I’ve officially launched a weekly newsletter called Carey’s Weekly Security Tips. Every week, I’ll send out a short blurb on something you can do to improve your cybersecurity and/or protect your online privacy. By signing up, you will also receive a free copy of my booklet Carey’s Top Five Security Tips.
I will probably be posting fewer blog entries, putting most of the quick small stuff into the weekly newsletter. I’ll save blog posts for longer topics. So sign up now to make sure you don’t miss anything!
Teaser: I will be interviewing someone from LastPass (the company that makes my recommended password manager) in the coming weeks! Stay tuned!
The second edition of Firewalls Don’t Stop Dragons is now available on Amazon.com! I’ve updated the book for Windows 10 and Mac OS X El Capitan, expanded the coverage on mobile security and child safety, and updated much of the other content. It’s now over 30% longer than the first edition!
Thanks to support from my KickStarter backers, I’ve completely updated the cover art and will be launching a marketing campaign in the coming weeks – thanks so much to everyone that contributed!
I’ve been waiting to comment on this because more information seems to be coming out every day. Also, there has been so much written about this already that I wasn’t sure what I would have to add. But I’m not being hyperbolic when I say that this is a pivotal moment in our democracy, so I couldn’t just ignore it. One thing I haven’t seen is a good summary of what’s really going on here, so let’s start with that.
Just the Facts: What’s Really Going On Here?
First, let’s establish what’s really going on here, because it’s been very muddy. The FBI recovered an iPhone 5c that was used by one of the shooters in the San Bernardino attacks last year. This phone was issued to the shooter by his employer, and therefore was not his private cell phone – meaning that the data on that phone was technically not private. Nevertheless, that data was encrypted by default because that’s how Apple sets up every modern iPhone. The FBI believes there may be information on that iPhone that could help them perhaps find other co-conspirators or maybe uncover clues to some future plot.
This phone was backed up using Apple’s iCloud service, and it’s worth noting that Apple was willing and able to provide the FBI with the backed up data. However, for some reason, the backups to iCloud stopped about 6 weeks before the shooting – so the FBI wants to get to the data on the device itself to see what’s missing. Due to some sort of screw-up, the FBI instructed the local law enforcement to change the user’s iCloud password, which prevented it from doing another backup. If they had taken the device to a Wi-Fi network known to that device, the device might have backed up on its own, and then the FBI would have had the 6 weeks’ worth of data that was missing. But because the password was changed, we’ll never know.
The FBI is not asking Apple to break the encryption on the phone. That’s actually not possible. Encryption works. When done right, it can’t be broken. However, if you can unlock the device, then you can get to all the data on it. Unlocking the device means entering a PIN or password on the home screen – it could be as simple as a 4-digit number, meaning there are only 10,000 possible codes. With a computer-assisted “guesser”, it would be trivial to go through all the 10,000 options till you found the right one to unlock the phone.
To combat this “brute force” attack, Apple added some roadblocks. First, it restricted how often you could try a new number – taking progressively longer between guesses, from minutes up to a full hour. That would make guessing even 10,000 options take a very long time. Second, Apple gave the user the option to completely erase the device if someone entered an incorrect password ten times in a row. This feature is not enabled by default, but it easy to turn on (and I highly recommend that everyone do this).
The FBI is basically asking Apple to create a new, custom version of it’s iPhone operating system (iOS) that disables these two features and allows a connected computer to input its guesses electronically (so that a human wouldn’t have to try them all by hand). This would allow the FBI to quickly and automatically guess all possible PIN codes until the phone was unlocked. It’s not breaking the encryption, it’s allowing the FBI to “brute force” the password/PIN guessing. It’s not cracking the safe, it’s allowing a robot to quickly try every possible safe combination till it opens.
That’s just a thumbnail sketch, but I felt it was necessary background. This article from the EFF goes into a lot more depth and answers some excellent questions. If you’d like to know more, I encourage you to read it.
Why Is This Case So Important?
Both the FBI and Apple are putting heavy spin on this issue. The FBI has always disliked Apple’s stance on customer privacy (encrypting iPhone data by default) and picked this terrorism case to invoke maximum public sympathy. Apple is using this opportunity to extol its commitment to protecting its customers’ private data, particularly as compared to Android (which does not encrypt data by default). Despite what the FBI claims, this is not about a single iPhone and a single case; despite what Apple claims, creating this software is not really comparable to creating “software cancer”. We have to try to set all of that aside and look at the bigger picture. This is not a black and white situation – these situations rarely are. However, the implications are enormous and the precedent set here will have far-reaching effects on our society.
