Too many eggs in Google’s basket? – My question answered on Security Now #326

On my drive home from work today I was very surprised: while listening to Security Now episode #326, Steve and Leo answered the question I submitted to the show! Let me back up a little and explain things. Security Now is a weekly podcast on the TWiT network that discusses hot topics from the past week on all things security related, as well as fundamentals of computers, the Internet, and security. In addition to security news, they also touch on sci-fi books and a few health concerns, recently the all-important Vitamin D3. I have promised myself to write a big blog post about Vitamin D3 at some point this winter. If you are not a listener, I strongly recommend you listen to an episode or two (at least listen to the Portable Dog Killer episode; it’s not what you think it is at all).

Question Setup
I am a big fan of the LastPass password storage system after learning about it on Security Now and hearing why it is safe to use (Episode 256). I am also using Google Authenticator on my Android phone (also available for all other major mobile phone OSes) as a second form of authentication when logging into my Google account, because of how much additional security it provides, especially as this account grows more important. The question I asked below was simplified slightly (probably due to me not thinking things out fully to get the answer I wanted), but the results were good and answered about 80% of my question.

My question, as read by Leo:

“Leo: No. Question 7, Jon in Lincoln, Nebraska – another cornfield flyover – worries about giving Google too many eggs: Steve and Leo, I love the podcast. I’m a long-time listener, LastPass and Vitamin D advocate. I have the entire family well educated and believing now. Yay. Over the weekend I saw that now LastPass – as we mentioned in the news – supports Google Authenticator. This is great news because I currently use the app on my Android phone to get into my Gmail account. I also know how much more secure two-factor authentication is, thanks to previous Security Now! episodes. But it makes me wonder if tying so many of my services to Google is a good idea or a potential security problem. What happens if Google were to go down for a few hours? Any thoughts or opinions on this would be appreciated. Am I putting too many eggs in Google’s basket?”

Watch the video on YouTube of Steve and Leo answering my question below. Start at 1:30:00: goo.gl/kaJD5

Or read the answer at http://www.grc.com/sn/sn-326.htm (about 5/6 of the way down the page).

After hearing this answer I feel reassured about my concerns, and I am very glad it is independent and closed loop. My biggest concern was that if my Google account were suddenly compromised, deleted, suspended, etc., I would be locked out of my LastPass too; but since it is independent and I have a backup of the generated codes, I know I won’t lose my LastPass. Just in case, I always have my local LastPass Pocket standalone as a measure of last resort (no cloud).

Firesheep vs. Blacksheep: the new security threat

Over the past several months or so, the Internet has been abuzz about sheep, yes, sheep. Let me explain. On October 22, 2010 at ToorCon 12 (http://sandiego.toorcon.org/) a Firefox plugin was released called Firesheep. Firesheep is a tool that makes HTTP session hijacking (also called sidejacking) very easy. The tool allows the attacker to capture the session cookie and then log in using that cookie to get full control of the account and do things such as change your Facebook photos, update your Twitter status, etc.

The primary attack vector is open WiFi hotspots, like those in coffee shops, airports, and other public places. This is not an exploit in Firefox or your operating system, but rather a problem of open WiFi and the website you’re connecting to. Firesheep does nothing new and cannot be patched; the same thing can be done with any packet sniffing tool for your platform. What it does do is make it very easy for just about anyone to launch a Firesheep attack on an open WiFi hotspot.

Solutions
The ultimate solution to end all Firesheep attacks is the use of SSL on more than just login pages. On most websites this is something the website must first support with internal changes, and then the end user must turn on with a setting change. This is not ideal (it should be on by default, but it’s better than nothing). Facebook says they are evaluating implementing this. The first major website that has made changes (Source) to protect its users from Firesheep is Microsoft with Hotmail and many of the other Live services. However, this setting is not on by default; users must enable it in their settings. I hope that with time all websites with private or user data will make this change a default, like Google has done with Gmail.

Many web companies cite the increased cost of implementing full-time SSL connections for their users. While it is true that an SSL connection does increase the server load, the difference is very small. Google was really the first major Internet service to move a very large service, Gmail, to be encrypted with SSL by default for the entire session. A Google engineer has talked about the cost of switching over to full SSL for all Gmail users in this blog post: http://techie-buzz.com/tech-news/google-switch-ssl-cost.html

“all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.”

They concluded that there was not a significant increase in cost or server utilization from implementing this. That being said, Google has a ton of servers and a lot of resources to work with, so this may not be true for every website. However, the myths of the past that this would be an incredibly expensive process and not worth it are simply not true anymore. Implementing SSL for the entire session (versus just at log-on, as now) is the only true solution to this problem. Many websites say they are working on this now and plan to implement it. This is a good thing.
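As an added example (not code from this post, from Firesheep or from Blacksheep), the Python below shows why "SSL on the login page only" leaves the session cookie exposed: the browser attaches a cookie that lacks the Secure attribute to every plain http:// request, and that cleartext request is what a sniffer on the hotspot sees. The Secure and HttpOnly attributes, the site model flag `post_login_http_pages`, and all header values are assumptions constructed for the example.

```python
"""Audit Set-Cookie headers for Firesheep-style session exposure.

Added example: not code from the original post, Firesheep or Blacksheep.
Standard library only; every header passed in is a constructed sample.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lowercase attr -> value or True


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (one cookie per header, RFC 6265 style)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Bare flags such as Secure and HttpOnly carry no value: store True.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value.strip(), attrs)


def is_sidejackable(header: str, post_login_http_pages: bool) -> bool:
    """True when a passive listener on the hotspot would see this cookie.

    Firesheep only copies what the browser already sends in cleartext. That
    happens when the cookie lacks the Secure attribute AND the site still
    serves pages over plain HTTP after login (the 'SSL on the login page
    only' model); either an all-HTTPS site or a Secure cookie stops it.
    """
    cookie = parse_set_cookie(header)
    return "secure" not in cookie.attrs and post_login_http_pages


def exposure_findings(header: str, post_login_http_pages: bool) -> list:
    """List the individual weaknesses so a site admin knows what to change."""
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie.attrs:
        findings.append("no Secure attribute: browser attaches it to http:// requests")
    if post_login_http_pages:
        findings.append("post-login pages served over plain HTTP")
    if "httponly" not in cookie.attrs:
        findings.append("no HttpOnly attribute: cookie readable by page scripts")
    return findings


def harden_set_cookie(header: str) -> str:
    """Add Secure and HttpOnly when missing. The site must then be all-HTTPS,
    otherwise the browser simply omits the cookie on its http:// pages."""
    cookie = parse_set_cookie(header)
    out = header.strip().rstrip(";").rstrip()
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in cookie.attrs:
            out += f"; {flag}"
    return out
```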

Here are some things you can do to avoid being a victim of a Firesheep attack.

Be aware of the network you are on.
Know that if you’re on an open hotspot, you’re vulnerable to attack. It’s probably not the best idea to be logging into sensitive websites, checking email or Facebook, paying bills, etc. If you do need to do these things, consider some of the options below.

Use a minimum of WPA encryption.
While everyone at home should be running a minimum of WPA (preferably WPA2), many businesses and other public places offer free WiFi that is unencrypted. Users need to put pressure on business owners and administrators to implement the WPA protocol to protect users. WPA offers an individually encrypted session between the user and the router by default. This does not protect you 100%, but it protects you from local Firesheep attacks, which are the main threat. Many businesses have in the past not wanted to do this because they don’t want to be asked thousands of times per day what the password is, or to deal with any complications; however, it must be done today because of this and other security risks. On Security Now podcast #273 they came up with a great solution: put the password in the SSID. For example, the SSID might be (Joe’s Coffee Free WiFi-Password = Joe) or something similar. This would allow a user who is browsing for the free WiFi to see the password and be secure. It was suggested that the best way to do this would be to demonstrate the attack to a shop owner; heck, maybe you would get a free drink out of it too.

Use SSL
Some websites have the option to force SSL (Secure Sockets Layer) through the entire session but do not have it turned on by default (Microsoft Hotmail, for example), so enable it. This can be enabled on the security tab of the settings page. Regardless of whether you’re on an open or encrypted hotspot, SSL protects you and is the ultimate solution.

Sign Out
Signing out is something everyone should be doing anyway. Since this tool exploits a session cookie, if you end your session, the cookie that the attacker may have captured becomes worthless. It is also just the proper way to close a session and is a must on any public computer.

HTTPS Everywhere
HTTPS Everywhere is a plugin for Firefox, produced by the Electronic Frontier Foundation (EFF), that forces encryption with many major websites. The EFF is a foundation whose goal is to defend your digital rights, including net neutrality, privacy and security. Many websites support full HTTPS traffic but make it difficult to use. HTTPS Everywhere makes this process nearly seamless for the websites it supports. This is a project that is still in development but is stable and works well. I have been using it for a few weeks now and noticed no ill effects. It works on the following websites: Google Search, Wikipedia, Twitter, Facebook, bit.ly, GMX, WordPress.com blogs, New York Times, Washington Post, PayPal, EFF, Tor, Ixquick, and others. You must install this plugin directly from the EFF’s website https://www.eff.org/https-everywhere as it is still in beta. Once the plugin reaches a 1.0 release I expect to see it on Mozilla’s add-on page as well. I hope they will be coming out with a Chrome version soon as well.

Blacksheep
Blacksheep is a Firefox add-on that monitors for Firesheep activity on the network. It does this by broadcasting fake credentials for sites that are known to be targeted by Firesheep; then, when someone tries to use those fake credentials, it alerts you with a drop-down box in the browser. It is little more than a notification and offers no real protection for your personal information. You can download it here if you are interested: http://www.zscaler.com/blacksheep.html

VPN
VPNs offer secure tunnels back to a connection that you trust, such as your home or office. All traffic will flow through this connection, so you avoid someone who might be spying on the open hotspot at the airport you’re on. They require some setup, but they are what enterprises use to securely connect users back to the office, and they work just as well for the average user. There are many free and paid ways to do this; here are a few free ways to do it: OpenVPN, and other options compiled by Lifehacker at http://lifehacker.com/5487500/five-best-vpn-tools

In conclusion, this is a big deal. Everyone should be aware of it as you travel this holiday season. Often travelers hunt out free WiFi connections anywhere they can. Open WiFi is dangerous, it always has been, but with Firesheep it becomes much easier for someone to exploit for nefarious reasons. To protect yourself, consider setting up a VPN connection to your home if you must use open WiFi connections to check sensitive email or social media websites.

Other Sources not specifically listed in the article but used
http://www.grc.com/sn/sn-273.txt
http://techie-buzz.com/tech-news/google-switch-ssl-cost.html
http://codebutler.com/firesheep
http://www.slate.com/id/2275850/pagenum/all/

Adobe Reader X Quick Review

I originally wrote this article for HijinksInc.com
_________________________________________________
Background
Last week Adobe released a new version of Adobe Acrobat, version X. This is a new version of the program that many of us use every day. In the past people shied away from new versions of Acrobat Reader because over the years the program had become bloated and slow. However, this new version offers important security benefits and speed improvements that make the upgrade worth it.

As many people know, Adobe Reader has become one of the favorite attack vectors for hackers and malware over the past few years, for a number of reasons including:

  1. The install base is huge! Most new PCs come with it preinstalled, and if not, almost everyone needs a PDF viewer and Adobe’s is the most popular.
  2. The quarterly updates that Adobe releases are too slow and infrequent; only if an exploit is really bad does Adobe decide to do an out-of-cycle update. Even with these updates, few people know that the program needs to be updated. The automatic updates in version 9 have been better but still seem to fail most of the time. Manual updating seems to be required.
  3. The ability to run things such as JavaScript in a PDF exists and is on by default. Almost no one needs this feature, and it represents a large attack surface.
The Good
Security
The biggest feature of version X is the introduction of a sandbox. A sandbox isolates the program from the operating system to lessen the impact of security exploits. Adobe does a great job of explaining the sandbox features in these blog posts: Sandbox Post 1, Sandbox Post 2, Sandbox Post 3, Sandbox Post 4. This is such a big thing from a security angle that the SANS Institute has recommended that everyone install Adobe Reader X to get this feature: https://isc.sans.edu/diary.html?storyid=9976

Speed
Surprisingly, this new version is faster than the old version 9. It appears to be less bloated and quicker to respond.

Other changes
I noticed the voice that will read text to you, if you want, seems more like a human; the flow is greatly improved. The interface has been tweaked slightly to have more of a beveled-edge, silver stainless steel look. I like it. It’s nothing revolutionary but a nice, clean change. The updater now also allows you to set it to automatically download and install updates. Hopefully this works well and allows the program to stay up to date without much user intervention. I do hope Adobe changes their company policy and moves to a monthly update policy on the second Tuesday of the month, like Microsoft. This will make the task of corporate administration much easier on the administrator.

The Bad
By default two security settings are on, when they should be disabled for increased security. They pertain to features that a very, very small percentage of users actually use. If for some reason you need these someday you can easily turn them on, but for maximum security they should be off. Adobe has even recommended doing this when the program has had problems in the past.
To disable the first setting, go to Edit —> Preferences —> then on the left-hand side choose JavaScript, and at the top of the page uncheck the box that says “Enable Acrobat JavaScript”.

The second option that needs to be changed is under this same menu. Choose Trust Manager on the left-hand side of the page, then at the top of the page uncheck the box that says “Allow opening of non-PDF file attachments with external applications”.

The other bad thing is that despite these new security features, the very people you are trying to keep out are trying to take advantage of this new release to push their spamware, most of it dubbed “Adobe Acrobat 2010”. THIS IS FAKE and malware; DO NOT INSTALL. The SANS Institute has a nice post about this as well, even with photos! https://isc.sans.edu/diary.html?storyid=9982

In conclusion, with the new security features and increased performance combined, this seems like a great thing to have if you like the official client. Here is a direct download for Windows: ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.0.0/en_US/AdbeRdr1000_en_US.exe

Securing the Family PC

This story was originally posted at HijinksInc.com by me, the author.

The SANS center, also known as the Internet Storm Center, is a volunteer organization dedicated to computer and Internet security. They rely on volunteers to detect problems, analyze threats and provide technical information and procedures to the general public and IT professionals to address these threats. I visit their website at https://isc.sans.edu/ daily to see the new threats that I need to be aware of as a general PC user and as an IT professional at work. It is very well known in the security community for posting quality information in a very timely manner.

They have designated October as Cyber Security Awareness Month and have decided that this year’s efforts will be focused on “Securing the Person”; in other words, they are talking about the human element of security. These things go beyond the everyday security practices of “run a firewall” but should be helpful for anyone who does any technology troubleshooting. I plan on highlighting some of each day’s topics that I think will be most helpful for readers, adding comments and other thoughts along the way.

Today’s topic is “Securing the Physical Family PC”. Anyone who has a computer at home should consider implementing at least some of these tips. They are designed for families, but most can apply to anyone. I will talk more about general computer security, such as software updates, network security, etc., in my next post.

  • Backup your computer.
    • In my opinion this is the most overlooked area in home computing today. We live in a digital world, with most people owning a digital camera and purchasing digital content (music, movies, software, games, etc.), but they fail to prepare for problems. Computers have problems from time to time: hard drives and other hardware fail, computers become infected with viruses and malware, and acts of God (flood, fire, tornado) and theft all happen. What would you do if your house burned down? Would all of your digital photos, TurboTax records, and music from the past 5 years burn with it? The answer should be no. Backing up for protection from a hardware failure is easy with a local copy on another hard drive, but it is not perfect because it does not protect against theft and acts of God; a better solution involves an offsite backup. Many online cloud solutions are good for this; each service is a bit different and has pros and cons. My favorite of the moment is Backblaze, but other good options are Mozy and Carbonite. Take a look at them and consider implementing something on your computer today. All of these services offer encryption and trial periods. With any cloud-based backup solution the initial backup may take days, but in the end it is worth it. My list of topics to blog about includes a couple of backup articles. More will follow.
  • Use an uninterruptable power supply (UPS) for PCs, laptops have their own built-in UPS – the battery.
    • Many people understand that a computer should be plugged into a surge protector, but a UPS is an even greater source of protection. UPSs allow a PC to run on battery power should the power dip, spike or go out, and most initiate a safe shutdown procedure to protect your hardware from the damage that would otherwise result. In the Midwest they are very handy to help with extreme weather.
  • Document computer details in writing (serial number, software, receipts, BIOS password, etc.) and keep the documentation in a fireproof box or safe
    • This is very helpful information if you ever have computer problems or need to call your manufacturer for support. It is also helpful for an insurance inventory. Consider storing a copy online in the cloud as well. Dropbox, LastPass, and a Google Document (for non-sensitive information) are all good ways to do this. Also keep the information up to date.
  • Keep all of the hardware and software manuals, plus any software CDs/DVDs in one place that is easy to find
    • Common sense here; it makes things easy to find when you need them in a panic situation.
  • Use a cable lock to keep intruders from stealing the computer should there be a break-in
    • No device makes it impossible for a thief to steal if they really want it. A cable lock does slow someone down. This may seem overkill but works especially well in some environments (Think college dorms).
  • Throw a towel over the web cam (better: unplug the web cam)
    • The recent news story of a school district that was found to be spying on students at home, by accident, through the integrated web cams of school-issued laptops (news stories here: Story 1, Story 2, Story 3) brought this to the attention of the public. It is possible for a virus or malware program to do the same thing. As a result, the easy solution is just to cover it up. On laptops with integrated web cams a piece of blue painter’s tape or a sticky note works well too. Most people don’t use their web cams all the time, so this is an easy way to improve general security.
  • Unless it needs to always be on, consider turning it off when not in use
    • Computers use a lot of energy and create a lot of heat. Consider shutting it off or enabling sleep or suspend mode on your operating system to control this.
  • Keep plenty of room around the PC so that air can flow through to cool it
    • Computers are hot and need lots of air moving through them for cooling. Under the desk in the corner on the dirty floor is not the best place for a PC. Out of sight, out of mind is not a good policy to follow here. At least once a year (preferably once a quarter) unplug the computer, take it outside, open up the side of the computer case, and then blow the dust out with a can of compressed air. This is easy to do and will keep the computer running much cooler. A cool computer is less likely to have stability problems and hardware failure.
  • Keep all computers in full view (no hidden machines, no illusion of privacy)
    • This one is really designed for families with children. A PC in the living room that the kids use really does allow parents to keep an eye on what the kids are doing online. Also, for younger kids who are using the computer for homework, it can help to keep down the many distractions they face (IMs, Facebook, etc.).

Here is a link to the original SANS article: https://isc.sans.edu/diary.html?storyid=9649