Archive for the ‘Everyday Security’ Category

Recently some folks with Tor, the open source project behind the global decentralized anonymizing network, released a beta version of a new chat client. It’s designed to be secure by default, but usable by normal people. This is something that has escaped many previous efforts, so it’s a welcome development.

It encrypts messages with OTR (so only you and the person you are chatting with can see them) and sends them via the Tor network (to hide where you are on the Internet.) These are very, very good things and I’m happy to see user-friendly applications building on the excellent work Tor has been doing.

The difficulty for me is how it fits into the way I use chat, specifically that it’s impossible to save chat transcripts. While that has a benefit for the purest high-impact security (what doesn’t exist can’t be compromised), it is exactly the opposite of how I use chat.

It seems that many people use instant messaging only for one-off communications. I treat it like email and constantly go back to reference something I’ve sent or information I received. This is a major reason I’m still using Apple’s Messages client, because it makes searching chats trivially easy.

But despite Messages allowing you to use a whole collection of different chat services, it doesn’t provide encryption for anything other than Apple’s own service. (Which I don’t use for reasons too long to go into right now.) I’ve tried other clients, but haven’t been thrilled. Even without getting into whether or how they use encryption, I’ve found them clunky. And, most importantly, hard to reference old messages. The best of them, Adium, has a custom viewer only usable from inside the app, but the archived chats use a tiny fixed-size font that can’t be changed. That makes it useless for me.

Between encryption by default and using the Tor network, I really, really want to like Tor Messenger. I dug around and with some help from the Tor folks figured out how to re-enable chat logs, but the results were not usable for several reasons:

First, it creates files in JSON format, something designed to be easily readable by computers. While it’s true that JSON contains text, it isn’t in a human-readable format by any rational definition because it contains a bunch of required formatting and other control structures that get in the way of human understanding.

Next, that file is overwritten every time the program starts. Unless you have your own way to save the contents automatically (and this is a far more difficult problem than it sounds) you lose your history anyway.

Finally, it’s located deep inside the app’s install directory. This is not a problem for me, but would certainly be an issue for anyone not very familiar with technical aspects of OS X. And that also means it’s excluded from Spotlight, Apple’s disk searching tool.

I still have hope, because it’s early and also because it’s open source. When they are able to release the Mac build instructions, I can just go change what’s annoying myself. (And if I’m going to choose an open source project to work on, I’m thinking I might prefer the more security-focused Tor over Adium. Sorry Adium friends.)

But for the moment, unless I’m willing to forge onward into the wilderness of creating my own custom version of something, I’m still stuck with the choice between secure and annoying, or insecure but fits into how I work.

I wish I could make a joke and say this is some new country music dance I’ve invented. But authorization problems are not very funny, particularly when it’s with something that is supposed to be helping me.

I’m going out of the country for a while, so in addition to the usual figuring out how to fit 10 pounds of travel gear in a 5 pound suitcase, I’m preparing my digital equipment as well. It started off simply enough, making sure I have the latest operating systems on all my devices. (Well, not really, but I’ll spare you the tedious Genius Bar conversations.)

The real problem is with my Apple ID and Apple’s two-step verification.

I have been using two-step verification, what the security world calls two-factor authentication, which means when I do certain things involving logging in with my Apple ID, I have to enter a code that is sent to my phone. That’s all well and good, to make sure the person logging in is actually me.

But what happens when you don’t have that phone? Or, relevant to my situation, when you’ve replaced your usual SIM with one you’ve bought in another country? Suddenly you can’t get those messages anymore, and you aren’t allowed to do whatever it was you were trying to do.

In theory, I could just register my other SIM as a “new device.” But to do that you need to have access to both devices at the same time: the old one to log in to your account to make changes, and the new one to authorize it. But I don’t know what my phone number will be when I get there (my SIM from the last trip might have expired), so I can’t do it before I leave. And my home SIM may or may not work (or may be hideously expensive to use) in my destination country. And in either case, since it’s only one physical phone, I can’t have both of them active at the same time. I have other devices, but this process requires one that can receive SMS, and the Wi-Fi-only devices can’t.