In this country, we have the the Fourth Amendment which prevents unreasonable search and seizure, and basically says that you need a warrant from a judge if you want to breach our right to privacy. In this case, the FBI has done its job in this regard. And it’s technically feasible for Apple to create a special, one-time version of it’s iOS that would allow the FBI to unlock this one iPhone – and this special software would not run on any other iPhone. This is due to a process called “signing”, which is another wonderful application of cryptographic techniques. So in this sense, it’s not a cancer – this special software load can’t be used on other devices. However, if Apple does this once, it can do it again, and there are already many other iPhones waiting at the FBI and in New York that will be next in line for this treatment. There is no doubt that this will set a precedent and will open the flood gates for more such requests in cases – not just from US law enforcement, but from repressive regimes around the globe. Furthermore, the very existence of such a tool, even though guarded heavily within Apple’s walls, will be a massive target for spy agencies and hackers around the globe.
So the issue is much deeper than simply satisfying a valid warrant (even without all the arcane All Writs Act stuff from the late 1700’s that the FBI claims should compel Apple – a third party – to help them satisfy this warrant.) The outcome of this case will have severe implications for privacy in general – and that’s why Apple is fighting back.
My Two Cents
I’ve read a lot of good articles on this issue, and I’ll point you to a couple of them shortly. But the bottom line is that we, as a society, need to figure out how we handle privacy in the age of digital communications and ubiquitous monitoring. Like it or not, you are surrounded by cameras and microphones, and it’s getting worse rapidly. You carry with you a single device that can simultaneously record video and audio, track your position anywhere on the planet, track many of your friends and family, record your physical movement, and store your personal health and financial data, as well as untold amounts of other personal information. That device is your smartphone. That one device probably has more information about you than any other single thing you own. Beyond that, all of our communications are now digital and can therefore be perfectly preserved forever. And in the grand scheme of things, any person or group of people that can gain surreptitious access to this information – regardless of their intentions – will have unimaginable power over us. This was not envisioned by the Founding Fathers – we’re in new territory here.
It’s long since time that we have an informed, open and frank discussion – as a nation – about how we balance the need for basic human privacy versus the need for discovery in the pursuit of safety. It’s also about targeted surveillance versus mass surveillance, and creating an open, transparent system of checks and balances to govern both. If nothing else, I hope this case leads to a more informed public and some rational, thoughtful debate that thinks about the broader issues here – not just this one, highly-emotional case.
As promised, here are some links with some excellent info and perspectives around these topics:
- It’s worth reading Apple’s planned statement to Congress on this.
- Here is EFF’s take on this case and its implications.
- This is a well-written, highly-nuanced article about the deeper issues here.
Here are some links to more general but related topics:
- A brilliant TED Talk about the need for privacy in society.
- I strongly recommend reading Data and Goliath, as well.
I’ve launched a KickStarter campaign for the second edition of Firewalls Don’t Stop Dragons! This second edition will cover Windows 10 and OS X 10.11 (El Capitan), along with a host of other updates. This KS campaign is basically pre-sales of the book, with the idea of taking the proceeds and investing them in marketing and launching the second edition. Investors will also have the opportunity to review drafts of the book and provide input on the content. Help me spread the word!!
As the saying goes, if you’re not paying for the product, then you are the product. The business model for most of the Internet revolves around advertising – which in and of itself is not a bad thing. It may be an annoying thing, but passive advertising isn’t actually harmful. Passive advertising is placing ads where people can see them. And savvy marketers will place their ads in places where their target audiences tend to spend their time. If you’re targeting middle-aged men, you might buy ad space on fantasy football or NASCAR web sites, for example. If you’re targeting tween girls, you might buy ad space on any site that might feature something about Taylor Swift or Justin Bieber. And if it stopped there, I don’t think many of us would object – or at least have solid grounds for objection. After all, this advertising is paying for the content we’re consuming. Producing the content costs money – so someone has to pay for it or the content goes away.
Unfortunately, online marketing didn’t stop there. On the web, competition for your limited attention has gotten fierce – with multiple ads on a single page, marketers need you to somehow focus on their ad over the others. And being on the Internet (and not a printed page), advertisers are able to do a lot more to grab your attention. Instead of simple pictures, ads can pop up, pop under, flash, move around, or float over the articles you’re trying to read. Worse yet, ad companies want to be able to prove to their customers that they were reaching the right people and that those people were buying their product – because this makes their ad services far more valuable, meaning they can charge more for the ads.
Enter the era of “active advertising”. It has now become very hard to avoid or ignore web page and mobile ads. Worse yet, the code that displays those ads is tracking where you go and what you buy, building up profiles on you and selling those profiles to marketers without your consent (and without most people even realizing it). Furthermore, those ads use precious data on cell phones and take a lot of extra time to download regardless of what type of device you use. And if that weren’t bad enough, ad software has become so powerful, and ad networks so ubiquitous and so commoditized, that bad guys are now using ad networks to distribute “malware” (bad software, like viruses). It’s even spawned a new term: malvertising.
