Pragmatic password pointers

It’s 2019 and we’re still having a problem with passwords.

The Disney+ hack shows why you need to up your password gameWired UK
Although it can still be referred to as a ‘hack’, it wasn’t Disney’s servers that were compromised – but its customers.

“What hackers do is they have a huge list of previously stolen username and password combinations and they use hacking tools to automatically check those username and password combinations against the target website,” says Andrew Martin, CEO of DynaRisk, a cybersecurity company. “They throw hundreds of millions of account details at them, and they see they see what sticks.”

Here’s some essential digital literacy advice that should be a compulsory part of every school’s curriculum. And every company’s induction programme.

The ultimate guide to passwords in 2019Fleetsmith
Putting to rest some of the most persistent falsehoods about passwords and what it takes to come up with strong passwords and practice good password security in 2019.

The main points:

  • How long should my password be? 10 characters long, minimum, but make it as long as possible. Length is the most important factor to strength.
  • Does my password need special characters to be strong? Nope.
  • Does my password need numbers to be strong? Nope.
  • What about switching numbers for letters(1337 speak)? This does nothing.
  • How often should I change my password? Only change it if you think it’s been compromised. Never force users to rotate passwords, this actually lowers security.
  • Can I use the same password on multiple sites? Absolutely not. Every service should have its own unique password so that you don’t have to change all of them when (not if) they get breached.
  • How can I remember my password? Don’t try to remember your passwords, use a password manager. If you don’t want to, write it down. If you have to make a long, memorable password, use the diceware method. But never reuse a password.
  • What about two-factor authentication? Always turn on 2FA if it’s an option. Use the strongest 2FA method you can. A text message is weaker than an authenticator app is weaker than hardware-based authentication. Never give a service your phone number if you can help it.
  • What about password recovery questions? Don’t give honest answers to these. For maximum security, generate a secondary random password for each question and store it in your password manager.

Via Khoi Vinh, who goes on to examine the poor user experience of passwords across platforms and products that almost encourages carelessness.

Passwords are a design problemSubtraction.com
Create six different accounts at six different web sites and you’ll very likely encounter six different approaches to encouraging and enforcing password strength and security, some egregiously lax and others excessively restrictive. That inconsistency alone undermines much of the vigilance that otherwise responsible users might bring to password creation.

xkcd hackd

I’ve been a fan of the web comic xkcd for a while, so it was sad to read of their recent security troubles.

Hackers breach forum of popular webcomic ‘XKCD’
“The xkcd forums are currently offline. We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashed passwords, and in some cases an IP address from the time of registration,” the forum administrators wrote.

It does give us the opportunity to share one of their comic strips again, though.

xkcd-hackd

Security advice

See also: password strengthsecurity question, morning news, right click, and of course the big hitters Earth temperature timeline and time.

Not even banks are safe

How many more of these stories will we read? Is someone keeping a list?

PIN the blame on us, says Monzo in mondo security blunder: Bank card codes stored in log files as plain text
Trendy online-only Brit bank Monzo is telling hundreds of thousands of its customers to pick a new PIN – after it discovered it was storing their codes effectively as plain-text in log files. As a result, 480,000 folks, a fifth of the bank’s customers, now have to go to a cash machine, and reset their PINs.

Major breach found in biometrics system used by banks, UK police and defence firms
The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, was discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.

Don’t leave your computer unattended

Or this might happen.

Update faker
Update Faker allows you to “fake a system update”, it’s the perfect way to prank your friends, family members or colleagues. Especially when they’re working on something rather important.

Yes, it’s just a silly prank (reminds me a little of Hacker Typer), but you could see it as an important security/GDPR lesson.

Ever since the launch of updatefaker.com we’ve been flooded with positive feedback both online and in real life. And everyone who’s ever fallen victim to update faker will never leave their PC unattended again, which certainly is a good thing. You never know what bad things people are up to. This website is literally one of the least bad things that can happen to an unattended PC.

Buyer beware

A team of US academics have published research, Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites, which they believe shows the massive prevalence of sneaky user interface tricks designed to catch us out.

The seven deadly sins of the 2010s: No, not pride, sloth, etc. The seven UI ‘dark patterns’ that trick you into buying stuff
Dark patterns – user interfaces designed to deviously manipulate people into doing things – have become common enough on websites and in apps that almost two dozen providers have sprung up to supply behavior persuasion as a service.

