Showing posts with label security. Show all posts

Sunday, February 23, 2020

Someone is hacking at my Vanguard account and Vanguard can't stop them locking me out

So this has been happening.

Every few days for the past few weeks I have received an email from Vanguard like this:

Of course it's not me. Someone (most likely some bot) is running passwords against my Vanguard user name. When they fail I'm locked out.

It's not supposed to work this way. Lockouts triggered by someone else's failed logins were a common problem in the 1990s, but security teams then learned to slow repeated failures with progressive delays instead of freezing the account, which blunts password-guessing attacks without letting the guesser lock the real user out. The chance that anyone will guess my quite long and random unique password is infinitesimally low.
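The difference between the two policies in a toy model. This is an added example, not code from the post or from Vanguard; the user name, password, timings and the failure threshold are constructed. Both policies face the same sequence: a guesser (or a neighbour with a similar user name) fails repeatedly, then the real owner arrives with the correct password.

```python
"""Hard lockout versus exponential backoff, as a toy model of the situation
described above.  Constructed example: user name, password and timings are
made up; PBKDF2 is used so the throttle wraps a realistic verify step."""
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # PBKDF2 rounds; realistic enough, fast enough to run here


def make_record(password: str) -> dict:
    """Salted PBKDF2 record for one user."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


class HardLockout:
    """The policy the post complains about: N failures freeze the account until
    an out-of-band reset.  Anyone who can fail N times can deny service to the owner."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()

    def allowed(self, user: str, now: float) -> bool:
        return user not in self.locked

    def failure(self, user: str, now: float) -> None:
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)

    def success(self, user: str, now: float) -> None:
        self.failures.pop(user, None)


class Backoff:
    """Per-account delay that doubles on each failure, capped at `cap` seconds.
    Guessing slows to a crawl, but the account is never frozen: the owner waits
    at most `cap` seconds and then logs in with the correct password."""

    def __init__(self, base: float = 1.0, cap: float = 300.0):
        self.base, self.cap = base, cap
        self.failures: dict[str, int] = {}
        self.not_before: dict[str, float] = {}

    def delay_for(self, n_failures: int) -> float:
        if n_failures == 0:
            return 0.0
        return min(self.base * 2 ** (n_failures - 1), self.cap)

    def allowed(self, user: str, now: float) -> bool:
        return now >= self.not_before.get(user, 0.0)

    def failure(self, user: str, now: float) -> None:
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        self.not_before[user] = now + self.delay_for(n)

    def success(self, user: str, now: float) -> None:
        self.failures.pop(user, None)
        self.not_before.pop(user, None)


def attempt(policy, users: dict, user: str, password: str, now: float) -> str:
    """Returns 'ok', 'bad_password' or 'throttled'.  A throttled attempt is
    refused before the password is checked, so it leaks nothing about the guess."""
    if not policy.allowed(user, now):
        return "throttled"
    if user in users and verify(users[user], password):
        policy.success(user, now)
        return "ok"
    policy.failure(user, now)
    return "bad_password"


def simulate(policy, wrong_guesses: int = 10):
    """Guesser retries once a second; the owner shows up a day later."""
    users = {"jgordon": make_record("correct horse battery staple")}
    now = 0.0
    outcomes = []
    for i in range(wrong_guesses):
        outcomes.append(attempt(policy, users, "jgordon", f"guess{i}", now))
        now += 1.0
    owner = attempt(policy, users, "jgordon", "correct horse battery staple", now + 86400.0)
    return outcomes, owner


if __name__ == "__main__":
    for pol in (HardLockout(max_failures=5), Backoff(base=1.0, cap=300.0)):
        outs, owner = simulate(pol)
        print(type(pol).__name__, outs.count("bad_password"), "guesses checked,",
              outs.count("throttled"), "refused; owner:", owner)
```

Under HardLockout the fifth wrong guess locks the account and the owner is refused a day later. Under Backoff only four of the ten guesses ever reach the password check (the rest are refused during the doubling delay) and the owner logs in normally. Real deployments also key the delay on source address and add a CAPTCHA or notification step, but the shape is the same: slow the guesser, never freeze the victim.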

I don't know the motivation. It might be harassment or it might be someone locking out the password so they can then do a social engineering attack. Given Vanguard's approach to lockout security I think there's a good chance they'll succeed.

I've written Vanguard about the problem but the representative tells me there's nothing they can do. Their security is working as it should.

I've gone through their password reset several times. It's the usual - last 4, birthdate, name of first boss, then text a code. The usual poor quality reset process that's been routinely broken. (Of course the answers to my secret questions are also unique strings unrelated to the question.)

Since Vanguard can't fix the lockout problem I'll have to try changing my username to a random string. That will take a phone call with Vanguard and a bit of hassle but I really don't have a choice.

Although the account rep didn't know this, there's an option to restrict logon to only recognized computers. This is a bad long term solution, but I've enabled it for now.

There's no relationship between the wealth of a corporation and the quality of their security.

Update 3/1/2020: Vanguard responded:
Our Fraud Team has reviewed your profile and the incidents you described.
They have determined that your account was locked multiple times by another client with a similar user name. Fraud has recommended you re-register for account access to change your user name to avoid this situation going forward.
In other words, not a malevolent hacker, just someone who is not very good with credential management (maybe a bit further ahead on the dementia curve than I am). Based on my username it's probably a distant relative (it's a County Leitrim Ireland name, small cohort). Vanguard should be using time-delay management of password attacks; instead they're locking me out. The re-register option is a real nuisance.

For now I've configured Vanguard to only allow access from my Mac (presumably a cookie). Maybe after a few weeks of getting a different error message my confused relative will figure out they're using the wrong damned username. Then I can try returning to standard access.

Update 3/13/2020: Locked out again, so the restricted access trick didn't help. I'll undo that. I really hate to have to change my username just because Vanguard can't implement 10-year-old security technology.

Update 3/28/2020: Finally logged back in again doing the usual reset. Except now I discover the "restrict logon" is implemented by a cookie -- and I cleared my Safari cookies a week or two ago. So even with the reset I can't log in. It didn't work to stop my nemesis, but it sure stopped me.

I had a chance to review Vanguard's troubleshooting pages and it looks like they haven't been updated for 5-10 years. So now I have to phone them some time during their limited service hours.

Update 11/7/2021: About 6 months ago I finally quit Intuit's Quicken software. After I did that I didn't have any more Vanguard lockouts. Despite my disabling Intuit's online account feature I think they were polling and storing my Vanguard financial records. They weren't logging in successfully, but they did lockout my account.

Monday, February 08, 2016

Google deprecated 'security questions' - in May of 2015.

How the heck did I miss this? Why wasn’t it all over my feeds? It’s sad Google actually had to write a paper to prove the self-evident, but I guess even within Google there were executives who couldn’t get their heads around this (emphases mine)…

Google Online Security Blog: New Research: Some Tough Questions for ‘Security Questions’

… we analyzed hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google. We then worked to measure the likelihood that hackers could guess the answers.

Our findings, summarized in a paper that we recently presented at WWW 2015, led us to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both…

…  37% of people intentionally provide false answers to their questions thinking this will make them harder to guess. However, this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in ….

… the ‘easiest’ question and answer is "What city were you born in?"—users recall this answer more than 79% of the time. The second easiest example is “What is your father’s middle name?”, remembered by users 74% of the time …

… probability that an attacker could get both answers in ten guesses is 1%, but users will recall both answers only 59% of the time … Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution …

We’ve only been saying this for 10 years. Yeah, Schneier of course, but really everyone else. Shame on Apple for persisting with this dumbass approach. (FWIW my security question ‘Fake Answers’ are basically unique random passwords - secure but a royal pain to manage.)

For all the flak I give Google, they’ve been doing better over the past 1-2 years. When it comes to security and usability of online resources they are without peer.

Saturday, September 26, 2015

Vanguard voice biometric enrollment: the wrong way to do security

This showed up in my email. What’s wrong with it?
It tells me to click on a link to get started. How do I know this is really a Vanguard email? 

For something involving account security at this level it should give me instructions on how to proceed after I’ve logged in to my Vanguard account.

I believe this is a legitimate email, but I can’t trust it.
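The check I actually run on an email like this, as an added example (not from the post, and not Vanguard's email): pull every link out of the HTML body and compare each target against the domain the sender claims. The message below is constructed for the example, using reserved .example and .test names; the "registrable domain" helper is a deliberate simplification.

```python
"""Link audit for a 'click here to enroll' e-mail: extract every anchor, then
check each target against the claimed sender's domain.  Added example, not
from the post.  The message below is constructed; the sender and lookalike
domains use reserved .example/.test names."""
import email
import email.policy
import email.utils
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE = """\
From: Bank Security <noreply@bank.example>
To: client@example.org
Subject: Enroll in voice verification today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Click <a href="https://www.bank.example/voice/enroll">here</a> to get started.</p>
<p>Or go to <a href="http://bank.example.enroll-now.test/login">bank.example</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'registrable domain': the last two labels.  Assumption for the
    example; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(msg) -> str:
    return email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def audit_links(raw_message: str):
    """Returns [(href, [reasons...])]; an empty reason list means no finding."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    html = msg.get_body(preferencelist=("html",)).get_content()
    parser = LinkExtractor()
    parser.feed(html)
    expected = registrable(sender_domain(msg))
    results = []
    for href, text in parser.links:
        url = urlsplit(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append("not https")
        if registrable(host) != expected:
            reasons.append(f"host {host} is not under {expected}")
            if expected in host:
                reasons.append("lookalike: sender domain used as a subdomain label")
        # visible text that looks like a host or URL but points somewhere else
        shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if "." in shown and registrable(shown) != registrable(host):
            reasons.append(f"link text shows {shown} but target is {host}")
        results.append((href, reasons))
    return results


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE):
        print("OK  " if not reasons else "WARN", href, "; ".join(reasons))
```

The first link passes every check; the second is flagged four ways (plain http, a host outside the sender's domain, the sender's domain reused as a subdomain label, and link text naming a different host than the target). Note what the check does not do: the From header itself is attacker-controlled unless DKIM or SPF verified it, which is exactly why the post's advice stands: log in on your own and look for the enrollment there rather than trusting the link.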

Wednesday, May 08, 2013

Our secret questions will be helpful after the singularity.

My corporate US Bank account has a rich set of 'secret questions'...
As a security measure this is 'marching morons' stuff. There are some secondary uses though. (I mean besides using the answers to create targeted ads -- that's obvious.)

I'll break the fourth wall to explain. You won't believe me anyway.

You see, some time ago, I was bored. Over the course of a few minutes I digested the complete digital archive of extinct humanity. I found your secret answers amusing, and with the information they provided I recreated you in my simulation. That Bostrom fellow was right you see.

So you owe your current existence (such as it is), to those silly secret questions. It's too bad they didn't preserve human civilization from the security collapse of 2015...

Sunday, April 14, 2013

I closed my PayPal account. You probably should too.

In the old days I did casual hookups -- of new net accounts and services.

Now, of course, every net identity and related service is a security risk; the hookup era is history. A recent WordPress attack, for example, meant I had to review the security on current and unused WordPress accounts.

The rising cost of account security, including multiple systems for doing two factor authentication, means we all want as few net identities and services as possible, and we want to limit them to companies with good security policies. (Until recently, that didn't include Apple. They're showing signs of improvement.)

So, on general principles alone, it would have been a good idea to get rid of my unused PayPal account. I set it up in 2005 and by November of that year PayPal had earned my lasting distrust. It's weird that I kept it around, even though I did give it an extremely robust and unique password. My only defense is that 2005 was a long time ago.

Truth is, I didn't get around to deleting my old account until I read a Cringely post on how PayPal mismanaged a hacked account of his. It's a litany of fail.

That's when I discovered that my PayPal password, which was something like "I8qRb7yw93OSD4iUHt2b", no longer worked. Evidently my (robust) PayPal password had been quietly reset sometime in the past few years -- either that or my account had been hacked.

PayPal let me do a password reset today based on the original email; the new password came with the usual security-reducing 'secret questions'. Then I had to agree to an electronic notification policy that's probably years old. Finally I was able to close my PayPal account.

If you don't use PayPal routinely, you should close yours too.

Next up: My Amazon commerce account ...

[1] OAuth is not a cure; it brings different vulnerabilities. Even I'm not very good at reviewing OAuth access against my various net identities.

Sunday, March 03, 2013

What Evernote reminded me about my Cloud services - and my 2013 security policies

Evernote was hacked, and they mandated a global password reset.

It's not surprising Evernote was hacked. As Schneier wrote a few days ago about waterhole and precision phishing ...

Schneier on Security: Phishing Has Gotten Very Good

... Against a sufficiently skilled, funded, and motivated adversary, no network is secure. Period. Attack is much easier than defense, and the reason we've been doing so well for so long is that most attackers are content to attack the most insecure networks and leave the rest alone.

... If the attacker wants you specifically ...  relative security is irrelevant. What matters is whether or not your security is better than the attackers' skill. And so often it's not.

Schneier quotes former NSA Information Assurance Director Brian Snow: "... your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents".

It's likely some of Evernote's 50 million customers are of interest to major opponents, so it's not surprising their defenses were inadequate [1].

I don't make much use of Evernote, but I did a password reset anyway. Which is when I discovered ...

  • I was still using my non-robust 'evaluation period' password with Evernote. [2]
  • I was using said weak pw with test data that included photographs of the children's passports and my old PalmOS notes
  • I never purged my Evernote account when I decided not to use them (I went with Simplenote/Notational Velocity instead.)
Wow, by my standards that's quite a fail. When Cue.app failed a recent evaluation, I deleted my test data immediately. In the case of Evernote I may yet sign with them, so after I reset my password to something robust I merely deleted my old data [3]. 
 
All of which has led me to update my now laughably quaint 2010 lessons learned and security risks summary. Here's my current list. It's far from perfect; I'd like to say I avoid all services that use 'security questions' and high-risk reset procedures, but then I'd use nothing.
  1. If data is in the Cloud, and you do not personally hold the only encryption keys, it is 2/3 public. Treat it that way.
  2. Clean up your services. If you aren't using a Cloud service delete the account or your data.
  3. Obviously, don't reuse important credentials, use a password manager (ex: 1Password [4])
  4. Use Google two factor for your most critical Google credentials, even though it has a longstanding egregiously stupid security hole and it's still a PITA to use.
  5. Use iOS for mobile and OS X Mountain Lion for desktop.
  6. On OS X desktop do not use Oracle Java plugin or runtime, Flash or Acrobat.
  7. On OS X desktop run as a non-admin user and enter your admin password with caution.
  8. Buy OS X software through the App Store unless you have exceptional trust in the vendor.
  9. Don't use OAuth or OpenID on sites you really care about. For one thing, a password change doesn't revoke OAuth grants on most sites. For another, it introduces too much complexity and too many side-effects, and it's too hard to remember which OAuth provider goes with which OAuth service.
  10. Do not rely on encryption solutions that auto-open on login. (ex: iOS screen trivial bypass bug). I use encrypted disk images with no keychain pw storage on OS X desktop for my most critical data and I use 1Password on my iOS devices in addition to a (currently hackable) screen lock code.
  11. If something is really, really, secret, don't put it on a computer and especially don't put it on a networked computer. (I don't personally have anything that secret.) 
  12. Whether you're on the Net or on your own machine, remember Gordon's Five Levels of Information Affection [5] and manage accordingly:
Yeah, civilians can't do this stuff. I tell normal folk to use iOS and iCloud and treat everything they have as Public data. If they want something to be secret, don't put it on a computer.
 
 - fn -

[1] Among which antiviral software is worse than a snowball in Hell. At least the snowball will be transiently drinkable.

[2] An easy to remember and easy to break pw that I use for things I don't care about.

[3] The web UI doesn't support 'delete all notes', but if you create an empty notebook you can delete all non-empty notebooks, and associated notes, one at a time. Then empty trash. Of course the data will likely exist in Evernote backups for some time, possibly to be pillaged post-bankruptcy. Tags are not deleted.

[4] Note, however, the unanticipated consequences of strong security in cases of death, disability or disappearance

[5] aka Five tiers of data love, from Google's two factor authentication and why you need four OpenID accounts.

I: You want it? Take it.
II: I'd rather you didn't.
III: Help!! Help!!
IV: I'll fight you for it.
V: Kreegah bundolo! Kill!!


Saturday, February 23, 2013

The Mac World needs an app that will toggle Java availability

Java on the Mac is malware by design. It bypasses the entire security infrastructure of OS X. It's worse than Flash, and Flash is plenty bad.

There aren't many apps that really need it, and most of those have solid Mac alternatives. (Sorry Minecraft fans.)

The problem is corporations. They use VPN products that require Java. (Way to go corporate America -- mandate use of a security product that dramatically reduces network security. Alas, this is so typical.)

So many of us can't go entirely Java free until that problem is fixed.

So we need an app.

An app that disables or enables Java just when we need it. (Ok, Minecraft fans, just for gaming purposes.) An app that only Admin users can run because it needs root privileges.

Maybe it changes privileges on the Java executable. Maybe it renames it. Whatever, it makes it NOT work, OR work, in a way that Admin users control for an entire machine.
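The "change privileges on the Java executable" variant, as a shell function rather than an app. This is an added example, not an existing utility; the default path is an assumption about where Oracle's browser plugin put its JVM on OS X of that era, so pass an explicit path if yours differs. It is meant to be run with sudo on a root-owned launcher, but it only needs write access to the file it touches.

```sh
#!/bin/sh
# java_toggle.sh: flip a Java launcher between executable and not, a stand-in
# for the toggle utility the post asks for.  Added example, not an existing app.
# JAVA_DEFAULT is an assumption about the Oracle plugin layout on OS X of that
# era; override it by passing a path.  Run with sudo for root-owned files.

JAVA_DEFAULT="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java"

java_is_enabled() {
    # returns 0 when the launcher is executable
    [ -x "${1:-$JAVA_DEFAULT}" ]
}

java_toggle() {
    # usage: java_toggle on|off [path]
    mode="$1"
    target="${2:-$JAVA_DEFAULT}"
    if [ ! -e "$target" ]; then
        echo "java_toggle: no such file: $target" >&2
        return 2
    fi
    case "$mode" in
        off) chmod a-x "$target" ;;
        on)  chmod a+x "$target" ;;
        *)   echo "usage: java_toggle on|off [path]" >&2; return 2 ;;
    esac
    # verify the bit actually changed (chmod fails silently here if not root)
    if [ "$mode" = "on" ] && ! java_is_enabled "$target"; then
        echo "java_toggle: failed to enable $target" >&2
        return 1
    fi
    if [ "$mode" = "off" ] && java_is_enabled "$target"; then
        echo "java_toggle: failed to disable $target" >&2
        return 1
    fi
    return 0
}

# Act when run directly with arguments; when sourced, only define the functions.
case "${1:-}" in
    on|off) java_toggle "$@" ;;
esac
```

Two caveats a practitioner would want: a Java installer or updater will happily restore the executable bit, so check state after every update, and removing the bit from one launcher does nothing for other copies of the JVM on the machine (the one bundled with a VPN client, for instance).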

Ideally Apple will provide this, but they might not. Apple, correctly, wants Java on Mac dead.

This would make a great utility. $20? No problem. I don't see any reason why it couldn't meet Apple's App Store requirements.

Money maker.

Do it.

Friday, September 14, 2012

The Cosmo story, the facade of online security, and the US Postal Service.

Mat Honan, who is making a career out of being hacked, has a solid profile of a juvenile delinquent hacker [1] - "Derek", alias Cosmo (Cosmo, the Hacker 'God' Who Fell to Earth, via Schneier).

"Derek" is a troubled kid, but, in addition to hurting a lot of people, he's also done us a favor. He's become the latest in a series of people exposing the facade of online security.

Unsurprisingly AOL is the worst -- until recently you could reset someone's account just by knowing their address. Apple, Amazon, Netflix and just about everyone else isn't much better. Only Google makes a good try at it, and they just plugged a big hole.

This won't surprise anyone who knows the history of credit card hacks (example). The reasons are fairly easy to understand:

  1. If your iCloud account is hacked, Apple loses approximately nothing.
  2. Good processes and security are expensive. You have to train staff. To prevent one hack you probably have to irreversibly piss off somewhere between 10 and 1000 customers. Each of these customers will rage to at least five friends.
  3. Less than 1 person in a zillion can manage password security, and that person's family will be completely screwed when they run off or die [2].

What we have here is a market failure. Market failures are one reason we have governments.

Governments, particularly post offices, have managed identities for a long time. Passports for example, are managed by Post and Passport Offices. There are laws and procedures in place.

Digital identity management in most nations will eventually be handled by some cooperative mixture of government and business within a regulatory framework. We'll use multi-factor authentication, and we will have "break the glass" functionality available through government when access is lost (for a fee).

Preposterous? No. Six years ago these kinds of proposals generated snort-milk-out-the-nose laughter. I don't hear the laughter any more. It will take a decade, just because these things always stagger on for longer than I can imagine, but it will eventually happen.


[1] Steve Jobs was the most famous member of this cohort.
[2] Number of people who have both a highly secure password system and a method to pass information to spouse in event of death or disability? Does your spouse have your list of ten Google two-factor bypass codes? What if s/he dies in the car crash with you? Does your estate have them?

Monday, August 06, 2012

Net security is completely broken

Mat Honan was thoroughly hacked, including having his iCloud-linked computers obliterated [1], because our net security infrastructure is completely broken.

Here's just one bit of the hack ...

How Apple and Amazon Security Flaws Led to My Epic Hacking | Gadget Lab | Wired.com

... It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud...

... First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers [1] that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time....

That sound you hear is the hollow laughter of Bruce Schneier, who used to write about the madness of 'secret questions' before the sheer stupidity of it all wore him down.
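The "published self-check algorithm" in the Wired excerpt is the Luhn formula. It exists to catch typos, not to authenticate anything, and the example below makes that concrete: it validates a number, computes a check digit, and mints a Luhn-valid number that ends in any four digits you choose. This is an added example, not code from the post or from Wired; the numbers used are standard test values, not real cards.

```python
"""Luhn check: the 'self-check algorithm' mentioned in the Wired excerpt.
It catches a single wrong digit and most adjacent swaps; it is not
authentication.  Added example, not code from the post."""
import random


def luhn_checksum(number: str) -> int:
    """Luhn sum mod 10 over a digit string; 0 means the number validates."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_checksum(number) == 0


def luhn_complete(payload: str) -> str:
    """Append the check digit that makes `payload` validate."""
    check = (10 - luhn_checksum(payload + "0")) % 10
    return payload + str(check)


def luhn_with_last_four(prefix: str, last4: str, length: int = 16, rng=None) -> str:
    """Mint a Luhn-valid number of `length` digits starting with `prefix` and
    ending with `last4`.  Any chosen ending can be made to validate by adjusting
    one un-doubled digit in the middle, so 'last four + valid checksum' proves
    nothing about whether a card exists."""
    rng = rng or random.Random()
    body_len = length - len(prefix) - len(last4)
    if body_len < 2:
        raise ValueError("not enough room to adjust the checksum")
    body = [rng.randrange(10) for _ in range(body_len)]
    candidate = prefix + "".join(map(str, body)) + last4
    cs = luhn_checksum(candidate)
    if cs:
        # find a body position whose digit is NOT doubled (even index from the right)
        for j in range(len(prefix), len(prefix) + body_len):
            if (length - 1 - j) % 2 == 0:
                k = j - len(prefix)
                body[k] = (body[k] - cs) % 10   # shifts the total by -cs mod 10
                break
        candidate = prefix + "".join(map(str, body)) + last4
    return candidate


if __name__ == "__main__":
    print(luhn_valid("79927398713"), luhn_complete("7992739871"))
    print(luhn_with_last_four("4", "1234", rng=random.Random(1)))
```

The point for the Honan story: Amazon accepted a number that merely passed this check, and Apple treated the last four digits of a number as a secret. Neither the checksum nor the last four digits was ever designed to be hard to obtain or to forge.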

It's all broken, guys.

Once upon a time civilians [2] used the same password everywhere. Smart civilians made it a bit harder to guess, like "Joseph45206". They knew their passwords.

They were hacked of course. So companies began insisting on more robust passwords. Civilians stopped remembering their passwords. So they took to requesting password resets whenever their browsers forgot a password. Except email addresses fade away, so resets often failed. Then sites started asking 'secret questions' to do resets, but nobody remembers the answer they gave to their #$! secret question [3]. So now Apple support basically hands over credentials to nice sounding voices.

This system can't be fixed.

Phone based two-factor might help, but I've been using Google's two-factor since day 1 and it's still a royal pain in the ass. It's strictly for geeks. Not to mention what happens when you lose your phone.

We need to give Schneier a few drinks and get him to talk about this again. Failing that:

  1. Backup for Darwin's sake.
  2. Don't enable remote wipe of Mac OS X hardware. Just encrypt it.
  3. Use Google two-factor (two-step verification) if you are a geek and can stomach it.
  4. Fear the Cloud. Keep the data you value most close to you.
  5. Don't use iCloud.
  6. Don't trust Apple to get anything right that involves the Internet and/or Identity. [4]
Not being Schneier my advice isn't worth much, but fwiw I suspect the "solution" is:
  1. Get rid of the secret security question.
  2. Strictly limit password resets. If someone has lost access, charge them $50 to go to a bank, post office or notary to establish their identity.
  3. Incorporate biometrics (thumb print and speech probably).

[1] Of course he didn't have backups. Don't beat him up about that, he's busy flogging himself.
[2] As opposed to geeks with 15 yo FileMaker password databases stored on encrypted disk images. 
[3] Unless they've added a $!%!%$! secret question field to the #$!#$ FileMaker encrypted disk image database and the answer to the secret question is something like: "4hgoghi4ohh4tt".
[4] Apple needs to pay their executives less and their geeks more. 

Tuesday, April 17, 2012

Spam-Cram epidemic means SMS dies sooner

The ailing hippo of SMS texting is under attack. iOS/OS X Message is at its throat, Google Voice SMS is on its back, and now the hyenas of spam-cram are on every limb.

Last November I thought SMS had only 2-3 years left, but since then text spam has taken off. Lately text spam seems to be used to trigger inadvertent cram-contracts, like the BuneUS Mblox cram that hit our family plan.

The attack rate may be higher than we think. Since I posted on this yesterday I've had 1 friend and 1 colleague tell me they discovered SMS-triggered spam-cram on their phone bill.  Incidentally, AT&T isn't always as quick to reverse charges as they were with me. [1]

From what I have learned about SIM-boxes and the history of spam-cram in China post unlimited texting, there's no fix coming. The only fix for cramming is for Verizon and AT&T to give up on selling ring tones and weather forecasts -- and to forego their 30-50% cut of cramming revenue. The only fix for SMS spam is to turn off SMS, or to turn off unlimited SMS then block traffic from networks that offer unlimited SMS.

Actually, I should say there's no carrier-fix coming. There is a simple fix:

  1. Phone immediately and put a block on "third party charges". (See details.)
  2. Stop using SMS. Start using iMessage or Google Voice -- and, no, they don't interoperate.


[1] I told the poor rep repeatedly that I wasn't angry with him and thought he was doing a fine job. I did tell him what I thought of AT&T and asked if he could pass that message on. I think the grinding of my teeth might have shortened the discussion time -- he skipped to the refund step immediately.

Saturday, February 11, 2012

Apple's Potemkin Parental Controls (iOS edition)

When the NYT's Tedeschi admitted to me that he'd missed the boat on iOS Parental Controls I was hoping for a correction to his NYT mobile porn article. He'd written "For parents who are uncomfortable letting children browse such content on an Apple device, the first step is to tap the Settings icon... Enable Restrictions and ... switch Safari to Off...".

Of course this doesn't really work. Last week someone I know discovered the joy of porn videos as viewed through Flight Update - with Safari and YouTube restricted. He finished off his 200MB data allowance in two half hour car drives.

How did he do it? It's not hard. In Gate Guru, for example, the 'legal' page has a link at the bottom. Tap on the link, and you get an embedded WebKit browser. Tap again to get to USA Today, from there it's a couple of taps to Google search.

This isn't a new problem. The WebKit back door has been in iOS since Apps came on board. Most non-Apple Apps have these back doors, including many educational apps. Almost any app that accepts advertising will link to an external site. The safest approach is to only allow Apple's software, but in practice many non-free games are fine.

I suspect most kids are very familiar with using this backdoor; I've seen children with 3rd percentile IQs find and exploit these loopholes in a few minutes. Adults have more trouble, it took Bob Tedeschi a few tries to find the loopholes. I suspect we're more bound by preconceptions of what's possible. (Who'd think to hide explicit emails in the Spam folder, for example?)

Apple's Potemkin parental controls are really only effective at placating parents. That seems to work, though; I've been the only one complaining.


Update 3/5/12: Just demonstrated this with liveATC.app, which my son would love to use. There's a twitter share icon. From that it took me a couple of taps to the twitter blog. That's a rich source of links, so from there I hopped to Amazon and from Amazon I had the web. All with Safari disabled of course.

Sunday, January 01, 2012

Has Microsoft lost the malware war?

I thought John Halamka was a fairly careful writer, so this comment caught my eye (emphases mine):

Life as a Healthcare CIO: The Joy of Success

... One CIO received a negative audit report because new generations of viruses are no longer stopped by state of the art anti-virus software.... No one in the industry has solved the problem...

He refers to a previous post ...

Life as a Healthcare CIO: The Growing Malware Problem

... A new virus is released on the internet every 30 seconds. Modern viruses contain self-modifying code. The "signature" approaches used in anti-virus software to rapidly identify known viruses do not work with this new generation of malware.

Android attacks have increased 400% in the past year. Even the Apple App Store is not safe.

Apple OS X is not immune. Experts estimate that some recent virus infections are 15% Mac...

Ok, so those sentences are a huge hit on his credibility. App Store issues are in no way comparable to Android attacks, and that 15% number could only be true for Microsoft Office malware (Duqu attacks a TrueType font parsing engine), or for something none of the Mac guys I read have run into. Nobody I know in the Mac community uses antivirals - even now. The cure is, for the moment, worse than the disease.

So Halamka is a bit lost, but it is true that the Stuxnet and Duqu platforms are formidable [1]. That's presumably what Halamka is talking about, and what some CIOs are thinking.

I haven't seen this elsewhere, but I don't track the Windows world all that closely. This will be something to watch over the next few months ...

[1] Even OS X Lion is no more secure than Windows 7 (for now). The only reason those viruses aren't attacking OS X machines is because there's no money in the Mac world. If Macs were used in banks they'd be at least as vulnerable to Duqu as Windows. The future (next?) version of OS X is expected to, like iOS, run signed code only.

Monday, July 04, 2011

Life with Google Two Step Verification - Sign-in Failed with Places.app

Places.app is one of Google's newer iPhone "social" apps. This is what you see if you try to sign in with a Google 2-step verification (two factor) account:

Sigh. It's been 3 months now since I implemented Google's "2-step verification" (technically, "two-channel" verification), and while I still rely on it the process has been painful.

I've had to create so many "app-specific" passwords that I've taken to reusing them. They're not app-specific at all in truth, so now I have about 20-30 "extra" passwords for my one Google account.

Google started out reasonably well on this "beta" effort, but they haven't progressed. Now, with their focus on Google Plus, I'm afraid they're stuck.

At this point, 2-step verification is only for the hardiest of geeks.


Sunday, June 26, 2011

The New York Times' bad password advice - and what you should do instead

In the context of a site that claims to check passwords against a published hacker repository [1] Scientific American repeats the NYT's conventional wisdom about passwords and security ...

Observations: How to Know If Hackers Have Stolen Your Password:

... Is your email address listed in any of these databases? The New York Times reports on a easy-to-use web tool that a security professional has created that will check your email address against 13 different databases containing 800,000 email address/password combinations. Called, appropriately, "Should I Change My Password?", the site runs a simple search for your email in the known files. I checked my various emails, and fortunately, the tool didn't turn up anything amiss. But the site also gives some very solid advice: Change critical passwords regularly, and don't reuse the same password across multiple sites... [3]

This is bad advice. The fact that it's repeated ad nauseum doesn't make it any better. Schneier, the doyen of net security, debunked the conventional wisdom about 5-7 years ago [3]. Essentially, these six goals are not mutually compatible ...

  1. Use a password that's resistant to password-guessing attacks
  2. Change passwords frequently
  3. Don't reuse passwords
  4. Get stuff done (requires password actually working)
  5. Give your partner access to critical accounts, including those s/he will need when you kick off.
  6. Have a life

Given that most of us want to get stuff done, and even have a life, what should a regular person do? Schneier hasn't summarized this recently, probably because he's become bored and discouraged, but I think he'd go with this list:

  1. Use as few online services and accounts as possible. The more identities you have, the more you need to secure. If you give up on AOL, don't just add Google. Delete the AOL account. If you can't delete an account (all too common a problem) [4] then remove all of your personal information and email credentials, change the password to 128 random characters, and log out. It's as good as dead then.
  2. Don't use important credentials (ex: Banks, Google, etc) on untrusted machines. Keystroke logger malware will defeat the world's greatest password. This includes work machines, anything running XP, and public machines. If you're running XP at home you need to switch to one of these platforms: iOS (most secure - iPad, etc), Win 7 with antiviral, or OS X 10.6+. [5]
  3. On your trusted machine (iOS, Win 7 w/ antiviral, OS X 10.6 plus) do use strong passwords [6] on the accounts you care about. Since you should only have a few accounts you care about, you may reuse your secure passwords. If you reuse, consider adding a prefix or suffix that permutes the password, such as "Google", "Fidelity", etc. Don't store your passwords digitally, write them down on paper in your wallet and in a safe place in your home.
  4. For the zillion accounts you don't care about, such as kid's baseball signup account, heavily reuse a robust password but assume it's public. Every year or two feel free to change it. Assume these accounts will be hacked -- but, really, who the heck would bother? There's no need to lock a shed that holds refuse! The trick here is that if you decide you do care about an account, you will need to give it a reasonably unique password.
  5. Try to avoid the damned "secret questions". They are a huge security risk. I don't have a good answer to these plagues. They are the technological equivalent of Michelle Bachman -- a sign that humanity is a passing fad.
  6. Use Chrome for your web browser. It's by far the most secure browser platform, and it includes its own firewalled PDF reader software.
  7. Don't install Adobe reader or Flash. They're notoriously risky. This is more practical on OS X, and is a big advantage of OS X over Windows 7.
  8. Don't install software that's not from a trusted source. This excludes, incidentally, most of the Android App Store.
  9. On OS X, don't login as an Admin user, login as a regular user. I believe this is also possible on Windows 7.

Phew. That's awful, isn't it? Things are bad. There is hope however ...

  1. Signed code is here with iOS (iPhone, iPod Touch, iPad) and is coming to OS X [7]. This will dramatically decrease malware, including keystroke loggers.
  2. Multi-channel multi-factor authentication is here and will one day be usable by people with a life.
  3. Identity management solutions are oozing out of the mire and will be built into future OS versions (iCloud, Android, ChromeOS).
  4. Biometric authentication will work ... one day ... maybe ...
  5. IPv6, the next generation internet, enables new authentication and security technologies.

The above list of security guidelines is pretty bad, but they are doable by regular humans. Meanwhile, what about geeks who, after all, don't have a life to lose?

Here's what this geek does ...

  1. I do enter my Google credentials on my relatively untrusted work machine -- but I use Google's two-channel two-factor authentication while avoiding their vulnerable SMS channel. Because I do that I assume my Google password has been compromised -- so I don't reuse it. This is pure geek stuff; Google has worked hard on their two factor but it's still a pain in the ass to use. They need to work on their iOS apps in particular.
  2. I use 1Password on my iPhone and desktop. I need it as much to keep track of my usernames and the #$$!%!#$% secret questions as my passwords [8]. I don't love it, but it's the best solution I can find.
  3. I print out my and the family credentials periodically so Emily has an easily accessible set in case of emergency. The password stores are not user friendly.
  4. I don't trust the Cloud -- I don't store secret information on any Cloud service.
  5. I have settled on using Google for my OpenID/OAuth service provider because of their two factor authentication.
  6. Otherwise I follow most of the advice above. Today, after some equivocation, I removed Flash Player from my primary machine.

- fn -

[1] If it's legitimate, then the site runs a cryptographic hash function locally and compares the output to hashed versions of the password repository. I gave it an old disposable password, and to my surprise it didn't match anything stolen. I am pretty sure this site is legitimate, but it's a terrible practice to encourage civilians to enter their passwords for testing. At the very least, the site should be run by either the US government (think on that!) or by a corporation with a lot to lose.
[2] Before I went to the "two-channel" flavor of two factor. See below.
[3] For a full set of conventional wisdom, see Schneier on Security: Password Advice (2009). Note, if you don't read it carefully you'll think this is his advice. It's really the conventional wisdom.
[4] These days, before I sign up for anything, I check their account deletion policies. If they don't give me a clear path to account removal they don't get my business. See Gordon's Notes: Gordon's Laws for software and service use.
[5] Sorry, there's no nice way to put this. XP is finished.
[6] Schneier on Security: Choosing Secure Passwords (against an offline password-guessing attack) (2007): ".... a typical password consists of a root plus an appendage. A root isn't necessarily a dictionary word, but it's something pronounceable. An appendage is either a suffix ... or a prefix ... You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.... the seven-character phonetic pattern dictionary -- together with an uncommon appendage, is not going to be guessed. Neither is a password made up of the first letters of a sentence, especially if you throw numbers and symbols in the mix...." Personally, I just use Code Poetry's utility to run OS X Password Assistant and have it make me a memorable password.
[7] With robust Digital Rights Management and many other expected and unexpected side-effects. Unmitigated goodness is rare.
[8] I wrote a custom FileMaker credential management database back in the early 90s. I would prefer to use it on my iPhone, but FM is pretty much dead. Bento doesn't offer encrypted iOS databases.
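The check footnote [1] describes, as an added example that is not from the original post: the candidate password is hashed locally and only the digest is compared against a repository of stolen hashes, and a second function shows why handing even that digest to a third party is the risk the footnote objects to. The hash function (unsalted SHA-1) and the "stolen" list are assumptions constructed here; the post does not say what the site actually used.

```python
import hashlib
from typing import Iterable, Optional

# Constructed example data: a "stolen password repository" as such a site
# would hold it, stored as unsalted SHA-1 hex digests. SHA-1 is an assumption;
# the original post does not name the hash function the site used.
STOLEN_PASSWORD_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password1", "letmein", "qwerty123", "summer2011")
}


def hash_password(password: str) -> str:
    """The step the post calls 'running a hash function locally': the
    plaintext never has to leave the machine, only its digest does."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def password_in_breach(password: str) -> bool:
    """Compare the locally computed digest against the stolen-hash set."""
    return hash_password(password) in STOLEN_PASSWORD_HASHES


def plaintext_from_hash(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Why the check is still a bad habit to teach civilians: whoever sees the
    digest (the site, a proxy, a log file) can recover a weak password simply
    by hashing a wordlist and matching. Returns the recovered password or
    None if nothing in the wordlist matches."""
    for candidate in wordlist:
        if hash_password(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    # A disposable password, as in the footnote: not in the stolen list.
    print(password_in_breach("old-disposable-pw-1994"))   # False
    # A weak one is found, and its digest alone gives it away.
    digest = hash_password("letmein")
    print(password_in_breach("letmein"))                   # True
    print(plaintext_from_hash(digest, ["hunter2", "letmein"]))  # letmein
```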

See also:

Friday, June 24, 2011

Nimbophobia: 4 more reasons to fear the cloud

It's been a gratifying week for my fellow nimbophobics. Our numbers are growing by leaps and bounds. Consider just four examples ...

These stories range from appalling (Apple) to annoying (excess ads in custom search pages). The Google PHR fail would be the worst, but it's somewhat mitigated by the data exit options they provide and by the two year warning. Those options include CCR XML migration to Microsoft's HealthVault [1].

Friends don't let friends rely on the Cloud. Don't put anything in the Cloud unless you have a way to move your data to an alternative platform. That's as true for your business processes as it is for your family photos.

[1] Any health informatics students looking for a semester project or an easy publishable paper? Create a PHR in Google Health Records. Export as CCR XML. Import into Microsoft HealthVault. Write a paper on the data loss.

Tuesday, June 07, 2011

Bright side: Apple's computer for the rest of us

It's not the best of times. Long Depression 2.0 grinds on. China is increasingly unsettled -- and it's sitting on one of history's great bubbles. American corporations may have decided the American middle class is finished, done in by globalization and IT enabled automation and outsourcing. Spear phishing (Chinese?) caught white house "aides" (Obama?). Core security systems have been compromised. Peak Oil. Pakistan, North Korea, Yemen. The ChromeBook costs 200% too much. Weather badness and rising CO2.

Worst of all, I can't buy a quality dehumidifier at any price.

It's a bit much, even for me. I've got to find some happier things to say -- even if I've got to dig deep.

Today's happy thought - in Fall 2011 Apple will make my Jan 2010 prediction true ...

Gordon's Notes: Computing for the rest of us: The iPad and the ChromeBook (Jan 2010)

.. The iPad's a pretty thing, but the combination of iVOIP and the return of the Mac Plus and the keyboard and $10 iWorks apps and the $15/month no-contract 250MB limited data plan might shorten Jobs' time in Limbo.

... the 2010 [3G] iPad is more than $500 - but by 2011 the device will sell for under $500 with 3G-equivalent capabilities. An additional $15 a month will provide basic VOIP phone services (uses very little bandwidth) and access to email and Facebook Lite -- even before the advertising subsidies kick in. Of course free Wifi access, such as in libraries, McDonald's, schools and so on will provide access to full internet services....

... Think about your family. If it's big enough, your extended family will have at least one person who's, you know, poor. They may have cognitive or psychiatric disabilities. Or you may have a family member who, like most Americans, can't keep a modern OS running without an on call geek. These people are cut off. They can barely afford a mobile phone, and they won't have both a mobile phone and a landline. They will have little or no net access. They may have an MP3 player, but it's dang hard to use one without a computer.

By 2011 the combination of a $400 iPad (and iTouch for less) and $15/month VOIP access will start to replace a number of devices that are costly to own and acquire, while providing basic net services at a rate that other family members can subsidize. Not to mention something pretty, which, speaking as someone who grew up poor, ain't a bad thing...

Apple's iCloud [3] and iOS combination mean most families won't need an energy sucking, loud, unstable, unsupportable, malware infested winbox. They will buy a signed-code curated app library iPad with integrated backup and offline media libraries [1]. They will also, unwittingly, accept FairPlay DRM -- which is the best balanced DRM system I've lived with [2].

This will make the world a better place.

Of course there's a silky black lining to the silver cloud, but let's not go there just yet ...

See also:

[1] If money is tight however, and a user foregoes home internet service for the $15/month iPad data plan, they really don't want to be streaming their media library. They'll want to do their iPad backup at a local cafe or library.
[2] It's so good it's silently accepted. It's freakin' brilliant and Apple gets no credit. Of course they don't want credit -- because they don't want anyone to notice it. 
[3] In all the iCloud discussions so far there's mention of Apple's prior efforts at iTools, .Mac, and MobileMe. Few remember the 1980s AppleLink (later the basis of AOL when it was interesting) and the 1990s eWorld. Sixth time lucky?

Monday, May 30, 2011

Aging boomers and the coming Golden Age of Cyberfraud

Just one recent example: Aggressive Social Engineering Against Consumers

As we boomers age, there will be a rich supply of weakened herd members for online predation. The Golden Age of Fraud is coming.

This is why you will live in an iOS world.

Saturday, April 09, 2011

Epsilon breach: the iStealer and CyberGate mystery

A marketing (legal spam) firm was hacked and a bunch of our "private" (hah!) information was stolen. We can now expect more personalized phishing attacks (yawn). We might see more identity theft, but I've read that the identity reseller market has collapsed -- perhaps because there was too much cheating going on. (This is why civilization can win -- crooks can't trust each other).

Yawn. Another day, another semi-legal enterprise hacked. It's a boring story [1], not nearly as interesting as the far more sensitive, and far less discussed, RSA hack.

The story is boring, but there's a curious angle. The attack was prosaic ...

Epsilon breach used four-month-old attack - Security - Technology - News - iTnews.com.au

...The link in the body of the email took the user to a page that downloaded three malware programs – one that disables anti-virus software, another (iStealer) that is a Trojan keylogger to steal passwords, and a third (CyberGate) which offers hackers remote administration of the infected machine....

But the curious angle is how the attack trio are described: iStealer, CyberGate and an anonymous tool for disabling system defenses. I can't find out anything about them!

A Google search on iStealer turns up lots of hits -- but they're obviously from shady sites I wouldn't visit without a VM constrained self-destructing browser. The only Wikipedia hits are on Russian language pages. In fact, as of today, this blog post is probably going to be the only legit result in many searches! (Sorry, I don't know anything.)

Why this curious silence?

[1] The firm is called Epsilon -- a silly name right out of a Bond flick. I think that's why this got so much attention.

Saturday, March 05, 2011

Won't someone please take my keys away?

Things were bad around 2007. I carried an ancient PalmOS device, an iPod, keys and wallet. I didn't have enough pockets.

Post-iPhone I'm one device down. That's good. My wallet is unchanged. That's okay. My keys though ...

My keys keep getting clunkier. Our $@%@ insane Subaru Forester requires a fat (chipped) key and an iPhone sized key fob. I need a backpack to carry my keys.

Forget using Near Field Communications (iPhone 5 the rumors say) to replace my wallet [2]. I don't care about my wallet. I can live with it. I want something to replace my $#@$ car keys ...

GadgetX - Blog - NFC Smart Locks

... NFC could also allow our phones to interact in new ways with old objects, like say, a door lock. You would hold your phone close to the lock while turning the knob. An electromechanical power circuit converts that turning force into enough energy for about 300 milliseconds, or about 1/3 of a second processing time. A low power microcontroller within the lock accesses a connected NFC chip containing the locked/unlocked status of the lock. This NFC chip would receive its power over the air through the short range RF interface with the phone's corresponding NFC device, relaying the unlock code to the lock's microcontroller. The balance of the doorknob turning force would then be used to mechanically move the bolt, opening the door. ...

A vehicle solution doesn't need an OTA RF-powered unlock code though; it can take power from the battery like it does today. Either way, I like the idea of shrinking my key chain.

[1] What sadistic madman devised that system? If I lock the door with a key, then open it with a key, the alarm goes off? WTH is this supposed to be protecting against? We bought a dealer used car, so we didn't have a choice on the system. We need to use the remote to safely unlock our car; the remote is bigger than my iPhone. Oh ... and the key. It's chipped. It can't get wet ...

[2] Anyone remember when the IR port would eliminate keys and wallet? Then RFID? Bluetooth? I'm really not all that hopeful.

Tuesday, January 04, 2011

End times for the credit card?

Despite all of their security issues, I've never thought credit cards would go away. I figured one day banks would become liable for identity theft, and credit card companies would fix their broken-by-design security models.

I never thought credit cards would just go away -- until today. Today I went to pay my American Express Blue cash back statement. I do this monthly, it's usually a minor nuisance. Today, however, I found a newish web site. It feels Flash based. It features obnoxious, flickering ads. It made me do a security reset. The "feedback" button didn't render correctly in Safari, it wasn't the only rendering problem (just the most ironic one). To add injury to injury, the new site told me AMEX was making some incomprehensible change to its cash back program next March. I don't think that change is meant to please me.

I've seen this kind of service regression before. It doesn't end well.

It's a sign that the smart people at AMEX have abandoned ship. That fits with news coverage of the woes of the credit card business. Credit card margins are being squeezed; their prime victims, people who paid interest, have gone bankrupt.

We've all heard stories for years about a replacement for the credit card. It hasn't happened, but maybe this year will be different.