Insight from a privacy and security CEO

Forgot Password

So many accounts, so many passwords. I have several computers, several phones, bank accounts, airline accounts, rental car accounts, brokerage accounts, Wi-Fi network protection and of course various work systems. You may suggest an SSO (single sign-on) strategy. That is a reasonable suggestion but will be a topic for another day. I have most of my passwords “securely” stored but inevitably I lose track of a password.

A lot of systems offer means to recover your password. Most approaches offer little resistance to sophisticated attacks. The most basic is to send, upon your request, a new randomly generated password to your e-mail account. You log in with the randomly generated password and then make a new password. You are back up and going. Or the bad guy is up and going. Just last week I used a system that used this approach. Most people should understand this approach is riddled with vulnerabilities. However, for a system that has minimal personal information that is used once a year this may be OK.

There are also systems that offer another level of protection: challenge response. During enrollment you supply answers to several questions. The questions are usually something about you. This is done by your bank, brokerage accounts, social media sites and various government systems. This approach is only an incremental improvement. The answers to the questions are usually information that is easily researched or guessed. An example question: What is your mother’s maiden name? Pretty easy for a bad person to look in public records and determine the answer. In my case the answer is Hale.

We have implemented an incremental improvement to the basic challenge response strategy that significantly enhances the level of security and requires no more effort by the user.

1) Multiple challenge response questions. The questions are items that you will remember but that cannot be “researched”. Example: What is your favorite saying?
2) You select a subset of the possible questions.
3) All answers are stored, but first go through a “slow” hash algorithm. This is completely transparent to the user.
4) The user can add to the basic challenge response questions by generating their own passphrase.
5) The passphrase also requires an answer. The passphrase answer is also stored after going through a slow hash algorithm.
6) The questions, passphrase and hashed responses are not stored on your local device.
7) If you need to recover your password, you will need to answer the various challenge response questions plus the passphrase, and then the system will prompt you for a new password.
8) All communication occurs through a secure tunnel.
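
A sketch of steps 1 to 7 as server-side logic, added here as an illustration and not IONU's implementation. PBKDF2-HMAC-SHA256 stands in for the unnamed “slow” hash, and the question bank, work factor, function names and sample answers are all assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumptions for this sketch: the page does not name its "slow" hash, so
# PBKDF2-HMAC-SHA256 stands in; the work factor and question bank are invented.
ITERATIONS = 200_000
MIN_QUESTIONS = 2
QUESTION_BANK = (
    "What is your favorite saying?",
    "What nickname did you give your first car?",
    "What phrase did your grandfather always repeat?",
    "What was the title of the first story you wrote?",
)


def normalize(answer):
    """Fold case, Unicode form and spacing so honest retyping still matches."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split()).encode("utf-8")


def slow_hash(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, ITERATIONS)


def enroll(selected, passphrase_prompt, passphrase_answer):
    """Build the server-side record: prompt -> (salt, slow hash), no plaintext."""
    unknown = [q for q in selected if q not in QUESTION_BANK]
    if unknown or len(selected) < MIN_QUESTIONS:
        raise ValueError("pick at least %d questions from the bank" % MIN_QUESTIONS)
    if not normalize(passphrase_answer) or any(not normalize(a) for a in selected.values()):
        raise ValueError("every prompt needs a non-empty answer")
    record = {}
    for prompt, answer in list(selected.items()) + [(passphrase_prompt, passphrase_answer)]:
        salt = os.urandom(16)  # per-answer salt: equal answers hash differently
        record[prompt] = (salt, slow_hash(answer, salt))
    return record


def verify_recovery(record, supplied):
    """True only if every enrolled prompt, passphrase included, is answered correctly."""
    ok = True
    for prompt, (salt, expected) in record.items():
        candidate = slow_hash(supplied.get(prompt, ""), salt)
        # Check every answer and compare in constant time, so the response
        # does not reveal which answer was wrong.
        ok &= hmac.compare_digest(candidate, expected)
    return ok


if __name__ == "__main__":
    # Constructed sample enrollment; none of these values come from the page.
    record = enroll(
        {QUESTION_BANK[0]: "Measure twice, cut once",
         QUESTION_BANK[2]: "Leave it better than you found it"},
        "The thing I said on the pier", "seagulls owe me a sandwich",
    )
    attempt = {
        QUESTION_BANK[0]: "  measure twice, CUT once ",
        QUESTION_BANK[2]: "leave it better than you found it",
        "The thing I said on the pier": "Seagulls owe me a sandwich",
    }
    print("recovery allowed:", verify_recovery(record, attempt))
```

The slow hash raises the cost of each offline guess against a stolen record, which matters only if the answers themselves are hard to research or guess.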

In the absence of this type of system, make up answers that you will remember to the lame, easily determined questions. Example: What is your mother’s maiden name = pizza5equals9cool13dudette17yea

Calling the Kettle Black?


Recently, a number of prominent high-tech companies have joined the growing list of companies upset with the government. It has been reported that the government has been harvesting (collecting) more information from these companies and their customers than they were previously led to believe. I would be upset too! I am also very surprised by these companies’ reactions. The management teams of these companies must not understand the motives and perspectives of the people who operate the NSA. The NSA is collecting as much information as possible from as many sources as possible. The depth of their encroachment into people’s personal lives and personal privacy is no longer a secret. This shouldn’t be news to anyone.

These high tech companies are the big, advertisement-driven companies that many of us come into contact with every day. We are talking about Google, Facebook, Twitter and Yahoo. These are the very companies that collect data from you and make you their product. All of these companies generate significant revenues and profits (which drives their high market capitalization) by delivering targeted advertising to their users based on information they have collected from them. All of these companies have publicly available privacy policies written by very sophisticated legal teams. If you can understand the “legal speak” it tells the consumer what information will be collected and how it will be used. In ALL cases these companies are taking more information than their user communities are aware of and using it in ways not imagined or understood by their customers, which they see and treat as their products.

Has the government overstepped its bounds? Absolutely. Have many companies driven by advertising revenue also overstepped their bounds? Definitely. People who value their privacy must come to accept the fact that products that are “free” come along with both cost and consequence. The cost of using these tools is that people are putting their personal privacy and information at risk. The consequence is the unknown use of people’s personal information for corporate gain. I had to scratch my head. So, it’s OK for these companies to harvest their users’ information for financial gain but then these same companies complain about the NSA harvesting their corporate and customer information under the guise of national security. Seems a little hypocritical to me.

Bottom Line: If you value your privacy, both as an individual and as the employee of a company, you will need to stop engaging with companies that see you as their product and mine your personal information for their financial gain, and move to companies that do not embrace this. If you want to keep your information away from the NSA, you will need to use a set of personal privacy tools created to give individuals the ability to “become Invisible”. At IONU, we provide both.

Why Privacy Matters

For a lot of people, privacy just doesn’t seem to matter. They believe that the details of their lives are inconsequential…that they have nothing to hide. Or, that companies that make “people their products” are not interested in the details of “their lives”. Many still feel that the government will not be collecting their personal information – just the personal information of millions of other people. Most people don’t realize that any personal information can become sensitive information. I am still surprised at how many people do not understand the sophistication of the current data mining and digital surveillance technology being used and how quickly it is advancing.

Maybe that is a good thing for some people, as the more you know the more you become cornered. Ignorance may be bliss, but it is also very risky.
The following is a link to a talk by Alessandro Acquisti who is an Associate Professor of Information Technology at Carnegie Mellon University. He talks about really cool technology and at the same time raises concerns that we should all take to heart.

Data Room

Multiple sources have recently reported that the NSA, on a “representative” day, collects more than 500K address books and buddy lists. Yes, you read that correctly – in one day. This is accomplished with sophisticated technology combined with relationships with foreign telecommunication providers. The NSA is definitely in the relationship business. For the most part, they are looking for bad guys communicating with other bad guys. However, their ability to collect personal contact lists is another example of the level of sophistication that is available to obtain all sorts of electronic information.

The NSA has a huge budget with limited supervision. Companies that generate revenue from targeted advertising (providing ads based on what they know about you) like Google, Facebook, LinkedIn and Yahoo, are equally sophisticated and have large R&D budgets with teams focused on collecting data.

The good news is that people are becoming more aware of the issues that they face with the assault on their personal privacy. The bad news is, most people feel like there is nothing they can really do to stop this. For most people, it seems like a daunting task to protect their privacy. In some cases, it really can be.

Here’s just one example: truly protecting your contact list is not a simple task. It can be exposed if it is not encrypted on the device(s) where it exists. Portions of your contact information are also exposed when you send a message. As you send messages to different people it is possible for someone to piece together bits of information about your contacts based on your messaging patterns and ultimately recreate it. Tracking the people who are sending messages to you can also be used in piecing together your contact list.

Interesting Video
Big Data: NSA Isn’t The Only One Collecting All Your Personal Information

At IONU, we believe that people should be able to experience the benefits of the connected world without having to continually worry about their personal information being collected. They should be able to do this without having to become a security expert in order to feel safe. Individuals need solutions that will significantly mitigate these exposures. That is what we create.
Stay tuned.

On the way home last night I was listening to the radio. I heard an alarming report. It has been uncovered that in the source code of the HealthCare.gov website, it clearly states, “you [a participant in the Health Care Marketplace] have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system.” Additionally, it goes on to point out, “At any time, and for any lawful Government purpose, the government may monitor, intercept, and search and seize any communication or data transiting or stored on this information system.”

I decided to do a Google search and found an article that supported what was being said on the radio. I learned that security experts agree that these disclaimers were put in place due to the fact that the HealthCare.gov website is not making any guarantees toward being able to protect people from identity theft.


This is pretty ironic as there are regulatory standards in place, like HIPAA and HITECH, to protect the personal information of individuals within the health care system. Granted, HealthCare.gov is just a portal for collecting the information of people that want to enroll in the Health Care Marketplace, but it is concerning that they are making a point of saying that you should have no expectations that your personal information will be kept private or safe. The Health and Human Services Department has released a statement: “When consumers fill out their online Marketplace applications, they can trust that the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure.”

Whether or not any of the personal information on the site is going to be protected is up to any individual who uses the site to decide. This is just another example of the protection of people’s personal privacy and information being at risk. Would you sign up with a doctor who told you that you would need to have no reasonable expectation of privacy regarding any communication or data stored within their information system? I wouldn’t.

We All Work for Google

I woke up this morning and realized that I now work for Google. Guess what, you do too! I hear Google is a great place to work but I don’t want to work for Google. And, I surely don’t want to be a pitchman for them. Google announced their plans to now use people’s profiles, pictures and comments that are posted in the various Google tools to endorse products and services. Your picture could end up in the inbox of someone you don’t even know to help them increase their ad revenue. They even came up with a very “Politically Correct” name for the new program, “Shared Endorsements”.

This trend of companies making their users and their data “their product” is really concerning to me. Based on the premise that consumers are more apt to purchase a product or service that someone else has endorsed, and fueled by Google’s relentless focus on making their corporate profitability more important than people’s privacy, they are continuing to follow in the government’s footsteps and overreach into people’s lives. This is another shot across the bow of our digital privacy! It can expose people to personal consequences that they never signed up for. For example, what happens if people saw the below ad? My friends know that I like to get out for a round of golf. I like to use Titleist clubs. Do I need to see something like this show up in people’s inboxes or across their browser so that Google can make more money? NO!

Endorsements

If you are like me, every time you tune into the news, listen to the radio or scan an article online these days you will hear something about the government shutdown. We can’t seem to escape it, which is good as this is a serious issue. The shutdown bantering has even found its way into the late night shows’ entertainment focus.

“The Tonight Show’s” Jay Leno asked his audience who was worried about the government shutdown, then asked how many people were more worried about it starting up again. “I am glad the government is shut down,” he added. “For the first time in years it’s safe to talk on the phone and send emails without anybody listening in!”

Although this was meant to be funny, it also points out something that is really important. As the government made choices about what “essential” agencies would remain open and what “non-essential” personnel would be put on furlough there were some civilian NSA employees placed on furlough but the charter of the NSA was left unchanged. While it appears that the NSA will remain largely functional during the shutdown, the inquiry into the agency’s spying activities will not. Maybe that was considered “non-essential”?


From a National Security perspective this is a good thing. But we all know the NSA is also spying on people who are no threat at all to our National Security or checking up on the behaviors of their love interests. This made me stop and think, “how essential does the government really feel our personal privacy really is?” Regardless of the decisions tied to the shutdown, by taking no action towards stopping the overreaching of the NSA into the lives of American Citizens, the message that is being sent is that our government currently feels that our personal privacy is “non-essential”. Shutdown or no shutdown, we all need to take personal responsibility to protect ourselves! I don’t know about you…but I surely do not feel that my personal privacy is “non-essential”.

So while it appears that the NSA will remain largely functional during the shutdown, the inquiry into the agency’s spying activities will not.

Ease of Deployment is the Key

I got up Sunday morning and after a brief bike ride looked at the local Sunday paper. An article on the front page caught my eye. The title of the article was “Few options available for those concerned about NSA intrusions”. The article referenced experts who state that, with the capabilities and policies of the NSA, consumers have few choices, we are more exposed to criminal hackers, sophisticated users who take precautions are still exposed and most people are essentially powerless. The efforts of the NSA have weakened our security, exposing us to criminals and foreign governments. Since we cannot determine the vulnerabilities, there are few steps we can take to ensure our privacy is not compromised. This is indeed a bleak picture.

However, the article did not sufficiently explore the real situation. There are steps sophisticated users can take. Consumers can encrypt their local drive. They can take measures to ensure personal communication is done with some sort of encryption technology. You should also use commercially available anti-virus and anti-malware solutions. Consumers should be smart when accessing network information. Do not expose personal information on social media sites. For a lot of people this will protect your personal information. However, it is a pain in the ass. It is a lot of work and you need to regularly update your security technology.

For the longest time the security business has not listened to the user community. Security is just too hard. What the user community needs is a solution that raises the security bar and at the same time significantly reduces the complexity of deployment and day to day use. Stay tuned….


Privacy and the Frog

The activities of Edward Snowden and the NSA have re-energized the long standing debate regarding personal privacy protections and government authority. In the US this has been a debate since the founding of our nation. To what extent can government gather personal information as part of some government sponsored activity? Should the activity be clandestine? Who should review? What communications should be considered “off-limits”? It is a complex topic with many nuances and significant implications.

Americans are very fortunate. We have the opportunity to have this debate. Many countries have strict policies against this type of discussion. We live in an environment where most (notice most and not all) citizens feel free expressing their opinion with little concern of repercussion. The environment exists because of the insight of the founding fathers. Their perspective has legally persisted through many generations. We should all be grateful.


I have discussed privacy with a broad set of individuals. The opinions vary but I do hear one recurring perspective. A minority but still a significant number of people feel their individual privacy is not an issue. These people feel the government or some other powerful organization will have no interest in their personal information. Privacy issues are a concern for other people. This is a dangerous perspective. It reminds me of the boiling frog anecdote. There are law abiding citizens that have been targeted and lost almost everything most of us would consider private information. At some point in time anyone could find themselves in this situation where their expressed opinions are different and negatively impact those in power. Incremental loss of privacy is hard to see but with current trends it will eventually evaporate along with many aspects of our democratic society. Do not end up like the frog.

The NSA and Football


Professional football is off and running. A good start for one of the local teams and as expected a loss for the other team. Football has a lot of nuance but it really comes down to offense, defense and special teams. You have the leadership team developing a game plan (strategy) and motivating the players to execute the strategy at extremely high levels. You also have the rules of the game which bound the players to a certain code of conduct. Anyone who has played football or is a reasonably informed fan knows each and every player will do what it takes to win the game, which includes pushing the bounds of the rules. Some players push the bounds more aggressively than others. Think Joe Montana compared with Conrad Dobler. There is a fine art to bending the rules and not getting caught by an official. For example, on almost any pass play the defensive player holds the receiver. In the case where players are caught the team is given a penalty. The severity of the punishment is commensurate with the severity of the penalty (off sides versus roughing the kicker).

Many people do not realize this is very similar to the NSA. The NSA has offense, defense, special teams and a management team setting the directions and motivating the employees to execute. It is part of the charter of the NSA that we have the absolute best technology to effectively and securely communicate around the world. You can view this as the NSA defense. Very few people would argue with this critical function. Additionally, the NSA aggressively collects and analyzes information. Very few people would argue with the benefits of being able to listen to a cell phone conversation of a bad guy in the state of a recognized foreign adversary. This is the NSA offense.

The NSA also has rules of engagement. Similar to football the players (in this case including the management) do everything they can do to win the game by stretching the rules and as long as they do not get caught everything is good. People just need to realize the officials are lined up to support the NSA and not administer penalties. Occasionally the NSA will be caught off sides here but certainly not a roughing the kicker or intentionally grounded. Getting a new set of officials is unlikely. Therefore, to protect your own privacy you will need to change the game.