<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Jay Hankins</title>
    <description>The latest articles on Forem by Jay Hankins (@jayhankins).</description>
    <link>https://forem.com/jayhankins</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F130935%2F3d858093-3b0d-48e5-9ebe-e218ab572acb.jpg</url>
      <title>Forem: Jay Hankins</title>
      <link>https://forem.com/jayhankins</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/jayhankins"/>
    <language>en</language>
    <item>
      <title>Privacy and Security Series, Part III: Going Farther with MFA and Audits</title>
      <dc:creator>Jay Hankins</dc:creator>
      <pubDate>Tue, 03 Sep 2019 08:00:00 +0000</pubDate>
      <link>https://forem.com/jayhankins/privacy-and-security-series-part-iii-going-farther-with-mfa-and-audits-2e1h</link>
      <guid>https://forem.com/jayhankins/privacy-and-security-series-part-iii-going-farther-with-mfa-and-audits-2e1h</guid>
<description>&lt;p&gt;In the last Privacy and Security Series &lt;a href="//../privacy-and-security-series-part-ii-multi-factor-auth/"&gt;post&lt;/a&gt;, we talked about the importance of multi-factor authentication (MFA), also known as two-factor authentication (2FA). Enabling MFA is a giant leap forward when it comes to securing your online accounts — &lt;a href="https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/"&gt;Google and Microsoft both say that enabling MFA blocks 99.9% of account hacks&lt;/a&gt;.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;If hackers are germs, MFA is the Purell of internet account security.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;So, you’ve followed the password best practices we talked about, and you have a password manager, and you’ve enabled MFA on your accounts. Is there more you can do? &lt;strong&gt;Yes, of course!&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Going Farther with Two Factor Authentication
&lt;/h2&gt;

&lt;p&gt;Last week, Square &amp;amp; Twitter CEO Jack Dorsey had his &lt;a href="https://www.wired.com/story/jack-dorsey-twitter-hacked/"&gt;Twitter account compromised&lt;/a&gt; by a SIM-swap attack. Long story short, a fraudster was able to convince someone working for AT&amp;amp;T to swap Jack’s phone number to the fraudulent SIM, which was used to send Tweets via SMS.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why does a &lt;a href="https://krebsonsecurity.com/tag/sim-swapping/"&gt;SIM-swapping attack&lt;/a&gt; matter to you?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Well, if your MFA strategy is to have a one-time-password texted to your phone, you are vulnerable to a SIM-swap. Technically, anyone with a cellular device is vulnerable, but accounts backed by SMS-OTP MFA are vulnerable in particular.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Are there other downsides to SMS one-time-passwords?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Yeah, quite a few actually. As of July 2016, the U.S. National Institute of Standards and Technology (NIST) &lt;a href="https://blog.identityautomation.com/two-factor-authentication-2fa-explained-email-and-sms-otps"&gt;said to stop using them&lt;/a&gt;. I discuss some additional downsides in the previous post.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What’s a better alternative to SMS-OTPs?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Token-based OTPs (time-based OTPs)&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Not vulnerable to the SIM-swapping attack, because each one-time-password is generated from a seed/token value. So long as&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;the seed is not intercepted (which you can be reasonably sure of, if you trust the security of HTTPS/TLS and the root Certificate Authorities); and&lt;/li&gt;
&lt;li&gt;your OTP device is secure,&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;you are much more secure than with an SMS-based OTP.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;U2F / Yubikey / Other smartcard / certificate authentication&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Some companies, like Google, are supporting the FIDO/U2F/Yubikey approach, which involves the exchange of public keys to be matched with the private half of the keypair stored on secured hardware devices. So long as&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;no one steals your U2F device; and&lt;/li&gt;
&lt;li&gt;the encryption isn’t cracked,&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;you are even more secure than with Token-based OTPs, as the token seed is essentially the private key transmitted over the wire. The U2F approach keeps the private keys private.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Audit Your Settings
&lt;/h2&gt;

&lt;p&gt;Even after we’ve done the hard work of changing all our passwords and enabling multi-factor authentication on a bunch of services, there are still things you should do on a semi-frequent basis.&lt;/p&gt;

&lt;p&gt;For one, you should scrutinize the list of apps/services that are “connected” to your accounts. Maybe you’ve used Boomerang for Gmail, or have apps that use files on Google Drive. When was the last time you checked out that list?&lt;/p&gt;

&lt;p&gt;Below is a screenshot of some services that were connected to my Dropbox. I’m not proud of it. Look at how many entries have “full read/write access to any file”.&lt;/p&gt;

