Passwords and Why Yours Suck: My KWDM Presentation

Posted: November 23rd, 2010 | Author: | Filed under: Software | Tags: , , , , , , | No Comments »

This post has been a long time coming. These slides are from a presentation that I did at the Kitchener-Waterloo Web Design Meetup back in October. The goal of the presentation was to teach people the importance of strong passwords, how to create good passwords, and most importantly, some techniques that can be used to manage all of the passwords that you create.

Passwords and Why Yours Suck

These days, a lot of people use cloud-based services to manage their personal information and communications. These services are great because they’re available everywhere and naturally protect your data from loss and disaster.

Unfortunately, each service requires a username and password to keep the data that it stores safe from others.

A selection of the cloud-based services that many people use

Naturally, this is a lot of passwords to remember. Some people try to counter this problem by using short, easy to remember passwords. These often consist of names of loved ones, favourite sports, or curse words with numbers appended to the end.

A selection of common easy-to-remember passwords that people use

The problem with this approach is that it creates an easy target for people who try to break into your account by brute force.

Brute forcing is an attack method that tries to guess every possible password

The whole idea behind a brute force attack is to guess every possible password that can be created out of an alphabet of characters. As the length of your chosen password and the number of possible characters that it could be made up from increases, the number of possible passwords increases exponentially.

As the length of a password and the number of characters that it could be made up of increases, so does the number of possible passwords

Because most people make passwords out of common words, another approach that an attack can take is a dictionary attack. This is kind of like an educated brute forcing. The attacker starts guessing passwords from a dictionary of known words, names, and other significant strings. This can significantly reduce the time that it takes the attacker to guess the average password.

Dictionary attacks begin by guessing passwords from common words and phrases

The obvious defense against both of these attacks is to choose really long and complicated passwords that are made up of all kinds of different characters and don’t contain dictionary words. These will make brute force attacks infeasible and defeat dictionary attacks altogether.

IT Departments have been telling us to make our passwords more complicated for years now

Unfortunately, these passwords are extremely hard to remember. Every IT department in the world has been telling us to follow these rules for years now, and yet nobody does.

Realistically, the average person cannot remember a good number of suitably complicated passwords

Whenever IT departments insist on implementing draconian password policies, users become frustrated when trying to remember them, and some inevitably seek other ways to keep them in the forefront of their minds.

To compensate for complicated passwords, people often leave reminders on slips of paper around their offices

So what is a responsible computer user to do? Long, complicated passwords are necessary to keep your data safe, but writing them down is dangerous. Luckily, plenty of other people have had this problem before, and a few of them have come up with some solutions.

LastPass is a cloud-based utility that saves all of your passwords securely on their servers

LastPass is a pretty cool cloud-based application that stores all of your passwords in a securely encrypted container on the LastPass servers. The company provides plugins for all of the popular web browsers that allow you to access your passwords securely from any computer.

The combination of KeyPass and Dropbox is another possibility that will allow you to move your passwords between multiple=

Another possibility is the combination of an application called KeePass and a cloud service called Dropbox. KeePass (and its open-sourced linux-based cousin, KeePassX) store your passwords in an encrypted container format on your computer. If you store that container file in a Dropbox folder, your passwords are safely accessible from any computer in the world. Unfortunately, there’s always a catch.

Of course, a password is only as safe as its keeper

A basic rule of cryptography is that a secret is only as safe as its keeper. This is similar in concept to that old adage about the weakest link in a chain.

Although both LastPass and KeePass solve the problem of keeping a lot of passwords safe, it’s important to remember to keep the master password safe. Ideally, it should be committed to memory and not shared with anyone.

Head in the Clouds?

Posted: June 5th, 2009 | Author: | Filed under: Software | Tags: , , , , , , , , , , , , , , , , , , , | No Comments »

Ah, the Cloud. A wonderful place in the electronic ether where you can put all of your data and software so that you no longer have to manage it yourself; never mind dealing with hardware or software purchases, tech support, or IT professionals. Never mind dealing with privacy and security, avoiding vendor lock in, or being free to do what you like with your data – the cloud will take care of it all. For once, I actually agree with the viewpoint of Richard Stallman:

One reason you should not use web applications to do your computing is that you lose control… If you use a proprietary program or somebody else’s web server, you’re defenceless. You’re putty in the hands of whoever developed that software.