Over the years, browsers have given users the tools they need to tame some of these abuses, either directly in the browser or via add-ons. It’s been a cat-and-mouse game: when users find a way to avoid one tactic, advertisers switch to a new one. The most recent tool in this toolbox is the ad-blocker. These plugins allow the user to completely block most web ads. Unfortunately, there’s really no way for ad blockers to sort out “good” advertising from “bad” advertising. AdBlock Plus (one of the most popular ad-blockers) has attempted to address this with their acceptable ads policy, but it’s still not perfect.
But many web content providers need that ad revenue to stay afloat. Last week, Wired Magazine announced that they will begin to block people that use ad-blockers on their web site. You will either need to add Wired.com to your “whitelist” (allowing them to show you ads) or pay them $1 per week. They state clearly that they need that ad revenue to provide their content, and so they need to make sure that if you’re going to consume that content that you are paying for it – either directly ($1/week) or indirectly (via ad revenue).
So… what’s the answer here? As always, it’s not black and white. Below is my personal opinion, as things stand right now.
I fully understand that web sites need revenue to pay their bills. However,the business model they have chosen is ad-supported-content, and unfortunately the ad industry has gotten over-zealous in the competition for eyeballs. In the process of seeking to make more money and differentiate their services, they’re killing the golden goose. Given the abusive and annoying advertising practices, the relentless and surreptitious tracking of our web habits, the buying and selling of our profiles without our consent, and the lax policing that allows malware into ads, I believe that the ad industry only has itself to blame here. We have every reason to mistrust them and every right to protect ourselves. Therefore, I think that people are fully justified in the use of ad-blockers.
That said, Wired (and other web sites) also have the right to refuse to let us see their content if we refuse to either view their ads or pay them money. However, I think in the end they will find that people will just stop coming to their web sites if they do this. (It’s worth noting that some sites do well with voluntary donations, like Wikipedia.) Therefore, something has to change here. Ideally, the ad industry will realize that they’ve gone too far, that they must stop tracking our online pursuits and stop trafficking in highly personal information without our consent.
The bottom line is that the ad industry has itself to blame here. They’ve alienated users and they’re going to kill the business model for most of the Internet. They must earn back our trust, and that won’t be easy. Until they do, I think it’s perfectly ethical (and frankly safer) to use ad-blocking and anti-tracking tools.
- uBlock Origin – ad-blocker
- Privacy Badger – anti-tracking plugin
- HTTPS Everywhere – forces secure connections whenever possible
- Better Privacy – another privacy plugin, slightly different from Privacy Badger
If you would like to get more involved, you might consider contributing to the Electronic Frontier Foundation.
I was approached by the continuing education group at Duke University to give a lecture on computer security and privacy, which I did last October. It was quite the hit and I will now be teaching a 6-week course for Duke on the same topic, starting mid-April of 2016! I’m very excited!
I’m planning to use my book as a text book for this class. And even though it’s only a year old, there have been many developments that I need to address (not the least of which are Windows 10 and OSX El Capitan). So I believe it’s time to finally put out an update to Firewalls Don’t Stop Dragons! I’ve already started work on this and hope to have it published in a couple months! Stay tuned…
LastPass is the password manager I recommend in my book and to anyone who asks. While there are a handful of good products like it, to me LastPass has a rock-solid security story and all the features anyone could want.
You may have heard last week about a threat to LastPass called “LostPass” on the news. Well, actually, you probably didn’t – the mainstream press doesn’t cover this stuff much. But I’m going to cover it anyway because it demonstrates one of the most troublesome security problems we have today: phishing. Unfortunately, this has nothing to do with a rod and a reel and whistling the theme to The Andy Griffith Show. Phishing is a technique used by scammers to get sensitive information from people by pretending to be someone else – usually via email or a web page (or both). Basically, they trick you into thinking you’re dealing with your bank, a popular web site (PayPal, eBay, Amazon, etc), or even the government. Sometimes they entice you with good stuff (winning a prize, free stuff, special opportunity) and sometimes scare you with bad stuff (freezing your account, reporting you to some authority, or telling you that your account has been hacked). But in all cases, they try to compel you to give up information like passwords or credit card numbers.
Unfortunately, it’s extremely easy to create exact duplicates of web pages. There’s just no real way to identify a fake by looking at it. Sometimes you can tell by looking at the web site’s address, but scammers are very good at finding plausible web site names that look very much like the real one they’re impersonating.
