This is a draft of remarks I delivered to a group of emergency management students at a presentation for National Preparedness Month today, at 2:00 pm, in the University of Akron’s Student Union, room 335. It isn’t complete, but it represents most of the presentation I have prepared for the event. Those of you who are more technically inclined may not find this presentation extremely compelling; my goal was to present this information to students who don’t (generally) have a background in computer science, cryptography, etc. You can view a copy of this presentation by clicking here.
Good afternoon and thanks for coming to this presentation. Last year, we invited a few speakers from the Ohio Emergency Management Agency and the Ohio Department of Homeland Security to speak to our students for National Preparedness Month. During the question and answer session, a student asked a question about what our most significant weakness is here in the state of Ohio. The answer stuck with me. Almost immediately, without any hint of hesitation, the answer was cybersecurity.
This answer got me to think about the emergency management degree program here at UA. For a while now, I’ve been thinking about how this very same weakness is true of our program. There are a lot of sexier topics in emergency management: hurricanes, earthquakes, active shooters, terrorist attacks, but not much attention is given to cybersecurity in our classes. What I hope to do, today, is to start the dialog on how we might prepare for cyber attacks. I hope to convince you that a true all-hazards approach includes the hazardous environment of the Internet – an environment where attacks of increasing sophistication and increasing ease are more prevalent than ever before.
Before I start, I want to make something clear: I don’t have much of a background in computer science. I’m a technology enthusiast at heart, but I’m certainly not as well versed in many of these topics as the experts. What I’m sharing with you today is a basic overview of topics in cybersecurity that you, the end user, can control. This comes from information I’ve gleaned from the experts that I follow. If there is anything I’ve learned about computer experts, it’s that they have a tremendous amount of passion for what they do and they’re not afraid to learn about complex systems all by themselves. Many technologically-inclined people are true autodidacts; they are self-directed learners. Many of them learn about complex systems by examining them without the help of traditional education. They do it because they’re passionately engaged in technology.
This is an overview of what we’ll be discussing today. First, we’ll discuss the nature of passwords – from what recommendations have been made in the past for creating good passwords to how crackers attempt to, and often successfully, crack passwords. Let me just take one minute, before I continue, to distinguish between hackers and crackers. In common, everyday parlance, the word “hacker” has been used to describe the bad guys of the Internet – those people who steal your credit card information, passwords, e-mails, and, in general, just wreak havoc on your machine. Traditionally, in the tech community, “hacker” doesn’t have that same connotation – it was simply a word used to describe a person who likes to tinker with technology in order to discover how it works and how it can be used for other purposes. In the tech world, hackers are the good guys and crackers are the bad guys. In the tech subculture, hacking is a good thing, as it encourages one to learn about computer systems; it encourages the self-directed learning that I mentioned earlier.
After we discuss password security and insecurity, we’ll discuss social engineering attacks. In many ways, social engineering is a type of tinkering in order to figure things out, but not with technology itself. Instead, this type of tinkering is much more about the manipulation of the users of technology – it’s the manipulation of human beings themselves. Then, I’ll briefly discuss some actions that you can take to safeguard your own data, first by encrypting it, and then by backing up your precious data in case a disaster strikes.
But, before I move on, I want to challenge you a bit. In emergency management, we spend a lot of time discussing ins and outs of a variety of natural and anthropogenic hazards. We learn about the role of tectonic plates and fault lines in earthquakes, for example. We know that not all incidents involving a person with a gun are the same; we know, for example, that hostage situations and active shooter situations demand different tactics from law enforcement. My point is that we take the time to learn about the intricate details of these hazards and then we come up with strategies to lessen their impact and to respond to their inevitable occurrence. But, when we become victims of online attacks, what do we often say? Can anyone guess?
“I got hacked.”
Doesn’t this strike you as strange? Those three words are quite revealing. “I got hacked.” In essence, when I hear someone say this, what I hear them saying is: “I don’t really know what happened with my e-mail account, or my Facebook account, or whatever, I just know that I’m a victim of an online attack. How? I have no idea; I just know that I got hacked.”
There’s a pretty famous description of the Internet that underscores this point quite nicely.
We need to get past this ambiguous language – language that unequivocally advertises how little we know about technology. If we lived in Florida and got struck by a hurricane, we wouldn’t just throw our hands up in the air and say, “I just got smashed.” Right? Well, maybe you could say that if you were simultaneously an alcoholic and a hurricane victim. But, seriously, just imagine if we used such generalities when people experienced earthquakes. “I just got shook,” you might say as you raise your white flag and admit defeat. But, in an increasingly connected world, we can’t afford to remain ignorant about the technology that we use. We must raise the bar, at least for those of us who see it as our goal to mitigate the effects of disasters. At least for those of us who will probably have access to sensitive information someday, if not already.
So, are we ready?
I’d like to start off our discussion of passwords with a question. Which one of these passwords do you believe is more secure? In fact, let’s take a count – will those of you who think password #1 is more secure raise your hands?
Will those of you who think password #2 is more secure raise your hands?
We’ll come back to this a little later. But, for right now, I just want this to percolate in your head. Make this your thought experiment. Become, even if just for a moment, the autodidact just as many of your more technically inclined peers already have before you. Ask yourself why you think your answer is correct; what is it about your choice that makes it more secure?
There’s a security researcher that I follow online named Steve Gibson. He’s the host of a popular podcast called “Security Now!” – which is on the TWiT.tv network. He created a tool called the password haystacks calculator – a simple little tool that allows you to type a password on his webpage in order to examine how easy or difficult it is to crack. The idea that he promotes, and the idea I want you to take with you, is that your password is a needle in a haystack. An attacker’s ability to crack your password depends on how big you make your haystack. Now, it is important to remember that there is no such thing as absolute security. Imagine, for a moment, that we’re taking the haystack analogy literally. If I placed a real needle in a haystack and told you to find it, you may not be able to find it right away. But, if I gave you an unlimited amount of time to look through this haystack, eventually, perhaps after a lot of hard work, you would find the needle. Maybe it would take weeks, months, or even years, but you could eventually sift through the hay and find the needle. Passwords work in much the same way. They do not guarantee that your data will remain safe, but effective passwords are like needles in very large haystacks; good passwords are difficult for crackers to guess.
Creating a secure password is achieved by randomness. In other words, the most secure password is one that is chosen completely at random, which makes it difficult for attackers to guess. But, don’t be fooled – true randomness is difficult to achieve. One of the most sobering things I’ve learned is that many of the methods we’ve traditionally relied upon to randomly create passwords have now been cracked precisely because of the lack of randomness inherent in these methods. Human beings actually aren’t good at selecting truly random passwords. Instead, there are patterns that we’ve developed over the years that security researchers have uncovered, and these trends demonstrate our inability to select truly random passwords.
But, before we get into the more recent trends, let’s first discuss some of the more conventional advice end users have been given in order to create more secure passwords.
Traditional approaches to creating secure passwords have focused, in large part, on four major areas. Password composition describes the characters that actually make up your password. Password length is just like it sounds – it’s about how long your password actually is in terms of the number of characters it has. Password lifetime refers to how long you use your password for a given account before changing it to something else. The last area, password reuse, describes the tendency of users to use the same password across multiple systems, which makes you more vulnerable.
Let’s examine password composition. Most websites now require that you choose a password with at least one number. Some also require a special character, such as an ampersand, a number sign, or a period. These requirements underscore attempts by the designers of the online services you use to force you to increase the size of the key space you are drawing from when you create your password. The key space is the size of the “alphabet” or character set that you use to generate a password. By “alphabet” – I don’t mean just the set of English letters starting from A and ending with Z. What I mean is better described as a character set – the full collection of characters I draw from when I build a password – which includes numbers and special characters such as punctuation.
Let’s consider, as an example, a character set that is only composed of English letters. The key space is equal to the number of letters in the alphabet, which is 26. Now, also notice that this character set is composed only of lower case letters.
If I add all of the upper case letters of the alphabet, I increase the key space by 26, to 52 characters. The haystack is getting larger.
Now, consider what happens when I add special characters to the set. The haystack continues to grow even larger. Notice in this slide how I’ve added numbers and special characters. The haystack is larger still. The goal, of course, is to make the haystack as large as possible. In this case, that means using a character set that has the most possible characters in it.
Now, let’s shift gears and talk about password length. With password composition, we were concerned with making the haystack larger at the level of each individual character. With password length, we’re concerned with making the haystack larger still at the level of the whole password. Adding more characters to your password makes it significantly stronger; each character you add multiplies the number of possible passwords by 26 if you’re using a standard English alphabet with no numbers or special characters. In this slide, we have the very insecure password of “ab” – both lowercase and only two characters long. It’s a terrible password, but it is stronger than a single letter, because an attacker now has twenty-six possibilities to try for each of the two positions rather than twenty-six possibilities in total.
Password lifetime refers to the length of time you use your password on a given system before you change it. It’s highly recommended that you change your password regularly. Changing your password at regular intervals makes it even more difficult for an attacker to guess your password for reasons that, I think, are pretty self-evident.
Now, as we discuss password security, a problem emerges. As a user tries to make her haystack as large as possible, she soon discovers that there is a constant tension between convenience and security. If we’re trying to create truly random passwords, it becomes increasingly difficult to remember passwords that are more complex. But, adding more complexity raises the level of entropy; it creates more randomness, and makes it more difficult for an attacker to guess the password. So, what are we to do? Should we choose ultra-high entropy passwords that we may not remember and, perhaps, write them down? That presents us with another potential vulnerability. Should we come up with shortcuts that are more memorable, but that risk lowering the entropy level used to generate the password? That, too, presents us with problems.
One potential solution is to add some salt. In this context, salting your password simply refers to adding an extra character to your password multiple times – a sort of password padding. Remember, we discussed earlier that increasing the length of the password can increase the security of the password. Salting enables us to make passwords longer, but also makes them easier for us to remember. Consider the password “corridor” in the above slide. “Corridor” as a password is about as weak as they come, but by adding 10 periods after the word, we increase the overall length of the password and, thus, we increase its entropy. Another strategy you could use simply comes with thinking of your password more as a passphrase or a pass-sentence. Consider this (“IamwalkIngthRoughthecoRRIdoR”) as an alternative to the password “corridor” that we used before. Again, the length is increasing, which means the haystack is growing.
Does anyone else notice a pattern in the passphrase too?
For this passphrase, I used my own algorithm for capitalization. Every “I” and “R” is capitalized while the rest of the characters are lowercase. An algorithm is like a recipe in a kitchen; it’s a formula or a set of step-by-step instructions in order to produce a certain result. Creating truly random passwords is hard. By creating algorithms, you can avoid having to memorize long and complex passwords and, instead, only remember the recipe you used to create your password.
You can combine strategies in order to make your password even more secure. Take the algorithm we just created and add some salt. The haystack is growing larger yet again. Remember, our goal is to create a password that is not easily guessable; it’s a password that would take crackers a long time to unveil.
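The haystack arithmetic behind the composition and length slides, and the padding and capitalization recipe just described, can be put into a few lines of code. The following is an added example written for this post; it is not Steve Gibson’s calculator or any code from the talk. It assumes the four character classes lowercase, uppercase, digits and punctuation, and the “haystack” is modelled exactly as the talk does: key space raised to the power of the password length, which is the number of candidates an attacker must cover if they search the whole character set exhaustively. (Note that this model credits padding with its full length; an attacker who guesses the padding pattern, as with the dictionary attacks discussed later, does not have to search that whole space.)

```python
import math
import string

# The character classes the talk walks through. Each class a password draws
# from enlarges the key space (the "alphabet" size).
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26 characters
    "uppercase": string.ascii_uppercase,   # 26 characters
    "digits": string.digits,               # 10 characters
    "symbols": string.punctuation,         # 32 characters
}


def key_space(password: str) -> int:
    """Size of the union of every character class the password uses, i.e. the
    smallest character set a brute-force search would have to cover."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    if size == 0:
        raise ValueError("password contains no characters from the known classes")
    return size


def haystack_size(password: str) -> int:
    """The talk's haystack: key space ** length, the number of candidate
    passwords of this length drawn from this character set."""
    return key_space(password) ** len(password)


def haystack_bits(password: str) -> float:
    """The same quantity as bits of exhaustive-search space."""
    return math.log2(haystack_size(password))


def pad(password: str, filler: str = ".", count: int = 10) -> str:
    """The talk's 'salting' (password padding): append one character several
    times to gain length without much extra to memorize."""
    return password + filler * count


def capitalization_recipe(sentence: str, letters: str = "ir") -> str:
    """The talk's capitalization algorithm: drop the spaces, capitalize every
    occurrence of the chosen letters (I and R), lowercase everything else."""
    return "".join(
        c.upper() if c.lower() in letters else c.lower()
        for c in sentence
        if not c.isspace()
    )


def progression():
    """The talk's examples in order, each with key space, length and haystack
    size, so the growth at each step is visible."""
    passphrase = capitalization_recipe("I am walking through the corridor")
    candidates = ["a", "ab", "corridor", pad("corridor"), passphrase, pad(passphrase)]
    return [(p, key_space(p), len(p), haystack_size(p)) for p in candidates]


if __name__ == "__main__":
    for pw, ks, length, hay in progression():
        print(f"{pw:40} key space {ks:3}  length {length:2}  haystack 2^{math.log2(hay):5.1f}")
```

Running it prints each password in the talk’s sequence with its key space, length and haystack size as a power of two; the jump from “corridor” (26 characters, length 8) to the padded form (58 characters, length 18) is the effect the padding slide is pointing at.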
Finally, I strongly urge you to consider enabling two-factor authentication for any e-mail accounts or other online web services you use. Two-factor authentication means using something you know and something you have to prove to an online service that you are who you say you are; thus, you are using two factors to authenticate. Not all web services provide this feature yet, but many more are adding this functionality to their services now. Google, for example, has enabled the use of two-factor authentication for its users. To use Google as an example: if you enable two-factor authentication on your Google account, you can have Google send you a six-digit code via a phone call, SMS message, or via its Authenticator app on your mobile device every time you log in. Thus, when you log in, Google would first prompt you for your user name and password, then Google would prompt you for the six-digit code you were sent. This code changes every 30 seconds. Again, this results in greater security because you are using two things to authenticate to Google: something you know, your user name and password, and something you have, your authenticator code.
So, now that we talked about passwords for a little bit, which one of these choices do you think is more secure?
Now, all that work you’ve done selecting a good password doesn’t mean anything if the database it is saved in isn’t protected. Remember, your passwords don’t just disappear into thin air after you create them. They might travel through the air, but they must be stored somewhere in order for your e-mail provider to check and make sure you’re you. If the designers of online services you use saved your password in plaintext on their servers, anyone gaining access to their servers would hit a gold mine. Therefore, it’s necessary for these service providers to obscure your password in a manner that allows them to still utilize it to verify your identity, but to render it useless to attackers intruding on their network. This is done by utilizing cryptography – which is the science and art of writing secret messages. Basic cryptographic concepts are far too complex for the short amount of time we have today, so I’ll spare you the details. But, I’ll briefly discuss one particular cryptographic method for obscuring passwords that is commonly used by websites: hashing. When a service provider hashes your password, it takes your password and applies an algorithm to it that converts it to a string of text. The string of text generated is highly unlikely to match any other string of text generated when the algorithm is applied to other passwords.
Here’s an example of two hashed passwords. You’ll notice, in this example, only minor changes were made between these two passwords, and still, the algorithm applied to them produced a vastly different result. It isn’t realistic to think that you’ll be able to influence what type of hash your agency or company uses to store passwords on their servers, but if you ever do get into a job where you have the authority to make purchasing decisions, you should at least know that different hash functions exist and that some are secure while others have long been broken.
So, now that we’ve discussed ways to make your password more secure, let’s discuss how password crackers try to crack your password, and how they often succeed.
Password crackers know that most people do not follow the advice I just gave in order to secure their online accounts. Many people think they’re being clever when they choose passwords like “12345” or “monkey” or even the word “password” itself. But, what these people don’t realize is that those very same strategies for password creation have been used time and time again by an endless number of other users. One strategy password crackers employ is the use of password dictionaries. These dictionaries contain the most commonly used passwords that have been discovered as the result of years of trial and error. They can contain common English words, common variants of these words, and other passwords that were generated using the not-so-clever tricks we know many people use. Now, those hash functions we talked about earlier are difficult to reverse. So, in cases where crackers obtain access to a database with a list of hashed passwords, one of the ways they figure out hashed passwords is to take these dictionaries and use the same algorithm to hash all of the common passwords. Then, once that table is complete, they take the hashed password that is the target of their interest and compare it to the table of hashed outputs produced by hashing other passwords. Such tables are called rainbow tables.
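The two hashing points above, that a one-character change scrambles the whole output and that a precomputed table of hashed dictionary words recovers any unsalted hash that appears in it, can both be seen in a small script. This is an added example for this post, not code from the talk or from any cracking tool; the six-word dictionary is constructed for the demonstration, the “leaked” record is built in place, and SHA-256 stands in for whatever fast hash a site might use. Two caveats a practitioner would add: what the script builds is a straightforward hash-to-password lookup table, of which a rainbow table is a space-saving refinement using chains of hashes, and the “salt” in the defender half is the cryptographic one (a random per-user value stored next to the hash), not the password padding the talk calls salting. A per-user salt makes a precomputed table worthless, and a deliberately slow key-derivation function such as PBKDF2 makes each remaining guess expensive; an attacker can still run the dictionary against one salted hash at a time, which is why the user’s own password choice still matters.

```python
import hashlib
import hmac
import os

# Constructed miniature password dictionary of the kind the talk describes.
COMMON_PASSWORDS = ["12345", "password", "monkey", "letmein", "corridor", "qwerty"]

PBKDF2_ITERATIONS = 100_000  # assumed cost setting for the defender half


def sha256_hex(text: str) -> str:
    """Fast, unsalted hash of a password: the kind of storage a precomputed table defeats."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hex digests; shows how a single
    changed character scrambles the whole output (roughly half the bits flip)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def build_lookup_table(dictionary):
    """Attacker's precomputation: hash every dictionary entry once, keyed by hash."""
    return {sha256_hex(pw): pw for pw in dictionary}


def lookup(table, stored_hash):
    """Recover the password behind an unsalted hash if it is in the table, else None."""
    return table.get(stored_hash)


def store_salted(password: str):
    """Defender's storage: a random 16-byte salt per user and a slow KDF.
    Returns (salt, digest); both are stored, neither reveals the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo():
    """Returns (password recovered from the unsalted hash, whether the salted
    digest appears in the same table, whether the correct password still logs in)."""
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked_unsalted = sha256_hex("monkey")           # constructed "leaked" record
    recovered = lookup(table, leaked_unsalted)       # found immediately
    salt, digest = store_salted("monkey")            # same password, stored properly
    reusable = digest.hex() in table                 # the precomputed table is useless
    return recovered, reusable, check_salted("monkey", salt, digest)


if __name__ == "__main__":
    a, b = sha256_hex("corridor"), sha256_hex("corridoR")
    print("corridor ->", a)
    print("corridoR ->", b)
    print("bits that differ:", bit_difference(a, b), "of 256")
    print("unsalted lookup, table reuse, salted login:", demo())
```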
If there is one thing I want to drive home to you today, more than anything else, it is that I want you to consciously think about the password you are choosing to secure your account. This will make it increasingly difficult for password crackers to employ these methods. The more random your password is, the less likely it will appear in a dictionary or rainbow table, and thus the longer it will take for anyone to figure it out.
When dictionary attacks fail, an attacker can then choose to employ what is called a brute force attack. Imagine, for example, that someone hands you a set of keys and you decide you want to open the door to their house. You’ve never seen this set of keys before, but you know that one of the keys is probably the key you need to open the door. If that were to happen, you would probably try each key on your key ring until you found the one that opens the door. Brute force attacks work in the same way. When no discernible patterns are evident, the only option left for attackers is to simply try every possible password that could exist. Of course, it makes more sense to start with simpler passwords first during this exhaustive search for the right password, because it’s more likely that your mark has chosen a simple password rather than a complex one. This underscores the point we’ve been discussing; here, it becomes even more necessary for your haystack to be as large as possible. The goal on the user’s end in a brute force attack is to slow the attacker’s progress in guessing the password as much as possible. This is achieved by choosing as random a password as possible so that, when the attacker resorts to trying all possible combinations, it will take forever to find your needle.
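The “simpler passwords first” search order can be made exact: if an exhaustive attacker tries every one-character string, then every two-character string, and so on, each password has a definite position in that list, and that position is the number of guesses needed to reach it. The block below is an added example for this post, not part of the talk, that computes this rank and turns it into time at two assumed guess rates. Both rates are illustrative figures chosen for the example, not numbers from the talk: about ten guesses a second for a rate-limited online login form, and ten billion a second for an offline attack on a leaked fast, unsalted hash. The difference between the two is the practical argument for both a large haystack and proper server-side hashing.

```python
import string


def search_rank(password: str, alphabet: str) -> int:
    """1-based position of `password` in a shortest-first, then alphabetical,
    enumeration of all strings over `alphabet`: the number of guesses an
    exhaustive attacker makes before hitting it."""
    k = len(alphabet)
    index = {c: i for i, c in enumerate(alphabet)}
    if any(c not in index for c in password):
        raise ValueError("password uses characters outside the alphabet")
    # Every string shorter than this one is tried first.
    shorter = sum(k ** length for length in range(1, len(password)))
    # Then this password's position among the strings of its own length,
    # reading it as a base-k number.
    within = 0
    for c in password:
        within = within * k + index[c]
    return shorter + within + 1


def seconds_to_reach(password: str, alphabet: str, guesses_per_second: float) -> float:
    """Worst-case time for the attacker to reach this password at a given rate."""
    return search_rank(password, alphabet) / guesses_per_second


# Assumed illustrative guess rates (not figures from the talk).
ONLINE_RATE = 10.0      # rate-limited web login form
OFFLINE_RATE = 1e10     # offline attack on a leaked fast, unsalted hash

SECONDS_PER_YEAR = 31_557_600  # Julian year


def compare(password: str, alphabet: str) -> dict:
    """Guess count and time-to-reach under both assumed rates."""
    guesses = search_rank(password, alphabet)
    return {
        "guesses": guesses,
        "online_years": guesses / ONLINE_RATE / SECONDS_PER_YEAR,
        "offline_seconds": guesses / OFFLINE_RATE,
    }


if __name__ == "__main__":
    lower = string.ascii_lowercase
    lower_and_symbols = string.ascii_lowercase + string.punctuation
    for pw, alphabet in [("ab", lower), ("corridor", lower),
                         ("corridor..........", lower_and_symbols)]:
        result = compare(pw, alphabet)
        print(f"{pw:20} guesses {result['guesses']:.3e}  "
              f"online {result['online_years']:.3e} years  "
              f"offline {result['offline_seconds']:.3e} s")
```

The offline column is the one to watch: a password that would take an online attacker centuries can fall in seconds once a site’s unsalted, fast-hashed database has leaked, which is why the previous section’s advice about how passwords are stored matters as much as the advice about how they are chosen.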
A 2007 study found that the average web user maintains 25 separate accounts, but uses an average of only 6.5 passwords to protect them. We already know that users often use weak passwords. Combine that with the number of accounts a user creates over the course of a lifetime and it is highly likely that the user took some shortcuts, including re-using the password on multiple websites and choosing passwords that are easy to remember.
Now, I’m sure we’ve all had those moments where we just can’t remember the password we’ve used for a service we really need to use. Most websites offer a password recovery option that allows you to answer some questions in order to change your password. But, remember that any option that is available to you is also available to your attackers. Many password recovery questions, if answered honestly, will contain information that your attacker might be able to find out about you. For example, it’s possible for people you know to figure out things like your mother’s maiden name by searching the public records database provided to us online by the Probate Court that issued your parents a marriage license. One potential way to combat this is to answer these questions dishonestly. Select answers that have nothing to do with your mother’s maiden name, your favorite pet, your high school mascot, or whatever else you are prompted to answer.
Now, we’ve spent a lot of time talking about the technical aspects of gaining unauthorized access to an online account. But attackers are not limited to technical attacks. Human beings design the computer systems we use to access information and, more importantly, human beings also design the security policies that govern the disclosure of confidential information. Attackers know that human beings implicitly tend to trust each other. Most people don’t generally want to challenge others for fear of being seen as confrontational or uncooperative. Attackers often use social engineering attacks to manipulate people into giving them the information they want. This can be done in a variety of ways, such as by posing as company employees with a need to know. Social engineers develop plausible narratives that allow them to sound like they have legitimate authority or access to things they shouldn’t be accessing, they build trust with the users they target, and they design their attacks to work in such a way that they eventually con users into giving them what the attacker wants.
I’m going to take you through a recent example of a social engineering attack that was performed by a technology journalist for Wired.com: Mat Honan.
My written transcript ended here, but my presentation was a little bit longer. I also didn’t follow this written transcript verbatim; I used it as a guide to structure my talk. We had a fairly small audience and I was fairly familiar with my prepared remarks, so I simply addressed the audience from memory.