&lt;p&gt;&lt;a href="///static/493f95f9589ad3a48f8b9ae78aa3eda6/2b4d9/ScreenShot2019-01-16at4-6ae5466a-6ca0-4387-81fd-ba011939d766.11.42PM.png"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--l_lGL4rm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://jayhankins.me/static/493f95f9589ad3a48f8b9ae78aa3eda6/b9e4f/ScreenShot2019-01-16at4-6ae5466a-6ca0-4387-81fd-ba011939d766.11.42PM.png" alt="Dropbox Connected Apps Screenshot" title="Dropbox Connected Apps Screenshot"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Scrutinize this list and make sure you know every app and service that is connected. If you don’t recognize an app, remove it and change your password. Do this frequently for your highest-risk accounts, like your email provider. Google, Microsoft, Facebook, and Twitter all provide app connections, so check them often.&lt;/p&gt;

&lt;p&gt;Similarly, remove unknown or unused devices from your accounts. For example, your Google account may still have a phone registered and offer to send authentication push notifications to it. If you have any reason to believe a device is compromised, remove it.&lt;/p&gt;

&lt;p&gt;Finally, review recent security events if possible. Some companies let you look at recent login attempts, app connections, etc. At this point, you should be reviewing any activity information you have about your account by default.&lt;/p&gt;

&lt;p&gt;Google offers all of these features in an easy-to-use portal called “Security Checkup”.&lt;/p&gt;

&lt;p&gt;&lt;a href="///static/773f612605658c2efe5dfe6beff29e51/f3580/Untitled-326ccf91-c1f7-476c-b6bd-5aaa9a865aec.png"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--f5ubj2Tu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://jayhankins.me/static/773f612605658c2efe5dfe6beff29e51/b9e4f/Untitled-326ccf91-c1f7-476c-b6bd-5aaa9a865aec.png" alt="Google Security Checkup Screenshot" title="Google Security Checkup Screenshot"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And yeah, my account does not get an A+ in security, because I have an unsigned third-party app connected to Google Sheets. The good news: it’s a project I am developing, and I trust myself (mostly).&lt;/p&gt;

&lt;h2&gt;
  
  
  Next Time
&lt;/h2&gt;

&lt;p&gt;Of course there’s more. We haven’t even begun to talk about browser extensions which can seriously up your privacy game. Until then.&lt;/p&gt;

</description>
      <category>security</category>
      <category>multifactorauthentication</category>
      <category>passwords</category>
      <category>mfa</category>
    </item>
    <item>
      <title>Privacy and Security Series, Part II: Multi-factor Authentication</title>
      <dc:creator>Jay Hankins</dc:creator>
      <pubDate>Sun, 26 May 2019 08:50:00 +0000</pubDate>
      <link>https://forem.com/jayhankins/privacy-and-security-series-part-ii-multi-factor-authentication-2b42</link>
      <guid>https://forem.com/jayhankins/privacy-and-security-series-part-ii-multi-factor-authentication-2b42</guid>
      <description>&lt;p&gt;In the &lt;a href="https://jayhankins.me/2019/privacy-and-security-series-part-i-password-managers/"&gt;last Privacy and Security Series post&lt;/a&gt;, I wrote about the importance of password managers. In the face of data breaches and credential dumps occurring nearly every day, you need a strategy to protect yourself. Single-factor password authentication is weak, but password managers are a convenient tool to help you lock down your online accounts and localize a breach so that one leaked credential doesn’t give an attacker the “keys to the kingdom”. It’s all about preventing access to your accounts, people.&lt;/p&gt;

&lt;p&gt;By the way, in March news broke that 8fit had a data breach in July 2018. While the breach happened in July, the credential list didn’t appear for sale on the dark web until February 2019. My credentials, along with about 15 million others’, were leaked. Thanks to &lt;a href="https://haveibeenpwned.com"&gt;HaveIBeenPwned&lt;/a&gt;, I knew as soon as the experts did. If you didn’t sign up for it the &lt;a href="https://jayhankins.me/2019/privacy-and-security-series-part-i-password-managers/"&gt;last time I mentioned it&lt;/a&gt;, I again recommend it.&lt;/p&gt;

&lt;p&gt;In addition to adhering to password manager best practices, you can bring another layer of security to your online accounts with multi-factor authentication. Welcome to Part 2, all about multi-factor auth, why it’s useful, and how to set it up the right way.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is Multi-Factor Authentication (MFA)?
&lt;/h2&gt;

&lt;p&gt;When a system needs to authenticate that you are who you say you are, it can use a variety of factors, or pieces of information, to verify your identity. Many systems just use one factor, like a single password.&lt;/p&gt;

&lt;p&gt;Multi-factor Authentication is authentication that relies on more than one factor to verify you. Many things might be factors: security questions, one-time passwords, a PIN, etc. For example, a common multi-factor authentication scheme that you see with major U.S. bank websites involves both a password and a one-time passcode sent to your cellphone. Or, as Wikipedia points out:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;A good example of two-factor authentication is the withdrawing of money from an ATM; only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Multi-factor auth strategies are becoming more and more common. Two-factor authentication (2FA) usually involves a password (factor #1) and a token code (factor #2). The 2FA strategy is sometimes referred to as “something you know (the &lt;em&gt;password&lt;/em&gt;) and something you have (the &lt;em&gt;token&lt;/em&gt;).”&lt;/p&gt;

