How many different passwords do you have? Add up all the ones on your work computer, your bank account, 401(k), personal email account, Amazon, Google, eBay, Twitter, Facebook, LinkedIn, Wikipedia, professional organizations, other shopping sites… The list goes on and on.

Each password has to be strong enough to protect the information behind it. Of course, knowing that we are all basically lazy (and that they will be held responsible if the account is hacked), the companies hosting these services require “strong” passwords – numbers, punctuation, no duplication, etc. And without universal standards, we end up with a hodge-podge of passwords that are impossible to keep straight.

One answer is a “password management” program, often built right into your web browser. These programs remember your logins and passwords for you and automatically fill them in as soon as you go to the page. There are several problems with them, though.

  1. When your computer gets stolen, you lose all your passwords.
  2. If the password manager gets hacked, you again lose everything all at once.
  3. The passwords are only available while you’re working on that one computer. You’re out of luck if you need to check your account from your mother-in-law’s.
  4. And, of course, these don’t do anything for the passwords you need to track that aren’t associated with web pages.

A perhaps-better answer is a single sign-on service. In this model, you create one account with a widely accepted and trusted service that then authenticates you to the merchants. The OpenID Foundation is probably the best known, accepted by about 9 million websites including Google and Yahoo. This still leaves all your eggs in one basket, but at least the basket is not in your easily stolen laptop. On the other hand, if any one of those 9 million websites gets hacked, the thief might then be able to forge your credentials on the other sites. I’d trust their service for accounts I don’t care much about (Google, email, shopping sites, etc.) but not yet for my bank account.

Several academics are experimenting with using your cell phone as your password manager. It’s an interesting idea since we are so very attached to them. But we also lose them at an incredible rate. And if you think you get resistance about your computer passwords, try requiring a strong password on a phone.

Biometrics? There are some interesting new ideas about facial recognition using the built-in webcam of many modern laptops, and others that track things like your typing patterns. None are ready for prime time yet.

All told, I think we’re still in a bad place. Passwords are the least unworkable answer we have today. Try to pick strong passwords, use a pattern that lets you modify a core password according to the site you’re visiting, change the important ones regularly and never, never, never share your password. If you must write them down, keep them in a dedicated and highly secure application like the old Blackberry password vault.

I don’t know what’s happening today but suddenly there are multiple stories about airport security “breaches” that aren’t and, more worrying, massive over-reactions on the part of the authorities.

In the first story, a lovesick schmuck walked in the exit path and ducked under a rope at Newark Int’l Airport in order to give his significant other a hug before she got on her plane. The guard who should have prevented this was not at his post. TSA isn’t saying why. They are, however, trying to find the man who gave the hug and threatening criminal charges.

Admittedly, the breach resulted in a huge disruption not only of air traffic at Newark but also cascading throughout the world as connecting flights were delayed. This was an expensive mistake. But it’s not the fault of the man who jumped the rope. The disruption is directly attributable to the pointless security theater practiced by the TSA. These threats to press charges are a transparent attempt to deflect attention from the fact that their security protocols are expensive, intrusive and, worst, inherently ineffective. It might be different if we were actually getting some increased security in exchange for our sacrificed civil liberties, but this is just pointless.

The second story is an internal test gone wrong. Slovakian security experts were testing the effectiveness of the bomb-sniffing dogs. To make the test as realistic as possible, they snuck some high explosive into a passenger’s bags after check-in but before the bags went onto the plane. There was no detonator or other means to set it off, just the raw material. The dog successfully found the explosive but the handler apparently got distracted and forgot to take it out before the bags were loaded. The mistake wasn’t found until the plane was in the air toward Ireland. They radioed the pilot, though, who decided that there was no risk (no detonator, remember?). They also notified the folks at Dublin Airport.

