[Seminar: Surviving the Internet] [Esmond Kane-Harvard University] [This is CS50.-CS50.TV] Hello, and welcome to "Surviving the Internet." It is one of the seminars that comprise part of this CS50 curriculum. My name is Esmond Kane. My name and address are on that slide deck in front of you. It is esmond_kane@harvard.edu. In my day job I am one of the IT security directors for HUIT, but I have to acknowledge that today I am on an away mission which is why I am wearing a red shirt. This is not going to comprise anything that is attributable directly to my day job, so this is not about IT security to Harvard. This is more just personal information; this is how when you're-- these are the kind of skills that you'll acquire to try and help you harden your work stations and your environment throughout your career. But nothing that I mention today should be applied to any of your university material, your servers, or your workstations without contacting your local IT support. And indeed if I mention any applications or any incidents as part of this talk or discussion it is not reporting anything that I am privileged to report. It is usually public. And nor indeed should any mention of any application imply any endorsement through Harvard or indeed any condemnation. So today why we are here--now that we are done with the disclaimer-- we are here today to talk about surviving the Internet. And why is it such an important topic right now? So to paraphrase Perry Hewitt who works in the Harvard Press and Communications office-- I apologize for reading this right now--she has stated, "We live in an atmosphere of escalating risk, but also one of unparalleled innovation. The rapid rise of the Internet, the Cloud, and social technologies has resulted in many more people having public profiles online with indeed access to an ever increasing array of information. And that means that everyone and their associations have never been more visible. 
As Harvard's digital footprint--its digital network expands, we attract a broader audience. We hope for the betterment, but sometimes we will attract some negative attention. So as a representative of Harvard," and this includes everybody watching at home or indeed anybody here, "our faculty, our students, our staff, our researchers, the risk of compromise to you and indeed to your associated network has never been higher." So often in information security when we try to balance this risk it is a complicated trade off between security and the user experience. In the era of immediacy we have to make thoughtful decisions about what will enhance security without a major inconvenience. We are told sometimes an ounce of prevention is worth twice the cure, but when choosing to implement security precautions to reduce your risk we need to acknowledge that it will never reduce the potential risk to zero. So that said--we are here today to discuss some simple and not so simple security precautions that you can take right now. I should also add--if you have any questions throughout the presentation just raise your hand. So the first topic--we are often told to pick a good password. A password is your first and best defense. It is often the only one that is available to you when you are choosing to use an online resource. But as we have seen throughout this summer and indeed the preceding year we've seen attacks like LinkedIn, eHarmony. We've seen RockYou. We've had some total of 70 million passwords and accounts compromised. And when those passwords were released into the public domain they also comprised the password hash. So basically these days if somebody retrieves an account hive they do not need to crack a password anymore; they do not need to brute force a password because they have this massive trove of released information on what people are choosing. They've already got behavioral data to mine what people tend to use. 
And they have broken that down to a list of about a thousand passwords which comprise almost 80 to 90% of the passwords that we choose in common use. So a quick example--anybody want to hazard what you thought Bashar al-Assad used for his password when it was compromised last year? This is a gentleman who is subject to intense scrutiny. And his password was 12345. Okay--so these are lessons that we have learned; we need to move beyond just thinking of a password. We are told to start using a pass phrase. There is a great comic from or indeed a web comic from Randall Munroe which goes into choosing a pass phrase; he uses--I want to say-- battery, staple, limit or something like that--you know--just-- or indeed there is the joke that somebody who picked Goofy, Nemo, Pluto--all these different characters and London because he was told to pick 8 characters and a capital. But--so we learn we need to go think beyond just a password. There is actually an Ezine in Boston called Ars Technica. There is a gentleman called Dan Goodin who is doing a series on this changing scope--either from the attacker space where we have this massive trove available for us to either mine; we no longer need to generate stuff through rainbow tables; we have 70 million passwords. But also we've had--you know--a changing scape in the actual cracking space because GPU cards have made this virtually near real-time. And there is a gentleman in Def Con in August who put together 12 of these cards into a commodity PC. He did it for about $2,000 or $3,000, and he was able to crack the LinkedIn trove in--you know--near real-time. It was quite scary. Dan Goodin's article--I highly recommend it if you want to go read it. A gentleman called Sean Gallagher--this morning--also published a quick update on it; a lot of their work is built on-- from material available from Bruce Schneier, but also from Cormac Herley from Microsoft Research. 