&lt;p&gt;2FA has actually been around for a while, especially in enterprise and government. Many folks will have used or at least seen an &lt;a href="https://en.m.wikipedia.org/wiki/RSA_SecurID"&gt;RSA SecurID&lt;/a&gt;, which is probably the single best-selling hardware token for 2FA. &lt;sup id="fnref-1"&gt;1&lt;/sup&gt; &lt;sup id="fnref-2"&gt;2&lt;/sup&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="///static/35292cc2206b80abd85c7868d41479f6/135ae/2019-05-25-17-16-27.png"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--am4tLzWp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://jayhankins.me/static/35292cc2206b80abd85c7868d41479f6/135ae/2019-05-25-17-16-27.png" alt="Newer RSA SecurID token"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="///static/61000de8b39226571df58d62a7062598/f6ab6/2019-05-25-17-17-09.png"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--nNuhmaFC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://jayhankins.me/static/61000de8b39226571df58d62a7062598/b9e4f/2019-05-25-17-17-09.png" alt="2019 05 25 17 17 09"&gt;&lt;/a&gt;RSA SecureID is a popular brand of hardware token.&lt;/p&gt;

&lt;p&gt;&lt;a href="///static/c35c3c3cbb328913b0c232a78533d5fb/2d849/2019-05-26-07-31-20.png"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7FAjZzNl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://jayhankins.me/static/c35c3c3cbb328913b0c232a78533d5fb/b9e4f/2019-05-26-07-31-20.png" alt="2019 05 26 07 31 20"&gt;&lt;/a&gt;Authy is a popular authenticator app which functions as a software token and a push authenticator.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why Use MFA?
&lt;/h3&gt;

&lt;p&gt;Basically, the strength of multi-factor auth is that it gives you an extra layer of security on top of passwords. More generally, MFA protects you when one of your factors is compromised.&lt;/p&gt;

&lt;p&gt;Say you only use a username/password combination to log into your Google/Gmail Account. That’s one factor, the password. If it’s leaked, &lt;strong&gt;100%&lt;/strong&gt; of the authentication factors are compromised. Your account is hacked.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;But&lt;/strong&gt;, if you use MFA, and the password is leaked, only &lt;strong&gt;50%&lt;/strong&gt; of the auth factors are compromised. The second factor is still unknown or unavailable to the attacker. For example, if your second authenticator is your (unhacked) smartphone, and it’s in your pocket, the attacker won’t have all the factors and won’t get in. Your account is safe.&lt;/p&gt;

&lt;p&gt;MFA is &lt;em&gt;especially&lt;/em&gt; useful for those pesky websites that have password length or character limitations. We &lt;a href="https://jayhankins.me/2019/privacy-and-security-series-part-i-password-managers/"&gt;all know&lt;/a&gt; that &lt;code&gt;Correct.horse-battery$Staple&lt;/code&gt; is a better password than &lt;code&gt;M@nc#3$ter&lt;/code&gt;… but for those sites that only support 16 characters [A-z1-9], a second authentication factor will drastically increase your security.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Set Up MFA
&lt;/h2&gt;

&lt;p&gt;Hopefully I have you convinced that MFA is important… the next step is to set this up for yourself. Luckily, we aren’t the only ones who have realized the benefit to MFA. Major online service providers are now 2/MFA enabled, and you’ve probably been prompted to set it up before.&lt;/p&gt;

&lt;p&gt;Probably the first thing you’ll need to do is choose a MFA token type. You can choose one or many, depending on your wants and needs.&lt;/p&gt;

&lt;h3&gt;
  
  
  Types of MFA Tokens
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;SMS&lt;/strong&gt; - Text messaging is on the list first &lt;em&gt;not&lt;/em&gt; because it is the most secure, but because it’s the most popular. Many, many websites now offer SMS one-time passwords, and unfortunately it’s sometimes all they offer. However, SMS one-time passwords are better than nothing!&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Software Token&lt;/strong&gt; - Software that generates one-time-passwords based on a cryptographic function of time and a token secret, which is given to you by the service provider when you set up 2FA. Most commonly you see TOTP (Time-based One-Time Password) generators. When you set up an authenticator app with a secret code or a QR code, you are using a TOTP software token.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Hardware Token&lt;/strong&gt; - There are a variety of hardware tokens. Some are OTP generators with a button press to generate codes, and others like the RSA token are always-on and cycle through a number of TOTP codes.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Push Authentication&lt;/strong&gt; - Push authentication is an MFA factor popularized by Duo, Authy, and Google. Basically, a push notification is sent to your smartphone and you approve or deny the request via the respective app. For example, Google can send Push Authentication notifications to any iOS device with the Gmail or Google apps installed.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;And More&lt;/strong&gt; - Yubikeys are a popular type of hardware token. They have multiple modes of operation, including TOTP, U2F, FIDO, and other protocols of your choice, but also a specialized Yubico code which is based off the key’s serial number, and a PIV mode for smart card protocols. Another app, called Krypton, emulates a hardware U2F key and can support MFA for SSH logins.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;What’s wrong with SMS?&lt;/em&gt;&lt;/strong&gt; SMS is the most popular, but probably weakest form of MFA. This is because it’s relatively easy for an attacker to convince your cell phone carrier that they are you, and the carrier will provision them a new SIM card, and from then on it is the attacker who receives your SMS one time passwords. I quickly Googled and found &lt;a href="https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac"&gt;two&lt;/a&gt; &lt;a href="https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124"&gt;cases&lt;/a&gt; where cell phone carriers were the weak link and allowed an unauthorized user to get a SIM card for your account. I recommend reading the two posts for full details.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where to Set Up MFA
&lt;/h2&gt;

