Are you using a password manager? Joe talks about his latest CRT Labs post, where he outlines why strong secure passwords are important, as well as the benefits of using a password manager. As always, you can like our Facebook Page to be notified when we go live, Fridays at 3PM Eastern!
If you’ve heard any of the members of CRT Labs talk about online security, you’re likely to have heard us urge you to use a password manager. And if you spend a normal amount of time online, you’ve also read about password manager breaches. The most recent high-profile attack hit LastPass earlier this year, and the attack helped spawn a lot of “are password managers really a good idea?” think pieces.
Let me be direct: yes, it’s a good idea to use a password manager. It’s a really, really, good idea, and using them is something I will continue to recommend to the REALTORS® with whom I speak.
The reason we recommend using them so strongly is because password managers solve the two most common reasons why accounts get compromised: weak and reused passwords.
WHAT’S A PASSWORD MANAGER?
A password manager is a piece of software that helps a user create, store, and use complex passwords. (There are hardware-based password managers, as well as some browser based ones, but we’ll just be talking about dedicated software managers in this post.) By “complex passwords” I mean a combination of letters, numbers, and special characters; length and unpredictability can also increase the complexity of a password.
Password managers help you create these complex passwords; the software I use allows me to create passwords up to 64 characters in length, with up to 10 numbers and 10 special characters. For example:
Do I use complex passwords like this for online banking and shopping? I do. Not all are this crazy, but there’s actually no reason why they shouldn’t be. They can be as complex as the above, because password managers don’t require you to remember the passwords of individual sites and services you access online; they only ask you to remember one master password that gives you access to the rest.
HERE’S WHERE FOLKS GET NERVOUS:
It’s at this point that most people start to get nervous, and they usually have both of the following concerns:
- Are you crazy? You’re putting all of your password eggs into one basket!
- I can’t remember a password that’s complicated enough to be my master password.
Let’s start with the all-your-eggs issue. I currently have one master password that protects 55 very complex passwords that are stored in my password manager. My master password is complex but memorable. Am I worried about someone cracking my master password and getting to my banking, investment, and shopping passwords? Not really, and here’s why:
- My master password and password vault are shared with no one. Not even the company that provides my password management software has access to it. When you combine the strong encryption on your vault, a strong master password, as well as controlling where your information is stored – provides you multiple layers of security against any threats.
- The encryption used by most password managers exists not only during transmission of data but also at rest.
- My password manager encourages me to create very complex passwords because it can be done for me automatically when signing up for accounts at new websites.
- I don’t even have to use the Internet to use my password manager. I can run it on a local network, storing all my information on my computer and other devices. None of my password information need ever go near the cloud.
This last issue — cloud vs. local storage — could be the key for you to start using a password manager if you’re afraid of hackers but see the benefit of randomly generated strong passwords. Make sure any password manager you think of using has the ability to store information away from the cloud and away from the provider’s servers.
CREATING A MASTER PASSWORD
It may seem a little daunting to come up with a complex but memorable password, but I’d like to suggest it’s not as difficult as it seems. Let’s take a look at a made-up complex password: !M2j3B*s*T*. How did I come up with this, and how would I remember it?
Let’s assume you think Michael Jordan is the best basketball player ever. You’re sure to know he wore the number 23. Introduce some special characters, start to think about the words as single letters or abbreviations, and you’ve got a memorable and very strong password.
STILL DON’T WANT TO USE A PASSWORD MANAGER? AT THE VERY LEAST, DO THIS:
Whether or not you wind up using a password manager, at the very least remember that variation (not using the same password on more than one site) and complexity (passwords with letters, numbers, and characters) are essential to protecting yourself online. It’s easier for me to use a password manager to handle that variation and complexity. If it’s not for you, devise your own system, but stick to those two password virtues. Somewhere down the line you’ll be happy you did.
LEARN MORE FROM THESE GREAT RESOURCES FROM NAR:
Check out Cybersecurity Checklist: Best Practices for Real Estate Professionals, part of nar.realtors’s coverage of data privacy and security.
In this Things Thursday, we look at security for now and for the future, and how technology will impact the aging population.