In the case of “LostPass”, a research demonstrated that they could act as a “man in the middle” to steal your LastPass login and password – even if you use two-factor authentication (which I strongly recommend). LastPass is a browser plugin that watches what web pages you’re on, and when it detects a login web form, it offers to automatically fill in your ID and password. This researcher was able to create a malicious web page that could log you out of LastPass and then pop up a dialog asking you to log back in – but not the real LastPass dialog! Instead, it was a fake. So you would enter your email address and password, then it would store this juicy info. It now had the keys to the kingdom! It had access to your entire LastPass vault! All your passwords, secure notes, credit cards!
To keep you from getting suspicious, it would actually then turn around and use the email and password you gave it to actually log into LastPass. This is the “man in the middle” part – to you, it pretends to be LastPass; to LastPass, it pretends to be you. If you had two-factor authentication turned on, it still did you no good. LastPass would tell the malware to prompt the user for the two-factor auth token, and the malware would turn around and ask you for that token – again, placing itself in the middle.
So, should you be worried? Should you abandon LastPass? Yes and no, in that order. Phishing is a problem for ALL browser-based plugins, including those of other password managers. Phishing is a major problem for everyone who uses email or web browsers. So in that sense, you should be worried about it. In a minute, I’ll give you some tips for protecting yourself.
This researcher picked on LastPass because he perceived it to be the top dog in password managers, not because it was the only one susceptible to this attack. He also contacted LastPass well before he released his research (as any good security researcher would do), and LastPass was able to patch their software before he even announced this problem. That is – if you’re using LastPass, you’re already safe from LostPass, as long as you’re updating your browser plugin. LastPass reacted properly to this, from what I can see, and has mitigated this particular risk (and ones like it). LastPass, in my experience, has taken all security concerns very seriously and is constantly updating its software to react to even potential risks. So I feel very comfortable continuing to recommend it.
How can you protect yourself from phishing attacks? Here are some tips:
- Never give out sensitive info in email. This includes credit card numbers, passwords, and social security numbers. Any reputable organization will never ask for this via email.
- Don’t click on links or buttons in emails. If the email is fake, they will take you to a fake or malicious web site – one that may look exactly like the real one. Instead of clicking the links provided, just go to the site “manually” – that is, type in the main web site address by hand (or Google it) and then log into your account or whatever from there.
- Don’t fall for scare tactics. It’s common for scammers to tell you that something bad will happen or has already happened, and you MUST click here NOW to fix it. For example, your PayPal account has been frozen and you need to click this link now to log in and set things straight. Instead, go to your web browser, type in “paypal.com” and log in. If there’s really a problem, you’ll see it immediately when you log in.
- Help protect others by using strong, unique passwords on your email accounts. Hackers love to get into your email account and your email address book to send emails to everyone you know. These people (presumably) trust you and will be more likely to click on bad links.
- Use LastPass and keep your browser plugin up to date. They are adding new features to help prevent phishing attacks.
Identity theft is arguably one of the worst things that can happen to a person, financially. When someone steals your identity, they can basically do anything you can do – including obtaining loans or credit cards in your name. And when the spending spree is over, you are left holding the bag. If it’s not bad enough that they’ve taken your money and left you with a huge bill, it may also have a major negative impact on your credit report. It can be very difficult and time consuming to undo all this damage.
In order to open a new loan or credit card in your name, the criminals have to pass a credit check through one of the big three credit bureaus: Experian, Trans-Union and Equifax. Therefore, if you can somehow stop the credit check from passing, you can prevent the bad guys from getting a new line of credit in your name.
The easiest way to do that is to “freeze” your credit – basically you tell the credit bureaus to put a halt on all credit checks until you tell them otherwise. This obviously only works if you yourself don’t need to have your credit checked. If you’re about to get another credit card (including store cards) or need to finance something (car, house, appliances, etc), then you’re going to need to run a credit check. Also, some other activities will trigger a credit check, such as background checks, opening a new financial account, or even signing up for a new utility (cable, for example).
Freezing your credit has absolutely no impact on your credit score. You have to do it with all three credit companies and there is a small fee involved usually (up to $10). There’s also a fee to “thaw” your credit, so you don’t want to do this often.
Basically, if you rarely if ever need to open new lines of credit, you should go ahead and put a freeze on your credit. It does no harm and can save you a ton of heartache. I recommend reading this Clark Howard article. It has all the details on how to freeze your credit with each of the three credit companies.
If you’d like more info on credit freezes, check out this Federal Trade Commission web site:
If you’d like to stop getting “pre-screened” and “pre-qualified” credit card offers in the mail (which can sometimes be stolen and used to open credit in your name), see this FTC web site. It will tell you how to opt out. It’s a bit of a pain, but well worth it.