Archive for the ‘Privacy’ Category
The latest interest security threat, called Heartbleed, has caused some people to reconsider their use of passwords and net security generally. Latest threat or not, that’s never a bad idea.
If you’re a typical internet user, you re-use the same user name and password, or some slight variation of it, on every website and service you visit. This is a very natural, human solution to the problem of having to remember multiple user names and passwords. It’s also several steps removed from never locking the door to your house. It’s more like leaving your door unlocked, putting up a neon sign reading “FREE LOOT,” and then posting the address of your home and your daily itinerary on Craigslist.
Heartbleed exploited a flaw in a piece of software used by millions of websites. It allowed an intruder to retrieve information held in volatile server memory, which changes from one microsecond to the next. Make enough queries, and you’ll eventually get someone’s user name and password information, and maybe even their credit card or bank data. Invaders write “bots” to do this again and again, and then search the plunder for the information they want.
Once that’s in their hands, they start trying some of the larger commercial websites with the same user name and password data. If you were using the same login information on, say, Twitter, that you were using at Amazon.com or BestBuy.com, they will be able to order merchandise under your account and even change your password and email address of record to make it more difficult for you to notify the merchant of the intrusion. Your credit card company will most likely eat the fraudulent charges sooner or later, but in the meantime you’re trying to buy gas or check into a hotel, and your card is declined because it’s over the credit limit.
Much of this grief can be remedied by using a password manager. Password managers track your user name and password information, as well as a lot of other data if you choose to trust it, all locked down with a single password.
The obvious first questions are, “So what if I lose that password?” and “What happens if the password manager is compromised?” If you lose the master password and don’t have the data backed up anywhere, you’re pretty much screwed. Sorry about that. Nothing is completely foolproof. However, that problem is solved fairly easily.
As for having the password manager compromised, well, never say never, but it hasn’t happened yet. Because of the importance and the volume of information these services protect, they have multiple layers of encryption and are about as secure as anything you’re going to find. In any event, they’re better than writing down your passwords on a Post-It attached to your monitor (someone just glanced at that Post-It).
Creating a password that you can remember, but is difficult to crack, is not as difficult as you might think. Stringing together three apparently unrelated dictionary words works pretty well, even more so if you separate them with random punctuation or substitute numbers.
For example, say that your high school mascot was the Warriors, your favorite pet’s name was Fluffy, and you lost your virginity in a Camaro. Let’s also assume you haven’t used any of these as the answers to security questions on any website (if you have, pick some other random words or events). From these, we get
Preface, separate and follow up the passphrase with some punctuation, and we have
Now, change the letter i to numeral ones (1) and the letter o to zeroes (0), and we get
Using the calculator at How Secure Is My Password?, I get the following estimates of how long it would take a typical desktop PC to crack each one of these:
WarriorsFluffyCamaro: 165 quadrillon years
*Warriors%Fluffy&Camaro+: 530 septillon years
*Warr10rs%Fluffy&Camar0+: 14 octillion years
Personally, I think the calculator on that website is a little pessimistic, as people are constantly devising better methods to crack passwords. However, I want to make it as difficult as possible, on the theory that if I make it hard enough to crack my password, the intruder will go on to someone who is easier pickings.
Most password managers have an option to use an onscreen keyboard to enter the master password. This is a feature designed to thwart keyloggers. Keyloggers can be hardware or software add-ins (the hardware varieties are usually innocuous-looking devices that install between your keyboard and computer cable) that record every keystroke you enter. A keylogger can obviously steal any password information you type into the keyboard. You circumvent the keylogger by bringing up a graphical keyboard with keys you click on with the mouse to enter your password. This is an important feature to use anytime you’re using a computer you do not control 100% of the time.
Password managers can also store information you key into onscreen forms, such as your home and shipping address, phone numbers, credit card numbers, etc. They save time, all but eliminate errors, and also circumvent keyloggers.
You can also create random, all-but-unbreakable passwords with all these password managers. You set some parameters of length, whether the password should contain uppercase or lowercase letters (or a mix of the two), and numbers and/or punctuation. Click the button, and a new, random password will appear. If you’re using a password manager, there’s no reason not to use long, complex passwords, as you’ll never have to enter them manually.
Here are three password managers I know to be reliable. Each one works in a slightly different way. One is free, no matter what; one is free for basic use and has an annual fee for more advanced features, and one is a subscription service.
KeePass is an open-source, completely free, standalone password manager. By “standalone,” I mean that it does not reside on the internet. You store the program, and its data files on your computer, or on a flash drive you move between the computers you use. Open source software is created by volunteers who make the source code available to anyone who wants it. The idea is that anyone who is interested can improve it and submit the improved code for new versions. There are lots of very reliable and well-thought-of open source packages.
