Search

Most Recent Posts

Index of Older Posts

Tuesday
Jul172012

Passwords -- Part I

This is the first installment of a multipart series on passwords.  It's a challenging topic because the best approach rests not only on how high a security bar you can set, but also on the user and the situation.  For example, you could have a 12 character truly random password with lowercase, uppercase, numerals and punctuation for your iPhone which was the ultimate in security.  The result would be that you could never unlock your phone.  On the other hand you could "link" as your password to LinkedIn.  Don't laugh.

I want to pause to point out that I am neither a security expert nor a cryptographer.  I'm merely attempting to summarize some reasonable practices and apply some common sense to a very difficult topic.  For those inclined there are great sources on the internet, including Security Now, which I really enjoy, and I'd love to hear your thoughts about what works and doesn't work for you!

Let's start with the bottom line recommendations.

  1. Use different passwords for each account and website
  2. Use passwords that are not easy to guess
  3. Use a system for generating and remembering your passwords
  4. Get LastPass and use it

For those of you who don't know, LastPass is a cross-platform password vault that works on PCs, Macs, iOS devices, and Android devices.  It allows you to have a single strong password that accesses the rest of your less-than-memorable (but secure) passwords.  It works with Internet Explorer, Safari, Chrome, Firefox, etc.  The company has an excellent reputation and the product is well reviewed.  Here's a link to a piece that Steve Gibson did about it in his Security Now show.  There are lots of sophisticated features of LastPass that most of us will never use, but it will automatically generate excellent passwords that you can use, and makes the process of having a different password for each website much less painful.  (OK, it's still a little painful...)

Let's spend a few words on something that I bet every one of us already knows, but most of us do anyway: pick passwords that are easy to guess.  It's so dumb that it's almost unavoidable.  Consider the recent password hack that disclosed 6.5 million poorly hashed passwords from LinkedIn (which will be the topic of a separate post).  Here are the top five passwords chosen by users:

  1. link 
  2. 1234
  3. work
  4. god
  5. job

The #1 password "link" was used 941 times, or as the password for 1.5% of all the accounts.  These top 5 brilliant passwords together were used to access more than 3% of all LinkedIn accounts.  Before you point out how stupid that is, take a moment to assess your own password collection.  I'll bet you that there are at least one of two in there that you aren't proud of.  Some of you might even have used "password" or the equally secure "password1".  (The first is a convenient and common choice when 8 characters are required, the second happens when "password" is rejected because it doesn't contain at least one number.)

I could go on, but you get the point.  The real question is how should be go about generating passwords that are a reasonable compromise between security and practicality?

We'll start digging into strategies that you might want to consider in Part II.

 

--Tiron

Sunday
Jun242012

Great iPhone/iPad Security Tip

A four digit "simple" iOS passcode takes about 13 minutes to crack, so use more than four numbers to create your passcode

If you use the default passcode setting on your iOS device you are prompted to enter four (and only four) numbers, followed by your iOS device unlocking.  Some folks might not know that it's easy to use a longer numeric (or alphanumeric, if you choose) passcode!SIMPLE PASSCODE

The default setting of a new iPhone or iPad is to have the passcode turned off.  When you swipe the bar, you unlock the phone.  All your data on the phone as well as any personal data that could be accessed with an unlocked phone, like your address book, calendar, or documents on Dropbox, is unprotected.

If you turn on the passcode from the Settings --> General --> Passcode Lock page the default is to use "Simple Passcode", which is the four digit passcode discussed above.  However, if you merely select "Simple Passcode Off" then you have access to the entire alphanumeric keyboard to choose from!  This is much better from a security standpoint, but it's pretty difficult to enter your code quickly and accurately, particularly with one hand, because the keyboard is tiny compared to the numbers-only passcode lock screen that iOS devices use for Simple Passcode.EXTENDED NUMERIC

Here's the cool trick: If you choose only numbers from the standard (small) keyboard then when your passcode entry box is displayed it will be presented with the much easier to use large number easy-entry screen used for the default Simple Passcode! 

You can choose a numeric only passcode of as many digits as you want, thereby greatly increasing the security of your iOS device without using the tiny full alphanumeric keyboard.  Note that you will have to press OK at the end, as the iPhone otherwise won't know how long your passcode is.  See article and step-by-step instructions here.

