letters, 10 digits, and 33 symbols (counting the space), for 95 printable ASCII characters in the common set. So an 8-character password has 95 to the 8th power possible combinations: 6.634 times 10 to the 15th power, or over 6-and-a-half quadrillion. If you could try a million guesses a second, it would take 6.5 billion seconds, or just over 200 years. (60 seconds/minute * 60 minutes/hour * 24 hours/day * 365.25 days/year * 200 years = 6.3 billion.)

Gibson Research makes all of that automatic. Just key in your password, and it tells you how long it would take to crack.

Cracking passwords is a “routine activity” for a hacker. They have tools.  At one meet-up for hackers, the speaker told us, “If you have to use brute force, you are not thinking.”  They do not type in a million guesses per second, of course. They have programs to do that. Also, most websites just do not allow that kind of traffic: you cannot do a million guesses per second. What the hackers do is break in to a site, such as Target, Home Depot, LinkedIn, or eHarmony, download all of the log files, and then, on their own time, let their software attack the data offline.

Also, hackers do not use the same computers that you and I do. They start with gaming machines because the processors in those are built for high-speed calculation. They then gang those multiple processors to create massively parallel computers.  The calculators from GRC show the likely outcome for brute force by both a “regular” computer and a “massive cracking array.”

If someone got hired today at a typical midrange American corporation, their password might just be January2016. If, like most of us, they think they are really clever, it ends with an exclamation point: January2016! Hackers have databases of these. They start with standard dictionaries, and add to them all of the known passwords that they discover.

One common recommendation is to take the first letters of a phrase known only to you and personal only to you. My mother had naturally red hair for most of her life. She was born in 1929 and passed in 2012. So, “My mother’s red hair came from a bottle” becomes mmrhcfab19292012. According to Gibson Research, brute force guessing with a massive cracking array would take over 26 centuries.

Gioachino Rossini premiered his opera, William Tell, in 1829. “William & Tell = 1829” would take a massive parallel cracking machine about 1 million trillion centuries to guess. On the other hand, a “false phrase” such as Five + One = 27 could not be done in under 1.5 million centuries.

Texas State Guard Maritime Regiment non-commissioned officers at leadership training. Only the one on your far right is a real Marine.

Remember, however, that a dictionary attack will crack any common phrase. With over 1.7 million veterans of the United States Marine Corps, someone—probably several hundred someones—has “Semper Fi” for a password. Don’t let that be you. A brute force attack would need only 39 minutes, but that is not necessary: a cracker’s dictionary should have “Semper Fi” in it already.
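The arithmetic above, the “massive cracking array” comparison, and the dictionary point can be put together in one small password-policy checker. This is an added example, not GRC’s Haystack utility or any code from the post. It assumes a guess rate of 1e14 per second for the cracking array and counts every password up to the given length rather than only the exact length; both are assumptions chosen because they reproduce the figures quoted in the post (39 minutes for “Semper Fi”, about 26 centuries for mmrhcfab19292012). The dictionary is a constructed stand-in for a cracker’s list of known passwords.

```python
import string

# Character classes as the post counts them: 26 upper, 26 lower, 10 digits,
# 33 symbols (32 ASCII punctuation marks plus the space) = 95 printable ASCII.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation) | {" "}

SECONDS_PER_YEAR = 60 * 60 * 24 * 365.25

# Assumed guess rates (guesses per second). 1e6 is the post's own figure for a
# single machine; 1e14 is an assumption for a "massive cracking array" that
# reproduces the centuries quoted in the post.
RATE_SINGLE_MACHINE = 1e6
RATE_MASSIVE_ARRAY = 1e14

# Constructed stand-in for a cracker's dictionary of known passwords.
KNOWN_PASSWORDS = {"password", "semper fi", "january2016", "letmein", "qwerty"}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume, given the character classes present."""
    chars = set(password)
    size = 0
    for cls, n in ((UPPER, 26), (LOWER, 26), (DIGITS, 10), (SYMBOLS, 33)):
        if chars & cls:
            size += n
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Passwords of exactly this length: alphabet ** length (95 ** 8 in the post)."""
    return alphabet ** length


def search_space(password: str) -> int:
    """Every password up to and including this length (exact integer, no overflow)."""
    c = alphabet_size(password)
    return sum(c ** n for n in range(1, len(password) + 1))


def brute_force_seconds(password: str, rate: float) -> float:
    """Worst-case time to exhaust the search space at the given guess rate."""
    return search_space(password) / rate


def describe(seconds: float) -> str:
    """Human-readable duration, in the units the post uses."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    years = seconds / SECONDS_PER_YEAR
    if years < 100:
        return f"{years:.1f} years"
    return f"{years / 100:.3g} centuries"


def normalise(password: str) -> str:
    """Undo the 'add an exclamation point' trick before the dictionary lookup."""
    return password.lower().rstrip(string.punctuation)


def assess(password: str, rate: float = RATE_MASSIVE_ARRAY) -> str:
    """Dictionary first; the brute-force estimate only matters for what it misses."""
    if normalise(password) in KNOWN_PASSWORDS:
        return "dictionary: cracked at once, brute-force estimate is irrelevant"
    return f"brute force: {describe(brute_force_seconds(password, rate))}"


if __name__ == "__main__":
    for pw in ["January2016!", "Semper Fi", "mmrhcfab19292012",
               "William & Tell = 1829", "Five + One = 27"]:
        print(f"{pw!r:26} {assess(pw)}")
```

Note the order of the checks in `assess`: January2016! scores well on the arithmetic (all four character classes, twelve characters) and is still rejected, because the strength figure only describes a guesser who knows nothing about people.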

(Above, I said that cracking passwords is a “routine activity” for a hacker. “Routine activities” is the name of a theory of crime. Attributed to sociologists Marcus Felson and Lawrence E. Cohen, routine activities theory says that crime is what criminals do, independent of such “social causes” as poverty. (See Routine Activity Theory on Wikipedia here.) That certainly applies to password crackers. Like other white collar criminals, they are socially-advantaged sociopaths. They are planfully competent, calculating their efforts against a selfish return.)

Be the change … for information privacy! Part 2

Posted: April 20, 2015 by IntentionalPrivacy in Uncategorized

Continued from Part 1

Case: Identity theft

I first became aware of identity theft in 1996 when my credit card number was stolen. I had rented a car, and my application had every piece of information that they could dig out of me, including a copy of the front and back of my credit card and my driver’s license. I can picture the rental agent leaving my file on the desk in her cubicle while she went to the car lot to check out a car for her next clients, who were sitting at her desk. While she was gone, they copied my information. At the time, I lived only a couple of hours away from the Canadian border. When the credit card company called to alert me because the card usage was not in line with my card profile, they told me somebody in Canada used my card to buy “services” over the phone. The charge was only $75, but it took forever to get it off my bill: paperwork, registered letters, phone calls, time, and frustration.

Of course, the car rental company (a nationwide chain) denied everything, but it was the only place I had used my card where the information was out of my sight, and the thieves had details such as my address.

Outcome: I persisted and eventually the charge was removed from my statement.

Case: Confidential information sent in email

We used the same accountant for years. One year after we completed the intake for our taxes, I asked him when we could stop back to pick up the completed forms. He said that he would email them to us. I asked if they would be encrypted and he said yes. I nodded and we left. Three days later, I received an email with our taxes attached as a PDF.

I was livid. I called his office, and asked why he had sent our taxes in an unencrypted PDF through email. He told me they were encrypted.

What he meant was that he filed taxes with the IRS using SSL encryption. He said that his IT staff told him they could not encrypt email attachments.

Email is not a secure method of communication. It may be transmitted using TLS encryption (the Transport Layer Security protocol encrypts the transmission between servers), but when a receiving email server does not accept encrypted transfers, your email is sent in unencrypted plain text.

I tried to explain to him that he could even use a compression program like WinZip (which I knew he had) with a shared password. Nope. He would not listen. I sent him a letter where I carefully explained cryptography and options for using it that were inexpensive and not difficult to implement. Then I explained that because he would not consider them, I was ending our business relationship. That was very difficult because our families had been friends for years.

Outcome: I changed our tax accountant.

Case: My financial institution leaked my information when they changed the monthly statement format.

I use online bill payment to pay most of my bills. I always reconcile my paper statement against my checkbook register. A couple of years ago when I glanced through my statement, I saw to my horror that both my social security number and my credit card number were printed in the transaction section of the statement. I realized that one of my Sallie Mae loans was using my social security number as the account number when they returned payment information.

I called the bank immediately.

The customer service representative did not understand my concerns. When I hung up, I wrote a letter to each board member at my financial institution and sent copies to Sallie Mae and my credit card company. The credit card company did not understand either, but Sallie Mae stopped using my social security number as my account number (which they should not have been doing anyway; it’s against the law).

Think about how many people this could have affected! If a breach of the banking website occurred, if someone at the printer looked through the statements, if the statements got lost in transit, if someone had stolen mail from a mailbox … there are a number of scenarios where statements could have been used by the nefarious.

Outcome: Sallie Mae changed my account number, and on the very next statement, only the last four numbers of my credit card number printed on my statement.

Case: Doctor’s office wants to submit my information to a research project.

I made an appointment with a new physician. Part of the paperwork was a permission form to submit my information to a research project. There was no ending date for permission to stop, no information about the research project, and no information about how they de-identified data. I asked the receptionist to clarify some of these details for me, so she called the nurse in charge of the research project. The nurse said de-identified data means that you cannot be identified. I asked her what specific identifying information they used in the study. Instead of answering me (I am pretty sure she did not know), she told me not to sign the form as the study was not being conducted any more anyway. Which brought up another question in my mind: If they were not using my information for a study, why were they asking me if they could use it?

Unfortunately, it takes very little data to identify someone by comparing identity information to public records such as voter registration. One such study conducted at Harvard University by Professor Latanya Sweeney showed that 87% of the population can be uniquely identified through three variables—a patient’s birth date, zip code, and gender.

Outcome: My information is not being used in a research project.
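The re-identification risk described in this case can be measured rather than argued about. The check below is an added example, not code from the post or from Professor Sweeney’s study. It runs over a constructed table of six “de-identified” records and a constructed public voter roll, counts how many records are unique on the three quasi-identifiers the post names (birth date, ZIP code, gender), links the voter roll against the table, and then repeats both steps after generalising the quasi-identifiers (birth year only, three-digit ZIP prefix), which is the standard way to raise a table’s k-anonymity.

```python
from collections import Counter

# Constructed sample of "de-identified" patient records: names removed, but the
# three quasi-identifiers kept in full.
RECORDS = [
    {"birth_date": "1961-03-04", "zip": "02138", "gender": "F", "diagnosis": "hypertension"},
    {"birth_date": "1961-03-04", "zip": "02138", "gender": "F", "diagnosis": "asthma"},
    {"birth_date": "1975-11-20", "zip": "02139", "gender": "M", "diagnosis": "diabetes"},
    {"birth_date": "1988-07-09", "zip": "02139", "gender": "F", "diagnosis": "migraine"},
    {"birth_date": "1975-02-14", "zip": "02138", "gender": "M", "diagnosis": "fracture"},
    {"birth_date": "1988-01-30", "zip": "02141", "gender": "F", "diagnosis": "influenza"},
]

# Constructed public record (a voter roll): names present, same three attributes.
VOTER_ROLL = [
    {"name": "Alex Example", "birth_date": "1975-11-20", "zip": "02139", "gender": "M"},
    {"name": "Carol Example", "birth_date": "1961-03-04", "zip": "02138", "gender": "F"},
]

QUASI_IDENTIFIERS = ("birth_date", "zip", "gender")


def _key(record, keys):
    return tuple(record[k] for k in keys)


def equivalence_classes(records, keys):
    """How many records share each combination of quasi-identifier values."""
    return Counter(_key(r, keys) for r in records)


def k_anonymity(records, keys):
    """A table is k-anonymous when every combination occurs at least k times."""
    return min(equivalence_classes(records, keys).values())


def unique_fraction(records, keys):
    """Share of records that are the only one with their combination (Sweeney's 87%)."""
    classes = equivalence_classes(records, keys)
    unique = sum(1 for r in records if classes[_key(r, keys)] == 1)
    return unique / len(records)


def reidentify(records, public_records, keys):
    """Link a named public record to a de-identified one when the match is unique."""
    by_key = {}
    for r in records:
        by_key.setdefault(_key(r, keys), []).append(r)
    found = {}
    for person in public_records:
        matches = by_key.get(_key(person, keys), [])
        if len(matches) == 1:
            found[person["name"]] = matches[0]["diagnosis"]
    return found


def generalise(record):
    """Coarsen the quasi-identifiers: birth year only, 3-digit ZIP prefix."""
    g = dict(record)
    g["birth_date"] = record["birth_date"][:4]
    g["zip"] = record["zip"][:3] + "**"
    return g


if __name__ == "__main__":
    print("full detail:  k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS),
          "unique =", unique_fraction(RECORDS, QUASI_IDENTIFIERS),
          "linked =", reidentify(RECORDS, VOTER_ROLL, QUASI_IDENTIFIERS))
    coarse = [generalise(r) for r in RECORDS]
    roll = [generalise(v) for v in VOTER_ROLL]
    print("generalised:  k =", k_anonymity(coarse, QUASI_IDENTIFIERS),
          "unique =", unique_fraction(coarse, QUASI_IDENTIFIERS),
          "linked =", reidentify(coarse, roll, QUASI_IDENTIFIERS))
```

With full dates and ZIP codes, four of the six records are unique and the voter roll recovers one diagnosis by name; after generalising, every combination occurs twice, so no record is unique and the link fails. That is the question the nurse could not answer: which attributes were released, and at what granularity.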

Case: My employer changed insurance companies

For the last 2 years, I have worked as a contractor. My employer decided to switch health insurance carriers. The experience was very disorganized from several standpoints, but from an information privacy perspective, it was a nightmare. The insurance company they chose (not Anthem)—very large and very old—combines a social security number with a three-digit employer code into an account number used for signing up. I called and asked if there was an alternative method of signing up. No.

Against my better judgment—since I needed medical insurance—I decided to sign up. The sign-up website is hosted by a benefits administrator subcontractor. Their privacy policies were a mess, mixing up personal pronouns with collective nouns in several places. A company that is careless about privacy policies often has gaps in other parts of their infrastructure.

Curious about how they treated passwords, I tried using a four-character password. It worked! Of course I changed it to something more secure immediately.

I wrote my employer and the insurance company’s senior management about my concerns, and sent copies to the US Department of Labor. The insurance company response explained that they and their benefit administrator used industry-standard security measures.

Two weeks later, the Anthem breach happened. So much for industry standards.

Outcome: I discontinued insurance coverage.

Case: Conference attendee information thrown in a wastebasket

I volunteer at events a couple of times a year. I like to work the registration desk because I meet a wide variety of people. As we were packing up the registration desk, I saw a listing of conference attendees—name, email, employer, and phone number—in the trash. I plucked it out, and said to the registration coordinator that the list should not be in the trash.

She said she did not have a shredder. I took the list home and shredded it myself.

The next day, I discussed it with the conference coordinator.

Outcome: New procedures to shred confidential information were implemented.

Ask questions. Speak up. Nobody cares more about your data than you do! If you see private information leaking, it is very important to point it out. If you do not want to take the time to do it for yourself, do it for your children and your grandchildren. Do it for your older family members. Do it for people who do not understand how important privacy is. Do it to protect your job.

The fallout from a breach affects customers (identity theft and raised prices), employees (lost jobs and closed stores), and stockholders.

Be the change you want to see!

Be the change … for information privacy! Part 1

Posted: April 20, 2015 by IntentionalPrivacy in Uncategorized

Personal information about us leaks every day in multiple ways.

A friend told me recently that he has no expectation of privacy, and that no one else should either. He thinks that a lack of privacy will affect each of the six generations (according to NPR) that are around today until we work out what information should be private and how to protect it:

  • The GI generation is anyone aged 90 or older; their probable privacy impact will be in the financial and medical information areas, or their identity could be stolen.
  • The Silent generation is between the ages 72 to 89; their probable privacy impact will be in the financial and medical information areas, or their identity could be stolen. The privacy impact could be greater if they are still working or using social media, email, or electronic banking.
  • Baby Boomers are those people between the ages 50 to 71, and they should think about the privacy of their information, especially if they still work. Many people in this generation use email, social media, and electronic banking. So tax returns, financial information, medical information, and other confidential information could be affected. Like every generation, they should protect themselves, their school-aged children, and elder family members against identity theft.
  • Generation Xers are between the ages 35 to 49 and they should definitely consider privacy issues; many are far too free with their information on social media and through email. Financial information, medical information, and other confidential information are just some of the areas that could be affected, but they also must consider privacy issues for their children and elder family members. Like every generation, they should protect themselves, their school-aged children, and elder family members against identity theft.
  • Millennials are between the ages 14 to 34; these people should definitely be concerned about the privacy of their information; many people in this age group are far too free with their information. Sometimes people in this age group even post photos of their credit card on Facebook (argh!). Financial and medical information, and other confidential information are just some of the areas that could be affected, but they also must consider privacy issues for their children. They should protect themselves and their school-aged children against identity theft.
  • Generation Z (also known as the iGeneration) are children between the ages one to 13. Children have to depend on the ability of other people to protect their information. For instance, some parents do not understand that they need to check their children’s credit ratings as well as their own. By the time a child has reached an age where he or she can take out credit, their identity could have been stolen and their credit ruined. Bad credit can affect a person’s ability to get a job, rent or buy a home, or buy a car.

Most people do not understand the need for information privacy (until it affects them) and many organizations—because they are made up of people—do not understand either.

So, what do you do when you realize that an organization is not protecting your private information? Explain to them the change you want to see. I start with a phone call to customer service and if I do not achieve my goal, then I write letters to executives and send copies to regulatory agencies. I may not achieve the results I wanted, but I let them know that if they cannot address my issue, I will choose to move (whenever possible) to a different organization that is more supportive of my needs.

Maybe the organization will not listen this time, but they may be more receptive for the next customer.

Part 2 delivers case histories.

Want a good reason to back up your devices?

Posted: January 5, 2015 by IntentionalPrivacy in Uncategorized

Read Alina Simone’s story in the New York Times, “How My Mom Got Hacked.” Lessons learned, she says, are:

1. Back up your stuff!

2. Keep your operating system and applications patched!

3. Do not open email attachments!

On 11/24/2014, the Guardians of Peace (#GOP) announced on Reddit that they had hacked Sony Pictures Entertainment’s network, alleging that #GOP had stolen 100 terabytes of data. The stolen data laid out for public consumption in various data dumps around the Internet included both employee information—social security numbers, dates of birth, medical records, salary information—and corporate information—spreadsheets containing Sony layoff information, business plans, their network architecture, movie scripts, and even actual movies—and other confidential information. Then the attackers destroyed data to emphasize that their demands were serious.

While Sony has not commented much publicly except to yank The Interview (formerly scheduled to be released on Christmas Day), there has been considerable speculation on the person or groups responsible. The story—as we know it at this moment—sounds like a movie plot. (Are you listening Sony? When ya gonna make this movie?) There are spies, hacking, extortion … all the elements of a great plot … except a hero/heroine.

Sony, you get to play the whimpering coward sniveling in the corner. Who is going to step up to be the hero or heroine? That is the real question. Bonnie Tyler says it best, I am holding out for a hero/heroine.

As I see it there are four possible hacker group combinations:

  • The North Koreans hacked Sony because of the movie Sony produced called The Interview. It’s a comedy, and probably not a very good one.
  • One or more disgruntled Sony employees took the data. To look for possible disgruntled employees, let’s count: How many people has Sony laid-off?
  • The North Koreans and the disgruntled employees (and possibly other groups) separately hacked Sony.
  • The North Koreans managed to get someone inside Sony.

In my opinion, stealing 100 terabytes of data took some time and someone inside Sony had to help. How did they get the data out? USB drives? According to Numion.com, to download 100 terabytes at 10 Gbps with 50% overhead would take over 33 hours! Also, the data sounds like it’s very organized. Whoever stole it knew where to look and what to take and what to post first to make it hurt. It has a personal feel to it. No, it’s more than the North Koreans.

For a more in-depth analysis of the hackers, read Why the Sony hack is unlikely to be the work of North Korea.

North Korea: if you’re reading this, it’s just a movie. Get a sense of humor! Americans have made several movies about US presidents getting assassinated; here are a few examples:

And of course, Wag the Dog cannot be left out of any movie list that discusses the death of a president’s political life.

I agree with President Obama that pulling the movie was a mistake. This is not a movie that I would have wanted to see, much less paid for. If you’d let it run, it would have been a brief news article, a week or two in the theaters and then … consigned to the $5 bin in Walmart. Now I want to see it!

However, there are some lessons we can all learn here:

  • Email is not private. Before you send any email, decide how you would feel if it ended up on the front page of the New York Times.
  • This is not the first time Sony has been publicly hacked. Remember the PlayStation Network debacle in April 2011, which affected 77 million customer accounts? This was followed by an attack May 2, 2011, on 24.5 million accounts at Sony Online Entertainment. Did Sony learn anything from those two incidents? Apparently not.
  • Compliance is not security! Doing the minimum necessary to comply with a law or laws is not enough to keep your corporate or personal information safe.
  • Just because you have a security breach doesn’t mean you have to lose 100 terabytes of data. What were Sony’s security people doing?
  • If the company you work for does not take information security and privacy seriously, find someplace else to work. According to Forbes.com, citing leaked emails, Sony had 195 security breaches from September 1, 2013 through June 30, 2014. However, it’s hard to determine the seriousness of the incidents from the information presented in the article. Were any of these breaches about tons of data spewing from Sony?

How can you tell if your employer is taking information security and privacy seriously? Do they say “information security is important” but cut the budget? Do they train employees on information security and privacy? Do they patch their systems and keep their software updated? Have they had a breach? What did they do?

  • If the company that you buy goods or services from does not protect your information, take your business elsewhere.

Vote with your feet and your money! Protect your information; there’s no one that it matters more to than you.

My bottom line? I’m outraged—both at Sony’s sloppy information security practices and their cowardice.

Codes and Ciphers

Posted: December 23, 2013 by uszik11 in Uncategorized

Codes and ciphers are about more than sending secret messages, though there is that.  When the first public key cryptosystems were being publicized in the 1970s, authentication was a suggested application.  How do you validate a digital signature?  If you have the answer to the public key question, then you must hold the authenticating string. Although the first Diffie-Hellman knapsack system was later exposed for weaknesses, the problem itself and the algorithms for instantiating it remain as possible platforms. Others have been invented since.

Whether or not you rely on cryptography, and independent of which (if any) system(s) you choose, codes and ciphers are in and of your daily world. They make credit card transactions and cellphone handshaking possible. They allow the efficient compression of messages. In fact, the common zip command on your computer is one way to encipher any message. It is easy to break, but the message is no longer in plaintext. Many other simple systems are available, no better or worse than the Yale or Schlage lock on your front door: they do stop all honest people and many who are not.

This week, news about more of Edward Snowden’s leaks revealed that RSA (now an EMC label) took $10 million from the NSA and installed weaknesses to allow backdoors to its encryption.

Of all the secret messages from World War II, many remain unbroken. The need is gone. A code or cipher only needs to be as good as it needs to be.  Of all the “unbreakable” codes, the one-time pad and the dictionary code remain easy and effective.


All About Unbreakable Codes (1983)

In the University of Texas library stacks, looking for the early history of word processors, I was in the Zs and discovered that my book on codes and ciphers was actually checked out. It took three editions to get it right. The first 3000 years were easy enough to understand. I wrote programs in Basic that transposed and substituted right up through the Playfair and Vigenere ciphers. RSA was a tough nut to crack; and I finally just cut-and-pasted one of their own graphics and quoted their own abstract.

As the IBM-PC finally overtook the TRS-80, other amateur cryptographers published more complete books of programs for personal computers.  By 1993 or so, with Phil Zimmermann’s PGP becoming common in sig lines and footers, applied personal cryptography sped light years past high school algebra in Basic. PGP is now part of the Symantec suite.

– Michael E. Marotta (uszik11@gmail.com)

A new vulnerability reported at bugtraq on December 11, 2012, has just come to my notice.  The compromise occurs if you visit a website displaying an ad containing the exploit, even so-called safe sites like YouTube or the New York Times. If you have any version of Internet Explorer open on a compromised website–even if the page is minimized or you’re not on the page–your mouse cursor movements can be tracked.

Microsoft’s position as stated in this article http://www.securityweek.com/microsoft-ie-mouse-tracking-exploit-poses-little-risk is that this vulnerability would be very difficult to exploit.

There is a demo of this issue in Internet Explorer at http://iedataleak.spider.io/demo. All I could see displayed was when the CTRL, SHIFT, or ALT keys were pressed; no other keys displayed. I could, however, tell when the browser window was dragged to my other screen. Note: Spider.io has a demo game set up. In order to play the game, they want you to log in with your Twitter account. I do not recommend signing into any site with credentials from Facebook, Twitter, LinkedIn, or any other social media site.

As stated in the article, the demo does not work if the URL is entered into a Firefox web browser.

My suggestion is to only use Internet Explorer if necessary, and to close any browser–IE, Firefox, Chrome, whatever–when you are done using it, especially if it has ads on it.

Oracle, maker of Java, does not have a good track record for fixing holes in Java. A new Java security hole that targets Java 7 (some researchers think it also affects some versions of Java 6) was discovered recently. What options do you have for fixing the problem?

  1. The safest thing to do is to uninstall Java from your computer. If that’s too extreme, then uninstall Java plugins. KrebsOnSecurity has an article listing how to disable Java in Firefox, Internet Explorer, and Google Chrome, which you can access here https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/
  2. If you need to use Java for some sites, then the safest thing to do is to use two browsers and disable the Java plugin for the browser you use most often. For example, disable Java in Firefox and use Internet Explorer for the sites that absolutely must use Java. If you decide on this solution, make sure you keep Java up to date.
  3. Another viable option is to use Firefox with the NoScript plugin, available at http://noscript.net/getit. NoScript allows you to choose when to allow JavaScript to run. NoScript can also block Flash Player, which is another problematic plugin.
  4. If you have a PC, make sure you run Secunia’s Personal Software Inspector available here http://secunia.com/products/consumer/psi/ at least weekly to keep up with any updates available for all of your programs.

This vulnerability affects Macs as well as PCs. Only visiting “safe” sites will not help you avoid this issue.

Oracle released an update to fix this issue last night.

Don’t wait! Save your computer, save your information.

Seattle “Creepy Cameraman”

Posted: November 4, 2012 by IntentionalPrivacy in Issues, Privacy, Uncategorized

Several online blogs have written about Seattle’s “Creepy Cameraman.” He takes videos of people in public places without asking their permission first. You can read about him and watch some of his videos here: http://www.geekwire.com/2012/seattles-creepy-cameraman-pushes-limits-public-surveillance/

The guy taking the videos reminds people who object that surveillance cameras are everywhere, as if that makes his videotaping without asking permission perfectly all right.

Would you allow someone to videotape you in public? What would you do to stop him or her? The people in the video who objected didn’t seem to make any difference to the cameraman. Should someone using a camera have to ask permission before filming a person going about their ordinary life in public–eating in restaurants, walking in malls, sitting in their cars?

What if the person is doing something–not illegal–but that they don’t want publicized? Possibilities include having an affair, getting medical treatment, going into a building of an employer’s competitor, gambling, drinking …

You might also want to check out these articles on Google’s Project Glass, also known as Google Goggles http://www.technologyreview.com/review/428212/you-will-want-google-goggles/ and http://venturebeat.com/2012/04/04/google-glass-augmented-reality/. The NY Times describes the project here http://bits.blogs.nytimes.com/2012/04/04/google-begins-testing-its-augmented-reality-glasses/. These glasses–as well as many other current electronic devices–would allow someone using them to photograph or videotape someone or something unobtrusively.

As technology changes so rapidly around us, the lines blur more around our personal privacy and security.