Password Vault: Success!

I can’t believe it has been two years since I signed up for my password vault, but there it was in my mailbox… the reminder that it is time to renew my ‘premium’ service with my password vault service.  I did it gladly, giving over my credit card information.

Why premium, you ask?  Well, for one, I appreciate the ability to use my Yubikey to authenticate.  Multi-Factor Authentication (MFA) is extremely important in this day and age, especially when it comes to password safety.  As I wrote in this article, it took me a very long time to start trusting password management tools, and I did not want to trust my passwords to a simple… well, password.

With that said, there is something psychological to my decision as well.  I know it is wrong, but there is something in my mind that makes me distrust – or at least, not completely trust – any company that is giving me a service completely for free.  Maybe I am wrong, but I feel that if it is free, I have no right to complain.  Paying that yearly fee – even though it is only $1 per month – makes me feel that the company is accountable to me, and that if something goes wrong, I can pick up the phone and complain.

Am I right about this? I do know that when I had a problem with my Microsoft Account a few months ago (See article), it took me 107 days to get the problem resolved.  In fact, it took me the better part of a month to find anyone at Microsoft who would even take me seriously.  And really, what could I do?  Their reputation may be damaged in some small way for those people who read the article, but I cannot sue them.  I can yell and scream and curse and jump up and down, but because it is a free service, I can’t do anything else.

I don’t think I have had a single problem with my password vault, other than, for some reason, it thinks all of my computers are called Windows Chrome.  Other than that, all is good.  So I’ll keep using it, and for the extremely nominal fee, I will, for the next year, once more feel the false sense of security that, should something go wrong, I have the right to complain.

…and if you didn’t pay, you might not!


A Big, HUGE Microsoft Security FAIL.

(NOTE: This article was written December 7, 2016. Not one word has been changed since that date.  To understand why it can only now be published, read the article on this site called 107 Days: A Microsoft Security Nightmare. -MDG)

For reasons that will become obvious, I am going to delay posting this article until the issue has been resolved.

A few days ago a colleague of mine discovered the password to my Microsoft Account.  I won’t go into the how and why… I knew that my password had been compromised and I took the immediate steps to change it.


Ok, I understand that things break… I tried a few times, and then I decided to follow the advice and try later.  I trust my colleague not to actually use my password, so even though I felt uncomfortable with it being compromised, I knew I could wait a couple of hours.

Throughout the evening I tried (unsuccessfully) to change my password.  As I was sitting with my father having dinner, as I had drinks and cigars with my friends… no joy, I still got the same message.  ‘There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later.’

I want to be clear… if my network had an error that was preventing users from changing their passwords I would consider it reasonably important, and I would take immediate steps to fix it.  But having trusted Microsoft for so many years, I assumed this would be fixed eventually.

Four Days Passed.

Yes, it was literally four days before I decided that my passivity would not eventually lead to a solution.  I sat down and figured out how to request support. I was hoping to be able to speak with a human being.  Before I could, however, the Virtual Support Assistant got me to try this link and that link.  It then made me go through seventeen steps to finally confirm that the account in question was mine… and once it confirmed that I really am me, it tried to reset my password… and I ended up with the same error message: ‘There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later.’

Okay, it’s been nearly an hour… and I am chatting with someone who is quite obviously not their first round draft pick.  After all, I asked for help with Outlook.com, not with something that people actually pay for.  I spent twenty minutes explaining to him the situation, and the added (and I assume rare) complication that I have two accounts with the same address… my Office 365 account and my Microsoft Account are both the same address that are completely different.  ‘Please don’t touch my Office 365 Account, I only want to change my Microsoft Account.’  This led to another five minute discussion on the meaning of the word change.

He had me fill out another form on-line.  I did.  At the end of that form I got a message that said that the product team would contact me within 24-48 hours to help me.  I told the Support Agent that I had filled out the form.  He told me that now I had to wait until they contacted me.

All in all, my Microsoft Account (which is the account I use for my MCT & MCP Benefits, Skype, and myriad other features) will have been compromised for the better part of a week… and there was nothing I could do about it.  Yes, I could have contacted Answer Desk a few days earlier, so it would have been compromised for only three days.  I want to know in what world that is considered an acceptable delay for changing a compromised password.

Some time ago I started using Multi-Factor Authentication (MFA) for many of my most important systems, which is why I am never concerned that my blog or my password vault could be compromised.  For various systems I have a hard key (Yubikey) and soft keys (Google Authenticator and Microsoft Authenticator) which keep most of what I do safe.  But most of the Microsoft systems do not support MFA and I am stuck with only a password.  I use reasonably complex passwords so I usually am not concerned, but in a case where my password is compromised and I am not able to change it, I wonder how it is that a company as advanced as Microsoft (in this case) does not allow me to use MFA.  I would love to be able to require my Yubikey in order to log in to Windows and many of the on-line systems I use, but it is simply not an option.

I am disappointed by Microsoft this week… and I hope that they take the lessons learned from this experience to improve.  However I sit here today, thinking of the myriad occasions I stood on stage in over a dozen countries on five continents and defended Microsoft’s security systems as among the best in the world; I was always sure in my knowledge that I spoke the truth.  Today I would not feel comfortable making that claim… and my faith in their systems, like shattered glass, will not be easily fixed.

107 Days: A Microsoft Security Nightmare

I have held off talking about something for quite some time.  I do not mess around when it comes to security, especially for my critical accounts. When the actual security of an account has been compromised, as was the case with my Microsoft Account, I do not advertise it. 

On December 7th I sat in the Second Cup cafe on Bank Street in Ottawa and wrote an article called A Big, HUGE Microsoft Security FAIL.  I wrote about how I had been unable to change my password and that their engine to do so was broken, but that it turned out it was not everyone, it was just me.

There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later.

It took several days for anyone at Microsoft to take me seriously, but my issue was finally escalated to a 2nd Level Support Tech named Gary (who, I want to be clear, was a nice guy, and as helpful as he could be under the circumstances).  Gary and I got to know each other sometime in mid-December.  Remember, the issue started happening the last days of November, I reported it on December 5th, and the case was escalated (grudgingly) around December 9th.

Gary spent a couple of hours trying to help, and then in discussions with the Product Engineering Team trying to get it fixed.  By the end of the day he said something to the effect of: “Yeah, neither I nor our engineers have ever seen a problem like this.  It might take some time, but if you are willing we will work with you to get it fixed.”

Some time… It might take some time… that was on or about December 9th.

I am happy to say that the problem has now been resolved… As I sit and write this, with the resolution less than an hour old, it is 1:15pm, Wednesday March 22.

I spent nearly a decade touting the virtues of Microsoft’s security… and then from the day I informed them that my password had been compromised, and that a glitch in their system was preventing me from changing it, it took 107 days to resolve the issue.

So let’s take a quick rundown of some of the sites and services that are accessed with my Microsoft Account:

  • Skype (One of the ways I communicate with hundreds of people)
  • OneDrive (All of my files!)
  • Microsoft Certified Trainer (MCT) account (including my MCT renewal, courseware downloads)
  • Microsoft Certified Professional (including my MCP Transcripts)
  • MSDN Subscription (including all my software licenses and keys)
  • Windows Store (including credit card information)
  • Microsoft Volume License Center (VLC)
  • Microsoft Store (including credit card information)
  • Bing
  • Microsoft Partner Portal
  • MSN
  • Outlook/Hotmail
  • MY WINDOWS COMPUTERS

And so, you can see, this is not like having my Words With Friends account compromised… This is extremely serious and far-reaching.  This was… everything.

Once a week I would get an e-mail from Gary telling me that they had not yet resolved the issue… but they were still working on it, and he would continue to keep me informed.

(Image: Proof Of Hack 2)

On March 6th a hacker compromised my Skype account, and sent a link to dozens of my contacts with malicious content.  Naturally those contacts let me know, and I reached out to Gary and told him that now that hackers had indeed compromised my account, they needed to resolve the issue and pronto.  Gary replied with: “I have taken a look into your account, to look for any evidence of unauthorized access, and I did not see any. Was any account info changed? Can you still login?”

a few days later that he had not been able to open the embedded picture, and asked that I resend it as an attachment.  Thank Heavens for that, because had he taken the next step immediately I would not have been able to renew my Microsoft Certified Trainer (MCT) credential in time.

So when Gary did finally get the picture (as seen above) he wrote (on March 18th):

If you received that message, then it could be that someone attempted to access the account.

To prevent that, I have placed a suspension on the account that will prevent any login activity. While my engineering team investigates this issue, no one will be able to break into the account. I have also left a note on the account so that the attacker will not be able to attempt to remove it.

Wonderful.  You are suspending my account now, probably after the damage has been done, but all this is doing is punishing me.  FIX THE DAMNED PROBLEM!

On the same day as I received this e-mail I wrote the following one line response:

Gary this is no longer acceptable. I am calling a lawyer.

On Tuesday (March 21) I received Gary’s reply:

In light of this recent reply, I have escalated this issue to a second team within Microsoft, and am awaiting to hear their response.

I understand the frustration, but please know that I cannot do anything to speed up the engineers and Ops teams working on this issue.

Wouldn’t you know it… The following day (that’s today, Wednesday March 22, 2017 – 107 days after I first reported the issue) I received a call from Gary that started with:

Well Mitch, it seems that when you threaten to call a lawyer things get done faster.  I think we have solved your problem.

Indeed, before the phone call ended I had successfully changed my password.

One hundred and seven days after I first reported the problem.

One hundred and seven days since I told Microsoft there was a problem with their security.

One hundred and seven days since I told Microsoft that my account had been compromised, that someone had my password, and that I needed their help to secure my data and reputation.

One hundred and seven days.  Actually it was only 105 days since I wrote the original article (which will be published shortly after this one, untouched since the original writing).

So why didn’t I publish sooner?

There are a handful… maybe four or five people who know the story and who understand some of my frustrations with this case.  These are also people who know I have a great bully pulpit in the form of this blog.  They have all asked me ‘Why didn’t you publish sooner?’  Two of them asked why I did not go to the mainstream technology media to let them know about this.

Simple… I have an account that is easy enough to guess, to which I could not change the password.  If the wrong people knew about that they would have focused on getting that password and, once they had it, they knew I couldn’t change it.  They would have literally owned me. 

And so I sat quietly, seemingly patiently, waiting for Microsoft to fix the problem.  I waited those 107 days knowing that when it was finally resolved I would a) breathe a big, huge sigh of relief, and b) sit down and write this piece, venting my facts and frustrations.

MICROSOFT! HOW DARE YOU? How can you let ANY problem, let alone one as serious as this, fester for so long unresolved?  Do you think you owe me nothing?  At this point I am still considering a lawsuit, and if you don’t think damaging my reputation and peace of mind is worth damages in a court of law then you are seriously misreading the system.  You should be ashamed of yourselves, and you should be tracking down who is responsible for this travesty, this shame, and firing them.

I got that off my chest.  I have, over the past two weeks, asked friends and colleagues for recommendations on lawyers.  I might just reach out to one this afternoon.  We’ll see.

Covering Your Tracks: Not so easy when walking in the Cloud!

I got a panicked phone call from a client a few weeks ago.

Mitch, we fired one of our sales people last month, and we just discovered that she stole all of our client information, and covered their tracks by completely wiping their Outlook clean.  We need that information back.  Is there anything we can do?

Firstly, I have told you over and over again… when you are planning on letting an employee go, do so with some planning.  Collaborate with your IT department and HR, so that when they are called into your office for that uncomfortable conversation, all of their passwords are changed.

(And no, it won’t do to change all of their passwords and wait for them to come to ask why…)

You may be letting the employee go for any reason, but all that employee knows is that they no longer have a job, and they have to find ways to protect their future.  While it is illegal and dishonest, some of them may think that taking your corporate secrets – client files, leads, whatever – is an investment that is rightly theirs.  After all, they helped bring in those clients, right?  Wrong… They were paid for what they did.

The days when you could simply fire someone and have them escorted out of the office and be done with it are over; most employees (and former employees, if you allow it!) can access their data – your data – from anywhere, and are probably carrying a smart phone in their pocket so they can do it while they are waiting for the elevator.

Of course, there are ways to protect your data so they cannot easily steal or destroy it, but why take the chance?  Disable their accounts before they have the opportunity to be tempted.

The answer, by the way, is yes… I was able to recover all of the deleted Outlook data by going into the Exchange administration of their Office 365 account.  It cost them a few hundred dollars for my time, and it was a good lesson learned.  However, what I cannot get back for them – and no technical expert can – is the proprietary information that the dismissed employee took and used to secure their next job with the competition.  That will require attorneys, and you can only hope that in your jurisdiction the law favours the employer and not the dismissed employee.

Higher Security: How’s it going a month in?

A few weeks ago I wrote about how I started using a password vault.  Some of my keener observers noted that I did not mention which one I chose, and that was not an oversight.  I am not an expert in the technology, and unlike many of the products and solutions I have reviewed over the years, usability is not the primary factor in selecting a password vault, and I am not qualified to evaluate how well any of them secure your passwords.  However with regard to usability, I would like to talk about some changes I have made in how I work, and how it has affected me.

1) Completely Randomized Passwords

Over the course of my time in IT I have heard myriad complaints from users who did not like having to remember complex passwords, and liked even less having to change them every so often.  I gave them a lot of advice of how to choose and remember and cycle their passwords, but no matter how hard I tried, yellow sticky-notes (yes they come in other colours too) remain the biggest enemy of IT security.

I have used a lot of different passwords over the past fifteen years, but it is rare that I forget one.  Why?  Because there are probably a dozen ‘series’ of passwords that I have used at any given point.  I won’t give any of them away (there is probably some obscure site that I have not logged into in a decade that still has my account with one of these old passwords, and somebody would figure it out).  But let’s make up an obscure and completely fictitious password that I could have used:

Four Score and Seven Years Ago, Our Fathers…

The opening words of the Gettysburg Address.  It is easy enough to remember… nine words.  If I were to take the first letter of each word, and change numbers and booleans into their characters, we would have 4S&7yaof.  Upper case, lower case, numbers, and characters.  More than eight characters.  I just created a password that would pass almost every minimum password requirement algorithm.  I would then use that as a password for a dozen sites and applications.  Of course, some algorithms insist on starting with a letter, so Fs&7yaof would be similar but completely different.  We’re happy.

As I have mentioned before, I maintain a text file of most of the sites I have credentials for, and every few months I go through them all and change my passwords.  It takes time and effort, but I have done it.  Fortunately, I have always had pretty simple passwords (for me) to remember… because I knew the context.  Password Hint? GETTYSBURG.

Now that I am using the password vault, it has a tool that helps me to create long, complex, random passwords that would be completely impossible for someone like me to memorize.  However I wouldn’t have to memorize them, because the vault app enters it for me when I need it.  So:

Hello1 = BAD

Passw0rd = BAD

Fs&7yaof = Good

L9Gya$(aWPl47+~R2t7*^1> = EXCELLENT!

With passwords like these (and a management app that helps me create, remember, and every few months change them), combined with the fact that every site has a completely different, nearly impossible to remember password, I can sleep better at night knowing that my identity is secure.

The problem is: how am I securing the password vault?  Well, that has a couple of answers.  Two factor authentication for sure, but that would be different on my phone and on my computer.

2) Multi-Factor Authentication

When I am accessing the vault on my computer, I have to enter my password, and then two-factor authenticate using my Yubikey.  On my iPhone I have to a) log on to the phone using either a password or a fingerprint, b) log in to the application using a different password.  It is not ideal, but it is better than nothing… and for my needs, it is just fine.

There are some sites that I use (such as WordPress for my blog) that interact with applications and support Multi-Factor Authentication (MFA).  The process for these sites is a bit different:

1) The password vault application (or WordPress) generates a ridiculously long and complex password, and stores it in the vault.

2) The site allows me to create ‘application passwords’ which are for individual applications (and different installations of the same application), which the applications can store.

3) The WordPress app is installed on my phone.  When I try to authenticate using either the web or an application, WordPress sends a code to the app on my phone, which asks me if I tried to log on (and from where).  I can either Accept, which will allow the logon to proceed, or Reject, which will block the logon.

Other sites, such as Microsoft ID protected sites, allow me to either remember my password or have my password vault application enter the un-rememberable password for me; alternatively, the site will generate a one-time code, send it to my phone by SMS message, and let me log on with that code.

A few sites and applications, which include my corporate VPN and my health insurance website (not to mention my password vault application), allow me to authenticate using a token, a device that I plug into my computer and then press a button.  The device then sends a code to the computer, and authenticates.  I will not go into the back-end of this, but it is quite secure from what I understand… as long as it doesn’t get stolen.  Of course, for most of the sites that I use it for the Yubikey only works when used in conjunction with a password.

3) Oops…

I hope by now I am beyond the ‘forgetting my cell phone’ syndrome… after all, I have been carrying one for the better part of two decades, and knowing that the replacement value of my phone is nearly $1,000 I do my best to have it on me at all times.  But what about the Yubikey?  I am relatively new to carrying it around, and it is absolutely tiny… about the size of my thumbnail.  I have it attached to a little charm that I was given at a bar in Shinagawa (Tokyo).  The two combined might weigh a few grams… and I am extremely hopeful that it is more durable than it looks.  However here’s the thing… I carry a lot of things in my pockets, and because of that I will, on occasion, take things out that do not have to be there… including on the weekends my card access key for the office, and yes – my Yubikey.  Only, there are days (and not a few of them) when I forget my key card at home… and as such, I will often also forget my Yubikey.  Fortunately my company still has a secondary VPN that I can use, and as for other sites that require it… well, let’s just say that most of them are not required for me to perform my job.

Oh wait… my password vault requires it.  So I had better hope that during the course of my day without my Yubikey I don’t need to access too many sites, because while I can get the passwords off my phone, typing in passwords that look like this:  L9Gya$(aWPl47+~R2t7*^1> can be a pain.

4) When all else fails…

I actually had to do this more often when I was using my old password methodology than my new one.  Most sites have those helpful ‘Forgot my password’ buttons that will, after asking you a couple of questions, send you a link to reset your password.  I used it a lot before, but admit that the only time I used it recently was with my health insurance company… where the password hint was useless, and the ‘Forgot my password’ button told me to call so that they could delete my account and then I could recreate it.  Thanks, I’ll wait until I pick my Yubikey up off the night stand.

Conclusion

I wasn’t entirely sure what to expect, but I was hoping the transition to the password vault (and scores of completely different and un-rememberable passwords) would not be too painful.  I was not disappointed.  I did have to log on to some sites and manually change the passwords, but for others the vault’s app did it for me.  I haven’t been locked out of anywhere (YET), and to the best of my knowledge nobody has logged on anywhere as me because they have compromised my data.

The Multi-Factor Authentication (MFA) is great as long as I have my devices with me… and my phone’s battery isn’t dead.  Fortunately some of the sites that use it have alternate methods (e-mail me a code?), and also fortunately my phone is usually pretty well charged; otherwise I bring a portable charger with me.

Does this new methodology benefit me?  Let’s be honest… the world has changed.  Twenty years ago I was afraid someone would steal my house keys and would then break into my house and steal my stuff.  Today with alarms and cameras that threat is nearly obsolete, but the threat of losing our data and banking information and credibility to hackers is very real, and being able to take steps to prevent it… well, it’s a small price to pay.

Why You Need a Personal Computer If You Have A Corporate Computer

Last week, without paying attention, I scheduled this article to publish Monday morning, not realizing that in North America we would be celebrating Labour Day.  Almost none of my readers were in the office, and many (including myself) were relaxing by a beach somewhere.  As I expect the article was largely overlooked in favour of late mornings and lazy afternoons, I decided to re-schedule it for this slot.  Enjoy the article! -MDG

You have a job that gives you a computer.  Maybe it’s even a laptop that they let you take home with you.  It is probably better than the old computer that you’ve been using… and maybe there isn’t even a policy at work about using your corporate computer for reasonable personal use.  Cool, right?  You can let your old computer at home gather dust and use the company’s computer for everything.

This is a really bad idea.

If you work for a company like any of the ones that I have managed then you have worked with some pretty scrupulous (i.e.: HONEST) IT Professionals.  However like every other profession, there are a lot of bad apples out there.  Here is a scenario that I hope will haunt you… or at least scare you into segregating your personal computer tasks from your corporate laptop.

The Setup

In my last article (Passwords: Beware) I wrote about some of the dangers of passwords, and especially of using catch-all passwords… in other words, the same password for many sites.  Here’s how an unscrupulous IT admin can make all of that irrelevant.

The story:

You get your shiny new laptop from work.  You use it for business… but you also use it to pay your bills, do on-line banking, connect to Facebook, and any of a thousand other tasks you do during the course of a normal week.

‘Don’t worry… your computer is secured with an Active Directory password which we forced you to make complex, and we cannot see your password or log in as you.  Of course, we could change your password… but you would know that pretty quickly the next time you tried to log on to your system and your password didn’t work.’

In most cases this statement is true… and let’s assume for the time being that it is absolute (whether it is or not).

Times are tough all over, and you have not been selling as well as you were expected to.  You are dreading that call into the boss’ office, but as you are preparing to leave the office on Friday you get the call.  ‘Please come see me for a minute.’  You lock your computer (as you have always been taught), and walk over to his office.

Of course, s/he might tell you to finish out the month, but usually this conversation officially ends your employment.  You go back to your desk to clear out your personal belongings, but if you do try to log in to your computer you will discover that your account has been locked out.

What happens next?

An honest IT Admin will back up your data, then wipe your profile and prepare the computer to be given to your replacement.

A dishonest IT Admin will change your password to something that he or she knows.  He will log on as you (and remember, he doesn’t have to sit at your old desk out in the open to do this – he can do it quietly from the comfort of his cubicle).  He will install password recovery software (maybe the one he used to help you when you forgot your e-mail password last month).  In seconds he will have a list of every website that you have visited, your username, and your password.

It won’t take long for him to order a new credit card in your name… and maybe buy some goodies on eBay with your PayPal account.  I don’t know what else he might do, I am not that kind of guy.  But I have met people who were… and they scared me straight.

So what happens now?

Any website that is business-related won’t matter… once you have left the company they have a right to whatever data you would glean from them anyways.  If the IT Admin does anything on those sites with your credentials it will be easy to prove – ‘Hey, I was let go at 3:45pm on Friday the 13th, and that malicious post was written from my corporate laptop on Tuesday the 17th… four days after the laptop was taken from me.’

Anything that’s personal… well my friend, you should not have been using your business laptop to do your eBay shopping, or your on-line banking.  You could file a criminal complaint and you might get your money back… but by the time the cops come to investigate (and they will almost certainly never do that) the dishonest but not stupid IT Admin will have wiped the laptop clean and there will be no record of wrongdoing.

So what do I do?

Once you are in the position you are already too late; what you need to do is separate business from pleasure at the very beginning.  If you are already using your company computer for personal use then a) stop now, and b) from a personal computer change all of your on-line passwords now.

But would he really…?

I don’t know your IT Admin… Maybe he’s a good guy (or a good girl) who would never do anything like this.  But why put yourself at risk?  Take the temptation away from him or her and just don’t use your corporate computer for personal activities.

…Or you can take the risk, and then find out how frustrating it is to have to cancel credit cards and swear affidavits that the offending transactions were not yours in the faint hope that your bank will reverse the charges.

Passwords: Beware

I held out as long as I could; I have never used a password vault, thinking that I could remember all of my passwords for several dozen sites and applications without having to trust them to any third party.

Of course, many of the passwords I used were reused a few times, and oftentimes I would have to ask a site to remind me of what my password was.  I finally broke down and said okay, I was going to do it.

I signed up for the site that a trusted friend recommended; I even spent the $12 to get the premium service (mostly so that I could use multi-factor authentication with my Yubikey).  I then downloaded the app to my laptop.  I installed the app…

…and what happened next scared the wits out of me.

I should mention that I knew this was the case; I have in the past used tools to discover passwords on people’s computers (and on mine when I forgot them).  So why was I surprised when the password app showed me a list of every site I have ever visited from this computer, with a button that said ‘Click here to display passwords’??

Yes, it is true.  Unless you take special preventive measures, your computer saves every password you ever use; they are hardly even secured – this program did not take hours or even minutes to list them off, they were readily viewable in under ten seconds… including the passwords for my online banking.

How could this be?  It’s simple… passwords suck.  They are probably the best option that most of us have available to us, but they really do suck.  Multi-Factor Authentication (MFA) solutions like a Yubikey or a smartphone authenticator app are much better, but they have problems of their own: firstly, they require you to have a device, and secondly, they require the site (or application) that you are connecting to to support their tool.  So if you are connecting to YouTube (which is a Google site) you can use Google MFA; however if you are logging on to some random site where you participate in forums, there is a good chance that this will not be available to you, and you will have to use old fashioned passwords (see article).

The problem with passwords isn’t that they are hard to use, it is that most people do not use them correctly.  That is a pretty broad statement, but if you are honest with yourself, how many passwords do you use that are over 90 days old?  How many of your passwords are repeated across sites?  Some password vault tools will let you run a test across all of the sites in the vault, and it is a cold splash of water in the face to run one of these tests and get a 32% score (yes, I am as guilty of many of these behaviours as everyone else).

For years I said the worst enemy of IT security was yellow sticky notes, and they still are.  However it has gotten so much worse than ever, because every site wants complex passwords, and to get around the complexity rules people are using things like DogName1, then DogName2, and so on.  I see stickers like the one shown more often than I care to say.  The more often we have to change a password, the worse the situation will be.  The problem grows exponentially when we have more sites forcing us to do the same thing.  So if we have to change a password on ten different sites every ninety days, we are exponentially more likely to pick the same passwords, or derivatives thereof.

But is it reasonable to expect everyone to pick completely random, un-guessable passwords?  Is *880638Z7965 a good, completely secure password?  Probably not.  For one thing, it is going to be impossible for us mere mortals to remember, and so we are going to write them down; for another, if someone gets access to your computer (or smartphone, or any device that you use to log onto whatever site you are trying to keep secure).  Remember… if the Password Vault software can determine what your passwords are, so can the hackers.

I recently sent out an e-mail called The Ways of Small Business IT in which I highlighted some of the perils of a small business IT environment; one of the issues I highlighted was users leaving their unlocked workstations unattended.  There are much more dire (and scarier) consequences to this behaviour than having your local information stolen.  Simple programs installed from a USB key can reveal and steal every password you have ever used on the workstation – business, pleasure, banking, personal, dating sites… everything.  So the miscreant would not have to sit at your computer for very long to own you – all they have to do is sit down for a minute and then walk away with all of your sites, usernames, and passwords.  Then at their leisure they can access your life from wherever they want.

Scary?  Yes.  Preventable?  Of course.  A user who locks their computer when they walk away has taken great steps to prevent this attack.  But what happens if the miscreant did not target your computer?  What if they target a site where you use your catch-all password?  Well it shouldn’t be a problem because that site will shut itself down until it has fixed its own security holes, right?

WRONG.  The scary phrase in that last sentence is catch-all password.  Here’s what I mean, and for the moment we are going to use the example of a site that we know to have been recently hacked.

Yeah I know you didn’t have an account, and you are completely faithful to your partner, but for the sake of the example, the user list on AshleyMadison.com is compromised.  They have your credit card information, but that’s okay because your credit card is insured; they have your name and dating preferences, and that’s a damned shame… but there are fourteen million other men (and seventeen other women) who are in the same boat as you. It’s in the media and it’s ugly, and you are spending half of your time fighting with your partner that someone had used your credit card (and name, and picture, and your sexual preferences) to create their own profile on the site, and the other half of the time speculating about who else was on it, and… you know, doing whatever else you do during the day.

What you do not spend any time doing is changing the password on YourBank.com, YourTradingCompany.com, YourOtherServices.com, and so on.  It doesn’t matter that you had been using the same password on those sites as you did on AshleyMadison.com, because… well, in truth you just never gave it much thought, and isn’t it just so much easier to use the same password everywhere so you don’t forget?

Now the bad guys have your password… and believe me, it isn’t tough to guess your username for all of those sites… especially since you also used the same password for your e-mail account, so what they can’t easily figure out they can easily ask all of the other businesses to resend it and the businesses will do it because the hackers asked from your e-mail account.

Is there a good solution?  For businesses there are several… multi-factor authentication, soft tokens, and so on.  For individuals?  Well, there’s vigilance… and listening to people like me when we tell you not to use the same passwords, and not to write them down, and to change them frequently.

In my next article I am going to use a lot of the tools I discussed in this piece to demonstrate why your work laptop should only be used for your work resources.

Sharing Passwords

This is NOT an article about my mother.  She just happens to be the person at the other end of this conversation, but it could have been any house guest.

My mother has been staying with me for the past few days.  It is the first time she has stayed with me, and it has been a learning experience for both of us.

One of the things that she had to get used to was that my TV is not set up in any useable way to anyone but me.  I know, it’s a pain in the ass, but I live alone, and under normal circumstances the only person (other than me) who would ever use the TV is my son… and he is just as happy to let me log in for him.

I promise, someday I will get around to making the system more useable, but it’s just not a priority.

So this morning I had one foot out the door when my mother asked me ‘Oh… if I want to watch TV, how do I do it?’  The simple answer is… You don’t.  Okay, you have an iPad, you can watch Netflix.

‘But why can’t you just show me how to use your TV?’

Well there are a couple of reasons for that, but the one I opted to go with was that I would have had to give her my password, which was my primary password for everything on my network.  I could have gone with ‘I don’t have the time,’ or ‘I’m sorry, but the media device is very finicky and you would be calling me all day to ask questions,’ or ‘I don’t want you surfing my porn collection.’  No, I went with the password.

‘Oh, really… like I would use your password for anything other than watching TV.  Really, I don’t even know how to use your computer!’

There are a lot of arguments that people could make in favour of sharing passwords… and they are all wrong.  There is in my mind no legitimate reason why two people should share their passwords with each other… not when information security is an issue.

What do I mean by ‘Information security?’ Let’s look into this.  If I were to give someone my password, what could they possibly do on my computer?

1. My banking credentials and information may be cached.

2. I have letters and documents that are extremely confidential.  Some are personal, some are business, none are anyone’s business other than the people I share them with.

3. On my desktop there is a link that connects my personal PC to my corporate VPN.  While I do not have my credentials cached, the extra layer of security provides Defense-in-Depth, which is eliminated by sharing my password.

4. My e-mail… In other words, anyone with my password could very easily send an e-mail in my name… to anyone.

5. My blogs are set up so that anyone authenticating to my PC can post to any of them… and that is not acceptable.

6. Oh come on… do I really need to go further?

So if I trust someone 100% should I be willing to trust them with my password?  Well, I don’t trust anyone 100%, but that is not the question.  In this case, even if I trust her 100%, we have to assume that my boss (who has never met her) doesn’t… and since some of the information that my password is protecting is my company’s, the answer is no, I should not trust them with my password.

Do I believe my mother would use my password for any reason other than watching TV?  Frankly I do not.  Do I think she is capable of getting into anything that she shouldn’t? Well, she does know how to use e-mail, so that is a possibility, but I do not think that she would.

The problem is not what I think she would do.  The problem is this: What happens if I get back to my computer tonight, and something is amiss.  What happens if something is missing, or changed, or whatever?  Well the reality is that chances are it is from something that I did, but my first reaction would not be that.  So why take the chance?  Why risk losing the ability to trust my mother because of something that may or may not have been her fault?  Simple… don’t put yourself into the position.

I connected my mother’s iPad to my wireless network, and she should be able to do anything she needs on that device… if she had the wherewithal to hack into my systems via wifi then I would be a sitting duck, but she doesn’t… in fact not only does she not have the ability, she also does not have the desire or malicious intent.

On the first page of the book The Sum of All Fears there is a quote that I have always liked.  I thought it was a Winston Churchill quote, but as I looked it up on the Internet it looks like it is attributed to Benjamin Franklin.  It is:

Three can keep a secret, if two of them are dead

Is that true?  Maybe yes and maybe no, but the only true way you can know for certain that nobody will share your secrets is by not sharing them with anyone else.  Passwords are the same way.

I have been asked before if I have a password store in case I get hit by a truck.  The answer is that I do not.  Why not?  There is nothing that I need people to access if I am dead.  They can reformat my computer and all of my hard drives and use them to their hearts’ content… but the information is mine.  I don’t need anyone logging into my Facebook or LinkedIn after I am gone, and with regard to my banking, well the executor of my estate will have the legal means to deal with the banks.  Some information can die with me, and I am quite at peace with that knowledge.  My blogs?  Once I am dead the last post will have been posted, and they will remain there until WordPress decides to take them down.  E-mail?  Nobody needs to be notified of my death who cannot be notified by other means.

Passwords are private, and should remain so.  The integrity of your data and systems and reputation relies on that.  Sharing them with anyone is a bad idea, and if you disagree?  Well don’t tell me I didn’t warn you!

An Unexpected Consequence of Super-Stability

This would never have happened with Windows XP.

As I always do after a long day of driving I woke up this morning and reached for my phone.  I had driven 1,092 km the previous day, which meant that I spent my attention on the road and not on my phone – doubly so because it was a Sunday, and in my current role nothing earth-shattering ever happens on Sunday.  I did, however, check my email during the occasional stop… and it worked.

This morning it did not.

My email password for my @microsoft.com email account was not working, but I wasn’t worried… I was sure that I would log on and find out that there had been some glitch in the system between 7:48am and 7:51am, and that all was well.

…and then it occurred to me that it has been roughly a year to the day since I got my account, and it was possible that it had expired – or worse, not been renewed.

I checked Lync.  Lync works on an entirely different system than email, and it should work.

“We can’t sign you in. Please check your account info and try again.”

Crap… this is serious… I may, as of this morning, no longer be an @microsoft.com!  That would be terrible for many reasons, not the least of which was that someone decided to shut me off without a conversation 😦

When you log on to Windows 8 (or any version, for that matter), Windows (Kerberos actually, but that’s another story) checks your credentials against an Active Directory Domain Controller.  It happens every time.  It doesn’t only check that your password is valid; it checks that your account is valid, and whether your password has expired (or is about to).  It gives you plenty of notice too… it will start warning you two weeks or so before the expiry date so that you don’t miss it.

Unfortunately it does not work the same way when waking your system from sleep or unlocking your previously authenticated account.  All it does is confirm that your account was valid when you last logged on, and that your password is correct.  Kerberos does not go out to Active Directory for this, it just checks the locally cached credentials.

So what happens in a world where Windows is so solid that you almost never have to log off?  In the last three weeks I have worked from the office in Mississauga, the office in Montreal, the office in Ottawa, several locations in Portland (Maine), and of course a weekend in Redmond and a day on campus… from hotel rooms, Internet cafes, and for 20 stressful minutes last week from the passenger seat of my wife’s minivan as we drove from Toronto to Montreal.  At the end of my session I simply closed the lid of my laptop and put it away, or locked the screen.

In three weeks I have not had to log off my computer because Windows is so much more stable than it ever was.

The unexpected consequence of this is that this morning, rather than working from home as I had planned, I had to come into the office, because once that password expires you have to be physically connected to the internal network to change it… DirectAccess (one of the greatest tools ever invented for the purpose of working remotely) doesn’t cut it… because your credentials to connect are currently invalid!

So yes, my password expired.  No, my account has not been disabled, and yes, you are going to have to put up with me for a while longer.  However I hope you learn from my experience… if it’s been a while since you were prompted to change your password don’t wait… do it proactively so that you can work in your pajamas and avoid the Monday morning rush hour!
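An added example, not the author’s script, of the proactive check the last paragraph asks for: it asks Active Directory when your own password expires and tells you to change it while a domain controller is still reachable (assumed: a domain-joined Windows machine that can currently see a DC; the `$WarnDays` threshold is a hypothetical default chosen to match the two-week warning described above).

```powershell
# Added example (not from the article). Reports how long is left on your own domain
# password so that you change it before the cached-credential trap described above
# catches you. Uses the built-in [adsisearcher] accelerator, so no RSAT install is needed.

function Get-MyPasswordExpiry {
    param(
        [string]$SamAccountName = $env:USERNAME,
        [int]$WarnDays = 14    # hypothetical default: about when Windows would start nagging
    )

    # The filter string becomes an LDAP query against the current domain. The constructed
    # attribute msDS-UserPasswordExpiryTimeComputed already applies whatever password
    # policy (default or fine-grained) covers this account, so no policy maths is needed.
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('msDS-UserPasswordExpiryTimeComputed', 'pwdLastSet'))

    try {
        $result = $searcher.FindOne()
    } catch {
        # Off the corporate network (and DirectAccess unavailable, as in the story) this is
        # where you find out: there is no domain controller to ask.
        throw "Could not query Active Directory: $($_.Exception.Message)"
    }
    if (-not $result) { throw "No account '$SamAccountName' found in the domain." }

    # DirectorySearcher lower-cases property names; both values are FILETIME Int64s.
    $expiryRaw  = [int64]$result.Properties['msds-userpasswordexpirytimecomputed'][0]
    $lastSetRaw = [int64]$result.Properties['pwdlastset'][0]

    if ($expiryRaw -eq 0) {
        # pwdLastSet of 0 means "must change at next logon"
        $status = 'Must change at next logon'; $expires = $null; $daysLeft = 0
    } elseif ($expiryRaw -eq [int64]::MaxValue) {
        # AD reports 0x7FFFFFFFFFFFFFFF for accounts whose password never expires
        $status = 'Never expires'; $expires = $null; $daysLeft = $null
    } else {
        $expires  = [datetime]::FromFileTime($expiryRaw)
        $daysLeft = [math]::Floor(($expires - (Get-Date)).TotalDays)
        $status   = if ($daysLeft -lt 0) { 'EXPIRED' } else { 'Expires' }
    }

    $lastSet = if ($lastSetRaw -gt 0) { [datetime]::FromFileTime($lastSetRaw) } else { $null }

    [pscustomobject]@{
        Account         = $SamAccountName
        PasswordLastSet = $lastSet
        Expires         = $expires
        DaysLeft        = $daysLeft
        Status          = $status
        ChangeNow       = ($status -ne 'Never expires') -and ($daysLeft -le $WarnDays)
    }
}

# Run this at the start of the day, before closing the lid for another three weeks.
$info = Get-MyPasswordExpiry
$info | Format-List
if ($info.ChangeNow) {
    Write-Warning "Change your password now (Ctrl+Alt+Del > Change a password) while a domain controller is reachable."
}
```

Locking and unlocking the screen never triggers this check, as the post explains, so the value of the script is in running it deliberately rather than relying on the logon warning.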

Passwords Revisited… a post from a fellow MVP

Many of you know that I am a fanatic about changing passwords and password complexity.  I have written time and again about the subject. (See Pass the Word…)

I am also a big hater of what my friend Dana Epp refers to as ‘Security Theatre.’  I have often berated people at Rogers, AT&T, and a plethora of other companies who ask me ‘and for security purposes can you please tell me your date of birth?’  REALLY? IT’S ON MY FACEBOOK PAGE!  How about you ask me what colour tie I wore to the last Black Tie event I attended, or what colour was the hockey puck we used when I played ice hockey?

I came across an article written by fellow Microsoft MVP Bill Pytlovany.  I have never met Bill but he makes some very good points about answering security questions (my mother’s maiden name is Brown by the way) that people should keep in mind when answering these questions.  Bill’s MVP Award is in Consumer Security, and I can see why.  Enjoy the article! –MDG

http://billpstudios.blogspot.ca/2013/02/banking-system-fails-due-to-security.html

Pass the Word…

How often do you change your online passwords?  If you are like the vast majority of us then the answer is not nearly often enough.  Until recently I fell into the same category, and fixing that took a little bit of doing.

One day several months ago I looked at Theresa and said ‘I think I am going to change all of my on-line passwords today.’  Easier said than done.

The first problem that I encountered was not an easy one – what passwords do I have?  I figured I must have dozens if not hundreds of on-line accounts.  The not so simple task of creating a list of all of them was a task I was not looking forward to.

Like so many other things that I discuss, the old truism applies: If you cannot measure it then you cannot manage it.  I had to figure out a way to start tracking my on-line accounts.  Where should I start?

Of course there are easy ones – the low-hanging fruit.  My Microsoft Account (formerly Live ID) is tied to dozens of sites from Microsoft Learning to TechNet to Zune and Xbox and everything in between, not to mention my primary e-mail account.  By changing that password I immediately changed nearly half of the sites that I log in to.  Unfortunately the rest of them would not be that easy.

I decided to take a measured approach going forward.  I opened a text document on my laptop and named it passwords.txt.  Of course this file is not going to have any of my passwords in it – I have a pretty good memory, but some people like to use password vault software like AuthAnvil Password Server, which allows individuals and organizations to centrally organize, synchronize, and audit their passwords.  The only thing that I am keeping in my password text file is a simple list of all of the sites that I either have to type my password into or, in many cases, that I have logged into previously and clicked the ‘Remember my Password’ option in Internet Explorer. 

I kept this text file open for several days and was alarmed at how long it was getting.  The obvious ones are sites like on-line banking, social networking sites, and of course my blogs.  The next tier were sites like ebay (and PayPal), amazon.com, and YouTube.  Sites for my travel rewards points accounts (Aeroplan, AirMiles) came next, followed by things like DNS sites and Prometric.com (where I take my Microsoft exams).

After a few days I thought I was done, but just in case I saved the file to my desktop.  In the meantime the real work started.  I logged on to each of these sites and started changing passwords.  Of course I did not use the same password for each site, and for my own peace of mind I will not explain how I chose.  However I did make sure that all of my passwords were long enough and complex enough to thwart the average hacker (and onlooker). 

Next I watched my Inbox.  Many sites will send you an e-mail confirming that you made changes to the account.  I skimmed through each one carefully for two items: 1) Do I need to take any action (click a link, etc…) to confirm that I actually did make the changes, and 2) Does it say ‘You changed your password to P@$$w0rd.’ 

The first wasn’t a problem – I took the necessary steps.  However the second is more important: if any site sends you an e-mail with your password in clear text then you know that they are storing it that way (rather than storing a one-way hash that can verify the password but not reveal it).  I flagged these sites and made a notation to never use the same password on these as I do on any other site.  In the event that their site gets hacked not only would my account there be compromised, but you could be sure that the hackers would then try to use the same password against my account on other sites.  VERY DANGEROUS.

As I went from site to site I made notations on my text file list.  A dash next to an entry meant that the password has been changed; an asterisk meant that the site e-mailed me in clear text.  An ampersand meant that it is an account that I share with my wife (I don’t share any accounts with anyone else), and so before I change that password I should let her know what it is going to be, lest she get locked out of anything important.

While I thought I was done, I left the text file on my desktop.  It does not take up a lot of real estate (especially since Windows 8 helps me to keep my desktop clean of shortcut icons), and I knew that as the weeks went on I would stumble upon the occasional site that did indeed slip my mind.

I dated the file and e-mailed it to myself; I set up a recurring calendar reminder telling me to change my passwords on a schedule.  While not all of my credentials need to be changed as often as others, it is still important to change them all a few times per year.  Now that I have the procedures in place, I will be able to do it without the anxiety that I faced the first time I went through it!

Oakville.com

Today is the day… My first article went live at Oakville.com, and that is very exciting for me.  It is great to be able to give back to the community where I live… that I have called home for the past five years.

It is amazing… the first time I spoke with my wife (Theresa) – we met on-line – she said that she lived in Oakville, and I said ‘Where’s that?’ I had moved to the Greater Toronto Area (more specifically Mississauga) two months earlier, and although I had heard of Oakville had no idea that it was ten minutes away down the 403 (or QEW… or Burnhamthorpe… or Dundas).  Now, nearly five years later, I consider it home, and do not want to live anywhere else.

So for my introductory article I wrote (as promised) about password security.  I hope you read it and like it! –M

http://www.oakville.com/articles/expert-advice-to-keep-your-passwords-safe/

Why we need a backup…

This is a story about IT Security.

It is hard to believe that within three weeks we have had our Kia Rondo.  However it is easy enough to gauge… we brought it home (used) on New Years Eve, December, 2009… When I drove Theresa to the hospital to deliver Gilad it was still on its first tank of gas.

Now, the fact that it has taken us this long to learn our lesson is testimony to our diligence, but nonetheless the lesson would eventually be learned.  New cars, as you know, come with two sets of keys.  Used cars, unfortunately, do not.  More often than not they come with only one, as is the case with the Rondo.  Theresa and I switch off driving the two cars every so often (usually when one needs gasoline or other maintenance I get it).  As such, we are usually pretty good about leaving the keys on the secretary by the door.

This past week-end was a disaster for me.  I got home from two weeks in South America & Mexico on Thursday, jetlagged and exhausted from the travel.  So much so that Saturday and Sunday I essentially slept all day, although I did venture out in the evening… on Saturday I took Theresa to Niagara Falls for dinner, and on Sunday after they came home from Buffalo I took her to a movie.  When I came home Theresa had warned me that both cars needed gas, so we drove the Toyota on Saturday (and I filled the tank) and the Kia on Sunday (and I filled the tank).  As we arrived home after the movie, there was a confluence of many irregularities – a dog jumping at the door, a phone ringing, and a need for the restroom. 

The keys to the Kia ended up in my pocket…

…and the following morning they came to the airport with me…

…and then they came to Halifax with me.

I checked into the Maple Leaf Lounge at the airport in Halifax when I called my beautiful, loving, absolutely understanding wife whom I love dearly and who is always the first person I call when I land anywhere.  I heard Gilad crying in the background, which was strange for the time of the morning when he was usually at daycare.  ‘No, nothing is wrong with him… but he is rather upset that you took my car keys and stranded us here.’

Oh, crap.

To cut a long story short, after losing most of a day, a very understanding friend drove my very loving and wonderful and understanding wife to the airport parking lot and picked up my car from the long-term parking lot.  It was a huge hassle, but all was well.

At this point – if not several paragraphs ago – you have probably started wondering why I prefaced this tale of an absent-minded husband as a story of IT Security.  Keep reading and all will be made clear!

Many small and mid-sized businesses rely on one person to be the ‘Keeper of the Keys’ for their network – one user’s account is the Domain Administrator, or Root account.  Of course it is best practice to not share passwords, so that person is the only person who knows the credentials.  In some cases, that ‘person’ is not even an employee, but an IT Service Provider, who maintains their computer for them.  While the skies are clear this poses no problem.  Too often I have heard horror stories of things going very bad very fast.

Over the course of my career I have received no fewer than a dozen calls from companies who needed for me to reclaim their networks following a falling-out with their former IT Manager.  In most of these cases the company had decided to lay them off because they were going to outsource their IT services, although on a couple of occasions there was a fight between the owner and the IT guy who stormed off in a huff.  In one unfortunate case the IT guy died suddenly in a car accident.

On the other side of the same coin, I have on a number of occasions been told by IT service providers that their clients were late paying their bills, so they were going to deny them service and would not provide any credentials until all of the accounts were adequately settled.  I advised these IT pros that while I understood their frustrations, they were likely breaking the law and opening themselves up to legal action that would far outweigh any disputed monies.  I can only hope that they followed my advice and reversed their stances… As they did not name the client, there was no way for me to follow up on that.

While the IT guy who refuses to share the credentials is breaking the law (except for the guy who died, who was pretty action-proof) it is the company that suffers until the issue is resolved.  Resolving the issue – either technologically or legally – can be time consuming and costly.  It is also a situation that is very easy to avoid.

I do not think the solution is giving anyone in the company Admin/Root credentials… nobody should ever have higher credentials than they need to do their job.  What I would recommend, however, is that a second Admin/Root account be created with a long and super-complex password.  Those credentials should be stored separately and securely in sealed envelopes that hopefully will never need to be used.  However just like having a spare set of keys, it is a safety net against the sudden souring of the relationship between the SMB and the IT provider, whether that provider be an employee or contractor.

This plan is unfortunately not bullet proof.  It would be simple for the provider to either disable this account or change those credentials.  Legally speaking this would be an overt criminal act, but the jaded tech may not be concerned about that.  That is why it is crucial that companies manage their HR – specifically their layoffs – carefully.  If they are planning to lay off their administrator it is a good practice to use the following steps:

  1. Plan the timing carefully.
  2. Before you call your administrator into your office for that uncomfortable conversation, ensure that those credentials work, and access the Active Directory Users and Computers console using that account.
  3. When you know that he is waiting to come into your office, disable his account.
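Steps 2 and 3 of that checklist, as an added example that is not the article’s own script: it proves the sealed-envelope credentials still work and are still privileged by binding to Active Directory with them, and only then disables the departing administrator’s account (assumed: the RSAT ActiveDirectory module on a domain-joined machine, run by someone who already holds domain admin rights; `CONTOSO\breakglass-admin` and `departing.admin` are placeholder names).

```powershell
# Added example (not from the article). Automates the "check the spare key works,
# then disable the account" sequence for an administrator lay-off.
Import-Module ActiveDirectory

function Test-BreakGlassAccount {
    param([Parameter(Mandatory)][pscredential]$Credential)

    $sam = $Credential.UserName.Split('\')[-1]     # accepts DOMAIN\user or plain user
    try {
        # Binding to AD *with* the envelope credentials is the real test: a password
        # that was quietly changed, or an account that was quietly disabled, fails here.
        $acct = Get-ADUser -Identity $sam -Credential $Credential -ErrorAction Stop `
                           -Properties LockedOut, PasswordExpired, MemberOf
    } catch {
        return [pscustomobject]@{ Account = $sam; Usable = $false; Reason = "bind failed: $($_.Exception.Message)" }
    }

    $domainAdminsDn = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
    $problems = @()
    if (-not $acct.Enabled)                          { $problems += 'account is disabled' }
    if ($acct.LockedOut)                             { $problems += 'account is locked out' }
    if ($acct.PasswordExpired)                       { $problems += 'password has expired' }
    if ($acct.MemberOf -notcontains $domainAdminsDn) { $problems += 'not a direct member of Domain Admins' }

    $reason = if ($problems.Count -eq 0) { 'bind succeeded and account is privileged' } else { $problems -join '; ' }
    [pscustomobject]@{ Account = $sam; Usable = ($problems.Count -eq 0); Reason = $reason }
}

function Disable-DepartingAdmin {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][pscredential]$BreakGlass
    )

    # Step 2: refuse to lock anyone out until the spare key is proven to work.
    $check = Test-BreakGlassAccount -Credential $BreakGlass
    if (-not $check.Usable) {
        throw "Break-glass account '$($check.Account)' is not usable ($($check.Reason)). Fix that before the meeting."
    }
    if ($check.Account -ieq $SamAccountName) {
        throw "The break-glass account and the account being disabled are the same; that is not a spare key."
    }

    # Step 3: while the administrator is waiting outside your office.
    Disable-ADAccount -Identity $SamAccountName -ErrorAction Stop
    # Caveat: disabling blocks new logons but does not tear down sessions or Kerberos
    # tickets issued before this moment, which is why the timing in step 1 matters.
    Get-ADUser -Identity $SamAccountName | Select-Object SamAccountName, Enabled
}

# Usage (interactive; names are placeholders):
#   $bg = Get-Credential 'CONTOSO\breakglass-admin'      # the sealed-envelope credentials
#   Disable-DepartingAdmin -SamAccountName 'departing.admin' -BreakGlass $bg
```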

It is unfortunate, but a jaded former employee can cause a lot of damage.  I have heard horror stories of companies laying off their IT manager, but not disabling their account.  That laid off employee then goes back to their desk and starts wreaking havoc on the network.  The IT administrator is, unfortunately, not a position that you can lay off and give them two weeks notice, expecting they will faithfully continue to perform their duties.  If you are getting rid of the IT admin, you have to pay their settlement out but terminate their employment – along with their credentials – immediately.

If you think you may be protected by loyalty, remember that you are about to demonstrate a termination of that two-way loyalty street.  In cases I have been involved in neither long-time friendships nor family relations have protected the company.

I am not saying that this will happen in every case, but you cannot gamble that it will not happen to you.  Don’t take the chance, and you will never have to write an article about how loving and understanding your wife is because you flew to Halifax with her keys.

Cover Your A$$ – Secure Your WiFi Now!

I honestly hate saying ‘I told you so.’

For years I have been telling everyone who will listen (and a lot of people who didn’t want to) about the importance of securing wireless networks.  I’ve told stories about the possible consequences, and have scared some of them into doing the right thing.  Unfortunately far too often my pleas have fallen on deaf ears.

Don’t get me wrong… like anyone else who has ever hopped on an unsecured access point to check my e-mail, I appreciate that so many people have made it unnecessary to actually hack secured wireless networks – which of course might be considered illegal so I would never actually do it.  However my convenience should be trumped by the well-being of the masses.

As was reported by Carolyn Thompson in the Toronto Star (c/o Associated Press) there have been several cases recently where innocent albeit naive wifi users have gotten a very rude awakening.  At least one such user was awakened very rudely by heavily armed agents of the FBI and/or ICE (Immigration and Customs Enforcement) raiding their houses after having tracked child pornographers to their networks (See the full article at http://www.thestar.com/living/article/979849–no-password-on-your-wi-fi-this-nightmare-could-happen-to-you).

The Internet is so often equated to the Wild West… a potentially lawless society with hoodlums and gangsters and very little law enforcement to speak of… and it’s true.  A friend of mine who works in cyber-crime for a major American law enforcement agency confirmed that likely only 1-3% of cyber-criminals are ever arrested.  With that being said, the Wild West had sheriffs, posses, and eventually the US Army.  SOME cyber-criminals are pursued, arrested, and convicted.

I don’t know what percentage of cyber-criminals captured are child-pornographers, but I would not be surprised if it was a very high number, and for good reason.  I do know that of all criminals, most law enforcement officers view them as the lowest of the low – as the AP article demonstrates they are seldom arrested politely and calmly.  I have heard of several cases of mistaken identity because child pornographers are smart enough to try to cover their tracks, and the difference between them going through you or not is as simple as a couple of check-boxes and a password on your wireless access point… so what’s stopping you?

If you are uncomfortable trying to configure this encryption and password yourself, I implore you once again to ask for help, or if you must take your router to a Geek-Squad-type service who will do it for you.  Trust me, it is a small investment compared to what could happen.