&lt;p&gt;Ideally, you’ll set up 2FA everywhere! That said, you should enable 2FA on these at a minimum:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;your webmail&lt;/li&gt;
&lt;li&gt;financial sites&lt;/li&gt;
&lt;li&gt;healthcare/insurance sites&lt;/li&gt;
&lt;li&gt;social media accounts&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The first is obvious, I hope. If an attacker gets your email credentials, you’re pretty much done for. That’s because your email can probably be used to receive password reset emails for all your other accounts.&lt;/p&gt;

&lt;p&gt;Financial, healthcare, and insurance sites all hold a variety of sensitive data and breaches to those accounts can have material impacts on your life very quickly. It’s best to multi-factor those for extra peace of mind.&lt;/p&gt;

&lt;p&gt;Finally, I think it’s important that social media accounts be protected by MFA. It could be incredibly damaging for someone to hack your social media account and make false claims about you. Your character could be damaged, so I consider social media to be a high-risk environment needing extra security.&lt;/p&gt;

&lt;p&gt;Here’s a great resource for knowing which online services support MFA: &lt;a href="https://twofactorauth.org/"&gt;https://twofactorauth.org/&lt;/a&gt;. I recommend going through every service in the list and enabling 2FA for all that you have.&lt;/p&gt;

&lt;p&gt;&lt;a href="///static/3933cc82b9a3aa452ce5a82c4732f33a/d84c6/2019-05-25-19-08-57.png"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ArKjfYAl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://jayhankins.me/static/3933cc82b9a3aa452ce5a82c4732f33a/b9e4f/2019-05-25-19-08-57.png" alt="Screenshot of Twofactorauth.org"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;PCMag (hey, remember them? used to love that magazine) has a very thorough article on &lt;a href="https://www.pcmag.com/feature/358289/two-factor-authentication-who-has-it-and-how-to-set-it-up"&gt;how to set up 2FA for over 30 different online services&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQs
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Do you recommend a specific 2FA authenticator app?&lt;/strong&gt;&lt;br&gt;
No, I find them all to be about the same. I always prefer U2F or push notification authorization to TOTP apps (like Google Authenticator), but I use Authy for services where that’s the only option.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Isn’t this a bit inconvenient?&lt;/strong&gt;&lt;br&gt;
What’s more inconvenient, having to key in 2FA codes or having your accounts stolen from you? Keying in MFA codes a few times a (week/day/hour) is worth it because of how much more secure the practice can make your accounts.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;What about logging into applications?&lt;/strong&gt;&lt;br&gt;
This is a bit of a caveat. Modern applications that use OAUTH2 for logging into web services will typically &lt;strong&gt;not&lt;/strong&gt; need any special treatment. Actually, they are secured through the online service’s MFA login. For example, adding a Gmail account to an iPhone loads a Google login flow page.&lt;br&gt;
Other, older applications might need a statically generated password that bypasses the MFA login flow. For example, using Gmail over the IMAP protocol will need what Google calls an “application password”.&lt;br&gt;
You’ll have to check with your online service to find out how to handle each situation, but generally speaking, if you can’t access the login provider’s page, (e.g. the Google login flow) and are keying credentials into form fields in the application, you will need to obtain a static password.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Why is SMS 2FA bad?&lt;/strong&gt;&lt;br&gt;
Generally speaking, SMS 2FA is fine. I’m not sure about the security of the SMS protocol, but I mean it’s probably safe to bet that various government agencies could intercept your SMS codes. Do they want to? Probably not, but I don’t know what my readers are getting up to.&lt;br&gt;
The bigger danger is from your cell phone carrier itself: it seems that it’s fairly easy for an attacker to socially engineer their way into obtaining a SIM card for &lt;em&gt;your&lt;/em&gt; account. Then, suddenly, text messages meant for you are going to their phone, and they can get those SMS 2FA codes.&lt;br&gt;
Make sure you’ve taken security seriously with your cell phone carrier. Avoid using real answers to the security questions, and make sure you have any locks turned on. Some carriers allow you to set a passphrase or PIN which would be required to process any changes on the account.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;What happens if I lose my token (or phone)?&lt;/strong&gt;&lt;br&gt;
Unfortunately, there aren’t easy answers to this. The harder you make it for attackers to get into your account, the harder it will be for you to get into your account if you ever lose an authentication factor.&lt;br&gt;
When you enable 2FA with online services, they will typically provide you backup codes to print and store for safekeeping. It’s very important to keep these backup codes, else you may not have other ways to get in.&lt;br&gt;
My personal strategy includes having additional Yubikeys in safe locations in the (unlikely, I hope) event that I lose my primary authenticators.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;What are some other advantages and disadvantages of using mobile phones as authentication tokens?&lt;/strong&gt;&lt;br&gt;
Mobile phones are a great way to get started with two-factor authentication, either by SMS or a TOTP authenticator app. Authenticator apps are better typically. Wikipedia has a great &lt;a href="https://en.m.wikipedia.org/wiki/Multi-factor_authentication#Use_of_mobile_phones"&gt;section&lt;/a&gt; on the advantages and disadvantages. &lt;strong&gt;tl;dr:&lt;/strong&gt; phones may not be a great option if your data connection isn’t solid, and SMS delivery can be flaky in general. TOTP authenticator apps overcome this since the OTP is generated on-device.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Next Time
&lt;/h2&gt;