That didn’t stop the Irish security from arresting the innocent man whose bags were used in the test. He was later released (we hope with some kind of apology). The Irish government has focused not on their overreaction but on the “riskiness” of the test, calling it “unprecedented”. Realistic tests are not only accepted but are best practice. Do you really want to train your dog using only fake materials? How will you know whether she’s actually reacting to the right triggers? An explosive-sniffing dog that only reacts to Play-Doh (which looks and feels like C4 and might even smell like it to a human) won’t do any of us much good. Despite the Irish government’s spokesperson’s claims, tests with real materials are normal. Again, deflecting.

The third story is a domestic traveler who wanted to bring home some honey. Knowing that there are new restrictions, he called TSA, who confirmed that honey, like other foodstuffs, can be checked in your baggage (though it may not currently be taken as carry-on). TSA claims that the plastic bottles of honey tested positive for TNT and TATP and that two of their screeners had to be “rushed to the hospital” after opening the bottles. Subsequent tests showed no explosives – the two screeners are now being described as “just nervous”. That didn’t stop TSA from yanking the victim off the plane and disrupting travel for hours. All of it pointless, though this time TSA is at least taking a little bit of ownership for their mistake.

NPR ran a report a few days ago talking about the inherent difficulties of looking for bombs instead of looking for terrorists. On any given flight, there are only about a hundred suspects. There are, however, literally tens of thousands of hiding locations for bombs. And new security protocols always address the last threat, never the next threat. Terrorists adapt. Their tactics are not static. Make us take off our shoes – the explosives go in the coffee cup. Ban all liquids – try the underwear.

Next up, carry the explosives in a body cavity. Actually, that’s not even novel – it’s already been used in an Al Qaeda assassination attempt against one of the Saudi princes. And all those fancy whole-body scanners can’t do a thing to stop it.

As a society, we keep hoping that by sacrificing “just this one more” bit of our personal dignity and liberty, we will finally be safe. That’s not and never will be true. The recent failures highlight not tactical failures in the implementation of our security but a wholesale failure in the underlying security strategy. It’s time to rewrite our approach from the ground up.

Last time, we talked about resolving to make stronger passwords in the new year. This might also be a good time to resolve to check your credit report more regularly.

You are entitled to a free copy of your credit report (though not your credit score) every 12 months. Follow the instructions at www.annualcreditreport.com to request your credit report from each of the three major credit reporting agencies. (Stay away from the scam site that runs the goofy ads and has “free” in the domain name. They are anything but free.)

When reviewing the credit reports, look for:

  • adverse actions on your accounts that might indicate that you have been a victim of identity theft
  • accounts that have been opened in your name without your knowledge. Even if the identity thief is making the payments regularly, the account could still be in use for illegal activities.

If you find a discrepancy, follow the specific instructions on the website to dispute any incorrect information.

Some other suggestions:

  • Don’t forget to check the credit reports of your immediate family members, especially minor children and dependent elders. Both of those groups are at elevated risk of identity theft.
  • Remember that you are also eligible for a report every 12 months from any of the specialty agencies which have information about you.
  • If you want more frequent feedback on your credit history, consider asking for your free copy from only one of the major credit reporting agencies at a time. Space the requests for the other two agencies out every four months. For example, you could ask for your free copy from Experian in March, your free copy from TransUnion in July and your free copy from Equifax in November. Once you start, you will have to keep the same rotating pattern. Schedule the requests on your calendar.

Note: Several people have asked my opinion of credit monitoring services. I do not consider them worth the money if you are taking the regular precaution of checking bank and credit card statements and are reviewing your credit report at least annually. They might be useful if you are a recent victim of identity theft or are in some other high-risk category but they’re overkill for most of us.

Happy New Year, all. I hope you had a wonderful and safe holiday. It’s a brand new year – time to make resolutions to do better and be better people.

One resolution that we’ve talked about before is the need to make better, stronger passwords to keep your identity and your customers’ information secure. Americans still have a nasty habit of picking passwords from the dictionary. When the system requires numbers or extra characters, we tend to add them to the end. Hackers know this and exploit the pattern when they build programs to break your password. Here are a few suggestions to make their lives harder (without making your passwords so impossible to remember that you write them down). None of these suggestions are new, but hopefully this is a useful reminder.

