
IT IQ: Coffee, Tea, Security?


Working in coffee shops or other off-site casual spaces

The java monkey has got your employees in its clutches. Every day, they disappear for hours, laptops in tow, and go off to one of the coffee shops that are popping up on every city block. This is great for companies because a caffeinated employee is a happy employee. Employees would cite their reasons as giving them an opportunity to network, to avoid cubicle cramp, and to have a change of scenery that can lubricate their creativity flow. The bottom line for coffee companies is this: No free Wi-Fi, no customers. So coffee shops have gone out of their way to make connectivity easy, fast, and free, often with electrical outlets at nearly every table. These spaces have in fact become almost remote offices for many people (employed or not) because of their convenience, their almost club-like atmosphere, and with the encouragement of the coffee companies.

Our question is what, if any, security concerns might there be in using these venues for work. The cost-free perk of a change of scenery and free “coffee network” access is a good thing. Or is it? When you read the extensive fine print in any coffee shop, tea lounge, or the many edgy alternatives, terms to which you agree simply by using the service, you state that you understand that you are jumping on a public, shared, and unsecured network, joining hordes of similarly caffeinated customers, and accept the risk. But what risk?

First, the coffee network is, to repeat, public, shared and unsecured. Anyone can use it, all users share the network to send and receive network data, and network traffic is not encrypted, so it is accessible to all the users and can be intercepted (snooped). The other computers on the coffee network may have been hacked and infected, putting your computer at greater risk. Even the hotspot itself may be spoofed, not set up by the coffee shop at all but by a malicious attacker. Unsuspecting or inattentive customers can easily fall into the trap and have their information intercepted or even their computer compromised, costing your company exposure, embarrassment, time and money.

So here, in simple terms, is what to do to protect yourself and your employees working on the coffee network. First, verify with the coffee shop the specific name of the hotspot and connect only to that. Second, make sure your computer is updated to the latest software releases. Consider using a privacy screen that allows the laptop screen to be viewed only from directly in front. Finally, and most important, use a VPN to encrypt all your computer’s internet traffic over the public network. VPNs should be used in ANY location outside the company or a network you know is secure.

VPN stands for “Virtual Private Network”. Your computer runs a VPN client that connects to a remote VPN server attached to a trusted network. The VPN technology encrypts *everything* sent from and received by your computer, to be forwarded on to the Internet by the VPN server. So anyone snooping the “coffee network” would see only encrypted gibberish.

Key takeaway: Verify that the hotspot you use is the real one, and use a VPN. VPNs are easy to acquire, set up and use. See the Links of Technical Interest page for more information.

IT IQ: Passwords Made Easy


So we have acknowledged the problem with passwords: some people opt to choose such easy ones that they are practically providing an open invitation to hackers. Like the one stated in the previous post: PASSWORD, while hard to believe, is actually quite commonly used. The user may alternate between caps and lower case, thinking that is really shaking things up, but that doesn’t delay the hack-fest even a little bit. The question for anyone serious about his or her IT Security now becomes how to deal with this precarious predilection.

Let’s cover what we know. Exactly why do people choose easy passwords?

  • Reason #1: Because they must memorize passwords, not write them down;
  • Reason #2: But complex passwords are too hard to remember;
  • Reason #3: We all have too many accounts and passwords to deal with;
  • Reason #4: And we must change our passwords regularly!

Now for the number one problem: the human brain. I am giving everyone an out by saying that forgetting could directly relate to the massive amounts of information we have floating around in our cranial hard-drive. Picking a complex, hard to guess password also (ironically) means a password that is very difficult to memorize, and very easy to forget.

Then there’s storage. We often forget things like anniversaries, birthdays, names, and appointments. Now imagine trying to commit 20-30 or more different passwords to memory. Geez. Now it’s getting really complicated. So we want to write down our passwords, just as we do our important dates.

Conventional password wisdom says do not use the same password for more than one account. Thus begins the next problem. Most people have accounts for email, banking, bills, and social media, to name only a few, and good practice means that each should have its own distinct password. Therein lies the rub. If every individual account must have its own password, that’s a lot of passwords to create.

And if we continue to follow conventional wisdom, passwords should be changed regularly, say monthly or quarterly. There’s the final rub. Let’s say we succeed in figuring out the perfect password. Now we have to do it all over again on all of our accounts. Often. Most people would exclaim, “You’ve got to be kidding me!”

So let’s address each of these concerns.

One must memorize passwords, not write them down.
This one is easy! I’m saying you should write down your passwords! Wow! But this is really the only way to ensure you don’t lose your passwords. Just be sure to write them down the old-school way: off-line and on paper, along with the accounts and login names associated with them. And store that paper in a safe yet accessible place. You can even take a copy traveling with you; just guard it like your passport, storing it away from your computer.

One must create complex passwords.
Unfortunately this is true. Password-cracking software is readily available that can check your passwords at great speed against lists of commonly used passwords and dictionaries of common words, even in other languages. Cracking software can also check against common special-character patterns, such as using ‘@’ for ‘a’. So it is really important to make good, hard to guess passwords.

The best passwords are long, much better than shorter passwords that use lots of numbers and special characters. Longer passwords take longer to crack. So how to make a long password that you can easily memorize? (Because you don’t want to check your paper all the time!). The “secret” is to use “pass-phrases”. Pick a song lyric or favorite quote or really any phrase memorable to you. Make it at least 15 characters long, the longer the better, up to the limits of the password field. You can even (or might have to) mix in numbers and special characters. Then write down the pass-phrase on your paper.

But I have too many accounts and passwords to deal with.
No way around this one. You really should have a different password, or better a pass-phrase, for each account. This isolates the damage to you if any one password gets stolen. Of course not all your accounts are equally important. Perhaps you use the same password for your different streaming music accounts without much worry. But bank, social media and other important accounts should each have their own, unique pass-phrase. Consider the damage to you of unauthorized access to each account, then make your decision.

If managing all these different pass-phrases becomes too much of a burden, then consider using a Password Manager. This is software you purchase that manages all passwords and pass-phrases for you. You enter one master password to unlock all the others. So you now only have to remember the master password. But that master password must be a long, complex pass-phrase because it is now the single point of access to all your passwords and accounts. Password managers can be used on all of your devices, including tablets and smart phones, with passwords synced between these devices. Password managers can load your browser with your web-based accounts and auto-fill the login and password for you. Slick! Password managers can create extremely long and complex passwords for you, a different one for each account, and memorize them all.

And we must change our passwords regularly!
This used to be the recommendation from IT security experts, but not so much anymore. Change passwords infrequently, say once a year or two, or don’t change them at all. Or if you use a Password Manager, change only the Manager’s password. Why this new advice? Because changing passwords, from good, complex, protected passwords to new good, complex, protected passwords can be difficult and risky. Difficult to think up a new, complex password, difficult to make the change and not risk mistakes, and difficult to update your password records, either on paper or within a password manager. If you build strong passwords and protect them carefully, regularly changing them brings little additional benefit.

I’ll close on a final note. More and more sites and services are making Multi-factor Authentication available: authentication (verifying that you really are the authorized user) that requires a second “factor”, in addition to a password, to authenticate a user. That added factor is usually a text code sent to your mobile phone, but other factors can be used, such as fingerprints. Chances are low that both the password and the phone are stolen. In general Multi-factor Authentication is a very good practice and you should switch to it for your high-value accounts.

As always, you can write to me with any questions, suggestions or comments.

IT IQ: The Case of the Perilous Password


I am starting my series titled “IT IQ” to cover some of the most common questions I am asked, or situations I encounter. Here is the debut post, starting with the most humble and yet most perplexing of topics:
The Password.

There are a million tales in the IT Security consulting world, ones that keep professionals in this field gainfully employed by day and tossing and turning at night. I have dealt with many that can keep me occupied for weeks peeling away layers of complexity. But surprisingly, even after all these years, one of the IT security questions that I am asked most often is about passwords and password security. In fact, I have even had executives at big companies express concerns over this topic, usually after an attack has occurred or information has been compromised.

The issue, succinctly phrased is: Why is it that, despite widespread and highly publicized caveats, so many people continue to use easy-to-guess passwords? Why is it that they don’t heed well-disseminated warnings about creating a password that cannot be easily determined? And the highly anticipated sequel to this topic, of course, is: How to prevent history from repeating itself.

There is a very simple explanation for why this problem occurs in the first place. Even geniuses who can memorize the minutest details about everything under the sun sometimes find themselves struggling to recall their password. Multiply that by the many passwords each of us has. So the most logical strategy that seduces the average human is to choose a word that is easy to remember because it is significant in some way. In my experience, that usually means one of the following: name of children; name of pet; name of birth city, or home address. The problem is that all of these are fairly easy to find, especially given our ubiquitous presence on myriad forms of social media.

Then there are the real security defeating selections. Yes, believe it or not people still use PASSWORD for their password. They really do. Why? It’s easy and most people I have talked to who do this say they were planning to go in and change it shortly after they opened an account, but then they never got around to it. Likewise with the old, unreliable 1234567 or its many permutations. Here, for your perusal and entertainment, are the 25 most common passwords as reported in The Telegraph (http://www.telegraph.co.uk/technology/2017/01/16/worlds-common-passwords-revealed-using/):

123456
password
12345678
qwerty
12345
123456789
football
1234
1234567
baseball
welcome
1234567890
abc123
111111
1qaz2wsx
dragon
master
monkey
letmein
login
princess
qwertyuiop
solo
passw0rd
starwars

(For anyone mystified by qwertyuiop, check out your keyboard. Likewise qazwsx)
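The two password posts above make the same point from two sides: cracking tools check candidates against common-password lists and undo tricks like ‘@’ for ‘a’, and a long pass-phrase beats a short password stuffed with symbols. The following added example (mine, not the author’s, and not any real cracking or policy tool) puts both into one checker: it embeds the 25 common passwords listed above, undoes the usual substitutions and stripped-off digits before looking a candidate up, and estimates the brute-force search space so the short “complex” password and the long phrase can be compared. The minimum length of 15 follows the post’s advice; the substitution table, suffix list and charset sizes are my assumptions.

```python
import math

# The 25 most common passwords listed in the post above (as reported by The Telegraph).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789", "football",
    "1234", "1234567", "baseball", "welcome", "1234567890", "abc123", "111111",
    "1qaz2wsx", "dragon", "master", "monkey", "letmein", "login", "princess",
    "qwertyuiop", "solo", "passw0rd", "starwars",
}

# Substitutions that cracking tools try as a matter of course (assumed table).
# Undoing them before the lookup makes "P@$$w0rd" land on "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def candidate_forms(pw: str) -> set:
    """Forms a cracker would try: lowercase, substitutions undone, and trailing
    digits/punctuation stripped (the classic 'Football2017!')."""
    low = pw.lower()
    trimmed = low.rstrip("0123456789!?.#*")
    return {low, low.translate(LEET), trimmed, trimmed.translate(LEET)}


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover, by character class present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def search_space_bits(pw: str) -> float:
    """log2 of the brute-force search space, assuming the attacker knows the length
    and character classes. Length multiplies this; another class only nudges the base."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def assess(pw: str, min_length: int = 15) -> dict:
    """Apply the post's advice: not a dressed-up common password, and at least 15 characters."""
    problems = []
    if candidate_forms(pw) & COMMON_PASSWORDS:
        problems.append("reduces to a common password once substitutions and suffixes are removed")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    return {"bits": round(search_space_bits(pw), 1), "problems": problems, "ok": not problems}


if __name__ == "__main__":
    # Constructed sample candidates: three "complex" short passwords and one pass-phrase.
    for pw in ("P@ssw0rd!", "Football2017", "Tr0ub4dor&3",
               "a caffeinated employee is a happy employee"):
        print(f"{pw!r}: {assess(pw)}")
```

Running it shows why the post favours phrases: “P@ssw0rd!” and “Football2017” are rejected outright because they collapse onto the list, while the 42-character phrase (lowercase letters and spaces only) has a search space well over 200 bits without a single digit or symbol.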

So despite the agitation caused by this seemingly simple-to-change behavior, it continues unabated. Most people will say that regardless of what they read and know about attacks and hacks, they never think it will happen to them.

My advice is therefore that the IT Security team in every company has to accept as a given that some employees will always choose to use one of the easiest, most findable passwords ever and in doing so, may put competitive information at risk. The question of how to deal with this challenge is the subject of the next blog post. Spoiler alert: There is hope…

IT IQ: A Social Engineering Story


[Image: graffiti comic of a man jumping the Berlin Wall]

When pondering the term Social Engineering, my focus is solidly placed on “Social.” These are human, not technical, attacks. Social Engineers are first and foremost masters of manipulation of the social interaction. They identify potential targets, assess them in the first few seconds of conversation, and then launch the attack. A crisis situation is presented and the assault usually occurs with dizzying, intentional speed, such that the victim has no time to think, much less verify what they are told. Victims are quite simply caught off-guard. If the first thrust is successful then follow-on attacks are launched.

These attackers often do a little homework to prepare. They identify a target audience, usually vulnerable groups like the elderly. A crisis scenario is developed that preys on the psychology of the target. Any background information the attacker can gather increases the success of the attack, making the crisis scenario seem more authentic.

And by the way, I am not talking necessarily about the sophisticated professional villain. Many successful attacks are authored by rubes who strive for quantity, with the law of averages supporting their likelihood of success with at least one target. And a few successes is all it may take to make the Social Engineer successful in the “profession.”

Today I present a case in point, that illustrates a typical attack. A neighbor of mine in his mid-eighties got a call from someone who easily found his landline number (yes, you read that right). The person claimed to be a police officer in Las Vegas, saying that the neighbor’s grandson had been arrested for some indiscretion and needed bail money to get him sprung from jail quickly. The neighbor, reasonably upset by the news, asked simply “Which grandson?”, and the response was “The older one.” The caller gave wiring instructions then ended the call with the caveat “Your grandson asked that you not mention this to anyone, including his parents, because he is really humiliated. He said you were the only one he could go to for help.”

The real story behind the story of course is that my neighbor, who had been feeling old and irrelevant, was instantly cast in the role of the hero, having been given a rare opportunity to swoop in and save the grandson from destruction. This was the psychology behind the crisis scenario. The Social Engineer called it with 100% accuracy and my neighbor fell for it. He transferred the money to an account in Las Vegas, not even asking the caller to verify the grandson’s actual name.

It worked so well that a few hours later the attack continued. Another call came through—this time from a purported ‘lawyer’, claiming that he represented the grandson and his friend, and who described the situation as “even worse than had been previously described.” The charges were being escalated to something felonious. So of course that meant the lawyer’s retainer would have to be sent immediately so that work could begin without delay to help prevent the situation from getting more difficult.

Attackers know how to be flexible with their story, to keep the attack going. So when my neighbor said he didn’t have the requested retainer sum, the lawyer explained that this was not a problem, that the grandson’s partner in crime was from a wealthy family, and would pay the retainer. But because the family did not want to be directly identified, they would first deposit the retainer funds into my neighbor’s account and, once he verified the deposit, my neighbor was then to directly pay the lawyer. All the family required of him was to provide his social security number and bank account number, which they explained was completely logical since they were “trusting” him with their payment of the retainer amount. Yes, he fell for it and gave the information.

Now the attackers had far more than the first payment to Las Vegas of easy cash. They had the victim’s confidential financial information, given by the victim himself! In the hands of a Social Engineering attacker such information can easily be used to leverage more information and more cash.

When my neighbor called the bank to verify the transfer, lo and behold, the new money had been deposited into his checking account! How can this all be a fake when money is flowing to him? What he didn’t think to check were his linked accounts, such as savings and retirement. Using the bank information my neighbor provided, the thieves had simply done a telephone account transfer, mimicking my neighbor’s telephone number so it appeared on the bank agent’s caller ID display. It is usually easier to transfer funds between accounts than out of the bank. My neighbor then promptly transferred the ‘retainer’ amount, really his own cash, to another Las Vegas account.

Again, the attack continued. The ‘attorney’ called again to say that the case was more complicated and a higher retainer amount was required. Only then did my neighbor start to feel a little suspicious, and finally called a family member to share the situation. End of story: My neighbor was bilked of thousands of dollars and felt too humiliated to talk much about it.

It is critical that we share news of these incidents to raise awareness of the power of a good story, and a compelling storyteller. These attacks are successful, in part, because victims are too embarrassed to talk about their experience. And it can happen to anyone, individuals and businesses, given the right story, particularly with the good background information we all too readily give away in our social media posts. When thinking about your on-line security, it is critical to understand the people factor and to spread awareness of how powerful and successful Social Engineering attacks can be.

IT IQ: Wells Fargo Phishing


[Image: Wells Fargo logo]

Always interesting to get and look over a phishing email, as I did today.

The email, purportedly from Wells Fargo, was boldly titled “Important Notice Regarding Your Account”, showed “Wells Fargo” in the From header line, with the official Wells Red square logo below the address block. The email address behind the From line was smrfc@notify.wellsfargo.com. The rest of the email is copied below, with an asterisk added in the address so you don’t accidentally click it.

The key giveaway feature of these phishing emails is the helpful link you can click on to log in and solve the problem. Everything else in the content is intended to get you to trust and click. So the first rule you should follow is never click the included link. If you want to validate that you really have a problem then open your web browser, navigate to your bank’s site, authenticate, then check for warning messages.

My attention was also caught by the phrase “forced to suspend your account indefinitely”. While a bank may freeze a compromised account, no bank will lock you out of your funds; after verifying with you, it may move your funds to a different account number. This phrase was included to alarm you with a tight deadline and severe consequences, so you’ll be more likely to click.

Don’t fall for these scams. At best they might lead to a software download that would compromise your computer. At worst they will clean out your bank account and try to find linked accounts to do the same.

Stay Safe online!

– Ken


Dear Wells Fargo Member:

We recently have determined that different computers have tried to log in to your account. Multiple password failures automatically places your account on hold.
We now need you to re-confirm your account information to us.
If this is not completed by December 03 2014, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes.
We thank you for your cooperation in this manner.

To remove limitations from your account click on the following link:

https://online.*wellsfargo.com/cgi-bin/Logon.aspx?sd

Thank you for being our customer.
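The two tells the post points out, the helpful link and the pressure phrasing, are exactly what a mail filter or a careful reader checks for. The following added example (mine, not the author’s and not any mail product’s code) parses a message, pulls out every link, and flags any whose registrable domain is not the bank’s, then looks for the deadline-and-consequences wording. The sample message is a constructed copy of the one quoted above; since the post blanked the real link host with an asterisk, the host here is a made-up placeholder, and the second, legitimate-looking message is constructed for comparison. The “last two labels” domain rule and the phrase list are simplifications I chose for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the message quoted above. The link host is a
# made-up placeholder; the From header repeats the one the post reports, which
# is a reminder that a believable sender address proves nothing.
PHISH = """From: Wells Fargo <smrfc@notify.wellsfargo.com>
Subject: Important Notice Regarding Your Account
Content-Type: text/plain

Dear Wells Fargo Member:

We recently have determined that different computers have tried to log in to your account.
We now need you to re-confirm your account information to us.
If this is not completed by December 03 2014, we will be forced to suspend your account indefinitely.

To remove limitations from your account click on the following link:

https://online.wellsfargo.com.login-verify.example/cgi-bin/Logon.aspx?sd
"""

# Constructed legitimate-looking notice for comparison: the link stays under the bank's domain.
LEGIT = """From: Wells Fargo <alerts@notify.wellsfargo.com>
Subject: Your monthly statement is ready
Content-Type: text/plain

Your statement is available. Sign in at https://www.wellsfargo.com/ to view it.
"""

# Deadline-and-consequences wording of the kind the post calls out (assumed list).
PRESSURE_PHRASES = ("suspend your account", "indefinitely", "forced to",
                    "fraudulent", "re-confirm", "limitations")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-part public
    suffixes such as co.uk, which a public-suffix list would handle."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_urls(text: str) -> list:
    return re.findall(r"https?://[^\s<>\"')]+", text)


def analyze(raw: str, expected_domain: str) -> dict:
    """Flag links that leave the expected domain and pressure language in the body."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings, link_hosts = [], []
    for url in extract_urls(body):
        host = urlparse(url).hostname or ""
        link_hosts.append(host)
        # "online.wellsfargo.com.login-verify.example" reads as the bank to a human
        # but its registrable domain is "login-verify.example".
        if registrable_domain(host) != expected_domain:
            findings.append(f"link host {host} is not under {expected_domain}")
    hits = [p for p in PRESSURE_PHRASES if p in body.lower()]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    # The From header is whatever the sender typed, so it is reported, not trusted.
    return {"from": msg.get("From", ""), "link_hosts": link_hosts,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyze(raw, "wellsfargo.com"))
```

The host check is the one that matters: the post’s rule of never clicking the included link exists because the human eye reads the left-hand labels and trusts them, while the part that decides where the browser actually goes is the right-hand end.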