&lt;p&gt;And… that’s about it! Thanks for reading Part II. There’s more we could say about multi-factor auth, and we will! In Part III, we’ll talk about advanced multi-factor strategies focused primarily on Yubikey. (Spoiler: I started writing this article before acquiring Yubikeys…) You think we’re secure? You ain’t seen nothing yet.&lt;/p&gt;




&lt;ol&gt;
&lt;li&gt;&lt;p&gt;I’m not particularly interested in looking up whether this is true or not, all I know is that SecurIDs were and are everywhere. My mom had one in the late 90s/early 2000s and she didn’t work in tech, so it’s not like 2FA is a recent or nerdy development. (Does anyone have a picture of the credit card-sized RSA token from back then? I can’t quite remember what it looks like, but I think it was white… I’m dying to see a picture for nostalgia’s sake.)&lt;br&gt;
↩&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Did you know that SecurID systems used to have the concept of a “duress PIN”? This was a PIN that provided access but also silently logged a message for the sysadmin to know that the user was forced to authenticate.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;On older versions of SecurID, a “duress PIN” may be used—an alternate code which creates a security event log showing that a user was forced to enter their PIN, while still providing transparent authentication. Using the duress PIN would allow one successful authentication, after which the token will automatically be disabled. The “duress PIN” feature has been deprecated and is not available on currently supported versions.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Imagine the situation that caused the invention of that feature! Truly a gun-to-head scenario.&lt;br&gt;
↩&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>security</category>
      <category>password</category>
      <category>auth</category>
    </item>
    <item>
      <title>Password Managers and How to Use Them</title>
      <dc:creator>Jay Hankins</dc:creator>
      <pubDate>Tue, 12 Feb 2019 15:02:41 +0000</pubDate>
      <link>https://forem.com/jayhankins/password-managers-and-how-to-use-them-442m</link>
      <guid>https://forem.com/jayhankins/password-managers-and-how-to-use-them-442m</guid>
      <description>&lt;h2&gt;
  
  
  2019: Year of the Password Manager
&lt;/h2&gt;

&lt;p&gt;Seriously, it's 2019 and if you aren't using a password manager, it's my humble opinion that you're setting yourself up for a &lt;a href="https://www.macworld.com/article/1136079/bluray.html"&gt;&lt;em&gt;bag of hurt&lt;/em&gt;&lt;/a&gt;. Security breaches happen every day, some detected and others not. You must assume any credential to any web service could be leaked. To mitigate this risk, you need to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Use random, complicated passwords&lt;/li&gt;
&lt;li&gt;Never reuse a password&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By doing these two things, any leaked credentials can't be used to access other accounts. How do you accomplish them? Use a password manager. Recent changes in Apple's iOS and Google's Android have made it easier than ever to use password managers on your phone as well. You can read more about password managers &lt;a href="https://techcrunch.com/2018/12/25/cybersecurity-101-guide-password-manager/"&gt;here&lt;/a&gt;, but really you should stop questioning it. Basically if you use the internet, you are at risk.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to do it right
&lt;/h3&gt;

&lt;p&gt;It's not enough to just store your passwords in a password manager. Here's how to properly use a password manager:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Your master password must be completely unique.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It can't be related to anything else. There can be no chance of it leaking because it can only live in your head. It can't be easy for someone to figure out. It can't be birthdays, it can't be pet names, it can't be family names.&lt;/p&gt;

&lt;p&gt;One thing to note: passwords made up of words and phrases can actually be stronger than some passwords with common numbers or symbols. Have you heard of "&lt;a href="https://xkcd.com/936/"&gt;correct horse battery staple&lt;/a&gt;"?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Always generate passwords with as much randomness as possible.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Every website should get its own unique password. The more complicated it looks, the better. You're not going to remember it, your password manager is!&lt;/p&gt;

