Category Archives: Security Practices

A Warning About Two Factor Authentication

I have been a strong advocate for two factor authentication and still am, but I ran across a situation yesterday that made me realize that there is something that you need to consider when you implement two factor.

The situation that I encountered was a user that was using text messages for two factor authentication and those text messages were going to his cell phone.  Without understanding the implications, the user cancelled that cell phone and lost control of the phone number.  When that happened, the user lost the ability to sign into the account protected by that phone number.

This is very similar to forgetting your password, but most vendors have made recovering your lost password easy – too easy in my opinion, but we are used to it.  I have to admit, I have used it.  Typically they send an email to the registered email address and you can reset your password.  If a hacker gets into your email they too can reset any password, which is why I say that it is too easy.

The problem/question is this: if you lose access to your phone number, does the vendor have a mechanism to recover access to the account?  Notice I didn’t say your phone, but rather your phone number, because if you lose your phone but still control the number, you can move that number to any new phone and still get those text messages.

Let’s say you protect your bank account with two factor.  Likely, you can go into the bank in person, show a banker your government issued picture ID and they can remove the two factor requirement or change the phone number.  MAYBE.  Worst case, you can go into that same bank and close your account, take your money and open a new account.

But what if the account is Facebook?  There is no Facebook store to go into to do the same thing, and closing your Facebook account will disconnect you from everyone.  Of course, possibly, losing access to Facebook might give you a lot of time back in your day.

OK, so now I have scared you out of using two factor authentication.  Let me see if I can make you OK with two factor.

First, if the web site allows it, you should create a backup authentication option.  For example, many companies will allow you to get your second factor via text message OR phone call. Or possibly via text message OR email.  If they allow that, then make sure that you set that up.  That way, if you lose access to your phone number, you can still log in after receiving the code via phone call or email.  DO NOT make the phone number the same phone number that you get your text messages from.  Remember that the issue is that you lost control of that phone number.  Use a home phone or work phone or spouse’s phone or just something different.

Next, make sure that you keep track of what those second methods are.  Sometimes a web site will display an option showing you how you can receive the second factor.  If it does, pay attention and make sure that you still have access to it.

Do not release your phone number unless you are sure that anything that you are using it for has been accounted for.  If you have to change your phone number for some reason, look at all the accounts that use it to protect and disable two factor before you get rid of that number and then turn it back on with the new number.

Talk to your phone carrier and add a password to your mobile phone account.  While hackers can sometimes social engineer their way around that, it makes it more difficult.  That will reduce the odds that you will lose access to that phone number.

Finally, ask the vendor what their policy is for resetting two factor authentication.  Even Google has a method to do this.  It is a bit of a pain and it can take a couple of days, but it is possible.

As two factor becomes more popular, vendors are going to have to deal with this new reality, but it will take some time.

Finally, if you use two factor authentication apps like Facebook Authenticator, those are more portable.  As long as you don’t lose access to your Facebook account, you can still access authenticator – from any phone – as long as your access to Facebook is not protected solely by a two factor authentication to that lost phone NUMBER.

I know, something else to worry about.  I think as long as you set up two different methods to receive that second factor, you are pretty safe.  Just keep it in mind.
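The two pieces of advice above – set up a backup method that does not ride on the same phone number, and review every account that uses a number before giving it up – can be checked mechanically if you administer an identity system. The following is an added example, not code from the original post: it models enrolled second-factor methods, flags enrollments whose every method depends on one phone number, shows which users are locked out once that number is lost, and lists the accounts to revisit before a number is released. All users, numbers and the `Factor`/`Account` types are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    """One enrolled second-factor delivery method (constructed model)."""
    kind: str    # "sms", "voice", "email" or "totp"
    target: str  # phone number, e-mail address, or authenticator-app id


@dataclass
class Account:
    user: str
    factors: list  # list of Factor


def dependency(factor):
    """The external identity the user must still control to use this factor.

    SMS and voice both ride on a phone number, so they share a dependency:
    losing the number loses both at once, which is the trap the post describes.
    """
    if factor.kind in ("sms", "voice"):
        return ("phone", factor.target)
    if factor.kind == "email":
        return ("email", factor.target)
    if factor.kind == "totp":
        return ("device", factor.target)
    raise ValueError(f"unknown factor kind: {factor.kind}")


def audit(account):
    """Return a list of findings; an empty list means there is a backup
    method that does not share a dependency with the primary one."""
    if not account.factors:
        return ["no second factor enrolled"]
    if len(account.factors) == 1:
        return ["only one second-factor method enrolled; no backup"]
    deps = {dependency(f) for f in account.factors}
    if len(deps) == 1:
        kind, target = next(iter(deps))
        return [f"all methods depend on the same {kind} ({target}); "
                f"losing it locks the user out"]
    return []


def can_sign_in(account, lost):
    """True if at least one factor is still usable after the user loses
    control of every dependency in `lost` (a set of (kind, target) tuples)."""
    return any(dependency(f) not in lost for f in account.factors)


def accounts_depending_on(accounts, dep):
    """Users to revisit before giving up a number or mailbox: every account
    with at least one factor riding on `dep`."""
    return sorted(a.user for a in accounts
                  if any(dependency(f) == dep for f in a.factors))


# Constructed sample enrollments; not real users or phone numbers.
OLD_NUMBER = "+1-555-0100"
ALICE = Account("alice", [Factor("sms", OLD_NUMBER), Factor("voice", OLD_NUMBER)])
BOB = Account("bob", [Factor("sms", OLD_NUMBER), Factor("voice", "+1-555-0199")])
CAROL = Account("carol", [Factor("totp", "authenticator-app")])
ACCOUNTS = [ALICE, BOB, CAROL]

if __name__ == "__main__":
    lost = {("phone", OLD_NUMBER)}
    for acct in ACCOUNTS:
        status = "can sign in" if can_sign_in(acct, lost) else "LOCKED OUT"
        print(f"{acct.user}: {audit(acct) or 'OK'} | after losing number: {status}")
    print("review before releasing", OLD_NUMBER, "->",
          accounts_depending_on(ACCOUNTS, ("phone", OLD_NUMBER)))
```

Alice has two methods but both depend on the same number, so she is locked out exactly like the user in the post; Bob's voice backup on a different phone keeps him in. The `accounts_depending_on` query is the "look at all the accounts that use it" step, run from the administrator's side rather than the user's memory.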


Between Snowden and Shadow Broker, NSA has a Problem

The NSA hasn’t had a great few years.  And it isn’t getting any better.

First it was Snowden, dumping documents on seemingly a weekly basis.  There were two schools of thought regarding Snowden.  Some said he was a hero for disclosing illegal government actions.  Others said that he was a traitor for disclosing national security secrets.  The leaks seem to have stopped at this point.  For now!

There are a couple of important distinctions about Snowden.  First, we know who he is and where he is.  Second, he disclosed documentation.  Directions.  Information.

The second major breach is the Shadow Brokers.  Where Snowden leaked documents, Shadow Brokers leaked tools.  Going back to those distinctions, we do not know WHO the Shadow Brokers are or WHERE they are.  These tools are now available on the open market and while some of the flaws these tools exploited have been patched, it doesn’t mean that people have applied those patches.  Remember the WannaCry infection that cost Fedex $300 million and Merck $600 million – so far?  Yup.  One of those tools that was released.  And for which there were patches issued but not applied.  And that was only ONE of the tools.

The New York Times ran a great article on the issue yesterday (see link below) that talks about how these breaches have affected the NSA (and the CIA with its own leaks).

The problem is that with so many employees and contractors, and the ease with which someone can sneak out a gigabyte of data on a device the size of your finger tip, it is a hard problem.

So they have been conducting witch hunts.  Given that they don’t know who or how many bad guys there are, they really don’t have much of a choice, but that certainly doesn’t improve morale.

One of the guys the Times interviewed for the article was a former TAO operative.  TAO is the NSA’s most elite group of hackers.  He said that Shadow Broker had details that even most of his fellow NSA employees didn’t have, so exactly how big is this leak anyway?  And is the leaker still there?  Is the leaker an insider?  Or have the Ruskies totally penetrated the NSA?

And, of course, the NSA has to start over finding new bugs in systems since the vendors have, in many cases, patched the bugs that the NSA tools used.  Then we have that NSA developer in Vietnam who took homework and ultimately fed it to the Ruskies – not on purpose, but the effect is the same.

It just hasn’t been a good couple of years for the NSA or the intelligence community.  On the other hand, as we hear more about the hacking of the elections last year, the Russians seem to be doing pretty well.

One last thought before I wrap this up.

The government, many years ago, decided that OFFENSIVE security was much more important than DEFENSIVE security.  This is why the NSA hoards security vulnerabilities instead of telling the vendors to fix them.  Maybe that is an idea that needs to change.  It certainly does not seem to be working out very well for American citizens and businesses.

Until that happens, you are pretty much on your own.  Just sayin’.

Information for this post came from a great article in the New York Times.


What Do You Get for $7.55 Billion?

This year the TSA’s performance is better than last year.

Last year, it has been reported, TSA checkpoints failed to detect contraband 95% of the time.

That means for $7+ billion, TSA agents only stopped 5% of the stuff that was not supposed to be allowed on board.

This year, according to reports, the number is in the neighborhood of 80% failure, meaning that the bad guys have a 4 out of 5 chance of getting contraband on board.

That makes me feel safer, for sure.

The briefing, before the House Committee on Homeland Security, was classified. I think the bad guys understand that their odds are good in getting stuff through the checkpoints.  The reason the hearing was classified, no doubt, is they probably discussed what types of things were least likely to be detected and techniques that they used.

This year, instead of using specially trained red teams during the test, they used secretaries and clerks.  You would think that might improve the odds of getting caught, but apparently not.

Rep. Mike Rogers told TSA administrator David Pekoske that “this agency that you run is badly broken”.

That would qualify as an understatement.

Of course, none of this is news to those of us in security.

Going back to when Mary Schiavo was the Inspector General of the Department of Transportation, corruption, fraud, incompetence and abuse in the DoT was being exposed.  Schiavo had over 150 convictions during her 6 years as IG.

TSA “red teams” have been trying to sneak stuff through checkpoints for 15 years.  In 2015, the TSA screeners failed in 67 out of 70 tests, according to leaked reports.

This year is a tad bit better, but still, the odds of getting contraband through – including guns and explosives – are insanely high.

It might also be useful to understand that the so-called “9/11” security fee that is added to every airplane ticket has been mostly diverted to other purposes and is not used to pay for or improve security or buy new screening devices.

Because the 9/11 fee is being diverted to items like building the border wall, security at airports is being degraded.  DHS Viper teams that use dogs to secure transportation facilities are being cut from 31 teams to 8 teams, for example.

I think I am going to drive on my next trip – it might be safer.

Information for this post came from ABC.


The Spy Among Us

Multiple sources are reporting a feature of iPhone apps that is a major privacy concern.  This is not new and it is also an issue on Android phones, but, for some reason, everyone seems to be highlighting the problem with iPhones.  PERHAPS that is because it is being exploited in the wild on iPhones – I don’t know.

The short version goes like this –

IF you EVER allow an app to access your phone’s cameras, you have lost control of it.  That app can access your camera – both front facing and rear facing – whenever it wants to.  It does not have to ask you to access the camera.

You are trusting that app not to abuse that trust.

Actually, it kind of depends on whether YOU installed the app or someone else installed it – with or without your knowledge.  For example, here are 5 spying apps that people intentionally install.  It may be a parent or a spouse, but it is likely not you who installed the app.  Sometimes parents want to track what their kids are doing.  Sometimes a spouse wants to spy on their significant other.

The app could upload the photos to the net and/or it could process the images – say to examine your facial images as you look at the screen.

One part of the problem is that there is no indication that the camera, front or back, is on.  As a side note, while there is a light on many PCs indicating the camera is running, that is a bit of software and the camera COULD be turned on without the light being on.

Apple (and Google) could change the camera rules and require the user to approve camera access every single time the camera wants to turn on – but that would be inconvenient.

One of my contacts at the FBI forwarded an alert about this today, so I suspect that this is being actively exploited.

The FBI gave a couple of suggestions –

  1. Only install apps from the official app store, not anyplace else.
  2. Don’t click on links in emails

In reality, the only recommendation that the FBI made that will actually work is this next one:

  3. Place a piece of tape over the front and rear camera.

Ponder this thought –

The camera sits on your table in front of you;  it is in your bedroom, potentially capturing whatever you do there; it is in your bathroom. You get the idea.

Just in case you were not paranoid enough before.

Information for this post came from The Hacker News and The Register.


Who Owns Your Financial Data Anyway?

Consumers have been wrestling for years now about access to their personal data.  There are many non-bank financial products such as Mint and WalletGyde that help consumers manage their money, but it has always been a fight between the banks and these companies (of which there are at least hundreds, maybe more).  As a group, these companies are called FinTechs.

In Europe, the government said that consumers owned their data and even forced a standard on banks for sharing that data with the FinTechs consumers chose to share it with.

In the U.S. there is no standard and, up until now, no requirement that banks let you grant access to your own data.  This has led to FinTech companies having to ask you to trust them with your banking userid and password, and those same companies having to scrape your data right off the screen.  About a year ago I got a message from Chase warning me that if I shared my password with a FinTech company (or anyone else), the bank was disavowing any responsibility for what happened.

This week that all changed.

The Consumer Financial Protection Bureau issued a long-awaited ruling on the subject.  Their answer:

CONSUMERS SHOULD HAVE ACCESS TO FINANCIAL DATA THAT IS TIMELY, ACCURATE AND SECURE ON WHATEVER TRUSTED THIRD-PARTY TOOL THEY CHOOSE TO USE.

This is a win for consumers who now will be able to have a more timely and secure method of sharing their data with third parties and it is a win for the FinTechs who have been fighting for this.  For the banks, it is not good news, but probably expected.  Banks are fighting for their survival.  Until say ten years ago, they were the king of the financial hill.  Now, they are just one player of many and when it comes to data aggregation, the banks aren’t really much of a player at all.  This is one more nail in that coffin.

Up until now the data sharing between banks and FinTechs has been one-off agreements between two parties such as:

  • Chase and Intuit have created a data interchange agreement
  • Wells and Xero have an agreement
  • Capital One and Xero have an agreement
  • And likely others that we have not heard about

The principles that the CFPB created include –

  1. Access – Users can obtain information from a service provider and grant access to a third party.
  2. Data Scope and Usability – The available data should include transaction and fee information and any other aspect of a consumer’s usage.
  3. Control and informed consent – Consumers can control their data sharing and revoke it whenever they want to.
  4. Authorizing payments – Accessing data is different from authorizing payments to be made, but consumers may grant third parties both of these permissions.
  5. Security – The data has to be secure.  This seems to give the CFPB a camel’s nose under the tent to make sure that the FinTechs protect consumers’ data.
  6. Access Transparency – Consumers need to be able to easily understand what permissions they have granted to whom, with relevant parameters (like how often the third party can access their data).
  7. Accuracy – Consumers can expect the shared data to be accurate and have reasonable means to dispute and resolve inaccuracies.
  8. Ability to dispute and resolve unauthorized access – Consumers have reasonable and practical ways to dispute and resolve issues related to unauthorized access and payments.
  9. Efficient and accurate accountability mechanisms – Commercial participants (i.e. the FinTechs) are accountable for the risks, harms and costs they introduce to consumers.

So this swings both ways and the CFPB has already whacked FinTechs from time to time (Search for CFPB Dwolla consent decree, for example).  All in all, though, I would say that this is great news for consumers, good news for FinTechs and not so good news for banks.

Now it is up to the banks and the FinTechs to work out the details.  It is likely to get a bit messy before it gets cleaned up.  MAYBE, the banks will agree to a data interchange standard, which would be great, but I haven’t seen anything public on that subject.

Information for this post came from American Banker, here, here and here and the CFPB.


TSA Rolls Out New Screening Rule

Earlier this summer, TSA banned laptops and other large electronics on flights into the United States from certain countries.  Almost as quickly, they removed those bans – likely due to feedback from the airlines who were concerned that travelers would use video conferencing instead of flying.

Later this summer, TSA started a pilot program at a few airports that implemented enhanced scanning of electronics.

Now they are beginning the roll out of the program nationwide between now and early 2018.

Here is how the program will work.  Passengers will be required to take ALL electronics larger than a cell phone out of their carry-on bags and place them in a tray by themselves, with nothing underneath them and nothing on top of them.

This includes game consoles, cameras, iPads and other large electronics.

Because of these new rules and the anticipated delays at screening locations, TSA is recommending that passengers arrive at the airport 90 minutes before their flight rather than 60 minutes before.

It is not clear if these rules will apply to TSA Precheck passengers.

Information for this post came from Security Today.
