Bad Consumer Security Advice

There are lots of articles out there telling people how to better secure their computers and online accounts. While I agree with some of it, this article contains some particularly bad advice:

1. Never, ever, ever use public (unsecured) Wi-Fi such as the Wi-Fi in a café, hotel or airport. To remain anonymous and secure on the Internet, invest in a Virtual Private Network account, but remember, the bad guys are very smart, so by the time this column runs, they may have figured out a way to hack into a VPN.

I get that unsecured Wi-Fi is a risk, but does anyone actually follow this advice? I think twice about accessing my online bank account from a public Wi-Fi network, and I do use a VPN regularly. But I can’t imagine offering this as advice to the general public.

2. If you or someone you know is 18 or older, you need to create a Social Security online account. Today! Go to www.SSA.gov.

This is actually good advice. Brian Krebs calls it planting a flag, and it’s basically claiming your own identity before some fraudster does it for you. But why limit it to the Social Security Administration? Do it for the IRS and the USPS. And while you’re at it, do it for your mobile phone provider and your Internet service provider.

3. Add multifactor verifications to ALL online accounts offering this additional layer of protection, including mobile and cable accounts. (Note: Have the codes sent to your email, as SIM card “swapping” is becoming a huge, and thus far unstoppable, security problem.)

Yes. Two-factor authentication is important, and I use it on some of my more important online accounts. But I don’t have it installed on everything. And I’m not sure why having the codes sent to your e-mail helps defend against SIM-card swapping; I’m sure you get your e-mail on your phone like everyone else. (Here’s some better advice about that.)

4. Create hard-to-crack 12-character passwords. NOT your mother’s maiden name, not the last four digits of your Social Security number, not your birthday and not your address. Whenever possible, use a “pass-phrase” as your answer to account security questions, such as “Youllneverguessmybrotherinlawsmiddlename.”

I’m a big fan of random impossible-to-remember passwords, and nonsense answers to secret questions. It would be great if she suggested a password manager to remember them all.

5. Avoid the temptation to use the same user name and password for every account. Whenever possible, change your passwords every six months.

Yes to the first part. No, no no—a thousand times no—to the second.

6. To prevent “new account fraud” (i.e., someone trying to open an account using your date of birth and Social Security number), place a security freeze on all three national credit bureaus (Equifax, Experian and TransUnion). There is no charge for this service.

I am a fan of security freezes.

7. Never plug your devices (mobile phone, tablet and/or laptop) into an electrical outlet in an airport. Doing so will make you more susceptible to being hacked. Instead, travel with an external battery charger to keep your devices charged.

Seriously? Yes, I’ve read the articles about hacked charging stations, but I wouldn’t think twice about using a wall jack at an airport. If you’re really worried, buy a USB condom.

Posted on December 4, 2018 at 6:28 AM • 82 Comments

Comments

Winter December 4, 2018 6:54 AM

“but I wouldn’t think twice about using a wall jack at an airport.”

I would like to know whether it is possible to hack your gadget through a (110/220V) power wall-socket and your own charger?

“Possible” as in proven or theoretical or anything in between.

Mike Scott December 4, 2018 7:41 AM

I get my email on my phone, but SIM swapping won’t let the attacker get my email, only my SMS messages. That’s why email is a better way to receive 2FA codes than SMS, if (and this is a big if) your email account is properly secured, with 2FA where the second factor uses neither email nor SMS.

Brian December 4, 2018 7:42 AM

Well, what’s a hack?

Let’s say you’ve been plugged in a while and so are fully charged. An adversary who can fully manage your network traffic might get some advantage from also seeing your moment by moment power draw.

Jordan December 4, 2018 8:00 AM

Why is unsecured WiFi a risk?

You’re using TLS end to end, right? Why isn’t that enough?

If TLS isn’t enough, why aren’t you worried about the guys who maintain all of the routers between you and your destination, who all have access to your traffic without any WiFi-based security?

Gerhard Poul December 4, 2018 8:03 AM

Password managers and especially generating random passwords are a great idea, although not always very easy to do in all cases. (e.g. if you have mobile apps where you often need to enter said long random password)

But can someone explain to me why public Wi-Fi is the great danger and everyone should use VPN? Why isn’t the current move to making everything through TLS sufficient? I guess because of DNS being spoofable or browser zero-day exploits? Especially if I control the endpoint and know there are no weird CA certs in my browser, what’s the big risk of public WiFi that a VPN would solve?

Steven J December 4, 2018 8:06 AM

Tech fearful humans like absolute answers.
Security experts live in this space of risk mitigation, do at least as much as reasonable. Explaining that to normal people often doesn’t work so “always” and “never” are the easy way out.

If you live in Cancun Mexico, NEVER use the ATMs that your Mother, a native of the area, says is safe. See how that works? Cancun is overrun with ATMs controlled by crime organizations according to Brian Krebs.

12 random characters for a password? Since we all use password managers, make them 40+ random characters. It isn’t like anyone will be typing them in. If I’m going to type it, 20+ characters is my rule of thumb. I believe there is no substitute for length, everything else being equal.

I carry a USB charger with me when travelling that can last 3 days of phone use.

No email on my phone. I don’t consider phones secure enough for email use. I have over 100 email aliases which are used for different online logins. Low value logins use a shared email. If there is money involved in any way, a unique email address is used for that site. This would be hard for most people.

VPN use is something I use about 90% of the time on Android, but for my travel Linux system, I tend to use ssh tunnels/proxies and a browser running on a file system overlay that is purged at browser close.

I’d never use Windows online for general use. Couldn’t imagine travelling with Windows on a laptop.

After being hacked through bluetooth at a security conference, I disable bluetooth before leaving the house and keep it off. It seems the entire world refuses to talk about how poor the security of BT is.

And I’m amazed that people think putting their passwords into the cloud is a good idea. That fails every “smell test” I have. Don’t put things you want secret into any cloud service.

Iggy December 4, 2018 8:07 AM

Use the SSA website to sign up? What? No. No, no, no. For especially this, go in person or use USPS. Seriously. The SSA website might be well secured but what about your end (or ends)? Do not get a SSN for your child. That used to be a thing, but considering how creative ID thieves have gotten, no longer a safe idea. If you want to be the next wave of humans whose SSN is not readily available to theft and sale on the dark web, do not share any part of it with anyone not the SSA, your employer or, unfortunately, the bank. It’s unfortunate because banks are very careless with customer account security. They just don’t care, because, FDIC. No, not even the last four digits. Make your bank put a password on your account and make them ask for it. Otherwise, the poorly trained clerk on the phone will ask for the last four automatically and anyone can give him that.

Phaete December 4, 2018 8:09 AM

@Bruce

Did you read the last sentence, who the article is attributed to?

Marla Ottenstein is a professional organizer in Naples, Florida, who offers expert residential and corporate professional organizing services.

Her tagline:

Professional Organizer Florida has the expertise, skills and compassion to help you do the things you can’t, won’t or don’t want to do yourself.

I am unable to express my opinion about this without a lethal overdose of sarcasm.

Weather December 4, 2018 8:13 AM

@Gerhard
There are a lot of attack methods on http: cookie/password replay, syn/ack hijacking, open ports on the computer, DDNS changing, sensitive information, fake AP (stronger signal next time in range, autoconnect), maybe more.

Steven J December 4, 2018 8:22 AM

@Iggy – if you don’t have a SSN, then you cannot deduct the child from your taxes as a dependent.
In the USA, good luck getting health insurance care without providing a SSN. Or a home phone or CATV service or car loan or credit card.

I don’t disagree. When I visit different doctors, I write “on-file” in the SSN area. It just isn’t in their files. 😉

Wael December 4, 2018 8:35 AM

@Bruce,

Yes to the first part. No, no no — a thousand times no — to the second (Whenever possible, change your passwords every six months.)

I have not seen a single objective justification to that. I’ve seen some heuristic arguments, but nothing concrete. My comments on the topic were here, here, and here.

Seriously? Yes, I’ve read the articles about hacked charging stations, but I wouldn’t think twice about using a wall jack at an airport. If you’re really worried, buy a USB condom.

I’ll leave comments on this one for another time.

Weather December 4, 2018 8:48 AM

Sorry @mod
Once you have a MITM you can use sslstrip or write your own to read hijacked HTTPS, if the user accepts self-signed certs.

David H December 4, 2018 9:13 AM

@Steven J,

I enjoyed your first post. I’m quite a few steps behind your security posture but want to get there, slowly and steadily. If you’re willing, can you share some (any) details on your setup?

I have over 100 email aliases which are used for different online logins. Low value logins use a shared email. If there is money involved in any way, a unique email address is used for that site. This would be hard for most people.

I’ve read of different ways of doing this, from using a free Gmail account (say, example@gmail.com) and doing example+citi@gmail.com example+fidelity@gmail.com, etc. I’ve also read a much better way of buying a domain and setting up legitimate e-mail aliases, so citi@mydomain.com, fidelity@mydomain.com, etc.

but for my travel Linux system, I tend to use ssh tunnels/proxies and a browser running on a file system overlay that is purged at browser close.

Fascinating. Can you spare any more details?

After being hacked through bluetooth at a security conference, I disable bluetooth before leaving the house and keep it off. It seems the entire world refuses to talk about how poor the security of BT is.

I’ve read of several legacy and maybe current attacks on Bluetooth but admit I’m quite rusty. I have BT disabled at all times anyways and have the Tasker app on Android only enable it when certain apps launch (or other triggers), then automatically disable. Would you be willing to share how you were hacked through Bluetooth at a sec conference?

And I’m amazed that people think putting their passwords into the cloud is a good idea. That fails every “smell test” I have. Don’t put things you want secret into any cloud service.

Eh, not horrible for the layman. I’ve recommended commercial providers like LastPass to friends, but I use KeePass personally and have more control over where the .kdbx database file is physically stored. I’m considering syncing this file in Google Drive or SpiderOak or Nextcloud or [wherever] but haven’t done so yet. I realize that an attacker can potentially get to this file and attack it offline at their own convenience. But as long as the crypto is solid and the password is strong, what’s the harm? What’s your current practice? I’d like to sync the password database between personal phones, tablets, desktops, and laptops and maybe use a cloud solution as the conduit. Either that or use Syncthing or something.

Warren December 4, 2018 9:24 AM

Given all the issues USPS has had with Informed Delivery, API access, etc … I think I’d recommend you not set up an account there 😐

CallMeLateForSupper December 4, 2018 9:24 AM

“4. Create hard-to-crack 12-character passwords. NOT your mother’s maiden name, not the last four digits of your Social Security number, not your birthday and not your address. Whenever possible, use a “pass-phrase” as your answer to account security questions, such as ‘Youllneverguessmybrotherinlawsmiddlename.’”

Hard-to-crack + 12-character is an oxymoron. Worse, the term “password” should be relegated to the dust bin and replaced with “passphrase”. While the author eventually reaches that point of enlightenment, in her very next breath she relinquishes most of a passphrase’s potential security by suggesting one that 1) contains no punctuation/special characters, 2) contains no uppercase characters, and 3) uses only common words, all of which are spelled correctly (which is to say, it is a perfect set-up for a dictionary attack).

“5. Avoid the temptation to use the same user name and password for every account.”

This wording can mean
1) It is alright to reuse a pass[phrase], so long as it’s not paired with an already-used username.
2) It is alright to reuse a username, so long as it’s not paired with an already-used pass[phrase].

I suggest this rule instead: Never re-use a username; never re-use a passphrase.

@Bruce did a nice job on the charging issue, so ‘nuf said.
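Three threads above bear on the same question: Bruce prefers random, impossible-to-remember passwords kept in a manager, Steven J argues that length is the only thing that matters once a manager types them for you (40+ random characters, 20+ if typed), and CallMeLateForSupper points out that the article's sample passphrase is nothing but correctly spelled common words, i.e. a dictionary-attack target rather than a 40-character secret. The following is an added example, not code from the post or any commenter: a Python password-manager-style generator plus a strength check that reports the naive character-level entropy bound next to the word-level bound that applies when a candidate segments completely into dictionary words. The 94-symbol alphabet, the toy `COMMON_WORDS` list, the assumed 10,000-word dictionary size and the 7776-word Diceware size are my assumptions; both reported numbers are upper bounds on the search space, and a grammatical sentence is more guessable than either.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation (no space).
SYMBOLS = string.ascii_letters + string.digits + string.punctuation

# Constructed toy dictionary for the segmentation check (assumption: a real checker
# would load a large common-word list). The article's sample phrase splits fully over it.
COMMON_WORDS = {"you", "ll", "never", "guess", "my", "brother", "in", "law", "s",
                "middle", "name", "correct", "horse", "battery", "staple", "the"}


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly and independently from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def random_password(length=20, alphabet=SYMBOLS):
    """What a password manager generates: CSPRNG-chosen symbols, nothing to remember."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, n_words=6, sep="-"):
    """Diceware-style passphrase: words chosen uniformly at random, joined with a separator."""
    words = sorted(wordlist)
    return sep.join(secrets.choice(words) for _ in range(n_words))


def segment_into_words(candidate, wordset):
    """Split `candidate` into the fewest dictionary words (dynamic programming),
    or return None when no complete split exists."""
    n = len(candidate)
    best = [None] * (n + 1)
    best[0] = []
    for end in range(1, n + 1):
        for start in range(end):
            if best[start] is not None and candidate[start:end] in wordset:
                split = best[start] + [candidate[start:end]]
                if best[end] is None or len(split) < len(best[end]):
                    best[end] = split
    return best[n]


def assess(candidate, wordset=COMMON_WORDS, dictionary_size=10000):
    """Report the character-level entropy bound and, when the candidate is nothing but
    concatenated dictionary words, the much more relevant word-level bound."""
    lowercase_letters_only = candidate.isalpha() and candidate.islower()
    char_bits = entropy_bits(26 if lowercase_letters_only else len(SYMBOLS), len(candidate))
    words = segment_into_words(candidate.lower(), wordset)
    return {
        "length": len(candidate),
        "char_bits": round(char_bits, 1),
        "dictionary_only": words is not None,
        "word_count": len(words) if words else 0,
        "word_bits": round(entropy_bits(dictionary_size, len(words)), 1) if words else None,
    }


if __name__ == "__main__":
    print(assess("Youllneverguessmybrotherinlawsmiddlename"))
    for n in (12, 20, 40):
        print(n, "random symbols:", assess(random_password(n)))
    print("6 Diceware words:", round(entropy_bits(7776, 6), 1), "bits")
    print(random_passphrase(COMMON_WORDS, 6))
```

Running it shows why the comments disagree with the article's "12 characters": 12 random symbols give about 79 bits, 20 give about 131, 40 about 262, while the sample phrase, scored as the 11 dictionary words it decomposes into, is bounded by roughly 146 bits regardless of its 40-character length.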

nycman December 4, 2018 9:51 AM

Have seen many security articles that say unsecured public wifi = bad. Never seen a thorough technical explanation as to why. Is the SSL on your banking site insufficient? Is there a worry that apps aren’t implementing encryption properly? Which apps and versions? Is the risk that you’re revealing which sites you’re visiting? Or are you revealing your passwords or something else? Legit questions because I haven’t seen the risk quantified in any security article.

#7 should refer to usb outlets, not electrical outlets. A misconfigured/vulnerable phone could expose your pictures or entire storage, even if encrypted, if you plug a usb cable into it. You don’t know what’s on the other side of that data cable.

me December 4, 2018 9:51 AM

@Jordan
Unsecured wifi is not a risk if you use TLS; the point is that not 100% of websites support that.

I think that the “unsecured public wifi=danger” thing is mostly stupid.
Also “use VPN” is useless: it just moves the problem to another place, it doesn’t solve the problem.
TLS solves the problem!

The only logical part is that anyone with a computer can mess with wifi, but having access to an ISP network is not as easy.
That’s why using a home connection is safer: not because of wifi encryption (that ends at the router about 2 meters away, compared to the 9000 km that your data travel), but because fewer people have the capabilities to mess with an ISP network.
It’s like moving money from home to the bank in an insecure car but using a road with a low crime rate (home wifi).
It doesn’t improve security but it decreases risk.

Anyway, I think that the security of a computer should not depend on the network it is attached to.
I think that I’m “stealing” Schneier’s words from an old article (but I’m not sure).

me December 4, 2018 10:00 AM

@Gerhard Poul

Why isn’t the current move to making everything through TLS sufficient

It is sufficient, if you don’t ignore potential browser warnings about invalid certificate.

It’s not about security: http is insecure both over wifi and over VPN (you just move the problem).
In the same way, https is secure over both channels.
The difference is risk: probably many wifi networks are subject to attacks by random people because they are cheap to attack: just get a PC.
While for the VPN, if the provider is legit, they are more difficult to attack because you have to attack an ISP network that gives the connection to the VPN provider.

So if you use a VPN you can “skip” the wifi part where most of the attacks occur.

Anyway, I don’t use a VPN, and I don’t have any problems using public wifi.
I use a VPN only if the public wifi has some kind of captive portal that tries to intercept also https connections, or I can’t reach a website over the public wifi because it is blocked for some reason.

https://gist.github.com/joepie91/5a9909939e6ce7d09e29

I keep hearing this “wifi dangerous/VPN safe” and I think it is meaningless.

Denton Scratch December 4, 2018 10:01 AM

@Gerhard Poul and others:

Indeed, password managers are a cool thing. I use Bruce’s passwordSafe. But I need to be able to use my passwords from anywhere: third floor, ground floor, office, friend’s house.

So I store the password repository on a USB stick (along with the portable version of the code). Simples! But actually I have been trying to reduce the amount of clutter filling up my manbag, so I generally leave the stick plugged into one machine.

Also – it so happens that most of the computers I use are low-power devices running command-line Linux (and no GUI).

What would be cool (for me) would be a password manager that (a) runs on a server that can be interrogated over the network, (b) only works for me (i.e. passphrase, I guess; I don’t carry my phone, and don’t want to use an app, and I’ve never thought bio-id was a good idea). I’d use a USB id-stick such as Yubikey; but I haven’t convinced myself that Yubikey is sound. I own a FSF (GPG) privacy key; I believe this device is pretty sound, but it’s the devil to use (and I only correspond with one other person that owns one – and we don’t generally exchange secrets).

There’s a password manager that runs on Linux command line; it’s called Pass (bad name choice – Google will lose it among a mass of dross). It would be easy to give it a GUI, and it wouldn’t be that hard to make it network-capable. Pass looks pretty good to me.

Ann Ominous December 4, 2018 10:03 AM

As tempting as it is to say “never re-use a username”, there’s no getting around it for social media and for other situations where other users need to identify both accounts with the same entity.

me December 4, 2018 10:11 AM

@Weather
The same attacks can be carried out also if you use a VPN or any kind of tunneling. The only way to stop them is to encrypt from the source to the end, using https/TLS.

@Jordan @Gerhard Poul
The “wifi is dangerous” thing is designed to be a simple thing that anyone understands, exactly like “look for the lock icon, if it’s there the site is legit/safe”,
but that was never the case: the meaning of https was never “the site is legit” but “the connection is protected”.
The point is that not all people understand what you said:
-I control the endpoint
-there is no fake CA root
-I don’t ignore the warnings

Most people, when they see an invalid cert warning, read only “I’m the useless error preventing you from seeing the site that you want to see, click ignore to open the site”,
so the simplest thing is to tell them “just don’t use wifi”.
But I find this so wrong, because you teach wrong things to people, and there will be a point where attacks will be common also in different locations and the whole thing becomes meaningless/dangerous.
In the same way it happened with “look for the lock icon” after Let’s Encrypt.
We are seeing BGP hijacking to do ad fraud and to steal bitcoins, so we should stop immediately pretending that it’s only wifi and that people will not understand. We shouldn’t fix the user, but we might remove the ignore button or make it in simpler words with a delay before the button becomes clickable.

Weather December 4, 2018 10:41 AM

@me
VPNs help a little, but if you as an attacker can set up an AP the same as the legit one, and then forward it over another link, open, listening, closed and key-needed ports can still be accessed

The four types can all be attacked from easy to very hard

deanishe December 4, 2018 10:48 AM

I get that unsecured Wi-Fi is a risk, but does anyone actually follow this advice?

Yeah, for convenience and privacy. Many of the corp networks I’ve used block random stuff, like SMTP or IMAP or the App Store.

I have an algo VPN box, which comes with a config profile that makes my iPhone connect to the VPN whenever it’s not on my home network, so I don’t have to worry about the whims of network administrators.

It also comes with DNS-based ad-blocking, which, imo, is reason enough in itself to use the VPN.

Hope iOS gets Wireguard support soon.

Clive Robinson December 4, 2018 11:14 AM

@ Bruce,

    Seriously? Yes, I’ve read the articles about hacked charging stations, but I wouldn’t think twice about using a wall jack at an airport. If you’re really worried, buy a USB condom.

It all turns on what people mean about “charging”.

There are three basic ways these days you can find in public places,

1, Low Frequency Mains AC Power.
2, DC charge –USB and other– point.
3, High Frequency inductive loop charge point.

All three can not only carry power to your device but communications as well.

In general low frequency AC power “did not” have comms on it but that is changing very fast as utilities get into comms. So whilst it might only be X10 and other home control currently, with no built in at the computer currently, that is set to change (possibly 😉 if for no other reason than IoT blocking WiFi.

As for many modern DC supplies, sending data comms down the line is quite normal, though you might not see it. Those pre IoT CCTV cameras, the head end of Satellite TV dishes and much else besides. The idea of power over communications such as PoE and USB is a little newer but is happening; the important point is your device has built in comms to the CPU. USB appears to be the current “common denominator” and as it’s considered “safe” from an electrocution perspective, is popping up on “trains, planes and automobiles” as well as street furniture like benches. Thus it would be wise not just to have a “data condom” but over voltage protection as well (remember the “USB of Doom” “USB-Killer”[1] device).

The latest power by wireless / induction is still an unknown, but RFID devices have used the technology for years and data comms comes built in…

@ ALL,

One issue of using not just WiFi but any network is your location can be tracked and more importantly your data packets tagged by the network you are connecting to.

Some VPN’s supposedly remove both the location information, but also strip off the data tracking tags.

[1] https://arstechnica.com/information-technology/2015/10/usb-killer-flash-drive-can-fry-your-computers-innards-in-seconds/

Weather December 4, 2018 11:19 AM

An AP with a VLAN for data and a 255.255.255.254 netmask and a landing page with a random 4-digit PIN, in case the network drops out. Ideally each connection should somehow have unique WPA2, for the air

Wael December 4, 2018 11:28 AM

These are some events that made me change my password and my username: for the sake of example, not exhaustion:

  1. Logged in to one of my accounts from a hotel in a country that was reported to hack into systems.
  2. Had a feeling someone was observing me typing a username / passphrase / PIN, or there was a camera somewhere
  3. Created a Cryptocurrency trade account, and was asked in the process to validate my username / password of my bank-account to link – no other option was given: no oAuth, no bank-hosted iFrame, etc… (are you kidding me!) I created the account and immediately changed my pass phrase and my username.
  4. Had indications there was screen-scraping going on…
  5. Forced to allow JavaScript, need to use web browser extensions, etc…
  6. …

I didn’t necessarily find out that my credentials were compromised. But I view the actions I took as the proper thing to do. There were some situations where a change of a password / username is warranted, in my view. Of course in the corporate world, we have to comply or we lose access.

To make a broad statement that passwords / passphrases should not be changed unless there are indications of compromise is not good advice. I did not cover scenarios where some of the above occurs at a time when the soon to be victim did not realize they took place. Furthermore, we can’t claim with any degree of confidence that our credentials have not been compromised. Sometimes we’ll detect it; sometimes we may not.

This is my heuristic argument. Still not conclusive, but I believe I presented a good defense of my stance.

Matt Newman December 4, 2018 11:40 AM

No, no no — a thousand times no — to the second.

I understand that mandated password expiration isn’t helpful, but I use a password manager and reset ~ 5% of my older passwords every month.

I’m running on the assumption that some services I use will be compromised, and some of them will have done something dodgy like log/store passwords in plaintext or hash them insecurely.

If you are already using a password manager & random passwords then I don’t see the downside of rotating passwords (though I agree the utility is reduced if you have strong enough passwords to start with).

Otto Defey December 4, 2018 11:55 AM

A bit of advice about WiFi I see all over the net and especially in documentation for consumer equipment is not to implement MAC filtering. I used to work on this stuff, so I understand that someone who is patient and adept can beat that. But that would need to be someone who had a reason to be out to get me in particular. It’s difficult to believe that my home LAN is that interesting. Anyone looking for a LAN to crack will find much easier pickings in my neighborhood.

I suspect the real reason they say not to filter MACs is that when some people do it they forget, have trouble, and make calls to product support. That’s an expense vendors would like to avoid.

Often similar advice is given about keeping the SSID out of the AP’s beacons. Does anyone know a reason why not to do these things if one is a competent admin for one’s own LAN? thanks.

Weather December 4, 2018 1:15 PM

Otto
When a client connects it displays the ESSID; not broadcasting just means it’s invisible to basic point-and-click “search for networks”. If you use promiscuous mode and airodump-ng or wireshark and a client is connected, they will see the ESSID.
It’s security by insecurity

It’s easy to change the MAC to match theirs; if they then drop offline you just match theirs.

Set the AP to only use as many personal things you want connected, then change the netmask so no more things can connect unless one gets booted off (deauthenticate packet).

Its really little things, but some little things are pointless

David H December 4, 2018 1:19 PM

Often similar advice is given about keeping the SSID out of the AP’s beacons. Does anyone know a reason why not to do these things if one is a competent admin for one’s own LAN? thanks.

@Otto, the long answer is to learn the nuances of how 802.11 works, the control, management, and data frames. The shorter answer is that disabling SSID broadcast can actually (ironically) weaken security/privacy.

When SSID is broadcast as part of the beacon management frame (often times every 100 ms or so, so 10 beacons/second), all stations (wireless clients) in the area have an idea of what access points are available. It’s a passive activity that only requires listening, not talking, so a station can do so stealthily without revealing its presence or MAC address. Of course, a user or station/client can always manually ask “Who’s out there?”, which it does by sending out probe requests, and all access points that hear the probe requests respond with probe responses.

So let’s say you have a portable/mobile device such as a smartphone or tablet that connects to your home Wi-Fi. When you leave home then come back home, how does it know to connect to your home Wi-Fi? Because it hears your AP’s beacons and can associate with the access point and then authenticate, joining your home network. But as you go about your day away from home, your phone/tablet/laptop has no need to yell out, “Is HomeWiFi there?” since it can assume it isn’t there by the lack of beacons.

If SSID broadcast is turned off, it merely removes the SSID from the Access Point’s beacon frame, shifting the burden to the station (client). So now your phone/tablet/laptop has to constantly send out probe requests (aka “Marco? Marco? Is HomeWiFi there?”) which 1) yells out to the entire world that your home network is HomeWifi, and 2) yells out your phone/tablet/laptop’s MAC address.

By shifting the burden to the client, this weakens privacy and potentially security since your device will have to constantly poke and probe like a blind person (assuming your Wi-Fi is enabled). Stores are increasingly using Wi-Fi, Bluetooth, facial recognition, etc. to uniquely identify customers for behavioral, analytics, and marketing purposes as customers walk throughout a store, and a unique MAC (that’s not randomized) marks you.

A more sinister approach is that if your Home SSID is fairly unique, a stalker can search for the SSID, MAC, etc. in Wi-Fi databases such as WiGLE.net and find out exactly where you live. Which opens up potential safety concerns.

Modern OS’s implement the Wi-Fi stack in different ways. I finally have MAC address randomization in Android 9 (Pie), and I believe iOS may have this. Not sure about macOS and the *Nix’s. It’s best to 100% disable Wi-Fi when not in use anyways, but unless this is automated (easier on Android), it’s easy to forget.

There are other attack methods as well: Some OS’s implement Wi-Fi so poorly that even if your phone/tablet/laptop hasn’t connected to any “hidden” networks, it’ll still leak out your entire list of saved networks and yell them out to the world via probe request frames. “Hello world! I’m a Windows laptop, MAC address 00:11:22:33:ab:54. I just wanted everyone to know that I’m a big fan of Starbucks, McDonald’s, Panera, HolidayInnFree, HomeWi-Fi, CancerClinic, Jennifer’s House, and Bar-Guest!” And from there, that unique combination of saved Wi-Fi networks is a great way to fingerprint somebody, and the metadata is gold for finding out where that person lives, works, and frequents, and who this person socializes with.

This was much longer and rambly than I anticipated. I dream of somebody being as verbose or brilliant as Clive, but that may take decades of study. :p

The tl;dr: Disabling SSID broadcast is an obsolete Wi-Fi security practice and actually weakens privacy and possibly security. SSID is communicated in plaintext anyways, so there is no point at this juncture, at least until 802.11 is amended to allow for SSID to always be encrypted.
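David H's explanation rests on two observable facts: a directed probe request carries the SSID in the clear in its first tagged parameter, and the client's source MAC is visible unless the OS randomizes it (a randomized address has the locally-administered bit, bit 1 of the first octet, set). As an added example, not part of any comment, here is a small Python parser for raw 802.11 management frames that lets you audit your own devices' probe traffic: which named SSIDs each MAC probes for, whether the MAC looks randomized, and which device is leaking its saved-network list. The sample frames are constructed inline (bare 802.11 frames with no radiotap header and a single SSID tag); the MAC addresses, SSIDs and the leak threshold are made up, apart from the laptop MAC quoted from David H's comment.

```python
import struct
from collections import defaultdict

MGMT_PROBE_REQ = 4          # management frame subtype 4
MGMT_BEACON = 8             # management frame subtype 8
TAG_SSID = 0                # tagged-parameter id of the SSID element
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def is_locally_administered(mac):
    """Bit 1 of the first octet set means locally administered, i.e. the OS randomized it."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def build_mgmt_frame(subtype, src_mac, ssid, seq=0):
    """Constructed sample frame (not a capture). Layout: frame control, duration,
    addr1 (DA), addr2 (SA), addr3 (BSSID), sequence control, [beacon fixed fields], SSID tag."""
    frame = struct.pack("<H", subtype << 4)                         # type 0 = management
    frame += b"\x00\x00"                                            # duration
    frame += mac_to_bytes(BROADCAST)                                # DA
    frame += mac_to_bytes(src_mac)                                  # SA
    frame += mac_to_bytes(BROADCAST if subtype == MGMT_PROBE_REQ else src_mac)  # BSSID
    frame += struct.pack("<H", seq << 4)                            # sequence control
    if subtype == MGMT_BEACON:
        frame += b"\x00" * 8 + struct.pack("<H", 100) + b"\x11\x00"  # timestamp, 100 TU interval, capabilities
    ssid_bytes = ssid.encode()
    return frame + bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes


def parse_mgmt_frame(raw):
    """Return (subtype, source MAC, SSID) for a management frame; '' is a wildcard SSID.
    Returns None for data/control frames or frames too short to hold the 24-byte header."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    if (fc0 >> 2) & 0x3 != 0:            # frame type is not management
        return None
    subtype = fc0 >> 4
    src = bytes_to_mac(raw[10:16])
    offset = 24 + (12 if subtype == MGMT_BEACON else 0)
    ssid = ""
    while offset + 2 <= len(raw):
        tag, length = raw[offset], raw[offset + 1]
        value = raw[offset + 2: offset + 2 + length]
        if len(value) < length:          # truncated element: stop rather than mis-parse
            break
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")
            break
        offset += 2 + length
    return subtype, src, ssid


def audit_probe_requests(frames, leak_threshold=3):
    """Group directed probe requests by source MAC. Wildcard probes (empty SSID) reveal
    nothing about saved networks and are ignored; beacons come from APs, not clients."""
    probed = defaultdict(set)
    for raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None:
            continue
        subtype, src, ssid = parsed
        if subtype == MGMT_PROBE_REQ and ssid:
            probed[src].add(ssid)
    return {
        mac: {
            "ssids": sorted(ssids),
            "randomized_mac": is_locally_administered(mac),
            "leaky": len(ssids) >= leak_threshold,
        }
        for mac, ssids in probed.items()
    }


# Constructed capture: a laptop probing for its whole saved-network list, a phone with a
# randomized MAC sending one wildcard probe and one directed probe, and an AP beacon.
SAMPLE_FRAMES = [
    build_mgmt_frame(MGMT_PROBE_REQ, "00:11:22:33:ab:54", "HomeWiFi", 1),
    build_mgmt_frame(MGMT_PROBE_REQ, "00:11:22:33:ab:54", "Starbucks", 2),
    build_mgmt_frame(MGMT_PROBE_REQ, "00:11:22:33:ab:54", "CancerClinic", 3),
    build_mgmt_frame(MGMT_PROBE_REQ, "00:11:22:33:ab:54", "Bar-Guest", 4),
    build_mgmt_frame(MGMT_PROBE_REQ, "da:a1:19:00:00:01", "", 1),
    build_mgmt_frame(MGMT_PROBE_REQ, "da:a1:19:00:00:01", "HomeWiFi", 2),
    build_mgmt_frame(MGMT_BEACON, "c0:ff:ee:00:00:01", "HomeWiFi", 7),
]

if __name__ == "__main__":
    for mac, info in audit_probe_requests(SAMPLE_FRAMES).items():
        print(mac, info)
```

Point the parser at your own monitor-mode capture (after stripping the radiotap header) and the report shows which of your devices behave like the "Windows laptop" in the comment and which already use a randomized address; a device that probes only with wildcard requests, or only for the one hidden network it genuinely needs, is the behaviour you want.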

Phaete December 4, 2018 1:21 PM

I think a professional writer could have worded a lot of these statements better.
The following is my favourite:

2. If you or someone you know is 18 or older, you need to create a Social Security online account. Today!

So as long as you know someone that is 18 years or older, you need to sign up for your SSN online, very bad choice of words there.

Doug December 4, 2018 2:28 PM

So when is PCI DSS going to be updated on password requirements, hmmmm? Version 3.2.1 dropped in the middle of this year, but they are still requiring the password policies of several years ago. To make this even more hilarious, they repeatedly refer to NIST, SANS, CIS, etc. … all of whom have updated their password advice.

What a farce. PCI, lift your game.

Actua[ria]lly December 4, 2018 3:01 PM

Credit freezes ding your credit.

It’s bit like the problem gambler who calls a problem gambling hotline and submits to a voluntary casino ban.

A consumer’s request to place a freeze on credit is always interpreted by the credit bureaus as, “I’m a problem borrower. I need my access to credit cut off.”

So no new credit cards, you can’t even open a new checking account, rent an apartment, buy a house or car, even when you are paying for things free and clear.

Your auto and homeowner’s insurance premiums shoot through the roof, and you are essentially unemployable, all because you requested a credit freeze.

It’s too much. What I call the consumer credit cartel. Visa, MasterCard, Equifax, Experian, TransUnion.

The lending is facilitated through Visa and MC exclusively, while Equifax, Experian, and TransUnion are essentially the bill collectors or enforcers of the cartel.

Steven J December 4, 2018 3:37 PM

David H – there are many people here with much more expertise than I. Anyway, here’s some of what I do.

I’ve been setting up and running email servers for decades. I host a few domains for my private use. Unlimited aliases. Unlimited email accounts. I would never use gmail or any of the huge providers. Heck, I don’t even like sending email to those anti-privacy places.

ssh can create a socks proxy for a browser easily. There really isn’t much more to say.
$ more fireproxy-home.sh
#!/bin/bash

# Only start SOCKS proxy if necessary

if [ $(ps -eaf | grep ssh | grep -c 64000) = 0 ] ; then
    # Setup SOCKS proxy through home server
    echo "Starting ssh SOCKS Proxy"
    ssh -f -C -D 64000 50.1.2.3 -NT   # the IP could be a
                                      # DNS entry, but
                                      # IP won't be spoofed
fi

# Start private firejail with chromium, going through
# just-setup SOCKS proxy

echo "Starting Firejail chromium with private & proxy"
export http_proxy="socks5://localhost:64000"
firejail --private chromium-browser \
    --proxy-server="socks5://localhost:64000" &

I use KeePassXC on my linux systems and use rsync to push the DB file out to other systems just after midnight.

I don’t trust wifi in my house, so why would I trust someone else’s wifi? Wifi at the house is treated like it is raw internet. To gain access to internal systems, a VPN must be used.

I don’t use any cloud storage and avoid using most cloudy services. Self-hosting isn’t hard for me, but that isn’t realistic for most people. When I’m remote, I simply want to get access to my internal systems. When I’m working from home, sometimes I don’t notice internet outages for hrs because most of the services I need are local (though on different subnets).

Sorry for the post length.

tomb December 4, 2018 4:26 PM

A far cheaper and simpler solution than the “usb condom” is a data only cable. Most of the magnetic charging cables only have one prong exclusively for charging. The magnetic tips are removable as needed.

Jari R December 4, 2018 4:31 PM

@David H

I tend to use ssh tunnels/proxies
Fascinating. Can you spare any more details?

You need a server with sshd running in default config
and valid login credentials for that server.

$ ssh -D localhost:5544 your-ssh-host.com

Then configure Firefox:
Edit -> Preferences -> Network Proxy -> Settings
Manual proxy configuration = yes
SOCKS Host = localhost Port = 5544
SOCKS v5 = yes
Proxy DNS when using SOCKS v5 = yes

Then click OK.
After that your browser’s DNS queries and web
browsing are ssh-tunneled to your-ssh-host.com
where they pop out to the world.
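The “Proxy DNS when using SOCKS v5” step above is the one that matters for privacy: it decides whether the hostname travels inside the tunnel or whether the browser resolves it first on the local network. Below is an added example (my own code, not anything posted in this thread or part of OpenSSH) that builds the SOCKS5 CONNECT request both ways and parses the server’s reply. It never opens a socket; the hostname, port and reply bytes are constructed for the example.

```python
"""SOCKS5 (RFC 1928) CONNECT request builder and reply parser.

Added example, not code from the thread. With remote DNS the hostname goes
in the request (ATYP 0x03) and the ssh host resolves it; without it the
browser resolves the name first and only an IP literal (ATYP 0x01/0x04)
enters the tunnel, so the DNS query has already gone to whatever resolver
the local Wi-Fi handed out. Nothing connects anywhere; replies below are
constructed bytes.
"""
import socket
import struct

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def greeting() -> bytes:
    """Client hello offering only the 'no authentication' method, which is
    the method an `ssh -D` listener on loopback accepts."""
    return bytes([SOCKS_VER, 0x01, 0x00])


def connect_request(host: str, port: int, remote_dns: bool = True) -> bytes:
    """Build a CONNECT request for host:port.

    remote_dns=True  -> hostname in the request (Firefox "Proxy DNS" on).
    remote_dns=False -> caller must pass an already-resolved IP literal; a
                        real client would have called getaddrinfo here, i.e.
                        leaked the lookup before the tunnel was used.
    """
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 (max 255 bytes)")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        try:
            addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
        except OSError:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def leaks_dns(request: bytes) -> bool:
    """True when the request carries an IP literal, i.e. the name was
    resolved locally before the proxy ever saw it."""
    return request[3] in (ATYP_IPV4, ATYP_IPV6)


def parse_reply(data: bytes) -> tuple[int, str, int]:
    """Parse the CONNECT reply into (status, bound_addr, bound_port).

    Length is checked against the address type before any slicing, so a
    truncated or padded reply raises instead of being silently accepted."""
    if len(data) < 4 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        n = 4
    elif atyp == ATYP_IPV6:
        n = 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated reply")
        n = 1 + data[4]
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(data) != 4 + n + 2:
        raise ValueError("truncated or over-long reply")
    raw = data[4:4 + n]
    if atyp == ATYP_IPV4:
        bnd = socket.inet_ntop(socket.AF_INET, raw)
    elif atyp == ATYP_IPV6:
        bnd = socket.inet_ntop(socket.AF_INET6, raw)
    else:
        bnd = raw[1:].decode("idna")
    (port,) = struct.unpack("!H", data[4 + n:6 + n])
    return status, bnd, port


def describe(status: int) -> str:
    """Human-readable reply status for logging."""
    return REPLY_TEXT.get(status, f"unknown status {status:#x}")


if __name__ == "__main__":
    good = connect_request("example.com", 443)           # hostname, constructed
    leaky = connect_request("93.184.216.34", 443, False)  # IP literal, constructed
    print("remote DNS  :", good.hex(), "leaks DNS:", leaks_dns(good))
    print("local DNS   :", leaky.hex(), "leaks DNS:", leaks_dns(leaky))
    print(parse_reply(b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"))
```

The Firefox checkbox corresponds to sending ATYP 0x03; the same distinction exists in curl, where `socks5h://` hands the hostname to the proxy and plain `socks5://` resolves it locally first. When checking a tunnel, look at what leaves the machine on UDP/53 rather than trusting the browser setting.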

tomb December 4, 2018 4:39 PM

I meant to say “power only” cables in my last posting.

There was a fantastic skit on the television show Penn & Teller “Fool Us” in which the magician’s gig is to do magic tricks with USB charging cables. The climax of the skit involves the magician borrowing Penn’s phone and plugging his cable into the phone. The phone appears to shutdown. Then an animation of the phone’s charging screen pops up in the foreground with a picture of Penn’s face on the phone. The screen goes blank when the magician lets go of the cable and lights up once again when he holds it.

This is really a stupid and gimmicky trick but it won a “Fooled Us” award for the same reason I mention it here. Very few of us realize that a simple cable is capable of uploading malware to a phone. Penn gave the award specifically because “i don’t know how phone chargers work”.

asdf December 4, 2018 4:44 PM

@Peter Knoppers

I’d think that if you had control over the electrical pulses you could code something super sophisticated to symbolize USB cable inputs from a console to the phone. I’m reminded of those 1990s-2000s era wifi extenders that worked by sending coded pulses through the electrical lines of a house.

Weather December 4, 2018 4:58 PM

Don’t know the command, but you can use Socat and if the DST port is 53 pipe it to 127.0.0.1:ssh tunnel

Can be used for other services

Rach El December 4, 2018 5:11 PM

Appreciate the intelligent well considered comments, thanks everyone.

Travel with an AC charger because you shouldn’t rely on USB charging! And USB stations are quite simply not available in many airports.

one aspect of changing passwords is it introduces a point of vulnerability. For inexplicable reasons the new password can fail- an error in reproduction, who knows.

I updated my KeePass password and some months later something went wrong and it stopped working. It took about 6 months of no access to that vault to realise KeePass had reverted to the previously used password, which was fortunately still in my memory. Maybe one of my back ups was swapped, or a corrupt database was overwritten, who knows

There are good arguments for paper based ‘password managers’ which will be familiar to many of you. They have some strengths over digital ones and also are laywoman friendly – and circumvent the potential cloud-synching issues laypeople often require. (I’d only ever use a local, off line portable Manager like KeePass)

I have experimented with storing my sensitive information (on paper or digitally behind a password) in a way a 3rd party cannot use – with a system to reorganise the data known only to me. Swapping the last digit for the first, or having 5 passwords listed for each username but only one being the correct one.

The latter idea was good but the former got me into trouble when I couldn’t remember the system! ‘why is this credit card not working!!?’ YMMV

echo December 4, 2018 5:16 PM

My security is Swiss cheese but I don’t do anything daft. Being boring = secure by design.

@Wael

With password length we need to consider entropy and search space (including brute force search space optimisations). This is partly why I never mention what password lengths or schemes I use to keep people guessing. I have no idea about a formal proof but assume a secure password will be secure for the duration as per the statistics. As Bruce often says “trust the maths”.

It’s an industry wide benchmark that a secret only stays a secret for no more than six months. I’m guessing in practice this varies depending on the type of secret and who knows and direct and indirect access to the secret. I don’t personally buy the “change password every six months” meme. I am of zero tactical or financial interest and have risk managed what matters out the door. (I actually did make one stupid idiot security mistake in the past few months and am not doing this a second time.) The “change password every six months” thing whiffs of corporate “one size fits all protect against the highest theoretical risk and lowest common denominator” type of reasoning. This seems like a lot of work over nothing.

Wael December 4, 2018 5:58 PM

@echo,

The “change password every six months” thing whiffs of corporate “one size fits all protect against the highest theoretical risk and lowest common denominator” type of reasoning.This seems like a lot of work over nothing.

No-one is defending the six-month mandate. Perhaps six months is good for an organization and three is more suitable to another. It may seem like a lot of work over nothing, but I believe it has value, even though it annoys me to no extent. Now I am forced to use a password manager, and it took me forever to find one that I am ok with. Most of them want subscription fees, cloud, migration to other devices, etc. all I want is something simple and reasonably priced. I am not willing to pay subscription fees for such an app.

If I had time, I’d do my own.

Wael December 4, 2018 6:25 PM

@echo,

Besides: in the corporate world, users have varying OpSec habits, regardless of the training they get. I kid you not: one time I needed IT support help because I could not gain access to a resource. The IT guy said: “I’ll IM you my password to use for now”. I told him don’t even think about it. Too late, he sent it to me. I told him you had better change your password immediately, I’m deleting what you sent me.

Call periodic mandatory password change a Defense In Depth[1] attitude; the corporate cannot assume all employees are Security Savvy: they are most definitely not, and that includes Security Architects, engineers, and IT, etc… You won’t believe the kind of crap I saw. I could write a comedy movie script out of it. Worse things happen in the Defense Industry. Ever heard about the 00000000 password for missile launch, or is that an urban legend?

For the personal case: do what works for you. Problem is: do you know what works for you? Let me ask you a question: can you tell me with certitude that none of your current passwords has been compromised?

[1] And that’s still not sufficient. One needs defense in depth, width, and height. That was yesteryear. We now need active defense (offense) on top of that, but I digress.

Loose Tongue December 4, 2018 6:55 PM

Changing passwords every six months?

It’s a good thing to do on one’s own initiative, particularly if others are suggesting otherwise.

Or use one-time-only passwords with a system like S/KEY.

The risk of keeping the same old password increases as time goes by, due to shoulder surfing, surveillance camera peeking, cops with bodycams, keyloggers, spyware, and other malicious software.

“La Nueva Generación” is not just a drug cartel, by any means. Not all youth do drugs, but there is a certain “New Age” philosophy of life which maintains that whenever a password becomes “old” — and New Agers are always superstitious of anything “old” — it’s time to retire it and generate a new password.

echo December 4, 2018 7:30 PM

@Wael

Besides: in the corporate world, users have varying OpSec habits, regardless of the training they get.

Yes, this is the kind of thing I was alluding to. It’s like intersectional issues: a variety of factors all playing together and varies from instance to instance.

For the personal case: do what works for you. Problem is: do you know what works for you? Let me ask you a question: can you tell me with certitude that none of your current passwords has been compromised?

No but then I can’t tell the other way either. I’m a PONTI (Person of No Tactical Interest) and don’t have enough money to attract criminals. I’m fairly blackmail proof too and my default response is to scratch someone’s face off and shout and scream and leave bite marks. The odds are I can embarrass them more. If I am compromised they are either saving it as a last ditch Doomsday weapon or thrown it on the scrapheap. If any actually are compromised and used in anger? Oh, boo hoo someone has a collection of pixels on the screen.

Betrand Russell wrote very interesting essays on both power and laziness. From a security point of view they could be read as “shifting endpoints” and “least energy”.

My mum grew up in a world where a scratch could kill, children went to school so poor they ate sugar sandwiches or wore clogs, and she was born when women didn’t have the vote. I am just old enough to remember when women had few job choices beyond becoming a teacher, a nurse, or a secretary unless lucky enough to have rich parents. The world has changed a lot since then. She was never showy but nobody died on her watch. I’m really really bad at following her advice but a few things stuck in my mind:

“Run away to fight another day”.

“Take the rough with the smooth.”

“Rome wasn’t built in a day”.

John Souvestre December 4, 2018 7:37 PM

I don’t believe that the advice to register with USPS to avoid someone else from doing it will help. USPS treats John Doe and John A Doe as different people living at the same address.

echo December 4, 2018 7:44 PM

@Wael

Now I am forced to use a password manager, and it took me forever to find one that I am ok with. Most of them want subscription fees, cloud, migration to other devices, etc. all I want is something simple and reasonably priced. I am not willing to pay subscription fees for such an app.

This is a pain, I agree. I suspect they do this because it’s a small requirement and once an application is good enough there is little need for anything else. Beyond this payment is simply for entertainment value or emotional comfort.

I sometimes suspect the biggest security gain from applications like this is if the developers weren’t working on them or enjoying the benefits of revenue it would be a case of “idle hands make for the devil’s work”. I suspect this is true to some degree of parliament, the British Army, and large swathes of the civil service. If “make-work seat filler” weren’t drawn into their hallucinatory prison they would be up to something else which, statistically speaking, might not be very nice as indicated by the repercussions of austerity policies becoming more obvious.

Jonathan Wilson December 4, 2018 8:11 PM

Do the policies that many corporations have for mandatory password changing actually make sense? Are they doing it because some standard (HIPAA for health care, PCI for anything to do with credit cards or otherwise) has been interpreted in such a way as to require it? Do the management types insisting on it genuinely think it is good for security?

Weather December 4, 2018 8:35 PM

Jonathan
Maybe not. A rootkit or APT doesn’t need to know your password anymore once it’s been planted. I mean that once it has found the password and used it, the password doesn’t need to be used again to get back into the system, so why change it?

If you detect a break in, then everyone changes the passwords

Lsuoma December 4, 2018 10:58 PM

@Russ

Really? In the UK a packet of three is better known:

“Something for the weekend, sir?”

Going Postal December 5, 2018 1:08 AM

@John Souvestre

the advice to register with USPS

https://www.usps.com/ship/insurance-extra-services.htm

Registered Mail® is very expensive, and the clerks and postal inspectors and city cops all got their sticky fingers in it while they mutter under their breath about bearer bonds and gold coins.

And then everybody tries to steal whatever it is, plant some kind of controlled substance or illegal firearm, call the cops, make a bomb threat in your name, call in SWAT team for a bust, and make sure you are separated from your money and found in possession of something illegal under federal law.

The cops are all game for it, too. They make a sport of playing along with SWAT pranksters, robbers, and thieves, and either beating or shooting the victims to death.

It’s not entirely clear what the cops’ goals are, but banning guns is important to them and stopping crime is not.

Clive Robinson December 5, 2018 4:49 AM

@ echo, Wael,

Let me ask you a question: can you tell me with certitude that none of your current passwords has been compromised?

I personally assume they are all compromised, before the last keypress of entering a new one has completed…

The simple fact is that there are so many “end-run attacks” via CCTV cameras, microphones and similar available all before you actually get to the computer…

Thus with that assumption in place you move direct to the mitigation phase, where you actually protect what’s on the computer in various ways assuming the “not nice SOBs” are already in and looking anyway…

The other thing I do is change my password every time the clock ticks on my home systems 😉

Back in 1995, Sun Microsystems published the idea of Pluggable Authentication Modules (PAM). In a way it could be seen as an extension of the idea of “Unix Streams”. Less than a year later Red Hat pushed out the first implementation. Back then I was still producing code so I read the specs and cut my own One Time Password code. After I got the code running on a “pocket device” I went down an algorithmic method using time and a rolling crypto generator (think CTR mode with twiddles).

The big problem if you ever write your own is implementing “time sync” and “replay-lockout” together. Put simply the longer you make the time intervals on the CTR clocking the easier it is to sync up, however it’s also easier for an attacker to re-use the password. But if you use short clocking intervals you get other problems. Hence you have to put in a mechanism that allows multiple logons to the same account in the same time frame, BUT using different passwords…

Like many things it’s not difficult to do if you are aware of the need for it in the design spec stages 😉
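The sync-versus-replay trade-off Clive describes is easy to see in code. The following is an added example, not Clive’s OTP code: it stands in for his rolling CTR generator with the HMAC-SHA1 counter construction that RFC 4226 (HOTP) tokens use, clocked by time as in RFC 6238, and adds the verifier-side window and replay lockout he talks about. The key is the RFC 4226 reference test key; the account names and clock values are constructed for the example.

```python
"""Time-stepped one-time password check with a sync window and replay lockout.

Added example for the thread, not Clive's code. Token side: HOTP-style
HMAC-SHA1 over a counter. Server side: the counter is derived from time in
`step`-second slots, `skew` slots either side are accepted to absorb clock
drift, and every accepted counter is burned per account so an observed code
cannot be replayed, while a second logon in the same slot can still succeed
with a code for a different (not yet burned) counter.
"""
import hashlib
import hmac
import struct

TEST_KEY = b"12345678901234567890"   # RFC 4226 reference key, not a real secret


def otp(key: bytes, counter: int, digits: int = 6) -> str:
    """One code for one counter value (HOTP dynamic truncation)."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    mac = hmac.new(key, struct.pack("!Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Verifier:
    """Server side of the scheme.

    step: clocking interval in seconds.  skew: slots accepted either side of
    'now'.  A longer step or wider skew makes sync easier but leaves more
    codes valid at once, so a shoulder-surfed code stays usable for longer.
    The per-account burn set is the replay lockout."""

    def __init__(self, key: bytes, step: int = 30, skew: int = 1):
        self.key, self.step, self.skew = key, step, skew
        self.burned: dict[str, set[int]] = {}   # account -> accepted counters

    def window(self, now: int) -> range:
        t = now // self.step
        return range(max(0, t - self.skew), t + self.skew + 1)

    def live_codes(self, account: str, now: int) -> list[str]:
        """Codes the account could log on with right now; the length of this
        list is the replay/guess surface the skew setting buys."""
        used = self.burned.get(account, set())
        return [otp(self.key, c) for c in self.window(now) if c not in used]

    def check(self, account: str, code: str, now: int) -> bool:
        w = self.window(now)
        # drop burned counters that have fallen out of the window (bounded memory)
        used = {c for c in self.burned.get(account, set()) if c >= w.start}
        self.burned[account] = used
        for c in w:
            if c in used:
                continue                      # already spent: replay attempt
            if hmac.compare_digest(otp(self.key, c), code):
                used.add(c)                   # lock this counter out from now on
                return True
        return False


if __name__ == "__main__":
    v = Verifier(TEST_KEY, step=30, skew=1)
    # constructed clock values: now=45 and now=50 are both in slot 1
    print("first logon  :", v.check("alice", otp(TEST_KEY, 1), 45))   # True
    print("replayed code:", v.check("alice", otp(TEST_KEY, 1), 50))   # False
    print("next counter :", v.check("alice", otp(TEST_KEY, 2), 50))   # True
    print("drifted token:", v.check("alice", otp(TEST_KEY, 5), 50))   # False
    print("still live   :", v.live_codes("alice", 50))
```

With skew=1 three counters are acceptable at any instant; with skew=3 it is seven, which is exactly the widening of the replay window Clive warns about. The burn set removes replay of a specific code but does nothing about a drifted token, which is why real deployments add an explicit resync step rather than simply widening the window.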

echo December 5, 2018 5:24 AM

@Clive, @Wael

GCHQ would make a fortune if they consumerised their collect it all “time machine”. Never lose data or a backup again. GCHQ anticipates the problem and provides a solution by grabbing a copy of all your data before you have backed it up!

Clive Robinson December 5, 2018 10:46 AM

@ echo,

GCHQ would make a fortune if they consumerised their collect it all “time machine”.

Don’t say that too loud, remember the current incumbents see citizens data as “cash to collect” one way or another. From Council Tax records, through many other systems like education onwards to death with your health records and anything else that’s not nailed down physically or legally…

They force you to hand it over then they flog it to cover give away taxes to the 1%ers, anyway with a little luck we will be rid of the worst of the current bunch before the end of the year.

The smile I had on my face last night hearing that Parliament had given a certain pompous git two fingers by way of a “contempt” finding was sunny enough to heat the room 😉

As the old saying goes “I couldn’t wish it on a more deserving cause”. Does that make me petty?

I hope not as I sit here making wax effigies of BoJo and Co especially that illegal act of Faraging 😉

Oh spot the BoJo failed O Level maths at work,

    “As many as 16 per cent of our species have an IQ below 85, while about 2 per cent have an IQ above 130.”[1]

Apparently he went on to fail an IQ test on air… And “This is the man who would be King”…

[1] https://www.theguardian.com/politics/2013/nov/28/boris-johnson-iq-comments

bigmacbear December 5, 2018 10:56 AM

@Jonathan: Yes, PCI DSS section 8.2.4 dictates “Change user passwords/passphrases at least once every 90 days.”

Because merchant contracts with their banks dictate that PCI-DSS must be followed on pain of breach of contract, this gives these requirements “the force of law” on systems in their scope (and PCI scoping – which requirements must be met by which system – is probably the most controversial part of compliance).

What this means is someone needs to tell the folks who write the PCI DSS that they have to make amendments – the problem is that no one seems to know who that is and the process takes longer than is acceptable.

anonymuos croward December 5, 2018 12:26 PM

@echo
“GCHQ would make a fortune if they consumerised their collect it all “time machine”.”
Didn’t the NSA already do that with the internet archive website?

@Bruce
“5. Avoid the temptation to use the same user name and password for every account. Whenever possible, change your passwords every six months.”
Why not just change your password as often as it can be cracked by the fastest known computer to you? That doesn’t account for a super computer that is unknown. Maybe the change your password every second thing is the best then.
Why are you tracking people by blocking using the name anonymous? There is a large amount of assumption in that last question. I apologize in advance if this gets posted three times. Feel free to delete the first two.

@Clive
Is calling out new handles an exercise for the reader or yourself?

Bob December 5, 2018 1:49 PM

She forgot one more important piece of advice: cover your mobile devices in a layer of Crisco. This makes them harder for thieves to snatch and run off with.

@bigmacbear
IS auditing is complete garbage. Standards made by accountants and MBAs who don’t have the first clue about how anything works, audited by accountants who get certified to audit information systems despite not knowing TLS from AES, culminating in a nice little package that says “we know what’s going on and it’s all cool” wrapped up by people who don’t know what’s going on when everything’s not cool.

Clive Robinson December 5, 2018 3:39 PM

@ bigmacbear,

the problem is that no one seems to know who that is and the process takes longer than is acceptable.

It is however something judges are very good and usually quite fast to get to the bottom of.

The simple fact is the National Standards Organisation NIST has changed the rules, and after a reasonable period for adjustment –which is now long gone– a judge would want a very clear and compelling reason why what are subsidiary standards –whether they like it or not– have not changed. And if not given a sufficiently compelling reason make a ruling that the defendant(s) standards have a very limited time to come into line with the national standards.

The judge would not care if the defendant was a person “legal or natural” as punishment would be financial all the way through bankruptcy if required…

It’s a point that the EU has recently got across to various US Corps via the GDPR, so any management would find it difficult to convince a judge representing the other side –ie the shareholder interest– that they did not see it coming, thus should have behaved competently.

As a friend once observed “Everybody has a fulcrum…” then allude to an anatomical action with an appropriate lever…

Clive Robinson December 5, 2018 5:04 PM

@ anonymuos croward,

Is calling out new handles an exercise for the reader or yourself?

First ask if the person behind the new handle is actually new or not. When you see the same off topic behaviour / style and a new handle, it may well be a sock puppet etc.

Wael December 6, 2018 4:02 AM

@Clive Robinson, @echo,

I personally assume they are all compromised

That’s why “multi-entity” Authentication is important. Authenticate both the silicon unit and the carbon unit (or the water-bag, if you like.) Multi-factor authentication can also be imposed on the carbon-unit. You know we talked about that a few times.

I say not only the passwords need to be changed periodically, but also the username. And usernames should not be easy to link to a real identity. Come to think of it, I advocate the use of “user phrases” and “pass phrases” — keep both these bad boys secret. There: paranoid enough for ya? Now where did I put my straitjacket?

parent December 6, 2018 4:44 AM

@Denton Scratch: “So I store the password repository on a USB stick (along with the portable version of the code).”

(1) Is this “code” based on Pass ?

(2) Do you have to insert passphrases on foreign sessions? I do: as a parent, on the “parental control” authorization form of win10 and of MacOS. I have to insert the passphrase each time. And no password repository that I know of would have been able to let me insert that passphrase.

Clive Robinson December 6, 2018 7:50 AM

@ Wael, echo,

Come to think of it, I advocate the use of “user phrases” and “pass phrases” — keep both these bad boys secret.

This is going to at first sound like madness but bear with it.

The likes of PCI require “two factor authentication” and an auditor is supposed to look and verify before putting the tick in the checkbox on their list.

So far so good. The problem is some specifications just say “two factors” not “two different factors”… So it has been known for an organisation under audit to use “two passwords”, as the organisation pays for the audit and auditors like repeat business, it’s been known for an auditor to accept this argument…

If you say “user phrase and pass phrase” it’s entirely possible some auditor might be persuaded…

I remember Ross J. Anderson telling a story of just how difficult it is for people to think outside the box with “factors”. As a standard part of teaching about them he would ask the students if there were any other factors outside of the three standard “Something you are / have / know”. Depending on how you view it there are or there are not.

Which is why I say that “where / when” of geo and temporal location are sub classes of “know”.

Back when Ross was first asking the question “where/when” was not seen as particularly important. As you may remember both @Nick P and myself realised in different ways that the politicians would stick their nose in like the proverbial camel[1] and that they would resort to their usual “thugish behaviour” disguised as “the word of law”. I pointed out that “secret sharing” out of a nations legal jurisdiction with “duress checks” would put a curb on such political excesses, and Nick pointed out that even that was insufficient thus we needed not just multiple jurisdictions but ones that were actively hostile to each other, thus not disposed to cooperate.

As predicted the politicians legislated but worse the LEOs pushed further via chosen court cases to set “case law”. In effect we have lost two of the original three factors, because LEOs have the power of violence to force “are/have” leaving only “know” as safe currently. But judges under LEO / Prosecutor pressure are now using contempt of court to attack the simple “know” by forcing the issue via “compulsion” of unlimited –illegal[2]– detention.

Thus extending the simple “something you know” of a pass phrase to the more complex knowing where to be and when, redresses the balance, a little bit. Especially if the “where” is well outside of the jurisdiction the LEO / Prosecutor / Judge is.

The hard part is making the “where / when” sufficiently difficult that it can not be “faked” or “guessed”, and importantly can only be done by you in person.

Which is where another subset of “know” can be used which is the “who” of “shared secrets”.

All of which brings out the point about psychopathic[3] LEOs and Prosecutors, who care not if a person is innocent or guilty or if there are any extenuating circumstances. Their sole objective is that their will, will prevail. In turn they are ably supported by legislators making pointless and dangerous law. You can not legislate against the laws of nature and trying to do so can only result in violence… Which the state just so happens to reserve a monopoly on, for exactly the purpose of enforcing their will by fear, force and murder, justice is not something psychopaths care to understand…

[1] The camel is supposedly both curious and obstinate, thus it will push it’s nose under the tent flap, and unless soundly beaten back will quickly occupy the whole of the tent much to the occupants disadvantage.

[2] Many nations have signed up to various international treaties that prevent cruel, unusual, arbitrary justice. Contempt is most certainly arbitrary and when used for compulsion of the mind unusual, which if it goes on for very long becomes cruel, if not torture. The fact contempt still exists actively in courts suggests that various nations have signed a treaty under false pretenses.

[3] Simply a person who exhibits sufficient of the traits given in one of several lists, which does not need a qualification to judge, https://www.psychologytoday.com/gb/blog/mindmelding/201301/what-is-psychopath-0

Wael December 6, 2018 8:24 AM

@Clive Robinson, @echo,

The problem is some specifications just say “two factors” not “two different factors”.

It’s implicit.

to the more complex knowing where to be and when, redresses the balance, a little bit.

These are not factors; they are other parameters that can be enforced. Some of them have device-affinity and some have user-affinity. And yes, they count as additional guardrails.

The hard part is making the “where / when” sufficiently difficult that it can not be “faked” or “guessed”

It’s challenging, given that there are GPS simulators, Fake location Apps, etc… the weakness is in protecting the signal, GPS for example. Unless we use Military grade GPS satellites with encrypted and signed signals that can be used as proof or attestation of the location, I’d say it’s very challenging.

and unless soundly beaten back

You don’t do that to camels, my friend. They keep score and will take revenge, sometimes years later. Don’t mess with them.

chris December 6, 2018 8:45 PM

Can’t one make their own “USB Condom” by buying an inexpensive USB cable at, say, a dollar store and simply cutting the data wires and taping them off. It seems to me that Google search and a simple splice and some electrical tape would help you make a non-data USB cable in a few minutes. Am I missing something?

echo December 7, 2018 7:46 AM

My PortaPow USB data blocker arrived. I bought the dumb version not the one with a chip in it for “smartcharging”. It has a small window you can see the contacts through. The power contacts are present and data contacts absent. I checked it and it works. It’s available in the UK at least with local shipping and is cheaper than Bruce’s suggestion.

@Chris

Can’t one make their own “USB Condom” by buying an inexpensive USB cable at, say, a dollar store and simply cutting the data wires and taping them off. It seems to me that Google search and a simple splice and some electrical tape would help you make a non-data USB cable in a few minutes. Am I missing something?

There’s nothing wrong with this. I find the manufactured product tidier and can use it with any cable. It’s also smaller and saves carrying an extra cable for data use. I guess it all depends on what your personal needs are.

Clive Robinson December 7, 2018 7:53 AM

@ Chris,

Am I missing something?

Short answer “Yes”…

Long answer: it’s to do with what voltage, how much current or power you can or cannot draw (mwc 20V, 3amp). Confusingly there have been several specifications which are almost as good as sleeping tablets when you read them. If you look it up you will find the following,

    On 8 January 2018 USB-IF announced “Certified USB Fast Charger” which will certify chargers that use the feature “Programmable Power Supply” (PPS) of the USB Power Delivery 3.0 specification.

Is –possibly– the latest in a long line of USB Power Control Specs…

In most cases the use of a resistor and one of the data lines sufficed. But… It’s been a few years since I designed a USB device, so “Read the Specifications”, lest you blow something up (like the inductor in the power supply line, meant for EMC filtering but also makes a handy fuse…).

CallMeLateForSupper December 7, 2018 8:11 AM

@Chris
“Can’t one [..] make a non-data USB cable in a few minutes. Am I missing something?”

You are correct. A person with a knowledge of USB wiring spec. and some skill with simple hand tools can make a non-data USB cable.

The reason that pre-made is available is not because making them is hard but because a significant number of potential customers exists => product is viable. Why are there a bunch of potential customers for pre-made? For the same reasons that loaves of bread sell: a significant number of people think they don’t have the time nor the skills to bake bread.

I think – and I am preeee-ty sure @Clive would agree with me on this – that a lot of folks could surprise themselves by making a dough ball, setting it aside to rise, and then making a non-data USB in the mean time.

Dust December 7, 2018 6:33 PM

I’m surprised you would use public WiFi and even with no VPN. I haven’t done so a single time (with or without VPN) and can’t see any reason to do so even if I didn’t care about security.

Nothing is so important it can’t wait until you have your own net connection again. If something is, it is too important for public WiFi.

echo December 8, 2018 5:57 PM

I don’t have the headspace or spare money but otherwise would use a Raspberry PI to make my own VPN. This could be used as a media player too and other low intensity tasks, and a back up Linux desktop for emergencies.

I have only ever connected to a public wifi out of curiosity.

AtAStore December 10, 2018 4:55 PM

@Dust, All

“I’m surprised you would use public WiFi and even with no VPN. I haven’t done so a single time (with or without VPN) and can’t see any reason to do so even if I didn’t care about security…”

Does anybody want to recommend 1-5 VPN vendors to consider (free or not free) as opposed to diy?

It seems when using free wifi, using an amnesiac OS (boot from DVD to ram, for example) makes sense as does a) authentication (look at url address) and b) look for the lock attempts as well. a and b make sense in general (free wifi or not)

From Clive Robinson
“One issue of using not just WiFi but any network is your location can be tracked and more importantly your data packets tagged by the network you are connecting to.
Some VPN’s supposedly remove both the location information, but also strip off the data tracking tags.”

If you have the ISP router in the US, and your own purchased router, using Comcast, FIOS, or the like, can ISP vendors still insert tags easily while you’re at home? I think in the cellular world, Verizon and ATT did that and one of them allowed you to pay extra to avoid tags. How about Consumer Cellular, Ting, US Cellular, and other MVNOs?

It seems to me that sometimes people might not want metadata or tags, fingerprints, etc., tied to their home or work IP address (back to free wifi).

Perhaps sometimes use figureitout’s “bicycle wifi technique”, or version thereof, when getting a new email address.

Guest December 10, 2018 8:56 PM

Battery packs. Keep them on you at all times, recharge one at a time (rapid charging is essential here) when you are at an outlet. If they overvolt through the wall (or a compromised charger), you lose ONE battery pack (and hopefully the rest can see you safely out of the country). Get a portable computer that will run off USB if you can, a high-capacity battery pack that will output enough power to recharge a laptop if you can’t. Keep all of these with you at all times; in the shower, have a waterproof bag to keep an eye on your stuff. (Glow-in-the-dark may work in case the power goes out; battery-powered lights, if also waterproof, may be better.)

Bruce, if I have a smartphone that can log on to an E-mail provider without 2FA (e.g. using just SMTP), how does a SIM swap attack help attackers? Isn’t the problem with this more of a password reset option where the phone number has been registered with the mail provider?

Joao December 10, 2018 11:41 PM

The passwords problem is to be solved in the near future with SQRL (Secure Quick Reliable Login). Will be open and free to provide and to use, like username & passwords are currently. Will be one-to-one relationship like username & passwords (no third party involved), and will authenticate users because of the use of Ed25519 elliptic curve technology. And web sites can still use username & passwords, FIDO U2F, and anything else they may want. If users lose the private key they can recover their account with built in technology. If the user uses dedicated hardware (that companies may make in the future if this gains traction) it may be very secure even against malware inside devices (smartphones/ tablets/ computers).

FIDO2 can already help solve the username & password problem… but seems to have too many problems yet, starting with the use of the controversial NSA made NIST P-256 Elliptic curve; limited account numbers that can be added in some devices; some devices don’t even have PIN protection to be entered in the hardware itself, getting the device is sometimes all some attacker needs to be able to login into anyone’s account (protecting accounts while sleeping from other family members/ “friends”/ coworkers/ someone else that attacks/ steals over night… may become very difficult, the same from pickpockets).

Currently the problem with all web sites is the recovery process! I don’t know of a single web site that has a perfect recovery process. And I don’t even know about one that even allows the user to disable the recovery process. And it isn’t that hard, there are so many ways, like for example:
Give some random username for recovery not associated to any thing else like: 914832-029347, and some random password for recovery like: 819283-258273-019272-283811-999283-443821-192281, display it to the user, make him enter it in the next page/ screen and then PBKDF2 with Scrypt as its PRF into the database both of them without showing again… and allow the user to regenerate it anytime he wants, after he enters again the authentication and second factor if he uses anything. If the user has some second factor active don’t allow bypass unless you verify the user can’t really login for some time frame (7 to 90 days, let the user choose) and only start counting the time frame after someone with valid credentials (normal or recovery) requests to bypass, sending the user some note alerting him that someone requested to be able to login without the second factor of authentication (into e-mail, instant messaging app, postal mail, inside the application if logged in or when logging in,…), and then send him the code by registered postal mail or for example have some special bypass password like: 952059-293489-294949-201249-298475-204933-204293 and also PBKDF2 with Scrypt as its PRF into the database after being sure the user has taken note of it. Also let users be responsible and let them completely disable recovery, and allow recovery for example only through a court order demanding access to that person/ company so that attackers will be mostly out of luck most times, and because most times the courts can already demand many things so let them make sure it is the correct person and at least it won’t be your company/ organization/ yourself the responsible for easy account take overs… since lawyers can get involved and make more accurate verifications of proof of identity and things like that until everyone agrees it is the correct owner.

Where will users put all this information? Paper note book closed in some secure safe, into an encrypted note software for example of some password managers.
And what if they lose the recovery stuff? Lose the account… or need to go to court to have it back and be prepared to take time.

VPN’s are useful in Open Wi-Fi/ Wi-Fi not controlled by the user because many hackers try to manipulate traffic in all sorts of ways, and sometimes even attempt to get into the device if they can… good VPN’s (self-hosted in home, or a good company) well configured let everything go securely inside a secure tunnel leaving the attacker out of the connection and stop easy manipulation of data (wrong DNS replies/ stripped DNS replies, stripped TLS availability, and many others).

Creating online accounts so that others can’t do it, is the mixed feeling… it can be good if the provider does everything else right, or can be worse, or may not help that much to prevent identity theft (I’m thinking “back doors” into those systems for example).
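The recovery-credential scheme Joao sketches above (a random recovery username and a long random recovery password, shown once, stored only as slow hashes, and regenerable only after the user proves they hold the current pair) is concrete enough to show in code. The block below is an added example written for this thread, not code from the post or from any product. It assumes Python’s `hashlib.scrypt` directly as the password KDF (rather than PBKDF2 with scrypt as PRF), a server-side pepper held outside the database so that the recovery username can be looked up via an HMAC instead of being stored in clear, and scrypt work factors chosen for illustration; the second-factor bypass waiting period and the postal-mail code are described in the post but not implemented here.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Assumed server-side secret ("pepper"); in a real deployment it lives outside the database
# (config file, KMS, HSM) so that a database dump alone does not reveal recovery usernames.
SERVER_PEPPER = os.urandom(32)
# scrypt work factors: assumed values, tune to the hardware that will verify recovery attempts.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def generate_code(groups: int) -> str:
    """Random code of the form 123456-654321-..., six decimal digits per group, from a CSPRNG."""
    return "-".join(f"{secrets.randbelow(10 ** 6):06d}" for _ in range(groups))


def lookup_key(username: str) -> str:
    """Deterministic peppered key so the record can be found without storing the username in clear."""
    return hmac.new(SERVER_PEPPER, username.encode(), hashlib.sha256).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the recovery password (scrypt via hashlib)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def issue_recovery_credentials(db: Dict[str, dict]) -> Tuple[str, str]:
    """Create a recovery username (2 groups) and password (7 groups), as in the post's examples.

    Only the HMAC lookup key, a random salt and the scrypt hash are stored; the plaintext pair is
    returned exactly once so the application can display it to the user and never show it again.
    """
    username = generate_code(2)
    password = generate_code(7)
    salt = os.urandom(16)
    db[lookup_key(username)] = {"salt": salt, "hash": hash_password(password, salt)}
    return username, password


def verify_recovery(db: Dict[str, dict], username: str, password: str) -> bool:
    """Check a presented recovery pair against the stored record in constant time."""
    record = db.get(lookup_key(username))
    if record is None:
        # Run the KDF anyway so an unknown username is not distinguishable by response time.
        hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


def regenerate_recovery_credentials(db: Dict[str, dict], username: str, password: str) -> Optional[Tuple[str, str]]:
    """Replace the recovery pair, but only after the current pair has been proven (the post's
    'after he enters again the authentication' step); the old record is removed so it cannot
    be replayed."""
    if not verify_recovery(db, username, password):
        return None
    del db[lookup_key(username)]
    return issue_recovery_credentials(db)


if __name__ == "__main__":
    store: Dict[str, dict] = {}           # constructed in-memory stand-in for the real database
    user, pw = issue_recovery_credentials(store)
    print("show once to the user:", user, pw)
    print("valid pair accepted:", verify_recovery(store, user, pw))
    print("wrong password rejected:", not verify_recovery(store, user, "000000-" + pw[7:]))
```

The 7-group, 6-digit password carries about 139 bits of entropy, so the slow hash mainly defends the shorter 2-group username and the case where an operator later shortens the code; the pepper means an attacker with only the database cannot even enumerate which recovery usernames exist.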

La Abeja December 11, 2018 3:16 PM

@Joao: authenticate users because of the use of Ed25519 elliptic curve technology

It’s probably okay, but the guy that came up with some of that stuff or at least widely published it is a little too pompous and people cannot even dare talk about it, let alone critically review it, without just the right college frat-boy credentials.

It’s infuriating. There’s a pistol-packing, mace-wielding university PhD, and that’s his turf. Don’t you dare study elliptic curves without his permission. He holds a complete patent on that entire branch of mathematics and number theory.

Clive Robinson December 11, 2018 10:32 PM

@ La Abeja, Joao,

He holds a complete patent on that entire branch of mathematics and number theory.

Only in limited places.

Also patents can be challenged if overly broad or the claims are not quite right.

Also there are other tricks, if people are shown to be stopping progress.

The history of crypto patents has often not been a good one for the patent holders.

Back in 2007 Our host @Bruce had this to say on ECC patents,

    Certicom certainly can claim ownership of ECC. The algorithm was developed and patented by the company’s founders, and the patents are well written and strong. I don’t like it, but they can claim ownership.

It stuck in my mind at the time because I don’t know if Bruce has actually read the patents or not. Bruce has noted in the past that reading patents in the US is actually an unwise thing to do, so he does not do it. Which means he may well have been reporting on the consensus of others. For obvious reasons it’s not a question I would ask him, nor would I expect a reply.

But the crucial question is “What can Certicom claim ownership on?”

RSA Laboratories’ view point is that whilst well written the patents cover specific “implementation technique(s)” not ECC in general.

Certicom tried to sue Sony, but the case ended quite quickly in part because Sony claimed “prior art” back in the early 1990’s.

Many of Certicom’s fundamental patents are about to expire, but they may be of little worth anyway. The NSA held several ECC related patents but they expired because the NSA decided for what ever reason to not make the payments. A point others have indicated might indicate that there are problems with ECC the NSA are not talking about. But as you could also argue the opposite with the NSA, I would not put any value on it either way.

But it would appear that some quite firmly believe that the Certicom patents do not apply to all ECC. One such is D. J. Bernstein, you can read his comments as to why,

http://cr.yp.to/ecdh/patents.html

It’s been around for quite a few years and is relatively short thus worth a read, and it reinforces the RSA Labs view point.

The point many forget is that patents do not bring wealth, especially not fundamental/primary patents. It’s knowing the market and acting accordingly that brings wealth. If you make your licencing sufficiently inexpensive people will not go to the effort of trying to avoid the patents. Likewise if you try to encourage a market developing rather than hinder it.

Likewise patents are jurisdiction based thus unless you know what you are doing trying to seize control of a market through patents really is “a fools errand”.

Oh and the big problem with crypto is the work of Claude Shannon and his communications channels. Even what some would consider “weak cryptographic systems” can be strong enough to keep all but the most well resourced out of a communications channel and even then for a very long time. Thus it can be used to in effect conceal the use of much stronger cryptography that creates the secure channel[1]. Unless a patent holder somehow obtained evidence that their technology was being used they would have difficulty establishing that it was being used by examining an encrypted communications channel and thus would find it difficult to take legal action.

SigInt agencies for instance have a long history of stealing and using other peoples’ patented technology without even bothering to take “extra precautions” to hide the use then filibustering it out to try and bankrupt claimants. We’ve seen the same behaviour with “Collect it all” with the argument an individual “has no standing” for various reasons.

It is widely suspected that many patented communications techniques are “locked away in chips” made outside of the US and there is little the US Patent holders can do. Thus anyone who holds a crypto patent is going to have a very tough time defending it in a market owning way. Which is why they usually fail[2] and if not superseded by other methods they will see the market they tried to own establish after their patents have expired…

As noted the ECC patents are starting to expire and others have found prior art that were either never patented or the patents have expired. Thus within a relatively short time ECC will start to become unencumbered, it will be interesting to see if the market for it starts to develop after that as it has done with RSA.

I suspect that it might not if there are new announcements of relevance in the field of Quantum Computing or in Quantum Computing resistant cryptography. Which you might want to spend some time getting to know, at least in respect to its interfacing requirements (massive keys etc). As the need to switch over may occur quite suddenly (or never at all).

[1] You often see “channel within a channel” in communications protocols, in essence all “layered protocols” like TCP within IP are like this just in plaintext not ciphertext. But you should see it with things like Full Disk Encryption, where each layer in the OS to platter stack should use a form of encryption appropriate to the functional layer (but you seldom do). You certainly see it with “end to end” file encryption carried on a network of “point to point” link encryption and the likes of anonymous networks like Tor. In practice both military and diplomatic higher level traffic has been encrypted by one method at the message level and super encrypted at the transmission level. An example was the British Diplomatic use of Typex at the message level and Rockex at the transmission level. So “crypto in crypto” is a well established and recognised technique that can be used for other purposes than just message hiding.

[2] However a new version of market control is said to be being tried by the NSA through the current US Administration. The argument is that the NSA has already got backdoors in all the communications infrastructure by leaning on US companies and likewise the other Five-Eyes etc have done the same to their manufacturers. But they can not lean on two Chinese companies ZTE and Huawei who unfortunately hold the significant patents on 5G. Thus the US attacks are in fact a way to stop 5G they can not backdoor getting to market. That is if 5G is killed off then a new version using non Chinese Company Patents that the NSA et al can backdoor can be put in its place. So the likes of Iran etc would not have communications networks the NSA could not access at will…

bttb December 12, 2018 3:08 PM

@Joao wrote:

“VPN’s are useful in Open Wi-Fi/ Wi-Fi not controlled by the user because many hackers try to manipulate traffic in all sorts of ways, and sometimes even attempt to get into the device if they can… good VPN’s (self-hosted in home, or a good company) well configured let everything go securely inside a secure tunnel leaving the attacker out of the connection and stop easy manipulation of data (wrong DNS replies/ stripped DNS replies, stripped TLS availability, and many others)”

Thank you for those comments.

Does anybody know if “Wi-Fi hackers” are readily able to mess with imap smtp servers, such that one needs to delete that imap account and then add it back? Or might that problem be caused by the email company making changes at their end?

Is IMAP considered more or less secure relative to POP3?

I know little about VPNs, but found these links:

https://ssd.eff.org/en/module/choosing-vpn-thats-right-you
https://thatoneprivacysite.net/ ; evaluates email and vpn providers
https://en.wikipedia.org/wiki/Comparison_of_virtual_private_network_services

and from https://en.wikipedia.org/wiki/WireGuard

“As of April 2018, WireGuard has been adopted by the VPN service providers Mullvad and AzireVPN. WireGuard has received donations from Mullvad, Private Internet Access and the NLnet Foundation.[6]

As of June 2018 the developers of WireGuard advise treating the code and protocol as experimental, and caution that they have not yet achieved a stable release compatible with CVE tracking of any security vulnerabilities that may be discovered.[7][8]

Oregon senator Ron Wyden has recommended to the National Institute of Standards and Technology (NIST) that they evaluate WireGuard as a replacement for existing technologies like IPsec and OpenVPN.[9]”