Because of all this, I decided to disable two-step verification while I’m away.

Hugely Important Reminder: you should make any updates to your Apple ID before you leave, while you still have access to your regular phone number.

So I log in, and disable two-step verification. Now that I’m not using it, I’m required to set security questions for my account. Security questions are horrible, and the way they are used makes your account less secure, not more. (Here’s an article about that: Study: password resetting ‘security questions’ easily guessed.) But this is what Apple requires, so here I am making up yet more passwords that I have to remember.

I pick the set of questions I’m going to answer, open up my trusty password manager, and generate a bunch of random text strings like I do for passwords. I copy the first string and paste it into the appropriate field. I copy the second string, but when I switch back to the browser, it resets what I just put in for the first one. This means that I have to actually type each security question answer. That is a recipe for fail if I manage to mess up the complicated string I’ve just generated. So it’s back to using real words that I can (usually) get correct the first time.

If you want to know why I don’t like to do this, you can read this on Wikipedia about a particular type of password cracking: Dictionary attack.

I then compose a phrase for each question and save those in my password manager. I go to type it into the form and I can’t, because it’s too long. The answer field is size limited, so my carefully crafted phrases are useless. I have to come up with shorter (less secure) phrases that I can type without errors, and they must be unique. I make one, and then start sticking numbers in it for each question. Of course, I can’t do anything helpful like include information about the individual question, because that reduces the randomness. In a short string particularly, if any part of it is less random, that severely reduces its password strength.

Now I decide to set a recovery email, which Apple will use to notify you of authentication matters regarding your Apple ID. It’s a good idea, because if somehow you lose access to your primary email you can check a different account and get the alerts. I make up a new email address (because I can do that) and save everything.

I’m not really done, because I haven’t responded to the recovery email verification message, but I’ll get to that in a minute. Now I get to repeat the process for my second Apple ID. (FYI: very not recommended, it has been nothing but problems and I wish I hadn’t been forced to.)

I get through everything for my second Apple ID, and go to set the recovery email. I use the same email address that I created earlier, which it happily accepts. Now I go look at the emails generated by this process: most are confirmations, but the ones about the recovery email need to have the address verified. Ok, fine.

First ID recovery email: go to the link in the message, type in Apple ID number one, and it says that email address can’t be used. What?? So now they tell me that I can’t use the same recovery email for multiple accounts. And because of this, I can’t verify it. I have to go back and log in as each ID (answering the security questions which, thankfully, can indeed be pasted from the password manager) and change the recovery email addresses to something else. Yet another thing that has to be saved in my password manager, in such a way that I don’t later confuse them between the two accounts.

NOW finally I’ve disabled two-step verification. I have six new unique passphrases and two new email addresses to keep track of, and my accounts are less secure than before. Win?

I’m packing for a trip and came across this article about RFID blocking wallets and such:

The Skimming Scam: RFID-blocking wallets can work. But do you really need one?

They block RF signals from reaching passports, credit cards, and other contactless data sources that can, in theory, be accessed remotely by anybody nearby with the appropriate reader. I have a bunch of shielded stuff, and I use it. Why bother?

“What’s less clear is whether RFID skimming is a threat worth worrying about in the first place. For all the hype about the theoretical danger, there have been few if any reports of actual crimes involving RFID skimming. The technique appears to be far more popular among security researchers than it is among thieves, and for good reason: There are much easier and more effective ways to steal people’s money and data.”

I don’t think they are completely a waste for average people, but it’s certainly a marketing thing for the manufacturers. I do it because I’d rather share less data than more and, more importantly, because I hang out in places with security researchers.

Now I do buy bags with security features, many of which come with RFID blocking pockets. I like that they do, but it’s the other locks, clips, security straps and so on that are the reason I’m willing to pay more for them. (I look for them on sale or discontinued.) These kinds of physical security features are the primary interest, and are absolutely worth it for me.

