Monday, August 2, 2010

Do You Trust Websites? Paranoia, Part 2

In my previous post I talked about some of the security implications that come from inherently trusting unknown computers. Today I am going to talk about websites. Again, you can call me paranoid if you want to; I'm just trying to get you to think about things from a different perspective.

What is a website? A website is a server that you connect to through your web browser. Some sites are strictly informational, but nowadays almost every site out there is interactive in some way. You can create an account that you can access with a username and password. Accounts are normally tied to an email address. You use your account to interact with the website in some meaningful way. Nothing I've said so far should be terribly new to most people familiar with the Internet.

Now onto the things you may not have thought about. 

Is your connection to the website secure? Some websites, like your bank, use an authentication and encryption protocol known as SSL/TLS to verify the identity of the site and to protect all of the traffic being transferred between your computer and the server. Not all sites use SSL/TLS because it costs money for the website to set up and adds additional processing load to the server. SSL/TLS is not dependent upon the use of a username and password, which means that it can be used on sites where you don't have an account. It also means that just because you have to log in to use a site, the connection isn't necessarily secure. Many, many sites requiring a login do not encrypt their connections.

Where is your account information stored? The answer to that question is that your account information is stored in a database. The database is probably stored on the same physical machine as the web server for low volume sites while higher volume sites may store the database separately. Databases are typically not encrypted because it doesn't make sense to do so.

Who has access to the website's database? Obviously the webserver has access to its database. Some people will have access to the database too. For low volume sites this may be a single person who runs the website. Or it could be the guy that the website owner pays to manage the site. For larger volume sites, it might be a team of people who have access to the database. Depending upon what the access control policies are like for a company, it could be that everyone who works there has access to the database, like how Facebook is, or at least used to be.

How is your password stored? If a website was designed with security in mind, passwords will be encrypted before they are stored. The way that works is to take your password and encrypt it before it is stored in the database during account creation. When you go to log in in the future, your password is encrypted and compared with the stored value. If the two values match, you are logged in. But this requires more work, which leads some sites to just store your password without encrypting it.
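
As an added illustration (not code from the original post or from any particular website), here is the store-and-compare flow described above next to the careless plaintext version. It assumes the protection applied is a salted one-way hash (PBKDF2), the usual way this step is implemented; the function names, sample accounts and iteration count are made up for the sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this sketch)

def store_plaintext(db, user, password):
    """The careless design: the database row is the password itself."""
    db[user] = password

def store_hashed(db, user, password):
    """Account creation: keep a random salt and a slow one-way hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db[user] = (salt, digest)

def login_hashed(db, user, attempt):
    """Login: redo the same computation with the stored salt and compare."""
    record = db.get(user)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

def leaked_passwords(db):
    """What someone with read access to the table learns directly."""
    return [value for value in db.values() if isinstance(value, str)]

def demo():
    careless, careful = {}, {}
    # Constructed accounts: two users who picked the same password.
    for user in ("alice", "bob"):
        store_plaintext(careless, user, "correct horse")
        store_hashed(careful, user, "correct horse")
    return {
        "plaintext_leak": leaked_passwords(careless),
        "hashed_leak": leaked_passwords(careful),
        "same_stored_value": careful["alice"][1] == careful["bob"][1],
        "good_login": login_hashed(careful, "alice", "correct horse"),
        "bad_login": login_hashed(careful, "alice", "Correct horse"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Anyone who can read the careless table gets every password as typed; the careful table yields only salts and digests, and the per-user salt means two people with the same password do not end up with matching rows.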

What happens when security fails? Websites are designed by people. People make mistakes. People can be negligent. Even websites run by people with the best intentions who have all the right knowledge can suffer security incidents. But how are you to know which websites are careful and which ones are careless? Just because a website is large and well known doesn't necessarily mean that your data is safe. The job posting site has been hacked more than once, leading to the compromise of account information including passwords. And remember, most people use the same password or two for all of their online accounts.

I'm not saying you shouldn't use online accounts. If I did, that would make me a hypocrite considering that I use Twitter, LinkedIn, and Facebook, not to mention the fact that this blog, my email, and my website are all hosted courtesy of Google. What I am saying is that you need to think about what you put online before you do it. Just because something isn't available on the open web doesn't mean that it is protected. When you put your trust in a website you are putting your trust into the hands of potentially hundreds if not thousands of people who you don't know.

Tuesday, July 20, 2010

Do You Trust Unknown Computers? Paranoia, Part 1

You may call it paranoia, but I call it caution. Do you drive recklessly without wearing a seat belt? Do you wander through bad neighborhoods at night? You probably avoid these behaviors because they are dangerous and you know what could happen if you did do them. You have made a decision that they're not worth the risk. Is that paranoid? No, you're being cautious, and that's a good thing.

So when I say that I won't check my email on any computer except my own, I get told I'm being paranoid. I don't see it that way. I see checking my email on other computers as being dangerous and I know what could happen if I'm not careful. This article is the first in a series on being paranoid about privacy and security with your digital life. Except that it's not really being paranoid, it's being cautious, and I'm going to tell you why.

We all know that malware exists. Everyone has heard one of the various terms used to describe it such as virus, trojan, spyware, adware, scareware, and rootkit. The list goes on. The general feeling about malware seems to be that it makes your computer really slow and not work right. Except that if it's doing that then it's not doing its job very well. Most malware you'll never know you're infected with until one day you realize you've become the victim of identity theft and you'll wonder how it happened. The malware you really need to be worried about is quiet, unobtrusive, and farms your computer for information that it ships off to its controller.

Ready for some numbers? According to data collected by Panda Labs, out of 21.5 million computers they scanned from businesses and homes in over 100 countries, 47.87% of them contained malware. Nearly half of the computers were infected. That's the reason I won't use other people's computers for anything requiring me to enter a password. While I'm pretty sure my own computer is safe, I have no clue about anyone else's.

What does this mean for you? That means that you certainly shouldn't use a public computer like those found in libraries or coffee shops, you shouldn't use a computer that belongs to a friend or family member, and you shouldn't even use a computer that was configured by a security expert. You should only use a computer that you configured and have protected from unauthorized use and unauthorized software. Now when I say "use," do I really mean "use at all?" The answer is no. If you want to check the weather, or a sports score, or anything else really that doesn't require a password or make use of personal information, then that's okay. Your passwords and other private information are what you need to protect by only using computers that you trust. In order to trust a computer, you have to know it and that means having exclusive control over it.

If you disagree with my proposed safe computing habits then that's fine, it's your life. You can live it how you choose. If nothing else I hope I've given you something to think about the next time you borrow a friend's computer to check your email, log into Facebook, or buy something from Amazon. I think of it as being cautious, but you can call it paranoid if you want.

Wednesday, July 14, 2010

Are Your Passwords Really A Secret?

Are your passwords really a secret? For a lot of people, that answer is a resounding "no". And just so that you are clear, I'm talking about every single password you have. That includes your Facebook, your email, your bank, your computer and any other place that uses a password for authentication. Are your passwords really a secret? If your answer is anything other than "yes," then you should seriously think about why.

Think about all the couples out there who think it's cute to log into each other's Facebook accounts. Or the ones that know each other's email passwords. What do you suppose happens when they split up? Is it still cute when they start defacing your Facebook page or lock you out of your own email account?

I knew someone while I was in college whose account on the school computers stopped working. There was some hiccup in Active Directory somewhere and she couldn't log in. Her solution? Instead of calling the help desk and having it fixed she just borrowed her roommate's password and would log in using her roommate's account whenever she had to use a computer in one of the school labs. And her roommate was totally fine with this! Think about the fact that the exact same credentials gave you access to a user's account on the lab computers, the course registration program, their Blackboard account, and their school email.

When I bought my Motorola Droid, I got it from a Verizon Store. The sales person I worked with was very friendly and helpful. She turned on the phone and proceeded to activate it, just like they always do. Then she handed me a piece of paper and a pen, asking me to write down my Gmail username and password. She was genuinely surprised when I flatly told her "no." It turns out that whenever she asks customers to do this, they comply without any question. I mean we're talking about the password to your email account. The account to which all other online accounts are tied and where reset emails are sent if you forget your password somewhere. And people would hand this over to a complete stranger who also, incidentally, likely has access to your billing information, home address, and maybe even your social security number.

I'm sure that everyone has probably had someone sit down in front of their computer and ask for the password so they can check something online. Whenever this happens to me I usually just look at the person and say "really?" To which the response is almost always "What? Don't you trust me?" I hate to break it to you, but no, I don't trust you. At least not that much. And it's not that I necessarily think you will do something intentionally malicious, but I certainly don't trust you not to do anything foolish.

Ultimately whether or not you share your password with someone else is up to you. It all comes down to trust. How much do you trust another person? And trust is more complicated than whether or not someone will use your password to be intentionally harmful. Trust is also accountability. What are you going to do if you let someone use your password and they get phished or install a virus on your computer thinking it was a game? Also consider that a 2008 study found that most people use the same one or two passwords everywhere online. That means that while you might have only meant to share one password, you actually just shared half of your passwords, or maybe even more.

Monday, July 12, 2010

Enforce Security Practices by Disrupting Work Flow

Convincing some people to practice good security in their daily life can be a challenging task. If someone chooses to be careless with their personal computer it may be frustrating, but there really isn't anything you can do to force them to practice good security. At least not in any ethical way. But what happens when you are a system administrator for a small company and the employees there don't seem to care about following the company policies for security?

I know a system administrator who had a creative solution to this problem. In an office that had a lot of clients and visitors coming in and out frequently, it was important for employees to lock their workstations when they would walk away from them. Some of the employees, however, failed to view this as a priority either because it slowed their work flow on returning or they simply didn't care. So the tactic the sysadmin would take was to punish the employee in a relatively harmless way so that through the magic of operant conditioning they would learn to lock their workstation.

The punishment the sysadmin chose was one that would disrupt their work flow and cause inconvenience rather than harm. The key was to ensure that the inconvenience for not locking a workstation is greater than the inconvenience incurred by locking it. So what did he do? When the employee left their computer unlocked, the sysadmin would create a new text file on the user's desktop and name it something like "I will lock my screen.txt". Then he would copy the file around 400 times so when the user would return their desktop would be covered in copies of this file. Since a lot of users save files to their desktop and launch programs using shortcuts that are stored there, this caused them consternation when trying to open new files and programs. Was it annoying? Yes. Was it harmful? No. Was it a little bit childish? Possibly. But did it change the behavior of the employees? You bet it did.

Wednesday, March 31, 2010

Disable all data on Motorola Droid

On the Motorola Droid, there is an option called "Airplane mode" that disables all wireless connections (data, WiFi, calls, and Bluetooth). This is great for airplanes. Other times it is nice to have the option to just disable the phone's data connection without sacrificing the ability to make phone calls. There are apps like APNdroid that do this for GSM phones (T-Mobile, AT&T, most of the world). Luckily, this functionality is already built into the Moto Droid using a hidden menu. This does not require any special ROM or ROOT power; it works on a factory build of the operating system.

Start by opening the "Phone" app. Dial this number:
To make it easier to remember, 7764726 spells "program" on the dial pad. Press the call button. You will be prompted to "Enter SPC password". The password to enter is "000000". Then press the "Verify" button. You will now see a menu with options numbered 01-09. Touch "09 Data Call Settings". You will see two options, "Data Call Enabled" and "Disable At Startup". By default, only "Data Call Enabled" is checked. Go ahead and touch it to uncheck "Data Call Enabled". In a couple of seconds, the 3G or 1x indicator at the top of the screen will go away. Now the data connection on the phone is disabled but you retain the ability to make phone calls and send/receive SMS messages. To turn your data connection back on, just recheck the box.

Restrict Motorola Droid to 1x (3G disabled)

I get great reception on my Motorola Droid, but if I am running low on battery or am in an area with spotty 3G coverage, it is nice to be able to restrict the phone to using 1x data. With 1x all regular data services work; it is just a much slower connection and also happens to use a lot less battery (so I hear, I haven't actually been able to test the battery usage personally). The technique I use works on the Motorola Droid at least (I haven't tested it on any other phones) and does not require any special ROM or ROOT powers.

Start by opening the "Phone" app. Dial this number:
To make it easier to remember, 4636 is "info" on a dial pad. Anyway, as soon as you press the final * you are taken to a special menu that lists four options:
Phone information
Battery information
Battery usage
Usage statistics
Touch "Phone information". Scroll down until you see a drop-down menu labeled "Set preferred network type". The default selection should be "CDMA auto (PRL)". Touch the drop-down and select "CDMA only". As soon as you do so the 3G indicator on the bar at the top of the screen should be replaced with a 1x icon. Touch the "home" button to leave the menu. When you are ready to go back to using 3G just follow the same instructions and switch the drop-down menu to its original value.

[I know that screenshots would be really helpful here, but I really didn't feel like installing the SDK just to be able to take some.]

Friday, February 12, 2010

Modify the login screen in Ubuntu 9.10

In Ubuntu, it's easy to customize the way your desktop looks. The menu is available at System>Preferences>Appearance. Alternatively, you could change the way your desktop looks by running this command:
$ gnome-control-center
This opens a graphical configuration tool for changing a whole bunch of settings. You can click on the Appearance button to change the desktop theme and other appearance settings.

If you want to change the way the login screen looks, you're going to have to do a little bit more work. First, you're going to have to log out. Next, you need to log in through a text console. Do this by pressing:
Log in with your regular username and passphrase. Once you're logged in, run these two commands:
$ export DISPLAY=:0.0
$ sudo -u gdm gnome-control-center
You will see some errors, but that is alright. The command will also hang, so don't expect to see a prompt again. Instead, switch back to the graphical login screen by pressing:
Instead of seeing the login screen, what you'll see is a graphical configuration tool. This tool looks the same as the one you'd see if you ran the command at the beginning of this post. Anyway, by clicking on the Appearance button, any changes you make will be reflected upon the login screen instead of the desktop. You can use this to change the wallpaper for the login screen. Another useful tweak could be to adjust the screen resolution. You can do this by clicking the Display button. Whenever you finish making your changes just click the X in the top right corner of the window. Now you should see the graphical login screen with your changes.

Keep in mind that you are still logged in to the text console. Switch back to it by pressing:
And type this to log out:
$ exit
Press this to switch back to your graphical login screen again: