More on password managers

Many of you have written me since getting a similar extortion email over the past few months. The emails all have similar characteristics: they usually mention an older password that you have used on one of your accounts in the subject line, and then suggest that the sender is monitoring your computer with spyware and will send out some compromising information about you if they aren’t paid the ransom.

As I said back in July, these emails shouldn’t be answered, or even opened. The sad fact is that if you are still using something with this password, you probably should be motivated to clean up your act and do a better job with your passwords.

I usually tell my correspondents to use this as an opportunity to do two things. First, to install a password manager. I use LastPass but there are plenty of others. These tools make your logins more secure because you can create complex passwords that you can’t remember, and more importantly, you don’t need to remember them either.

The second item is to use an authenticator app on your smartphone. These apps are probably the best security you can use to protect your accounts. Google, LastPass, Microsoft, Duo, Authy, and numerous other vendors have free ones. They work in conjunction with a one-time code that changes every minute or so. When you login to your accounts with this app enabled, you have that amount of time to enter the code that is shown on your phone’s screen into the web form as part of your login process. If someone has your password, they won’t be able to see this code and properly login.

Even better than using these authenticator apps is to make use of a special FIDO hardware key. Both Google and Yubico sell them. They are more secure but less convenient, because you have to remember to have the key on you when you need to login.

Certainly, there are other alternatives to authenticator apps and keys. Some of you have enabled a different authentication process with your logins, such as using an SMS text message to receive these one-time codes. This is much less secure than either the authenticator apps or the hardware keys, because a hacker can arrange to send this code to their own phone. Sadly, many websites (such as my bank) only support codes sent via the SMS method.

But here is the issue: apart from having authenticator apps and password managers, some of you are still writing your passwords down somewhere, and this is the most insecure thing you can do. Even if you keep a piece of paper in a locked safe, it is still less useful and less secure than the combination of password manager + authenticator app that I described above. That special piece of paper does you no good when you are across town from your office, for example.

There was this recent exchange on Twitter between Capital One and a customer, where the bank’s representative told the customer to not use a password manager. One person commented, “Hey Capital One! 1992 called. You need to hire a more up-to-date Security Officer.” Another recent study showed that password managers weren’t familiar or necessary to more than half of those surveyed.

Some of you have gone to great lengths to store your passwords on your phone’s address book, using a special code that will jog your memory about which password you have chosen for a particular site. Given the compromises that the mobile version of Facebook Messenger has at reading and distributing your contact data, this is also asking for trouble. It really isn’t worth the effort.

One of my readers called me about a month ago in a panic when he got the extortion email message. Once I calmed him down (he was up half the night worrying about it), we came up with a plan, such as I outlined above. I checked back with him recently and he did implement half of my suggestions. But he argued, “I can repeat my passwords on less sensitive accounts, because I don’t have anything to worry about with those accounts. There is nothing to steal here.” Wrong on these counts:

First, every reused password is another way for a hacker to worm their way into your digital life. Let’s say you purchase something from an online retailer, and never return to that site ever again. Meanwhile, you have forgotten that you saved your credit card on the retailer’s site, and then you have forgotten which retailer it was. When that retailer suffers a breach, your credit card is now at risk.

Consumers aren’t alone in reusing their passwords. A study for One Identity of 1000 IT professionals shows some poor security practices in place in several countries. They noted that admin passwords are often shared, among other bad practices.

Maybe you have a reused password for something blander, such as the account to your local library so you can download an ebook or two. Again, that library could be hit by an attacker, and that login could become compromised and reused on some other site. Hackers have automated routines that try username/login pairs across hundreds of websites, testing if you have used them elsewhere. While the hacker may not steal anything of actual monetary value, they are stealing and using your identity. So just don’t reuse them, ever. Please.

Second, whatever system you have developed to avoid using a password manager doesn’t scale. The more websites you need logins for, the more likely you are to forget you already used one of your favorite combinations. My password manager has more than 200 logins. Granted, I am an extreme case, but still your digital life is probably has dozens of logins too.

Third, you could argue that most modern browsers have password saving features to make it easier to login to websites, so you don’t need a password manager. Again, this gives you a false sense of security, particularly if you laptop or phone is lost or stolen. It is child’s play to read your saved password list on your device, and then you have a whole lot of hurt. When you install a password manager, you should turn off the saving password feature in your browser to avoid conflicts.

All the password managers have automated checks to tell you when you are about to reuse one of your existing passwords. Why would you have dupes with using the password managers? This is because you might not have changed all of your old passwords, and the manager is on the look out for one that it already knows about and has squirreled away.

Finally, another nice thing about password managers is that you can have your logins available for all your devices, even if you move around from laptop to phone to desktop. It just makes a lot of sense to use them. So take some time, and get on board, and be secure.

It is time to get more serious about protecting your email

Did you get a strange email last week from someone that you didn’t know, including one of your old passwords in the subject line? I did, and I heard many others were part of this criminal ransomware activity. Clearly, they were sent out with some kind of automated mailing list that made use of a huge list of hacked passwords. (You can check if your email has been leaked on this list.) It really annoyed me, and I got a few calls from friends wanting to know how this criminal got ahold of their passwords. (BTW: you shouldn’t respond to this email, because then you become more of a target.)

But the question that I asked my friends was this: Do you still have logins that make use of that password? You probably do.

Email is inherently insecure. Sorry, it has been that way since its invention, and still is. All of us don’t give its security the attention it needs and deserves. So if you got one of these messages, or if you are worried about your exposure to a future one, I have a few suggestions.

First, you need to read this piece by David Koff on rethinking email and security. It brought to mind the many things that folks today have to do to protect themselves. I would urge you to review it carefully. Medium calculates it will take you 17 minutes, but my guess is that you need to budget more time. There is a lot to unpack in his post, so I won’t repeat it here.

Now Koff suggests a lot of tools that you can use to become more secure. I am going to just give you four of them, listed from most to least importance.

  1. Set up a password manager and start protecting your passwords. This is probably the biggest thing that you can do to protect yourself. It will make it easier to use stronger and unique passwords. I use LastPass.com, which is $2 per month. For many of my accounts, I don’t even know my passwords anymore because they are just some combination of random letters and symbols. If you don’t want to pay, there are many others that I reviewed at that link here that are free for personal accounts.
  2. Create disposable email accounts for all your mailing lists. Koff suggests using 33mail.com, but there are many other services including Mailinator.com, temp-mail.org, and throwawaymail.com. They all work similarly. The hard part is unsubscribing from mailing lists with your current address, and adding the new disposable addresses.
  3. Even with a password manager, you need to make use of some additional authentication mechanism for your most sensitive logins. Use this for as many accounts as you can.
  4. Finally, if you are still looking for something to do, at least try encrypted email. Protonmail.com is free for low-end accounts and very easy to use.

There is a lot more you can to make yourself more secure. Please take the time to do the above, before you get someone else trying to steal your money, your identity, or both.

Understanding email encryption

Earlier this week, we had a major storm with the release of a new report about email encryption issues.Called Efail, it starts with this research paper and website. What I want to talk about today is the following:

First, the vulnerabilities described in the Efail documents were well known, with some of them been around for more than a decade. Basically, if you use HTML email to read your email – which if you are concerned about privacy you shouldn’t be doing in the first place – certain email clients combined with plug-ins for PGP or S/MIME will expose encrypted data to a hacker, if the hacker has access to your email stream.

Second, notice the if in the last sentence. That is a very big condition. Sure, hackers could target your network or email flow, but chances are unlikely.

 

Third, the amount of bad reporting was immense, with most reporters missing the fact that there was nothing wrong with the PGP or S/MIME protocols themselves, only poor implementations. (The Efail authors do a solid job of reporting which clients are at issue.) There are numerous encrypted email solutions that aren’t affected by Efail.

Part of my problem with the reporting is the way that Efail was disclosed, with little or no advance notice to security analysts and other affected parties. This didn’t help matters.

One of the more alarmist posts was from the EFF, which weighed in with some very confusing suggestions. That is both unusual (since they are level-headed most of the time on technical issues) and unfortunate (because they are suggesting that folks stop using encryption). That isn’t a good idea, especially if you are one of the few that actually use PGP in your daily life. (Lesley Carhart’s tweet was spot-on.)

There were some standout reports that I will recommend. First, if you are new to email encryption, the best general source that I have found is Andy Yen’s TED talk from several years ago. He explains how encryption works and what to look for and why you need it. Yen happens to work for Protonmail, which is certainly a good starting place to use encrytion. The best overall report is from Steve Ragan at CSOonline, who documents the disclosures and what you need to do to update your email clients in this post. Finally, if you are ultra-paranoid, you should turn off HTML rendering in your email client.

 

Becoming a better master of my email domain

This post adds my own personal experiences to improving the email authentication protocols of my own domain. I wrote about these issues in general for iBoss earlier this year and described the three protocols (SPF, DKIM and DMARC) and how they interact with each other. These protocols have been around for a while, and implementing them isn’t easy and hasn’t been very popular, outside of perhaps Google-administered email domains.

A recent survey from Barracuda shows how the majority of folks haven’t yet set up anything in their environments, as you can see by this graphic below. Another survey from Agari (who sells DMARC managed services, so they have something of a self-interest) says 82 percent of federal government domains lack DMARC protection. To try to fix this, the feds are getting more serious about DMARC, requiring it across all agency networks soon. 

So I wanted to be able to lead by example and actually put these tools in place on my own servers. That was easier said than done.

I first contacted Valimail in August. They have a managed email authentication service and agreed to work with me to get me set up. Valimail knows what they are doing in this space. As an example, a few weeks ago one researcher posted how he could deliberately break some DKIM records if he created some oddball email messages. Turns out Valimail has this covered and posted a counter reply. They claimed that the researcher didn’t really understand how it was used in practice.

And that is the issue: these protocols are very, very hard to implement in practice. Getting my domains setup wasn’t easy: part of that was my fault, and partly because this is a knotty area that has a lot of specific knobs to turn and places where a misplaced comma can wreck your configuration. So I am glad that I had them in my corner.

