I worked in computer security at a large national laboratory (ORNL) and in a nationwide network of supercomputers (Teragrid). I keep scratching my head when I read about the security breaches at companies such as Sony, Target, Home Depot, ...
Static passwords should be passé, especially for system administrators who hold the keys to the kingdom. They are too easily stolen, and often easily cracked. There are some things you should understand about passwords, their use, and their storage.
Any proper computer system stores its passwords as a hash, and uses a seed number (a salt) to make things even more difficult to crack. Hashes are actually much more useful than encryption. Hashes are one-way manipulations of some text that produce a smallish hexadecimal number. This has several nice properties:
- Every source text should produce a different hash
- Knowledge of the hash should not let you recover the source text
- They should be fast to compute
- If two hashes are the same, you should be able to assume that the source text was the same.
There are no perfect hashes, and recently there have been examples showing that two business letters, one recommending a person for a job, and one not recommending the same person for the job, had the same hash. However, for password purposes, let's assume that the hash mechanism is perfect. How can one crack a password if it is stored as a hash?
You can buy a set of DVDs (called Rainbow Tables) that have the hashes for every possible 8-character password. (You need at least 10 characters to be secure—fortunately the number of combinations increases exponentially with the number of characters.) Then you compare the hashes to the password table and poof! it is cracked. However, this assumes that you have access to the password file, which would already be a big security breach.
Hint: If your password is stored by some "insecure" entity, you want your password to not be in the Rainbow Tables. Your hash will not be found if your password is long enough and good enough. Why stop at 10 characters? Use 12 or 16. Maybe type in a shorter password twice. Then your password will be safe, even if the password file is stolen.
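As an added illustration (not code from the original post) of why the seed number matters: an attacker holding the password file can only compare stolen hashes against a table precomputed without the salt, so a per-user random salt keeps even a weak password's hash out of that table. The word list and salt below are constructed for the demonstration.

```python
import hashlib
import os

# Constructed stand-in for a precomputed (rainbow) table's source list.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1"]

def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always gives the same hash, so one
    precomputed table serves against every stolen password file."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt + password. A table built without this user's salt
    cannot contain the result, even for a weak password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """What password stores actually use: a salted hash iterated many times
    (PBKDF2 here) so each guess costs the attacker far more than one hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def build_table(words):
    """Precompute hash -> password once, reuse against any stolen hash (the
    rainbow-table idea, without the space/time trade-off)."""
    return {unsalted_hash(w): w for w in words}

def lookup(table, stored_hash):
    """Return the cracked password if the stored hash is in the table, else None."""
    return table.get(stored_hash)

def new_salt() -> bytes:
    """16 random bytes, generated per user at enrollment and stored beside the hash."""
    return os.urandom(16)

if __name__ == "__main__":
    table = build_table(COMMON_PASSWORDS)
    salt = new_salt()
    print("unsalted 123456 cracked:", lookup(table, unsalted_hash("123456")))
    print("salted 123456 cracked:  ", lookup(table, salted_hash("123456", salt)))
```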
Some sites are so insecure that they let a remote attacker guess passwords over and over again. This should never be allowed. On Linux systems (most servers), there is a program called fail2ban that can be adjusted to increase the delay between allowed password guesses after each failure, up to, say, an hour. The program can even turn off the account altogether, but this would act as a denial-of-service attack on the legitimate user.
Hint: The remote attacker also needs the user name for a legitimate account, so creating a non-obvious user name provides an extra layer of security.
Remote attackers try to foil fail2ban by using many different computers (a network of hacked computers) to do the guessing. Rather than using the Rainbow Tables, they first try the "juicy" passwords such as: password, 123456, etc. And they have software that guesses every dictionary word, perhaps in combination with digits or special characters. Clearly the weaker passwords will fall first. If an attacker is targeting you, they will try to use your personal information as a password: your spouse's or kid's names, pet names, birthdays, ...
Hint: Most passwords that you can remember are NOT good passwords! Use a password generator and a password manager (see below).
Especially when security counts, static passwords should not be used at all. Then there is nothing to steal! How do you do this? National Laboratories, for example, all use one-time-password tokens (in addition to a password).
Here is a sample of different one-time password tokens. Some generate a new password every minute or so; others generate a new one when you press the button. These generated passwords are used in addition to your normal password by prepending or appending them to the password. In particular, I point out my PayPal token. PayPal has full access to my bank account, so I want to be sure that I am safe by using a token. When I bought this token, I think it was $5, but now they are $29.95.
Banks require two-factor authentication for their customers (usually some lame questions to answer, but sometimes using a password token). JP Morgan just got hacked because they forgot to enforce two-factor authentication on one server.
There is an obvious problem with password tokens. One token is great, but carrying all of these in your pocket (from different organizations) would be infeasible, and furthermore, some of these cards require their own PIN that you would have to memorize.
All of these methods require you to produce something you have (the token) and something you know (the password or the PIN), which is why it is called two-factor authentication.
But most of us already carry a "thing that we have" around in our purse or pocket—our cell phone. There are two main ways that a cell phone can be used for two-factor authentication. First, when you log on with your user ID and password, the site can send you a text message (charges may apply!) with your additional one-time password. Second, you can use the free Google authenticator app, which works not just with Google, but also with other sites such as Dropbox.
The authenticator is time-synched and seeded by the site's server and generates a new passcode for you every 30 or 60 seconds. If you often log in from the same (secure) place, you can request that the token not be required. Google also has application passwords (e.g., for Thunderbird login) that allow each application to use a different password.
One issue with the authenticator app is that officially, it only works on one device at a time. You can get around this limitation by lining your devices up and initializing them simultaneously. At the last step (for each site), be sure to push the different device buttons as quickly as you can.
I think that using our smart phones will be the key to better authentication security. A consequence of this is that we all need to secure and not lose our smartphones!
The only way to manage conventional passwords is to use a password manager. There are a bunch of them, but most have not been vetted (for security) by an outside source. I like and use LastPass. You should use a different "good" password for every site. You cannot easily make up a bunch of good passwords. A password manager can. Here are a bunch from LastPass:
There is no way that you can remember these, let alone type them. Password managers can do this for you for all Web sites that you access. All of your passwords are always stored and transmitted to and from LastPass while encrypted. LastPass works on every browser and on every operating system. It also works on your mobile phone. LastPass is free for computers, but requires a premium subscription to be able to fill in passwords on your cell phone apps. LastPass will check all of your existing passwords for duplicates and strength. You do need ONE strong and long password that you must remember to secure your password vault.
You always hear about firewalls being the first line of defense of a system. They are necessary to keep out the low-level unskilled attacks (and you should have a good one on your computer), but they are highly overrated. Someone once described a firewall as being like an M&M—a hard crunchy exterior surrounding a soft tasty inside.
The problem with firewalls is that if you want to do things on the internet (browse, transfer files, send mail, ..) then you must allow these applications through the firewall. And most of us are very bad at securing our applications (e.g., patching) or unskilled in their use (e.g., clicking on spam attachments).
Teragrid, the NSF 40 Gb/s supercomputer network, had no firewalls between the dozen or so member sites because firewalls did not function well at these speeds. Many say that firewalls give you a false sense of security. But they do keep outsiders from probing your internal network.
Assume your clients are hacked
I cannot stress it too strongly: you must secure your computer. It takes time, money and effort. Most people (friends) I admonish about this say something like "I don't care, there is nothing important on my computer." That just is not true, and the security state of personal computers is getting worse.
Hint: If you are hacked, you probably do not know it.
Hacked computers (in the millions) are a multibillion dollar business. Hackers can use your computer (and your bandwidth) to launch attacks on others (as outlined above); or to store kiddie porn that can land you in jail. It is to the hacker's advantage to allow you to be blissfully ignorant.
Last week I went to get a physical exam. I had to fill out and sign many consent forms concerning my private information and its use. When I was taken in for the first diagnostic tests, I noticed that their computer was running Windows XP. XP has had no patches since April 2014, and there are known vulnerabilities wide enough to drive a truck through. How can I believe that my personal information is safe? I went to my dentist, and saw he had an ancient version of Acrobat Reader, also vulnerable. These are examples of willful failure to apply best computer security practices. Sony stored their passwords in a folder labeled "passwords," and I suspect that they were not encrypted.
My personal information got stolen on Experian's site because one of their contractors got hacked. This is especially heinous because I have no business relationship with Experian. They should have required one-time password tokens for access to sensitive financial data (all my credit card activity). Target also got hacked via a subcontractor account. This is unacceptable.
So on Teragrid, and at the National Labs, we always assume that anyone accessing our system might not be who s/he says s/he is. What can we do about this?
- Segment your organization's network so that all external traffic is isolated from internal business-related traffic. This is easy to do using modern routers. Set up a guest network for visitors. You can do this at home on most modern routers.
- Isolate the remote computer connection from the rest of the remote computer using something like Citrix Receiver. You can also scan the remote computer before allowing the connection.
- Set up systems to detect unusual activity (easier said than done). On Teragrid, we were quite paranoid once we got badly hacked by a teen in Sweden.
- Keep good computer and network logs. Look at them! The first 100 characters of access attempts can tell you a lot about the access source. At home, the better firewalls keep detailed logs of access attempts.
- Manage your personnel properly
- Require good computer security training, especially on how to detect phishing
- Revoke credentials of ex employees or people who have not accessed the computer in a while
- Encrypt sensitive data and backup tapes. Encrypt any e-mail you would not like to see on the front page of the New York Times. I keep my passwords in an encrypted spreadsheet. I do not think Sony encrypted anything.
- Encryption is not without its problems. You cannot use data while it is encrypted. For example, if your laptop has whole-disk encryption (a good idea), the disk gets decrypted when you log in. If your laptop gets stolen while it is off and it has an encrypted disk, it makes a good boat anchor. But if a hacker has remotely accessed your computer while you are using it, the encryption does not protect you, because the data is already decrypted for your use.
- I think there are databases that only encrypt the data that responds to a query. This dramatically reduces the bandwidth of the information leakage.
- Someone must have the encryption key. If you manage a large system, do you want to go out in the middle of the night to type in the unlocking key?
- Scan all computers on your network for vulnerabilities. Vulnerabilities are the things that are used to gain access to your valuable information. Patch, Patch, Patch!
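Two items above, rate-limiting password guesses (the fail2ban point) and actually reading the logs, come down to the same thing: counting failed logins per source and acting on the count. The following is an added example, not fail2ban's code or anything from the post; the sshd-style log lines are constructed, and the doubling delay capped at one hour is a simplified stand-in for fail2ban's configurable policy.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog style (not real log data).
SAMPLE_LOG = """\
Dec 20 10:00:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51120 ssh2
Dec 20 10:00:03 host sshd[2202]: Failed password for root from 203.0.113.5 port 51121 ssh2
Dec 20 10:00:06 host sshd[2203]: Failed password for root from 203.0.113.5 port 51122 ssh2
Dec 20 10:00:09 host sshd[2204]: Failed password for invalid user test from 203.0.113.5 port 51123 ssh2
Dec 20 10:00:10 host sshd[2205]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Dec 20 10:00:12 host sshd[2206]: Failed password for root from 203.0.113.5 port 51124 ssh2
Dec 20 10:02:30 host sshd[2207]: Failed password for bob from 198.51.100.7 port 40023 ssh2
"""

# Matches sshd's failure line; "invalid user" marks a name that does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def failed_logins(log_text: str) -> dict:
    """Return {source_ip: [usernames tried, in order]} from 'Failed password' lines.
    The user names are kept because a stream of unknown names is itself a signal."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group(2)].append(m.group(1))
    return dict(attempts)

def lockout_delay(failures: int, base: int = 2, cap: int = 3600) -> int:
    """Seconds the next attempt from this source must wait: doubles after each
    failure (2, 4, 8, ...) and is capped at one hour, so a legitimate user who
    mistyped is delayed, not locked out forever."""
    if failures <= 0:
        return 0
    return min(base * 2 ** (failures - 1), cap)

def sources_to_ban(attempts: dict, maxretry: int = 5) -> list:
    """Sources at or above maxretry failures, the usual threshold for a temporary ban."""
    return sorted(ip for ip, users in attempts.items() if len(users) >= maxretry)

if __name__ == "__main__":
    attempts = failed_logins(SAMPLE_LOG)
    for ip, users in attempts.items():
        print(f"{ip}: {len(users)} failures, next delay {lockout_delay(len(users))}s, users {users}")
    print("ban:", sources_to_ban(attempts))
```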
Hint: See my blog on how to secure your home computer
As Bruce Schneier, a respected and non-alarmist computer security expert, said in today's Wall Street Journal, a smart and determined attacker can almost always penetrate your system. Another expert I heard a week ago said that he succeeds in 99% of his ethical hacking penetration attempts. So the bad guy will get into your system. If you make it hard for him/her, hopefully they will try a less-fortified site.
Businesses (and you!) must be prepared for a disaster. They happen quite often; not just major things like fire, flood, earthquakes, etc., but also things break, especially hard disks. I was really impressed by a talk I heard given by Deloitte & Touche. They had their accounting offices in the World Trade Center during the time of the first attack (in the garage), which occurred just before April 15—their busiest time of the year. The hubbub and dust from the event forced them to shut off their computer systems and close the office. They had a disaster plan that worked, and the next day all of their employees had desks and computers at other sites. And they spent money to have all of their disk drives taken apart and cleaned. Tenants who did not do this later lost most of their data.
I have over 66,000 ripped CDs on my computers. These took years to do and are very dear to me. I have five copies of everything on different disks and computers. You might think I am paranoid, but twice I have had dual backups fail. Hard drives fail. Laptops get stolen. Back up!
Mac users have Time Machine, which works very nicely (usually). Be sure to put the backup on a disk that is different from the data source, or it will be useless. But this is not sufficient, and so I also make periodic (monthly-ish) backups to an external drive using SuperDuper.
Windows users must be more proactive. Most backup programs just back up the things in your personal area (your documents). But it can take days to rebuild a Windows machine, reinstall all your apps (you have those registration numbers, I hope?), and apply security patches. You need to back up all of C:\ to save yourself this grief.
Disk drives are cheap now. Buy some for backup purposes.