Stallman may be a crazy hippie, but unfortunately, he’s right. In our mad rush to create software as a service, we’ve repeatedly reinvented the wheel in an effort to coerce web browsers into doing things that desktops do with ease – and we’ve lost control over our personal data along the way. In the words of Schneier:

When a computer is within your network, you can protect it with other security systems such as firewalls and IDSs. You can build a resilient system that works even if those vendors you have to trust may not be as trustworthy as you like. With any outsourcing model, whether it be cloud computing or something else, you can’t. You have to trust your outsourcer completely. You not only have to trust the outsourcer’s security, but its reliability, its availability, and its business continuity.

Even though living in the cloud may look great on paper – “All of my services are served by Google, and available via a single user account!” – what happens if the Almighty Goog goes out of business tomorrow? Or just shuts down Google Docs? God knows, it isn’t making any money off of the service. Amazon’s S3 and EC2 services are no better, with rare, but sometimes lengthy outages that can negatively effect many online businesses that rely on the services being running.

The point that I’m trying to get at with all of this ranting and raving is that nobody owns your data but you. How many times have you been told to back up your hard drive? The same rules apply (if not doubly so) when talking about data stored ‘in the cloud’. There is little incentive for the vendor to care about what it does with the data of users who get its service for free. Remember Schofield’s Second Law of Computing:

Data doesn’t really exist unless you have two copies of it. Preferably more. And the only person who can be held responsible for that is you.

The internet is a magical place, and has changed our world in inumerable ways. In this video, Kevin Kelly dissects the accomplishments of the first ’5000 days’ of the World Wide Web, and makes some startling predictions for the next 5000. Ultimately, for any of his ideas to come to fruition, we users will need to surrender much of the control over our data to faceless companies motivated solely by profit. I’m for crafty capitalism as much as the next guy – hell, I want to make my living in this industry – but is this really how we want it to go down?

Understanding the Impact of Technology on Your Personal Privacy

Posted: April 7th, 2009 | Author: | Filed under: Education, Software | Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , | 3 Comments »

In short, the concept of personal privacy in communications is possibly the most important right guaranteed to those living in a free society. It is also the single most undervalued freedom in all of Western Society. The right to say what you want to whomever you want puts governing bodies to task, enables rebellion, and ensures that those wishing to sway public opinion have to work hard to demonstrate the value of the opinions that they are trying to impress upon society.

It is thus unfortunate that technology often seems to hinder our ability to ensure personal privacy – at the very least, it makes it easy to ignore the man behind the curtain. Unless one is actively aware of the risks and works to prevent them, most common methods of technological-based communication, including Facebook, cell phones, text messages, instant messaging, web surfing and email all represent massive leaks in personal privacy. These should not be taken lightly, no matter the size of your tinfoil hat. And so, in no particular order, here are some things that you should be aware of when communicating in everyday life.

  1. Facebook and Web 2.0 Privacy:
    While this ubiquitous website has often been accused of selling your information, I find it more strange that it’s users are surprised by the idea that a website owned by a corporation would attempt to monetize the only resources immediately available to it: the information of it’s users. To me, the more scary aspect of Facebook is the slow leak of information that it inevietably causes. Like a small memory leak in an application, it isn’t a huge problem in the short term; but given time, you lose more and more control of your information as it is perused, tagged, linked to, and otherwise aggregated by the website and it’s users.

    As an example, consider the following situation: You go out drinking with friends, and do something stupid. Compromising pictures are taken, uploaded, and tagged by somebody at the bar. What do you do? Well you can un-tag them, but somebody could simply replace the tag, or mention your name in the comments. Even so, anybody who recognizes you could immediately figure out who is in the photo. You can demand the image be taken down, but are reliant on the original poster complying. And even then, who is to say how many people saved local copies of the image, saw it in their news feed, viewed the gallery, or were otherwise linked before it was removed?

    Simply put, Facebook is an easy way to lose control of your personal information. Consider that anybody with a developers license (which is free) has full access to this entire API from any application that they create. The incentive to create malicious trojan applications that steal and sell off information is there. The tools with which to do it are there. And the gullible users who gladly contribute thousands of dollars worth of personal information are there. So even if Facebook is ill-deserving of the allegations of selling users’ information (doubtful), any application that you add can easily present the same danger.

