IT IQ: Coffee, Tea, Security?

Working in coffee shops or other off-site casual spaces

The java monkey has got your employees in its clutches. Every day, they disappear for hours, laptops in tow, and go off to one of the coffee shops that are popping up on every city block. This is great for companies because a caffeinated employee is a happy employee. Employees would cite their reasons as giving them an opportunity to network, to avoid cubicle cramp, and to have a change of scenery that can lubricate their creativity flow. The bottom line for coffee companies is this: No free Wi-Fi, no customers. So coffee shops have gone out of their way to make connectivity easy, fast, and free, often with electrical outlets at nearly every table. These spaces have in fact become almost remote offices for many people (employed or not) because of their convenience, their almost club-like atmosphere, and with the encouragement of the coffee companies.

Our question is what, if any, security concerns might there be in using these venues for work. The cost-free perk of a change of scenery and free “coffee network” access is a good thing. Or is it? When you read the extensive fine print in any coffee shop, tea lounge, or the many edgy alternatives, terms to which you agree simply by using the service, you state that you understand that you are jumping on a public, shared, and unsecured network, joining hordes of similarly caffeinated customers, and accept the risk. But what risk?

First the coffee network is, to repeat: public, shared and unsecured. Anyone can use it, all users share the network to send and receive network data, and network traffic is not encrypted, so it is accessible to all the users and can be intercepted (snooped). The other computers on the coffee network may have been hacked and infected, putting your computer at greater risk. Even the hotspot itself may be spoofed, not set up by the coffee shop at all but by a malicious attacker. Unsuspecting or inattentive customers can fall easily into the trap and have their information intercepted or even their computer compromised, costing your company exposure, embarrassment, time and money.

So here, in simple terms, is what to do to protect yourself and your employees working on the coffee network. First, verify with the coffee shop the specific name of the hotspot and connect only to that. Second, make sure your computer is updated to the latest software releases. Consider using a privacy screen that allows the laptop screen to be viewed only from directly in front. Finally, and most important, use a VPN to encrypt all your computer’s internet traffic over the public network. VPNs should be used for ANY location outside the company or a network you know is secure.

VPN stands for “Virtual Private Network”. Your computer runs a VPN client that connects to a remote VPN server attached to a trusted network. The VPN technology encrypts *everything* sent from and received by your computer, to be forwarded on to the Internet by the VPN server. So anyone snooping the “coffee network” would see only encrypted gibberish.
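A VPN only protects you if it really carries all of your traffic. The check below, an added example that is not from this post, reads the routing table and reports whether every destination is routed through a tunnel interface; the interface name prefixes and the sample routing-table outputs are assumptions constructed for the example.

```python
"""Verify that the host's default route goes through a VPN tunnel before
treating a public hotspot as safe to work on.  Added example, not from the
post; the tunnel interface prefixes and sample outputs are assumptions."""
import re
import subprocess

# Interface name prefixes that common VPN clients create (assumption).
TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp", "utun")

# Constructed sample of `ip route show` with no VPN: everything leaves via wlan0.
SAMPLE_NO_VPN = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
# Constructed sample with an OpenVPN-style "redirect-gateway def1": two /1
# routes beat the /0 default by prefix length instead of replacing it.
SAMPLE_OPENVPN = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via \S+)? dev (?P<dev>\S+)(?:.* metric (?P<metric>\d+))?")

def parse_routes(text):
    """Return (destination, interface, metric) for each route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m.group("dst"), m.group("dev"), int(m.group("metric") or 0)))
    return routes

def is_tunnel(dev):
    return dev.startswith(TUNNEL_PREFIXES)

def all_traffic_tunnelled(route_text):
    """True if the best IPv4 route for every destination is a tunnel interface."""
    routes = parse_routes(route_text)
    halves = {dst: dev for dst, dev, _ in routes if dst in ("0.0.0.0/1", "128.0.0.0/1")}
    if len(halves) == 2 and all(is_tunnel(d) for d in halves.values()):
        return True          # split-default trick: both halves go through the tunnel
    defaults = sorted((metric, dev) for dst, dev, metric in routes if dst == "default")
    return bool(defaults) and is_tunnel(defaults[0][1])   # lowest metric wins

def current_host_tunnelled():
    """Run the check against this Linux host's live routing table."""
    out = subprocess.run(["ip", "route", "show"], capture_output=True, text=True, check=True).stdout
    return all_traffic_tunnelled(out)
```

This inspects IPv4 routes only; a complete check also covers IPv6 and confirms that DNS queries go through the tunnel.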

Key takeaway: Verify the hotspot you use is safe, and use a VPN. VPNs are easy to acquire, set up and use. See the Links of Technical Interest page for more information.

IT IQ: Passwords Made Easy

So we have acknowledged the problem with passwords: some people opt to choose such easy ones that they are practically providing an open invitation to hackers. Like the one stated in the previous post: PASSWORD, while hard to believe, is actually quite commonly used. The user may alternate between caps and lower case, thinking that is really shaking things up, but that doesn’t delay the hack-fest even a little bit. The question for anyone serious about his or her IT Security now becomes how to deal with this precarious predilection.

Let’s cover what we know. Exactly why do people choose easy passwords?

  • Reason #1: Because they must memorize passwords, not write them down;
  • Reason #2: But complex passwords are too hard to remember;
  • Reason #3: We all have too many accounts and passwords to deal with;
  • Reason #4: And we must change our passwords regularly!

Now for the number one problem: the human brain. I am giving everyone an out by saying that forgetting could relate directly to the massive amount of information we have floating around in our cranial hard drive. Picking a complex, hard-to-guess password also (ironically) means a password that is very difficult to memorize, and very easy to forget.

Then there’s storage. We often forget things like anniversaries, birthdays, names, and appointments. Now imagine trying to commit 20-30 or more different passwords to memory. Geez. Now it’s getting really complicated. So we want to write down our passwords, just as we do our important dates.

Conventional password wisdom says do not use the same password for more than one account. Thus begins the next problem. Most people have accounts for email, banking, bills, and social media, to name only a few, and good practice means that each should have its own distinct password. Therein lies the rub. If every individual account must have its own password, that’s a lot of passwords to create.

And if we continue to follow conventional wisdom, passwords should be changed regularly, say monthly or quarterly. There’s the final rub. Let’s say we succeed in figuring out the perfect password. Now we have to do it all over again on all of our accounts. Often. Most people would exclaim, “You’ve got to be kidding me!”

So let’s address each of these concerns.

One must memorize passwords, not write them down.
This one is easy! I’m saying you should write down your passwords! Wow! But this is really the only way to ensure you don’t lose your passwords. Just be sure to write them down the old-school way: offline and on paper, along with the accounts and login names associated with them. And store that paper in a safe yet accessible place. You can even take a copy traveling with you; just guard it like your passport, storing it away from your computer.

One must create complex passwords.
Unfortunately this is true. Password cracking software is easily available that can automate at great speed the checking of your passwords against commonly used passwords and dictionaries of common words, even in other languages. Cracking software can also check against common special character patterns, such as using ‘@’ for ‘a’. So it is really important to make good, hard to guess passwords.

The best passwords are long ones, much better than shorter passwords that use lots of numbers and special characters. Longer passwords take longer to crack. So how do you make a long password that you can easily memorize? (Because you don’t want to check your paper all the time!) The “secret” is to use “pass-phrases”. Pick a song lyric or favorite quote or really any phrase memorable to you. Make it at least 15 characters long, the longer the better, up to the limits of the password field. You can even (or might have to) mix in numbers and special characters. Then write down the pass-phrase on your paper.

But I have too many accounts and passwords to deal with.
No way around this one. You really should have a different password, or better a pass-phrase, for each account. This isolates the damage to you if any one password gets stolen. Of course not all your accounts are equally important. Perhaps you use the same password for your different streaming music accounts without much worry. But bank, social media and other important accounts should each have their own, unique pass-phrase. Consider the damage to you of unauthorized access to each account, then make your decision.

If managing all these different pass-phrases becomes too much of a burden, then consider using a Password Manager. This is software you purchase that manages all passwords and pass-phrases for you. You enter one master password to unlock all the others, so you now only have to remember the master password. But that master password must be a long, complex pass-phrase because it is now the single point of access to all your passwords and accounts. Password managers can be used on all of your devices, including tablets and smart phones, with passwords synced between these devices. Password managers can load your browser with your web-based accounts and auto-fill the login name and password for you. Slick! Password managers can create extremely long and complex passwords for you, a different one for each account, and memorize them all.

And we must change our passwords regularly!
This used to be the recommendation from IT security experts, but not so much anymore. Change passwords infrequently, say once every year or two, or don’t change them at all. Or if you use a Password Manager, change only the Manager’s password. Why this new advice? Because changing passwords, from good, complex, protected passwords to new good, complex, protected passwords, is difficult and risky: it is difficult to think up a new, complex password, difficult to make the change without risking mistakes, and difficult to update your password records, either on paper or within a password manager. If you build strong passwords and protect them carefully, regularly changing them brings little additional benefit.

I’ll close on a final note. More and more sites and services are making Multi-factor Authentication available: authentication (verifying that you really are the authorized user) that includes a second “factor”, in addition to a password, to authenticate a user. That added factor is usually a text code sent to your mobile phone, but other factors can be used, such as fingerprints. The chances are low that both the password and the phone are stolen. In general Multi-factor Authentication is a very good practice and you should switch to it for your high-value accounts.

As always, you can write to me with any questions, suggestions or comments.

IT IQ: The Case of the Perilous Password

I am starting my series titled “IT IQ” to cover some of the most common questions I am asked, or situations I encounter. Here is the debut post, starting with the most humble and yet most perplexing of topics:
The Password.

There are a million tales in the IT Security consulting world, ones that keep professionals in this field gainfully employed by day and tossing and turning at night. I have dealt with many that can keep me occupied for weeks peeling away layers of complexity. But surprisingly, even after all these years, one of the IT security questions that I am asked most often is about passwords and password security. In fact, I have even had executives at big companies express concerns over this topic, usually after an attack has occurred or information has been compromised.

The issue, succinctly phrased is: Why is it that, despite widespread and highly publicized caveats, so many people continue to use easy-to-guess passwords? Why is it that they don’t heed well-disseminated warnings about creating a password that cannot be easily determined? And the highly anticipated sequel to this topic, of course, is: How to prevent history from repeating itself.

There is a very simple explanation for why this problem occurs in the first place. Even geniuses who can memorize the minutest details about everything under the sun sometimes find themselves struggling to recall their password. Multiply that by the number of accounts each of us has. So the most logical strategy that seduces the average human is to choose a word that is easy to remember because it is significant in some way. In my experience, that usually means one of the following: name of children; name of pet; name of birth city; or home address. The problem is all of these are fairly easy to find, especially given our ubiquitous presence on myriad forms of social media.

Then there are the real security defeating selections. Yes, believe it or not people still use PASSWORD for their password. They really do. Why? It’s easy and most people I have talked to who do this say they were planning to go in and change it shortly after they opened an account, but then they never got around to it. Likewise with the old, unreliable 1234567 or its many permutations. Here, for your perusal and entertainment, are the 25 most common passwords as reported in The Telegraph (http://www.telegraph.co.uk/technology/2017/01/16/worlds-common-passwords-revealed-using/):

123456
password
12345678
qwerty
12345
123456789
football
1234
1234567
baseball
welcome
1234567890
abc123
111111
1qaz2wsx
dragon
master
monkey
letmein
login
princess
qwertyuiop
solo
passw0rd
starwars

(For anyone mystified by qwertyuiop, check out your keyboard. Likewise qazwsx.)
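The two posts above make the same point from two directions: cracking tools check candidate passwords against lists like the one just quoted, undoing substitutions such as ‘@’ for ‘a’ along the way, while length is what actually slows an attacker down. The checker below is an added example, not from this blog; it uses the 25 passwords listed above as its word list, and the substitution table, the minimum length and the scoring rule are this example’s own assumptions.

```python
"""Password checker modelled on the advice in these posts.  Added example, not
the blog's own code; word list is the Telegraph list quoted in the post, the
substitution table and scoring rules are assumptions for this example."""
import math
import re

# The 25 most common passwords listed in the post (The Telegraph, 2017).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
}

# Substitutions cracking tools try automatically ('@' for 'a', '0' for 'o', ...).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_PASSPHRASE_LEN = 15   # the post's recommended minimum

def normalise(pw):
    """Undo case, trailing digits and leet substitutions: 'P@ssw0rd1' -> 'password'."""
    base = re.sub(r"\d+$", "", pw.lower())   # strip trailing digits first ('...1' -> '...')
    return base.translate(LEET)

def brute_force_bits(pw):
    """Upper-bound search space in bits from length and character classes used.
    A dictionary attack needs far less; this only illustrates that length wins."""
    alphabet = 0
    if re.search(r"[a-z]", pw): alphabet += 26
    if re.search(r"[A-Z]", pw): alphabet += 26
    if re.search(r"\d", pw): alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", pw): alphabet += 33   # printable symbols and space
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def check_password(pw):
    """Return {'ok': bool, 'reasons': [...], 'bits': float} for a candidate."""
    reasons = []
    candidates = {pw.lower(), re.sub(r"\d+$", "", pw.lower()), normalise(pw)}
    if candidates & COMMON_PASSWORDS:
        reasons.append("matches a common password once substitutions are undone")
    if len(pw) < MIN_PASSPHRASE_LEN:
        reasons.append(f"shorter than {MIN_PASSPHRASE_LEN} characters")
    return {"ok": not reasons, "reasons": reasons, "bits": brute_force_bits(pw)}
```

Compare a symbol-heavy 11-character password with a plain 30-character phrase: the phrase scores far higher on length alone, which is the post's point.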

So despite the agitation caused by this seemingly simple to change behavior, it continues unabated. Most people will say that regardless of what they read and know about attacks and hacks, they never think it will happen to them.

My advice is therefore that the IT Security team in every company has to accept as a given that some employees will always choose to use one of the easiest, most findable passwords ever and in doing so, may put competitive information at risk. The question of how to deal with this challenge is the subject of the next blog post. Spoiler alert: There is hope…