They kind of stated about 5-6 years ago that we need to start thinking beyond passwords. The suggestions at that time were things like pass phrases, gestural interfaces--that kind of stuff. You know--if something you know is no longer sufficient at this point; that is one of the things that I want to communicate today. If you do have to use a password, let us not be shy in stating you should still pick a good one; it should be hopefully something beyond 10 characters. It should vary between upper and lower case. I would highly encourage you not to reuse passwords. I can speak to several instances where we've seen an account get compromised and somebody hopped and skipped--the domino effect. They mine each account at each stage in the process for this data, and then they proceed to use that data that they mined in each instance against another credential source. So--again--pick a good password. Make it unique. You may want to think about using a password manager service. There are ones out there from--they are all in the app stores. There is one called OnePass, KeePass, LastPass-- it is a nice way for it to help you create unique credentials, strong credentials, but also facilitate the archive and record keeping for you. The down side to that is you need to bring that to a password store; you need to make sure that that password manager that you're trusting is worthy of your trust as well. So make sure those guys are also using some valid password mechanisms. In particular the one I am going to mention right now is multi-factor authentication. So multi-factor authentication--and there are several instances I will go through shortly-- It is the simple expedient of taking something you know like your user name and your password and adding to it--you are adding another factor. So the first factor that we will mention today are these ones on the boards. 
It is something you have in your possession, so that is either an application that is running on your smartphone or indeed on your phone itself. And you might be able to receive an SMS text. Beware if you travel abroad that is not necessarily going to follow you. An application can work greater in that instance. Or indeed the other factor you may want to think about is something you are. Now this is still kind of very much skunkworks. We do not see too much adoption of it. This is--you know--Mission Impossible style--you know--your vein print, your thumb print, your retina print. Those are kind of further out; they are not really very valid authentication factors. We see--when I talk to my security colleagues--more pressure that you put on a keypad, your particular typing pattern, is probably directly on the horizon--much more so than these other biometric identifiers. But the ones today are applications or SMS text or even just a challenge response email that you are going to get to validate that you did in fact choose to log on at this point in time. So there is a link right there; I have mailed out the slide deck this morning. It will be on the Wiki. Both Gmail and Google do this; Yahoo will do it. PayPal has it; PayPal also has a little actual hardware key which does a rotating number. But you can also choose to use a phone number. Facebook also does a log in approval, so you choose to approve it; they are also working towards more valid hard strength security. Dropbox has 2-step verification as well; you can also just purchase a hardware key for them. We also see in the Gmail one or the Google one, a lot of people are actually co-opting Google's authenticator, so--for instance-- I use LastPass--it does not imply any endorsement--but they can reuse Google's 2-step verification so that means I do not need to walk around with 2 applications on my phone. 
But also research computing within Harvard is using an analogy to Google's 2-step authentication because the one-time password algorithm was open sourced there about 10 years ago. Any questions? Good. So another factor consideration beyond passwords is when you are using these resources be aware of what data you are committing to them. Just limit what you are actually putting up there. So we are aware that these people who are providing a service for us on the Internet-- these Cloud providers--they have a vested interest in you not being as secure as you potentially can. They tend to make available a bare minimum set of security, and then there is a bunch of other ones that are optional that you need to choose to opt in to. The kind of take away from this talk is security is a shared responsibility. It is between you and the partners that you make--the alliances that you form. You need to take an active role. Choose to opt in to that. You know--take the time now; make it more secure. The alternative is there are already people validating and testing these security factors against you; the more you can choose to opt in to the better prepared you are for the eventual compromise. And it is eventual. But the other factor to think about is as I mentioned these Internet parties that you are trusting with your credentials--with your identity. I'll give you 2 analogies; Larry Ellison and Mark Zuckerberg--they are both on record stating privacy is largely an illusion. And that the age of privacy is over. That is kind of a sad indictment that we really need to wait for the government to step in to force these parties to be more secure, to introduce more legislation because when we try to work with these vendors for instance some of these Dropbox like parties, they are in the business of providing services to the consumer. They are not directly interested in having enterprise-grade security controls. 
