Source Boston 2016 Promotion

MEI Security wants to see YOU

at the Source Boston conference, May 18 and 19.

Join us where Security and Business come together at Source Boston 2016, and drink in the Security know-how.

Each person who signs up with the affiliate code “AFFILIATE_VIKSOLEM” gets a portable USB battery, a slide-able webcam cover, and their choice of an MEI hat or T-shirt.

Here’s what to do

  1. Sign Up – Sign up for Source using the affiliate code “AFFILIATE_VIKSOLEM” – which gets you a $50 discount right off the bat!
  2. Email Us – Email us at source2016@meisecurity.com, let us know you signed up with our code, and indicate (1) your choice of logo and (2) your choice of hat or T-shirt (and T-shirt size).
  3. Learn and Enjoy – Go to the conference and drink in the security know-how!


We will have your battery, webcam cover, and hat / T-shirt at the conference or delivered to you afterwards, depending on availability.

Two Cyber Security Secrets about the FBI v Apple Case

Hush

Speaking as a cyber security professional, there are two “secrets” about the FBI v Apple case that seem obvious but don’t appear to have much visibility in the news.  (1) If you want to break into an encrypted device, you hire people who do that for a living, not the manufacturer, and (2) if a back door is built into any system, it will be used by those who don’t care about obeying the law.

There are many specialties in cyber security.  Picking three for illustration: there are companies that unshred documents (see our upcoming post on how to use a shredder properly), there are companies that specialize in breaking into online sites, and there are companies that break into mobile devices.  If you need documents rescued from the shredding bin, you call a deshredding company, not the shredder manufacturer.  If you want to see how vulnerable your web site is to attacks, you hire a company that does that all day every day; never hire the company that built the web site – especially if you built it yourself!  And if you need to break into a mobile device, in this case an iPhone, you hire a company that breaks into these devices all the time.  You do not go to the manufacturer.  (Of course, if your goal is swaying public opinion instead of breaking into the phone, then perhaps you make a federal case of it.)   SECRET #1: If you need to break into something, you hire a specialist who does that for a living.

Knowing that a back door exists completely changes how you try to break into something.  As long as a secured container is thought to be secured, the attacks against it are typically frontal assault / brute force attacks or coercion / candy-for-your-password attacks.  The moment a back door is known to exist, the known “attack surface” changes, as do the methods of attack expected to succeed.  If a back door were built into a class of mobile devices (e.g. all iPhones), that back door would become the area of focus for getting into the phones.  Instead of breaking into a single phone, one successful exploit gets an attacker into all phones (of a certain version, etc.).  The idea that the special back door will only be used when appropriate (e.g. with a warrant) is just silly.  Once the back door has been built, the security of the system is broken, and government-funded (possibly not the U.S. government) and criminally funded attackers will get the key.  Yes.  I said “will get,” not “might get.”  If it exists they will obtain it, and they don’t care about warrants or other legal issues.  What started as a Law Enforcement Only back door will then be used to steal private information for use by other governments and criminals around the world.  How would a foreign intelligence agency use “private” text messages and emails against a government employee having money trouble or family issues?  How useful would it be for a burglar to know the precise location of every member of your family at all times?  Breaking the security of the iPhone – or of any ecosystem – is a serious loss for all good people.  Whether law enforcement or Apple can keep the secret key a secret is immaterial.  The very existence of a back door makes it a very valuable target.  SECRET #2: Once a back-door key exists, the back door becomes the attack point, and attackers will get in, no warrant required.

The very notion of asking a manufacturer to break into their own device indicates that the goal is not the data on that one device, and if the manufacturer provides that access then it opens up all devices to those who (unlike law enforcement) don’t care about the rule of law, freedom, or personal privacy.

How to Get Control of Your Accounts

As we continue to use the services of different companies, we end up with more and more accounts.  Getting control of all of those accounts can be a very difficult task.  Here we mention one method and explain a second one in detail.  Both will work, but each one has strengths and weaknesses.

The list of accounts that each of us has gets out of hand very quickly.  Online banking, email account, store loyalty card, sports team registration, etc.  There are two good ways of getting the accounts under your control.  One is electronic and one is not.

The electronic method can be very useful, but it has its own risks.  In the past some password manager sites have themselves been hacked, exposing their users’ passwords.  There are a few things to keep in mind about storing your passwords electronically.  It is similar to writing your passwords on a piece of paper, with two exceptions.  First, the “piece of paper” lives in cyber space, and it can be sent to places you never intended.  Remember, if your password manager doesn’t save the file to the cloud, then if you lose access to it (e.g. if it’s on your phone and you lose your phone) you will not have access to any of your passwords.  If your password manager synchronizes to the “cloud,” then your “piece of paper” is now copied onto multiple computers in multiple locations, and it is exposed to attackers if they break into any one of the locations where your “piece of paper” has been copied.  Second, the “piece of paper” is protected by encryption, which means it is protected by three things: (1) the strength of your password, (2) the encryption algorithm used, and (3) the secure programming abilities of the programmers who implemented the encryption algorithm.  You can control the first, and you can select the second, but you have little control over the programming abilities of the people who implemented your program.  The best you can do there is to select a program written by an organization with a reputation for secure programming.  The easiest way to do this is to select open source programs that have been tested by the industry for many years.  My personal favorite here is PasswordSafe, but there are others.  Your best methods for protecting your passwords are to choose a good password for your password manager and to change all of your passwords every three to six months.

The paper method is especially useful for people who don’t trust their phone, their computer, the cloud, or any electronic device that can break.  Unlike hacking a phone, server, or network, hacking into a person’s house must be done in person, and that makes it far more difficult (though not impossible) to do.  Securing your passwords in this manner takes some doing.  First, you must have a secure location for storing your passwords.  A notebook in your desk is usually not the best location.  Who can get access to your desk?  Do you have an alarm system and video cameras recording when you are not at your desk?  A small safe is a good first step.  You want to take every reasonable step that makes it harder for someone to quickly grab – or simply photograph – your paperwork.  A small safe (sometimes called a document safe or a gun safe) locked inside a desk drawer, or physically connected to a wall, is a good start.  If you live in an apartment where you can’t drill into a wall or floor to connect the safe, you can bring in a few long pieces of wood, place them in a closet, and then connect the safe to that.  You want to make it extremely difficult for an attacker to grab your safe, drop it in a backpack, and walk away.  For the first six months that you own it you should open the safe daily or at least weekly.  This will make the combination easier to remember after the six month period.

Now that you have a “safe” location let’s talk about the paper.  Whether you use a pad of paper, individual sheets, or a notebook, you want to be sure that the whole stack goes into the safe.  You do not want to write your secrets on the top page of a pad of paper, rip it off, and place it in the safe.  An attacker could use a pencil to expose your passwords from the indentations made when you wrote them down.  Now this may seem extreme, but never give any attacker a gift.  Today you may not expect anyone to be searching your home for your passwords.  Five years from now you may have different friends who bring their friends along on a visit, and now you have people you’ve never met inside your home.  Taking extra steps ahead of time can only help you prevent problems later.

Now you have the paper and a secure location for storage.  You’ll want to start by listing all accounts that you can remember.  Ideally you want to save the location of the account (web site, cell phone, etc.) along with the username, the password, and the answers you gave to any “secret questions.”  (Remember, each secret question can be answered like a password if you want, but you must save the answers you give.)  Another piece of data that can be very useful is the date when you set the password.  This will need to be updated when you change your passwords, but it will be very helpful if you ever have a problem with the account.  If you have an opportunity to use a phone number for additional security for the account, you’ll want to note that here.  It’s a good reminder that you’ll need the phone when you connect to the account.  As you remember more accounts (sports registration, gym membership, theater tickets, store loyalty card) you’ll want to add them to the paper.  For the first run take note of all the accounts you remember.  Then keep the paper in the safe.  As you remember other accounts you can take note of them – just the account – and keep that separate until you have an opportunity to sit down with the master list and add the new accounts.  That keeps your master list safe, since you don’t have it out all the time.

In summary, you want a secure location, physical or cyber, and you want to keep a complete list of all accounts.  We have suggestions on how to choose passwords and how to answer secret questions, but that’s for another time.

Happy Birthday MEI Security

Happy Birthday - MEI Security!

Mabuhay Enterprises Inc. was formed nine years ago, on February 10, 2007.  Since then we have continued to help our customers understand risk and secure their infrastructures.  What started as a small, part-time endeavor has grown to serve multiple customers, and is on a path to serve many more customers in 2016.

In the coming year we have some exciting new offerings, most notably our RECA engagements.  We hope to help many more customers jump-start their security programs by helping them understand the threats to their people and their organizations, and by providing prioritized, actionable tasks that help control or eliminate those threats.

Please join our mailing list for up-to-date information on our consulting offerings and on our training schedules.

Cake is Eaten

We’ve had our cake.  Time to get back to work!

Apple vs FBI – After They Break The Encryption

Let’s assume that Apple does help the government subvert the security of iPhones by getting them into this one device.  This is not Apple’s specialty.  I wouldn’t hire a safe builder to crack into a safe.  I’d hire a safe cracker, but that’s more about how the government is being disingenuous when it says this is about just one phone.

Anyway – once the government has access, we live in a world where all iPhones can be opened.  At first it will take a court order to get access to a phone.  Then the code will leak out, and it will leak out.  Consider who has been compromised in the past.  Places like Sony, OPM, the IRS, and even the Pentagon.  Once there’s a program that is a back door to all iPhones, it will be stolen.  Once that happens, all iPhones can be opened.  Will Joe Criminal continue to use iPhones?  Of course not!  Criminals will do a Google search (Yes.  Criminals have heard of the Internet.), and they will use some other technology to keep their communications secret.

Let’s say that the politicians get involved.  They talk about how this encryption stuff is obviously dangerous, and it must be regulated.  Remember, we did this before.  Let’s say that they require all products sold in the U.S. to have back doors built in so that law enforcement can have access to all encrypted secrets.  They’ll say that it’s only law enforcement, but later it will be any well-funded group like China, ISIS, or perhaps a political party looking for dirt on people.  What will happen next?  The same thing that happened when the U.S. government declared encryption to be a munition and regulated it.  All people and organizations that value privacy will use encryption that’s not broken.  They’ll get it from outside the U.S.  But wait!  You say Congress is smarter than that.  They will make it illegal to use such encryption.  Once that happens, all people who obey the law will use broken encryption.  All people who value privacy and who are criminals (terrorists, drug dealers, etc.) will use encryption that works.

Breaking the encryption never hurts criminals over the long run.   It always hurts good, law-abiding people.

When terrorists in Mumbai used cell phones there was talk about how cell phones can be dangerous.  Yet we understand that the devices do far more good than bad.  Privacy likewise does far more good than bad.  Without privacy we are open to the whims of those in power.  If the government has access to the private communications of all citizens, then what happens when our next President decides to use an executive order to punish those who pollute, or those who own firearms, or those who speak ill of another religion?  Privacy protects us all.  If we sacrifice privacy in the name of security, then we’ve lost both.

How to Answer Secret Questions

Many accounts permit or require users to answer so-called “secret questions”.  The idea is that you can provide answers to questions so that they can verify that it’s you answering the questions.  Unfortunately for most of these questions the answers are easily obtained by an attacker.  Here we discuss how to prevent those attacks so that your “secret answers” to their “secret questions” can actually be secret.

First of all, let’s recognize that the answers to most secret questions can be obtained by a good researcher.  “Where did you attend high school?”  “Where were you born?”  “What was the model of your first car?”  In order to make your answers secret you must somehow provide an answer that’s more than just the real answer.  One technique is to use a password manager and to save the questions along with a randomly generated answer.  “What is your mother’s maiden name?” might be answered “dFr%@4d”.  As long as you have a secure, private place to store the question and the answer so that you can find it when you need to authenticate, this is a secure method of solving the problem.   However, most people would prefer to answer the questions in such a way that they can remember the answers.

A simple method for this is to have a secret word.  (For extra security you can have a different word for each account – but you will need to remember that word!)  For this example let’s assume that my secret word is “markers”.  That’s my secret word for all of my personal accounts.  I will use that everywhere.  Therefore the answer to all of my secret questions will be prefixed with that word.  The answer to “Where did you attend high school?” changes from “Randolph High School” to “markers Randolph High School”.  The answers to “Where were you born?” and “What was the model of your first car?” would be “markers Boston” and “markers Sentra”.  As long as I do not tell anyone my secret word, my answers are secret, and they can’t be hacked, even if an attacker knows the real answers through research.

In review, select a secret word.  One that you do not tell anyone.  Then use that word in front of the actual answers to any secret questions.  Suddenly all of your accounts are far more secure than they were before.


Apple vs FBI – Infosec Failure for San Bernardino

While much of the argument about the iPhone data centers on whether Apple should comply with an order to break their own protections, companies which own phones should note that the real failure is that of San Bernardino County’s information security policies and procedures.  They permitted their property (the iPhone) to be used in such a way that they no longer had control of it.  In effect, they provided their employee with a safe, a cyber space safe, and they did so without maintaining their own key to the safe.  Now that they want access to their own property (the iPhone), they find that their information security policies and procedures have failed.  In cases where an organization provides a safe (especially a safe inside a phone) they should consider carefully what will happen if the employee does not provide access to the safe, whether that’s because the employee has won the lottery, been terminated, or passed away.

Thinking about such events may not always be easy or comfortable, but considering such risks is critical to a complete, mature information security stance.  In this case having a plan in place would have made it possible to provide assistance to law enforcement in a potentially serious matter, and that would have been better for San Bernardino County, the families of those affected, and indeed all good people who want to prevent such cowardly attacks in the future.  Have a tested plan in place.  Hope you never need it, but have it in place ahead of time.  It makes all the difference.

Apple vs FBI – Not About Just One Phone

There seems to be some question about Apple refusing access to a single phone.  First of all, let’s be clear.  The failure is that of San Bernardino County.  They own a device, the phone, which might contain information useful for a federal investigation.  They can’t get into their own phone.  Consider that the phone is like a safe.  San Bernardino County bought a safe, and they let their employee take it home.  The employee changed the password.  Now the employee is dead, and they want access to the safe.  Now, if I had lost the combination to a safe, I’d hire a safe cracker.  I would not blame the safe company for building a good safe.  Furthermore, if the FBI wanted access to the property of San Bernardino County, they’d be ordering San Bernardino County to unlock the phone.  Then the owner of the property, San Bernardino County, could hire a hardware hacker to break into the phone.

But instead of going after a single phone, the federal government has ordered a manufacturer to subvert the security of their product.  Again, if they wanted access to a single phone they’d hire an expert to break in.  If this were to happen in China, I’d expect the government to command its citizens to do what it says.  Here in the U.S. I don’t understand how the government can order someone in this way.

The terrorists hate us because we treat people as individuals.  We have gender, racial and other equality written into our laws.  They consider women to be property.  We educate all children, boys and girls.  They kill girls who try to go to school.  We encourage freedom of speech.  They kill those who speak out against the government.  We have freedom.  They do not.  They want us to become a place where people fear the government.  We need to be better than that.

There are other reasons that the government should not break the encryption of iPhones, but that’s a topic for another post.

How to Choose Good Passwords

With our continued reliance on passwords, it is still a good idea to select good, secure, and memorable passwords.  It’s also very important to change them periodically.  We’ll cover some suggestions on selecting good passwords that naturally expire, and we’ll cover a bit about password safety.

There is no such thing as the perfect password, and there are many different ways that passwords can become compromised.  This does not mean that we should simply give up and use “Password” or “Excalibur” for all of our passwords.  It does mean that we should all choose passwords that are appropriate for the assets that they’re protecting, and we should all change our passwords periodically.

First of all, we should not have one password for everything.  If your password is compromised you do not want that to allow an attacker to gain access to every single account that you have.  A simple way to have different passwords for every account is to separate your passwords into two halves.  One half is a good password, perhaps 6 to 8 characters.  The other half is unique to the account of that particular password.  For example, if your good half is “ILFit5!” and you are choosing passwords for your email and for your mobile phone online account, then those two passwords might be “ILFit5!gmail” and “ILFit5!tmobile”.  Now you have two different passwords, but they are easy to remember (more about remembering that first half in a bit).  While there might be some concern that a person who gets one password might see the pattern and use it for other accounts, this is not a risk we’re mitigating with this strategy.  What we are preventing is keyboard loggers, network sniffers, and stolen password hashes – all attacks that can be connected to automation – where the attacker wrote a program that grabs the username and the password and then tries it against as many other web sites as it can find.  In these cases there’s never any person reading the password.  It’s a program.  It just tries the same username and password all over the place.  You’ve now secured your accounts against these.

Now, for the “good” half of the password.  Let’s take a six word (or more) seasonal sentence.   For this example: “I like flowers in the spring.”  We’ll take the first letters, which gives us “I Like Flowers In The Spring”, or ILFITS.  Now let’s change the case.  I suggest using capitalization to emphasize the words that are important.  So let’s make it “I Like Flowers in the spring”, or ILFits.  Now let’s add a number or change something to be a number.  Since the s and the number 5 have similar shapes, let’s make that a 5.  Now we have “ILFit5”.  Finally we need a special character in the password.  Let’s add an exclamation point for emphasis.  This gives us a final password of “ILFit5!”.  This is too short to be the whole password, so it will need to be followed by a unique identifier.  As described above, using a different identifier per account is a good way to keep passwords different.  There are some web sites and other accounts that have very poor password requirements, and which don’t allow some special characters.  This is very frustrating, particularly for those of us in the security industry.  When you run across one of these I suggest having a different sentence.  Perhaps “Some websites don’t value my security”, or “SWdvm5”.

Passwords that are tied to the seasons automatically remind you to change them.  Each time I’m logging into my tmobile account I’m repeating the words (in my head of course) “I like flowers in the spring.”  If I’m still using that password during the summer, this password method reminds me when it’s time to change my passwords.  It’s a good idea to have a list of your accounts and their passwords either electronically or on paper, but that’s a topic for another time.

Remember.  Give your passwords two parts, and for the password part use a Six word Seasonal Sentence to remind you to change that part of the password at least four times a year.
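The derivation above, written out as code so the rules are unambiguous.  This is an added illustration, not code from MEI Security; the season table (northern-hemisphere months) and the choice to replace only the last look-alike letter are assumptions made for the example.

```python
"""Two-part password scheme from the post: seasonal sentence -> memorable
core, plus a per-account tag, plus a seasonal rotation reminder."""
from datetime import date

# Look-alike digit substitutions.  The post only uses s -> 5; keeping it in
# a table is an assumption so other letters could be added the same way.
LOOKALIKES = {"s": "5"}

# Months belonging to each season (northern hemisphere; an assumption).
SEASONS = {
    "spring": (3, 4, 5),
    "summer": (6, 7, 8),
    "autumn": (9, 10, 11),
    "fall": (9, 10, 11),
    "winter": (12, 1, 2),
}


def derive_core(sentence: str, special: str = "!") -> str:
    """Build the 'good half' of the password from a seasonal sentence.

    Capitalise the words you want to emphasise in the sentence itself;
    the first letter of each word is kept with the case you typed."""
    words = sentence.split()
    if len(words) < 6:
        raise ValueError("the post recommends a sentence of six or more words")
    core = "".join(w[0] for w in words)
    # Introduce one digit: replace the last letter that has a look-alike.
    for i in range(len(core) - 1, -1, -1):
        if core[i] in LOOKALIKES:
            core = core[:i] + LOOKALIKES[core[i]] + core[i + 1:]
            break
    # Sites that reject special characters get special="" (the post's SWdvm5).
    return core + special


def account_password(core: str, account_tag: str) -> str:
    """Append the per-account tag so no two accounts share a password."""
    return core + account_tag


def season_of(sentence: str):
    """Return the season named in the sentence, or None if there is none."""
    for word in sentence.lower().replace(".", "").split():
        if word in SEASONS:
            return word
    return None


def rotation_due(sentence: str, today: date) -> bool:
    """True once the sentence's season has passed: time to pick a new core."""
    season = season_of(sentence)
    if season is None:
        raise ValueError("the sentence must name a season")
    return today.month not in SEASONS[season]


if __name__ == "__main__":
    core = derive_core("I Like Flowers in the spring.")       # ILFit5!
    print(account_password(core, "gmail"), account_password(core, "tmobile"))
    print(derive_core("Some Websites don't value my security", special=""))
    print(rotation_due("I like flowers in the spring.", date.today()))
```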

MEI Security Vision Statement

The world can be dangerous.  We help organizations and people to conduct business and to live more safely and securely in today’s world.

We do this by helping our customers understand the risks they face, providing clear assessments of their security, and helping them take steps to minimize their risks in ways that fit their organizational or individual risk tolerances.