My Favorite Podcasts


I admit it, I’m a podcast addict. I don’t listen to every one every day but I listen to them more than I do music these days. In addition, I’ve switched to listening to my favorite NPR shows via Podcasts, which is excellent since I’m often not in a place to listen to shows like Marketplace or This American Life when they air.

Below is my current subscribed Podcast list. I’ve grouped them into a variety of topics, even though many of them cross between multiple types. If you have others to suggest let me know in the comments or via message; one type I’ve been on the search for but haven’t found one I really enjoy yet is a board/card/tabletop gaming podcast.

Now onto the list….

Educational & Business

Freakonomics Radio

Harvard Business Review Ideacast

How to do Everything

Science Friday Podcast

Stuff to Blow Your Mind

Stuff You Missed in History Class

Stuff You Should Know

Entertainment, Inspirational & Discussion

The Adam Carolla Show

The Moth

NPR Fresh Air

NPR Story of the Day

TEDTalks

This American Life

WNYC Radiolab

WTF with Marc Maron

Financial

Marketplace

Marketplace Money

Marketplace Whiteboard (not updated recently)

Motley Fool Money

Planet Money Podcast

Security

CERIAS Security Seminar Podcast

CERT’s Podcast Series: Security for Business Leaders

The Digital Underground Podcast

Network Security Podcast

PaulDotCom Security Podcast

Risky Business/RB2

SANS Audiocasts (not updated recently)

Social-Engineer.org Podcast

The Southern Fried Security Podcast

Technology/Geek Culture

Lazy Game Reviews

The Nerdist

TechStuff (How Stuff Works Podcast)

Writing/Grammar

Grammar Girl Quick and Dirty Tips for Better Writing

I Should be Writing

Novelists at Work: I wanna be a Writer when I Grow Up

Samsung Galaxy S II GT-I9100 – Essential Software Add-Ons


Android has challenges; the openness that lets it run on hundreds of different devices brings problems with hardware compatibility, standardization across implementations and assuring that applications run well. In the best case apps work great; in the worst they run slowly, crash, or eat your battery.

With the Galaxy S II (referred to as S2 from here out) Samsung has significantly improved their stock/included software over the original Galaxy S. Within a month of acquiring my Galaxy S I was looking to wipe the device and install CyanogenMod, whereas with the S2 I have had no such desire yet. It runs well out of the box.

As with all devices it is not perfect. Below I highlight apps I’m using to cope with some of these weaknesses and create a functional work environment. A few of the tools will require you to root your device, which is a fairly simple process; keep in mind that once the phone is rooted, any app you grant root access can read everything on the device, so be selective about which apps get it. When in doubt, a Google search or a browse through XDA-Developers should enlighten.

What Samsung Did Right:

In the default software Samsung includes acceptable email, calendar and task-list clients. These three items mean my corporate and home life tracking tasks are performed adequately, even if they still need some work. For those that want better email I have heard good things about K-9 and TouchDown, although I have not used them. As mentioned above, the Galaxy S2 included software is a huge improvement over the original Galaxy, partly due to the advancement in the core Android software over the last year and partly due to Samsung’s additional effort in assuring the end product is polished.

Features Requiring Help:

Notification Light/LED Addition:

This has been a complaint of mine since Apple made minimalist phones trendy. The exclusion of a notification LED was a bad move, which we are still suffering from years later since almost every manufacturer uses Apple as the standard-bearer for design decisions. I like to see whether there are notifications waiting on my phone without turning on the screen.

Solution: NoLED or Backlight Notification (BLN)

NoLED:

NoLED uses the main display to show notices. Due to the AMOLED display technology used in the Galaxy S/S2 a black screen consumes almost no power, since each pixel is individually lit. NoLED uses a small portion of the screen to show notifications and moves the notices around so as not to create burn-in, something OLED displays are prone to. It is a super sexy application, but if you set it up be conservative in how long you show notices for; this app can consume significant battery if it is constantly displaying information.

Backlight Notification (BLN):

BLN uses the backlit soft buttons at the bottom of the screen to indicate when there are notices waiting. One disadvantage of BLN is that you need a kernel with BLN support, which might be beyond some folks’ comfort level. On the S2 I had to take an additional step and find a liblights library that supported BLN and load it onto the phone. With this said, if you want notifications and minimum battery use, BLN is a simple, winning solution.

Launcher Replacement:

A Launcher on Android is the main interface you use for navigating the phone and launching applications. Samsung includes their own launcher by default, which is not bad but is not as customizable as many of the aftermarket products. On my S2 I have been using ADWLauncher EX as my launcher replacement with the ADWNotifier add-on. Many people will never see a reason to do this since the default launcher is pretty good.

Home/Summary Screen:

I’m a fan of having a home screen that displays my calendar, voicemail snapshot, phone status, etc. without having to unlock the phone. WidgetLocker acts as a front-end for your phone when the power button is pressed, presenting you with a screen of apps or widgets you choose. You can then select your app, which is followed by the password prompt (if configured). It provides me with the snapshot I’m so often looking for without having to unlock my phone. Bear in mind that anything placed on this screen is visible to whoever picks up the phone, so choose the widgets accordingly. The widgets I have configured on my home screen include: CalWidget, Beautiful Widgets clock/weather, Google Voicemail listing, weather and Juice Defender.

Battery Management:

I hate battery management. Hate is a strong word, one I use for having to plug in my phone any time between getting up in the morning and going to bed in the evening unless I’m obsessively tinkering with something or playing a game. With the Galaxy S I had things tweaked so that I didn’t have to mess with it too much but once my local cell provider turned up 3G/HSPA+ service I could hear a giant slurping sound from my phone battery, which could also stand-in for a pocket warmer.

Juice Defender in its most basic form enables and disables the various radios in your phone in an attempt to conserve power and in the most advanced form actively manages everything from display brightness and processor speed to whether or not your phone is connected via EDGE (2G) data, 3G/4G or Wifi.

Before Juice Defender my phone was hitting 50% battery no more than 4-5 hours into the day. Since my days are longer than 10 hours this is not acceptable. Now that I have Juice Defender running and customized my phone is down to 25% battery on average when I go to bed. If I plug in once in about mid-day I can go to bed and still have 60-75% battery.

I think Cell phone manufacturers need to give up on the crazy small phones if it means a phone that must be plugged in during the day. I had an extended battery on my Galaxy S to cope with the crazy short battery life. On the S2 I’m attempting to avoid that scenario, which has meant using tools like Juice Defender and keeping power plugs nearby.

Locating/Erasing a Lost Phone:

SeekDroid has only a few functions but very important ones. It allows you to track and remotely wipe your phone if needed. Samsung has included similar functionality in the S2 but I have not enabled it yet. This application is not going to be as effective with Juice Defender shutting down the data radios in the phone, since a locate or wipe command can only arrive while a radio is up, but it is a nice feature to have.

Replacing the Stock Samsung Keyboard:

The stock keyboard on the Galaxy S and S2 is poor unless you like Swype. For four years Apple has offered a touchscreen keyboard with better accuracy and text prediction. Some people love Swype (where you slide your finger around the screen to the letters you wish to spell) but that is not me; I prefer to touch type on my phone keyboard, which means I test the ability of the phone to predict exactly what I wanted to say.

Three suitable alternative keyboards I’ve found are the stock Gingerbread keyboard, which is pretty good for someone who types on their phone; the A.I. Keyboard, which attempts to predict what you are going to type and presents those options; and SwiftKey X, which is paid but a usable, configurable keyboard. Right now I’m using SwiftKey but may go back to the Gingerbread keyboard at some point in the future.

Syncing Audio with iTunes:

Currently I’m using TuneSync to perform this function. It took a little work to set up since the error messages are vague or absent, but once working it synced with our house iTunes library over Wifi, enabling me to carry a little slice of music heaven around with me. I have not experimented with Podcasts yet but that will need to come at some point in the future.

Playing Audio:

I’m using WinAmp to perform this function today. It does a good job of automatically locating my audio on my phone and supports the playlists that TuneSync places on the device. I might switch players eventually but I like whipping the Llama’s ass.

File Synchronization:

Dropbox is how I move files to and fro these days. It is easy to setup and has clients for just about every platform imaginable. On top of it many of the Office and other applications have native support so that they can access files with no additional hoops.

File/Folder Navigation and Management:

This is something Apple really tried to get away from – having the user manage files. On Android it is a must for anyone who considers themselves a power user. For this purpose I’m using Root Explorer today, although I switch back and forth between Root Explorer and Astro depending on the day and need.

News/RSS Feed Reading:

I use NewsRob for news consumption on my Android devices. It does the job so well that in the last year I haven’t even thought about trying out any of the competition.

Backups:

I have a preference for my phone/tablet to perform on-device backups. Rarely do my devices get plugged into a computer so relying on a computer connection to assure a backup is current is a pain. On Android I use Titanium Backup and Rom Manager/CWM to do backup duties. I know other apps exist but these two apps have served my purposes well.

Barcode Scanning/Price Shopping:

With the number of cameras on phones and barcodes out in the world it should be expected that all phones should now include a barcode/QR scanner tool and perhaps some price shopping capability. Luckily Barcode Scanner, RedLaser and the Amazon mobile app are just a download away.

A few honorable mentions: Recently the only games I’ve spent any real time playing are Gurk and Realms of Fortune. I have a bunch of games but those are the only two that are keeping my attention for any length of time. I’m sure Solitaire, Mahjong or Hold’em will make a reemergence at some point. If you are new to Android be sure to download the Amazon App store app and grab some freebies, over a period of weeks you can greatly expand your app collection.

 

Creating Safe, Easy to Remember Passwords


The last few days I’ve spent time pondering the LulzSec breaches, the PlayStation Network breach and the seemingly endless number of other data and security compromises.

This has prompted discussions with coworkers and friends about their personal security practices. Being in the IT field over the years I have found that most IT people are only slightly more secure than the general population. Usually the story is that they “rotate 3 or 4 passwords” or “use one password for sites I care about and another one for everything else.”

Both of these methods in my opinion are bad, primarily because a site you do not care about can become a liability later: once that site is breached, the password you reused is tried against every other site you use, and anything posted under your name is indexed by Google and other search engines. People accessing your account might not always be looking for financial or personal data; they could just be screwing around or attempting to damage your reputation, perhaps by posting inflammatory posts to message boards, which may poison Google searches for your name or email address for years to come. You might not know about the compromise for years but Google would be attributing posts to your username the entire time.

Below I address two methods that you could use to create (relatively) secure passwords without having to memorize a ton of different information.

 

Option 1: Use a Password Database

If you want maximum security I would refer you to a password management tool, which will allow you to have a random password for every website you access. You must keep the password database safe, but keeping a single, well-controlled database safe is easier than attempting to keep dozens, or if you are like me, hundreds of sites straight. With the major tools you can also sync your passwords between your computer and phone so that you are never without them. The main thing you need to assure is that the master password used to lock the database is strong, since it protects every other password you have. Applications such as KeePass, SplashID, LastPass and 1Password are examples of these types of tools.

 

Option 2: Create Reference Passwords that are Customized per Site

If you want an easier, less cumbersome method to create pretty solid passwords without a password manager, I’m going to propose a few ideas that should result in significantly more secure passwords than rotating a handful of them. You don’t need to go through this entire gyration, but the more you do, the less risk you are exposed to. Customize as you see fit to your paranoia level and needs.

Creating an Easy to Remember Set of Passwords:

  1. Pick your Words or Phrases. Pick 3-5 words or phrases you can easily remember. The words SHOULD NOT show up in a Google search, even misspelled. This means if you are going to make up words then make up new unique words no one has used before. For phrases you can use poetry, lyrics, book quotes, anything you would like. I would encourage you to stay away from quotes or lyrics that are extremely popular since you are not the only one that would have thought of them.
  2. Shorten words or phrases into something manageable. If it is a long enough phrase such as “I do not like green eggs and ham said Sam I am.” then shorten it to “IdnlgeahsSIa.” or some variant. There are two reasons for this; first, typing a massive phrase takes a while and is prone to typos. Second, many password systems still cannot handle passwords longer than 16 or 20 characters. Our goal is simplicity without a management system. Note that I kept the special character “.”: special characters enlarge the space a password cracker has to search, although a few password systems will not accept them.
  3. Verify the passwords are >8 and <20 Characters. Now you should have 3-5 solid, non-Googleable words or abbreviated phrases with >8 and <20 characters each.
  4. Make it Easy to Locate Which Password to Use. The next step is to figure out a trick to identify each website so that you can pick one of your passwords. You could use the first or second letter of the domain name to identify the password to use, e.g. letters A-L get one password, M-S get another, etc.
  5. Figure out a Unique Identifier for Each Website. Figure out something about the domain name or website that will give you something fairly unique. E.g. logmein.com is 11 characters long, so perhaps you use that. You could also directly steal something from the site, such as its name, and use it in the password, e.g. insert the initials “lmi” or “logmein” into your password.
  6. Place the Unique Identifier into your Password. Now take your unique number and apply it to your password, perhaps with the shift key held down, which turns the digits into special characters. In the case of the password I reference above, “IdnlgeahsSIa.”, if I used both methods identified in step five I would insert “11” with shift held down (which types as “!!”) and “lmi” into my password. The result might be “IlmidnlgeahsS!!Ia.”. Note that I did not insert the shifted “11” or the “lmi” at the very beginning or end of the password, to make it a little harder to predict for someone attempting to compromise my accounts. At this point most hackers are probably moving on to easier targets unless you have become the target, in which case they will probably try to find other ways to access your accounts. If they do keep trying to access your accounts using passwords there is a good chance you would receive notices that something was up before they gained access elsewhere.
  7. Create a cheat sheet to carry with you. Until you have committed your new password methods to memory carry a coded sheet of paper with you, perhaps in your wallet. Do not write down the entire process, just the cues necessary to jog your memory. This way if you lose your wallet your passwords are still safe; all anyone will find is paper scribbled with unintelligible notes.
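The seven steps above, carried through in code as an added example (this is not the author’s script; it is an illustration of the scheme as described). The three base phrases and the domains are constructed for the demo, the letter buckets follow step 4 (a-l, m-s, everything else), the per-site identifiers are the domain length typed with shift held and the first three letters of the site name (the post’s hand-picked “lmi” becomes “log” under that rule), and both are spliced into interior positions as step 6 requires:

```python
import string

# US keyboard number row with shift held: "10" -> "!)", "11" -> "!!"
SHIFTED_DIGITS = str.maketrans("1234567890", "!@#$%^&*()")


def abbreviate(phrase: str) -> str:
    """Step 2: first letter of every word, keeping case and any trailing punctuation."""
    words = phrase.split()
    core = "".join(w[0] for w in words)
    tail = phrase[-1] if phrase and phrase[-1] in string.punctuation else ""
    return core + tail


def length_ok(pw: str, low: int = 8, high: int = 20) -> bool:
    """Step 3 as written in the post: strictly more than 8, strictly fewer than 20."""
    return low < len(pw) < high


def pick_base(domain: str, bases: list[str]) -> str:
    """Step 4: route a domain to a base by its first letter (a-l, m-s, rest)."""
    first = domain.lower()[0]
    if "a" <= first <= "l":
        return bases[0]
    if "m" <= first <= "s":
        return bases[1]
    return bases[2]


def site_identifiers(domain: str) -> tuple[str, str]:
    """Step 5: the full domain length typed with shift held, and the site's first
    three letters (the post uses a hand-picked 'lmi' for logmein; this rule gives 'log')."""
    label = domain.lower().split(".")[0]
    shifted_len = str(len(domain)).translate(SHIFTED_DIGITS)
    return shifted_len, label[:3]


def site_password(domain: str, bases: list[str]) -> str:
    """Step 6: splice both identifiers into the interior of the base, never at
    the very start or end, so the base and the rule are harder to spot."""
    base = pick_base(domain, bases)
    shifted_len, initials = site_identifiers(domain)
    pw = base[:1] + initials + base[1:]      # initials after the first character
    pw = pw[:-3] + shifted_len + pw[-3:]     # shifted number before the last three
    return pw


def demo() -> dict[str, str]:
    """Constructed bases (step 1) and domains; not anyone's real passwords."""
    bases = [
        abbreviate("I do not like green eggs and ham said Sam I am."),
        abbreviate("my aunt's tractor hums blue in November, loudly."),
        abbreviate("zebras never ordered pancakes from the quiet lighthouse?"),
    ]
    assert all(length_ok(b) for b in bases), "fix the base phrases (step 3)"
    return {d: site_password(d, bases) for d in ("logmein.com", "reddit.com", "twitter.com")}


if __name__ == "__main__":
    for domain, pw in demo().items():
        print(f"{domain:12} {pw}  ({len(pw)} chars, length_ok={length_ok(pw)})")
```

The weakness a practitioner should see in the output: two of these passwords side by side (say, from two breached sites) reveal the shared base and the splice rule, which is why the post offers this as the fallback for people who will not run a password manager rather than as a replacement for one. Swap the bases and the splice positions for your own, and do not keep the script next to them.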

After trying a variation of this system if you think your password management method is still too complex mix it up and perhaps simplify the system. The key is to keep passwords long, avoid dictionary words, mix up the letters and numbers, if possible insert some special characters, and keep from using the exact same password on several websites.

Even if this type of strategy does not keep people out of all of your accounts by the time they figure out what sites overlap (should be very few) you will hopefully have received dozens of “Invalid login attempt detected” messages in your inbox, allowing you to take action.

Navigating and Understanding Vendor Security Claims (2 of 3)


This is the second in a series of articles on Navigating and Understanding Vendor Security Claims. You can check out Part 1 here.

 

When good Encryption Goes Bad or “What the hell happened to WEP?”

Many sites bandy about the term encryption as if encryption were all that matters. Just because you are using a good cipher does not mean your data is safe; the cipher must be implemented and used properly in order to keep your data secure.

The classic example of “Good technology, bad implementation” is a wireless security protocol called Wired Equivalent Privacy (WEP), which was introduced in 1999 and is still a feature of all mainstream WiFi network cards in your computers today. The building block at the core of WEP, the RC4 stream cipher, was sound on its own, but WEP wrapped it in a 24-bit initialization vector that repeats after a few thousand frames, a key-scheduling arrangement that leaks key bytes, and a CRC-32 integrity check that lets an attacker modify frames undetected. That left the wireless security on millions of computers broken. Within two years of WEP’s release researchers had published attacks that recover the key from captured traffic, and freely available tools were soon doing it in under an hour. Vendors made many adaptations to the protocol to beef up its security with varying levels of success. WEP was superseded by WPA in 2003 and WPA2 in 2004, but to this day WEP is still the most compatible wireless encryption protocol, so many people use it, especially in homes and environments with older devices.

These same issues relating to bad development decisions may arise in any security implementation. Going back to our online backup vendor example: What if the backup vendor cached your unencrypted data to a temporary directory on their server until they had free processing time to encrypt it? The attacker would never need to compromise your encryption for new data; they would just need to monitor the temporary directory for the cached data and copy the interesting information. In a severe instance perhaps the hacker automatically sends a copy of all data passing through that directory out to another server on the Internet. This scenario would be avoided if the customer were doing the encryption before the data was sent to the provider, although it still relies on the vendor developing their software in a secure manner and being wise about their service architecture.

The final example I will give on this topic since it has been in the headlines recently is Dropbox, which I have mentioned in previous posts. Their website states that they are encrypting customer data with AES. It was later revealed that all customer data is being encrypted using a single encryption key and that the Dropbox staff could decrypt the data if deemed necessary.  This might be fine for some people or organizations but for others it would be a completely unacceptable situation since a single encryption key being compromised could put all data within Dropbox at risk.

If you need a service but are uncomfortable trusting vendor security claims, another thing you can do is double encrypt your data. In this situation you would encrypt the data on your servers, then let the provider encrypt it a second time using their method as it is sent to them. By doing this, even if your vendor’s network is completely compromised, including the keys they hold for your backups, the result of a hacker decrypting your data will be more encrypted data for which they do not have the keys, since you performed the first layer of encryption in-house. This only holds if your own key never leaves your premises; a vendor-supplied client that “encrypts locally” but uploads or escrows the key gives you the second layer only in name. At that point, unless it is a highly skilled, targeted attack against your organization, the attacker is probably going to move on to an easier target.

The moral of this section is: Just because the buzzwords are there does not mean your data is safe. Dig deeper to find specific information as to how they assure that their security and encryption implementation is secure whether it be through an advanced quality assurance process, secure development and testing regime, external code and security audits and constant reviews, or any combination. The more they do the better.

 

Are there cases where encryption is a liability?

In my opinion, Yes. This will not be true for most people most of the time but it can be.

When you encrypt or digitally sign (a topic not covered in this article but closely related) your data using a well-constructed key and a sound encryption or signature system you have done something in addition to securing your data. A signature proves the data was produced by the holder of that key; data found encrypted under a key that only you control is, in practice, nearly as strong a tie back to you.

Do you want all your data to be traceable back to you? Think about this for just a moment.

Imagine you are in court “So Mr. Weiner, you say you did not send that photo of male genitals to six female colleagues?” “No, I did not sir, my twitter account was hacked.” “Was the image yours?” “I do not know.” “After analyzing your office computer we have found a copy of the image and twitter data encrypted under an account that only you had access to. The forensics team determined that there is no evidence of data tampering or unauthorized access on that computer. Are you sure you did not send the photo?”

What just happened in this example? Assuming the court understands the basics of encryption and data security Mr. Weiner is damned because he sent the images from his encrypted data store containing both the image and the twitter cache showing the sent image. It becomes a bit like DNA evidence, there is a very large hole to dig yourself out of if you want to prove it wasn’t you. At this point I will point out that I am not a lawyer and am covering this topic just to get people thinking.

Being a computer guy I know people that digitally sign every email, which provides a guarantee that the email is original and was not tampered with in transit from the writer to your computer. This is another item I question; do I want every piece of email I send to have a digital signature guaranteeing that I sent that email? Are you planning on running for political office? If so do you want your “Guaranteed” email quoted out of context by your opponents?

Think about all those funny emails you have, the lewd jokes, the political rant you wrote after a few too many beers, and anything else you may have sent or stored in your encrypted account or data store. Do you want that data to be able to be tracked back to you with certainty?

If you are a corporate encryption user there is a good chance your company is practicing a technique called “key escrow”, which is where the corporation maintains a copy of the encryption keys so that they can access your data in specific situations, such as during a legal proceeding or to meet regulatory requirements. In these cases your company can always access your encrypted data if necessary. It also leaves open a potential attack vector for someone looking to gain access to your data. Rather than target your account they might choose to target the key escrow system within your organization, which might give them access to everyone’s encryption keys.

A privacy-paranoid individual would argue that encryption is always good, but that is only true if the data is not found in the first place (there are techniques to hide your data while also encrypting it), you are willing to give up the keys to a proper authority, or you are doing something illegal for which the punishment is worse than the potential repercussions for denying the court access to your data. Which looks worse: having a hard drive containing illegal data that you can claim was an innocent mistake, or showing up in court and refusing an order to provide your encryption keys, which implies that you knew you were violating the law and want to hide it?

If you are breaking the law and hoping to leverage encryption to protect your data, your risk may be more about perception than about what is contained within the data itself, since the authorities already had some evidence in order to arrest you in the first place.

In real life, rather than the armchair quarterbacking that I offer above, I encrypt my notebook hard drives and encourage others with portable machines to do the same. This is not because there is anything illegal on my computers but because if my notebook is lost or stolen I don’t want to worry about what data was lost. Losing a computer would suck, losing a computer with all my important data on it would suck about a hundred times more.

 

What is Hacking?

Hacking itself is not bad, it is the use of something for a purpose other than was originally intended.

Some people have attempted to differentiate Hacking by calling “bad” hacking by a different name such as “cracking” but it has never caught on, it is Hacking, just a different type. You can be a good driver or a bad driver, either way you are still driving.

Most of us partake in some form of hacking every day, although not to the degree that people like the folks participating in Make Magazine or in the more extreme Lifehacker articles do. When you took that broom, sawed the tines down to two inches then used it as a rain gutter cleaner that was hacking at a basic level. You repurposed something in a way the manufacturer never intended.

A second part of understanding hacking is that there are two main types of technology hackers: recreational hackers and hackers with financial or reputational goals.

For the hackers with financial or reputational goals, you could become a security consultant or penetration tester (a professional hacker), or steal identities or credit cards; the skills serve the same purpose, only some types of hacking do not result in jail time if caught.

Recreational hackers are folks like George Hotz, smart folks with time on their hands that are interested in tinkering, understanding how things work, and enabling them to do unintended things. Sometimes these folks end up doing stupid stuff, like defacing Bank of America’s website, which can land them in jail or make them the target of a lawsuit but at the end of the day it isn’t about money or fame, it’s a hobby or passion.

 

The Terms of Service Tightrope

All vendors storing your data online are going to have Terms of Service or Terms of Use that disclaim most or all of their responsibility in a security breach or data loss event. Some will provide reassurances or some basic guarantee but if you read the details you will probably find that their liability is only a token effort, not anything that will save your business.

With this said no vendor wants their security compromise or data-loss event to be front-page news so they do have some incentive to keep your data safe other than taking your money every month. For them a security breach will likely mean lawsuits, competitors eating them alive or in the case of regulated data the potential for fines.

If you are looking to outsource more than your non-essential applications, such as a health organization outsourcing its Electronic Health Record and billing systems, which are critical to the organization and contain confidential data, you will want to perform due diligence: scrub the terms of service for the exceptions you require, put business associate agreements in place where necessary and analyze any contracts closely.

As a small business you won’t have much leverage with many vendors but if you are a medium or large business it is worth twisting arms a bit to see where you can realize some compromise. If the vendor cannot provide assurances you require you can keep hunting or take your own precautions to secure the data before it is sent to them. This might not be possible with services such as Electronic Health Records but if it is an online Disaster Recovery or Backup service you may be able to take action to add additional layers of security.

 

Physical Security

This is the Gates, Guns and Guards portion of keeping your data secure. If the datacenter housing your data is properly secured you avoid a real risk to data security. Downloading 200 terabytes of data over the average Internet connection would take months. Stealing the servers out of an insecure building would only take a few hours, plus an Ocean’s Eleven-style planning session just for fun.

When evaluating online vendors something we often do not think about is where the data is and what keeps people from accessing the data if they walked into the facility where the equipment is located.

In my last blog post I mentioned finding out where the datacenters were so that you know whether the vendor is geographically diverse. In addition to being geographically diverse you will want to ask about how the facility is secured and who can gain access to the equipment.

There is a computer security mantra related to physical security. For this article I will quote a variant from a Microsoft TechNet article: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

 

Social Engineering

Social Engineering is the act of manipulating or hacking a human-based system to gather the data you are looking for. Why go through five online systems attempting to answer questions to reset someone’s password when a well-placed, friendly call to customer service could do the same?

For a company storing or hosting my important data or systems I would expect that they have a system built to validate people’s identities, keep their facilities secure, require multiple levels of approval for access, and that they would not let a guy dressed as a telecommunications technician with no other credentials wander around the building unfettered and hand him keys to the wiring closets.

This might not be something you can find out ahead of time but it is worth asking about. If you cannot get a straight answer as to whether they train their staff to look out for Social Engineering attacks, you could test by calling their customer service number and seeing what information you can gather about your organization, or whether they will reset your password without your giving them your real credentials. Limit such a test to your own account and get your organization’s sign-off first; probing someone else’s account is the attack itself.

Another form of Social Engineering attack is the Phishing attack. In a phishing attack a hacker sends out emails or other communications containing a link or a request for data while impersonating a legitimate tool or website. Normally the aim is to gather your usernames, passwords or personal data, or perhaps to install malware onto your computer, from which they can gather data or launch attacks later. A variant of Phishing called Spear Phishing is targeted at a specific organization.

 

Other Factors

We have focused primarily on computers, encryption implementation and access to those systems. Just as with your home, the front door lock is only one aspect of proper security. Other factors we will not be digging into during this article include:

  • Proper network security infrastructure including firewalls, intrusion detection and prevention systems (IPS/IDS) and secure network development and architecture.
  • Host/Computer-based intrusion detection software, antivirus/anti-malware and other tools enabling vendors to monitor, act on, and protect against security events.
  • Network Monitoring infrastructure, enabling vendors to monitor the health of the network, set baselines and alert automatically if there are changes in expected activity. In a perfect world these systems would be tied closely to the Intrusion Detection and other traffic-monitoring systems. A great real-life example of this is the online password site LastPass, which saw a network data anomaly and immediately took steps to secure their data. Breaches are not a good thing, but they are to be commended for having monitoring systems in place with someone watching them, so that they noticed when traffic changed on the network and took proactive steps to secure users’ data. After a move like that my trust in the company went up rather than down, whether or not there was a breach.
  • Regular audits, secure development, and quality assurance processes with a focus on data security.

 

So I’ve done or verified everything above; is my data secure?

No one can guarantee that your data will be 100% safe. If an organization has enough money and is determined to gain access to your data there is a good chance they will, even if it means bribing your janitorial firm to photocopy your important data in the middle of the night. What you need to do is determine what is reasonable.

Information Security is a compromise between ease of use and protecting user data. As has been said many times, the only secure computer is turned off, in a vault, with no network connectivity. At that point it becomes unusable so the system’s value is destroyed. Security teams are always attempting to strike this balance so that they protect the infrastructure while keeping the systems usable. If systems are not usable the users will find other ways to get the job done, which will almost always be more risky than making some compromises up front.

Security is a huge topic; protecting your data is an industry unto itself. Our goal here is to help you make good decisions and detect questionable statements without being a security expert.


If you made it this far, congratulations. Eat a brownie and blame me for destroying your diet. In the next article we will look at some specific examples of security claims and compromises.

Navigating and Understanding Vendor Security Claims (1 of 3)


Every time you make a decision to trust a vendor, whether it be a storage provider in the cloud, the company handling your taxes online or your favorite social network, you put faith in them that they will live up to the security claims provided via their website. Is your online backup vendor really keeping your data secure? When you click “Share my data with only friends” on Facebook, what assures you that this is true?

Due to the expansiveness of this topic I’m starting with two posts describing data security concepts you should understand if you are looking to evaluate vendor claims. The third blog post will be a hit list with examples of language to look for on vendor sites, how to decipher it, and identify valuable security statements vs. buzzwords and hype, which permeate the industry.

 

Data Security and Encryption Concepts:

In this first section we talk about security and encryption concepts. This post is about defining security terms and understanding important technical components such as what encryption is, the types of encryption, and the differences between encryption keys and password hashes. Don’t worry, there is no associated test.

 

Understanding the difference between Features and Vulnerabilities

A Feature is placed on purpose. The username and password used to log into your favorite site, known as your authentication method, is a feature they have implemented to differentiate and secure user accounts. The “Share data only with friends” button on Facebook is intentional and under normal circumstances will only allow your friends to see your data; this would also be a feature. A programmer built this feature into the software and it is behaving as expected.

Vulnerabilities are unintentional; they are usually introduced when someone is writing a piece of computer code and does not perform the proper checks on that code. By attempting to manipulate the program in unexpected ways someone might find the vulnerability, which allows them to gain access to other data, crash the system or load their own programs onto the system. There are other types of vulnerabilities that can happen at other levels in computers, including at the hardware level, but software vulnerabilities are the most common.

As an example of a vulnerability, suppose a programmer wrote code for a search box on a website and only expected people to search using letters, not numbers or symbols, but didn’t write the code to check that only text is entered in the box. They may have unintentionally introduced a vulnerability. Later someone might come along and, by attempting to insert non-letter characters in the search box, learn that they can make the website show them other people’s private data. This newly discovered “capability” would be a vulnerability.
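As an added illustration of that search-box example (this code is not from the article), here is a small Python sketch of the same feature written twice: once as the programmer imagined it, pasting the search term straight into the query, and once with the missing checks in place. The notes table and its rows are constructed sample data, and SQLite is used as the stand-in database.

```python
import re
import sqlite3

# Constructed sample records standing in for a site's data (an assumption, not from the article).
# private = 1 marks rows the public search must never expose.
SAMPLE_ROWS = [
    ("alice", "gardening tips", 0),
    ("alice", "tax return draft", 1),
    ("bob", "cookie recipe", 0),
    ("bob", "medical records", 1),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory notes table loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, title TEXT, private INTEGER)")
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The feature as the programmer imagined it: 'term' is always plain letters.
    Because the term is pasted into the SQL text, a term containing a quote
    rewrites the query itself and the 'private = 0' restriction stops applying."""
    sql = ("SELECT owner, title FROM notes "
           "WHERE private = 0 AND title LIKE '%" + term + "%'")
    return conn.execute(sql).fetchall()


ALLOWED_TERM = re.compile(r"[A-Za-z ]{1,40}")


def is_valid_term(term: str) -> bool:
    """The check the original programmer left out: letters and spaces only, bounded length."""
    return ALLOWED_TERM.fullmatch(term) is not None


def search_hardened(conn: sqlite3.Connection, term: str) -> list:
    """Same feature with the checks added: the term is validated against the expected
    shape, then handed to SQLite as a bound parameter, so it is only ever compared
    as data and can never be reinterpreted as part of the query."""
    if not is_valid_term(term):
        raise ValueError("search term must be 1-40 letters or spaces")
    sql = "SELECT owner, title FROM notes WHERE private = 0 AND title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A non-letter input: the quote closes the string and the remainder is read as SQL.
    odd_input = "' OR 1=1 --"
    print("vulnerable:", search_vulnerable(db, odd_input))   # every row, private ones included
    try:
        search_hardened(db, odd_input)
    except ValueError as exc:
        print("hardened rejected it:", exc)
    print("hardened, normal use:", search_hardened(db, "cookie"))
```

The point to take from the two versions is that the vulnerable one is not "wrong" for the inputs its author expected; it only misbehaves on the input nobody checked for, which is exactly the distinction between a feature and a vulnerability drawn above.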

 

Encryption

At a basic level encryption is using math to scramble (encrypt) data so that unless you have the proper key you cannot unscramble (decrypt) the data later. You can expect that fifty years from now the data will be accessible due to increases in computing power, but over time the confidentiality and value of data decline, so from a practical standpoint it can be labeled secure.

The primary encryption algorithm used when I started implementing systems was DES, which was used for 20+ years before a machine was built that could crack the encryption in less than a week for a reasonable amount of money. DES is still in use today in some systems that have not migrated to newer systems such as AES, which is now about 12 years old and the current standard endorsed by the U.S. government for Top Secret data. With that said the hunt for the next standard is always underway.

 

Single Key Encryption and Public Key Encryption

The two methods of encryption you should know about are called Single Key (symmetric) encryption and Public Key (asymmetric) encryption. Both types of encryption are referenced by other names depending on whom you are talking to.

It is also important to know that they are often used together, since each one serves certain purposes more effectively or more efficiently than the other. As an example, it is generally recognized that Public Key encryption is far more processing intensive, so you might use Public Key encryption to set up and validate a secure channel between entities, then switch to symmetric key encryption once you are sending data.

Single Key Encryption:

Single key encryption has only one key, used for both encryption and decryption of the data. This method is most valuable when the data is only going to be accessed by one group or individual with complete trust between the parties, or when there is a secure method to share the key between parties.

An example of single key encryption is a document on your computer that you encrypted using a password. You are the only one who knows the password, and it is used both to encrypt and to decrypt the document. If the password, which in this case is also acting as the encryption key, is lost, the document will be unreadable.

Public Key Encryption:

In Public Key Encryption there are two keys that are mathematically linked. When someone encrypts data using the Public Key the only person who can decrypt the data is the person with the Private Key. Public Key cryptography is also used to generate and apply digital signatures to files or documents, which is beyond the scope of this blog post.

An example of Public Key Encryption is being able to send an email that is secured in a way where only the recipient could decipher it. By having the recipient’s Public Key you can encrypt the email before sending it. When they receive the email they will decrypt it using their Private Key, which only they have. This same scenario works in reverse if they want to send an email back to you; they would use your Public Key to encrypt the email, send it to you, then you would use your Private Key to decrypt it. In this situation, even if someone eavesdrops on the email they are left with unintelligible data since they don’t have the Private Key.

In your web browsing every day you use a combination of these types of encryption. Any time you browse to a secure website, marked by a URL beginning with “https”, you are using both Public Key and Single Key encryption, courtesy of TLS/SSL.
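The two kinds of encryption and the hybrid pattern described above, as an added Python example that is not part of the original post. It uses a toy textbook RSA key pair built from two Mersenne primes (an assumption made for the demo; far too small and unpadded for real use) and a SHA-256 keystream as a stand-in for a real symmetric cipher such as AES, so that the public key wraps a fresh random session key and that single key then protects the message body, which is the shape TLS and encrypted e-mail take.

```python
import hashlib
import math
import secrets

# Toy RSA parameters: Mersenne primes 2^61-1 and 2^89-1. Assumption for the demo only;
# real keys are thousands of bits and use padding, which textbook RSA lacks.
TOY_P = 2**61 - 1
TOY_Q = 2**89 - 1


def make_keypair(p: int = TOY_P, q: int = TOY_Q, e: int = 65537):
    """Return (public_key, private_key). The keys are mathematically linked: d is the
    inverse of e modulo (p-1)(q-1), which only someone who knows p and q can compute."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def rsa_encrypt(public_key, message: bytes) -> int:
    """Anyone holding the Public Key can do this step."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def rsa_decrypt(private_key, ciphertext: int, length: int) -> bytes:
    """Only the holder of the matching Private Key can undo rsa_encrypt."""
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy single-key (symmetric) cipher: the same key both encrypts and decrypts, because
    XOR with a SHA-256-derived keystream is its own inverse. Stands in for AES here."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


SESSION_KEY_LEN = 16  # 128-bit session key; fits comfortably under the toy modulus


def hybrid_encrypt(recipient_public, plaintext: bytes):
    """Public-key crypto protects a random session key; the cheaper symmetric
    cipher protects the bulk data. Returns (wrapped_key, encrypted_body)."""
    session_key = secrets.token_bytes(SESSION_KEY_LEN)
    wrapped_key = rsa_encrypt(recipient_public, session_key)
    return wrapped_key, keystream_xor(session_key, plaintext)


def hybrid_decrypt(recipient_private, wrapped_key: int, body: bytes) -> bytes:
    """Recipient unwraps the session key with the Private Key, then decrypts the body."""
    session_key = rsa_decrypt(recipient_private, wrapped_key, SESSION_KEY_LEN)
    return keystream_xor(session_key, body)


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair()
    wrapped, body = hybrid_encrypt(alice_pub, b"Quarterly numbers attached.")
    print("on the wire:", wrapped, body.hex())          # unintelligible to an eavesdropper
    print("Alice reads:", hybrid_decrypt(alice_priv, wrapped, body))
```

An eavesdropper who holds only the Public Key (n, e) sees the wrapped session key and the scrambled body; recovering d would mean factoring n, which is the hard problem the scheme rests on, and without the session key the symmetric layer is just as opaque.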

 

The Key

The Encryption Key used to encrypt and decrypt data can be anything. Usually it is a long series of random characters, which is used by the encryption algorithm to process the data. The output of the encryption process is a blob of scrambled data called ciphertext, which is your data, only encrypted. Think of the key as a really long, secure password.

If you have chosen your key wisely and the encryption algorithm is solid, assuming no one steals your key and data, your secrets will be safe for many years to come.

An important rule when generating a key is that it should be large and random. If the encryption algorithm is secure but the key is non-random or too short someone can use a type of attack called a brute-force attack, where they try every combination of potential keys to access the data. This is also true for passwords, which we will discuss below.

It is worth noting that all encryption keys and passwords can be brute-forced given enough computing power and time. If, with modern computers, it would take 200 years to access a piece of data, it is effectively secure. It is not that the data cannot be accessed; it is that the data cannot be accessed in any practical timeframe.

Good encryption for the average person is a combination of a strong algorithm AND a large, random key. If either is lacking your data will not be secure.
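To put numbers on the “200 years” rule of thumb, here is an added Python estimator that is not from the article. The guess rate of one billion tries per second and the comparison cases are assumptions chosen for illustration; the estimator shows how quickly a key derived from a short password falls and how far beyond any practical timeframe a random 128-bit key sits.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Size of a key or password space in bits: log2(alphabet ** length).
    A truly random 128-bit key is simply 128 bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: try every key. (On average it is found halfway.)"""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def effectively_secure(bits: float, guesses_per_second: float,
                       horizon_years: float = 200.0) -> bool:
    """The rule of thumb from the post: unreachable within ~200 years = effectively secure."""
    return years_to_exhaust(bits, guesses_per_second) >= horizon_years


# Constructed comparison cases (assumptions for illustration).
CASES = {
    "8 lowercase letters": keyspace_bits(26, 8),
    "12 chars, letters+digits": keyspace_bits(62, 12),
    "128-bit random key": 128.0,
    "256-bit random key": 256.0,
}


def report(guesses_per_second: float = 1e9) -> dict:
    """Return {label: (bits, years_to_exhaust, secure?)} for each constructed case.
    The guess rate is an assumption; attacker hardware improves every year, so the
    estimate should be re-run rather than trusted once."""
    return {
        label: (round(bits, 1),
                years_to_exhaust(bits, guesses_per_second),
                effectively_secure(bits, guesses_per_second))
        for label, bits in CASES.items()
    }


if __name__ == "__main__":
    for label, (bits, years, ok) in report().items():
        verdict = "secure" if ok else "NOT secure"
        print(f"{label:26s} {bits:6.1f} bits  {years:12.3g} years  {verdict}")
```

Each extra bit doubles the attacker's work, which is why the jump from a password-sized keyspace to a 128-bit random key moves the estimate from seconds to a number of years with more than twenty digits, and why a "strong algorithm" with a short or guessable key still fails the test.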

For this reason it is important to know what encryption system people are using to secure your data. Any time I see the word “Proprietary” with no additional details I become concerned. It is highly unlikely that a single organization has built an encryption algorithm stronger than the publicly accepted gold standard, which as of this writing is AES. There are other systems that companies might choose to use, such as Twofish, but they should be willing to reveal what method they are using and you should be able to find information on that encryption through a search engine.

 

Keys vs. Passwords

Passwords and encryption keys are very similar in concept; they are unique pieces of data that provide assurance that you are the only one accessing a system or a piece of data.

The difference between a password and an encryption key is defined by what the computer does with it. Above we discussed what an encryption key is used for: to secure your data against use even if the data itself is compromised. Without the key the data is useless.

A password in its standard form is used to authenticate your identity and authorize access to certain data on a system. It is not used to encrypt or otherwise obscure your data so that it is unreadable.

As an example of simple password use we will use Facebook. When you provide a password to Facebook it allows you to access your profile and data. In this case your password is used to validate your identity and grant access to different pages and profiles on the Facebook website. If someone hacked into Facebook and was able to download your profile data that is exactly what they would have – your completely readable profile. It was not encrypted so the data can be read easily.

I will not over-muddle the use of passwords and encryption keys, but these concepts overlap. Sometimes your password will also be used as an encryption key or be tied to an encryption system so that once you log in you also gain access to your encryption keys. This type of system is often used in corporate environments where you cannot trust users to secure their own keys against being stolen or lost. In this situation when someone logs into the network they are also provided access to their encryption keys.

 

Who holds the keys to the Kingdom?

When using online services there is a risk in where the keys are stored. Are you holding the keys, is the vendor holding the keys or do both of you have copies? For this example we will assume that we are using single key encryption and you are going to use an online backup service.

Vendor Maintained Encryption Keys:

Most consumer-oriented services hold the encryption keys for you. Why would they do this? They understand that for a home user keeping their encryption keys in a safe location is a major issue, so they set up infrastructure to house the keys.

In this case you will be forced to trust that the vendor is storing your keys and your data securely. If they are not, there is the potential for all of your data to be compromised. A positive aspect of this is that when your father’s computer fails you can recover his data even if he does not have his encryption keys. If the encryption keys were stored on the computer and he did not have backups (isn’t that what he is paying the vendor for?), his data becomes useless when the hard drive crashes and takes the keys with it.

A paranoid security expert ignoring ease-of-use or practicality would tell you that this type of service should never be used. Taking it from a more practical standpoint if the consumer of the service cannot be counted on to maintain encryption keys it is best to identify a vendor to provide the service or qualified technical help to assure he is securing his keys. I would not typically recommend this type of service for any business except for a tiny business without any technical staff, confidential data, or trade secrets and in that case it would come with a bucketful of disclaimers.

Customer Maintained Encryption Keys:

Backup vendors oriented toward businesses will often rely on the customer to store and maintain the encryption keys. This puts ownership onto the customer to have infrastructure and systems in place to manage and distribute keys in a secure manner but removes the potential for a vendor-side security compromise to reveal unencrypted data.

In this situation the vendor never has visibility into the unencrypted data. Before the data is uploaded to the vendor’s servers it is encrypted, making it meaningless to anyone who compromises the vendor as long as the backup vendor’s encryption system is solid.

This places complete ownership of the keys onto the customer, which usually includes generating a random key of proper length and then storing it in such a way as to assure that even if the customer’s servers melt down there are copies of the keys available elsewhere. In situations like this the customer needs to make an appropriate number of copies of the keys and distribute them to safe locations where they can be recalled if needed. If the keys are lost, so is the data, since the vendor cannot decrypt it.

Other than staying away from Cloud-based or Hosted vendors entirely, this is the most secure method to handle your encryption keys, but it places ownership onto you, the customer, to keep the keys safe. If they are lost, your backups are worthless.

 

What is Hash other than a drug?

When your passwords are stored on most websites and servers they are hashed, which is different from encryption since the algorithm that generates hashes does not have the capability to turn the hash back into a password. It is a one-way function only.

If you hear in the news that an organization had a hundred million passwords compromised and they state that unless your password is simple or short it should be safe, that means they have hashed your password before it was stored.

At a basic level a hash is a fixed-length, unique value that is returned when you feed a certain input into a hash algorithm. When I use a Hash Generator and feed “bob” into it I receive back “bf8bea686c94bce1a58631cf5a3e9cf9ebabb31e16e353f4caa97f052bb629ff2b945aaa8f8caaf51fdec2c7f874420e45617f6abcbf9407f08ef939c1aa1e11” as the Whirlpool hash. This number is, for our purposes, unique to the word “bob”. If two inputs generate the same hash it is called a “collision”, which from a mathematical perspective is extremely rare with modern hash algorithms.

When using hashes you only need the other party to know the input that produces the stored hash value, which is why it works well for items like passwords, where you are confirming that someone knows a piece of data rather than trying to recover it. This is also why most websites cannot tell you your old password; they are only storing a hash of your password, not the password itself.

 

Putting Salt in the Hash

This is not an article on passwords alone but there is another term you will hear thrown around when talking about passwords. That term is “Salt”. When hashing data, Salting is the process of placing an additional bit of data into the hash process to assure the result is unique.

Think of it as a method to make your password stronger. By doing this you thwart certain types of attacks, specifically Rainbow Table attacks, where a massive dictionary of pre-computed hash values already exists that a hacker can compare against a stolen hash database, revealing the passwords used. If a Salt is included when the password is hashed, the dictionary is worthless (unless it is a very large dictionary) since the resulting hashes will differ from those in the dictionary. For example, if my password was “bob” and my Salt was “bigbadpasswordstuff” I would pass “bobbigbadpasswordstuff” through the hash, which would generate a different hash than “bob” by itself. A Rainbow Table is likely to contain “bob” but probably is not going to contain “bobbigbadpasswordstuff”.

Salt values are most valuable if they are not revealed, since that further strengthens the password, but even when a salt is discovered it still hinders Rainbow Table attacks, since the entire table would need to be recomputed with that salt to identify the passwords easily. It won’t stop an attacker but may slow them down.
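The hashing and salting steps above, including the “bob” and “bobbigbadpasswordstuff” inputs, as an added Python example that is not part of the original post. It uses SHA-256 rather than Whirlpool (which Python’s hashlib does not provide everywhere), a constructed five-entry table standing in for a precomputed rainbow table, and it goes one step beyond the post by showing the slow salted function (PBKDF2) that modern systems use for stored passwords.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """One-way function: fixed 64-hex-character output, no way to run it backwards."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a precomputed ("rainbow") table: hashes of a few common
# passwords, computed once up front by whoever holds the table (assumption for the demo).
COMMON_PASSWORDS = ["123456", "password", "bob", "letmein", "qwerty"]
PRECOMPUTED = {sha256_hex(p.encode()): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """What a leaked unsalted hash gives away: a dictionary lookup, no cracking needed."""
    return PRECOMPUTED.get(stored_hash)


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Hash password||salt as the post describes. A fresh random salt per account means
    identical passwords produce different hashes, so no precomputed table covers them.
    The salt is stored beside the hash; it does not need to be secret to do its job."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, sha256_hex(password.encode() + salt)


def verify_salted(password: str, salt: bytes, stored_hash: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(sha256_hex(password.encode() + salt), stored_hash)


def store_slow(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """Beyond the post: a salt defeats precomputed tables, but a fast hash still lets an
    attacker guess per account at hardware speed. Password storage therefore uses a
    deliberately slow, salted function such as PBKDF2 so every guess costs real time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    leaked = sha256_hex(b"bob")
    print("unsalted 'bob' ->", leaked, "| table says:", lookup_unsalted(leaked))
    salt, salted = store_salted("bob", b"bigbadpasswordstuff")   # the post's own salt
    print("salted   'bob' ->", salted, "| table says:", lookup_unsalted(salted))
    print("login ok:", verify_salted("bob", salt, salted),
          "| wrong password:", verify_salted("bobby", salt, salted))
```

Notice that the salted verification never needs the table at all: the site recomputes the hash from the password the user typed plus the salt it stored, and compares; the password itself is never stored, which is why the site cannot tell you your old one.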


And if you survived this far, thanks for coming along. Next time on security concepts of the not-so-rich and not-so-famous we have:

When good Encryption Goes Bad or “What the hell happened to WEP?”

Are there cases where encryption is a liability?

What is Hacking?

The Terms of Service Tightrope

Physical Security

and

Social Engineering

Continue on to Part 2


Beware but Embrace the Cloud


What is a Cloud?

At this time the Cloud is a buzzword without proper definition, standard or specification. It is a concept encompassing storing data or using computing power somewhere out on the Internet. Under the most generic definition you can put files in the Cloud then access them from anywhere as long as you have an Internet connection. There are many variations including streaming your music or accessing applications such as your word processor via an online tool from the Cloud but this is the basic concept.

This usage of “Cloud” implies a robust, reliable infrastructure, but this is deceptive since any company can use the term Cloud no matter what they are selling. Many providers that used the term “Hosted” in the past have moved to “Cloud” with no technical changes at all. Taking this into account, the best way to define Cloud right now is to label it “Nebulous.”

Next we will look at some of the characteristics of Cloud based services.

No Standard:

A Cloud based service has no formal definition as to where, how, or what it is constructed of. The term implies a robust infrastructure out on the Internet, probably replicated across several locations for geographic diversity. In all reality the Cloud could be a single computer in someone’s basement without proper redundancy or backups of any sort. You could launch a service today and advertise your services as “Cloud Based” even though you are running the service out of your home. This is not the usual deployment model but it is important to understand that there is no standard in place today for what Cloud services entail.

Varying Reliability:

One of the most important things Cloud implies is that your services will always be available and that in a disaster your data will not be lost. In the case of the most advanced providers this will likely be true, but many vendors might not have the proper backups or hardware to assure that your data will be safe. It is worth noting that during Amazon’s recent EC2 outage there was data loss, despite Amazon being a large provider of Cloud-based services.

Varying Security:

This is one of the most hotly debated items today in relation to Cloud services. When your data is stored “in the Cloud” you trust a provider to keep it safe and in many cases you will be relying on more than one vendor to secure your data.

Take Dropbox, arguably the most popular Cloud based storage service for end users today: it uses Amazon’s S3 storage network to house its data. Amazon and Dropbox both have security statements available on the web for review. The important fact to recognize is that your data, no matter how you bake it, is on the Internet. You must be able to trust that Dropbox and Amazon are acting in a responsible manner when it comes to your data security, or you must take additional precautions to further secure your data.

In the case of the Dropbox service, Amazon stores your data and another vendor handles the file transfer and encryption of the data. Yes, a hacker would need to access your data and the encryption keys to read your data but the more complex the infrastructure the more potential attack vectors and vulnerabilities that are introduced. In addition it was recently revealed that Dropbox does not use an encryption key per user or group but a single encryption key for the entire data set. This is very troublesome in that if someone compromises the encryption keys for Dropbox or the company has a dishonest employee it could threaten the security of all data stored within Dropbox, not just a single user’s.

I’m picking on Dropbox but that is only because they are a well-known example of a Cloud-based service using multiple vendors, not because I think they are less trustworthy than anyone else. Most startup websites and many non-startups are likely to leverage a similar architecture to Dropbox if they are going to deploy Cloud services for their clients.

What does a Worst Case Cloud Provider look like?:

One guy on a DSL connection in an apartment in remote Russia advertising his services as “Cloud-based” running on a 10 year old laptop with no security updates in the last five years. Unlikely? Yes. Impossible? No. Functioning for a short term before he is figured out? Probably.

At Best:

A large organization with a keen sense of information security, the best interests of the clients at heart, the cash to have several geographically diverse data centers built around the globe all with top-tier hardware, connectivity, redundancy, technical staff, and power systems ready for the next nuclear holocaust.

These are two very different views. The Worst is unlikely and I’m afraid to say that the Best is also unlikely. The truth is probably somewhere in-between, which is why there is a buyer beware component to this discussion.

Precautions you Should Take:

  • Always look deeper than “Cloud-based” claims on websites when evaluating services or vendors. If you are a business user talk to the vendors and ask them to quantify exactly what it means to them. Components I would inquire about are (with many project-specific requirements): Infrastructure Redundancy and backups, Geographic Diversity, Carrier Diversity, Resource Management/Capacity Planning, and Security. There are many sub-areas you could dig into but major weaknesses will become apparent if they cannot answer with specific details as to how they handle these components. I have spent most of this post using storage vendors as an example but understanding these components for cloud-based application vendors is just as important.
  • Look for specific language rather than generalities in Cloud-based claims. Some vendors do not reveal the addresses of their datacenters for security reasons but they should be able to tell you how many locations they have, what general areas of the globe they are in, and the basics of the technologies they are using to secure your applications or data.
  • Always consider the risk of your data being compromised or lost. There is something to be said for storing your sensitive data on your home computer with an off-site backup updated regularly. I’m not paranoid but I do accept that there is always someone after my SSN and credit card number.
  • If you want to use Cloud-based services for the convenience evaluate what data you put into the Cloud. You can encrypt your data before it is sent into the cloud with available tools, which assures that if your data is compromised there is an additional layer of security. At that point it becomes like a burglar in a neighborhood looking for the right house – why waste time on the house with bars on the windows and five deadbolts when a guy down the block left his front door unlocked? The Dropbox Wiki has a page on this topic, which should also work for other storage service providers such as Windows Live Mesh.
  • Consider downtime as part of your calculation. Cloud-based services in their truest form are still a young technology and need time to mature. Even the largest vendors experience outages from time to time to one degree or another. If a single minute of outage costs your business thousands or millions of dollars, you need a higher level of assurance than “99.9% Uptime Guaranteed!” on a website. In that case you may want to consider a private cloud vendor (or build your own) with dedicated connectivity rather than any service that relies on Internet transport. If your organization requires this level of infrastructure, hopefully you have or are hiring a professional to handle the RFP and bid evaluation for the services.

The Future:

Cloud Services are here to stay. There will be security scares and additional issues as the technologies mature, but the temptation for companies to use Cloud-based services rather than install server farms is too strong, and as those companies grow there is a good chance they will stay in the Cloud. Combining resources is too efficient and offers a level of scalability hard to match outside of the Cloud environment. There will always be exceptions for critical business applications, but for the majority of applications and user needs the compromise will be worth it.

For mobile users and highly connected individuals with electronic gadgets, storing data and using Cloud-based applications is very tempting. Ease of use and accessibility of data on-the-go will continue to drive the migration for these users.

From an individual user level the convenience of using online backup tools and applications will become part of what they do every day. The App Store concept is slowly creeping into desktop operating systems, and Apple announced integration of Cloud based services in the next version of Mac OSX yesterday. Other vendors will do the same since it enhances the end-user experience, provides a level of stickiness, and offers an opportunity to up-sell or offer subscription services. This model could be important for companies such as Microsoft, where desktop operating systems are a major portion of their revenue stream. Even when accounting for reliability and security concerns the Cloud-based service model is a compelling story for many individuals, which makes it an easy sell.

Just imagine your mother bringing home a computer and with only a few clicks and a credit card number receiving assurance that she will never lose the photos of her grandkids if her computer crashes…. It’s an easy sell… Assuming she can remember her username and password when that time comes.

I’ll leave you with a relevant XKCD Cartoon.

Finding Extra Bucks without Making More Money


The last few weeks I have been going through all of our personal household expenses in an effort to cut around the edges without removing anything we care about. This exercise was inspired by seeking quotes on our motorcycle insurance and Tanya selling a couple of large items on Craigslist, which has caused a nice bonus the last month.

I would encourage anyone that has accumulated various charges or bills that automatically pull money from your accounts to take a look at this type of exercise; it has been quite revealing for us each time.

Changes made this month to save money:

  • Moved to a different web hosting package
  • Cancelled the renewal of seven website domains
  • Eliminated excess Second Life land holdings (I know, I know, SL is so 2008 :^))
  • Cancelled our World of Warcraft accounts; we were playing it a few months ago and it didn’t really catch on this time
  • Re-quoted our Motorcycle insurance and moved to a provider where we are paying less than half of what we were previously, partly due to getting married

Total money saved by making these changes is over $1000 per year.

Some of the changes from prior efforts include:

  • Reducing our Netflix subscription since we did not need three movies at a time
  • Cut magazine subscriptions that we are not reading
  • Have the paper delivered only on weekends
  • Move all bank accounts to types that do not charge fees and preferably pay interest
  • Merge our auto insurance into one account
  • Set a household grocery and misc expense budget
  • Eliminate all memberships we are not using
  • Purchase Movie tickets from Costco since we were going fairly often at the time
  • Switched from using standard credit/debit cards to ones with benefits. In our case the winners were the Costco American Express and Alaska Airlines Visa.
  • Return Cable boxes we were not using
  • Change our Internet plan to one that fits our usage patterns
  • Replace all light bulbs in our house with compact fluorescent bulbs
  • Troll the Sunday papers for coupons and always pay attention to finding better deals or leveraging the system. For example, we always buy Xbox, Wii, DS, etc. points and game currency, which usually have a fixed price structure, using Fred Meyer 10-25% off gaming accessories coupons

Embarking on an activity like this reveals how you spend your money – our credit cards and bank accounts accumulate little hits from these small transactions, often under $10 per month. Over a year those little charges add up. In some cases finding these efficiencies is just a matter of moving to newer service plans with the same providers.

As for where to start with this process: I track our finances in spreadsheets and with software. The spreadsheet lists all regular income and bills, which gives us an excellent cash flow view and helps budget planning in addition to tracking down efficiencies.

Once you have a list of all bills the rest becomes much easier. You can systematically analyze the list of all reoccurring charges and decide whether to keep them, investigate changes or cancel service. It’s worth the time and to us it is worth $85 a month.