And in some cases, these firms openly advertise deceptive marketing techniques, describing ways to generate fake product orders and social messages celebrating those fake orders.

These are their proposed categories of user-interface tricks.

Sneaking
Attempting to misrepresent user actions, or delay information that if made available to users, they would likely object to.

Urgency
Imposing a deadline on a sale or deal, thereby accelerating user decision-making and purchases.

Misdirection
Using visuals, language, or emotion to steer users toward or away from making a particular choice.

Social proof
Influencing users’ behavior by describing the experiences and behavior of other users.

Scarcity
Signalling that a product is likely to become unavailable, thereby increasing its desirability to users.

Obstruction
Making it easy for the user to get into one situation but hard to get out of it.

Forced Action
Forcing the user to do something tangential in order to complete their task.

‘Urgency’ and ‘scarcity’ sound like pretty standard advertising methods that we should be very used to by now, but some of those others are very dubious. Here are some screenshots from the research paper.

buyer-beware-1

Fig. 3. Three types of the Sneaking category of dark patterns.

buyer-beware-2

Fig. 5. Four types of the Misdirection category of dark patterns.

What can be done? Here’s one idea they discuss in the paper which I like the sound of.

buyer-beware-3

Fig. 10. Mockup of a possible browser extension that can be developed using our data set. The extension flags instances of dark patterns with a red warning icon. By hovering over the icon, the user can learn more about the specific pattern.

Another data protection failure

Hot on the heels of Facebook’s latest password problem, TechCrunch has news of another online service with a very shoddy approach to data protection – i.e. there wasn’t any.

The app, Family Locator, allows families to track each other’s movements, similar to the location sharing option in Google Maps. But it seems the backend database for their nearly a quarter of a million users wasn’t protected at all.

A family tracking app was leaking real-time location data
Based on a review of the database, each account record contained a user’s name, email address, profile photo and their plaintext passwords. Each account also kept a record of their own and other family members’ real-time locations precise to just a few feet. Any user who had a geofence set up also had those coordinates stored in the database, along with what the user called them — such as “home” or “work.”

They tried to get in touch with the developer, React Apps, but to no avail.

The company’s website had no contact information — nor did its bare-bones privacy policy. The website had a privacy-enabled hidden WHOIS record, masking the owner’s email address. We even bought the company’s business records from the Australian Securities & Investments Commission, only to learn the company owner’s name — Sandip Mann Singh — but no contact information. We sent several messages through the company’s feedback form, but received no acknowledgement.

On Friday, we asked Microsoft, which hosted the database on its Azure cloud, to contact the developer. Hours later, the database was finally pulled offline.

Oh Facebook, what have you done now?

The Register nails it, once again.

Let’s spin Facebook’s Wheel of Misfortune! Clack-clack-clack… clack… You’ve won ‘100s of millions of passwords stored in plaintext’
Facebook today admitted it stored “some” of its addicts’ account passwords in a plaintext readable format. For “some”, read hundreds of millions.

The antisocial network quietly made the mea culpa in a statement that followed its breathless announcement of the Oculus Rift S Virtual Reality headset. The password snafu confession was, as far as we can tell, forthcoming from the Silicon Valley giant only after investigative journalist Brian Krebs blew the lid off the blunder.

Other news sources are happy to pile in, of course.

Why Facebook waited 3 months to disclose its latest privacy screw-up
We reached out to Facebook in an attempt to answer this question, but unsurprisingly received no response as of press time. Troy Hunt, a security researcher perhaps best known for running the breach disclosure site HaveIBeenPwned, was significantly more willing to chat.

“I suspect Facebook decided not to initially disclose the issue as they had no evidence of the data being used maliciously,” he wrote over Twitter direct message. “I can understand that position insofar as whilst the storage was clearly improper, without a compromise of the stored data the impact on customers would have been zero.”

This, of course, assumes that the passwords weren’t improperly accessed. Facebook claims as much in its blog post, but that requires you to trust Facebook. Which, well, you’d be forgiven for not jumping at the opportunity.

They’re all talking about whether these plaintext passwords were accessed by Facebook staff, whether anything malicious happened, but I think they’re missing a question — how did this happen?

Facebook’s own statement:

Keeping passwords secure

Or rather, not keeping them secure.

As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable.

Obviously not designed well enough, because that didn’t happen this time.

In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them.

