If you’ve heard any of the members of CRT Labs talk about online security, you’re likely to have heard us urge you to use a password manager. And if you spend a normal amount of time online, you’ve also read about password manager breaches. The most recent high-profile attack hit LastPass earlier this year, and the attack helped spawn a lot of “are password managers really a good idea?” think pieces.
Let me be direct: yes, it’s a good idea to use a password manager. It’s a really, really, good idea, and using them is something I will continue to recommend to the REALTORS® with whom I speak.
The reason we recommend using them so strongly is because password managers solve the two most common reasons why accounts get compromised: weak and reused passwords.
WHAT’S A PASSWORD MANAGER?
A password manager is a piece of software that helps a user create, store, and use complex passwords. (There are hardware-based password managers, as well as some browser-based ones, but we’ll just be talking about dedicated software managers in this post.) By “complex passwords” I mean a combination of letters, numbers, and special characters; length and unpredictability can also increase the complexity of a password.
Password managers help you create these complex passwords; the software I use allows me to create passwords up to 64 characters in length, with up to 10 numbers and 10 special characters. For example:
Do I use complex passwords like this for online banking and shopping? I do. Not all are this crazy, but there’s actually no reason why they shouldn’t be. They can be as complex as the above, because password managers don’t require you to remember the passwords of individual sites and services you access online; they only ask you to remember one master password that gives you access to the rest.
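Here is an added example (my own code, not from the post and not from any particular password manager) of how a generator produces passwords under the limits quoted above: exactly the requested number of digits and special characters, letters everywhere else, every choice drawn from the operating system's CSPRNG through Python's `secrets` module. The special-character set and the 8-character floor in `is_complex` are my assumptions; the post gives no specific minimum length.

```python
import math
import secrets
import string

# The three character classes the post uses to define "complex":
# letters, numbers, and special characters. The special set is my choice.
LETTERS = string.ascii_letters
DIGITS = string.digits
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"

# Limits quoted in the post for the author's manager: up to 64 characters,
# up to 10 numbers and 10 special characters.
MAX_LENGTH, MAX_DIGITS, MAX_SPECIALS = 64, 10, 10


def generate_password(length=32, digits=4, specials=4):
    """Return a random password of exactly `length` characters containing exactly
    `digits` numerals and `specials` special characters; the rest are letters.
    Every choice comes from `secrets` (the OS CSPRNG), never from `random`."""
    if not (1 <= length <= MAX_LENGTH and 0 <= digits <= MAX_DIGITS
            and 0 <= specials <= MAX_SPECIALS):
        raise ValueError("outside the generator's limits")
    if digits + specials > length:
        raise ValueError("not enough room for the requested digits and specials")
    chars = [secrets.choice(DIGITS) for _ in range(digits)]
    chars += [secrets.choice(SPECIALS) for _ in range(specials)]
    chars += [secrets.choice(LETTERS) for _ in range(length - digits - specials)]
    # Shuffle with the CSPRNG so digits and specials are not clustered at the front.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def count_classes(password):
    """How many characters of each class a password contains."""
    return {
        "letters": sum(c in LETTERS for c in password),
        "digits": sum(c in DIGITS for c in password),
        "specials": sum(c in SPECIALS for c in password),
    }


def is_complex(password, min_length=8):
    """The post's working definition of complexity: letters, numbers and special
    characters all present, plus some length (8 is my assumed floor)."""
    counts = count_classes(password)
    return len(password) >= min_length and all(n > 0 for n in counts.values())


def entropy_bits(length, pool_size):
    """Upper bound on the entropy of a uniformly random password drawn from
    `pool_size` symbols: log2(pool_size ** length). This applies to generated
    passwords, not to memorable ones built from a phrase."""
    return length * math.log2(pool_size)


if __name__ == "__main__":
    pw = generate_password(64, digits=10, specials=10)
    print(pw, count_classes(pw), is_complex(pw))
    pool = len(LETTERS + DIGITS + SPECIALS)
    print("bits for a 64-char generated password:", round(entropy_bits(64, pool)))
```

The `entropy_bits` bound only holds for uniformly random output, which is why a 64-character generated password (about 410 bits over this 85-symbol pool) is in a different class from a memorable, phrase-derived one, and why the generated kind is what you want for every site the manager remembers for you.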
HERE’S WHERE FOLKS GET NERVOUS:
It’s at this point that most people start to get nervous, and they usually have both of the following concerns:
- Are you crazy? You’re putting all of your password eggs into one basket!
- I can’t remember a password that’s complicated enough to be my master password.
Let’s start with the all-your-eggs issue. I currently have one master password that protects 55 very complex passwords that are stored in my password manager. My master password is complex but memorable. Am I worried about someone cracking my master password and getting to my banking, investment, and shopping passwords? Not really, and here’s why:
- My master password and password vault are shared with no one. Not even the company that provides my password management software has access to them. Combining strong encryption on your vault, a strong master password, and control over where your information is stored gives you multiple layers of security against any threats.
- Most password managers encrypt your data not only in transit but also at rest.
- My password manager encourages me to create very complex passwords because it can be done for me automatically when signing up for accounts at new websites.
- I don’t even have to use the Internet to use my password manager. I can run it on a local network, storing all my information on my computer and other devices. None of my password information need ever go near the cloud.
This last issue — cloud vs. local storage — could be the key for you to start using a password manager if you’re afraid of hackers but see the benefit of randomly generated strong passwords. Make sure any password manager you think of using has the ability to store information away from the cloud and away from the provider’s servers.
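To make concrete what “encrypted at rest with a key only you hold” means, here is an added example (my own code, not any vendor's implementation) of a minimal vault: the master password is stretched with PBKDF2 into an encryption key and an authentication key, the vault contents are encrypted and then authenticated, and the resulting blob is all that a sync server, or the provider, would ever see. The HMAC-SHA256 counter-mode keystream is my stand-in for the AES-GCM or ChaCha20-Poly1305 a real manager would use, chosen only because the Python standard library ships no AEAD cipher; the iteration count is illustrative and the sample entries are constructed.

```python
import hashlib
import hmac
import json
import os

# Work factor for stretching the master password. Illustrative; real managers
# use higher counts or memory-hard functions such as Argon2 or scrypt.
KDF_ITERATIONS = 100_000


def derive_keys(master_password, salt):
    """Stretch the master password into two 32-byte keys: one for encryption,
    one for authentication. The salt is random per vault, so two users with the
    same master password still get different keys."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode, a stand-in for a real stream/AEAD cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password, entries):
    """Encrypt-then-MAC the vault. Layout: salt(16) | nonce(16) | ciphertext | tag(32).
    This blob is safe to hand to a sync service: without the master password it is opaque."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password, blob):
    """Verify the tag BEFORE decrypting. A wrong master password and a tampered file
    look the same from here: the tag does not match, and nothing is decrypted."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or vault has been tampered with")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample entries; a real vault would hold generated passwords.
    vault = seal_vault("my memorable master password", {"bank.example": "Qx7!rT2#vL9m"})
    print(len(vault), "bytes stored; provider sees only this")
    print(open_vault("my memorable master password", vault))
```

Note that the whole vault is either opened or refused: the authentication step runs over everything, so a server that flips a byte, or an attacker guessing master passwords offline, gets nothing partial. The stretching step is what makes “offline” guessing expensive, which is exactly why the master password still has to be strong.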
CREATING A MASTER PASSWORD
It may seem a little daunting to come up with a complex but memorable password, but I’d like to suggest it’s not as difficult as it seems. Let’s take a look at a made-up complex password: !M2j3B*s*T*. How did I come up with this, and how would I remember it?
Let’s assume you think Michael Jordan is the best basketball player ever. You’re sure to know he wore the number 23. Introduce some special characters, start to think about the words as single letters or abbreviations, and you’ve got a memorable and very strong password.
STILL DON’T WANT TO USE A PASSWORD MANAGER? AT THE VERY LEAST, DO THIS:
Whether or not you wind up using a password manager, at the very least remember that variation (not using the same password on more than one site) and complexity (passwords with letters, numbers, and characters) are essential to protecting yourself online. It’s easier for me to use a password manager to handle that variation and complexity. If it’s not for you, devise your own system, but stick to those two password virtues. Somewhere down the line you’ll be happy you did.
LEARN MORE FROM THESE GREAT RESOURCES FROM NAR:
Check out Cybersecurity Checklist: Best Practices for Real Estate Professionals, part of nar.realtors’s coverage of data privacy and security.
Security cameras are ubiquitous. Are the intended audiences the only ones observing through these? Check out the post below from Cujo.
In this Things Thursday, we look at security for now and for the future, and how technology will impact the aging population.
- Watch a video of how a camera gets hacked (via Cujo)
The link above comes from an internet firewall vendor, but it’s relevant to security and what’s happening with the internet of things. Because of the rush to scale security systems years ago, there are tons of systems that are susceptible to programs like Mirai. Watch the video to see how easy it can be to hack a camera. As the post says, only buy cameras from companies that are adhering to security practices. One example for you to look at is Canary.
- How will IoT change the lives of our aging population? (via ReadWrite)
At CRT, we’ve been discussing this exact use case since we started the labs. What will the internet of things mean for accessibility for the aging and disabled populations? K4Communications is working on this problem, as they believe there is value in smart building tech beyond the flashy. We agree. We will be watching the work of this company.
- Thinking of using voice authentication? Think again! (via Embedded)
Voice as a tool for authentication holds promise. There are challenges to it, however. Enter Lyrebird…a software platform intended to synthesize any voice and change intonation to make it sound more natural. The article looks at a biometric company called TrulySecure and the challenges around using voice for authentication. It’s definitely a good read.
That’s all for Things Thursday this week. Have questions? Want us to cover something? Let us know. You can follow us on Twitter @crtlabs or Facebook.
Back to the drawing boards.
NOTE: This is part 3 in a series about the recent DDoS attacks using Internet of Things enabled devices. We look at where manufacturers are culpable in this latest attack.
The Insecurity of Things:
- Look into the Mirai – An overview of what happened
- Wagging the Dog – What Mirai is really about: security and secure passwords
- A Manufactured Problem – The ‘root’ of this lies with the manufacturers. Here’s what they’re doing, and what they need to do
This is the final piece in my three-part series about the Internet of Things and the DDoS attacks that have taken place in the last month. I’ve saved this post for last because I feel it’s the most essential. As I said in my last piece, we, as users, need to create secure passwords and credentials for all aspects of our online life. I focused on what consumers can do to improve their security, but it doesn’t stop with them. We need to hold manufacturers to account. Manufacturers have the biggest responsibility in this.
In the attack on Dyn, a majority of the devices used could be sourced back to one manufacturer, Hangzhou Xiongmai Technology Co Ltd. They make parts for cameras, DVRs and storage devices. You may not have heard of them because they ‘white-label’ a lot of their products. They also make components used in other companies’ products, and some of those components were open to attack. The reason I’m distinguishing here is I want to make clear that your devices are only as secure as your weakest piece. I should make it clear that Xiongmai has issued a recall for some of their devices, but this is complicated by the fact that, as a company that white-labels, you may have one of the devices and not know it.
In order to provide perspective, let me cover some of the problems these manufacturers have.
In my second piece of this series, I covered what consumers can do with passwords. I called that piece ‘Wagging the Dog’ because, to me, IoT is the dog and credentials are the tail. Now, I aimed that piece at users and talked about what they could do to improve their security. I want to be clear, however, that for these DDoS attacks, a lot of the blame goes on the manufacturers. The devices in question had default or easy-to-guess credentials that users of the devices COULDN’T change if they wanted to. You might have seen the list compiled by Brian Krebs below:
From Brian Krebs’ follow-up piece on the Mirai DDoS attack.
This list is compiled from the source code for Mirai, the software used to attack devices. It’s pretty shocking to me to see some of the passwords and accounts listed here, honestly. For those who may not be familiar with servers and deeper computer usage terminology, let me say that seeing the user ‘root’ on so many of these is scary. Root is the main user of a system. It’s the superadmin with all permissions. That means that anyone with those credentials can do whatever they want to that device. But that’s not all: you’ll note that at least one of these devices just required the username ‘root’ and NO password.
The one that really got me though is Xerox. For almost all of their printers, the default user is ‘admin’ and the password is ‘1111’. I decided to see if I could find these listed in documentation on their site. I wanted to see if it would be hard for me to get this information. Unfortunately, it wasn’t. Here’s what I did:
- I searched from my search engine ‘Logging in as system administrator on your Xerox printer’.
- I found the first unpaid result to be a link very similar to the one listed above.
- When I got to the page, this is what I found:
- I clicked on the support page link and searched for a model number.
- I clicked on a link to a pdf for the model in question.
- I searched the term ‘password’.
- I found the username and password for the copier. Here’s a screenshot:
The PDF containing this information was easy to find using a model number and searching the PDF for the word ‘password’.
Okay. That was way too easy. Now, I’m not divulging any secret here or hacking any system to get this information. Xerox is only an example of the problem. Their devices weren’t named in the Mirai attacks, BUT their credentials were found in the source code. I’m taking information you could get by reading an article, performing a search and voila! What can Xerox do about this? There are several things:
- Don’t use admin/1111 as the default credentials. Give each new customer a randomly generated way of authenticating.
- Password protect any system administrator documents on their website. Require a ‘customer id’ number along with credentials.
- Remove the display of ANY credentials from PDFs. Instead, put a ‘customer support’ number there, where a person has to call in to get credentials or have a remote authentication mechanism as part of the customer support.
So, I know what you’re thinking. Why doesn’t the user of this printer just change the password? In fact, in the screenshot from Xerox’s site, they encourage users to do that. That can be easier said than done. That password is required in multiple places for support and maintenance. Also, changing the password can be an onerous task. The keyboards on copiers and printers are not the friendliest to use, so creating a more complicated password can be time consuming and having to reenter it all the time could be a nuisance. I will say, though, end user, you should think hard about this. How often do you need to access admin for your system? What constraints does it put on you to change that password? My answer is, do it. Don’t think about it, just do it.
So, it appears to me that admin/1111 is used for the convenience of systems support. This lies at the manufacturer’s door. To me, this type of thing is essential to customer care. Build security into your device and work to educate customers as to why this is essential to their business. As a non-user of a product, it should not be this easy for me to get this information. Period.
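As an added example (my own code, not Xerox’s or any manufacturer’s firmware), here is what the first recommendation above looks like in practice: the ship-the-same-secret-on-every-unit `admin/1111` beside a per-device random credential, plus an admin account that stores only a salted PBKDF2 hash of the password, forces a change on the first login, and refuses blank, short or known-default replacements. The default blocklist, the serial numbers and the minimum length are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed shortlist of factory defaults; the post names admin/1111 and
# root with no password. A real blocklist would hold every pair Mirai tried.
KNOWN_DEFAULT_PASSWORDS = {"", "1111", "admin", "root", "password", "12345"}
MIN_PASSWORD_LENGTH = 12          # assumed policy floor
KDF_ITERATIONS = 50_000           # illustrative work factor


def factory_default_credential(serial):
    """The weak practice: every unit, regardless of serial, ships with admin/1111."""
    return ("admin", "1111")


def per_device_credential(serial, length=16):
    """The fix: a random credential unique to this unit, delivered with the unit
    to its owner rather than printed in public documentation (my assumption)."""
    alphabet = string.ascii_letters + string.digits
    return ("admin", "".join(secrets.choice(alphabet) for _ in range(length)))


class AdminAccount:
    """Administrator account on a device. Keeps a salted hash, never the password,
    and flags the initial credential so the first login must replace it."""

    def __init__(self, username, initial_password):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(initial_password, self.salt)
        self.must_change = True

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)

    def authenticate(self, username, password):
        """Return 'denied', 'change_required' (initial credential still in place) or 'ok'."""
        if username != self.username:
            return "denied"
        if not hmac.compare_digest(self._hash(password, self.salt), self.pw_hash):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def set_password(self, new_password):
        """Reject blank, known-default and short passwords; then clear the must-change flag."""
        if new_password in KNOWN_DEFAULT_PASSWORDS or len(new_password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password is blank, a known factory default, or too short")
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(new_password, self.salt)
        self.must_change = False


def provision_device(serial):
    """Factory step: create the admin account with a per-device credential and
    return the account plus the one-time password to hand to the owner."""
    username, password = per_device_credential(serial)
    return AdminAccount(username, password), password


if __name__ == "__main__":
    account, first_pw = provision_device("SN-0001")   # constructed serial
    print("ships with:", first_pw)
    print("admin/1111 ->", account.authenticate("admin", "1111"))
    print("first login ->", account.authenticate("admin", first_pw))
    account.set_password("Copier-Room-2nd-Floor-7")
    print("after change ->", account.authenticate("admin", "Copier-Room-2nd-Floor-7"))
```

The two points a manufacturer gets from this are that a leaked manual no longer leaks a working credential, because the documented default is not what any unit ships with, and that the device itself enforces the change the Xerox page merely encourages, so the onerous-keyboard problem is paid once, at setup, instead of being skipped forever.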
So, now that we’ve looked at passwords, let’s move on to hardware.
Security expert Bruce Schneier first called out the issues with hardware in his excellent piece from 2014. In fact, this was the piece that inspired me to push CRT into the IoT space. He helped me see that we need to protect our members and their clients as these devices were ramping up for the home. He literally ‘peels back the onion’ on the hardware and software and all the challenges wrought. Briefly, I’ll try to paint a picture of the challenge using Schneier’s paints. In order to make an internet-enabled device, you have to pull together a number of smaller components.
As the product manufacturer, it’s most likely you don’t make those components because they require specialized equipment and knowledge. They are also relatively cheap, so, economically, it’s better to buy than build. When you put these components together from various manufacturers, you now have a mash-up of pieces. Some of these pieces are essentially mini-computers and have software running on them. Now, each one of these components with firmware or running some low-level software is a risk because, as we know from owning computers for the last 40 years, software has bugs. Once a vulnerability is discovered in the software on these components, you now have a chink in the armor. The question then becomes: how does one get an update for the firmware for a component in a device you bought and expect to just work? It’s not easy. Does the component manufacturer step up and release the patch? Does the device manufacturer then deploy the patch? How does a user of the hardware know when there’s a needed critical patch? Why not just release an update over the air?
Manufacturers need to have a plan on how to work with components companies to deliver better, more secure products. I do understand this is much easier said than done. But, we need to get there. Getting a product to market before anyone else does shouldn’t happen unless you’ve considered all the issues and what you can do to fix them. One company I want to highlight as doing very well at the Internet of Things is Canary. They make a security camera for the home. We’ve been in contact with them several times and have talked about these issues and how they’re approaching them. Out of all the companies we’ve met, Canary strikes me as taking these issues the most seriously.
First, they take their devices to a hacker conference called Defcon every year. They want to see if they can be hacked so they can fix any problems before they make a large impact. We’ve spoken to several people there who’ve said that they work really hard to make sure this device is secure because it’s gathering sensitive data. It’s a video camera in your home. They want to make sure it’s as secure as can be.
Second, look at the security measures they are taking, including hardware encryption:
What that tells you is that they’ve looked at the potential vulnerabilities in their device and are making sure they are covered. More like this, please.
Apple’s HomeKit is another example of taking encryption seriously. People get upset with Apple because of their ‘walled garden’ approach to their systems, but there is a method to their madness. In order for your device to become a HomeKit certified device, you need to have one of their encrypted chips in the device. You also need to use some ‘bleeding-edge’ security protocols for connecting to their system. Now, we’ve spoken to several manufacturers who’ve said it’s a pretty intense process, both in time and resources. Mirai highlights the need for these measures.
The answer to making other companies follow suit really comes down to putting pressure on the manufacturers and their suppliers. Do we ask the government to intervene? Do we wait for hardware manufacturers to take action like Canary and Apple? The way we see it, there needs to be a way to either certify or validate these devices. At NAR, we are investigating how we could be a part of something like this. We’ve had conversations with companies like Underwriters Laboratories (UL, LLC) and Trusource Labs, public-interest groups like The Online Trust Alliance, Future of Privacy Forum, and Center for Democracy & Technology and some vendors, about how to proceed. We are actively working on setting up a certification/validation type system. We feel like we can help be a part of the solution as we have no economic interest in these devices, yet have interest in the best possible experience in owning or living in a home. As more of these devices are released, more issues will arise. We want to mitigate as many as possible, so a standardization of this process can help to clean this up.
But we have the problem now. What can we do in the meantime? To start, US-CERT (the United States Computer Emergency Readiness Team) provides a list of ways to mitigate and prevent these takeovers of IoT devices. At NAR, we worked with the Online Trust Alliance and issued a statement that 100% of the IoT vulnerabilities in recent attacks were preventable. In fact, we released this a few weeks before the Mirai attacks. There are a number of simple steps manufacturers can take to improve their hardware security. What I recommend you do as a user of these technologies: before you buy any product, search for the product name along with the phrases ‘security issues’ or ‘hacked’. Search for the devices you have now in the home as well. Update software regularly. Also, keep following us. We are here for our members. So, if you’ve made it through the three pieces I wrote…what thoughts do you have? Share in the comments below.
RESOURCES FOR MORE READING:
Image from New Old Stock. Original source for the image here.