    When using a Web 2.0 site like Facebook, Twitter, or any other site that asks the user to post personal information on a profile, it is advisable to take a quick scan through the Terms of Service (ToS), End User Licensing Agreement (EULA), and Privacy Statement (PS) of the site. Some sites, like Facebook and even Tetris Online, post outrageous claims to user data in their ToS. While I am unaware of any court case that has established a ToS, EULA, or PS as a binding legal contract between website and user, at the time of this writing, it is safe to assume that sites could attempt to act on these ‘agreements’ should user’s violate them enough times, unknowingly or otherwise.

    So what can you do? Wean yourself off the koolaid. Do you really need 300 friends with whom you will never interact in real life? How many of those applications that you’ve installed and websites that you’ve joined do you really use? Is it entirely necessary to list your favourite movies, music, books, last 10 jobs, and your educational information where anybody with an internet connection could conceivably access them? I made the decision to get rid of my Facebook account a few months ago, and have never looked back. After a week, the only thing that I missed was Tetris Friends, which I later found out is available elsewhere anyway (although I haven’t registered a user account  – see Jake’s comment on the Tetris Online ToS below for the reason why). If nothing else, consider taking a stroll through the myriad of options available from the settings page of your favourite social networking site and limiting the access of non-friends to your account.

  2. Cell Phones and GPS:
    Remember the nineties movie slogan? “Shit, he’s on a cell phone. Those are untraceable!” Yeah right. By default, every cellular phone connects with two or more cell towers at any given time, and chooses the one with the strongest signal to transmit and recieve data from. This allows the phone to easily transition between towers without dropping calls while on the move. As a consequence, as long as your cellphone is on, in addition to the knowledge of what towers your phone is within range of,  the phone company can locate the handset to within roughly 1-kilometer of it’s actual location by triangulation. Further, new phones often include a GPS chip that allows you to use mapping applications and geo-tag your photos. If active, the GPS chip can also transmit the location of your phone, often without your knowledge.These tracking features have many positive uses, such as enabling authorities to immediately locate the source of 9-1-1 calls, and allowing business to track the location of their employees in an effort to optimize scheduling. Unfortunately, they also have their downsides – smart phones often come with mapping applications like Google Maps that allow the user to get directions to any destination that update with respect to their location in real time. Who is to say that the almighty Goog isn’t recording all of that data, and linking it with the web-browsing habits and any email received on the same handset? While the process would certainly be undertaken in the name of increased ad-targeting abilities, having all of that relational data lying around can have dangerous side-effects if it is misused, misplaced, or simply sold.The problem of cellphone location is one inherent to the system – the ability to locate phones on the network is a natural side-effect of the way the technology works. There is little that a user can do to prevent their phone from being triangulated. GPS however, is another matter. Many phones give users the options to turn off GPS functionality, or even to limit access to the GPS radio to certain applications. Since I am paranoid, my blackberry is set to disallow Google Maps access to the GPS radio except when I explicitly allow it. This prevents the application from unintentionally spewing my location to Google without my knowledge. As previously mentioned, cameras in newer cellphones that also have GPS can record location information into images taken by the device. Users can turn this functionality off by default, which is a good idea if you intend to upload the photos to social-networking sites or other easily-accessible locations.
  3. SMS Text Messages and Instant Messaging:
    At the end of 2007, an astounding 74% of cell phone subscribers used the SMS text messaging features of their phones. In the book ‘How to be Invisible’ by J.J. Luna, the author reveals that federal law in the USA requires that ‘all billable information [regarding a text message] be maintained for ten to fifteen years,’ including the message contents, date and time of sending and receipt, and the phone numbers of both sender and receiver. Remember the warnings about putting revealing information on the back of a postcard? The same applies to text messages, except that post cards aren’t kept on file by the postal service.Unfortunately, there is no easy solution to the SMS problem. Like post cards, users are best to simply limit what they say via these channels, as they are unencrypted, heavily logged, and contain plenty of identifying information.

