Two Factor Security Key – Keeping your computer stuff secure
The blog was being attacked by bots and AWA told us to increase security by using physical security keys. I was amazed that it was both inexpensive and not hard to set up, so I asked him to write a post and he was kind enough to give us a damned good one.
From the Trenches:
When we got started on the internet, we looked at our systems as being a shared resource. The “big” computer up at MIT had a guest login. Everybody knew the password. If you wanted to work on it, you logged in to the guest account and did your work. There was a cread and an ethos that said “Do no evil, leave no sign, leave it better than you found it.”
And for years that’s how it worked. Then money showed up on the Internet in the form of valuable resources or actual access to banking information.
At that point, the crackers and evil hackers came into existence. The goal was always: Just one sucker today. Just one account, today. These were the days of getting an email telling you of a penny stock that was about to explode in value. You could look, see that it had a low price, you could see the trendline and think “yeah, maybe so”. And you’d invest a few hundred or a few thousand dollars. If you got out early enough, you might not loose money.
Your email address became valuable, just as a probe. My ISP got hammered one day, some 50,000+ spam emails all trying to scam somebody. I contacted the provider and spoke to them about the spam. They acknowledge that it was spam, and that they were trying to stop it but had not succeeded. When their customer had come to them, they had acknowledge they would do bulk email and set up the contract to protect the provider. “If there is a more than 0.05% abuse rate on the emails, then it would be declared spam, and the accounts could be canceled.”
So how many abuse reports had the provider handled at that point? Over 3000. And what was that percentage? 0.03%. That spammer had sent more than 10 MILLION emails that day.
The website doesn’t allow user logins except via known sources. There have been more than 20,000+ attempts to break into the server in the last week.
There have been many more attempts at breaking into the website. We block many of them.
But all of this comes back to how they try to break into a server or website. The gist is they try lots guesses. They are good guesses but they are guesses non-the-less.
Security is based on authentication and authorization. Authentication is the process of proving you are you. There are only three ways to do this: Something only you know, Something only you have, Something about you. You password should be something only you know. They key to your car is something only you have (your partner has their key which authenticates them to the car). And only you have your fingerprints.
Once the system knows who you are, it can authorize you to do certain things. So once the website knows it is Miguel, it is willing to let him create new posts and publish them.
The problem in computer security has been that people are stupid and lazy. That means they pick weak passwords, or they write them down or they use them in multiple places. There is a story about the “crack” software. This is software designed to evaluate the password security on a server. When it was in it’s early release, a system administrator downloaded the software and tried it on his user base. And very quickly, just a few minutes, the software printed out the password and user name of the root user (Super User, System Administrator). The system admin was astonished as he thought he had picked a very good password. He had. Unfortunately he used the same password in multiple places. One of the places he used it was an online game. That game was owned by the author of the crack software. The author used all of the passwords in the game as part of the seed of guesses.
So password security is a problem. People do a poor job of picking passwords. They don’t change them often enough, and they write them down where they can be found. Sort of like buying a $5000 gun safe with a great biometric lock, and then putting the bypass key on the side of the safe held there by a piece of tape.
The search is thus for a way to have something people have (a key) or something about a person in order to authenticate. The fact of the matter is that most biometric readers are crap. They are easy to fool or easy to bypass. In some cases, what they do is generate a “password” from your fingerprint or voice or whatever.
So the tool we are starting to use is something manufactured by Yubico called an UbiKey. These are small USB devices, about the size of a thumbdrive or a bit smaller. They can be inserted into a USB port on your computer and when a website or the computer wants you to authenticate, you provide your user name and password and then push a button on the key to get a response that proves you have physical control of that particular key.
This is what we had Miguel and J.Kb get and start using. With this change and turning on MFA (Multi Factor Authentication), it means that if somebody manages to guess the user name and password of our blog masters, they still can’t get into the blog.
If you use google, if you use a Microsoft product, if you use Amazon, seriously consider getting yourself a Yubikey. They can be had from Amazon from around $25 to $50 depending on what you need.
Remember, if you ever lose control of your primary email account, you’ve lost control of all your website access. Almost every website will happily send you a password reset to the email you have on file. And that includes your bank and credit card companies.
Good luck to you all,
Troglodite Services A.K.A. AWA
