The concern over targeted emails from sophisticated attackers is only increasing after the Aurora attacks, not to mention the latest Google vs. China row and RSA’s compromise. One technique attackers use to make a targeted email look more legitimate is to fake or spoof the email’s From address using the recipient’s own domain, so it is more likely to be opened. The constant message from security about the dangers of email means that opening a spoofed message causes a lot of alarm for the average user, which of course is usually only evident after the message has been opened. That is quickly followed by the usual questions: why am I getting this email, Joe said he didn’t send it? It says I sent it! It’s not in my sent items, am I infected?

Spoofing email addresses has a long history of being allowed by the SMTP protocol, and many companies currently rely on that “feature” to deliver mail legitimately: think surveys, send-this-link-to-a-friend, web page forms, mailing lists, etc. So it’s not as simple as just blocking everything with an internal domain that comes from the Internet, because it’s not all bad. It’s also made more difficult by how SMTP works: the MAIL FROM (aka SMTP from, RFC 2821, envelope from) is often what is evaluated at the mail gateway/server level, but the user only sees the From header (aka RFC 2822, message from), and nothing in SMTP requires the two to match.
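To make the envelope-versus-header point concrete, here is an added example (my own illustration, not code from the original post) of a gateway check that looks at both layers. The domain `example.com`, the allowed third-party sender domains, and the sample messages are all assumptions constructed for the example. It flags mail that arrives from the Internet with our own domain in the visible From: header unless the envelope sender is one of the services we knowingly let send as us, which is exactly the “surveys, web forms, mailing lists” exception the post describes.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: our own domain, and the third-party services
# (survey vendor, mailing-list host) allowed to send "as" us from outside.
INTERNAL_DOMAIN = "example.com"
ALLOWED_ENVELOPE_DOMAINS = {"bounce.surveyvendor.example", "lists.example.net"}


def parse_mail_from(command: str) -> str:
    """Envelope sender from the SMTP 'MAIL FROM:<addr> [params]' command.
    An empty reverse-path '<>' (bounces) comes back as ''."""
    _, _, rest = command.partition(":")
    parts = rest.split()
    return parts[0].strip("<>").lower() if parts else ""


def header_from(raw_message: str) -> str:
    """Address in the RFC 2822 From: header, i.e. what the user's client shows."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()


def domain_of(address: str) -> str:
    return address.rpartition("@")[2]


def classify(mail_from_command: str, raw_message: str, from_internet: bool) -> str:
    """Gateway decision for one message.

    The envelope (MAIL FROM) is what the gateway normally evaluates; the header
    From: is what the recipient sees. A message that arrives from the Internet
    with our domain in the *header* From: is spoofed unless the *envelope*
    domain is one of the services we knowingly let send as us.
    """
    env_domain = domain_of(parse_mail_from(mail_from_command))
    hdr_domain = domain_of(header_from(raw_message))

    if not from_internet:
        return "internal"  # came from our own servers; nothing to check here
    if hdr_domain != INTERNAL_DOMAIN:
        return "external"  # ordinary Internet mail, not claiming to be us
    if env_domain in ALLOWED_ENVELOPE_DOMAINS:
        return "allowed-third-party"  # survey / list / web-form sender we expect
    if env_domain == INTERNAL_DOMAIN:
        return "spoofed-envelope-and-header"  # both layers claim to be us, from outside
    return "spoofed-header"  # envelope is someone else; only the visible From: is ours


# Constructed sample traffic for the demo (not real mail).
SPOOFED = (
    "MAIL FROM:<random@attacker.example>",
    "From: Joe Smith <joe.smith@example.com>\r\n"
    "To: you@example.com\r\nSubject: Updated org chart\r\n\r\nSee attached.\r\n",
)
SURVEY = (
    "MAIL FROM:<bounces-123@bounce.surveyvendor.example> SIZE=2048",
    "From: HR Team <hr@example.com>\r\n"
    "To: you@example.com\r\nSubject: Survey\r\n\r\nPlease reply.\r\n",
)
OUTSIDE = (
    "MAIL FROM:<newsletter@vendor.example>",
    "From: Vendor News <news@vendor.example>\r\n"
    "To: you@example.com\r\nSubject: Hi\r\n\r\nHello.\r\n",
)

if __name__ == "__main__":
    for name, (cmd, msg) in {"spoofed": SPOOFED, "survey": SURVEY, "outside": OUTSIDE}.items():
        print(f"{name:8s} envelope={parse_mail_from(cmd):45s} "
              f"header={header_from(msg):25s} -> {classify(cmd, msg, True)}")
```

The point to notice is that the survey message and the spoofed message look identical to the user (both show an @example.com From:), and only the envelope tells them apart; an allowlist keyed on the envelope is what lets the legitimate third parties through. This header-alignment idea is what SPF, DKIM and DMARC later standardized, but the check above needs nothing beyond what the gateway already sees in the SMTP session.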
So Facebook’s been in the news recently about their ever-degrading privacy protections and coding screwups (EFF link and Tech Crunch link). I’m not a big fan of the service, but it is a unique way to keep in touch with people you are far away from, as well as get updates on the “normal” part of their lives that don’t exactly warrant a phone call or email. Anyway, I’ve already erased almost all my personal info because I’m paranoid. I also check up on the privacy settings to see if I’m inadvertently leaking personal info because of my mistake or Facebook’s frequent policy changes.
I noticed an interesting feature yesterday that allows you to get an email when a computer that hasn’t been “authorized” authenticates to your account (Click Account Button…Account Settings…Account Security). Facebook also allows you to see a log of the computers that have authenticated to your Facebook (security guys love logs), which is cool. The log is weak on the technical side: no IP address, DNS hostname, or User-Agent, etc. But it is an interesting feature that I believe banks should offer as well.
So I had a debate with my wife and father-in-law the other day. They insisted that his 2-month-old HP laptop with Vista Home was broken. He had just started staying with us after being in the shoe-horned suburbs of Las Vegas for about a year. Seriously, those houses are WAY too close. Anyway, it went something like this…
Me: How is it broken?
Them: We can’t get to the internet.
Me: Well how do you usually get there?
Them: We just “click on the internet”
Me: Please show me.
Them: “Double clicking on the Desktop Internet Explorer icon”
Me: You need a connection to an ISP before IE will work.
InLaw: I always have a connection to an ISP, I just have to boot.
At this point I understood what was confusing them, and it struck me as a scary thought. They were so used to the prevalence of unsecured wireless routers in suburbia that it made more sense to them that the laptop was broken than that there happened to be no wide-open wireless signals in range. It goes to show how accommodating Windows is when it detects a wireless LAN: it simply connects, so the user doesn’t have to do anything but “click on the Internet.”
I hear the new routers are starting to come out with pre-shared keys already defined and “SecureEasySetup” technology, which is good; hopefully they are all WPA and not WEP. But that doesn’t change the fact that there are tons of them already out there just waiting for someone to boot up. Now I’m going to surprise you and not go on a diatribe about why you should lock down your wireless router; isn’t the fact that someone else is using your $40/month connection enough? Linksys has some Flash video targeted at the average home user on how to set up WPA, MAC filtering, SSID broadcasting, etc.; here is a link. Of those, WPA with a long passphrase is the one that actually keeps anyone out; MAC filtering and hiding the SSID only deter the casual neighbor, since both the hardware address and the network name travel over the air in the clear. Remember, your security is your responsibility; in other words, you reap what you sow.
I really wish people would stop complaining about creating passwords. All it would take is a shift in thinking. If I may be so bold, consider this: your passwords are the most important thing standing between you and anyone, in any country, doing anything you can do! Reading your email, accessing your files, moving your money, etc. I submit that you should think of passwords as virtual keys to your house; would you want anyone else to have the same key to your house as you? Probably not.
Now to complexity. The most important thing when making passwords is length. Sometimes that is considered part of complexity, sometimes not, but in reality it trumps everything. By complexity I mean uppercase, lowercase, special characters, numbers, etc. For example, I’d rather have a 10 character alpha password than a 6 character alphanumeric password. A Securityfocus thread in August 2007 brings up some interesting mathematics involving the ancient (NT4 SP2) passfilt.dll that M$ stubbornly refuses to update, at least in a currently released OS. This DLL creates the restriction that passwords must be at least 6 characters and contain 3 of 4 categories (upper, lower, number, special), among other things; M$ article here. The posters debate how these M$ restrictions may actually lower the number of possible passwords a cracker would have to try, as opposed to having no requirements at all, because every candidate that fails the rule can be skipped without being tried. While I don’t feel comfortable, or motivated, to get into the mathematics, the point to remember is that length trumps any argument about variation of password makeup. Although it is not commonly accepted by the army of “pay me now” government regulation auditors, or even by many “old school” directory administrators, I recommend concentrating on length rather than only on passfilt.dll restrictions. Unfortunately companies often need to be more concerned with those auditors’ blessings than with InfoSec guys like me.
The problem, in my opinion, is being blinded by the mathematics while ignoring common sense. Yes, a 6 character alpha password has 308,915,776 possible combinations (26^6 = 308,915,776), and since the account locks out after 3 attempts, 3 out of 308,915,776 = impossible. But you can manipulate statistics and mathematics to prove many falsehoods; did you know 4 out of 5 people think the fifth one is an idiot? 🙂 My point is that malicious users love administrators and auditors who believe such logic, because they are forgetting about the weakest link in the InfoSec world: the average user (no offense). The logic does not apply to them because it assumes a completely random 6 character password, whereas users will pick anything but. Can you say 123456? “That’s Amazing! I’ve got the same combination on my luggage!” And the lockout only counts online guesses; anyone who gets hold of the password hashes can try all 308,915,776 offline at their leisure.
So longer is better. The next time you have to change your password, try something like this: “Wow, I loved going to Pacific Beach that 1 time”. You, your data, and your company’s network will be MUCH better off.
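The keyspace arithmetic from the Securityfocus thread, worked through as an added example (my own code, not from the original post or the thread). The character-class sizes are assumptions: 26 upper, 26 lower, 10 digits, and 32 for “special”, the count of printable ASCII punctuation. It counts, by inclusion-exclusion, how many strings of a given length satisfy a “use at least N of the 4 classes” rule such as passfilt.dll’s 3 of 4, compares that with no rule at all, and puts a plain 10 character lowercase password beside it so the length-versus-complexity claim can be checked in bits rather than argued. A brute-force counter over a tiny alphabet is included to confirm the formula.

```python
from itertools import combinations, product
from math import log2

# Assumed character classes. passfilt.dll's "special" class is every printable
# non-alphanumeric character; 32 is the count of printable ASCII punctuation.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}


def keyspace(length: int, classes: dict) -> int:
    """All strings of `length` over the union of the classes (no rule enforced)."""
    return sum(classes.values()) ** length


def keyspace_using_exactly(length: int, classes: dict, used: tuple) -> int:
    """Strings of `length` that contain at least one character from every class
    in `used` and none from any other class (inclusion-exclusion over subsets)."""
    total = 0
    for k in range(len(used) + 1):
        for subset in combinations(used, k):
            alphabet = sum(classes[c] for c in subset)
            total += (-1) ** (len(used) - k) * alphabet ** length
    return total


def keyspace_with_rule(length: int, classes: dict, min_classes: int) -> int:
    """Strings of `length` that satisfy a 'use at least `min_classes` of the
    classes' rule, e.g. passfilt.dll's 3 of 4. min_classes=0 means no rule."""
    names = list(classes)
    return sum(
        keyspace_using_exactly(length, classes, used)
        for k in range(min_classes, len(names) + 1)
        for used in combinations(names, k)
    )


def bits(n: int) -> float:
    """Keyspace expressed as bits of entropy for a uniformly random pick."""
    return log2(n)


def brute_force_with_rule(length: int, class_chars: dict, min_classes: int) -> int:
    """Same count by enumeration; only feasible for tiny alphabets, and here to
    show the inclusion-exclusion formula agrees with a direct count."""
    alphabet = "".join(class_chars.values())
    count = 0
    for pw in product(alphabet, repeat=length):
        present = sum(1 for chars in class_chars.values() if any(ch in chars for ch in pw))
        if present >= min_classes:
            count += 1
    return count


if __name__ == "__main__":
    rows = [
        ("6 chars, lowercase only",           keyspace(6, {"lower": 26})),
        ("6 chars, all 94, no rule",           keyspace(6, CLASSES)),
        ("6 chars, all 94, passfilt 3 of 4",   keyspace_with_rule(6, CLASSES, 3)),
        ("8 chars, all 94, passfilt 3 of 4",   keyspace_with_rule(8, CLASSES, 3)),
        ("10 chars, lowercase only",           keyspace(10, {"lower": 26})),
        ("48 chars, lowercase + space",        keyspace(48, {"lower": 26, "space": 1})),
    ]
    for label, n in rows:
        print(f"{label:34s} {n:>28,d}  {bits(n):6.1f} bits")
```

Two things fall out of the table: the 3-of-4 rule removes a chunk of the 6 character keyspace rather than adding to it, and ten lowercase letters (about 47 bits) already beat six characters drawn from all 94 printable characters (about 39 bits). The bits figures assume a uniformly random password; the author’s real point is that users do not pick uniformly, so these are upper bounds on what an attacker faces.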
I’m going to keep this article from the Miami Herald, so I can forward it to anyone who complains about needing a one-time password to remotely access their employer’s network. I encourage everyone to program a red flag to pop up in your head whenever anything asks you for a username/password. Ask yourself…
Do I believe I can trust this physical location?
- Is it shared internet and/or computer access?
- Do I trust who had access before me?
Do I believe I can trust this virtual location?
- Is it HTTPS with a valid certificate?
- Did I get here from a reliable source?
What would happen if these credentials were compromised?
- Remember, many sites will reset a password by emailing you a link, relying on nothing but the belief that only you can read your webmail.
Of course, almost all of the long-term risk posed by these threats can be mitigated by using a one-time password. Next time you have to use one, thank an Information Security Administrator instead of complaining to one.