As with other password managers, when you set up the program, you establish a single master password. This password should be something completely unique, not a word found in any dictionary, and certainly not something you use or have ever used anywhere else. If everything goes right, there is no need for you to remember any other password, ever again, so make this one a good one.
KeePass is activated when you bring it up manually, as with any other program. You enter websites, user names and passwords into forms, which are then encrypted and saved by the software. The next time you want to log into a website you have already saved, you just bring up KeePass, find the entry for the website you want, click on it, and it will open a new browser window, enter your login credentials, and log you in. It does this much faster than you would be able to.
You can install KeePass on any computer you use, but data files residing on more than one machine won’t be synchronized automatically. You can avoid that problem by installing the software on a flash drive, and inserting the flash drive into whatever machine you’re using at the moment. If you lose the flash drive and the data isn’t backed up (easy to do), you’re in a world of hurt, but anyone who finds the flash drive won’t be able to get into your password file without the master password.
LastPass is a web-based password manager that is free to use most commonly-used features. There is a premium version for $12 per year that allows you to use the service on smartphones and other devices.
You start by going to the LastPass website and setting up an account. You then download and install the LastPass plug-in for any web browsers (Internet Explorer, Firefox, Chrome, etc.) you use. Each time you open that browser, LastPass will ask you for your master password.
When the plug-in is active and you’re logged in, LastPass will ask you if you want it to remember each website you log into. If you answer in the affirmative, the login information will be stored along with the site’s URL. For future logins, all you need to do is find that website in LastPass’s list, click on it, and the service will open a new browser window, go to the appropriate site, and log you in.
LastPass can be run from any computer, even if the browser doesn’t have the plug-in installed. You justy go to LastPass.com, log in with your email address and master password, and you’ll see a list of your stored sites. Click on any one of them, and the service will behave as if you had the plug-in installed, opening a new window and entering your login details.
LastPass can also store routine form information, credit card info, and random text information. For example, if you needed to keep a list of your prescription medications, you could open a new “Secure Note,” enter the information, and save it. It is as secure as your passwords.
This is the password manager I use, more out of habit and preference than anything else. RoboForm is free to download and install, but the unlicensed version will store a limited number of passwords. The premium RoboForm Everywhere package is $9.95 for the first year and $19.95 each year thereafter, and works across multiple computers and smartphones.
Installing RoboForm automatically installs a plug-in into any browsers installed on the computer. Periodically during the day, the software will “phone home” and check for any changes between the local database and the one residing on the RoboForm servers. Synchronization is automatic and almost instantaneous. The advantage is that I have the same password and other data files on every computer and smartphone I use. The RoboForm software starts automatically every time I log in to my computer, but it asks for the master password every time, and after an interval I set if I haven’t used it for a while.
As I log into a new website, RoboForm asks me if I want to save that login data. If I answer “yes,” the URL and login data are saved automatically. You can set up multiple nesting folders for logins, what RoboForm calls “SafeNotes,” and other information, so that you see only the lists you want to see. For example, I keep the logins and notes for my employer in a separate folder from my own. If I have multiple logins for the same website stored (as with different accounts for Google, Facebook, etc.), when I go to that site’s login page, RoboForm gives me a list of the stored logins and asks me which I want to use.
I can store multiple credit cards, shipping addresses, and even personal data like driver’s license and passport number, and keep separate sets of these under different “identities,” if desired. I just counted, and saw I have 920 website logins stored in RoboForm, so obviously keeping all of this straight is kind of important for me.
RoboForm is updated constantly—as often as every week. When I new update is available (usually to deter a new intrusion scheme), I get a notice that I’m using an outdated version. Downloading and installing the latest version seldom takes more than a minute.
This editorial originally appeared on Officer.com in August 2007.
I spent the last few days at the annual meeting of Police Futurists International, which is held in conjunction with the World Future Society’s annual conference. This year, we were in Minneapolis. One of the presentations I attended discussed the use of RFID devices. “RFID” stands for Radio Frequency Identification, and most of us know them as those anti-theft tags concealed inside merchandise that are supposed to be deactivated when we buy the item. When they’re not, an alarm sounds as we exit the store. In some businesses, the alarms are so commonplace that no one even looks up when they go off.
What made the news most recently was the announcement that my home state of Washington was going to start placing RFID tags in its driver licenses, starting in 2008. This came a week after I received my new passport in the mail. The new document has a small gold symbol below the words “United States of America,” and indicates that it, too, contains an RFID chip.