&lt;p&gt;You'll often find certain websites, like government, medical, and finance websites, that can't support a wide range of characters for the password, or can't support a long password. That's shitty (compliance and regulation lags behind actual best practices), but a password manager will help you make the best of this situation. A good password manager will have an entropy meter which will help you determine the strongest password you can fit into limited password requirements.&lt;/p&gt;

&lt;p&gt;Now of course, whenever you CAN generate complicated passwords, you should. Most modern websites will support fairly long and complex alphanumeric passwords.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Audit your passwords.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;As we talked about, Leaks Happen™. So, you need to be notified when your passwords have leaked online. First, go to &lt;a href="http://haveibeenpwned.com"&gt;haveibeenpwned.com&lt;/a&gt; to check your different email addresses, and then sign up for their email alerts. Have you been pwned? (Me too, there's no shame in it. It's just random! Really, if you've used the internet, you've probably been pwned.) If so, it's time to change some passwords.&lt;/p&gt;

&lt;p&gt;Good password manager apps will have functionality built in to locate weak passwords. You should change identified weak passwords immediately.&lt;/p&gt;

&lt;p&gt;You also can never have a duplicate password. Having a duplicate password is a really bad scenario, because then a single leak leaves you vulnerable in multiple places. Password managers generally will alert you to and discourage you from using duplicate passwords.&lt;/p&gt;

&lt;p&gt;Also, look for your credit providers to offer email alerts. There are some vendors that will search parts of the dark web to look for your information in leaks.&lt;/p&gt;

&lt;p&gt;Also also, were you part of the Marriott Leak? If so, sign up for the identity protection services they're paying for. It's the least you could do.&lt;/p&gt;

&lt;p&gt;And don't ever use a non-randomized password for anything ever again.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Don't answer security questions truthfully.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Security questions are bad. Do you know how easy it is for someone to figure out your birthday, your mom's maiden name, and/or your pet's name? These security questions are the &lt;em&gt;weakest&lt;/em&gt; form of security I can think of. Don't give real answers.&lt;/p&gt;

&lt;p&gt;Instead, give fake answers, or even better, put random passwords in for each question. Note that some websites won't accept highly-complex answers to security questions. That's okay, just make sure to watch the entropy meter of your password manager to generate the most secure answers possible.&lt;/p&gt;

&lt;p&gt;Now, anytime someone might try to reset your password or otherwise circumvent normal authentication flow, they'll be met with questions that have nonsense password answers.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Q: What is your mother's maiden name?&lt;/p&gt;

&lt;p&gt;A: "9T9.FE#54R98416B"&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Such a beautiful name.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Get an app everywhere you need it.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It seems important to say this. If you're setting up a password manager properly, you're no longer going to know any passwords except your master password.&lt;/p&gt;

&lt;p&gt;That means you need to sync up those passwords with any phones, tablets, or other computers that you use. Being locked out of your Google account because you're away from your computer isn't productive.&lt;/p&gt;

&lt;p&gt;Most password manager apps will cloud-sync your passwords in a premium offering, either on a subscription or as a one-time purchase. Cloud syncing is secure because your password wallet is encrypted with your master password (so its protection is only as strong as that one password); it's a waste of resources for an adversary to try to brute-force decrypt your password wallet unless you're someone ultra-important and believe state-sponsored attackers are targeting you. You can also use an offline password manager like KeePass and sync the passwords manually, though this is wildly inconvenient.&lt;/p&gt;

&lt;p&gt;Oh, and this includes browser extensions. All good password managers should have functional extensions that make it a breeze to use your secure passwords as you browse.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Be diligent.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Commit to using your password manager.&lt;/p&gt;

&lt;p&gt;If you have a lot of accounts on many websites, you're going to quickly realize it's a lot of effort to set up the password manager. As you log in to more sites and save those passwords in your app, you'll have to go back and audit again. Most passwords will need to be changed completely (to a new, secure one), some sites will have outdated URLs, login flows, etc. Be focused about taking care of this one day at a time, because it's easier to handle as it arises.&lt;/p&gt;

&lt;p&gt;A password manager also allows you to be cognizant of the accounts you have. Every once in a while I like to go through my password manager just to see what accounts I have open that I no longer use. It's always great to reduce the attack surface.&lt;/p&gt;

&lt;h2&gt;Next Time&lt;/h2&gt;

&lt;p&gt;Having secure passwords is just one part of a sound internet security strategy. Stay tuned for Part 2, where we'll talk about the next tool in your arsenal: two-factor authentication.&lt;/p&gt;