The consumers voted with their wallet, and they have already accepted a minimum grade. It is time to change that thinking. So when we provide our data to these parties, we need to co-opt our existing trust mechanisms; so we are social creatures by default. So why all of the sudden when we start putting the data online do we now have access to the same protections we do personally? So when I can read your body language, when I can choose to network with a social circle and indeed to that circle divulge just the information that I want to. So we have access to this body language, expression, to vocalize, we have access to these identity proximity protections in a physical location; they are still developing online. We do not have access to them, but we are starting to see them. So we have facets in Facebook--for instance--like groups. We have access to things in Google+ like circles. Absolutely use them. So the last thing you want to see is in this space in particular when you go to get a job is you have now made a lot of your personality public. And when somebody wants to--should they choose to--it might be part of company policy or not--it is certainly not part of Harvard's-- but they may choose to do a Google search. And when they do so--if you provided--let us say some information which you would have difficulty standing behind-- you have done yourself a disservice. And indeed as I mentioned--these social companies they have a vested interest in making it public--you know--they need to mine your data. They are selling your demographics and your marketing material for someone. The kind of analogy in this space is--if you are not paying for a product are you the product? So create circles for your friends, be cautious, be diligent, try not to make everything public. Another analogy I will make is end-user license agreements change; they are going to tell you what they can do with your data, and they are going to bury it in a 50-page click through. 
And they can choose to change that, and they just send you a quick email. But you are not a lawyer; it is very much in legalese. You need to be cautious of what you're doing. They may own your pictures; they may own your intellectual property. You know--just exercise diligence. Another example Library of Congress is archiving every single tweet known to man. Everything. Every 10 years roughly the body of material that is generated in that 10 years accounts or greatly outpaces everything we've created throughout human history. The Library of Congress has a vested interest in preserving that information for posterity, for future archivists, for future researchers and historians, so everything you are putting out there is there. It will actually make an immense resource at some point once people start to mine social engineering or social networking sites. So keep apprised of the protections available within each application. There is something I will mention as well; there is a third party tool called Privacyfix; it can plug right in to some of these social networking applications. And it can check to see where you are with respect to the protections that are available on them if you can choose to ratchet them up further. There are tools like the Data Liberation Front from Google where you can choose to export or extract your data. There are things like the Internet Suicide Machine which will log on to some of your profiles and actually delete every single attribute one at a time, untag every single association friends in your network would have made. And it will pursue to iteratively purge everything about you that that site would know. If I can just exercise some caution there as well; there was an instance a couple of years ago in Germany where a citizen decided to exercise his freedom of information rights and ask Facebook to provide what information they had on record for him even after he deleted his account. 
They provided him with a CD with 1,250 pages of information even though his account theoretically no longer existed. There is the concept in this space a lot that some of these entities will maintain some data about you to do with your associations and your networks. They say that they cannot have control over it; that is a bit of a stretch in my opinion. They create these shadow accounts--the shadow personas. Just be careful. Limit what you can. At an actual device level when you are just talking about-- you know--hardware--your smartphone, your tablets, your workstation, your laptop, perhaps a server that you are responsible for. You have probably heard about concepts like operating system updates, application updates, antivirus; you've heard of things like firewalls, disk encryption, and back up. The one thing you should be aware of is you don't hear about those kind of protections in the mobile phone space. They are just as susceptible to the same threats. We had--I want to say--a million smartphones are going to be activated by the end of this month. That has vastly outpaced the--within the short amount of time that they have been available, that has vastly outpaced the growth of the PC, the laptop, the workstation market. But we do not have access to the same controls, and I will talk about that shortly. So before we get to the mobile phone space let us talk about what is available there that I just briefly went over. So antivirus software--here are some free choices. Microsoft gives away theirs--you know--Sophos gives away theirs for OSX as well. Patch your computer--just be aware of whatever your vendor's current patch level is, and you shouldn't be a significant delta from that. There is a nice tool from a company called Secunia. And Secunia will run in the background, and it will tell you if there's an update available and if you need to apply it. Enable automatic updates--both Apple and Microsoft will have some aspect of this. 