- Watch a video of how a camera gets hacked (via Cujo)
The link above comes from an internet firewall vendor, but it’s relevant to security and what’s happening with the internet of things. Because of the rush to scale security systems years ago, there are tons of systems that are susceptible to programs like Mirai. Watch the video to see how easy it can be to hack a camera. As the post says, only buy cameras from companies that are adhering to security practices. One example for you to look at is Canary.
- How will IoT change the lives of our aging population? (via ReadWrite)
At CRT, we’ve been discussing this exact use case since we started the labs. What will the internet of things mean for accessibility for the aging and disabled populations? K4Communications is working on this problem, as they believe there is value in smart building tech beyond the flashy. We agree. We will be watching the work of this company.
- Thinking of using voice authentication? Think again! (via Embedded)
Voice as a tool for authentication holds promise. There are challenges to it, however. Enter Lyrebird…a software platform intended to synthesize any voice and change intonation to make it sound more natural. The article looks at a biometric company called TrulySecure and the challenges around using voice for authentication. It’s definitely a good read.
This is the final piece in my three-part series about the Internet of Things and the DDoS attacks that have taken place in the last month. I’ve saved this post for last because I feel it’s the most essential. As I’d said in my last piece, we, as users, need to create secure passwords and credentials for all aspects of our online life. I focused on what consumers can do to improve their security, but it doesn’t stop with them. We need to hold manufacturers to account. Manufacturers have the biggest responsibility in this.
In the attack on Dyn, a majority of the devices used could be sourced back to one manufacturer, Hangzhou Xiongmai Technology Co Ltd. They make parts for cameras, DVRs and storage devices. You’ve may not have heard of them because they ‘white-label‘ a lot of their products. They also make components used in products and some of those components were open to attack. The reason I’m distinguishing here is I want to make clear that your devices are only as secure as your weakest piece. I should make it clear that Xiongmai has issued a recall for some of their devices, but this is complicated by the fact that, as a company who white-labels, you may have one of the devices and may not know it.
In order to provide perspective, let me cover some of the problems these manufacturers have.
In my second piece of this series, I covered what consumers can do with passwords. I called that piece ‘Wagging the Dog’ because, to me, IoT is the dog and credentials are the tail. Now, I aimed that piece at users and talked about what they could do to improve their security. I want to be clear, however, that for these DDoS attacks, a lot of the blame goes on the manufacturers. The devices in question had default or easy to guess credentials that users of the devices COULDN’T change if they wanted to. You might have seen the list compiled by Brian Krebs below:
This list is compiled from the source code for Mirai, the software used to attack devices. It’s pretty shocking to me to see some of the passwords and accounts listed here, honestly. For those who may not be familiar with servers and deeper computer usage terminology, let me say to you that seeing the user ‘root’ on so many of these is scary. Root is the main user of a system. It’s superadmin with all permissions. That means that anyone with those credentials can do whatever they want to that device. But that’s not all, you’re note that at least one of these devices just required the username of ‘root’ and NO password.
The one that really got me though is Xerox. For almost all of their printers, the default user is ‘admin’ and the password is ‘1111’. I decided to see if I could find these listed in documentation on their site. I wanted to see if it would be hard for me to get this information. Unfortunately, it wasn’t. Here’s what I did:
- I searched from my search engine ‘Logging in as system administrator on your Xerox printer’.
- I found the first unpaid result to be the link very similar to the link listed above.
- When I got to the page, this is what I found:
- I clicked on the support page link and searched for a model number.
- I clicked on a link to a pdf for the model in question.
- I searched the term ‘password’.
- I found the username and password for the copier. Here’s a screenshot:
Okay. That was way too easy. Now, I’m not divulging any secret here or hacking any system to get this information. Xerox is only an example of the problem. Their devices weren’t named in the Mirai attacks, BUT their credentials were found in the source code. I’m taking information you could get by reading an article, performing a search and voila! What can Xerox do about this? There are several things:
- Don’t use admin/1111 as the default credentials. Give each new customer a randomly generated way of authenticating.
