Tuesday, April 29, 2014

The power of notoriety

Heartbleed and you
If you don't see this, you're using an old version of IE. Read "If you really want to keep your Windows XP." (April 2014)

Just after I posted my item on The Second Factor (1), I saw a syndicated story under the heading of “Double-layer passwords offer additional protection online.” It started out “If the Heartbleed security threat teaches us anything, it’s that passwords don’t offer total protection.” (2)

While that was a good article on why and how multi-factor authentication is valuable, its reference to Heartbleed was as valid a lead as a picture of a scantily-clad model.

Don’t get me wrong. Both topics are important considerations for your security online. But I haven’t seen any clear lay explanation as to the risk and impact of Heartbleed on the ordinary user.

First the technical details. Heartbleed was a flaw in OpenSSL, a component of certain webservers, from 2012 until April 9, 2014. Depending on whom you listen to, this flaw could have affected between 66% and 17% of all websites on the internet. I’m inclined to lean toward the lower number.(*) But this is still serious since the count is of sites, which included the likes of Google and Yahoo.

Due to the high risk from the flaw, OpenSSL team had issued a patch within 72 hours of being notified and less time from any broad awareness. Most of the larger secure sites implemented the patch immediately. In fact, I first became aware of the flaw when I started getting notices from my banks that they either were never vulnerable, or had already patched their system.

What does Heartbleed do? The flaw allows a hacker to induce the server to send him the contents of a small portion (64 kilobytes) of its memory (remember that a webserver will have 8-64 gigabytes of memory). The affected memory would contain random bits of the server’s recent activity.

This memory could be the contents of its own webpages which anyone could view. It could be the computer language instructions to manage the website. It could also be bits of the conversation between your browser and the server that establishes your secure connection in advance of telling your bank to pay a bill.

All the hacker has to do is get the same server to send him a few thousand 64 KB downloads. Then he has to scan through the mostly binary data for the flecks of gold that are recognizable. Once found, he has to refine those flecks into real knowledge that he can exploit for value. (If that sounds tedious, all of the tasks can be automated.)

What is the risk to you? It’s possible those flecks of gold may include your account name and password. But if the hacker’s goal is passwords, that’s an inefficient way to get them. Every week credentials are being stolen in million-account lots through other security lapses and flaws.

A far more valuable nugget to look for is the webserver’s master key to all its SSL/TLS communications. If a hacker has this, he can create a fake website that your browser will accept as authentic. Then he can execute a perfect phishing or man-in-the-middle attack against any visitor to his bogus site. He can also decrypt previous “secure” traffic to most sites. Of course, the latter two attacks require the hacker either be in the middle or have access to previously recorded internet traffic.

What should you do? Unfortunately, because of how the flaw works, there is no way to know that a specific site has, or has not, been hacked. If your partner has advised you that they have eliminated any risk from this flaw, you should change your password for that site. Take this opportunity to use a strong and unique password for each of your high value web accounts. If available, you might enable 2-factor sign-on to reduce the possibility of an account being hijacked.

Once a site has been patched, they should have received a new SSL certificate and revoked their old, compromised certificate. Unfortunately, as of this writing, there is no reliable way to ensure you know that you aren’t accepting a stolen certificate. Some browsers, maybe with some deep settings, will warn you that a certificate has been revoked. There is one site that will test whether your browser properly recognizes a revoked certificate. There is one known website that can actually serve you a revoked certificate. If you go to http://revoked.grc.com(3), you should receive an error. If your browsers test good and give you the error, you can read more about revocation at(4).

There’s more at risk than just websites. Although I have not seen an authoritative list, SSL is by far the dominant method of protecting electronic communication on the internet. Potentially vulnerable services run the gamut from a sophisticated private VPN to the heavily consumer cloud storage services. They could also include the likes of email, chat and VoIP, or routers for both home use and controlling the internet.

Unfortunately, many of these services are either embedded deeply into the technology or are never managed again after the original configuration. They will be patched slowly or not at all.

Fortunately, as the variety of programs for exploit increases, the number of clients shrinks. If the host in a peer-to-peer network serving two nodes is invaded, it could be devastating for those two, but will not affect anyone else.

Like the number of potentially vulnerable webservers, many of these services are not at risk from Heartbleed because their communications are not encrypted in the first place. Your chat, email, and cloud backups have been coursing through the internet as plain text; easily readable by anyone with a tap on the line – and I don’t mean just governments.

Bill Barnes with Dewey Williams, PCCC

(*) The reported risk to 66% of all websites refers to the number of websites that are running webservers that might use OpenSSL. These are primarily the programs Apache and nginx.
This number has to be reduced by the large number of websites that don’t even offer SSL. Again subtract the number what did not install the affected versions of OpenSSL and you get a much lower percentage of the Web. However, with worldwide web sites numbering in the 9 digits (decimal); whether the affected percentage is 30% or 10%, it’s still a huge number. (5)

Blog post “The Second Factor”. http://fromthehelpdesk.blogspot.com/2014/04/the-second-factor.html
(2) AP article “Double-layer passwords …” read in The Charlotte Observer. http://www.charlotteobserver.com/2014/04/26/4865676/tech-tips-double-layer-passwords.html#storylink=cpy
(3) Test website for a revoked certificate. http://revoked.grc.com
(4) Explanation of revoked certificates. https://www.grc.com/revocation.htm (also on podcasts referenced below)
(5) The number of websites truly at risk. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html.