They will alert you that there is an update available. And Secunia--you know--is kind of a nice safety net to have as well--fall back mechanism. At the host layer--not getting to smartphones yet. Enable the firewall native to the operating system. There is some information about the Windows in the OSX one. Test your firewall; do not just leave it there and think that it is a secure mechanism. Take an active role; there is an application there from GRC--Steve Gibson. Wi-Fi security in this space--this can also apply to the smartphone and the tablet-- when you are choosing to go on the road you need to be aware that there are different classes of wireless network. And in particular do not choose the most commonly available one. It might be low cost, but there might be a reason for that. Perhaps they are mining your data. We see this more when you are traveling internationally. There are some really highly efficient cyber criminal syndicates that are able to leverage what we typically see in the nation states' espionage. A factor where they are outright injecting themselves in a network stream. They are pulling stuff out of there, and they are injecting applications on to your workstations. It is--the other aspect that I know was mentioned in some of these security seminars--or not seminars CS50 seminars--is a tool called Firesheep. And Firesheep was a particular attack in the mobile phone space where some of these social networking applications were sending credentials in plain text. And this was quite commonly accepted because everyone at that time was thinking that there was no appetite in the consumer space for it, that to use higher strength encryption implied a performance burden on the server, so if they did not have to do it--they did not want to. 
And then all of the sudden when this security researcher made the attack trivial very quickly--you know--we started to see that kind of improvement that everybody in the security space had been complaining about for a significant length of time. So--in particular--Firesheep was able to retrieve Facebook, Twitter credentials from the Wi-Fi stream. And because it was in plain text, and they were able to inject. Again, if you are going to use Wi-Fi choose to use one that is sufficiently protected--WPA2 if you can. If you have to use unencrypted Wi-Fi--and in particular I am talking to anybody that is using the Harvard University wireless-- you may want to think about using VPN. I highly encourage it. Other factors you may want to think about are if you do not trust the Wi-Fi that you are on you may want to limit use. Do not do any e-commerce; do not do any banking. Do not access your university credentials. There is a major win in this space if somebody does steal your credentials--you know--do they have your mobile phone? So--you know--that is another factor that they cannot necessarily hijack or just makes their attack more complicated. Encrypt your hard disk. We are at an era right now--encryption used to be a big deal 10 years ago. It was a significant performance impact. It is no longer--in fact--most of the mobile phones and that kind of stuff they are doing it in hardware, and you don't even notice-- the performance is so negligible. If you are talking about a workstation, we are talking about BitLocker. We are talking about File Vault; enable it--take the time now. In the Linux space obviously TrueCrypt can work across both of those. You may want to think about--in the Linux space--there is dm-crypt, there is Luxcrypt--there are a bunch of other options--also TrueCrypt. Another quick way to protect yourself at the workstation level back up your hard disk. 
And one slight wrinkle here--it is not sufficient to use one of these Cloud synchronization providers, so Dropbox or G-Drive or something else. That is not a back up solution. If somebody deletes something on one of these devices because they inserted themselves somehow it is going-- that deletion gets replicated across your entire persona. That is not a back up; that is just a propagation mechanism. So it is good to have a back up solution. There are some suggestions here for some people; some of them are free-- capacity based-- 2 gigs of back up--you can do it. If you are using university G-mail--university Google at college and co, G-Drive if it is not already--it will be available soon. It is a good replacement. We will also look at these things like Mozy Home. It is good to have 2 solutions. Do not have all of your eggs in one basket. If you are disposing of something or indeed if you are in the process of sending something confidential--some suggestions here to securely erase a device. Darik's Boot and Nuke--that is kind of more for the IT savvy. You may want to think about just giving it to some of these commercial providers if you can. Encrypting email--if you have to--there are some services on campus called Accellion; you are off-campus or for personal use I will recommend Hushmail. We see it a lot used in whistle blower; it is one of the main mechanisms for WikiLeaks as well as Tor and some other equivalents. And--now to talk about the phone level--so the problem here is there is not that much of an appetite yet. Unfortunately most of the smartphones and the tablet OSs they are still based on some of the principles that we saw in the 1990s. They have not really incorporated some of the improvements that we see at the workstation level. They are not doing heap protection. They are not doing--you know--layout randomization. They are not doing address protection. They are not doing execute protection--that kind of stuff. 
