M6 Security

This story is illustrative of a common method of internet fraud.

http://blog.rjssmartsecurity.com/security-news/internet-theft-and-the-holidays/

The story includes a summary of the characteristics of a fraudulent transaction:

  • Do you feel like you have to act immediately? (Urgency)
  • Are the terms of the deal unclear in any way? (Uncertainty)
  • Are you afraid that if you don’t take the deal, something bad will happen? (Fear)

While it is one thing to know that these characteristics exist, one is still susceptible to these scams as when you are in the grip of Fear, Urgency, and Uncertainty, you are likely to act first and think later.

Security – Basics

2 security issues:

  • Encryption – No one can eavesdrop on your communication
  • Authentication – You are who you say you are
Authentication

Authentication may be Strong or Weak

Weak Authentication

Password – passwords may be strengthened by specifying a minimum length, specifying that they be changed periodically, and specifying that they use numbers and special characters.

Insecure mostly because of human factors – people writing their passwords down and keeping them in a drawer, using their spouse’s name, etc.

Strong Authentication

Password and some other method of authentication

Password and texting – texting an authorization code to the user’s cell phone.

Password and computer environment – password only works from certain IP addresses.

Password and Secure key – password and a device that you carry around.

Creating Passwords

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

Something else to worry about:

http://xkcd.com/792/

http://www.schneier.com/blog/archives/2012/08/yet_another_ris.html

The above link describes how several popular web based utilities can be used to get at your personal or business information. This article inspired a security consultant to write in describing the measures she takes to protect her personal information. I used her letter as a check list for my own business and personal use.
This from her letter:

Password policies (both enforced and personal) are rather interesting. Security is often sacrificed for convenience, and in many cases convenience is sacrificed for a false sense of security.

Some common limits, like a maximum password length, are damaging to both usability and security. Longer passwords are more secure, passphrases are easier to remember and more secure (if generated well, such as with diceware) and programming in a length limit introduces another possible source of error. Since the best practice is to hash all passwords any length will produce a fixed-size hash output. If you’re not hashing (and preferably salting) your passwords you have no right to be making an authentication system.

In the end, I developed a compromise system. My most secure passwords are protected by keepass password safe. My master password is a 6-word diceware passphrase. This keeps really important stuff, such as bank account passwords. I also store other passwords here as a backup in case I forget. All “security question” answers are random gibberish at least as complex as the password. My mother’s maiden name is “kk&`V^522G/5O7t&5!#RBhrm\w.4lX”.

Yes, she is polish, how did you guess?

Next down I have a few 5-word diceware passphrases. 1 for my e-mail that is used nowhere else. The next in the form ThisIsFiveWordsLong+SITEURL. I copy+paste the URL when entering the password. I use it for sites/services where no financial information is given, I care about the account, and I have reason to believe the password is properly hashed and salted. Sites without that reason that I care about get keepass passwords.

Then there are the 1-off sites, and the sites I use regularly but don’t care about at all. For example, I use a site for midi soundfont downloads that requires an account. The account is purely for tracking, there’s no forum or any real reason for login credentials. So I use physical or mathematical constants.

Generally the golden ratio:

Phi=1.618033

Upper case, lower case, numbers, punctuation, 12 characters! It’s a perfect password for things that don’t need a password. If any of the hundreds of sites I’ve made an account for and forgotten about is compromised I lose access to all of them, but I’ve already forgotten their existence anyway. I also don’t use my real name or standard alias on such sites.

I’ve sacrificed security for convenience in the case of the 1-off sites, and convenience for security in the case of banking passwords (I don’t actually know any of them. I’ve never even seen most of them, just copy+paste from keepass into the login page.)

The above may strike you as preposterously complicated. It is, nevertheless, typical of the precautions that people who are serious about security take.

Cryptography

The second major question in security is, can somebody eavesdrop on your communication? This is the question of encryption, or, cryptography.

Everything you need to know about cryptography is contained in this link:

http://www.pgpi.org/doc/pgpintro/

You will be responsible for this introduction, not the rest of the website. We will be talking about this for the next several weeks. This is perhaps, the most conceptually difficult material we will cover in this class. Take your time reading it.

I need you to know the concepts of public and private key cryptography and certificate authentication as described on the above link.

The rest of the site site, www.pgpi.org contains a description of “pretty good privacy,” a public domain encryption program. If you are interested in this sort of thing you can pursue it further at this site. This is beyond the scope of this course. Computer security is a difficult but profitable field and people who like this sort of thing have a great future.

Vocabulary

These words are covered in the above reading. You should know what they all mean.

Public Key

Private Key

Key-Pair

Plaintext

Ciphertext

Encryption

Decryption

Session Key

Key-Ring

Digital Certificate

Cryptography

Both major issues in cryptography, encryption and authentication, are dealt with using public-key cryptography.
Some questions to test your understanding of these subject of public-key cryptography.

Bob has a public and private key pair. Jill and Alice know Bob’s public key. Jill encrypts a message to Bob using Bob’s public key. Alice intercepts the message. Can Alice decrypt the message?

Bob and Jill are married. Jill sends Bob a list of groceries to buy on the way home from work. She uses Bob’s public key to encrypt the grocery list (Jill is a little paranoid). She sends Bob the encrypted grocery list, throws out the original plaintext list, list but keeps a copy of the ciphertext for herself. Later on she doesn’t remember if she included eggs on the list. Can she check if eggs are on the list without calling Bob?

You go to the website bobjones.com. There is a picture of Bob Jones on the site along with Bob Jones’ public key. You leave your email address on the site. Later on you get an encrypted letter from Bob Jones. You use the public key from bobjones.com to decrypt the letter. This works. Under what circumstances would that letter be from Bob Jones? Under what circumstances would the letter be from someone else?

Tim Berners-Lee

The inventor of the web and author of the RFC for HTML. For an idea of how a technically sophisticated internet user (he invented the web!) uses the web, see his home page, and how he expects to get mail, and what kind of mail he won’t open.
http://www.w3.org/People/Berners-Lee/

In the news

http://news.techworld.com/security/3228701/fbi-hackers-fail-to-crack-truecrypt/?intcmp=ros-md-acc-p-nws

True crypt uses public key cryptography similar to the algorithms we discussed. One issue we didn’t discuss which came up in this article is plausible deniability – if you encrypt an area on a disk drive, can you deny that the area is encrypted?

Security – Authentication

Security

Authentication – strong and weak

Using public and private key technology

Using public and private key technologies

Problem – you login to 10 computers which are all high security (you work for a banking software company or a defense contractor). You want to use public-private key technology so that you don’t have to keep a file containing (10) 20-digit passwords in order to login to these computers.

Solution:

Download SSH version 2 (free)

Use SSH to generate a public-private key pair. These are files “public.ppk” and “private.ppk”.

Laboriously (20 digit passwords remember?) upload public.ppk onto all 10 machines.

Setup up your SSH client (on your local computer) to use private.ppk to authenticate you when you login.

All machines have your public key. They all can send you a message. You are the only person in the world with your private key. So you are the only person in the world who can decrypt the message they sent you. If you send the decrypted message back to them, they know it must be you. This works great as long as your private key is not lost or stolen. If it is stolen, all 20 machines may be compromised.

A step-by-step description of this process as applied to a Linux machine is here:

http://kb.iu.edu/data/aews.html

You will not be tested on this specific methodology, but you need to know how public-private keys work.