    The privacy situation surrounding Instant Messaging programs like MSN Messenger, Yahoo Messenger, and even IRC is in a similar state of disrepair. In order to ensure that MSN Messenger simply works on any machine, regardless of your network situation, all messages are sent from your computer, through a single connection to Microsoft servers, and then forwarded to the intended recipient(s). Messages can be logged on your machine, that of the recipient, or even at the Microsoft servers. Further, all messages are sent in unencrypted plain text that any server along the path from your computer to the recipient can log and store. By the distributed nature of the internet, the very thing that makes it so powerful, the path between any two machines generally consists of 10-15 intermediate hops. (You can check the virtual ‘distance’ between yourself and various institutions in many countries at this website.) That means that between you and your friend, there are 20-30 computers and the Microsoft servers, all of which are capable of logging anything that you say in your conversation.

    Luckily, this problem is far more easily solved than that of SMS messaging. Third-party messenging clients like Pidgin allow you to connect to multiple networks (like MSN, Yahoo, Gmail, and even Facebook chat) at once, and offer an optional plugin called Off the Record (OTR) that can automatically encrypt any messages sent between you and a client that also has OTR running. It is easy to install and mindless to use, and should be a standard feature in every commercial instant messaging application. The only downside to Pidgin is that it looks ugly on Windows machines, but this is offset by it’s plugin abilities, and the fact that it can replace multiple IM clients.

  4. Web Surfing and Internet Connectivity:
    Many people don’t realize what the act of viewing a web page actually is. When you load up this page, your computer contacts my web server, requests the page, and begins to download it to your machine, and then processes and displays the page in your web browser. That means that when you look at this page, all of it’s text, images, and other content are stored in a folder on your computer called the browser cache.

    Along with the history of visited pages that many browsers keep, this information can be used by any person with access to your machine to figure out what web pages you have recently viewed. Further, many web pages leave a file behind on your computer called a ‘cookie’ that contains information that allows web sites to ‘remember’ who you are, which lets them store things like your user name and password, your preferences, or the things in your shopping cart. Again, these files can show people with access to your machine not only what sites you have recently visited, but with what account you logged into them, and potentially, what you did while logged on to the site. You can easily clear the cache, cookies and history from most browsers, or choose not to save them at all.

    Additionally, because the internet is just a massive network of computers, any time you request a page, that request and all of the content that you download from the server hosting the page can travel through multiple servers, and can potentially be logged at any one of them. Further, many internet service providers keep detailed logs of your web browsing activity that authorities or unscrupulous employees can gain access to and misuse. Lastly, in the age of widespread digital piracy, many providers employ a technology called deep packet inspection to determine what your computer is uploading and downloading while connected to the internet. This technology looks inside the messages that your machine sends, determines their contents, and whether or not they should be blocked or limited. By it’s very nature, it also has the ability to snoop on any unencrypted data that you are sending, including your web requests and instant messaging conversations.

    Protecting your information online is a tough thing to do. Of primary concern is the browser program that you use to view web pages. Older browsers like Microsoft’s Internet Explorer 6 have major security holes that can be used by nasty websites to steal your personal information or to install annoying programs on your computer without you doing anything out of the ordinary. Make sure that you have the latest version of your browser of choice installed. Secondly, be careful about what kind of information you give to websites. Do you really need accounts on websites that you use once a month? Putting your name or email address up on these sites can increase spam email, and lead to identity or data theft issues – all of the issues raised during the discussion about Facebook and Instant Messaging apply doubly here. For example, if searching for a job, are resume sites like really necessary? Putting your resume (which contains a bunch of personal information and all of your contact information) up online can lead to some devastating consequences. Finally, make sure that you have updated virus protection and firewall software installed and running on your computer at all times, and turn the machine off when you aren’t using it. If you’re really concerned about your online privacy, look into Tor, a program that encrypts your web traffic and forwards it through a bunch of random servers all over the world so that intermediate servers have no idea where the request is coming from or what data was transferred.

  5. Email:
    All email communications should be considered in the same category as Post Cards and SMS Text Messages. They are unencrypted, used worldwide, and sent through hundreds of servers that all have the ability to snoop or store copies along their journey from machine to machine. Further, webmail addresses like those available from Gmail or Windows Live store your email on their servers (sometimes indefinetly), where the messages and the information that they contain are out of your control and suceptible to snooping by authorities or unscrupulous employees.

