The blog was being attacked by bots, and AWA told us to increase security by using physical security keys. I was amazed that it was both inexpensive and not hard to set up, so I asked him to write a post, and he was kind enough to give us a damned good one.
From the Trenches:
When we got started on the Internet, we looked at our systems as being a shared resource. The “big” computer up at MIT had a guest login. Everybody knew the password. If you wanted to work on it, you logged in to the guest account and did your work. There was a creed and an ethos that said “Do no evil, leave no sign, leave it better than you found it.”
And for years that’s how it worked. Then money showed up on the Internet in the form of valuable resources or actual access to banking information.
At that point, the crackers and evil hackers came into existence. The goal was always: just one sucker today. Just one account, today. These were the days of getting an email telling you of a penny stock that was about to explode in value. You could look, see that it had a low price, you could see the trendline and think “yeah, maybe so.” And you’d invest a few hundred or a few thousand dollars. If you got out early enough, you might not lose money.
Your email address became valuable, just as a probe. My ISP got hammered one day, some 50,000+ spam emails all trying to scam somebody. I contacted the provider and spoke to them about the spam. They acknowledged that it was spam, and that they were trying to stop it but had not succeeded. When their customer had come to them, they had acknowledged they would do bulk email and set up the contract to protect the provider. “If there is a more than 0.05% abuse rate on the emails, then it would be declared spam, and the accounts could be canceled.”
So how many abuse reports had the provider handled at that point? Over 3000. And what was that percentage? 0.03%. That spammer had sent more than 10 MILLION emails that day.
The website doesn’t allow user logins except via known sources. There have been more than 20,000 attempts to break into the server in the last week.
There have been many more attempts at breaking into the website. We block many of them.
But all of this comes back to how they try to break into a server or website. The gist is that they try lots of guesses. They are good guesses, but they are guesses nonetheless.
Security rests on authentication and authorization. Authentication is the process of proving you are who you claim to be. There are only three ways to do this: something only you know, something only you have, and something you are. Your password should be something only you know. The key to your car is something only you have (your partner has their own key, which authenticates them to the car). And only you have your fingerprints.
Once the system knows who you are, it can authorize you to do certain things. So once the website knows it is Miguel, it is willing to let him create new posts and publish them.
The problem in computer security has been that people are stupid and lazy. That means they pick weak passwords, or they write them down, or they use the same one in multiple places. There is a story about the “crack” software. This is software designed to evaluate the password security on a server: it takes a list of likely guesses, hashes each one the way the system does, and compares the results against the stored password hashes. When it was in its early release, a system administrator downloaded the software and tried it on his user base. Very quickly, in just a few minutes, the software printed out the user name and password of the root user (superuser, system administrator). The system admin was astonished, as he thought he had picked a very good password. He had. Unfortunately, he used the same password in multiple places. One of the places he used it was an online game. That game was run by the author of the crack software, who had seeded his list of guesses with all of the passwords from the game.
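The mechanism in that story, as an added example (this is not the crack program and not code from the post): a wordlist attack against salted password hashes, where the wordlist is seeded with passwords captured on a different site. The server accounts, the salts, the hashing scheme and the “leaked” game-site list are all constructed for the example, and the PBKDF2 round count is kept deliberately low so the demo runs instantly; it is not a production setting.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

ROUNDS = 1_000   # deliberately low for the demo; real systems use far more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the system's crypt()."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def make_shadow(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a shadow-file-like table: user -> (salt, hash).
    The plaintexts are only used here to construct the demo data."""
    shadow: Dict[str, Tuple[bytes, bytes]] = {}
    for user, password in users.items():
        salt = secrets.token_bytes(8)
        shadow[user] = (salt, hash_password(password, salt))
    return shadow


def crack(shadow: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Dict[str, str]:
    """Return {user: recovered_password} for every account whose password
    is somewhere in the wordlist. This is all a cracker does: guess, hash,
    compare."""
    found: Dict[str, str] = {}
    for user, (salt, stored) in shadow.items():
        for guess in wordlist:
            # The per-user salt forces every guess to be re-hashed per user.
            # It slows the attack down; it does not stop it.
            if hmac.compare_digest(hash_password(guess, salt), stored):
                found[user] = guess
                break
    return found


# Constructed generic wordlist of common passwords.
COMMON_WORDS = ["password", "123456", "letmein", "password1", "qwerty"]

# Constructed "leak": plaintext passwords harvested from another site
# (the online game in the story).
GAME_SITE_PASSWORDS = ["dragon", "Tr0gl0dyte!Spring-1991", "hunter2"]

# Constructed server accounts. root's password is long and absent from any
# common wordlist, but it was reused on the game site; bob's is unique to
# this machine; alice's is simply weak.
SERVER_USERS = {
    "root": "Tr0gl0dyte!Spring-1991",
    "alice": "password1",
    "bob": "Xq9#mLp2$vB7wZ",
}


def demo() -> Dict[str, Dict[str, str]]:
    """Run the cracker twice: with the generic list alone, then seeded
    with the other site's passwords."""
    shadow = make_shadow(SERVER_USERS)
    return {
        "common_only": crack(shadow, COMMON_WORDS),
        "with_leak": crack(shadow, COMMON_WORDS + GAME_SITE_PASSWORDS),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

With the generic list only alice falls. Add the other site's passwords and root falls in the same pass, exactly as in the story; bob survives both runs because his password exists nowhere but on this machine. That is the whole argument for one unique password per site.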
So password security is a problem. People do a poor job of picking passwords. They don’t change them often enough, and they write them down where they can be found. Sort of like buying a $5000 gun safe with a great biometric lock, and then putting the bypass key on the side of the safe held there by a piece of tape.
So the search is for a way to authenticate with something a person has (a key) or something a person is. The fact of the matter is that most biometric readers are crap: they are easy to fool or easy to bypass. In some cases, all they do is generate a “password” from your fingerprint or voice or whatever, and that “password” is then checked like any other.
So the tool we are starting to use is something manufactured by Yubico called a YubiKey. These are small USB devices, about the size of a thumb drive or a bit smaller. You insert one into a USB port on your computer, and when a website or the computer wants you to authenticate, you provide your user name and password and then touch a button on the key. The key answers a challenge from the site with a response that only that particular key can produce, which proves you have physical control of it.
This is what we had Miguel and J.Kb get and start using. With this change and MFA (multi-factor authentication) turned on, it means that if somebody manages to guess the user name and password of our blog masters, they still can’t get into the blog.
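The three gates the post describes, as one login routine. This is an added example, not the blog’s configuration and not Yubico’s code: (1) accept login attempts only from known source networks, as the post says the site does; (2) check the password against a salted hash; (3) require the hardware key to answer a fresh random challenge. Gate 3 models the HMAC-SHA1 challenge-response mode that YubiKeys offer, where the key holds a secret that never leaves it and only that key can produce the correct HMAC of the server’s challenge. The `HardwareKey` class standing in for the physical key, the allow-list networks, the user, the passwords and the secrets are all assumptions constructed for this example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, Optional

# Constructed allow-list standing in for the post's "known sources".
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]
PBKDF2_ROUNDS = 100_000


class HardwareKey:
    """Stand-in for a YubiKey in HMAC-SHA1 challenge-response mode
    (an assumption of this example). The secret is written at enrolment
    and never read back; the key only ever answers challenges."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # On a real key this is the point where the button must be touched.
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class LoginServer:
    def __init__(self) -> None:
        self._accounts: Dict[str, dict] = {}
        self._pending: Dict[str, bytes] = {}   # one outstanding challenge per user

    def enroll(self, user: str, password: str, key_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[user] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "key_secret": key_secret,   # shared secret: this mode is symmetric
        }

    def source_allowed(self, source_ip: str) -> bool:
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in ALLOWED_SOURCES)

    def password_ok(self, user: str, password: str) -> bool:
        acct = self._accounts.get(user)
        if acct is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, acct["pw_hash"])

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return challenge

    def verify_response(self, user: str, response: bytes) -> bool:
        """Single use: the challenge is consumed whether or not the response
        matches, so a captured response cannot be replayed."""
        challenge = self._pending.pop(user, None)
        acct = self._accounts.get(user)
        if challenge is None or acct is None:
            return False
        expected = hmac.new(acct["key_secret"], challenge, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)

    def login(self, source_ip: str, user: str, password: str,
              key: Optional[HardwareKey]) -> str:
        if not self.source_allowed(source_ip):
            return "denied: source not on allow-list"
        if not self.password_ok(user, password):
            return "denied: bad user or password"
        if key is None:
            return "denied: hardware key required"
        if not self.verify_response(user, key.respond(self.issue_challenge(user))):
            return "denied: key response did not verify"
        return "ok"


def demo() -> Dict[str, object]:
    """Constructed login attempts: the outcome of each gate in turn."""
    server = LoginServer()
    miguel_secret = secrets.token_bytes(20)   # 20 bytes, the HMAC-SHA1 slot size
    server.enroll("miguel", "correct horse battery staple", miguel_secret)
    real_key = HardwareKey(miguel_secret)
    other_key = HardwareKey(secrets.token_bytes(20))
    good_pw = "correct horse battery staple"
    results: Dict[str, object] = {
        "outside_source": server.login("198.51.100.7", "miguel", good_pw, real_key),
        "wrong_password": server.login("203.0.113.42", "miguel", "hunter2", real_key),
        "no_key": server.login("203.0.113.42", "miguel", good_pw, None),
        "wrong_key": server.login("203.0.113.42", "miguel", good_pw, other_key),
        "owner": server.login("203.0.113.42", "miguel", good_pw, real_key),
    }
    # Replay: a response captured from one login is useless for the next one.
    captured = real_key.respond(server.issue_challenge("miguel"))
    results["first_use"] = server.verify_response("miguel", captured)
    server.issue_challenge("miguel")
    results["replay"] = server.verify_response("miguel", captured)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The point the post makes is the `no_key` and `wrong_key` rows: a bot that has guessed the user name and password gets exactly as far as one with a random YubiKey, which is nowhere. The replay rows show why the challenge has to be random and single use; a fixed challenge would turn the key’s response into just another static password.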
If you use Google, a Microsoft product, or Amazon, seriously consider getting yourself a YubiKey. They can be had from Amazon for around $25 to $50, depending on which model you need.
Remember, if you ever lose control of your primary email account, you’ve lost control of all your website access. Almost every website will happily send you a password reset to the email you have on file. And that includes your bank and credit card companies.
Good luck to you all,
Troglodite Services A.K.A. AWA
Just bumped a couple of the current-model YubiKeys from the “maybe someday” list (where such things had been for well over a year) to “OK, go ahead and order them”.
Then I gotta figure out how actually to use them, for my particular circumstances.
(Yeah, there’s a heck of a lot of suspicious activity on the mail server, like several zillion probes a day trying to use it as a spam relay.)
… One of these days, I really ought to update my password on all the inconsequential sites where I used a generic trivial password, back in the day.
And ferchrissakes, don’t use a cloud-based password manager.
I understand part of the “why not” I think. Vulnerability, to hacking and to the provider itself. But.
Just banking, credit cards and “major retailers” like Amazon can get you up to 10 or so accounts. Given the number of online accounts we wind up with these days – it seems like every online retailer demands you make an account, no more guest checkouts – it’s not hard to get up to hundreds of “accounts,” none of which should have the same password.
That’s far too many for most people to remember, especially if they are good, randomized non-word passwords. A password manager that can generate decent passwords as needed, and sync the database across devices (say desktop, laptop and phone), would seem to be a way to help deal with that problem.
How do you balance the competing requirements of having many strong, random passwords and not having them “written down” somewhere?
At a bare minimum, use KeePass as your password manager (free) and Dropbox to sync across multiple devices (also free). I imagine you could also use OneDrive or some other cloud storage. You would have to use different (STRONG) passwords for the KeePass file and Dropbox so that if one is compromised, then your password data is still safe.
Personally, I use KeePass and a self-hosted installation of Nextcloud behind a certificate based VPN. That’s an extremely technical solution that isn’t for most people, but KeePass+Dropbox is fairly easy.
“But Dropbox is the cloud!”
Yes, but it’s not the juicy target that LastPass or other cloud-based password managers are. That’s the distinction. If I get your LastPass password (or hijack a session, or…) that’s the ballgame. The LastPass user database has been stolen several times, although I think they’ve only gotten hashes and nothing cleartext.
I also hate cloud storage in general, but if you only use it for this it’s less risky.
Make sure you guard your cell phone and SIM card as well. Lots of 2FA relies on apps or text messages. Have recovery and revocation info handy. Unfortunately you can’t do much about crooked phone company insiders cloning SIM cards, but physical security limits less privileged attacks.
One thing you also have available on a WordPress themed blog (well, at least I can on mine) is the ability to “whitelist” the URLs that can be used to log in from.
It doesn’t matter if someone figures out your login/password. If they’re not logging in from the correct URL, they can’t even get to the log in prompt.
So, Mr. Troglodite, what was your connection to that magic guest account at the MIT Lab for Computer Science (LCS)? Just curious… I had an Arpanet account and an account on the MATLAB machine (one of four DEC-10s connected by the ChaosNet) from some time in the latter half of the 70s until someone deleted it about four or five years after I graduated. I never paid attention to the guest login, since I never had to use it….
You’re spot on, though, about the ethical code to which most of us adhered. In those days, anyone who would send spam emails was seen as the epitome of evil.
YMMV….