Insecure Security – Authentication and CAPTCHAs

CAPTCHA is the authentication step at a website that asks you to write a bunch of letters and numbers that appear on the screen. It is designed to tell the web that you are a human and not an automated bot. A CAPTCHA makes great sense at a registration web page where the website is trying to figure out that you are human and not a bot trying to create new users perhaps for spamming purposes.

CAPTCHA’s make no sense after the website knows you are a human. For example after you login to a site with a user name, password, and if you are a site with sensitive data (i.e.,, financial or health data) also use a multiple-factor (something you have, something you know, something you are like a fingerprint), the site knows you are not a bot. If bots are able to login to a site, the site has got big security problems. So once you are authenticated, you should be a human.

Today I visit a state of Virginia website and login. I see that my password has not been changed in a few months (this is the topic for another blog) so I go to the change my password page. Why is there a CAPTCHA on the page? If I am bad guy I’m not going to change the password via a bot. The bad guy already has the password. Why change it to tip off the legitimate user? It makes no sense to have a CAPTCHA on a password change webpage or any webpage that appears AFTER the user is authenticated. This adds no security and just gets users upset (upset enough to write a blog!).

Use CAPTCHA’s in the right place on a website and understand what you are protecting.


ID Theft – Be Always Diligent – Lesson from My Accountant

I am always careful of what information I give out. When the DMV was asking me for my Social Security number to put on my license I protested. Why does the DMV need this info? After a letter writing campaign, the DMV switched to a new ID system. When my health care provider sent me an ID card with my SS# on it I protested.  I was happy to get their first “fake-o” ID card as they called it. If there isn’t a good reason to give my info to you I will not give it.

I just filled out my tax return for my accountant. He looked it over and asked why am I putting the full account number of my financial institutions on my tax form. Good question. The IRS computers can match my tax return and my account info. Why put the full number on the form to give an opportunity for a data entry clerk or someone else to steal my ID? Thanks Matt.

Better to ask why then to get your identity stolen.

If you are in the Northern Virginia area and need an accountant, I recommend Matt Miller (  Knows his taxes and tax planning.

DNSSec Works for Consumers, Almost

Every since I found heard about Dan Kaminsky’s research on flaws in DNS in 2008 I have been looking forward to the industry’s response, DNSSEC (Domain Name System Security Extensions). Unfortunately DNSSEC required an end-to-end solution from the root DNS servers to ISP servers to routers to operating systems to browsers. Parts have been working for awhile like my ISP’s DNS server. Finally this weekend with some beta software from my home router my dream of seeing DNSSEC for consumers has been completed.

My Verizon’s DNS server supports DNSSEC (note that as of today not all of Verizon’s servers are supporting DNSSEC). My Asatro router has implemented DNSSEC. Firefox and Windows 8 support it. With the help of the Firefox DNSSEC validator plug in you can see in the screenshot below the validation that Symantec’s website is the real site and could not have been spoofed by a DNS exploit. Yeah!

Now its time for Cisco/Linksys, Netgear, D-Link, etc. to support DNSSEC.

DNSSec in Action

The Unintended Consequences of Social Networking

With today being Facebook’s IPO I wanted to address an unintended consequence of social networking. I am a huge fan of LinkedIn for expanding my professional network, for learning and collaborating with other security/privacy pros, and it certainly helps with a job search. I teach advanced LinkedIn every week to 20 to 30 people in career transition.

Bad guys are using LinkedIn to create org charts of their targets. Odds are high that you are connected to your manager and your team is connected to you. If you or your team received an e-mail from your boss (or someone spoofing your bosses e-mail address) and it contained an attachment labeled “Corporate Strategic Plans – Confidential” (or any document containing malware), would you open the mail and the attachment? Highly likely.

Good guys a.k.a. your competitors are watching the new LinkedIn connections from your executives, especially the business dev team. They look for patterns. A few execs connecting to a particular company can be a clue about M&A activity. Want to know who a company’s suppliers are? Check LinkedIn. Competitors are also looking at new hires gleaming information about new products being developed.

Actionable advice: Security teams need to advise HR, business dev, and product teams about the information bad guys and competitors can learn from social networking.

Tips to Keep You Safe Online

Some tips to keep you and your family safer online.

a)      Use to keep track of your passwords. With Lastpass I remember only one long, random, secure password and Lastpass remembers over 200 of my passwords which all look like random variations of “C5r$u9cLy#bG”. I also use YubiKey with Lastpass to provide secondary authentication. Yubikey is a small plastic USB device that sends a pseudo-random number to a server to authenticate me. Google Authenticator is an alternative secondary authentication.

b)      Change your password reset questions so that your answers are no longer “Snoopy”, “ice cream,” or “Justin Bieber.” Too easy to guess the name of your first pet or your favorite food. Too easy to find out from your Facebook profile your favorite singer. Use answers like “game73elmo29.” Write them down in a secure place or you can use Lastpass to keep track of tem.

c)       Do not use the same password at multiple sites.

d)      Change the default password on your router. Some of the sophisticated hacks attack widely-available Belkin, D-Link, Linksys, etc., routers. If you are adventurous build your own router like Astaro or PFSense using an old PC.

e)      Check your router’s security using the ShieldsUP! tool at

f)       Make sure your wireless router uses WPA2. WEP is too easy to crack.

g)      Check to see that hardware DEP is turned on if you are using a Windows PC.

h)      Use NoScript to prevent malicious scripts from running if you are using Firefox. I think Firefox is the most secure browser but you could also make an argument for Chrome or IE9.

i)        Use SandboxIE to virtualize any browser.

j)        Backup your essential files. Bad things can and will happen. I use the 3-2-1 rule. Three copies, two different media (I use hard drives and cloud drives), and one copy off-site (I use two off-site vendors, Amazon and Rackspace)

k)      Scan your PC occasionally using a LiveCD like Microsoft System Sweeper. The LiveCD does not boot into Windows so difficult to detect malware like rootkits can be detected.

l)        If you want to check to see if the file in an e-mail or you downloaded, check the file at It will be checked against more than 40 antivirus products. Of course just because the file appears to be virus-free, it may be a zero-day.

For Absolute Internet Security – A Browser & Internet Boot Disk

There is a misconception in the public that you can visually detect malware on your PC because there are popups or strange things happening to their PC. It is true that some malware tries to sell you protection software and it will popup fake security warnings or the latest scam says that your “hard drive is failing.” Much of the most dangerous identity stealing or malware that gives bad guys access to your financial accounts is designed to be absolutely stealth. The bad guys do not want you to know there is a problem with your computer otherwise you might think there is something wrong and try to fix it. Not all malware is detectable by anti-virus tools.

So what is the absolutely must secure protection you can take? A boot CD or USB drive with an operating system, usually Linux ready to operate after a quick boot. When you want to securely access the Internet start one of these malware-free drives. Since they are read-only cookies cannot be stored so they enhance your privacy (of course you can still be tracked by IP address).

My favorite boot disk is from the U.S. military called “Lightweight Portable Security.” You can carry it with you on a USB flash drive. It installs quickly. Once running you can use Firefox to access your secure sites. It is free.


My Favorite Firefox Security Add-On, NoScript

Security pro’s have been advising people to “stay away from dangerous websites.” I agree that pornography, game cheat codes, and file sharing sites are probably more dangerous than CNN but you can also get infected from a malicious advertisement appearing on CNN or any “legitimate” site. Turning off scripting, the most likely source of malware, is an important step.  It is simple to do.

Once you install NoScript, view this video which explains how to use it.