More references
An early announcement on Heartbleed. http://pc3.org/heartbleed-bug-affects-60-of-secure-internet-servers/
Text and podcasts on Heartbleed. https://grc.com/sn

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
(cc) 2014- Bill Barnes - Disclaimer - Home Page - Blogs Home

Sunday, April 27, 2014

The Second Factor

The Second Factor

Sometimes when creating or logging into an online account the system will ask for a phone number or a second email address. Recently my users are asking me “why do they want that?” One user ignored the request so many times the system locked her out of a portion of her account until she provided it.

This alternate point of contact is called a second factor authentication and is a means for the website to verify that you are the person who signed up for the account. It is similar to your bank asking for the last digits of your Social Security Number or the doctor’s office wanting your date of birth. These are bits of information that they know came from you and should be different from anyone else who might share your name or other primary login.

This is not the same as when a website shows you a picture of the Statue of Liberty or a Corvette after you’ve logged in. With that the website is proving its identity to you because an imposter would not know which picture you are expecting. Second factor authentication allows you to prove you are you to the website.

If the website offers second factor, it’s a good thing. Imagine if someone were looking over your shoulder and stole your password. Then they could login as you and change your settings such that you are no longer getting notifications from the site. If it were a shopping site with a memorized credit card, you might not know what they are buying until you get the bill.

Typically the second factor will send you a one-time code that you must enter before proceeding. Check your email, type 4-6 digits or click a link, and you’re in. Often it will set a cookie in your browser and not inconvenience you even that much every time.

Ideally, the second factor should be delivered out of band – that is, through a different network than you used for your first factor. An excellent option is to send you the code for a website by cell text or voice telephone. If instead of looking over your shoulder, someone stole your computer, he might have access to your email as well as the website.

Second factor is more reliable than asking how many sisters you have or which high school you went to. Someone who’s gone to the trouble of stealing your identity could also find out that information. Instead it relies on responding with unique real-time information delivered to a device you would likely not lose at the same time as losing your computer.

If you provided the second factor channel (such as your cell phone number) at the time that you created the account, there is no way it could be hijacked. You’re well on your way to accomplishing the triumvirate of identity: something you know, something you have, something you are. That is: your logon and password (both something you know), your cell phone or a dongle (something you have), and your biometrics (like a fingerprint reader).

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
    (cc) 2014 Bill Barnes - Disclaimer - Home Page - Blogs Home

Saturday, April 5, 2014

If you really want to keep your Windows XP

These tips are in no particular order. Note that some tips may require also following other tips that might come after or before them.
  • Always log on as a Limited User unless you absolutely must update some software.
    Lack of administrator rights blocked over 90% of the Windows OS* malware in 2013.
  • Keep all your software and applications up to date. Make a list of programs that need regular updates and check for updates at least monthly.
  • Don’t use Internet Explorer; install the latest versions of Opera, Chrome, or Firefox.
  • Install and use the NoScript and Ghostery plugins for Firefox.
  • Uninstall JAVA. At least, disable it in all browsers.
  • Uninstall or restrict use of Adobe products. A recommended alternate PDF reader is Sumatra (I have not used it). Use the built-in readers in Chrome or Firefox instead of a plugin. 
  • If downloading an Office document, preview it in a viewer instead of the full program. Disable any macros.
  • Uninstall Microsoft Security Essentials and use a 3rd party antivirus such as the free options from Avast, AVG and others.
  • Upgrade to Microsoft Office 2007 or newer. Better still, move to a non-Microsoft suite.
  • Upgrade to Internet Explorer 8 (the highest level that works with XP).
  • Don’t access the internet (including email) from your XP computer. Don’t install unknown software downloaded from the internet by other computers.
  • If you must browse the web, restrict the ability of malware to get to you:
    • Ensure you are behind a router – the first-line firewall – and that Windows firewall is active.
    • Configure your email reader to display only text – no pictures or links.
    • Use Firefox with NoScript. Learn the controls in NoScript and don’t casually allow everything.
    • Browse only to sites you are familiar with.
  • If you must use email on XP, restrict the ability of malware to get to you:
    • Use webmail. In particular, gMail online is practically immune to transmitting malware to your system.
    • Use a mail client other than Outlook or Outlook Express.
    • Configure your mail client to display messages as “text only.”
    • Do not open email attachments or follow links until you have independently verified with the sender they are benign. Read our article on evaluating an email.
  • Shut your computer off when not using it.
    You may discover you have very little need for XP. Plus, older computers are less efficient and you’ll save on your energy bill. 
* Logging on as a Limited User will block most malware that attacks flaws in and installs to the Windows operating system. This does not include malware that attacks flaws in individual programs such as JAVA, email, Microsoft Office, or .pdf documents.

Additional References
Some of these references are documents and must be downloaded and viewed in their program. Yes, they're safe for XP.
PC Club of Charlotte’s original presentation
http://pc3.org/smfpc3/index.php/topic,266.0.html and

Security researcher Steve Gibson’s comments:
https://www.grc.com/sn/sn-447-notes.pdf (first page) and

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
(c) 2014 Bill Barnes - Disclaimer - Home Page - Blogs Home