Insecure Security – Authentication and CAPTCHAs

CAPTCHA is the authentication step at a website that asks you to write a bunch of letters and numbers that appear on the screen. It is designed to tell the web that you are a human and not an automated bot. A CAPTCHA makes great sense at a registration web page where the website is trying to figure out that you are human and not a bot trying to create new users perhaps for spamming purposes.

CAPTCHA’s make no sense after the website knows you are a human. For example after you login to a site with a user name, password, and if you are a site with sensitive data (i.e.,, financial or health data) also use a multiple-factor (something you have, something you know, something you are like a fingerprint), the site knows you are not a bot. If bots are able to login to a site, the site has got big security problems. So once you are authenticated, you should be a human.

Today I visit a state of Virginia website and login. I see that my password has not been changed in a few months (this is the topic for another blog) so I go to the change my password page. Why is there a CAPTCHA on the page? If I am bad guy I’m not going to change the password via a bot. The bad guy already has the password. Why change it to tip off the legitimate user? It makes no sense to have a CAPTCHA on a password change webpage or any webpage that appears AFTER the user is authenticated. This adds no security and just gets users upset (upset enough to write a blog!).

Use CAPTCHA’s in the right place on a website and understand what you are protecting.

Advertisements

The Washington Post on “the most secure password of all time”

Selecting a strong password is not easy as Alexandra Petri wrote in The Washington Post. A little password humor.

The most secure password of all time

Guidance for Enterprises on Protecting Passwords

A report from Imperva on how enterprises can protect passwords. A little salt on the hash will do the trick.

http://www.imperva.com/docs/HII_Enterprise_Password_Worst_Practices.pdf

Stupid Password Reset Questions

When I was at AOL we fought a constant battle between bad guys and executives who thought that customers should have easy access to their accounts. The bad guys loved “easy to guess” passwords and password reset questions which were used in case a customer forgot their password. One of my projects was to update the reset process for current vulnerabilities. AOL had the last 4-digits of the customers Social Security number. Two problems: a) If you know someone’s age and U.S. birthplace you can figure out the first five digits so the only random part was the last four digits. For an ID thief, this was the part they wanted the most. b) Many states were including partial SS#’s as PII in the definition for “data breach notification.” Other reset questions were easy to guess. If you have to guess someone’s favorite food, it is probably not brussel sprouts (although they are tasty). In five guesses you can probably figure out 98% of the U.S. populations favorite food (donuts, cake, ice cream, etc.).

Websites need to ensure that reset questions are not easy to guess. To shame websites, especially banking and financial institutions, to use reasonable steps to protect our data I am creating a list of real “stupid” password reset questions. Of course if a website asks me for my brothers middle name I’ll say “ju8klw#nq.”

THE QUESTIONS

What color was your first car? Would it be chartreuse or Lavender? How many car colors are there? Who cares if its your first car or your fifth car the color choices are the same.

What year were you born? Until people start living until age 1,000, the choice of birth years is 100 or less. Certainly few babies born last year of using banking sites and most people in the 90’s are unlikely also. The universe of birth years is about 50 numbers. Hackers like those odds.

Tips to Keep You Safe Online

Some tips to keep you and your family safer online.

a)      Use Lastpass.com to keep track of your passwords. With Lastpass I remember only one long, random, secure password and Lastpass remembers over 200 of my passwords which all look like random variations of “C5r$u9cLy#bG”. I also use YubiKey with Lastpass to provide secondary authentication. Yubikey is a small plastic USB device that sends a pseudo-random number to a server to authenticate me. Google Authenticator is an alternative secondary authentication.

b)      Change your password reset questions so that your answers are no longer “Snoopy”, “ice cream,” or “Justin Bieber.” Too easy to guess the name of your first pet or your favorite food. Too easy to find out from your Facebook profile your favorite singer. Use answers like “game73elmo29.” Write them down in a secure place or you can use Lastpass to keep track of tem.

c)       Do not use the same password at multiple sites.

d)      Change the default password on your router. Some of the sophisticated hacks attack widely-available Belkin, D-Link, Linksys, etc., routers. If you are adventurous build your own router like Astaro or PFSense using an old PC.

e)      Check your router’s security using the ShieldsUP! tool at grc.com.

f)       Make sure your wireless router uses WPA2. WEP is too easy to crack.

g)      Check to see that hardware DEP is turned on if you are using a Windows PC.

h)      Use NoScript to prevent malicious scripts from running if you are using Firefox. I think Firefox is the most secure browser but you could also make an argument for Chrome or IE9.

i)        Use SandboxIE to virtualize any browser.

j)        Backup your essential files. Bad things can and will happen. I use the 3-2-1 rule. Three copies, two different media (I use hard drives and cloud drives), and one copy off-site (I use two off-site vendors, Amazon and Rackspace)

k)      Scan your PC occasionally using a LiveCD like Microsoft System Sweeper. The LiveCD does not boot into Windows so difficult to detect malware like rootkits can be detected.

l)        If you want to check to see if the file in an e-mail or you downloaded, check the file at virustotal.com. It will be checked against more than 40 antivirus products. Of course just because the file appears to be virus-free, it may be a zero-day.

A Government Clearinghouse for Reporting Breach Info?

Breaches and bots share much in common including the damage they do to consumers and the US economy but also the need for government action. At the October 2011 Online Trust Alliance Forum meeting I attended two sessions on breaches. The panelists included lawyers and CSO’s who have been engaged on multiple breaches. I wrote and regularly tested AOL’s breach plan. The discussions and my experience indicate that breaches get reported (unfortunately not all are reported) to multiple groups from the local police department to the FBI, Secret Service, and other Federal/state agencies. This hodgepodge of reporting results in an incomplete view of essential statistics. Data on breaches becomes widely-varied guesses. There needs to be a central government clearinghouse where all breaches are reported. 1-800-DATABREACH. This clearinghouse then collects statistics and parses the cases to the appropriate agency for investigation.

More importantly the hodgepodge of reporting results in the inability to collect information on the cause and the cures which is essential to share with other companies. My experience with Internet crime shows that the bad guys continually exploit the same techniques. The clearinghouse should be sharing data on the exploit and recommendations to prevent the problem from reoccurring.

The clearinghouse also needs to be sharing data about the individuals who were breached so that other sites where the same user authentication data is used can be shut down. In other words it is very common for sites to use an email address as the user ID. Sites have the terrible habit of using email addresses as the user ID for convenience purposes. Consumers have the terrible habit of using the same password on multiple sites. The bad guys know this and once user names are compromised at one site the bad guys are using the same info to compromise individual accounts at financial institutions, ISPs, etc. In fact there is a website in which you can check to see if your email address has been compromised. The clearinghouse should make available to vetted companies the compromised email addresses and passwords so that sites can test the combination and temporarily shut off access before additional accounts get compromised.

Password Lessons Learned from Sony Breach

When I was at AOL I spent considerable effort fighting for stronger passwords. There was a “discussion” with marketing on “security versus convenience.” An analysis of the Sony breach by Troy Hunt (http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html) showed a number of things to take note of:

  • Sony had stored over 1M passwords in “plaintext.” The first lesson in “cybersecurity 101” is never do this.
  • 2/3’s of users that had accounts at both Sony and Gawker (another site recently breached) used the same password on both sites. The second lesson is don’t resuse passwords.