&lt;p&gt;Thanks for reading!&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This was originally posted on my personal blog at &lt;a href="https://jayhankins.me/2019/privacy-and-security-series-part-i-password-managers/"&gt;https://jayhankins.me/2019/privacy-and-security-series-part-i-password-managers/&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>I like VS Code. Should I Learn Vim?</title>
      <dc:creator>Jay Hankins</dc:creator>
      <pubDate>Sun, 27 Jan 2019 21:56:00 +0000</pubDate>
      <link>https://forem.com/jayhankins/i-like-vs-code-should-i-learn-vim-5g8g</link>
      <guid>https://forem.com/jayhankins/i-like-vs-code-should-i-learn-vim-5g8g</guid>
      <description>&lt;p&gt;Sindre Sorhus maintains an &lt;a href="https://github.com/sindresorhus/ama/"&gt;ama repo&lt;/a&gt; where someone asked him &lt;a href="https://github.com/sindresorhus/ama/issues/568"&gt;this&lt;/a&gt; question:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;I know some people (even the young ones) still swear by Vim. I am not sure if it's worth knowing vim as well?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;I took a minute to write some thoughts on Vim and shaking off the daunting "learn vim" feeling in a reply to the poster. Spoiler alert: I think it's worth knowing Vim.&lt;/p&gt;




&lt;p&gt;Hey &lt;a href="https://github.com/anishmittal2020"&gt;@anishmittal2020&lt;/a&gt;, I am 23 and just graduated with a computer science degree in May 2018, so I don’t know if you consider me one of the “young ones”, but here are some thoughts. I personally use VS Code around 80% of the time, and Vim 20% of the time. Here’s why I think Vim is valuable:&lt;/p&gt;

&lt;h2&gt;Vim is great for remote editing&lt;/h2&gt;

&lt;p&gt;Over time, you’ll find yourself in situations where using a GUI editor, such as VS Code or Sublime Text, isn’t easy or even possible, for instance when working on remote machines via SSH. Sure, in some cases you can use SFTP or SCP or rsync or whatever to use VS Code to edit remotely, but that’s a lot of work if you’re just trying to make simple changes.&lt;/p&gt;

&lt;p&gt;For example, what if you need to quickly change a system’s &lt;code&gt;hosts&lt;/code&gt; file? If you know Vim, then you just SSH to the system and run &lt;code&gt;vim /etc/hosts&lt;/code&gt;, save your changes, and you’re done. Again, you could sync directories or even use something like &lt;code&gt;sshfs&lt;/code&gt; for remote mounts, but that’s a heavyweight solution. Additionally, you may find that due to security concerns you can’t do this direct syncing or mounting.&lt;/p&gt;

&lt;p&gt;The same idea extends to Docker containers, where you might want to make a change in-container to verify it before you rebuild the Docker image.&lt;/p&gt;

&lt;h2&gt;You don’t have to learn Vim all at once&lt;/h2&gt;

&lt;p&gt;I think a lot of people get hung up on “learning” Vim because of the jokes about not being able to exit. It’s not just that, obviously, and there is a bit of complexity to Vim. But for all the power it gives you, you can get started with it fairly easily.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;To quit, it’s &lt;code&gt;:q!&lt;/code&gt;. Just knowing this command, we can learn a few things about Vim: commands start with &lt;code&gt;:&lt;/code&gt;, can be shortened &lt;code&gt;quit -&amp;gt; q&lt;/code&gt; and can be forced with &lt;code&gt;!&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;To save (write) a file, it’s &lt;code&gt;:w filename&lt;/code&gt;, which teaches us that we can also give parameters to commands.&lt;/li&gt;
&lt;li&gt;To quit and write, it’s &lt;code&gt;:wq&lt;/code&gt;, and we learn that commands can be chained together.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;hjkl&lt;/code&gt; are the movement keys, along with &lt;code&gt;w&lt;/code&gt; for “word” and &lt;code&gt;b&lt;/code&gt; for “back word”.&lt;/li&gt;
&lt;li&gt;Hit &lt;code&gt;i&lt;/code&gt; for Insert Mode where you can type. And hit &lt;code&gt;esc&lt;/code&gt; to get back to the command mode where the keys perform actions rather than typing.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In 5 bullet points, you’ve learned a lot about Vim and know the basics to edit a file. From here you just have to practice by using it, it’s truly the best way to learn something. If you’re familiar with the command line and have gone through the process of learning that, it’s the same thing. You use the terminal as much as you can, figuring out how to do things when you don’t know.&lt;/p&gt;

&lt;p&gt;If you didn’t know, there’s &lt;code&gt;vimtutor&lt;/code&gt;, which is a short 30-minute tutorial that helps you learn some more advanced things about Vim, like replacement modes, motion, and more. It has you make corrections in place so you practice as you go. I highly recommend it, but again, you don’t have to master everything at once. Vim is flexible, so there’s a lot of stuff you might never use. VS Code is the same way, and I bet you didn’t worry about learning all the ins and outs of it.&lt;/p&gt;

&lt;h2&gt;There are lots of plugins for Vim, but they’re harder to curate&lt;/h2&gt;