  1. Pick a pass phrase, not a password. A good hacker can test your password against every word in the dictionary in something under 30 seconds. Testing every possible combination of 7 random characters takes not that much longer. A five-word passphrase, on the other hand, cannot be brute-forced using current computers in the time remaining in the life of the universe. And because of how our brains are wired, phrases are much easier to remember than strings of characters.
  2. Make each password a unique variant using some personal rule about the site that you’re logging into. That way, you won’t lose everything just because the hacker cracks one site but you can still keep the number of things you must memorize to a minimum. Here is a link to one technique.
  3. Never share your password. Not to your boss, your co-workers, your spouse, no one. Nobody should know your password except you. (The only exception I allow is that parents should insist on a copy of all passwords used by their underage children. Keep it safe, though.)
  4. Make sure you’ve changed the default password on accessories like your router.

Two interesting privacy positions came out today, one from the Ohio Supreme Court and one from the Australian Ministry of Communication.

In the Ohio case, the Supreme Court ruled that the police need a warrant to search the contents of your phone. The case comes from a drug bust. From the available evidence, the guy was guilty as sin. Unfortunately, when the police arrested him, they confiscated and then, without either a warrant or his consent, searched the phone. The trial court allowed the evidence from the warrantless search citing a 2007 federal court decision that considered a cell phone similar to a “closed container”. (The closed container rule is what lets the police look in your pockets when they arrest you.) For physical items, the closed container rule makes some sense – you need to be sure your prisoner is not still in possession of something that could be used as a weapon. And if you happen to see other evidence while checking for physical threats, at least you had a reasonable justification to be looking.

Now, you could argue that a phone is an “information container”. The trial court did and an appeals court agreed. And so did three of the seven Ohio Supreme Court justices. But four of the justices were unable to make that stretch and I agree with them. A phone or a hard drive may be an information container but the information within it can’t be used as an immediate weapon to threaten the safety of the arresting officers. The justification for a warrantless search is missing. There is no immediacy. So does this mean we have to let drug dealers go free? No, it just means the police need to talk to a judge before they search the phone. They need a warrant, just like they do for almost all other searches. I think this ruling is in keeping with the privacy expectations of most of us.

There is one caveat in the Supreme Court’s ruling – they can search the content of your phone if they believe their safety is in danger. I am at a loss to think of a scenario where a phone would constitute a danger but expect some pretty specious arguments. Overall though, this was a clear win for privacy.

The story from Australia is a lot less promising. The Australian Communications Minister announced today that the government will impose mandatory internet filtering to block “obscene and crime-related websites”. Publishing that content is already illegal in Australia, but they have no ability to control it when a citizen accesses the content from an overseas server.

If the filter is implemented, it would be the strictest among the world’s democracies. It would put Australia in the ranks with Burma, China, Iran, Syria and North Korea. Unfortunately, the Minister has also already conceded that the filter will be ineffective, despite the success of a recent technological test. Much of the information that he proposes to block is available via peer-to-peer and chat sites, neither of which would be affected by the domain-name-based filters which are being proposed. The filters also inevitably block some proportion of legitimate content. The result would be a sweeping grant of power to create a secret blacklist to little or no obvious gain. Electronic Frontiers Australia, a privacy rights group, has challenged the government’s plans, saying “We’re yet to hear a sensible explanation of what this policy is for, who it will help, and why it is worth spending so much taxpayers’ money on.”

In both these cases, it’s easy to empathize with the “tough on crime” position. Drug dealers are evil and obscenity is bad. But the erosion of privacy and other personal liberties is far worse, no matter how well-intentioned. I am heartened that the Ohio Supreme Court found the right decision even though it took an ugly case to bring it to light. I hope that the Australians find their way as well.