No it doesn’t.

In security terms, we “hash” and “salt” the passwords, including using a function called “scrypt” as well as a cryptographic key that lets us irreversibly replace your actual password with a random set of characters. With this technique, we can validate that a person is logging in with the correct password without actually having to store the password in plain text.

Yes yes yes, that’s all well and good, but that didn’t happen this time, because— ? Who knows, perhaps they’ll tell us the next time this happens?

IT in the dock

Things aren’t going well in the courts at the moment.

HMCTS suffers major IT issues
Significant IT issues at the HM Courts and Tribunal Service (HMCTS) have caused chaos across the UK’s courts as users have been unable to connect to the network and use IT systems that require access to it.

The issues began last week and are mainly affecting devices trying to connect to the main Ministry of Justice (MoJ) network, which is used by the department as well as all its agencies and several arm’s-length bodies.

Law courts in chaos as IT meltdown disrupts thousands of cases
The communication failures, which started last week, are a significant embarrassment for the Ministry of Justice, which is investing £1.2bn in a high-profile programme promoting online hearings which aims to replace the legal profession’s traditional reliance on mountains of paperwork.

The IT breakdown meant that staff at the MoJ were unable to send emails, wireless connections went down, jurors could not be enrolled and barristers could not register for attendance payments. Courts were left unsure of when some defendants were due to appear and some court files could not be retrieved, leading to prosecutions being adjourned.

The Register had reported on this a few days before, when the problem seemed to be restricted to just their CJSM (Criminal Justice Secure eMail) system.

Lawyers’ secure email network goes down, firm says it’ll take 2 weeks to restore
For reasons that were not immediately clear, Egress Technologies, provider of CJSM, said in an emailed update to users seen by The Register that restoring CJSM would involve wiping their mailboxes for up to two weeks.

It’s now more serious than that.

Nationwide UK court IT failure farce ‘not the result of a cyber attack’ – Justice Ministry
The Ministry of Justice has said a data centre outage was responsible for the widespread collapse of the UK’s civil and criminal court IT infrastructure over the past days.

In a statement to Parliament today, justice minister Lucy Frazer pinned the fault on Atos and Microsoft, saying there had been an “infrastructure failure in our suppliers’ data centre”.

Here’s a report from 2016, highlighting the issues the department was facing…

Ministry of Justice IT systems are ‘fragile and precarious’, say MPs
The Ministry of Justice (MoJ) must get to grips with its poor IT systems or risk “further demoralising essential staff”, the Public Accounts Committee (PAC) has warned. […]

“ICT systems in probation are inefficient, unreliable and hard to use,” the PAC said. “In a service that relies on successful joint working between multiple partners, it is essential that ICT supports, rather than frustrates, effective and efficient collaboration. This is far from the case for probation.”

… which led to the £1,000,000,000 plan to “transform courts with better use of technology”.

UK justice system set for ‘wholesale shift’ to digital
The reform programme foresees “a wholesale shift to accessing justice digitally” and flags up two “significant developments” that will affect the way courts and tribunals operate: “The first is our aim for all cases to be started online, whether or not they are scheduled for the traditional system or for online resolution. The second will be the completion of some cases entirely online, which will be much more convenient for everyone involved.”

How was that received? With not much confidence, it seems.

PAC doubts justice system transformation programme will be a success
Public Accounts Committee says it’s difficult to see how the government’s “extremely challenging” £1.2bn project to overhaul courts through use of technology “will ever work”.

I don’t know if that’s related to today’s IT breakdowns there, but it makes you wonder.

Stolen millions

More announcements of company data (our data) being stolen. The numbers involved each time are just incredible.

Hackers breach Quora.com and steal password data for 100 million users
Compromised information includes cryptographically protected passwords, full names, email addresses, data imported from linked networks, and a variety of non-public content and actions, including direct messages, answer requests and downvotes. […] In a post published late Monday afternoon, Quora officials said they discovered the unauthorized access on Friday. They have since hired a digital forensics and security firm to investigate and have also reported the breach to law enforcement officials.

Whenever these stories are reported, the articles often end with a little summary of other recent snafus. The one above ended with:

Quora’s post is only the latest disclosure of a major breach. On Friday, hotel chain Marriott International said a system breach allowed hackers to steal passport numbers, credit card data, and other details for 500 million customers. In September, Facebook reported an attack on its network allowed hackers to steal personal details for as many as 50 million users. The social network later lowered the number of accounts affected to about 30 million.

