Insecure Security – Authentication and CAPTCHAs

A CAPTCHA is the challenge at a website that asks you to type a string of distorted letters and numbers shown on the screen. It is designed to tell the website that you are a human and not an automated bot. A CAPTCHA makes great sense on a registration web page, where the website is trying to figure out that you are a human and not a bot creating new users, perhaps for spamming purposes.

CAPTCHAs make no sense after the website already knows you are a human. For example, after you log in to a site with a user name and password (and, if the site holds sensitive data such as financial or health records, a second factor: something you have, something you know, or something you are, like a fingerprint), the site knows you are not a bot. If bots are able to log in to a site, the site has much bigger security problems. So once you are authenticated, you should be a human.

Today I visit a state of Virginia website and log in. I see that my password has not been changed in a few months (this is the topic for another blog) so I go to the change my password page. Why is there a CAPTCHA on the page? If I am a bad guy I’m not going to change the password via a bot. The bad guy already has the password. Why change it and tip off the legitimate user? It makes no sense to have a CAPTCHA on a password change web page or any web page that appears AFTER the user is authenticated. This adds no security and just gets users upset (upset enough to write a blog!).

Use CAPTCHAs in the right place on a website and understand what you are protecting.

ID Theft – Be Always Diligent – Lesson from My Accountant

I am always careful of what information I give out. When the DMV was asking me for my Social Security number to put on my license I protested. Why does the DMV need this info? After a letter writing campaign, the DMV switched to a new ID system. When my health care provider sent me an ID card with my SS# on it I protested. I was happy to get their first “fake-o” ID card, as they called it. If there isn’t a good reason to give my info to you I will not give it.

I just filled out my tax return for my accountant. He looked it over and asked why I was putting the full account number of my financial institutions on my tax form. Good question. The IRS computers can match my tax return and my account info. Why put the full number on the form and give a data entry clerk or someone else an opportunity to steal my ID? Thanks Matt.

Better to ask why than to get your identity stolen.

If you are in the Northern Virginia area and need an accountant, I recommend Matt Miller (http://www.mcg-cpa.com/). He knows his taxes and tax planning.

Superstorm Sandy and Backing Up Data Off-Premise – I Love Cloudberry

The recent storm affected millions of people, including my family. One family member described water entering their house during the storm like water spreading through the Titanic. Within minutes the PCs on the first floor of their house were underwater. Seawater can’t be good for a hard drive. It killed it and of course all data was lost.

This reminded me of my continuous effort to ensure my personal and business files are backed up. I follow the 3-2-1 backup plan. Three copies of my essential data. At least two different media. One copy off-site.

The off-site copy is a challenge. I have three rules for this backup. It must be secure; I follow the “trust no one” axiom. It must be reliable. Once set up, it must be automatic.

I finally found the solution: Cloudberry Backup (www.cloudberrylab.com). It uses AES-256 encryption with a password that only I know. I have it back up to Amazon’s Glacier and Microsoft’s Azure cloud backup services. Both are pennies a month. So not only do I back up off-site, but to two different backup services. Cloudberry automatically backs up my essential files on a schedule I set (once a day for me). The Cloudberry application comes in various editions depending on whether you want to back up your PC or a home server (my local backup solution is Windows Home Server 2011). The cost is minor.

What sealed the deal for me was tech support. A day after I started my free trial I got an e-mail from Cloudberry support asking for feedback. I ran into a small problem setting up a backup. Told support about it. They responded and said they would incorporate my feedback. Fantastic!

The one caveat I have with Cloudberry is that while it’s got the right feature set for me as an advanced PC user, it’s too complex for my mom. When I told this to their tech support they agreed with me and suggested a couple of programs that my mom could use.

I’m a fan.

Stupid Password Reset Questions Hall of Shame

I have been blogging about passwords and stupid reset/security questions for a long time. It is now time to call out the worst offenders. Please add your own in the comments.

Fidelity (financial institution): What year did you graduate high school? If you know someone’s approximate age, how difficult is it to figure out the four digits of the graduation year? Even if you didn’t know their age, the universe of years is probably around 80 possibilities. Easy to guess.


Cloud Computing – A Few of the Hidden Factors to Consider

I am a big fan of cloud computing (CC) and have been using CC to backup my essential files since I first heard of Jungle Disk in 2007 (Jungle Disk is a great product for home, SOHO, and small businesses to backup and share files). I have also been working with some friends on a business which uses cloud processing. Before choosing CC, organizations need to evaluate a number of factors. Here are a few that don’t get much attention.

Who Owns the Data? Who Cares if You Use PIE

There is great debate about who owns the data that is stored on the cloud. What about data that might get stored in different countries? What about subpoenas? This is a legal issue which will take time to be litigated. Mark Rasch, director of cybersecurity & privacy consulting at CSC, has an excellent primer on this topic at http://www.api.org/meetings/proceedings/upload/SessIVRaschPres10Nov10.pdf

I recommend that my clients use “PIE” or “pre-Internet encryption,” a term coined by Steve Gibson of the Security Now podcast. The idea is to encrypt your data BEFORE sending it to the cloud. You know the key and no one else. If your data is hacked or a subpoena is served, all that will be visible is random garbage. If you are a small business, Jungle Disk uses your own AES-256 key to encrypt. There are products like Trend Micro’s CC suite which encrypt enterprise-level data.

Just Because Your Cloud Computing Supplier is Big, Doesn’t Mean they Are Smart

This is a corollary to using PIE. Amazon had a well-publicized outage a couple of months ago. What was not publicized was that a small amount of data (less than 1%) was permanently lost. If that was your customer database, you could have been screwed. Another CC supplier, Dropbox, recently had a software glitch caused while they were updating software. The glitch meant that no one’s password was being checked, so anyone could log into a Dropbox account with no password or any password. Last year Google fired a system administrator who was accessing customer files using his administrator access. Using a “big supplier” doesn’t mean they do everything right. You need to protect yourself. If you were using PIE, in any of these situations your data would still be protected: the provider, the intruder, or the insider would hold only ciphertext.

Bandwidth, Don’t Assume It Will Always be Free

CC uses lots of bandwidth. Some CC suppliers like Amazon charge for bandwidth, but what about your ISP? Most ISPs are looking at instituting bandwidth caps and/or charges. How would bandwidth charges from your ISP change the economics of CC?

Backups, The 3-2-1 Rule

When I work with clients I ensure that not only do they protect their data from bad guys but also from natural disaster, fire, theft, lightning, hard drive failure, etc. After Hurricane Katrina I spoke with some AOL customers who were having a difficult time getting access to their money since their paperwork was destroyed by the flood. Backups including off-site are key. Use the 3-2-1 rule.

At least 3 copies of every essential file
At least 2 different media
At least 1 copy stored in a different location

My essential files are copied to my Windows Home Server (one of Microsoft’s best products that few people know about), to a weekly backup of the Server which is stored on a fireproof, waterproof hard drive, and to both Amazon’s and Rackspace’s online backup using Jungle Disk (the best desktop backup product around). I use both hard drive and cloud drive media (I guess technically the files are all stored on hard drives). My files are also off-site with Amazon and Rackspace.

Regularly test your backups to make sure you can read them. Being a cybersecurity/privacy pro, I keep my off-site files encrypted using AES-256 and I am the only one with the key (OK, one other trusted person also has the key).