But also the device itself de facto is not going to have any end point security built into it. So we are starting to see this change--again--most of the smartphone manufacturers--Android, Apple, and Windows--the appetite just wasn't there; the benchmark was Blackberry. But Blackberry has kind of lost its traction in the marketplace at this point. And Apple has really stepped in. About 2 years ago there was a watershed moment where they started to build in a lot more enterprise type controls. And--indeed--in August they did a presentation at Def Con which was just unheard of. So they will do the minimum controls that I described. They will do strong password; they'll do a prompt for that password on idle-- the device--you forget about it and after 15 minutes it activates. They will do encryption, and they will also do what is called remote wiping. In the Android and the Windows space these are still TBD--to be determined. Android has access to some applications called Prey and Lookout. And indeed some of the end point security tools like Kaspersky I know does it. I know ESET does it as well. They will let you send an SMS text and purge the device. Windows phone at this point it is primarily oriented toward corporate style--what is called exchange. Exchange is a robust mail infrastructure, and it can mandate some of these controls. Windows 8 just shipped last week, so I cannot speak to that definitively. Windows 6.5 was the great security device. Windows 7 Mobile was a disaster; they didn't make all these native controls mandatory across the different vendors. So you had to ratify each Windows Mobile 7 phone one at a time. Android--since the 3.0 space has had a major improvement as well. Honeycomb, Ice Cream Sandwich, Jellybean--they will support these minimum controls, and indeed they will support some of the enterprise control that you can do as well. 
In your personal account space there is a Google personal sync that you can enable if you have your own Google space as well. So what do you do when it all goes horribly wrong? And if I can--another takeaway from this is really when--it is not if. This is going to happen to all of us at some point. What can you do? So what you can do--and there is a slide--the next slide will point you to some of the FTC resources for it, but a bare minimum place a fraud alert on your credit cards. If I can encourage you to think about when you are using a credit card in an online capacity--depending on the transaction you're making debit cards--the ability to claim or the ability to retract a fraudulent claim on a debit card is actually a much smaller window than it is on a credit card. So once you get your report on a debit card you only have a certain time frame--and it is very low--to notify the bank of a fraudulent transaction. Credit cards it is much larger; there tends to be a limit up to about $50,000 before they will really be able to reimburse you. So that is quite a lot of money; they bumped it up from about $13,000 or $18,000 there quite recently. So--you know--when you think about using a credit card online, can you think about using a top up card or a disposable credit card, a burner card? If you do see anything--and I will show you how you can get access shortly-- close any fraudulent accounts if you are made aware of it. File a police report if you are on campus. Reach out to HUPD--let them know. Think about an identity monitoring service. if as part of--if you do get compromised--you may have to-- they may fund identity protection service. If they do not perhaps you should do it. Collect and keep all evidence--in particular any discussions you've had with any criminal authorities particularly for insurance purposes. Change all of your passwords. Change the answers to any security questions that can be used to reset your password. Disable any past identity services. 
So if you are reusing your Facebook account to log on to Twitter or vice versa, break that; if the compromise involved your email account check to see if anything is being forwarded. Because otherwise they still have access to your data. And if the theft includes your Harvard account please notify IThelp@harvard.edu. I cannot state that enough, but also in particular if the device gets lost or stolen and it had access to your university data and perhaps you did not have some of these protections be respective; please let us know-- HUPD and IT Help at Harvard. So the link that I just mentioned that goes into that with more detail FTC.gov/identitytheft. The Postal Service also has some fraud or identity protection services-- you just put a hold or a stop on credit cards going through or stuff like that. The FBI has a link as well; it is in the notes of the slides that I sent out. And indeed Massachusetts Better Business Bureau and Consumer Protection Bureau has some guidance as well; it is in the notes. Take the time now, make yourself aware of what you can do, and take the action. The principle--as I mentioned earlier--is if you do not have a plan for your identity being stolen you are immediately going to be subject to a lot of work when it does happen, and it is when. But even when you take these precautions--let me just add a slight word of caution--no plan survives first contact with the enemy. So even at that we still think that there can be some subversion--you know-- your bank for instance who you have built all these protections around they may get compromised; these trusted parties that you have given your data to. So you are your own best defense. You know--remain vigilant--remain alert. Take the time now to choose to opt in to these; hopefully socialize this, talk to this with your friends. Pick good passwords; use unique passwords for your accounts. 