- Password protect any system administrator documents on their website. Require a ‘customer id’ number along with credentials.
- Remove the display of ANY credentials from PDFs. Instead, put a ‘customer support’ number there, where a person has to call in to get credentials or have a remote authentication mechanism as part of the customer support.
So, I know what you’re thinking. Why doesn’t the user of this printer just change the password? In fact, in the screenshot from Xerox’s site, they encourage users to do that. That can be easier said than done. That password is required in multiple places for support and maintenance. Also, changing the password can be an onerous task. The keyboards on copiers and printers are not the friendliest to use, so creating a more complicated password can be time consuming and having to reenter it all the time could be a nuisance. I will say, though, end user, you should think hard about this. How often do you need to access admin for your system? What constraints does it put on you to change that password? My answer is, do it. Don’t think about it, just do it.
So, it appears to me that admin/1111 is used for convenience of systems support. This lies at the manufacturer’s door. To me, this type of thing is essential to customer care. Build security into your device and work to educate them as to why this is essential to their business. As a non-user of a product, it should not be this easy for me to get this information. Period.
So, now that we’ve looked at passwords, let’s move on to hardware.
Security expert Bruce Schneier first called out the issues with hardware in his excellent piece from 2014. In fact, this was the piece that inspired me to push CRT into the IoT space. He helped me see that we need to protect our members and their clients as these devices were ramping up for the home. He literally ‘peels back the onion’ on the hardware and software and all the challenges wrought. Briefly, I’ll try to paint a picture of the challenge using Schneier’s paints. In order to make an internet-enabled device, you have to pull together a number of smaller components.
As the product manufacturer, it’s most likely you don’t make those components because they require specialized equipment and knowledge. They are also relatively cheap, so, economically, it’s better to buy than build. When you put these components together from various manufacturers, you now have a mash-up of pieces. Some of these pieces are essentially mini-computers and have software running on them. Now, each one of these components with firmware or running some low-level software are a risk because, as we know from owning computers for the last 40 years, software has bugs. Once a vulnerability is discovered in the software on these components, you now have a chink in the armor. The question then becomes, how does one get an update for the firmware for a component in a device you bought and expect to just work? It’s not easy. Does the component manufacturer step up and release the patch? Does the manufacturer then deploy the patch? How does a user of the hardware know when there’s a needed critical patch? Why not just release an update over the air?
Manufacturers need to have a plan on how to work with components companies to deliver better, more secure products. I do understand this is much easier said than done. But, we need to get there. Getting a product to market before anyone else does shouldn’t happen unless you’ve considered all the issues and what you can do to fix them. One company I want to highlight as doing very well at the Internet of Things is Canary. They make a security camera for the home. We’ve been in contact with them several times and have talked about these issues and how they’re approaching them. Out of all the companies we’ve met, Canary strikes me as taking these issues the most seriously.
First, they take their devices to a hacker conference called Defcon every year. They want to see if they can be hacked so they can fix any problems before they make a large impact. We’ve spoken to several people there who’ve said that they work really hard to make sure this device is secure because it’s gathering sensitive data. It’s a video camera in your home. They want to make sure it’s as secure as can be.
Second, look at the security measures they are taking, including hardware encryption:
What that tells you is that they’ve looked at the potential vulnerabilities in their device and are making sure they are covered. More like this, please.
Apple’s Homekit is another example of taking encryption seriously. People get upset with Apple because of their ‘walled garden’ approach to their systems, but there is a method to their madness. In order for your device to become a Homekit certified device, you need to have one of their encrypted chips in the device. You also need to use some ‘bleeding-edge’ security protocols for connecting to their system. Now, we’ve spoken to several manufacturers who’ve said it’s a pretty intense process, both in time and resources. Mirai highlights the need for these measures.
The answer to making other companies follow suit really comes down to putting pressure on the manufacturers and their suppliers. Do we ask the government to intervene? Do we wait for hardware manufacturers to take action like Canary and Apple? The way we see it, there needs to be a way to either certify or validate these devices. At NAR, we are investigating how we could be a part of something like this. We’ve had conversations with companies like Underwriters Laboratories (UL, LLC) and Trusource Labs, public-interest groups like The Online Trust Alliance, Future of Privacy Forum, and Center for Democracy & Technology and some vendors, about how to proceed. We are actively working on setting up a certification/validation type system. We feel like we can help be a part of the solution as we have no economic interest in these devices, yet have interest in the best possible experience in owning or living in a home. As more of these devices are released, more issues will arise. We want to mitigate as many as possible, so a standardization of this process can help to clean this up.
But we have the problem now. What can we do in the meantime? To start, the US-CERT (United States Computer Emergency Readiness Team) provides a list of ways to mitigate and prevent these takeovers of IoT devices. At NAR, we worked with the Online Trust Alliance and issued a statement that 100% of IoT vulnerabilities are preventable in recent attacks. In fact, we released this a few weeks before the Mirai attacks. There are a number of simple steps manufacturers can take to improve their hardware security. What I recommend you do as a user of these technologies, before you buy any product, do a search of the product name along with the phrases ‘security issues’ or ‘hacked’. Search devices you have now in the home as well. Update software regularly. Also, keep following us. We are here for our members. So, if you’ve made it through the three pieces I wrote…what thoughts do you have? Share in the comments below.
RESOURCES FOR MORE READING:
- Bruce Schneier’s piece from 2014 pointing to the coming of this problem of internet security & the Internet of Things
- Scheier’s latest piece on the botnet attack
- Dark Reading’s piece ‘‘Root’ & the New Age of IoT-Based Internet Attacks‘
- Sophos Security’s analysis of the attack
Yesterday, I wrote in part one about the DDoS attacks that we’ve experienced in the last month and what went down to make them happen. In part two, I want to expound on one of the ways we can work to mitigate and or prevent this from happening again: secure passwords and better security.
I subtitled this ‘wagging the dog’ because I feel that’s what’s been happening in the media. They are focused on the result and not the problem. A lot of the titles included phrases like ‘IoT botnet’, ‘Mirai uses IoT to attack’, and the like, putting the focus on the types of devices used, rather than how Mirai gained access. This is about security and proper password and credential management. Period. In the third paragraph of a post on a site called Threat Post, they say how it happened (emphasis mine):
Mirai’s purpose is to continuously scan the public Internet for IoT devices and tries to access them using known default or weak credentials before exploiting and forcing devices to join botnets used in DDoS attacks.
‘Known default or weak credentials’. That was the big contributor to this attack. IoT is the tail. Credentials are the dog. Passwords and usernames were easily guessable. If you’re using one of these 25 common passwords or equivalents, this could have happened to you. Brian Krebs wrote an article after he was attacked about the devices that were identified in the source code of Mirai, the botnet. Here is an image from that article showing the 68 devices, and their credentials:
IoT is the tail.
Credentials are the dog.
It starts with a mind shift. We’ve been thinking about Internet of Things devices as devices that we can access from our phones and control and get data from. Maybe that mindset is the problem. Before, when using my coffee maker, I didn’t have to have a password. So, here’s how I would encourage you to think about Internet of Things and smart home devices: Think of them as physical applications, equivalent to your app for banking or your app for your email, that need the same level of security. Rather than these physical apps being on a computer or phone, they have a real world presence that needs security. This is the most prominent example of our physical and virtual worlds co-mingling. You lock your door with a unique key, why wouldn’t you lock each device with a unique password? In part three, I’ll address what vendors need to do about their default passwords, but today I’ll take a look at what we can do once we own these devices.
What can we do about this?
You’ll note from the list the onus is on the users and manufacturers of these devices. Simply put, when installing a new IoT device, NEVER use the default password and username for it. Using simple passwords like ‘password’ or ‘1234’ are bad ideas when you’re using them for your online accounts, but even worse when you use them for internet-enabled devices like cameras and DVRs. First and foremost for your devices, make strong passwords and change default usernames. Most consumer grade devices have graphical user interfaces for you to work with and change your credentials. In fact, should a REALTOR sell a home with smart devices in it, they should work with the new homeowner to reset ALL of those devices. At CRT Labs, we worked with the Online Trust Alliance to produce a smart home checklist last year. Use this as a way to ensure you are securing these smart devices.
Stronger, better passwords
TLDR; Chris and I spoke about this in our office hours a couple of weeks back. You can take some time to watch that video here (go ahead, I’ll wait):
Okay, before we get started on this, I want you to think about me as a password personal trainer. The equivalent Jillian Michaels preferably. I will push hard on this. I’m going to ask things of you that you know you should be doing, but haven’t because ‘it’s not easy’ or ‘it’s hard to remember’. Listen, the Internet of Things is coming and you need to get in this habit because there will be BILLIONS of these devices in about 4 years time. Anytime you use an insecure password, you are not just exposing your information, but potentially, personal information about your clients. How many documents, contracts, or pieces of personal information of your clients do you have in your email? You need to think of your passwords as you do your keys or keys to a home you’re showing. You don’t just hand those out willy nilly or make them flat because ‘getting the notches cut means I have to go to the hardware shop and I only like the way that Eddie cuts the keys but Eddie only works on Thursdays’…do you? If you do hand them out, can I have a key? Sorry, got a bit side tracked. So, what do you do to protect yourself? Here is what you do.
Stronger passwords. Period.
Rather than using personally identifiable information, make your passwords tough. I mean really tough. So tough, you have to change how you think about passwords to remember them. Let me give you some easier to remember examples, followed by harder to remember examples.
So, here is how I like to think about my ‘easier’ passwords. I will take either a song, poem, book or other source material and I’ll look for a line or two that I can remember or memorize. Then what I’ll do is condense that to some letters, numbers and punctuation or symbols to make a password. Let me give you an example. Robert Frost is a poet we all know. The Road Not Taken seems like a good teaching poem for this. Here are the first couple of lines from that poem (please don’t use these two lines to make your password now):
|Two roads diverged in a yellow wood,|
|And sorry I could not travel both|
Okay, so, here is what I would do with this:
So, to show you how I put this together, I’ve taken the line of poetry and added highlighting to show what my thoughts were:
|And sorry I could not travel both *1920|
You’ll note that I changed the word ‘Two’ to ‘2’ and used the whole word of yellow. I did these to mix it up a bit. The *1920 is also there to add some complexity. The year 1920 was the year this poem was published. I added the asterisk to put another character in there. Please note, this is a minimum I would do for a password. I’m using it for demonstration. The next section will show you how to generate and store more complex passwords using a service.
Get a Password Manager
One of our big recommendations are password managers. Password managers are applications that you use to store your credentials for your different applications. You have 1 master password (and you don’t want to forget it because if you do, you essentially are locked out of your password manager and can’t get back in. You can use the technique above to generate that password.). That password is used to unlock your vault of passwords and other sensitive information. Many of these apps make it extremely easy for you to add passwords from all of your accounts. I use one called 1Password. You can find many that were recommended and reviewed by PCMag this year at this link. And guess what, you may have to spend some money. 🙂
Many password managers offer a password generator as part of the software. Here is a password that 1Password generated for me (I’m not using it anywhere):
Here is an image of that password being generated:
You’ll note from my password manager, I can change the number of characters, symbols and numbers and I can also see how strong the password is. My password manager has a browser plugin that makes it easier for me to use these devices on the web. Look at the list provided by PCMag and you can see if there’s one that meets your needs.
By the way, I want to be clear that the responsibility for password security isn’t JUST on you. If you have a bank or service provider that has limits on what you can enter as a password (example, no symbols, or all upper case or no upper case), don’t worry about changing your password. Worry about changing that bank or service provider.
Finally, the next step in securing your devices is two-factor authentication. We will dive more into this in a later post, but this is a start. To see if your applications (banks, Dropbox, Google) support 2-factor authentication, you can use this link and search for a specific program. This is where you take something you know (a password) and something you have (a phone) to gain access to applications. In order to do this, you can download apps for your phone, like Google Authenticator. After you’ve set up 2-factor authentication, here’s how it works:
- You login to the site with your username and password (what you know in the 2-factor auth scenario).