And I thought a single highly disturbing security story was enough for one day. I’m not even all the way through reading the article from The Intercept about how GCHQ and NSA have the keys to decrypt a huge swath of the world’s mobile phone communications and I have the urge to throw away all my computers and hide under a rock.

The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle

Normally I’m not prone to hyperbolic statements like “There is nowhere to hide” but for people who use any communication technology it’s more and more true. You are being monitored and archived. Maybe you are boring and uninteresting to government spooks. At the moment. Maybe forever. But how does it make you feel knowing that could, by deliberate action or entirely by accident, change at any time? It certainly doesn’t make me happy.

I woke up this morning to see that an actual computer hardware manufacturer has shipped machines with actual deliberately included “To improve customer experience” adware that compromises SSL for the user. Because capitalism, I presume.

Even with my non-expert understanding of digital security, reading this researcher’s discoveries was terrifying. And the manufacturer is claiming the impact is minimal because “Superfish was preloaded on to a select number of consumer models only.”

So far I haven’t seen cries of “just re-install the operating system from a trusted source.” Perhaps they are out there and I’m (thankfully) missing those kinds of people from my social media sphere. These are low-end machines intended for average users. And while I can’t comment on how it is in PC-Land, certainly for OS X users the process of re-installing a clean operating system has been made absurdly difficult. I don’t even always do it these days. But this surely points out that I should.

So this came out today:

“Severe” password manager attacks steal digital keys and data en masse

There are lots of nifty helpful password manager tools out there, that will seamlessly allow you to create and use your passwords across all your devices. I don’t use any of them.

I do use a password manager (DataVault, if you are interested.) It has some nifty cloud features that I ignore. I sync by WiFi, on my local network. Only. I had problems with the browser integration, so I don’t use auto-fill. I go to the app, find the password I want, and copy it.

It takes some effort, but it’s not going to be compromised by someone’s poor site security. It’s not that I think all those other people are bad programmers; it’s that they are people and they are programmers, and bugs and other problems happen. Even without the slightest bit of poor coding, there could be a weakness in a third-party library, operating system, hosting service, or other thing the system is dependent on.

If you think I’m a horrible Luddite disparaging the wonders of modern hosted services, Spouse keeps his passwords as a text file saved in his system keychain and only accesses certain sites from his primary laptop in a secure location. Another perfectly acceptable solution.

Folks who follow me elsewhere have already heard this, so I won’t repeat the whole sordid story. My wallet was stolen on the bus yesterday, by a pair of men who trapped me so I couldn’t move and then unlatched my designed-to-be-secure bag.

What they took was the wallet that had my stored value transit pass, cash, and various random items. A different wallet, in a zipped pouch and tethered to the inside of my bag by a cord, was in the bottom of the same compartment. That has my credit cards and ID, and was not taken. I shouted down the thief and got my phone back, which was much more important to me, but it was less immediately obvious that the transit wallet was also missing.

The cash is long gone and cannot be recovered. The access badge has been invalidated and replaced, as has the transit pass. (I wonder if it wasn’t used because it was a very, very old one: differently branded but still functional. The agency can’t invalidate a card until early the next morning.) Of the remaining stuff, there were business cards, postage stamps, a few “buy 10 get something” cards, and other things.

It’s the “other things” I wonder about. There were business cards with my phone number and mailing address. Credit card receipts, maybe an old doctor appointment reminder or two. None of which I would, by my usual practice, dispose of without destroying it first.

What else? Well, I don’t remember. Sometimes I write notes on scraps of paper and shove them in there. Occasionally I’ve had documents I need to carry copies of. A few months ago the stack was getting pretty hefty and I cleaned it out, but who knows what I was carrying around yesterday.

The good stuff:

The bag, a Pacsafe shoulder bag, worked, for some value of worked. The thief got it open, but it took effort.

The inside bag (another Pacsafe, yes I like them) was further inside and less easy to grab. This is where all the really important stuff is; the strap is clipped to the inside keyring so it doesn’t come out easily.

That both these bags have RF blocking pockets didn’t play a part in this crime, but I have them anyway because it’s an easy thing to do. (Both wallets were RF shielded, and the access card was additionally inside a shielded envelope.)

Now what?

Don’t discount purpose-designed physical security. The police said I should have had my bag at the front of my body, but if you’ve ever carried a cross-body bag you know they bounce around. And being trapped, I could not move it to a safer position. But the latch made it difficult enough to open that I knew immediately what was going on.

Don’t carry things you don’t need. That’s an obvious statement, but as a realistic matter not exactly what it sounds like. I don’t know anybody who routinely selects only the cash or cards they expect to need for the day to put in an otherwise empty wallet. It’s a good technique for special occasions (clubs, festivals, some kinds of travel) but hardly reasonable every time you walk out the door. What it does mean is: clean it out once in a while if you tend to collect junk in your wallet. Don’t keep any sensitive information you don’t absolutely need, like a Social Security card, passcodes or passwords, and account numbers.

Protect different things in different ways. I keep the transit wallet and phone easier to access because I need them constantly. The second wallet is harder to get to, but I need it less. The larger, more secure compartment holds things that are even harder to replace, like keys. (I have duplicates of frequently used keys on a chain in an outside pocket.)

I’m not hopeful that I will ever hear anyone was arrested, much less convicted. My fellow passengers were yelling at me because confronting the thief was holding up the bus. Not a single person volunteered assistance or information. The bus driver was spectacularly unconcerned (annoyed was more like it) at being informed I had just been robbed on his bus. The video cameras may or may not have worked, and my attempts to confirm the bus number with the transit agency have so far failed. (I did write it down at the time.) The nearby police officers told me I had to go to the main station some distance away to file a report.

So here I am, out $80, a wallet I custom made, more money and time in replacing stuff, and a case number that will likely never see the light of day. Oh, and yet another anxiety attack after dealing with it all.

I read an article this week about identity theft enabled by employees stealing personal information. That’s been going on for years (likely how my Social Security number was compromised), but now the increase in linked data means that when something fails, more goes down with it.

Here’s the article:

Can we trust anyone with our personal info?

That made me consider something I’ve been doing when I travel domestically: I don’t use my driver’s license as an ID. It has my address on it, something the person at the security checkpoint has no reason to know. Since I already keep all my travel-related documents/cards together in one place, I just grab that and use my passport. Sure, someone could still look up my address if they had access to the right database (an airline employee certainly would, not sure about TSA.) But it wouldn’t be just sitting there for anybody to see. (In my case they would only get my mailing address, but still.)

And now, since I have the Global Entry card, I use that because it doesn’t show my birth state (which can be used to validate other information like certain Social Security numbers.)

Dear Every Product Marketing Team in the World:

when you try to convince me I need to be able to access my toaster from anywhere on the Internet, this is what I hear:

Hacker taps into baby monitor, shouts at sleeping infant

A family’s baby monitor is compromised by someone who uses it to look around the room and shout at people. And, btw, the manufacturer designed the device such that all logs are lost when powered down.

All software has bugs. If you are lucky, the manufacturer has a process to try to find and respond to those bugs as rapidly as possible. It can never be as rapidly as necessary, however. Choose wisely what you put on the network.

My slow-motion password change-a-thon was interrupted today by a much-anticipated package. I ordered some stuff, and it arrived right on schedule. Yay!

My stuff is great, but I want to mention a little something about the packaging. This seller recycles all sorts of packaging, a good thing. But certain things should not be recycled.

Here is what was on the back side of the printed-out shipping label:


Yup, that is a page from someone’s personal credit report. (Amex tried to sell me that service as well, but I’m not interested in paying for it.)

It doesn’t have a Social Security Number or address, but a full name and details of several credit accounts. Maybe the sender is fine with that. But it’s not stuff I would want floating around. And it’s now going straight into our shredder.