The four digit code that is commonly used to unlock your iOS device is certainly better than nothing, but with only 10,000 unique codes it isn't very secure.  How long would it take to guess the code?  Apple released informaiton on iOS security that helps figure that out.  The algorithms in the iPhone and iPad are written so that each attempt at access takes 80 milliseconds, or 12.5 possible guesses/second.  After several incorrect entries the iPhone starts to add delays before you can enter the next attempt at access.FULL KEYBOARD

However, if you are entering the unlock code via a computer (with the iOS device connected via USB) you would be able to enter a new guess every 80 milliseconds -- and the features that introduce delays before the next code can be tried as well as the ability to the erase iPhone after 10 unsuccessful attempts, are bypassed.  So every possibility for a four digit code can be tried in about 13 minutes.

But let's say you use a five digit numeric-only passcode.  You go from 13 minutes to a little over 2 hours to try every combination.  With six digits you need about 1 day, with seven digits you need about 9 days, and with eight digits you need about 90 days.  Note that to get this benefit you must have selected a random numeric password which cannot be guessed except by brute-force attack (i.e. it's not 1111111 or 1234567 which will be cracked before you have finished reading this paragraph).

Admittedly this is not as good as choosing a passcode from the complete alphanumeric character set where, even if you used only lower case letters and numbers, you have 36 possibilities for each position in the code.  So a 4 digit code with numbers and lower case letters would take about 1.5 days to brute-force and a 5 digit code would take about 56 days.  Of course, this assumes a truly random passcode.  Note that if you were to include upper case, lower case, punctuation, and digits you get a 4 digit code that would take about 66 days to crack.

For the past several weeks I have been using a passcode which has lower case, upper case, punctuation, and numbers -- but it is very tedious and cumbersome to enter.  Since I can remote-erase my iOS devices and am pretty sure that I will know one is missing within 24 hours, I am reasonably satisfied with a strategy that will take more than 24 hours to brute-force the passcode.  So I'm going to try a six or greater digit random numeric only passcode, and I strongly suggest that you consider this approach to do better than the 13 minutes it will take a to crack your old 4 digit passcode!

--Tiron

 

Saturday
Jun232012

Private VPN Part II  

In order to create and use a VPN tunnel you’re going to need to have someone or some organization on the other end of the tunnel to connect with.  You might be familiar with using VPN to connect to your corporate network.  In that case, the other end of your tunnel is your employer, whose IT department has set up the VPN service.  But for our private VPN we are going to need something different.

For example, we could decide we want to create a tunnel from wherever our laptop computer happens to be, say at Starbucks, to our computer at home.  You can do this!  There’s a good article about it on Life Hacker (and another).  I don’t think that this is a great solution, however, as you will be limited in speed by the upload speed of your home connection, which is typically much less than the download speed (your home computer is functioning as a gateway to the internet on the other end of the VPN tunnel so your laptop will only be able to browse the internet at the speed that your home connection can upload information).  In addition, any web site you visit will see the IP address of your home internet connection.  Again, not perfect.  On the positive side, it does prevent snooping by anybody at your public hotspot. 

A better choice is to have a VPN service provider who offers a connection from your computer to their servers and then sends your internet traffic on from there.  Most have very fast connections to the internet.  There are lots of VPN providers.  Search for “private VPN” on Google.  Some are free, such as Anchor Free’s HotSpot Shield, which is supported by advertising.  Others are quite expensive.  Add supported free services are a little dicey, as they need to be looking at your internet traffic for the purpose of add placement -- a real no-no when you are supposed to be protecting privacy!  Overall, you likely get what you pay for.

I chose WiTopia PersonalVPN Pro service.  Installation was very easy.  It worked immediately and flawlessly on my Mac Pro, my Macbook Air, my iPhone, and my iPad.  Note that setup on the different devices will necessarily be a little different, as they support different VPN protocols, but the WiTopia directions were clear and easy to follow.  Fat-finger errors aside, total time to get up and running was between 5 and 10 minutes. 

For the Macs I just let the WiTopia VPN client (downloaded from their site) automatically make the best connection.  It used the OpenVPN protocol.  On the iOS devices the setup is a little more manual, and you can choose L2TP or IPSEC (both good) or PPTP (not as good).

When I went to work I was unable to connect, as the ports and protocol that I was trying to use (OpenVPN) was blocked.  I used live chat with the WiTopia support folks and within 5 minutes had a solution which worked perfectly!  (I needed to change protocols to L2TP using a different WiTopia gateway which allowed traffic over ports which were unblocked.)