- The site prompts you to enter a number (typically a 6 digit number) that you will receive either via email or sms or other means.
- Your device (what you have in the 2-factor auth scenario) receives the number from the company. (
- You enter said number and submit.
- You now have access to your account.
That extra step of having the device and a method for creating a ‘token’ as it were is important. It makes it harder for the baddies to get in. Definitely use it. We’ll need it when we get this Internet of Things thing figured out. Tune in tomorrow to see what we have to say about Internet of Things vendors and what they need to do to make their sites secure. Thanks for reading. Now drop and give me 20 burpees!!
Well, it’s happened. The Internet of Things did us in. We can’t use it. It’s going to shut us down. My fridge just swallowed my kid.
This past Friday we saw one of the largest attacks on the internet to date, and it was fueled by Internet of Things-connected devices. This means that the Internet of Things is just not ready for prime time…right? Well, it’s more complicated than that. If done right, Internet of Things devices can deliver on the promise. What we’re seeing, however, are gaps not being covered by vendors and those using the products. This happens in emerging spaces very often. I’m not looking to excuse behavior, but only point to how nascent this market is. I’m also in no way looking to blame users on this. Unless we start thinking about how we work with security as consumers and vendors for these devices, we will see this continue. Over the next few days, I’m going to put up a series of posts on how we can do that. Here at CRT, we focus on educating consumers about the Internet of Things, including how they can keep themselves and their devices safe. This first post aims at addressing what happened.
Two large-scale attacks have been unleashed on the internet using Internet of Things-enabled devices. Specifically, these were security cameras, DVRs and storage devices that had default credentials on them and were accessed using software called Mirai. A little over a month ago, this weapon was used to target security researcher Brian Krebs. Last week, you may have noticed that a lot of sites (Netflix, Twitter, Spotify, as well as some real estate sites) were inaccessible or not working properly.
You may have heard of DDoS attacks before. DDoS stands for ‘distributed denial of service’. What happens in a DDoS attack is that hackers use bots (essentially other people’s computers) to send a LOT of traffic at either one particular website or a server. This type of attack puts that website out of commission because it is receiving way more traffic than it can handle and it causes the site to go down and become inaccessible. As I’d said, the main tool in creating these attacks were other people’s computers. Hackers will gain access to these computers through various means: phishing, viruses, and links on the web that you click on, to name a few. This is why having security software like antivirus and malware scanners is really important.
In this attack, using a program called Mirai (‘Future’ in Japanese), the hackers scanned IoT devices and looked for those devices that had default passwords or hard-coded credentials. When they found matches, they took control of them and used them in their attack. The attack on Brian Krebs’ site saw about 620 gigabytes per second of traffic for a sustained period of time. Luckily, Krebs was working with Akamai (one of the Internet’s largest content provider networks) to keep his site up and they succeeded. Brian notes on his blog that Akamai said this was twice the traffic they’d previously seen in this type of attack.
Moving to last Friday, rather than target one person or site, the target was a company called Dyn. Dyn provides DNS (domain name system) services for the internet. What this means is, for example, when you type in ‘crtlabs.org’, it is mapped to an IP address for our site. This mapping helps you get to our site. Dyn does this for countless numbers of sites. Some of their biggest clients were taken down in this attack. According to Dyn, over 10 million
devices IP addresses* were used to send traffic in the attack. Details are still emerging.
The real issue in both cases is how the attack was carried out. Using the Mirai software (and maybe other bot software) millions of IoT devices were scanned and found to be using default passwords and usernames. Once the devices were under the control of hackers, all they had to do was set up when and where they wanted to attack. This does not mean that the Internet of Things is the problem. What it means is our (vendors’ & consumers’) best practices around security and hardening our devices are the problems.
Tomorrow, we’ll look at what we can do to mitigate and prevent these style of attacks.
* UPDATE 10/25/2016 – The difference between IP addresses and devices in this instance is that you can have many IP addresses for one device. So, according to this post on Threat Post, about 550,000 devices are affected by Mirai. Of those, 10% were used in the attack on Friday. This comes to about 50,000 devices sending 10 million requests.