And do not reuse passwords--in particular--around some of your more sensitive assets; do not use your university account elsewhere. Do not use your credit card account elsewhere. Password protect your mobile device right now. And by mobile device I mean smartphone, I mean your tablet. Think about using good security reset questions, and I will talk about this shortly why; check your credit report. Another way that you can be a good citizen in this space is the government forced the 3 agencies Experian, Transunion, and Equifax to release credit reports. For some of the Harvard community, especially in the student space, this might be new to them, but you are allowed to pull those agencies at least once a year. Good caution--go on to that site; it is available on the FTC one. And do it every 4 months instead, and you are able to keep tabs on who is soliciting requests for your credit card information, or if indeed anybody opens any fraudulent accounts. And--in general--the guidance is to be aware. And I am going to give you a specific example shortly, but that is essentially the meat and potatoes of the discussion. So why this is important right now is during the summer there was a gentleman called Matt Honan--if you are out there thank you very much for being so forthcoming with your information. But what happened with Matt is he worked for Wired Magazine, and some cyberhacktivists went after his Twitter account. And they used some of these resources--some of this public persona that he made available. And they built a map; they knew where to attack and when. So from that they started to slice and dice the information that he made available, and they found that he had a Gmail account. So he was using a less than wise password for his Gmail, and he did not have any multi-factor authentication on it. So they compromised his Gmail; once they had access to his Gmail they saw all these other accounts that he had plugged into his Gmail. 
Indeed, they had access to his whole entire Gmail or Google persona. And--in particular--they started to notice that he had an Amazon account because there were some emails being reported to him. So then they got on to his Amazon, and they got on to his Amazon by just resetting his password because it went to his Gmail. He did not have--he kind of had a domino effect or credential chaining going on here where once they got his Gmail they had the keys to the kingdom. So once they got on to his Amazon--and this was through no fault to these other guys--this was--you know--Matt had not chosen to opt in to these more secure mechanisms that only these people had made available and all of these Internet sources. So once they got on to his Amazon they had access--it didn't show them his credit card, but it showed them the last 4 digits just so he knew what it was; it showed them his shipping address. It showed them some other information that he had done on some orders. And then from that they decided to attack his Apple account. And they social engineered the Apple help desk. Apple should not have done it, but based on this information that they were able to mine from the other 2 accounts. You know--the guy at the help desk probably thought he was being a good citizen--you know--I am being helpful; there is an Apple customer out there that is stranded out there on his own, and I need to help him. But it wasn't the real Apple customer. So they reset his Apple account, and they sent the information to the Gmail. Once the attackers had access to his Apple account Matt had all of his devices tied into his iCloud, and they started issuing perjury sets and wiping everything. Again, he had just his data propagated; he was using iCloud as the synchronization mechanism. So when they deleted it everything went bang. They still had access at this point to his Twitter account which is what they had tried to attack. 
I do not know if they used Maltego or some of these other mechanisms to build out his Internet persona, but--you know--within a matter of course they got access to 4 different identity services before they got to his Twitter, and it cost Matt-- Matt was quite lucky he saw it happen because his kids came to him when the iPad locked itself off. And they said--you know, "Dad, there is something going on with the iPad." And he shut everything down because he noticed it was happening everywhere. And he started calling Apple to see what the hell had just happened. And Apple genuinely thought that there was something going on that iCloud had gone rogue until they figured out-- he actually figured out that they were sending information, and they started calling him the wrong name. Because Apple had on file information that the attacker had subverted. Okay--so that is the kind of information that we use to build this kind of best practice; we use this as part of a whole series of seminars through October--National CyberSecurity Awareness Month. It has been made available to you guys. I'll make sure that I send it out in the Wiki when David makes it available to me as well. But there is advice and guidance in there much more granularly than I am able to summarize in this short amount of time I have available, around what is called, Cloudy with a Chance of Identity Theft: Picking Good User Names and Passwords. Is it ever not social? And the answer is no, it is always social, but you need to be aware of what that means. And it is Taming Lions, Tigers, and Windows which is around hardening operating systems with some of the information we went to today. And the last one was about, Have Device, Will Travel to talk about going mobile with these kind of data sources. So other than that if you have any questions my email address is there, and if anybody in the room has any questions please raise your hand. Other than that, I am going to stop recording. All right. Done. [CS50.TV]