The Cloud and Security

Being a computing professional has its perks and its drawbacks.  The perks include getting to hear about and try new technologies before many others do.  The drawbacks include being inundated with information and opinions by vendors in hopes they can steer your buying decisions.  ‘Bring Your Own Device’ (BYOD) is the current hot topic.  Most anyone who runs a business must find some way to deal with the fact that their employees will likely want to use their own tablets and smartphones for business purposes.  This can help a business save money on hardware costs and help their employees be more efficient.  However, BYOD can also cause headaches since the employer wants to secure a device they don’t own.

Let’s talk about the current challenges of BYOD and some new thinking that is making some headway that could change the landscape.  BYOD by its definition calls for a device to be used for both business and personal use.  In most instances, business data is sensitive information which companies do not want to fall into the wrong hands.  Therefore, companies want that data encrypted and in the event the device falls into the wrong hands, they want the data destroyed.  The problem is telling the difference between what is personal data and what is business data.  Most of the tablets and smartphones don’t provide a way to delineate between the two.  Any destruction command will safely remove all the business data from the device, but will also destroy all of the employee’s family pictures, home videos, and reunion emails.  Not good!  Understandably, some employees are not so excited about letting their employers manage their devices.

One idea being bandied about is that of containerization.  Containerization is the partitioning of the device into two segments . . one for business use and one for personal use.  The end users must toggle back and forth between the segments depending upon what they plan to do.  In theory, this is a great idea since management can now target data it wants to protect.  However, in practice, containerization leaves much to be desired.  There is no way to ensure that the end user actually toggles the device when needed.  I’m sure many of you have created documents on your personal computer and emailed them to your business account and vice versa.  Simply putting a toggle in place does not force people to abandon this convenient practice.  In addition, containerization does not provide a way to load multiple instances of the same applications on to a device so if the end user wants to work with Outlook, Excel, and Word for personal use, those apps cannot be a part of the business side.  This forces solution providers and businesses to create their own scaled-down versions of the most popular email, spreadsheet, and word processing programs so they don’t trample the apps already on the device.  These applications are usually feature-starved and require a learning curve for end users.  Productivity takes a big hit in favor of security.

A new idea to solve the BYOD problem has developed out of the solutions to some other problems.  Microsoft Office applications are prevalent in almost every business environment, but are not available on most smartphones and tablets due to licensing agreements.  What if these applications didn’t reside on the device, but instead were accessed from a server in the cloud?  The ‘cloud’ refers to a place the user can always access as long as they have an internet connection.  Some companies are offering this capability to their customers to provide access to the needed applications, but they have stumbled upon a security solution along the way.  If a company can ensure that business-related applications and data remain in the cloud, then there would never be a need to destroy data on the device itself.  Security is achieved as soon as access to company servers is removed from the device.  This ‘cutting of the cord’ can happen quickly and easily.  The end user’s data is untouched, but whoever has the device can no longer access any business-related data.  While there may be some minor holes in this solution, it is easy to implement and maintain for even the smallest IT department.

I think containerization is too flawed to have much of a future so look for the cloud to help solve many of the BYOD problems on the horizon.

 

Sign Out!

I’ve written a lot of articles for this blog where I pontificate about why you need a password, why password strength is important, how you should protect your passwords, what the alternatives to passwords are, and computer security in general.  Let’s say you have followed all my advice.  You formulate your passwords using a proven method.  You don’t use your passwords for multiple sites and purposes.  You change your passwords often.  From a security standpoint, you are in pretty solid shape . . . or are you?

Many of us still find ourselves in situations where we are using community devices to complete our daily computing activities.  You could be on a business trip and you make use of the business center in the hotel.  You may be a student and you use one of the many public workstations available in the library.  The reasons why you can’t use your personal device range from cost to convenience to access issues, but the bottom line is you need to use a computer that is meant to be used by many.

The device may be a bit foreign, but let’s face it . . you are just accessing a web browser.  Let’s take a closer look at your everyday activities which require a user ID and password to access.  If you are using a web-based email program like Gmail, then you must login.  If you are a social media aficionado, most sites like Facebook and Twitter require a login.  Most of you will have likely opened several tabs within the browser window so you can monitor email, Facebook, Twitter, and any other messaging sites.  You do what you need to do at the community computer.  Now what?

If you are at home and you are finished using your own computer, you likely stand up and walk away.  If you do that when using the computer in the business center or the library, the consequences could be dire.  You need to make a conscious decision to sign out of each of the sites you have logged into before leaving the computer.  Closing the tabs or even the browser will not always clear the session.  That means the next person walking up to your computer in the business center or the library could have access to any sites you did not log out of.  Facebook and Twitter posts could be made and attributed to you.  Emails could be sent to your contacts or others unknown to you as if you had sent them.  Open chat sessions could take a strange turn of events as your tone of voice may seem different to your chatting partner when it is no longer you.  All of this can happen even if you have the strongest passwords in the world.  The strength of the password is irrelevant if the thief never has to use it.

When traveling and in a situation where I have to use a community computer, I make a habit of ending my work by deleting the web cache and signing out of each of the sites I had logged into.  In this way, there is no trace of my time on the computer and nobody using the computer after me will have access to my personal information.  One more thing to remember . . I do make a habit of checking the ‘remember me on this computer’ box at home, but it goes without saying that this is a terrible idea when I am using a community device.  Be vigilant and your identity will be safe.

The Death of CAPTCHA

I just read an article proclaiming that CAPTCHA might be on its last legs.    The acronym is short for ‘Completely Automated Public Turing test to tell Computers and Humans Apart.’  The purpose of CAPTCHA is to prevent automated computer ‘bots’ from performing actions on the internet that are intended for people to do.  These actions include making purchases and providing personal information.  The CAPTCHA is a picture of jumbled letters and numbers that the user is asked to reproduce.

I have made light of the CAPTCHA in previous posts and it appears I am not the only one.  Failure rates are high when end users are asked to retype the letter jumble and that leads to frustration, wasted time, and ultimately, lost sales.  Neither the vendor nor the shopper is happy.  Sure, the CAPTCHA has prevented non-humans from invading the internet, but it appears it has also prevented a lot of humans from making purchases as well.

The solution proposed is about the last one I would have thought of, but it is strangely simple and effective.  Some companies are starting to run banner ads within their sites featuring complementary products from other companies.  During the user verification process, they ask the customer to type in the name of the company featured in the banner ad.  As with the CAPTCHA, this ad is always changing so it ensures that a human must verify the ad in place.

This new method of verification is great for the vendor.  They know they are dealing with a human being.  They know their customers won’t have to struggle with the squiggly letters in the CAPTCHA.  On top of all that, they make a further profit through the advertising dollars they raise from providing the banner ad space.

Likewise, the new method of verification is great for the customer.  There is no further angst with guessing the CAPTCHA letters as they simply have to type in the company name featured in the banner ad.  If they are so inclined, they can save time by surfing to the complementary products found in the banner ad.

A new third party benefits as well.  As long as they don’t compete with the hosting company, banner ad participants have found a new and lucrative home for their product placements.  Revenue is available in a way it was never really available before.

And to think, this all started with complaints about CAPTCHA, the very process which was to prevent the problem!

FTP Versus SFTP

I just finished doing a major cleanup of several web sites I own and manage.  An intruder released what is known as a ‘black hole exploit kit’ into my account.  The kit proceeded to modify all the web pages with a little piece of code intended to wreak havoc on the computers of people surfing my web sites.  I was warned by a few users with good anti-virus programs in place, but the questions remained . . ‘How did this happen and how can I prevent it from happening in the future?’

I called my hosting provider and had the good fortune of speaking with a support technician named Nathan.  Nathan confirmed that I had been hacked and helped me with the file cleanup required.  He asked what programs I used to upload files to my web sites.  I listed for him the ones I had used before and he said those were all fine as long as I used SFTP as opposed to FTP.  FTP stands for File Transfer Protocol while SFTP stands for Secured File Transfer Protocol.  Immediately, I knew what the problem was.  I was positive that I was using FTP to transfer files.  Nathan explained that the user ID and password used to initiate an FTP session were not encrypted and could be stripped by network sniffers.  Nathan helped me set up SFTP logins for my hosting account.  He assured me that if I used SFTP to upload files, the user ID and password would be encrypted during transfer.

Nathan had saved the day, but I still felt naïve about the whole process.  I had assumed that creating a user ID and password to protect my file transfers would be enough.  Nathan explained that there was a way to secure an FTP login, but that most people were not aware of it.  I asked why the hosting company still offered FTP if it was so unsafe and he said there were some users who still needed this simple method of file transfer.  Nathan was giving me the company line.  I felt the hosting company should have been more proactive in getting this message across.  Unfortunately, many other hosting companies still provide an unprotected FTP login for their users.  It seems like everyone is sticking their head in the sand on this one.  I also have to point the finger at myself.  Since the incident, I am finding more and more articles warning of this exact same problem and how it can be easily fixed.

Here is an instance where I protected myself with a user ID and password, but I wasn’t really protected at all.  I have now become a bit paranoid.  I still like my hosting company and want to give Nathan kudos for his customer service skills.  However, in the future, I will trust but verify any services provided by vendors I work with.
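To see which accounts are still exposed in the way Nathan described, a server-side FTP command log can be audited for logins sent without TLS.  This is an added example, not code from the original post or the hosting company; the log layout and account names are constructed, and it assumes explicit FTP over TLS (the AUTH TLS command of RFC 4217) as the way of securing an FTP login, which the post does not name.

```python
import re

# Constructed sample of a server-side FTP command log. The layout
# (session id, C>/S> direction, raw command or reply) is hypothetical,
# and every user name and password below is made up.
SAMPLE_LOG = """\
s1 S> 220 FTP server ready
s1 C> USER webmaster
s1 S> 331 Password required
s1 C> PASS constructed-password-1
s1 S> 230 Login successful
s2 S> 220 FTP server ready
s2 C> AUTH TLS
s2 S> 234 Proceed with negotiation
s2 C> USER webmaster
s2 S> 331 Password required
s2 C> PASS constructed-password-2
s2 S> 230 Login successful
s3 S> 220 FTP server ready
s3 C> AUTH TLS
s3 S> 502 Command not implemented
s3 C> USER deploy
s3 S> 331 Password required
s3 C> PASS constructed-password-3
s3 S> 530 Login incorrect
"""

LINE_RE = re.compile(r"^(?P<sid>\S+)\s+(?P<dir>[CS])>\s+(?P<body>.*)$")


def audit_ftp_log(text):
    """Map each session id to the user name it sent and whether the
    password travelled without TLS protection on the control channel."""
    sessions = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        st = sessions.setdefault(
            match["sid"],
            {"user": None, "tls": False, "auth_pending": False, "cleartext": None},
        )
        body = match["body"]
        if match["dir"] == "C":
            verb, _, arg = body.partition(" ")
            verb = verb.upper()
            if verb == "AUTH":
                st["auth_pending"] = True
            elif verb == "USER":
                st["user"] = arg.strip()
            elif verb == "PASS":
                # Record only the fact of the login; the password is dropped.
                st["cleartext"] = not st["tls"]
        elif st["auth_pending"]:
            # 234 is the server accepting AUTH; any other reply means no TLS.
            st["tls"] = body.startswith("234")
            st["auth_pending"] = False
    return {
        sid: {"user": st["user"], "cleartext": st["cleartext"]}
        for sid, st in sessions.items()
        if st["cleartext"] is not None
    }


def cleartext_users(text):
    """Accounts whose password was sent unprotected at least once,
    including failed logins and clients that fell back after AUTH was refused."""
    findings = audit_ftp_log(text).values()
    return sorted({f["user"] or "<unknown>" for f in findings if f["cleartext"]})


if __name__ == "__main__":
    for sid, finding in audit_ftp_log(SAMPLE_LOG).items():
        label = "CLEARTEXT" if finding["cleartext"] else "tls"
        print(f"{sid}: user={finding['user']} login={label}")
    print("rotate passwords for:", ", ".join(cleartext_users(SAMPLE_LOG)))
```

Session s3 is the case worth noticing: the client asked for TLS, the server refused, and the client sent the password anyway, so the account counts as exposed even though the login failed.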

Bring Your Own Device

In this age of smartphones and tablets, mobile computing is becoming more and more prevalent.  If I can do both my personal and work related activities from one device, I can be more productive.  Many  companies recognize this as an advantage for them and encourage their employees to ‘Bring Your Own Device’ or BYOD.  You, the owner of the device, can work the way that is most convenient for you.  Everything you need is on one computing device and you can respond quickly to messages whether they are of a personal or business nature.  Your employer saves money by not having to buy a computer for you and by not having to acquire as much software for the company in general.  Most of the software needed by the average employee is already on the newer smartphones and tablets.  This appears to be a win-win situation.

Upon further review, there is a big problem with this approach and most companies haven’t even scratched the surface regarding an acceptable solution.  When you buy a device for your personal use, you will likely employ a password to protect your personal data from the prying eyes of others.  Most of us are more concerned that our device will be stolen rather than worry about the data that is on it.  Businesses, on the other hand, have legal and fiduciary responsibilities to protect the sensitive company data that is on computing devices.  They need to encrypt the data and in some cases, they need a method to wipe the data if they feel it has fallen into the wrong hands.  If they know the data is protected, they will make little or no effort to recover the computing device and will write it off as a business expense.  It seems to me that individuals and companies have divergent goals regarding the use of one single smartphone.

You may surmise that this issue can be easily taken care of by compartmentalizing personal data and business data.  If my employer wants to encrypt and wipe data belonging to the company, that is fine by me.  Just don’t touch any of my personal information!  In theory, this solution works.  In practice, the operating systems for the popular smartphones and tablets are not built to support such compartmentalization.  For example, I cannot currently install two copies of Evernote on my tablet and expect to use one for business and one for personal use.   Even if I could, there are no tools available to help my employer target only specific data sets for encryption and wipe.

If my employer insists on putting a solution on MY tablet that could result in the loss of MY personal information, I am less inclined to use it in the work environment.  That is a lose-lose situation.  Hence, many large companies are pressuring the smartphone and tablet makers to provide a better solution.  Initial attempts miss the mark.  One vendor segments the drive on your tablet into two areas, one for business and one for personal use.  You can toggle back and forth between the areas depending upon your need.  However, since you still cannot install more than one copy of an application on the device, you must use hybrid applications in the business area.  These applications are feature scarce and require a learning curve for most employees.  Another solution makes use of a virtual machine (VM) on the device.  This shows some promise, but is not easy for the end user to understand and use.  In all likelihood, a VM solution will eventually win out, but it will require that Android and iOS device makers make some concessions in the BYOD arena.

BYOD is here to stay.  Security is the chief issue with this concept and until it is properly addressed, there will be a business loophole.  Device makers must make an effort to understand the new culture they have created and make the necessary adjustments to let people and businesses work the way they want to.

Multi-Factor Authentication Alternatives

I’ve posted a few articles in this blog about the need for passwords, the problems with passwords, and the alternatives to passwords.  In the end, it looks like passwords are here to stay.  What can be done to make them stronger and more effective in protecting the end user?  One method that has been in place for years now is multi-factor authentication.  From our friends at Wikipedia:

“Multi-factor authentication is an approach to security authentication, which requires that the user of a system provide more than one form of verification in order to prove their identity and allow access to the system.  Multi-factor authentication takes advantage of a combination of several factors of authentication.  Three major factors include verification by something a user knows (such as a password), something the user has (such as a smart card or a security token), and something the user is (such as the use of biometrics). Due to their increased complexity, authentication systems using a multi-factor configuration are harder to compromise than ones using a single factor.”

Logically, multi-factor authentication is more secure since any potential thief will have to acquire two or more items instead of just your password.  Most of you have probably been exposed to various methods of multi-factor authentication in the past, but here are some examples I have run across:

  • One of my banks requires my user ID and password combination, but they also want me to verify that the picture they show me on the web site is one that I selected during my account setup.
  • I used to work at a large hi-tech company in the Silicon Valley as part of their Treasury department.  One of the banks we dealt with provided us with a smart card that generated a new four-digit number code every five minutes.  The number code served as our password into the bank’s system, but the code was dependent upon the time at which we attempted to login.
  • In my travels, I have run across companies who use fingerprint authentication to grant access to systems.  Small hardware devices plugged into your computer are taught to recognize your thumb print and use that as the method by which you login. When fingerprint authentication fails, a traditional password is the backup plan.
  • With tablet use becoming more prevalent, the use of fingers on the screen is in wider use.  Windows 8 allows for a ‘swipe’ method of authentication.  You choose a picture and a series of finger swipes from points on the picture to create your authentication. When the swipe pattern is forgotten by the user, a traditional password is the backup plan.
  • Physical device authentication has seen a surge in popularity lately.  I may set up my account on one computer, but several weeks later, I try to access my account from another computer.  Companies with a higher standard of security will recognize that this is a computer you do not normally use.  They may take the authentication beyond a simple user ID and password and ask some of the security questions you set up when you created your account.
  • Another security method gaining acceptance is to require the end user to respond to an email before gaining entry to the web site.  In the past, this was usually reserved for resetting passwords, but recently, some businesses are requiring that you respond to the email each time.  Their thought process is that it is unlikely the thief has compromised both your web site password and your email account.

Of course, there are more multi-factor authentication methods out there, but this should give you a good flavor.  Are they overkill?  My answer would be ‘yes’ and ‘no’.  A simple user ID and password is probably sufficient for buying a book from Barnes and Noble as long as I haven’t stored my credit card information online.  However, a multi-factor solution is better for banks and web sites containing my personal information.  Health care facilities and government entities should require multi-factor authentication.

Passwords Are Here To Stay

Many of the visionaries in the technology field have predicted that the password will cease to be a part of the user authentication process on future computing devices.  They point to the fact that passwords do not have a solid history of providing the best security.  They are too hard to remember by end users who end up writing them down or reusing them.  They are too easy to guess by thieves who understand the bulk of technology users are novices.  The overhead that passwords create for the organizations and companies that must manage their end users and customers has reached a tipping point.

Those of you on the leading edge of technology may have forged ahead into the new world of Windows 8.  If you have decided to protect your tablet with user authentication, Microsoft has provided you with a new option.  Instead of choosing a password, you can now identify yourself with a series of swipes on the screen.  When compared with passwords, these series of swipes provide a much stronger barrier to entry.  The swipes are created by the end user upon a background picture featuring distinct people and objects.  The user must memorize these swipes (direction, angle, length) so they can gain access to their tablet each time it requires authentication.  This sounds revolutionary.  It is.  Stealing your swipes is much harder than stealing your password.

I’ve seen a few of these ‘swipe’ solutions in action and they are quite impressive.  However, sometimes a user forgets their swipe sequence . . . just as they do a password.  Frequently the vendor response is to provide hints for each of the swipe sequences . . . just as they do for a password.  When all else fails and the hints do not help a user remember their swipe sequence, the backup plan is for the user to provide a user ID and . . . and a password.  The backup plan is to use the old plan.

I believe the swipe method will work out the kinks in the future, but I think it will always tow passwords with it.  Swiping will resonate with end users because it is easy and fun.  Other authentication methods may be more secure, but they have failed in the mainstream because they are simply too hard for the end users to remember and perform.  Two-factor authentication combines something you know with something you have.   This method is clearly more secure, but because it requires two items, it is twice as likely to fail.  Failure does not mean that security is broken.  In this case, failure means the user does not have one or both items and therefore, cannot gain access to their computer.  They are then unable to perform their task and become unproductive.

Despite all of their warts, using passwords is still seen as the best fit for those seeking both security and ease of use.  Even some of the visionaries I spoke about earlier are admitting we will continue to use passwords for the foreseeable future.

The Social Login

In some of my previous blog posts, I’ve written about the stringent password rules that some web sites employ in the name of protecting themselves and the end user from theft.  In turn, the end user, while acknowledging the need for security, is always looking for an easy and quick way to get things done.  I admitted that in the past, I had taken to using the same user ID and password combination on many different web sites.  I quickly learned that many thieves think the same way.  They are hoping you use this shortcut because if they steal your password for one site, they have it for many others as well.

A new phenomenon which introduces some of the same benefits and problems is the practice of allowing an end user to use their social media user ID and password to log into a web site.  I can login to some web sites now without setting up a site specific user ID and password.  These sites are giving end users the option to click on an icon for sites like Facebook or Twitter to verify who the end user is.  End users do not need to spend time choosing a user ID, choosing a password, answering security questions, and building account information.  Their existing identity on Facebook or Twitter is enough to provide verification.  The convenience is a huge plus for both the web site owner and the end user since the selling and buying can take place so much quicker.

Upon further examination, this convenient practice might be even worse than using the same user ID and password for all your online accounts.  Why?  Let’s say I am already logged onto my Facebook account as I busily work away at my local coffeehouse.  I take a much needed break and get in the long line to order a venti café mocha latte double espresso (sorry . . . I don’t drink coffee).  At any rate, a curious coffeehouse patron with evil intent notices my unattended tablet.  They pop open a browser window and log on to Best Buy . . . using my Facebook identity!  If I made the mistake of storing my credit card information within the account, I have just gifted our thief a new Wii console.  Wow!  This new social login process is convenient for everyone… site owners, end users… and thieves!

I realize I’m not providing a solution here, but I do have a concern that the rush to make things easier will end up making life more difficult in another way.  I’m all for advances that make me more productive, but they need to be thought through to determine if security holes have developed.  I think it is clear that there is a problem with the current social login approach so maybe this approach shouldn’t be used by web site owners who are selling something or those who have the end user’s personal information available.

Facebook and Your Employer

Sometimes I worry that important events are going on around me and there is no way for me to weed through all the unimportant media noise to get to it.  The local TV news is embarrassingly bad.  Newspapers have become irrelevant.  The internet has the real news if you know where to look and don’t get distracted.  I am easily distracted.

So it shouldn’t come as any surprise when I read a news story about a law which will prevent an activity I didn’t even know existed.  I just read that a new law is going into effect in five states that will prevent employers from requiring employees or job applicants to provide their personal social media passwords.  What?!!  This was a real thing that companies could do?  I am angry on many levels:

  • How is this not a direct violation of one’s privacy?
  • What pompous executives think this is not a rights violation in this day and age?
  • Why did a specific law need to be written to protect our privacy on social media?
  • What rock have I been living under that I didn’t know this was a real thing?

As I understand it, employers believe your presence on social media is a direct extension of you.  For a job applicant, they feel they can have access to your social media accounts as part of the background checks they perform.  For existing employees, they want to keep tabs on your social media accounts to make sure you aren’t breaking any of the rules in your employment contract.  All of this makes sense if you live in a society where enterprise and government rule the individual.  However, the United States was built on a different set of principles that these policy makers can’t seem to understand.

I challenge these policy makers to look at the supposed problem in a different way.  How would they feel if the tables were turned and we had access to their accounts?  I know… you will find a few who will proudly say, “If you have nothing to hide, then why won’t you give me the passwords?”  My reply is that if I tell you it is my personal information and I am not willing to share with you, the laws of this country protect me and compel you to treat me as you would any other candidate or employee.  What I do in my personal life is of no concern to you unless it directly affects your business.  Your job application has questions like, “Do you have a criminal record?”  and “Have you taken illegal drugs before?”  How about adding another one like, “Do you engage in any social media activity that could be detrimental to our company’s business?”  That should suffice.

Only five states will see the law go into effect in 2013.  That means it is still legal in many other states.  Social media is an animal that much of our government is just beginning to understand.  I’m guessing they just didn’t know how to apply existing rights that individuals have to new technology.  Common sense should have prevailed.  Just as I own my personal information such as my bank accounts, my credit card numbers, and my stock portfolio, I also own my social media accounts.  One may argue that social media information can be shared with hundreds and thousands of others and that a company is just looking out for itself by looking over the shoulder of the user.  Sounds like these companies are acting like Big Brother to me.

Social media is the way the young technologist communicates.  It is foreign to the old guard including myself, but I’m willing to learn.  What worries me is that with each new technology change, our world has to adapt.  Information flow and how it applies to business and government must be constantly reviewed so that laws like this do not have to be written and passed.

Don Friesen

I got hooked on live comedy in the 80’s and have loved it ever since.  My friends and I saw the starts to so many careers including Bobby Slayton, Ellen DeGeneres, Paula Poundstone, Dana Carvey, Tom Kenny (SpongeBob Squarepants), and even Robin Williams.  Even though there are not as many comedy clubs as there used to be, I still like to take in a show now and then.  One of my new favorites is a comedian by the name of Don Friesen.  Don is the only two-time winner of the San Francisco Comedy Competition and recently had his own Showtime comedy special called “Ask Your Mom”.  While I have nothing against a comedian who uses harsh language and sexual situations to produce laughs, Don is a refreshing change from all of that.  His observational humor is storytelling at its finest.  Check out Don at his web site: http://www.donfriesen.com.

Don has one particular routine called “Forgot Password” that is funny for all kinds of computer users.  See the five-minute bit here.  Without spoiling the act, the comments that really struck a chord with me were:

  • We get conflicting advice about how to select a password.  On the one hand, we are asked to choose something we can easily remember… like a pet’s name.  On the other hand, we are asked to use capitalization, numbers, and special characters in our passwords.  Don asks, “Who names their pet ‘P 3 Underscore’?”
  • If you don’t go to a web site often, do you find yourself clicking the ‘forgot password’ link automatically?  You are then asked if you want a hint which is usually constructed of questions and answers you set up long ago.  Don laments, “Can I have a hint for my hint?”
  • Many of the security questions we are asked at web sites must be chosen from a predetermined list:  What is the name of your first grade teacher?  What was the mascot at your high school?  What is your mother’s maiden name?  Many months later when you return to the site, those hints seem like they were selected by somebody else.  Don has a different theory… “I think ‘Previous Me’ decided to play a joke on ‘Future Me’!”
  • Sometimes we get so frustrated trying to figure out our user name and password, we resort to setting up a whole new account from scratch.  We smile smugly thinking we have found a way around the hoops.  We put in our new user ID and new password.  Alas, we are told the password is too weak and too easy to guess.  Don disagrees… “If it were so easy to guess, why did I just resort to setting up an entirely new account?”
  • The last thing you have to do when setting up most new online accounts is the CAPTCHA.  The name is short for ‘Completely Automated Public Turing test to tell Computers and Humans Apart.’  The purpose is to prevent automated computer ‘bots’ from performing actions on the internet that are intended for people to do.  These actions include making purchases and providing personal information.  The CAPTCHA is a picture of jumbled letters and numbers that the user is asked to reproduce.  Don’s view… “That Squiggly Letter Test always takes me six or seven tries.  It might work better if they chose real words or phrases, but they never make any sense.”

I don’t believe Don is trying to change anyone or anything.  He is just pointing out the funny things that occur to him when he is forced to interact with technology.  Judging by the number of laughs he gets, I suspect the same thoughts have crossed the minds of most members of his audience.