Futurism is bright and cheery or dark and scary, and sometimes a little of each. It’s the practice of making a best guess at will happen in the years to come. Movies tend to get a little ahead of themselves with regard to the advancement of technology and the social implications of it. A film shown at the 1939 (this was the year that The Wizard of Oz premiered) World’s Fair in New York depicted the America of 1960 as having flying buses, elevated trains that operated without human pilots and dropped you right at your office door, and concentrated food that didn’t require refrigeration, cooking, or even chewing. 2001: A Space Odyssey was released in 1968, and forecast a space station that looked like an airport hotel, routine scheduled flights (on PanAm, no less) between the space station and earth, and full-screen video phones, not to mention a talking computer that was self-aware. Of course, The Terminator and 1984 showed a gloomier view, where machines had taken over the world and were working on exterminating all of us meat puppets, or a totalitarian society in which everyone was watched, all the time, and the range of creative thought was progressively narrowed in order to maintain government control.
Futurists claim to base their studies on nascent technology and social practices, with an eye on how and how fast things have progressed thus far. Some of these are kind of “out there,” in my view. I heard one talk where the speaker not only forecast the advent of a Star Trek-like computer where all input and most output was speech-based, but said that this would lead to a society where conventional literacy was obsolete (and he characterized this as a good thing). The RFID stuff seemed more plausible to me, mainly because there is considerable economic incentive to make it happen.
RFID chips come in two main flavors: active and passive. The passive ones are a lot cheaper and much more common. A passive RFID device can be very small–some will not cover the mint year on a penny–and contains no power supply. It draws its power from the radio energy of the scanner or “interrogator” that reads it. When the device is energized by the right type of electromagnetic juice, it transmits the data encoded on it. The data is normally a short (up to 60 or so) string of numbers, although the more complex and expensive chips can hold considerably more data. Most of the RFID chips in use hold a number which is keyed to a more complete record in a database located elsewhere. The RFID chip that is implanted under the skin of my dog holds a number that corresponds to the information in the pet locator’s computer, which includes the dog’s name, my name, address, phone number, etc. If you scan the number but don’t have access to the database, the number isn’t going to be much use to you. The chip proposed for the Washington driver license will hold the license number, which will allow someone with access to the Washington Department of Licensing database to get the record associated with that license number.
The RFID device in my passport is a little more complex. The page of my passport that has my photo and other identifying information has a “machine readable” section at the bottom. Optical scanners at many passport control stations in this country and others can interpret this information and save the border security officer the time required to type the same information into a terminal and determine, despite my devilishly good looks and dazzling sophistication, that I am not an international spy with a license to kill. The RFID tag contains exactly the same information. Thus, is someone was to get close enough to interrogate the tag, they would have the essential details contained in my passport. The cover of the passport is supposed to have metal threads that will act as a Faraday cage and thwart efforts to do this, but anecdotal evidence indicates that it not only can be done, but has.
To fan the flames of discontent further, the inclusion of an RFID device is one of the measures recommended for identification documents in compliance with the REAL ID Act, which, at this writing, has been put off until the end of 2009.
Detractors of the new Washington driver licenses, which include, naturally, the ACLU, say that there is a difference between handing someone your identification and knowing that they have access to the information it contains, and having someone be able to get that information without your knowledge. This is not a far-fetched scenario. If the scanner at Wal-Mart can detect from 20 feet away that you’ve got the new Disney DVD in your shopping cart, it would be pretty easy for the same scanner to pick off your license number from the RFID chip embedded in the license. And it may already be possible to interrogate such RFID devices from the side of the road, logging the ID of every driver and passenger that passes a checkpoint, and checking them against a wanted persons database. Some people are already upset about automated license plate readers, calling them an invasion of privacy.
Personally, I don’t get too bothered about all of this. I just put my own name into Zabasearch and came up with 75 hits, four of which are me. For less than ten bucks, anyone who wants to can get my date of birth and address, and for a few dollars more, a lot of other stuff. People who subscribe to data mining services like Accurint can get a whole dossier for a quarter–I’ve seen mine. The only way to avoid having this information available is to go off the grid and live below the radar for a long time, and most of us can’t or don’t want to do that. Identity theft is a real concern, but I check my credit card and bank statements carefully, and order up a new, free credit report every four months (each of the three major credit bureaus has to give you a free report once a year if you ask – just ask a different one every four months). But I can see how this would bother a lot of folks.
I didn’t get in to active RFID tags, which actually broadcast data to a dedicated receiver, a cell tower, or even a satellite. Yes, they exist, and that is a scary proposition.
Welcome to the Brave New World. It isn’t the world that 2001: A Space Odyssey or 1984 led us to expect, and yet you could argue that it’s a little of both.