    To protect yourself while using email, you should limit the amount of sensitive business or personal information that is sent via unencrypted channels. Further, look into PGP, a (usually) free protocol that can encrypt or digitally sign all of your communications so that others cannot tamper with them. Plugins are available for most commercial email programs, although the best one that I’ve seen is the enigmail plugin for Mozilla’s Thunderbird application. Microsoft Outlook does not ship with default PGP functionality, and most of the third-party plugins that I’ve used are a pain at best and non-functional at worst. Lastly, try to limit your use of webmail, or at the very least, the amount of information that you leave on the remote servers. I use Gmail, but have Microsoft Outlook set up on my desktop which downloads all of my email, saves it locally, and deletes the copies from the server after 30 days.

  6. Bonus Section: Safely Deleting  and Protecting your Files:
    While not strictly a communication issue, many computer users don’t understand how the process of deleting a file on their computer actually works. When you delete a file on Windows, it is removed from it’s original location and sent to a folder called the Recycle Bin so that you can restore it in case you deleted it accidentally. However, even when you empty the Recycle Bin, the file is not physically removed from your machine. In order to save time, Windows simply marks the file as deleted, but never actually removes the data from your hard drive. If, at a later time, the system needs that space, it will over-write the file. But if your computer has a large hard drive that you never fill, chances are that the file can live on in the ‘empty’ space of your hard drive for years to come. Once marked deleted, many freely and commercially available programs can restore most or all of the file’s contents so long as they haven’t been overwritten by new files.

    Because of this functionality, you should always assume that when you delete a file on your computer, it is for all intents and purposes, still available to anybody who cares to look for it. However, you can ensure that the file is safely deleted by using a program called a File Shredder that overwrites the file with random data, making it nearly impossible to ever recover. I would reccommend a free application called Eraser that allows you to shred any file directly from the right-click menu in windows, and can be scheduled to shred the contents of any folder or all of the free space on your hard drive at regular intervals.

    A file shredder can be used to improve your security by securely deleting the contents of your recycle bin, free space on your hard drive, internet browser cache and cookie files, old email, and the porn that you downloaded that you don’t want your wife or boss to find on your machine. It’s easy to set up, integrates directly into Windows, and works without a second thought. Just beware – once a file has been shredded, it’s gone for good. Make sure that you aren’t going to need it before shredding it.

    Finally, to prevent people unwarranted access to your sensitive data, look into a full-disk encryption application like TrueCrypt. It encrypts your entire hard drive and refuses anybody access until they enter a secret password that you set. Windows Passwords are good for preventing access to your machine, but if an attacker removes your hard drive and pops it into another computer, the Windows password doesn’t help you in the slightest. Full-disk encryption however, makes it extremely hard, if not impossible, to get at your files unless you personally unlock the machine.

    The more expensive versions of Windows do offer a file encryption system called Encrypting File System (EFS) that can optionally encrypt your files and folders with a combination of symmetric- and public-key cryptography, similar to the system used by PGP. One potential problem with the scheme lies in the fact your Windows password and decryption password are one and the same. When you log in to Windows, the operating system transparently decrypts any files that are requested by applications. As long as you have a strong Windows password that you change every so often, this can be a good solution; however, by default, TrueCrypt encourages the use of two separate passwords and demands the first before Windows even boots, which can be far more secure (as long as the attacker chooses to boot Windows and not a separate OS from a CD or DVD drive if they get past the TrueCrypt password).  Secondly, EFS does not provide full-disk encryption. Instead, it allows the user to choose which files and folders they would like to encrypt. This is generally alright, except that many programs leave digital litter around your hard drive that may not be encrypted under this scheme. For example, if you encrypt a Word document and then open it, Word can create a series of unencrypted temp files on your drive while you work on the file. Unless you wipe the free space on your drive on a regular basis, this may not be desireable when working on sensitive. If an attacker were to pull the hard drive from your machine, they could gain access to any files that you had not expressly set as encrypted by EFS. For this reason, full-disk encryption provides a better out-of-sight, out-of-mind solution that is guaranteed to protect all of your sensitive data.

Alright, if you’re still here after that massive article, I hope that you found it informative, enlightening, and easy to understand. Technology can seem tough and scary, but it doesn’t have to be that way. With a little bit of well-placed education, anybody can understand and improve the security of their communications in an effort to protect themselves from identity theft, unwanted intrusions, and overzealous authorities.

