Insecure Security – Authentication and CAPTCHAs

CAPTCHA is the authentication step at a website that asks you to write a bunch of letters and numbers that appear on the screen. It is designed to tell the web that you are a human and not an automated bot. A CAPTCHA makes great sense at a registration web page where the website is trying to figure out that you are human and not a bot trying to create new users perhaps for spamming purposes.

CAPTCHA’s make no sense after the website knows you are a human. For example after you login to a site with a user name, password, and if you are a site with sensitive data (i.e.,, financial or health data) also use a multiple-factor (something you have, something you know, something you are like a fingerprint), the site knows you are not a bot. If bots are able to login to a site, the site has got big security problems. So once you are authenticated, you should be a human.

Today I visit a state of Virginia website and login. I see that my password has not been changed in a few months (this is the topic for another blog) so I go to the change my password page. Why is there a CAPTCHA on the page? If I am bad guy I’m not going to change the password via a bot. The bad guy already has the password. Why change it to tip off the legitimate user? It makes no sense to have a CAPTCHA on a password change webpage or any webpage that appears AFTER the user is authenticated. This adds no security and just gets users upset (upset enough to write a blog!).

Use CAPTCHA’s in the right place on a website and understand what you are protecting.

ID Theft – Be Always Diligent – Lesson from My Accountant

I am always careful of what information I give out. When the DMV was asking me for my Social Security number to put on my license I protested. Why does the DMV need this info? After a letter writing campaign, the DMV switched to a new ID system. When my health care provider sent me an ID card with my SS# on it I protested.  I was happy to get their first “fake-o” ID card as they called it. If there isn’t a good reason to give my info to you I will not give it.

I just filled out my tax return for my accountant. He looked it over and asked why am I putting the full account number of my financial institutions on my tax form. Good question. The IRS computers can match my tax return and my account info. Why put the full number on the form to give an opportunity for a data entry clerk or someone else to steal my ID? Thanks Matt.

Better to ask why then to get your identity stolen.

If you are in the Northern Virginia area and need an accountant, I recommend Matt Miller (http://www.mcg-cpa.com/).  Knows his taxes and tax planning.

DNSSec Works for Consumers, Almost

Every since I found heard about Dan Kaminsky’s research on flaws in DNS in 2008 I have been looking forward to the industry’s response, DNSSEC (Domain Name System Security Extensions). Unfortunately DNSSEC required an end-to-end solution from the root DNS servers to ISP servers to routers to operating systems to browsers. Parts have been working for awhile like my ISP’s DNS server. Finally this weekend with some beta software from my home router my dream of seeing DNSSEC for consumers has been completed.

My Verizon’s DNS server supports DNSSEC (note that as of today not all of Verizon’s servers are supporting DNSSEC). My Asatro router has implemented DNSSEC. Firefox and Windows 8 support it. With the help of the Firefox DNSSEC validator plug in you can see in the screenshot below the validation that Symantec’s website is the real site and could not have been spoofed by a DNS exploit. Yeah!

Now its time for Cisco/Linksys, Netgear, D-Link, etc. to support DNSSEC.

DNSSec in Action

Superstorm Sandy and Backing Up Data Off-Premise – I Love Cloudberry

The recent storm affected millions of people including my family. One of my family described water entering their house during the storm like water spreading through the Titanic. Within minutes the PC’s on the first floor of their house were underwater. Seawater can’t be good for a hard drive. It killed it and of course all data was lost.

This reminded me of my continuous effort to ensure my personal and business files are backed up. I follow the 3-2-1 backup plan. Three copies of my essential data. At least two different media. One copy off-site.

The off-site copy is a challenge. I have three rules for this backup. It must be secure. I follow the “trust no one” axiom. It must be reliable. Once setup it must be automatic.

I finally found the solution. Cloudberry Backup (www.cloudberrylab.com). It uses AES-256 bit encryption with a password that only I know. I have it backup to Amazon’s Glacier and Microsoft’s Azure cloud backup services. Both are pennies a month. So not only do I backup off-site but two different backup services. Cloudberry automatically backs up my essential files per a schedule I set (one a day for me). The Cloudberry application comes in various formats depending on whether you want to backup your PC or a home server (my local backup solution is Windows Home Server 2011). The cost is minor..

What sealed the deal for me was tech support. A day after I started my free trial I got an e-mail from Cloudberry support asking for feedback. I ran into a small problem setting up a backup. Told support about it. They responded back and said they would incorporate my feedback. Fantastic!

The one caveat I have with Cloudberry is that while its got the right feature set for me as an advanced PC user, its a too complex for my mom. When I told this to their tech support they agreed with me and suggested a couple of programs that my mom could use.

I’m a fan.

The Washington Post on “the most secure password of all time”

Selecting a strong password is not easy as Alexandra Petri wrote in The Washington Post. A little password humor.

The most secure password of all time

Stupid Password Reset Questions Hall of Shame

I have been blogging about passwords and stupid reset/security questions for a long time. It is now time to call out the worst offenders. Please add you own in the comments.

Fidelity (financial institution): What year did you graduate high school? If you know someone’s approximate age, how difficult is it to figure out the four digits of the graduation year. Even if you didn’t know their age, the universe of years is probably around 80 possibilities. Easy to guess.

 

The Average Number of Mobile Apps per Phone is 41 and Growing – The Malware Threat

Reading the study below from Nielsen re mobile apps is a bit scary when you consider the opportunity for malware to affect your phone. 41 apps per phone and growing is extraordinary. I’d be surprised if there are more than 15 or 20 apps per PC and that number is probably stagnant. Nielsen might have also checked on the source of the apps. On a PC the user is likely to know the software vendor before installing the app. I doubt with 41 apps that smartphone users know the reputation of the vendors. With the explosion of appstores including the entrance of Microsoft with Windows 8 and Windows Phone 8, it will be hard for the stores to protect users from malware. It is made more difficult because the smartphone app could be safe when installed but a few days later via the update mechanism which app store vendors cannot police, the legit app can become malicious.

The sheer number of apps along with the source of the apps is daunting from a malware perspective. Add in the 24 hour a day broadcasting of the smartphone users location and the opportunity for bad guys to exploit you via the phone will be a big problem. Combating mobile malware will be also be a large opportunity.

—————-

From http://blog.nielsen.com/nielsenwire/?p=31891

State of the Appnation – A Year of Change and Growth in U.S. Smartphones

May 16, 2012

Roughly a year ago when we summarized the state of smartphones at the Appnation conference, less than 40 percent of mobile subscribers in the U.S. had smartphones. Today, one in two mobile subscribers has a smartphone and that figure is moving steadily upwards. By most measures, it has been the year of the App once again, driven mostly by the rise of Android and iOS users who have more than doubled in a year and account for 88 percent of those who have downloaded an app in the past 30 days. In just a year, the average number of apps per smartphone has jumped 28 percent, from 32 apps to 41. Not only is the 2012 smartphone owner downloading more apps, they are increasingly spending more time using them vs. using the mobile web — about 10 percent more than last year.

Some things haven’t changed, however. The Top Five Apps continue to be Facebook, YouTube, Android Market, Google Search, and Gmail. And smartphone owners spend just about the same amount of time on apps each day (37 minutes a day in 2011 compared to 39 minutes today). Finally, privacy continues to be a concern with the vast majority (70% in 2011 and 73% in 2012) expressing concern over personal data collection and 55 percent wary of sharing information about their location via smartphone apps.

appnation-what-has-changed

© 2012 The Nielsen Company. All Rights Reserved.