Hey you get off of my cloud

I have a Network-attached storage (NAS) disk that I use for music files, backups and so on. It’s basically a Linux computer with two mirrored 4TB disks. It can also work as a private cloud, à la Dropbox. In the interests of security, I secured it with 2 factor authentication (2FA), as I discussed in an earlier blog. To be precise, I created a new admin account, disabled admin rights on ordinary users and disabled the old admin account. Or so I thought.

In fact, what I had done was make the web access more secure from inside my home network, while leaving the external access exactly the same. The only useful feature I had enabled was tracking of any attempts to break into the system.

The first point that I had overlooked, in my enthusiasm, was that web access to the system admin account is only possible from the local network, because external access is blocked by the router. The second point I had missed was that although I had disabled the web admin access, it was still possible to get in via a command line interface. And that’s exactly the way remote hacking software tries to get in, not by a web interface. What I had done was bolt the living room door, while leaving the front door open. It’s not quite that bad as I had a strong password on the admin (root) account. Moreover, I had set the system to permanently block any IP address from which there were 3 failed login attempts in 10 minutes. But it wasn’t too clever.
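The blocking rule described above (3 failed logins in 10 minutes, then a permanent block) can be replayed over a log to see what it catches. This is an added example, not the NAS vendor's code; the log lines, the host name `nas`, the assumed year and the function names are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # the post's policy: 3 failed logins ...
WINDOW = timedelta(minutes=10)   # ... within 10 minutes
YEAR = 2024                      # assumption: syslog lines carry no year

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

# Constructed sample log (documentation-range addresses, not real data).
SAMPLE_LOG = """\
Mar 12 02:14:07 nas sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 12 02:14:11 nas sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 12 02:14:19 nas sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 12 02:14:25 nas sshd[2216]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 12 03:00:00 nas sshd[2300]: Failed password for root from 198.51.100.9 port 40000 ssh2
Mar 12 11:30:00 nas sshd[2411]: Failed password for root from 198.51.100.9 port 40112 ssh2
Mar 12 19:45:00 nas sshd[2519]: Failed password for root from 198.51.100.9 port 40377 ssh2
Mar 12 20:01:00 nas sshd[2600]: Accepted publickey for root from 192.168.1.20 port 50522 ssh2
"""

def find_bans(log_text):
    """Return {ip: time of ban} for IPs reaching MAX_FAILURES inside WINDOW."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        stamp, _user, ip = m.groups()
        if ip in banned:          # permanent block: later attempts are ignored
            continue
        when = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:   # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            banned[ip] = when
    return banned

def failure_counts(log_text):
    """Total failed attempts per IP, banned or not."""
    hits = (FAILED.match(l) for l in log_text.splitlines())
    return dict(Counter(m.group(3) for m in hits if m))
```

In the sample, the address with three failures spread across one day is counted by `failure_counts` but never appears in `find_bans`, so a rate-based block alone does not cover password guessing at that pace.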

The logs revealed (after decoding the IP addresses) that the attempted break-ins were all coming from one country. Yup! China. I don’t take this personally. These break-in attempts are run by automatic systems, trying random addresses, followed by common username/password combinations. This is probably how most corporate break-ins occur. However, the fact that two or three attempts are made a day and are all coming from China is disturbing.

Given that my security attempts were not particularly effective, what could I do? First, 2FA from within the home network is a bit pointless (as long as my wi-fi is secure) and annoying. So I turned that off. Second, I have changed the login method. Being able to log in using ssh is incredibly useful. It’s possible to use the sftp protocol to move files and it’s possible to do things that the web interface makes difficult. But that means allowing root access in some way.

The solution is actually straightforward, albeit slightly tricky to get working. Instead of using passwords, ssh access is now only allowed with public/private keys. Anything that wants to connect to my NAS now has to generate a public/private key pair and to pass the public key to the NAS. Apart from setting up the ssh configuration on the NAS, the tricky bit is generating keys on, say, Android devices and passing the key to the NAS via a third, trusted computer. Now, any attempt to log in without a key is immediately rejected.
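A check for the key-only setup described above, written as an added example rather than anything from the original post: it reads `sshd_config` text and reports every way a password could still be accepted. The sample configurations and function names are constructed; the defaults are those of upstream OpenSSH and are an assumption for any particular NAS build, and `Match` blocks are not evaluated.

```python
# Upstream OpenSSH defaults for the keywords checked (a vendor build may differ).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",   # can prompt for a password via PAM
    "permitrootlogin": "prohibit-password",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample configurations, not taken from any real device.
WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
# appended later, but sshd keeps the first value it reads for a keyword
PasswordAuthentication no
"""
HARDENED = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
"""

def effective_settings(config_text):
    """Global-section values as sshd resolves them: first occurrence wins."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":                # conditional blocks are not evaluated here
            break
        key = ALIASES.get(key, key)
        if key in DEFAULTS and key not in seen:
            seen[key] = parts[1].strip().lower()
    return {**DEFAULTS, **seen}

def password_paths(config_text):
    """List each way a password could still be accepted over ssh."""
    s = effective_settings(config_text)
    problems = []
    if s["passwordauthentication"] != "no":
        problems.append("PasswordAuthentication is not 'no'")
    if s["kbdinteractiveauthentication"] != "no":
        problems.append("KbdInteractiveAuthentication is not 'no'")
    if problems and s["permitrootlogin"] == "yes":
        problems.append("PermitRootLogin yes lets root use those password paths")
    return problems
```

`WEAK` shows the usual trap: appending `PasswordAuthentication no` below an existing `yes` changes nothing, because the first value wins.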

It is possible to put another level of security on top of this, by using certificates. I’m not yet sure I need that.


What you have, what you know… and who you are

I wrote in my last post about two step authentication (aka two factor authentication, two factor verification, TFA, 2FA, etc, etc). In other words, your online identity has to be verified by two steps – what you know (a password) and what you have (a one-time code, generated by Google Authenticator, for example). There is a third option: who you are. That suggests some form of biometrics. Now we can choose two from three.

In the spirit of experimentation, rather than paranoia, I tried adding a third level to my mobile phone. I have a 3 year old phone. I can’t do fingerprint recognition, but it has two cameras and a microphone. There are various apps that will do face and voice recognition. I chose one that does both of these. I’m not going to name names, because I don’t think it’s fair, but after a week of playing, I gave up!

Problem 1: face recognition is fine in principle. It works if the lighting is good. I could lock appropriate apps, such as Google Authenticator. The drawback is that the light is not always good. In practice, I kept finding myself with my back to a light, or in front of a window, or simply in a badly lit room.

And problem 2 is that speaking a phrase to a phone just seems odd. Every time I wanted to unlock something, I ended up typing in a PIN, as the fallback option. This kind of defeats the point.

In summary, I gave up because the pain outweighed any benefits. That’s not, however, to say that biometrics are a bad idea. Apple, in particular, seem keen to push for biometric identification to replace passwords. They don’t appear to be pushing for biometrics plus something (2FA), however, which doesn’t seem, to me, to be the right way to go.

There are a number of interesting questions here, that I will return to, in a slightly different context, at a later date. First, what biometrics should we use? Face and voice recognition are easy to support in laptops and phones. These devices have forward-facing cameras and microphones. Fingerprint recognition requires special scanners. Iris recognition needs special hardware, too. Second, what constitutes a unique identity? How unique are fingerprints? The short answer is that nobody knows. Related to this is the question of what is being measured. A fingerprint is not a digital code. It’s a measure of particular features, subject to a certain resolution. The same applies to irises, faces, voices and DNA.

Finally, even if a biometric pattern is unique now, will it stay the same with time? We all know (unfortunately) that our faces change with time. How about our fingerprints and even our DNA? Do the distinguishing features remain the same over many years? I suspect not.

Ultimately, I think we are going to go in the direction of who you are plus something else. That raises some interesting questions about how we can validate what’s connected to the internet. It’s not just people, but things – how can we know that a smart meter is just a smart meter and not a Trojan?

What you know and what you have

At first I tried to resist having a mobile phone. Then I tried not to have a smartphone. Now I realise it’s become almost part of me. In the past three months, I’ve upgraded all my online security and now I have become almost completely dependent on a three year old smartphone, that has a poor battery life and insufficient memory.

Having been part of the team that won accreditation for our MSc in CyberSecurity, I finally thought I should do something about my own cybersecurity. I realised (with some horror) that I had about 120 web accounts (I’m not exaggerating) with more or less the same password. All of these accounts were low risk, with no personal information (I hoped). What would happen if one site were hacked? That’s not a silly question and we’re going to see more and more of that happening. How much trivial information had I distributed between accounts, that could be assembled into a bigger picture? Time, therefore, to do something.

Trying to remember distinct passwords for 150 websites is beyond anyone, I think. So I signed up to LastPass. The idea is to have one “vault” containing all your websites and passwords. The vault is encrypted, but stored in the cloud, so it’s available to any PC, laptop, phone etc. There are a number of similar services, but LastPass seems to work on everything. LastPass will also generate secure, unique passwords. It also gives you a security score, and after a lot of editing, I’m now in the top 2% of users (yea!).

One password to get access to everything is great, but what if that LastPass is hacked? What if my password is stolen on some public machine? The next step is two factor authentication (TFA) – something you know (a password) and something you have (a security device). A neat little app called Google Authenticator runs on my phone and generates a sequence of pseudo-random digits that change every minute. To log into LastPass, I now need my password and my phone. I’m now unhackable! To be even more secure, I’ve now turned on TFA for as many other accounts as I can – WordPress, Google and even Microsoft accept Google generated codes. Some other sites (Apple, Twitter) send a code to my phone by SMS.

Now my phone is a trusted device, which I need to keep by my side. What happens if I lose my phone? I nearly managed that at the start of this exercise. I put it down (I won’t say where) and wandered off. There are two lines of defence. First, for all these TFA accounts, I can generate a “one time password” that does what it says. I can log in once, without a security code to an account. The one time password is either generated in advance and stored (somewhere) or sent to me by email. I haven’t quite created an Escher staircase here, I think there’s a way in whatever, but I don’t really want to test it. Second, I can wipe my phone remotely, with an app called “Where’s my Droid”… if I can log into that account. That I really don’t want to test.

Am I now more secure? Undoubtedly yes. As I wrote at the start, there will be more data breaches. Soon there will be a really serious hack on a major player. I don’t have any insider knowledge, it’s just inevitable. But I’m now tied to this bloody phone. Upgrading would involve turning off all the TFA security while I migrated across to a new device and then turning it all on again. It’s not just Google Authenticator that regards that phone as my most trusted device. There’s online banking, too. It’s not impossible, but it is a day’s work. What’s the alternative? Fingerprints? Retinal scans? DNA?

Interconnected Social Media

Over the past few months, I’ve signed up to various sites that might be described as “social media”. Not Facebook – I’ve had a Facebook account for years, and I almost never use it. These sites are professional/academic sites like academia.edu and researchgate.net. The idea is that papers that I write with students and colleagues are indexed and sometimes stored on these sites, so that other researchers can find them. To some extent they duplicate Google Scholar, but there is also space to share ideas, ask questions and so on. In other words, they’re social media.

Then there’s this, a WordPress blog, which isn’t so much social media as a monologue. This blog automatically links to my LinkedIn account and to my Twitter feed*. I can post from LinkedIn to Twitter automatically. And although LinkedIn sometimes looks like a more restrained version of Facebook, it seems to work. Yesterday I put up a message about a paper that has been published in IEEE Transactions on VLSI, and 76 people have looked at that post. Perhaps some will even read the paper.

From a professional, academic point of view, all this linked “social” media seems like a good idea. If I can publicise what I’m doing, and more people read my papers, that’s a good thing, surely. But where to stop? I could link Facebook to Twitter and have all my LinkedIn posts copied to both Twitter and Facebook, but that seems like a bad idea. While on holiday, over the summer, I posted several reviews to Trip Advisor. I could link Trip Advisor to Facebook (and hence to Twitter) or to Google+. That’s starting to sound like a really bad plan. Do I really want to mix my opinions of restaurants and pubs with notice of technical papers?

As far as I can see, I either have to unlink all this social media, which means I start repeating myself manually, or I’m going to have to create two or more online, linked identities… and then I have to remember what’s connected to what.

*My first attempt to share this was spectacularly unsuccessful – a link entitled “Auto Draft”. Let’s try again.