As this kind of stuff is a hobby of mine, I will be happy to answer any questions raised by or not covered by the post – leave me a comment!



Edit: Thanks to Tyler for pointing out that Enigmail for Thunderbird is an optional plugin, and is not included by default, as well as the information about Window’s EFS technology. Also thanks to Jake for pointing out the importance of reading the ToS of your favourite websites.

Windows Backup Doesn’t Play Nicely with TrueCrypt

Posted: November 16th, 2008 | Author: | Filed under: Software | Tags: , , , , , , , , , | 7 Comments »

I keep both my PC and laptop hard drives protected with full disk AES encryption using free software from the TrueCrypt Foundation. Not because I have anything to hide, or have done anything overwhelmingly illegal, or am planning a government coup; I protect my equipment because I’m a big nerd. Cryptography has always been an interest of mine, and a couple courses on the subject along with some reading have fuelled that interest to the point where I like to experiment with cryptography in my spare time.

As a responsible computer user, I also like to keep backups of my important files, namely my schoolwork, my code library, and my digital music collection. The easiest way that I have found to run timely, dependable backups on a Windows system is to use the built in backup tool (often only installed by default on the more expensive distributions of Windows). It uses a handy shadow-copy technique that allows it to backup a file even if it is currently in use, and supports some excellent compression and incremental backup techniques that reduce the space required for full system backups. Short of installing a RAID array in my personal machine, I feel that this is the easiest and most secure way of creating full machine backups in a timely and non-intrusive manner.

Unfortunately, as I have found in the last couple of days, Windows Backup doesn’t play nicely with a disk that has been encrypted by TrueCrypt. I recently purchased a portable 250GB harddrive to save my backups to. It came with some backup software already installed, but frankly, the included app was slow as sin and crashed twice before I even started backing my drive up. So i reformatted the drive and decided on Windows Backup instead.

The drive sits on my desk, plugged into my machine, silently protecting my data. Now, given my full-disk encryption security policy, it would be illogical to have unencrypted backups of my machine. That pretty much negates any security provided by the disk encryption scheme, so I’d like to have this drive encrypted. TrueCrypt works by encrypting the entire hard drive, including the file tree, which means that Windows (or any other operating system for that manner) cannot see any of its contents until it is ‘mounted’ by the TrueCrypt software. Once mounted, the drive appears as a virtual drive, and for all intents and purposes, works exactly like a standard physical disk. Except when using Windows Backup.

When setting up a backup, Windows asks you where it should put the backup, and allows you to scan for appropriate physical or network locations to save data to. This scan refuses to recognize the mounted external drive as a legitimate disk, even though the rest of Windows is ok with it. The scan also prevents you from saving a backup to the disk being backed up, which is a pain because it would provide an easily scripted work around to the problem. Windows help gives no further information, except by saying that Windows Backup does not support removable thumb drives, which is an outright lie, because I can choose my 8GB thumbstick with no problems, but it doesnt have the capacity that I require.

Now, as TrueCrypt acts as a software layer between Windows’ I/O functions and the physically encrypted drive, encrypting and decrypting all traffic that passes through it, I would imagine that their software simply hasn’t enabled some obscure API call that Windows relies on to determine if a drive is an appropriate backup location. So the issue is probably with TrueCrypt and not with Windows, but in my mind, Windows should allow users who know what they’re doing to put their backups wherever they please, because frankly, there’s no excuse for this tomfoolery.

Since I cannot seem to coerce Windows into allowing me to use my encrypted drive, the only option I have left that maintains my security policy is to use a Visual Basic app that my roommate wrote for fun. It performs backups of any folder on your machine to any other folder (networked or local), and supports a full suite of encryption and compression methods, based on a couple of open sourced libraries that he has incorporated. The problem with his work around is that it does not (to the best of my knowledge) take advantage of Windows’ shadow copy feature, and thus will not be able to back up files that are in use at the time of the backup.

For the time being, I will continue my experimentation, and should I get it to work, I will most certainly post a copy of his backup utility for all to use. If anybody with a similar setup has found a workaround to Windows’ incessant pickiness when choosing backup locations, or knows of a decent encrypted backup solution that I haven’t covered, I would appreciate the heads up.