Are there issues that VPN doesn’t solve?  Sure.  For example, using VPN your traffic is very secure between your computer and your VPN provider.  But your VPN provider has to forward the traffic over the regular, unencrypted internet to reach the website you are trying to browse or the email server you are connecting with.  So the security is really to get around the problem of local snooping at the airport or free WiFi, or an insecure or untrusted network such as in a hotel.  It also helps to protect the privacy of your communication if you are using a network within your workplace.  VPN also does not address the privacy issues of tracking you with cookies or web bugs, or of the often near-unique footprint of your web browser (more on this in another posting).

Those issues aside, I think each of us should carefully weigh the cost/benefit of using VPN to protect our privacy on the road.  Seems very worthwhile to me!

Safe surfing...

 

--Tiron

 

 

Friday
Jun222012

Network Attached Storage: Part II

I received my new Synology 412+ last week, as well as 4 Seagate 3TB hard drives.  I'm plesed to report that the unpacking and installation went very smoothly, and that the Synology seems to be very nicely designed with resepct to getting the disks into their trays and snapping them into place (this particular unit supports hot-swappable disks which means that if a disk fails you can just pull out the tray holding that particular drive, unscrew and install a new drive, and slide the tray back in -- all without shutting the unit down or loosing any data).

Installation of the software on my Mac also was without a hitch.  A minor point was that there were two CDs included with the NAS, one of which was completely unlabled.  Turns out that this was a more recent release of all the software on the nicely labled disk.  Setup was quite easy and, though not without points of head-scratching, it was by far less obtuse than setting up my ReadyNAS NV+ (the old NAS).

The Synology software (DAS) has a lot of features.  I have tried a few of them, but the file sharing seems to work as advertised with no problems creating and administering shared volumes.  I was able to easily set up the NAS as a target for Apple Time Machine so my Macbook Air is now using it for backup.  There has been no problem with automatic connections to it.  I also tried the CalDAV feature which allows you to set up a server for calendars compatible with the Mac.  It worked as advertised, but I haven't yet discovered the level of features that I would need to make this a good solution (ability to setup permissions by user/calendar).

It's worth pointing out that the unit is very quiet and produces relatively little heat.

Since my last blog posting PC Magazine has come out with a nice set of articles about selecting a NAS.  Follow these links!

My heart is lighter knowing that I again have vast, unused amounts of storage!!

--Tiron

Wednesday
Jun202012

Private VPN Part I

There are two important problems that come up with respect to security and privacy which just happen to share the same solution:

  1. Public WiFi is unsafe
  2. Your activity on the internet can be tracked by your IP address

The solution for each of these is the topic of today's post:  Private VPN (Virtual Private Network)

Let's talk about each issue above individually, then we will introduce VPN in a relatively non-technical way.  Information on selecting a VPN provider and setting up VPN will be in Private VPN Part II.

Public WiFi is unsafe (and some wired networks too!)

There are lots of ways that your information can be compromised if you choose to connect to a public WiFi access point, or even if you connect to an access point that isn't public but isn't under your control.  Your employers wireless network, for example.  Unfortunately, places like free airport WiFi are hotbeds for scamming your information, much of which is generally not encrypted when sent over the internet.  In general, unless you are using SSL connections for your email (and you should be!) your email username and password are sent over the internet as clear, unencrypted text.  Unless you are using a secure website with https:// and you see the little lock, everything that is received or sent to/from your computer is able to be easily intercepted.  How?  Lots of ways!  For example do you really know which of the free airport WiFi networks you should connect to?  Anyone with $35 can purchase a WiFi access point, set it up to run an unsecured network, and name it "FREE AIRPORT WIFI".  You see it, connect to it, and they log everything, and I mean absolutely everything, that goes into or out of your computer.  Passwords, emails, websites you visit.  The whole works.  And that's just one way.  Convinced yet, or do you need another example?

How about a hotel network?  You are in your hotel room and you're too smart to get sucked in by connecting to WiFi -- whether it's secure or not.  So you decide it's safer to use the good old Ethernet cable that's provided for you.  You plug into your computer, enter your name and room number when prompted, and you're off and running.  And potentially every single piece of information is being snooped.  Yep.  Unfortunately, hackers have managed to get into and exploit both the wired and wireless networks in hotels.  The FBI recently put out a warning about the dangers of connecting to hotel networks, especially allowing any updates to take place -- here's a link to a PC Mag article, and onother to a story Forbs did about it.

Your activity on the internet can be tracked by your IP address

 

Click to read more ...

Page 1 ... 2 3 4 5 6 ... 7 Next 5 Entries »