The University of Massachusetts Amherst
Categories
Apps Hardware Security

Data Backups

Broken laptops happen to anyone and everyone, and they generally choose the least convenient time to break down. Whether it’s right at the beginning of an online test, as soon as you finish a long and important paper, or when you have just finished all your work and really want to watch Netflix, your laptop seems to know exactly when you least want it to break. However, while a ruined Netflix session might be unfortunate, there’s not much worse than losing all of your files.

Nowadays computers are used to store everything from irreplaceable home movies to 100-page thesis papers, and backing up data is more important than ever. If your computer crashes, there’s no guarantee that your data will still be there if it turns on again. If that happens, the best way to save yourself some heartbreak and frustration is to have a regular backup of your data, or even two (or three if it’s something as important as your thesis!). For someone who barely uses their laptop, backing up once a month might be plenty. However, anyone who regularly uses their laptop to write or edit documents (which is the case for most students) should be backing up their machine at least once a week, if not more frequently.

So how and where can you back up your data? Well, there are a few popular options, namely an external drive or the cloud.

External

For external drives, 1TB is a standard size, although you might want to get a bigger one if you have a really large amount of files that you want to back up (or a million photos and videos). Some popular brands are Seagate, Western Digital, and Toshiba and they run about $50 for 1TB drives. Also be sure to get one that has USB 3.0, as that will increase the speed of the data transfer.


Cloud

UMass provides unlimited secure online storage through Box. With Box you are able to securely store and share your files online, so that they can be accessible through multiple devices and so that you won’t lose them if your laptop decides suddenly to stop working. To read more about Box or get started with backing up your files you can go to https://www.umass.edu/it/box.


Categories
Linux Security Software

Hiding in Plain Sight with Steganography

Steganography is the process of hiding one file inside another, most popularly hiding a file within a picture. If you’re a fan of Mr. Robot you are likely already somewhat familiar with this.

Although hiding files inside pictures may seem hard, it is actually rather easy. All files, at their core, are just sequences of bytes, so hiding one file in another is just a matter of inserting the bytes of one file into the other.

Even though this is possible on all platforms, it is easiest to accomplish on Linux (although the following commands will probably work on macOS as well).

There are many different ways to hide different types of files; however, the easiest and most versatile method is to use zip archives.

Once you have created your own zip archive, you can append it to the end of an image file, such as a PNG.

cat deathstarplans.zip >> r2d2.png

If you’re wondering what just happened, let me explain. cat prints out a file (deathstarplans.zip in this instance). Instead of printing to the terminal, >> tells your shell to append that output to the end of the specified file, r2d2.png.

We could also have used >; however, that would replace the text of the specified file, specifically the metadata of r2d2.png in this instance. This does work and it would still allow you to view the image… BUT r2d2.png would be easily recognized as containing a zip file, which defeats the entire purpose.

Getting the file(s) out is also easy: simply run unzip r2d2.png. unzip will print a warning that there are “x extra bytes” before the zip file, which you can ignore; it basically just restates that we hid the zip inside the PNG. And so the files pop out.
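Because the appended zip lives entirely after the PNG’s final IEND chunk, a defender can detect this trick by walking the PNG chunk list and checking for trailing bytes. The following is an added example, not part of the original post: it builds a constructed 1×1 PNG and a constructed zip in memory, appends one to the other exactly as the cat >> command above does, and then reports the trailing data and any zip entries found there.

```python
import io
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_EOCD_SIGNATURE = b"PK\x05\x06"  # zip end-of-central-directory marker


def png_end_offset(data: bytes) -> int:
    """Walk the PNG chunks and return the offset just past the IEND chunk.

    Raises ValueError if the bytes are not a well-formed PNG up to IEND.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length field + type + payload + CRC
        if pos > len(data):
            raise ValueError("truncated PNG chunk")
        if ctype == b"IEND":
            return pos
    raise ValueError("PNG has no IEND chunk")


def list_zip_names(data: bytes) -> list:
    """Names inside a zip archive embedded in data, or [] if none parses.

    zipfile locates the archive from its end, so a zip appended to a PNG
    is readable without stripping the PNG first (the same way unzip works).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def inspect_png(data: bytes) -> dict:
    """Report how many bytes follow IEND and whether they look like a zip."""
    trailer = data[png_end_offset(data):]
    has_zip = ZIP_EOCD_SIGNATURE in trailer
    return {
        "trailing_bytes": len(trailer),
        "zip_eocd_found": has_zip,
        "zip_names": list_zip_names(data) if has_zip else [],
    }


# --- constructed sample inputs (not files from the original post) ---

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", crc)


def make_tiny_png() -> bytes:
    """A valid 1x1 8-bit RGB PNG containing a single red pixel."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00" + b"\xff\x00\x00"  # filter byte + one RGB pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def make_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean = make_tiny_png()
    # equivalent of: cat deathstarplans.zip >> r2d2.png
    stego = clean + make_zip({"deathstarplans.txt": b"constructed sample"})
    print("clean :", inspect_png(clean))
    print("stego :", inspect_png(stego))
```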

So why zip? Tar tends to be more popular on Linux… however, tar has a problem with this method. Tar does not parse through the file to get to the actual start of the archive, whereas zip does so automatically. That isn’t to say it’s impossible to get tar to work; it simply would require some extra work (aka scripting). However, there is another, more advanced way: steghide.

Unlike zip, steghide does not come preinstalled on most Linux distros, but it is in most default repositories, including those for Arch and Ubuntu/Linux Mint.

sudo pacman -S steghide – Arch

sudo apt install steghide – Ubuntu/Linux Mint

Steghide does have its ups and downs. One upside is that it is a lot better at hiding and can easily hide any file type. It does so by using an advanced algorithm to hide the data within the image (or audio) file without changing the look (or sound) of the file. This also means that without using steghide (or at least the same mathematical approach as steghide) it is very difficult to extract the hidden files from the image.

However, there is a big drawback: steghide only supports a limited set of ‘cover’ files – JPEG, BMP, WAV, and AU. But since JPEG files are a common image type, it isn’t a large drawback and will not look out of place.

To hide the file, the command would be steghide embed -cf clones.jpg -ef order66.pdf

At which point steghide will prompt you to enter a password. Keep in mind that if you lose the password you will likely never recover the embedded file.

To extract the file we can run steghide extract -sf clones.jpg; assuming we use the correct password, the hidden file is revealed.

All that being said, both methods leave the ‘secret’ file untouched and only hide a copy. Assuming the goal is to hide the file, the copies in the open need to be securely removed. shred is a good command for this: it overwrites the file multiple times to make it as difficult to recover as possible.

shred -z order66.pdf

or to delete it automatically

shred -zu order66.pdf

Categories
Operating System Security

Password Security on Github

“The password you provided has been reported as compromised due to re-use of that password on another service by you or someone else. GitHub has not been compromised directly. To increase your security, please change your password as soon as possible.”

I thought this was funny when I first saw this message from Github, a website that has over 28 million users and 57 million repositories. I knew I was receiving this message because I used a very similar password for my IBM intern account and my personal account.

So I was telling my coworkers in IT about it, and they pointed out to me in horror – “That means they’re storing passwords in plaintext…”

Well, it turns out this isn’t true. In fact, they use a fairly secure key-derivation function (KDF) called bcrypt.

For obvious reasons, this is scary. The responsible practices for password storage are, well, complicated. It’s a combination of hashing or the more secure key-derivation function, both of which basically scramble up the user’s password so that not just anyone can decode it, and a careful implementation of where . If a company isn’t using proper security for user data, there’s an increased risk of getting hacked. And realistically, if someone managed to snag the password to your GitHub account, they’d likely be able to get into at least a few of your other accounts as well.

If you want to learn about this more in depth, you can read this interesting thread.

Categories
Apps Security Web

What’s Going on with Cambridge Analytica?

If you’ve paid attention in the news this week, you may have heard the name “Cambridge Analytica” tossed around or something about a “Facebook data breach.” At a glance, it may be hard to tell what these events are all about and how they relate to you. The purpose of this article is to clarify those points and to elucidate what personal information one puts on the internet when using Facebook. As well, we will look at what you can do as a user to protect your data.

The company at the heart of this Facebook data scandal is Cambridge Analytica: a private data analytics firm based in Cambridge, UK, specializing in strategic advertising for elections. They have worked on LEAVE.EU (a pro-Brexit election campaign), as well as Ted Cruz’s and Donald Trump’s 2016 presidential election campaigns. Cambridge Analytica uses “psychographic analysis” to predict and target the kind of people who are most likely to respond to their advertisements. “Psychographic analysis”, simply put, is gathering data on individuals’ psychological profiles and using it to develop and target ads. They get their psychological data from online surveys that determine personality traits of individuals. They compare this personality data with data from survey-takers’ Facebook profiles, and extrapolate the correlations between personality traits and more readily accessible info (likes, friends, age group) onto Facebook users who have not even taken the survey. According to CEO Alexander Nix, “Today in the United States we have somewhere close to four or five thousand data points on every individual […] So we model the personality of every adult across the United States, some 230 million people.” This wealth of data under their belts is extremely powerful in their business, because they know exactly what kind of people could be swayed by a political ad. By affecting individuals across the US, they can sway whole elections.

Gathering data on individuals who have not waived away their information may sound shady, and in fact it breaks Facebook’s terms and conditions. Facebook allows its users’ data to be collected for academic purposes, but prohibits the sale of that data to “any ad network, data broker or other advertising or monetization-related service.” Cambridge Analytica bought their data from Global Science Research, a private business analytics research company. The data in question was collected by a personality survey (a Facebook app called “thisisyourdigitallife”, a quiz that appears similar to the silly quizzes one often sees while browsing Facebook). This app, with its special academic privileges, was able to harvest data not just from the user who took the personality quiz, but from all the quiz-taker’s friends as well. This was entirely legal under Facebook’s terms and conditions, and was not a “breach” at all. Survey-takers consented before taking it, but their friends were never notified about their data being used. Facebook took down thisisyourdigitallife in 2015 and requested Cambridge Analytica delete the data, however ex-Cambridge Analytica employee Christopher Wylie says, “literally all I had to do was tick a box and sign it and send it back, and that was it. Facebook made zero effort to get the data back.”

This chain of events makes it clear that data analytics companies (as well as malicious hackers) are not above breaking rules to harvest your personal information, and Facebook alone will not protect it. In order to know how your data is being used, you must be conscious of who has access to it.

What kind of data does Facebook have?

If you go onto your Facebook settings, there will be an option to download a copy of your data. My file is about 600 MB, and contains all my messages, photos, and videos, as well as my friends list, advertisement data, all the events I’ve ever been invited to, phone numbers of contacts, posts, likes, even my facial recognition data! What is super important in the realm of targeted advertisement (though not the only info people are interested in) are the ad data, friends list, and likes. The “Ads Topics” section, a huge list of topics I may be interested in that determines what kind of ads I see regularly, has my character pinned down. Though some of these are admittedly absurd (Organism? Mason, Ohio? Carrot?), knowing I’m interested in computer science, cooperative businesses, Brian Wilson, UMass, LGBT issues, plus the knowledge that I’m from Connecticut and friends with mostly young adults says a lot about my character even without “psychographic analysis”—so imagine what kind of in-depth record they have of me up at Cambridge Analytica! I implore you, if interested, to download this archive yourself and see what kind of person the ad-brokers of Facebook think you are.

Is there a way to protect my data on Facebook?

What’s out there is out there, and from the Cambridge Analytica episode we know third-party companies may not delete data they’ve already harvested, and Facebook isn’t particularly interested in getting it back, so even being on Facebook could be considered a risk by some. However, it is relatively easy to remove applications that have access to your information, and that is a great way to get started protecting your data from shady data harvesters. These applications are anything that requires you to sign in with Facebook. This can mean other social media networks that link with Facebook (like Spotify, Soundcloud, or Tinder), or Facebook hosted applications (things like Truth Game, What You Would Look Like As The Other Gender, or Which Meme Are You?). In Facebook’s settings you can view and remove applications that seem a little shady.

You can do so by visiting this link, or by going into settings, then going into Apps.

After that you will see a screen like this, and you can view and remove apps from there.

However, according to Facebook, “Apps you install may retain your info after you remove them from Facebook.” They recommend to “Contact the app developer to remove this info”. There is a lot to learn from the events surrounding Facebook and Cambridge Analytica this month, and one lesson is to be wary of who you allow to access your personal information.

Categories
Security

Creating and Remembering Long Passwords – The Roman Room Concept

Comic courtesy of xkcd by Randall Munroe

If you are anything like me, you have numerous passwords that you have to keep track of. I can also safely assume that, unless you are in the vast minority of people, you also have autofill/remember passwords turned on for all of your accounts. I’m here to tell you that there is an easy way to remember your passwords so that using these convenient insecurities can be avoided.

The practice that I use and advocate for remembering and creating passwords is called The Roman Room. I’ll admit, this concept is not my own. I’ve borrowed it from a TV show called Leverage. I found it to be a neat concept, and as such I have employed it since. The practice works as follows: imagine a room; it can be real or fictional. Now imagine specific, detailed items that you can either “place” in the room, or that exist in the room in real life. This place could be your bedroom, your family’s RV, really anywhere that you have a vivid memory of and can recall easily. I suggest thinking of items that you know very well, as this will make describing them later easier: something like a piece of artwork, a unique piece of furniture, or a vacation souvenir. Something that makes a regular appearance in the same spot or something that has a permanence about it.

Now comes the challenging part: creating the password. The difficulty comes in creating a password that fulfills the password requirements at hand. This technique is most useful when you have the option to use a longer password (16+ characters), as that adds more security and allows for a more memorable/unique password. Let’s say, for example, that I often store my bicycle by hanging it on my bedroom wall. It’s a black and red mountain bike, with 7 speeds. I could conjure up the password “Black&RedMountain7Sp33d”.

Editor: This is not Tyler's bike.
Image: bicyclehabitat.com

Alternatively, I could create a password that describes the state of the bike as opposed to its appearance. This example reminds me of how the bike looks when it’s hung on the wall: it looks like it’s floating, which reminds me of that scene from E.T. I could then create the password “PhoneHomeB1cycle”, or something along those lines. This technique is just something that I find useful when it comes time to create a new password, and as a means to remember them easily that also prevents me from being lazy and using the same password again and again. Though this method doesn’t always generate the most secure password (by that I mean a gibberish-looking password), it is a means to help you create better passwords and remember them without having to store them behind yet another password (in a password manager). What good is a password if you can’t remember it or have to write it down?

Categories
Security Software Web

What Do Cryptocurrency Miners Do?

You’ve probably heard of Bitcoin. Maybe you’ve even heard of other cryptocurrencies, like Ethereum. Maybe you’ve heard that these cryptocurrencies are mined, but maybe you don’t understand how exactly a digital coin could be mined. We’re going to discuss what cryptocurrency miners do and why they do it. We will be discussing the Bitcoin blockchain in particular, but keep in mind that Bitcoin has grown several orders of magnitude greater in the 9-10 years it’s been around. Though other cryptocurrencies change some things up a bit, the same general concepts apply to most blockchain-based cryptocurrencies.

What is Bitcoin?

Bitcoin is the first and the most well-known cryptocurrency. Bitcoin came about in 2009 after someone (or someones, nobody really knows) nicknamed Satoshi Nakamoto released a whitepaper describing a concept for a decentralized peer-to-peer digital currency based on a distributed ledger called a blockchain, and created by cryptographic computing. Okay, those are a lot of fancy words, and if you’ve ever asked someone what Bitcoin is then they’ve probably thrown the same word soup at you without much explanation, so let’s break it down a bit:

Decentralized means that the system works without a main central server, such as a bank. Think of a farmer’s market versus a supermarket; a supermarket is a centralized produce vendor whereas a farmer’s market is a decentralized produce vendor.

Peer-to-peer means that the system works by each user communicating directly with other users. It’s like talking to someone face-to-face instead of messaging them through a middleman like Facebook. If you’ve ever used BitTorrent (to download Linux distributions and public-domain copies of the U.S. Constitution, of course), you’ve been a peer on a peer-to-peer BitTorrent network.

Blockchain is a hot topic right now, but it’s one of the harder concepts to describe. A blockchain performs the job of a ledger at a bank, keeping track of what transactions occurred. What makes blockchain a big deal is that it’s decentralized, meaning that you don’t have to trust a central authority with the list of transactions. Blockchains were first described in Nakamoto’s Bitcoin whitepaper, but Bitcoin itself is not equivalent to blockchain. Bitcoin uses a blockchain. A blockchain is made up of a chain of blocks. Each block contains a set of transactions, and the hash of the previous block, thus chaining them together.

Hashing is the one-way (irreversible) process of converting any input into a fixed-length string of bits. Hashing is useful in computer science and cryptography because it’s really easy to get the hash of something, but it’s almost impossible to find out what input originally made a particular hash. The same input will always produce the same output, but any little difference in the input will make a completely different hash. For example, in the hashing algorithm that Bitcoin uses, called SHA-256, “UMass” will always be:

D79DCC44F746FB74C71CE93CAA65A527AD0A743E7E57F5D5E5A7F21337D742F9

but “UMasss” will be completely different:

3EA2E03CE0286302451E2EAB2ABFEC310A6A164B4F27634FED4E81744A50D4E4

In this 64-character string, each character represents 4 bits. This hash can also be represented as 256 binary bits:

1101011110011101110011000100010011110111010001101111101101110100110001110001110011101001001111001010101001100101101001010010011110101101000010100111010000111110011111100101011111110101110101011110010110100111111100100001001100110111110101110100001011111001

Those are the general details that you need to know to understand cryptocurrency. Miners are just one kind of participant in cryptocurrency.

Who are miners?

Anybody with a Bitcoin wallet address can participate in the blockchain, but not everybody who participates has to mine. Miners are the ones with the big, beefy computers that run the blockchain network. Miners run a mining program on their computer. The program connects to other miners on the network and constantly requests the current state of the blockchain. The miners all race against each other to make a new block to add to the blockchain. When a miner successfully makes a new block, they broadcast it to the other miners in the network. The winning miner gets a reward of 12.5 BTC for successfully adding to the blockchain, and the miners begin the race again.

Okay, so what are the miners doing?

Miners can’t just add blocks to the blockchain whenever they want. This is where the difficulty of cryptocurrency mining comes from. Miners construct candidate blocks and hash them. They compare that hash against a target.

Now get ready for a little bit of math: remember those 256-bit hashes we talked about? They’re a big deal because there are 2^256 possible hashes (that’s a LOT!), ranging from all 0’s to all 1’s. The Bitcoin network has a difficulty value that changes over time to make finding a valid block easier or harder. Every time a miner hashes a candidate block, they look at the binary value of the hash, and in particular, how many 0’s the hash starts with. If the number of 0’s at the start of the hash is at least the target amount specified by the difficulty, then the block is valid! When a candidate block fails to meet the target, as they often do, the mining program tries to construct a different block.

Remember that changing the block in any way makes a completely different hash, so a block with a hash one 0 short of the target isn’t any closer to being valid than another block with a hash a hundred 0’s short of the target. The unpredictability of hashes makes mining similar to a lottery. Every candidate block has as good of a chance of having a valid hash as any other block. However, if you have more computer power, you have better odds of finding a valid block. In one 10 minute period, a supercomputer will be able to hash more blocks than a laptop. This is similar to a lottery; any lottery ticket has the same odds of winning as another ticket, but having more tickets increases your odds of winning.
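The “count the leading zero bits and try again” loop described above, as an added toy example (not code from the original post, and not Bitcoin’s real block header format): the block is a constructed string of previous hash, transactions and a nonce, hashed twice with SHA-256 as Bitcoin does, and the miner retries nonces until the hash meets a leading-zero-bit target. Real Bitcoin compares the hash against a numeric target rather than counting zero bits, but the lottery behaviour is the same.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Uppercase hex SHA-256 digest, matching the style of the hashes above."""
    return hashlib.sha256(data).hexdigest().upper()


def leading_zero_bits(hex_digest: str) -> int:
    """Number of 0 bits at the start of a hash given as a hex string.

    Each hex character is 4 bits, so a 64-character digest is 256 bits.
    """
    value = int(hex_digest, 16)
    total_bits = 4 * len(hex_digest)
    return total_bits - value.bit_length()


def block_hash(prev_hash: str, transactions: list, nonce: int) -> str:
    """Double SHA-256 over a constructed, simplified block header."""
    header = f"{prev_hash}|{'|'.join(transactions)}|{nonce}".encode()
    inner = hashlib.sha256(header).digest()
    return hashlib.sha256(inner).hexdigest().upper()


def mine(prev_hash: str, transactions: list, target_bits: int,
         max_nonce: int = 1 << 32) -> tuple:
    """Try nonces until the block hash starts with target_bits zero bits.

    Returns (nonce, hash, attempts). On average this takes about
    2**target_bits attempts, which is why more hashing power means more
    'lottery tickets' per ten-minute period.
    """
    for nonce in range(max_nonce):
        digest = block_hash(prev_hash, transactions, nonce)
        if leading_zero_bits(digest) >= target_bits:
            return nonce, digest, nonce + 1
    raise RuntimeError("no valid nonce found within max_nonce")


def verify(prev_hash: str, transactions: list, nonce: int,
           target_bits: int) -> bool:
    """Any node can check a claimed block with a single hash."""
    return leading_zero_bits(block_hash(prev_hash, transactions, nonce)) >= target_bits


if __name__ == "__main__":
    # Constructed sample inputs; the previous hash is a made-up placeholder.
    prev = "0" * 64
    txs = ["alice->bob:1.5", "carol->dave:0.25"]
    nonce, digest, attempts = mine(prev, txs, target_bits=16)
    print(f"found nonce {nonce} after {attempts} attempts: {digest}")
    print("valid:", verify(prev, txs, nonce, 16))
    # Changing a single transaction invalidates the nonce almost surely.
    print("tampered valid:", verify(prev, txs + ["eve->eve:100"], nonce, 16))
```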

Can I become a miner?

You probably won’t be able to productively mine Bitcoin alone. It’s like buying 1 lottery ticket when other people are buying millions. Nowadays, most Bitcoin miners pool their mining power together into mining pools. They mine Bitcoin together to increase the chances that one of them finds the next block, and if one of the miners gets the 12.5 BTC reward, they split their earnings with the rest of the pool pro-rata: based on the computing power (number of lottery tickets) contributed.

Takeaways

The U.S. dollar used to be tied to the supply of gold. A U.S. dollar bill was essentially an I.O.U. from the U.S. Federal Reserve for some amount of gold, and you could exchange paper currency for gold at any time. The gold standard was valuable because gold is rare and you have to mine for it in a quarry. Instead of laboring by digging in the quarries, Bitcoin miners labor by calculating hashes. Nobody can make fraudulent gold out of thin air. Bitcoin employs the same rules, but instead of making the scarce resource gold, they made it computer power. It’s possible for a Bitcoin miner to get improbably lucky and find 8 valid blocks in one day and earn 100 BTC, just like it’s possible but improbable to find a massive golden boulder while mining underground one day. These things are effectively impossible, but it is actually impossible for someone to fake a block on the blockchain (The hash would be invalid!) or to fake a golden nugget. (You can chemically detect fool’s gold!)

Other cryptocurrencies work in different ways. Some use different hashing algorithms. For example, Zcash is based on a mining algorithm called Equihash that is designed to be best mined by the kinds of graphics cards found in gaming computers. Some blockchains aren’t mined at all. Ripple is a coin whose cryptocurrency “token” XRP is mostly controlled by the company itself. All possible XRP tokens already exist and new ones cannot be “minted” into existence, unlike the 12.5 BTC mining reward in Bitcoin, and most XRP tokens are still owned by the Ripple company. Some coins, such as NEO, are not even made valuable by scarcity of mining power at all. Instead of using “proof of work” like Bitcoin, they use “proof of stake” to validate ownership. You get paid for simply having some NEO, and the more you have, the more you get!

Blockchains and cryptocurrencies have become popular buzzwords in the ever-connected worlds of computer science and finance. Blockchain is a creative new application of cryptography, computer networking, and processing power. It’s so new that people are still figuring out what else blockchains can be applied to. Digital currency seems to be the current trend, but blockchains could one day revolutionize health care record-keeping or digital elections. Research into blockchain technology has highlighted many weaknesses in the concept; papers have been published on double-spend attacks, selfish mining attacks, eclipse attacks, Sybil attacks, etc. Yet the technology still has great potential. Cryptocurrency mining has already brought up concerns over environmental impact (mining uses a lot of electricity!) and hardware costs (graphics card prices have increased dramatically!), but mining is nevertheless an engaging, fun and potentially profitable way to get involved in the newest technology to change the world.

Categories
Android iOS Operating System Security

SOS: Emergency Response in the Smartphone Era

By now, we’ve all seen or heard stories about a recent scare in Hawai’i where residents were bombarded (ironically) with an emergency notification warning of a ballistic missile heading towards the isolated island state. Within seconds, the people of Hawai’i panicked, contacting their families, friends, loved ones, and stopping everything that they were doing in their final minutes of their lives.

Of course, this warning turned out to be false.

The chaos that ensued in Hawai’i was the result of an accidental warning fired off by a government employee of the Emergency Management Agency. Not only did this employee send off a massive wave of crisis alert notifications to Hawaiians everywhere, but in some cases it took 30+ minutes to signal to people that this was a false alarm. With the rising tensions between the United States and the trigger-happy North Korea, you can imagine that this could be problematic, to put it simply.

The recent mishap in Hawai’i opens up a conversation about phone notifications when responding to crisis situations. While Hawaiians, and more broadly Americans, aren’t used to seeing this type of notification appear on their lock screen, this is a common and very effective tool in the Middle East, where Israel uses push notifications to warn of nearby short-range missiles coming in from Syria and the Gaza Strip/West Bank.


In a region full of hostilities and tense situations, with possible threats from all angles, Israel keeps its land and citizens safe using a very effective system called Red Alert, an element of Israel’s Iron Dome. According to Raytheon, a partner in developing this system, the Iron Dome “works to detect, assess and intercept incoming rockets, artillery and mortars. Raytheon teams with Rafael on the production of Iron Dome’s Tamir interceptor missiles, which strike down incoming threats launched from ranges of 4-70 km.” With this system comes the Red Alert, which notifies Israelis in highly populated areas of incoming attacks, in case the system can’t stop the missile in time. Since implementation in 2011, and with more people receiving warnings due to growing cell phone use, Israelis have been kept safe and are notified promptly, leading to a 90% success rate of the system and keeping civilian injuries/casualties at very low levels.

If this Hawaiian missile alert had been real, it could have saved many lives. In an instant, everyone was notified and people took their own precautions to be aware of the situation at hand. This critical mistake in the alert system can be worked on in the future, leading to faster, more effective approaches to missile detection, protection, and warnings, saving lives in the process.

In an era of constant complaint about the ubiquity of cell phone use, some of the most positive implications of our connected world have been obscured. Think back to 1940: London bombing raids were almost surprises, with very late warnings and signals that resulted in the destruction of London and many casualties. With more advanced weapons, agencies are designing even more advanced defense notification systems, making sure to reach every possible victim as fast as possible. In an age where just about everyone has a cell phone, saving lives has never been easier.


For more reading, check out these articles on Washington Post and Raytheon:

https://www.washingtonpost.com/news/post-nation/wp/2018/01/14/hawaii-missile-alert-how-one-employee-pushed-the-wrong-button-and-caused-a-wave-of-panic/?utm_term=.9898f44541cd

https://www.raytheon.com/capabilities/products/irondome/

Categories
Security Web

Private Data in the Digital Age

Former U.S. spy agency contractor Edward Snowden is wanted by the United States for leaking details of U.S. government intelligence programs

In a scenario where someone has a file of information stored on a private server with the intent to keep it private, is it ever justified for someone else to exploit a security flaw and post the information anonymously on the internet? There exists a fine line where the answer “depends” on the scenario. But this classification simply does not do the case justice, as there are extenuating circumstances where this kind of theft and distribution is justifiable.

One such case is whistle-blowing. Edward Snowden is still a man of much controversy. Exiled for leaking sensitive government documents, some label him a hero, others a traitor. Snowden was former Special Forces and later joined the CIA as a technology specialist. He stole top-secret documents pertaining to the National Security Agency and FBI tapping directly into the central servers of leading U.S Internet companies to extract personal data. Snowden leaked these documents to the Washington Post, exposing the PRISM code, which collected private data from personal servers of American citizens. This program was born out of a failed warrantless domestic surveillance act and kept under lock and key to circumvent the public eye. Americans were unaware and alarmed by the breadth of unwarranted government surveillance programs to collect, store, and search their private data.

Although Snowden illegally distributed classified information, the government was, in effect, doing the same but with the personal data of its constituents. I would argue that Snowden is a hero. He educated the American people about the NSA overstepping its bounds and infringing upon American rights. Governments exist to ensure the safety of the populace, but privacy concerns will always be in conflict with government surveillance and threat prevention. The government should not operate in the shadows; it is beholden to its people, and they are entitled to know what is going on.

The United States government charged Snowden with theft, “unauthorized communication of national defense information,” and “willful communication of classified communications intelligence information to an unauthorized person.” The documents that came to light following Snowden’s leaks pertained only to unlawful practices and did not compromise national security. Therefore, it appears as though the government is trying to cover up its own mistakes. Perhaps this is most telling in one of Edward Snowden’s recent tweets:

“Break classification rules for the public’s benefit, and you could be exiled.
Do it for personal benefit, and you could be President.” – @Snowden

This commentary on Hillary Clinton shows that, in the eyes of the government, who is right and who is wrong changes on a case-by-case basis. In many ways, Snowden’s case mirrors Daniel Ellsberg’s leak of the Pentagon Papers in 1971. The Pentagon Papers contained evidence that the U.S. Government had misled the public regarding the Vietnam War, strengthening anti-war sentiment among the American populace. In both cases, whistle-blowing was a positive force, educating the public about abuses happening behind their backs. While in general practice stealing private information and distributing it to the public is malpractice, in these cases the crime of stealing served to expose a larger evil and provide a wake-up call for the general population.

Alternatively, in the vast majority of cases, accessing private files via a security flaw is malicious, and the government should pursue charges. While above I advocated for a limited form of “hacktivism,” it was a special case: exposing abuses by the government which fundamentally infringed on the right to privacy. In almost all cultures, religions and societies, stealing is recognized as wrongdoing and is rightfully treated as such. Stealing sensitive information and posting it online should be treated in the same manner. Publishing incriminating files about someone else online can ruin their life chances. For example, during the infamous iCloud hack, thousands of nude or pornographic pictures of celebrities were released online. This was private information which the leaker took advantage of for personal gain. For many female celebrities it was degrading and humiliating. Therefore, the leaker responsible for the iCloud leaks was not justified in taking and posting the files. While the definition of leaking sensitive information for the “common good” can itself be a blurred line, a situation like the iCloud leak evidently did not fit in this category. Hacking Apple’s servers to access and leak inappropriate photos can only be labeled a malevolent attack on female celebrities, with potentially devastating repercussions for their careers.

While the iCloud hack was a notorious example of leaking private data in a hateful way, there are more profound ways in which posting private data can destroy someone’s life. Most notably, stealing financial information and identification numbers (such as a Social Security number) can have a huge, detrimental effect on someone’s life. My grandmother was a victim of identity theft, where someone she knew and trusted stole her personal information and used it for personal gain. This same scenario plays out online constantly and can drain someone’s life savings, reduce their access to credit and loans, and leave them with a tarnished reputation. Again, we draw a line between leaking something in the public’s interest and exploiting a security flaw for the leaker’s benefit. By gaining access to personal files, hackers can wreak havoc and destroy lives. Obviously this type of data breach is unacceptable and cannot be justified.

Overall, taking sensitive material and posting it anonymously online can generally be regarded as malpractice; however, there are exceptions, such as whistle-blowing, where the leaker is acting for the common good. These cases are few and far between, and the “bad cases” have harmful repercussions which can follow someone throughout their life. Ultimately, to recall Snowden’s case, everyone has a right to privacy. This is why someone leveraging a security flaw and posting files online is wrong from the get-go: it overrides personal privacy. In an increasingly digital world it is difficult to keep anything private, but everyone has a fundamental right to privacy which should not be disrespected or infringed upon.

Categories
Security

Physical Security is Important Too

Although Cyber Security Awareness month is over, that doesn’t mean you can forget to lock your computer. One should always remain vigilant to protect their personal data. One aspect of security that is often overlooked by most people is physical security; the protection of the devices themselves.

On an individual scale, physical security is as simple as not leaving your phone, laptop or tablet unattended in dining halls or the library. If you must leave your laptop, be sure to lock your screen and get a laptop lock. A quality lock can be had for around $20 and is well worth the cost when compared with the cost of a new laptop, plus the loss of any data you don’t have backed up. Also consider that many people store their passwords in their browser, for example with Google Chrome’s auto-fill feature. While this is convenient for the user, if someone steals your laptop and is able to log in, they now have access to all of your online accounts.

One might argue, “Isn’t that the point of having a login password on my computer?” and they would be correct. But there is a saying in the security industry: physical access is total access. This means that once someone has your device in their hands, they can do whatever they want given enough time. That is why, in industry, security-conscious businesses have security experts conduct a “penetration test.” A security expert goes unannounced to the office being tested and tries to circumvent the security in place there. This can take the form of lock picking, social engineering (i.e. “look like you belong”), or simply finding an open door. Once the expert (or an actual criminal) is inside, they have physical access to the company’s computer systems and data. From there, they can install keylogging or other data-gathering software, or simply steal encrypted hard drives to be broken into later.

While having a strong password is a good start to keeping your data secure, the importance of physical security cannot be overstated. One should always take precautions to prevent others from gaining access to their computer in any and every way possible.

Categories
Security

Quick Tips: Remembering Complex Passwords

(xkcd comic: “Password Strength”)

This XKCD comic notes a popular strategy for password security: using a series of words rather than a single word with special characters. But is this the best way to come up with a secure password that you can remember? Depending on what you create, the password may still not be very secure if it is low in complexity and the words you chose include common words like “password” or “umass”.

But remembering random letters and numbers is difficult, and you might find yourself writing down passwords or forgetting them entirely. Another strategy is to come up with a phrase of words, like “correct horse battery staple”, but then only use certain letters. If you only think of the phrase in your head, and then use something like the first letter and last letter of each word, you keep the ease of remembering a simple phrase, but now have “cthebyse” in your password. Adding some special characters to this will make a very strong password.

Longer passwords are even better, so if you can come up with a scheme like this for a long phrase, your password will be even stronger. “Mary had a little lamb its fleece was white as snow” is easy to remember, and the first letter of each word produces “mhallifwwas”.

You won’t find this in a dictionary attack, and recalling this complex string as you type it out is as easy as remembering the lyrics in your head. Just make sure you add any special character and case requirements to the password, and you’re good to go!
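The two derivation schemes described above, as an added example that is not part of the original post. The helper functions and the small wordlist are constructed for illustration; the wordlist stands in for the much larger lists a dictionary attack would use, and the check simply shows that the derived string no longer contains whole dictionary words even though every word of the phrase does.

```python
import re

# Constructed stand-in for a dictionary-attack wordlist (not from the post).
COMMON_WORDS = {
    "password", "umass", "correct", "horse", "battery", "staple",
    "mary", "little", "lamb", "fleece", "white", "snow",
}


def words_of(phrase: str) -> list[str]:
    """Split a phrase into lowercase alphabetic words, ignoring punctuation."""
    return re.findall(r"[a-z]+", phrase.lower())


def first_letters(phrase: str) -> str:
    """Scheme from the post: keep the first letter of each word."""
    return "".join(w[0] for w in words_of(phrase))


def first_and_last(phrase: str) -> str:
    """Scheme from the post: keep the first and last letter of each word.

    Design choice (not specified in the post): a one-letter word such as
    "a" contributes that letter twice, so the rule stays mechanical.
    """
    return "".join(w[0] + w[-1] for w in words_of(phrase))


def dictionary_hits(candidate: str, wordlist=COMMON_WORDS) -> list[str]:
    """Return wordlist entries (3+ letters) that appear inside the candidate.

    A derived string that still contains whole common words, such as the
    phrase words run together, is a weaker choice than one that does not.
    """
    return sorted(w for w in wordlist if len(w) >= 3 and w in candidate.lower())


def derive(phrase: str, scheme: str = "first_last", suffix: str = "!1") -> str:
    """Build a full password: derived core, capitalized first letter, and a
    suffix that satisfies typical special-character and digit requirements.
    """
    core = first_and_last(phrase) if scheme == "first_last" else first_letters(phrase)
    if not core:
        raise ValueError("phrase contains no words")
    return core[0].upper() + core[1:] + suffix


if __name__ == "__main__":
    for phrase in ("correct horse battery staple",
                   "Mary had a little lamb its fleece was white as snow"):
        print(phrase)
        print("  first+last:", first_and_last(phrase))
        print("  first only:", first_letters(phrase))
        print("  hits in raw phrase:", dictionary_hits(phrase.replace(" ", "")))
        print("  hits in derived:   ", dictionary_hits(first_and_last(phrase)))
```

The derived strings are still deterministic functions of a memorable phrase, so the scheme only helps if the phrase itself is not something an attacker would guess about you; the post’s advice to add case and special characters is applied by the suffix and capitalization in `derive`.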

Reference:
Munroe, Randall. “xkcd: Password Strength.” xkcd. N.p., n.d. Web. 17 Nov. 2016.

Categories
Security

Securing Your Online Services

With more and more of our lives happening online, it’s super important to protect all of your personal information with secure passwords. Your personal information is probably stored across a wide variety of social media, Google, banks, and other sites that contain information you would not want to fall into the wrong hands.

There are several different aspects to making sure your passwords are protecting you as much as possible. This post will serve as an online security audit, so that you can go through your online services and secure yourself as much as possible.

Step 1: Securing your email

Your email account is the most important account to secure. If someone has access to your email, then they can view all of your personal information within those messages. Your main email account is also used for password recovery for every other account that you have, so if they get into your email, there’s no stopping them from getting into your Facebook, Google, and banking information.

The first place to start is making sure your email has a very strong password. We will get into generating strong passwords later in the article, but your email account should definitely be one of the stronger ones. This is the first line of defense against people trying to enter into your email.

Step 2: Two-Factor Authentication

The basic premise behind two factor authentication

After you get set up with a strong alphanumeric password, the next step is to turn on two-factor authentication (sometimes known as two-step authentication). This system adds an additional layer of security to your account by requiring you to have your phone or another device in order to get into your account. There are various implementations of this system, but it generally works by receiving a text message with a code that you enter after you enter your password. This code expires after 30 seconds, so even if someone were able to steal it, it would be useless after 30 seconds.

The whole idea of multi-factor authentication is that you need both something you know (your password) and something you have (your phone) in order to access your account. Some security systems even add another factor, such as a fingerprint or iris scan, in order to access an account or area. You can find out which services you use have two-factor authentication here.

Step 3: Using a password manager

1Password is one of the most popular password managers, especially for Mac and iOS devices

Earlier I said that one of the best ways to secure your email was with a strong password. The best passwords are those that are long, random, and include a variety of letters, numbers, and symbols. Equally important is using a different password for each service. Many people use the same password across all of their logins. This means that once someone gets that password, they can basically access your entire life online. A password manager facilitates both of these goals by generating strong passwords, and then storing them securely so you never have to remember what they are.

Password managers are very good at generating random passwords for you to use. Most of them have built-in generators that allow you to customize parameters such as length and what types of symbols you want to use. I would recommend creating the longest password possible for the most security.

Note that for some reason, certain services implement a maximum length for passwords. For these services, you will have to limit the length to what the service allows.

The second part, and perhaps the more useful part, of a password manager is that it stores all of them. As a user, all you have to do is remember one master password that allows you to access the password manager. The password manager stores all of your login information in an encrypted database that unlocks with your master password. Both 1Password and LastPass have browser extensions that will enter your information when you come across a login page for a given service. Since you basically never have to type in your passwords manually, you can make them longer and more secure. The only password you ever have to remember and type out is the one that unlocks your password manager vault. And even on devices such as your iPhone, you can set it to unlock with your fingerprint, so you never have to type in any passwords.
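As an added example (not code from 1Password, LastPass or the original post), this is the kind of generator a password manager runs under the hood: a cryptographically secure random source, selectable character classes, a guarantee that every requested class is present, and the per-service maximum-length cap mentioned above. The symbol set and the policy names are assumptions chosen for the example.

```python
import math
import secrets
import string

# Character classes a generator lets the user toggle (symbol set is an assumption).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
ALL_CLASSES = ("lower", "upper", "digit", "symbol")


def generate_password(length: int = 32, classes=ALL_CLASSES, max_length=None) -> str:
    """Generate a random password using the OS CSPRNG (secrets), not random().

    `max_length` models a service that caps password length: the requested
    length is clamped to it. Rejection sampling keeps the result uniform over
    the set of passwords that contain every requested class.
    """
    if max_length is not None:
        length = min(length, max_length)
    if length < len(classes):
        raise ValueError("length too short to include every requested class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, classes):
            return candidate


def meets_policy(password: str, classes=ALL_CLASSES, max_length=None) -> bool:
    """True if the password contains at least one character from each class
    and fits within max_length (when a service imposes one)."""
    if max_length is not None and len(password) > max_length:
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def search_space_bits(length: int, classes=ALL_CLASSES) -> float:
    """Bits of entropy for a uniformly random password of this length and
    alphabet: length * log2(alphabet size). Shows why length matters more
    than any single extra symbol class."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(32)
    print(pw, round(search_space_bits(32), 1), "bits")
    # A service that caps passwords at 16 characters forces a shorter result.
    capped = generate_password(32, max_length=16)
    print(capped, round(search_space_bits(len(capped)), 1), "bits")
```

Note that `search_space_bits` only applies to passwords that really are uniformly random; a human-chosen password of the same length has far less entropy, which is the whole argument for letting the manager generate them.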

LastPass's Browser Extension

Conclusion

So much of your data is stored online that it’s dangerous not to protect it to the best of your ability. For most people, there is a tradeoff between security and convenience. It’s so much more convenient to have the same password across multiple services. This is easy to remember, plus it’s easier to type in, since these passwords are normally short and something relatable, such as a pet name or some combination of initials and a birthday. But these same elements that make it easy for you to log in also make it easy for hackers to gain access. If your password is something easy to guess, then they don’t even have to brute-force their way in.

The steps outlined in this post will help you to maximize your online security, while still holding onto the convenience that we desire as end users. A strong email password is the root of your security strategy, as this helps to prevent hackers from gaining access to all your accounts when they compromise one. Two factor authentication means that even if someone gains your password, they still won’t be able to enter your account unless they get your phone. Finally, a password manager will allow you to have strong passwords while having the convenience of a single password.

Categories
Operating System Security Virus/Malware

Free is Never Free: Protect Yourself and Ensure You Never Pay

The virtual marketplace is one unlike any other in the world. Never before has there been such vast and widespread access to the goods and services found online. Before, answering questions meant buying books. Listening to music meant purchasing albums. Contacting friends and family meant paying for paper and postage, or putting coins in a payphone. You get the point. Limitless abilities and possibilities are immediately accessible by anyone with an internet connection, and most of the time, it’s free. Or is it?

Currency 2.0

This vast access to free services on the internet is one many of our age take for granted. But what is not immediately obvious is that free is rarely free; information is the new currency. Companies big and small, righteous or malicious, will pay big bucks for user data. Has a free game or app ever asked you to sign in using your Facebook account? When you agree to this, you are providing the company with information about your age, likes, friends, etc., so that they can serve targeted ads and track usage and spending habits. What’s nice is that large companies will ask for permission to trade this information for your use of their service. But what about when they don’t?

Malware, Spyware, PUP, Oh My: How Your Own Computer Can Be Used Against You.

Let’s conduct an experiment. We are the typical internet user, and we are interested in streaming tonight’s hockey game. So we google it: Free live Hockey Stream. We click the first link we find!

(Screenshots of the stream site and its “LIVE HD STREAM” install prompt)

We can stream totally for free if we just install what the huge LIVE HD STREAM button takes us to! Or not. Let’s read the permissions we are about to give software we’ve never used before:

  • Read and change all your data on the websites you visit.
  • Change your search settings to sports.searchalgo.com
  • Change your privacy related settings.
  • Stream your favorite team’s game for free!

What will this extension do? Redirect your searches through their own advert riddled search engine, create their own advertisements on the sites you try to visit, and finally, collect and sell your usage data, and for free at that.

Using Protection and Getting Checked: Mom Would Be Proud

So free isn’t always free, and not everywhere on the internet is friendly. How do we navigate this treacherous virtual world safely? Common sense, careful reading, and curated content.

Common Sense:

  • Never install something if you did not set out to install it. For example, while trying to install a free music player to replace iTunes, I found this:
    (Screenshot of the installer prompt)
    “Add and Start Download” could seem right, but that is not the installer for the audio player. That is the installer for another malicious Chrome extension.
  • Do not provide personal information to an unknown source. A company will never contact you first. Microsoft will never tell you they’ve detected a virus, but malicious scammers will tell you that they are Microsoft, and make off with credit card numbers, email addresses, and more. Can you believe people would just go on the internet and lie?!

Careful Reading:

  • Always read the permissions requested when installing, and disable unwanted or unneeded ones. Installing an application on any platform, phone or desktop, will request your permission when making a change to your system, when downloading unknown software, or when collecting information about your friends, your location, or your personal data. Many times, these functions can be disabled or these permissions denied.
  • Always be sure the installer is installing what you expect. Many times, an installer for a free program is packaged with unwanted or malicious software. Always read what you are agreeing to before clicking “Agree,” “Next,” or “Finish” when installing.
  • Check out reviews and guides. On the internet you are never alone, and as creepy as that may sound, there is safety in numbers. “Is MacKeeper a virus?” or “Is (new website) safe?” are great searches to see if people have been able to use services successfully.

Curated Content

  • Find trusted routes to free services. There are many non-malicious free services and programs out there, and there are many places where people have done the work to ensure that they are safe. http://www.umass.edu/it/software has a list of programs that can be obtained for free or at a discount. Another powerful tool is https://ninite.com/, an all-in-one, free-to-use installer for a wide variety of programs. Pick and choose what you need.
  • Use a content blocker, check your security settings, and use anti-virus software. Be sure pop-ups are disabled, get an ad-blocker (but whitelist the sites you want to help fund, like your favorite YouTube channel), and get Malwarebytes or McAfee from the UMass IT software page above.

Categories
Hardware Security

Disproving Einstein: the Phenomenon of Quantum Entanglement and Implications of Quantum Computing

Albert Einstein famously disparaged quantum entanglement as “spooky action at a distance,” because the idea that two particles separated by light-years could become “entangled” and instantaneously affect one another ran counter to classical physics and intuitive reasoning. All fundamental particles have a property called spin, an angular momentum with an orientation in space. When measuring spin, either the measurement direction is aligned with the spin of the particle (classified as spin up) or the measurement is opposite the spin of the particle (classified as spin down). If the particle’s spin is vertical but we measure it horizontally, the result is a 50/50 chance of being measured spin up or spin down. Likewise, different angles produce different probabilities of obtaining spin up or spin down. The total angular momentum of the universe must stay constant, and therefore entangled particles must have opposite spins when measured in the same direction. Einstein’s theory of relativity was centered around the idea that nothing can move faster than the speed of light, but somehow these particles appeared to be communicating instantaneously to ensure opposite spin. He surmised that all particles were created with a definite spin regardless of the direction they were measured in, but this theory proved to be wrong. Quantum entanglement is not science fiction; it is a real phenomenon which will fundamentally shape the future of teleportation and computing.

Categories
Security Web

The Web’s Move to SSL

These days, there is a lot of talk about cyber security, secure web browsing and tips to keep your information safe. One of the best ways to do this is to stick to websites that use an encrypted connection. Browsing completely securely can only truly be accomplished through websites using something called SSL, or Secure Sockets Layer. This allows an encrypted connection to be established between the web browser that you’re using and the website you’re accessing. This kind of connection is usually indicated by a green lock and HTTPS in the URL bar of your web browser.

(Screenshot: a green lock and HTTPS in the browser’s URL bar)

A note about URLs starting in https: a green https is good; a red https, usually preceded by a warning that the certificate shouldn’t be trusted, is questionable at best. The way that SSL ensures a secure connection is through a certificate, presented to your browser, that is signed by a trusted entity such as VeriSign. When this occurs, you’ll access the page and the lock and HTTPS will be green as shown above. However, anyone can create certificates, and if they aren’t signed by a trusted entity, your browser will warn you.

This doesn’t mean that your connection isn’t encrypted, it still is and no one will be able to see your information in between your computer and the website’s server. What it does mean, is that the person or company who owns the website isn’t necessarily to be trusted.

In April, about 1/3 of all web traffic was encrypted, in large part due to Google, Facebook and Twitter. With Netflix planning to make the switch to HTTPS, some research indicates that this could jump to as much as 2/3 of all web traffic by the end of the year. On the subject of Facebook and Twitter, though, is yet another type of encryption that further secures your data: end-to-end encryption.

This mostly relates to private messaging between you and someone else. Examples include email, Facebook or Twitter messages or even text messages. End-to-end encryption allows all your data to be encrypted not between you and the website you’re using, but between you and the person you’re messaging. This ensures that Facebook or Twitter or Google, etc. can’t see your private messages. While this advanced privacy tool isn’t yet available for most services, there are browser extensions and add-ons that can provide this for you. As far as texting and even phone calls go there are a number of apps available for both iOS and Android that are designed to provide private communication.

So while truly secure internet access isn’t inherently provided with an internet connection, it is relatively easy to secure your web activity by making sure that your data is encrypted. This could be through secure sites, browser add-ons, or mobile applications, but whichever method(s) you use can go a long way in ensuring your data stays private.

Categories
Operating System Security Virus/Malware Windows

How to get rid of Superfish

Superfish

As you may be aware, it was recently revealed that many Lenovo computers shipped between October 2014 and December 2014 were pre-loaded with a piece of AdWare called “Superfish.” In addition to being annoying, Superfish introduces a serious security hole in the way your computer uses HTTPS on the internet. It has gotten bad enough that the Department of Homeland Security had to advise people to remove the software. Lenovo has since gone into full damage-control mode and is no longer shipping computers with Superfish pre-installed. The following is everything you need to know about this piece of AdWare.

What is Superfish?

Superfish is your typical piece of AdWare. It runs in the background on your computer, and when you go to a webpage Superfish injects pop-up ads into the page you’re looking at. It does this on all pages, regardless of whether they use HTTPS.

Why is it bad?

First of all, no one likes ads. If you happen to be someone who does enjoy pop-up ads, you may want to remove Superfish anyway, and here’s why: in order to make sure that it can show you ads even on encrypted, secure webpages, Superfish has to break your computer’s encryption. It does this by installing its own “root certificate.” The way that HTTPS works is that each website needs a certificate to verify its identity. If you’re interested, Wikipedia explains the details behind HTTPS and certificates fairly well. These certificates must be signed by a trusted authority such as VeriSign or InCommon. Because Superfish installs its own certificate on your computer, it can pretend to be one of these trusted authorities and thus it can pretend to be any website it wants. This is what is called a “man-in-the-middle attack.”

In addition to being annoying and malicious, this was also poorly done. Superfish installed all of its root certificates using the same password, which this man figured out in 3 hours. That means that if your computer has Superfish installed, you could be vulnerable to a phishing attack or anything similar, since anyone can take Superfish’s certificate and pretend to be a website they aren’t.

How do I fix this?

First of all, let’s find out whether you have Superfish or not. A nice, white-hat citizen of the internet built this website to help you figure it out. If you do have Superfish installed, Lenovo was nice enough to put out a handy uninstall guide, along with a nice automatic tool. The steps are written for Windows 8, but they should be similar if you are on Windows 7. Here’s the synopsis:

1. First, open up Control Panel and go to “Uninstall a program.” Then find Superfish in the list, select it and hit “Uninstall.”
2. Go to the Windows search function and look for “Manage Computer Certificates.” Go into Trusted Root Certification Authorities, and delete the Superfish cert.
3. Finally, Firefox and Thunderbird also need to have the certificate removed manually, since they keep their own certificate stores. See the Lenovo article for instructions on how to do this.

You’re done! Remember to keep all your software up to date, and always feel free to come to UMass IT for help with security or anything else you might need.

Categories
Security

Passwords, Security, and Beyond: Keeping a Password Secure

Last time, we went over the best ways to create secure passwords, so now we’ll finish up with keeping those shiny new passwords secure. By keeping them secure, we mean that it will be difficult for anyone else to gain access to them, while you, the user, can easily access them. But before we get down to the details, it’s best to first realize that there will never be a 100% foolproof way to keep all of your passwords secure forever; there are no guarantees in digital security. So there’s really no point in going to extremes and keeping all of your passwords in a super-secret vault in your basement with the only key buried in the backyard in an unmarked location. But rest assured, with a few relatively simple steps (and some healthy paranoia) you can significantly reduce the risk of your passwords losing their security.

Categories
Operating System Security

Passwords, Security, and Beyond: Creating a Password

Passwords are nothing new. They provide a secure way to access information that only one person should have access to. Under normal circumstances, this shouldn’t be a problem, but when the human conditions of greed and evil are taken into consideration, passwords suddenly become a big deal: they are a bunch of characters that provide access to your entire life. But a lot of passwords aren’t taken seriously, like those that are only used on one account, or that are protecting things that aren’t really worth anything. These passwords are usually easy to guess and are not stored properly. This is exactly what you want to avoid. So in this two-part blog, I’ll go over two of the most essential things to know about passwords: how to make a secure password that you will remember, and how to keep it that way.

Categories
Virus/Malware

Savings Bull, the malware that keeps trying to save you money, but just goes a little too far!

Pop-ups, advertisements, new home screens, and more come for free when you pick up a browser-targeted virus. If you are experiencing any of these, or any other issues that are browser related, this article is for you! There are multiple viruses that will make changes to your browser’s settings for advertising purposes, so that every time you want to surf the web, you have to surf through numerous popups and ads. These are a little different from your normal computer malware or adware because, after infecting your computer, they make permanent changes to your browser that need to be manually changed back. They can find their way in and make their home in your browser’s Add-ons or Plugins/Extensions. This means that when you run your normal virus scans, they might be overlooked. To remove these, you must do it manually. An example of this type of virus is Savings Bull…

Categories
Android Apps iOS Operating System Security Virus/Malware

Mobile Malware

Modern smartphones are becoming more and more like portable computers, which has advantages and disadvantages. The advantage is obvious; having the functionality of a computer at your fingertips. The disadvantage is less obvious; there are some security compromises involved.

Categories
Operating System Security Virus/Malware Windows

Help! I think I have a Virus (Windows)

First, it’s important to verify that your computer is infected. The general sign of malicious software is that your computer stopped working as expected. The obvious problem with this is that there are a whole lot of reasons your computer can stop working correctly that are not caused by viruses. For example, software updates can often cause unexpected side effects, hardware can stop working, and users can change settings without truly understanding the effect of the change they made. The most general way to determine that you actually have malware is to ask yourself whether somebody could be making money off of what is happening to your computer. The fact is that almost every piece of malicious software in existence was created with the intent of making money. That being said, here are some common signs that your computer may be infected:

Categories
Security Virus/Malware

Avoid Adware to Keep Browsers Running Like New

As a Help Center Consultant, I have seen countless computers come into our office with persistent advertisements, unintentional redirects, and other annoyances within web browsers. In addition to being an annoyance, the software that is generating these ads can also be harmful to your computer, and is often prohibitive when attempting to access websites. These symptoms are caused by software known as “adware”.

This is a browser infected with adware, notice the toolbars and homepage ads.
Categories
Security

Cyber Security: Sound Computer, Sound Mind

Our computers hold a lot of information about our lives. With this being the case cyber security has become a topic of growing interest; however, many people at the consumer level only have a basic understanding of what cyber security is, and what steps they can take to help protect themselves.

Categories
Mac OSX Operating System Security Software Windows

Keychain Access and Keepass

Have you ever had that awkward moment when you forgot the password to your bank account and missed your rent payment? Maybe not, but I’m sure you’ve forgotten a password at least once in your life, which is easy to do considering the average person uses about 10 passwords a day. So how can one avoid the inconvenience of forgetting important passwords in today’s fast-paced world? Simple, Keychain Access and Keepass.

Categories
Mac OSX Security Windows

Password Security

Daylight Savings Time has just occurred and as we change our clocks we should also change our passwords. Having a strong password is important and it is good practice to change your passwords regularly. By changing your password you can make sure that your accounts are safe and secure.

Categories
Mac OSX Operating System Security

Time Machine: Automatic Backups for your Mac

What is Time Machine?

Time Machine is automatic backup software that comes with Mac OS X. It allows you to back up your entire Mac, including system files, applications, accounts, preferences, email messages, music, photos, movies, and documents, to an external drive. After the initial backup is complete, Time Machine will continue to perform hourly backups of any files that have changed since the last time it ran. When your external drive fills up, Time Machine will start to delete the oldest existing backups in order to free up space.