&lt;p&gt;The VS Code extension Marketplace is one of the best parts of VS Code because it makes it easy to find ways to customize the editor to your needs. Vim has mostly the same plugins, in my experience, although it is a bit more challenging to curate and manage them. Mostly you use a plugin manager like &lt;code&gt;vim-plug&lt;/code&gt; and store configuration in your &lt;code&gt;.vimrc&lt;/code&gt;.&lt;/p&gt;

&lt;h2&gt;VS Code doesn’t run everywhere (yet?*)&lt;/h2&gt;

&lt;p&gt;This goes back to the remote editing aspect, but with a twist. I just purchased an iPad Pro for use as an ultra-portable computer when I travel (I really hate lugging laptops in the airport 😅). I rely on SSH and my remote servers to be able to really work (mostly coding and configuration changes). Essentially, the iPad becomes a remote terminal to the server and I’m doing my work there (not unlike the mainframe days 😄) so my only option is an editor that works over SSH. There are lots of editors out there but I prefer Vim!&lt;/p&gt;

&lt;p&gt;* VS Code is just a JavaScript application. It’s all just code! ¯\_(ツ)_/¯ Its editor can be and has been shipped in other web apps, so you could potentially find a cloud editor with similar capabilities today (Cloud9? I’m not interested in this because I find the UX of a web editor quite poor, so I don’t really know), but that isn’t quite the same. In the future, it’s possible that we’d see VS Code on the iPad or ... VR headsets ... Tesla automobiles? Who knows. Anything is possible. Maybe Vim will come to those platforms too 😎&lt;/p&gt;

&lt;h2&gt;Over time, you’ll probably get curious enough to try Vim anyway&lt;/h2&gt;

&lt;p&gt;This is just what I’ve seen in myself and my peers! 👨‍💻 👩‍💻&lt;/p&gt;

&lt;p&gt;You asked if it’s “worth knowing Vim”, and I think the answer is yes, but perhaps you shouldn’t fret about the learning aspect as much as just using it when you can!&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This was originally posted on my personal blog at &lt;a href="https://jayhankins.me/2019/i-like-vs-code-should-i-learn-vim/"&gt;https://jayhankins.me/2019/i-like-vs-code-should-i-learn-vim/&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Connect to Purdue CS Files Using SSHFS</title>
      <dc:creator>Jay Hankins</dc:creator>
      <pubDate>Mon, 29 Aug 2016 22:40:32 +0000</pubDate>
      <link>https://forem.com/jayhankins/connect-to-purdue-cs-files-using-sshfs-2nl7</link>
      <guid>https://forem.com/jayhankins/connect-to-purdue-cs-files-using-sshfs-2nl7</guid>
      <description>&lt;p&gt;Here’s a quick tutorial on how I access my Purdue CS files remotely so that I can still use all my preferred local development tools, like Sublime Text and my shell customizations.&lt;/p&gt;




&lt;h2&gt;Install Required Software on Mac OS X&lt;/h2&gt;

&lt;p&gt;I assume you already have &lt;a href="http://brew.sh/"&gt;Brew&lt;/a&gt; and &lt;a href="https://caskroom.github.io/"&gt;Homebrew Cask&lt;/a&gt; installed on your Mac.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;Use cask to install &lt;a href="https://osxfuse.github.io/"&gt;osxfuse&lt;/a&gt;:&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;brew cask install osxfuse
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Use cask to install &lt;code&gt;sshfs&lt;/code&gt;:&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;brew cask install sshfs
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;/li&gt;
&lt;/ol&gt;



&lt;h2&gt;Mount Your Remote Directory&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;Run the following command to mount the remote directory on your local machine:&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sshfs &amp;lt;username&amp;gt;@data.cs.purdue.edu:/homes/&amp;lt;username&amp;gt;/ ./desired_mountpoint -o auto_cache,reconnect,defer_permissions,noappledouble
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;For example:&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sshfs hankinsj@data.cs.purdue.edu:/homes/hankinsj/ ./purdue -o auto_cache,reconnect,defer_permissions,noappledouble
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Now change into the directory you mounted to. You should see the remote files in the directory, and you can interact with them just as if they were local files on your Mac.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;Unmount Your Remote Directory&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;Run the &lt;code&gt;umount&lt;/code&gt; command to unmount the directory:&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;umount ./desired_mountpoint
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;For example:&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;umount ~/purdue
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;/li&gt;
&lt;/ol&gt;






&lt;p&gt;Of course, this works on any system that supports SSH, but the case of connecting to Purdue servers to work on projects from home has been especially convenient during my time as a CS student. I’ve found it to be a bit flaky depending on your network connectivity, and it rarely resumes the mount from a suspend gracefully. However, it’s a really convenient way to access your files remotely while still developing locally.&lt;/p&gt;

&lt;p&gt;Are you a Purdue CS student that stumbled upon this? Did it help you? Did something not work? Let me know &lt;a href="////twitter.com/jay_hankins"&gt;@jay_hankins&lt;/a&gt;!&lt;/p&gt;

</description>
    </item>
  </channel>
</rss>