A post from The Register, about that massive Marriott breach, concluded with this reminder of previous losses.

Marriott’s Starwood hotels mega-hack: Half a BILLION guests’ deets exposed over 4 years
Few hacks of individual firm’s customer data have come close to the scale of this one. The Yahoo! breach in 2013 saw three billion email accounts breached, while Carphone Dixons, the UK electronics retail chain, managed to lose control of 5.9 million sets of payment card data. In the US, the US Government Office for Personnel Management (which handles sensitive files on millions of government workers) had the personal data of 21 million employees’ breached by hackers.

Remember the hacking cough?

More hacking schadenfreude, but with an added GDPR element this time.

First, the hapless Tories.

Major security flaw in Tory conference app reveals users’ data
Commentators said the flaw raised questions over the ability of the government to harness technology to solve issues around the Irish border and customs checks. The app may also have breached data laws. Its privacy policy states that it “complies with … the European Union’s general data protection regulation (GDPR)”.

Boris Johnson’s profile immediately vandalised with hardcore pornography in Tory conference app security blunder
The highly serious blunder allowed anyone to access details of hundreds of MPs including Foreign Secretary Jeremy Hunt and Defence Secretary Gavin Williamson – who have police protection and warn regularly of the hacking threat from Russia. But it also gave pranksters an opportunity to have fun with the profiles of prominent Conservatives.

And then Facebook. Again.

Facebook says at least 50 million users affected by security breach
Facebook said the FBI is now investigating. Because users in Europe are also affected, the company said it has informed data protection authorities in Ireland — where the company’s European headquarters are located. The Irish Data Protection Commission has asked Facebook to clarify the breach “urgently.” If Facebook is found to have breached European data protection rules — the newly implemented General Data Protection Regulation (GDPR) — the company can face fines of up to four percent of its global revenue.

Facebook hack: Here’s what you need to do to secure your account
Critically, for European users, Facebook has been in touch with the Data Protection Commissioner in Ireland – where it is registered – to inform it of the breach. This will be the first data protection incident from one of the major tech companies since the enforcement of Europe’s General Data Protection Regulation (GDPR) in May. GDPR gives regulators the power to issue huge fines but this is yet to be tested. In a statement the Irish Data Protection Commission said Facebook hasn’t given it many details yet. It is “concerned” that despite Facebook discovering the breach on Tuesday, it hasn’t been able to “clarify the nature of the breach and the risk for users at this point”.

Fake degrees still big business

The scale of this still astounds me. All the work that goes into administering and assuring our degrees – let alone the work the students themselves undertake – is put in jeopardy if these fraudulent qualifications are not challenged.

Fake degrees, real news
But as this recent File on Four investigation by the BBC demonstrated, this Diploma Mill business is still booming and, according to the report, over 3,000 fake qualifications have been sold to individuals (and in one case a company) in the UK out of a worldwide total of 215,000 which netted a profit in excess of £37m in 2015. It seems that the investigation in Pakistan has ground to a halt “amid claims of government corruption” and sales are continuing, but now with a new twist: extortion.

Belltown University? Queens Bay University? Just two from a very long list indeed.

Your favourite passwords

As well as the obvious “12345678”, “password” and “qwerty” (I can’t believe people really use those?), it seems people’s names beginning with J are especially common.

Top 500 most common passwords visualized
Most common passwords. Is yours here? Also, after some deep analysis, we’ve discovered that passwords fit into 11 categories. See what they are.

If any of your passwords feature on that chart, please read this and change them. Right now.

The usability of passwords
Using more than one simple word as your password increases you security substantially (from 3 minutes to 2 months). But, by simply using 3 words instead of two, you suddenly got an extremely secure password. It is 10 times more secure to use “this is fun” as your password, than “J4fS<2”.

High tech in high office

For gadget geek in the Oval Office, high tech has its limits
Mr. Obama is the first true gadget geek to occupy the Oval Office, and yet his eagerness to take part in the personal technology revolution is hampered by the secrecy and security challenges that are daily requirements of his job. What counts as must-have features for many people — high-definition cameras, powerful microphones, cloud-connected wireless radios and precise GPS location transmitters — are potential threats when the leader of the free world wants to carry them around.

A little different from Bill’s time, though I guess Mr Obama doesn’t have these problems any more.