Let’s talk about what was my fault first. I have two different Internet providers for my domains. First is GoDaddy, which registers my domains. I have always felt it is a good idea to separate my content from my registrar, which is where my second provider, EMWD.com, comes into play. They host my blogs and mailing lists. The problem is that the three email protocols touch on aspects of both what the registrar has to do and what the content hosting provider has to do, and so I found myself going back and forth between the two companies and their various web-based control panels to add DNS entries and make other adjustments as I needed. For your particular circumstances, that may not be necessary. Or it could be more complicated, depending on how many individual domains (and sub-domains) you own and how you have set up your email servers.

When you first sign on with Valimail, they run a report that shows how messed up your email system is. Now right here I want to stop and explain what I mean. Your email system is probably working just fine, and your messages are flowing back and forth without any real issues. Except one: they aren’t using the full power of the various authentication protocols that have been developed over the years. If you don’t care about spam and phishing, then stop right here. But if you do care — and you should — then that means you need to get email authentication done correctly. That is the journey that I have been on since this summer.

OK, back to my story. So I got a report from Valimail that looked like this.  It shows that I made several mistakes in configuring my mail server because it uses a different domain (webinformant.tv) from the domain that I use for sending individual emails (strom.com). Duh! It was embarrassing, after all these years claiming to be this email “expert” (I did write a book on corporate email use once upon a time) and yet I still missed this very obvious mistake. But that is why you hire outside consultants to help you learn about this stuff.

That wasn’t my only problem. Second, I was using WordPress as my blogging software. Now, what does this have to do with email, you might ask? My problem was I didn’t immediately make the connection either. Some of my emails weren’t being authenticated properly, and it was only after further investigation did I realize that the comments that were being collected by my blog were the culprits. WordPress uses email to notify me about these comments. Luckily, there is a plug-in for fixing this that was available. Of course, it still took some effort to get it working properly.

This is why you want someone like Valimail to be working with you, because the chances of making any errors are huge, and your email infrastructure can be a bigger project that you realize, even for a small organization such as my own operation.

I have one other technology piece in my mix. One of the reasons why I chose EMWD is because they offer cheap but really good hosting of Mailman, which is a Unix-era email server that I have been using for more than a decade for my weekly Web Informant newsletters. It isn’t as fancy as Mailchimp or some of the other more modern mailers, but I also am familiar enough with its oddities that I feel comfortable using it. So any DKIM/DMARC/SPF installation also had to make some changes to its parameters too. Luckily, The folks at Valimail knew which ones to tweak.

So it took several months of elapsed time to work with Valimail to get things correctly setup. And that is probably a good thing because uncovering all the various applications that make use of email in oddball ways will take some time, particularly if you are a decent-sized company. Most of the elapsed time for my situation was because I was busy on other matters, and also because it took me several tries to understand the scope of what I had to do. Also, because Valimail’s typical customer is a larger enterprise, they weren’t very familiar with the cPanel interface that EMWD (like a lot of smaller ISPs) employs, or working with WordPress, so they had a learning curve too.

The team that helped me was very patient, which was great because I did need a lot of hand-holding (in the form of JoinMe meetings and screen sharing sessions) to walk me through the various processes. But what this demonstrated to me is how ingrained using email for various tasks can be, even for a company of one employee.

So the moral of the story: even if you know what you doing, this is one area that requires very specialized knowledge. But if you want to make an effort to reduce spam and phishing, you should implement all three of these protocols. And you might end up fixing some other email issues across your enterprise along the way too.

Why you should be afraid of phishing attacks

I have known Dave Piscitello for several decades; he and I served together with a collection of some of the original inventors of the Internet and he has worked at ICANN for many years. So it is interesting that he and I are both looking at spam these days with a careful eye.

He recently posted a column saying “It sounds trivial but spam is one of the most important threats to manage these days.” He calls spam the security threat you easily forget, and I would agree with him. Why? Because spam brings all sorts of pain with it, mostly in the form of phishing attacks and other network compromises. Think of it as the gateway drug for criminals to infect your company with malware. A report last December from PhishMe found that 91% of cyberattacks start with a phish. The FBI says these scams have resulted in $5.3 billion in financial losses since October 2013.

We tend to forget about spam these days because Google and Microsoft have done a decent job hiding spam from immediate view of our inboxes. And while that is generally a good thing, all it takes is a single email that you mistakenly click on and you have brought an attack inside your organization. It is easy to see why we make these mistakes: the phishers spend a lot of time trying to fool us, by using the same fonts and page layout designs to mimic the real sites (such as your bank), so that you will login to their page and provide your password to them.

Phishing has gotten more sophisticated, just like other malware attacks. There are now whaling attacks that look like messages coming from the CFO or HR managers, trying to convince you to move money. Or spear phishing where a criminal is targeting someone or some specific corporation to trick the recipient into acting on the message. Attackers try to harvest a user’s credentials and use them for further exploits, attach phony SSL certificates to their domains to make them seem more legitimate, use smishing-based social engineering methods to compromise your cell phone, and create phony domains that are typographically similar to a real business. And there are automated phishing construction kits that can be used by anyone with a minimal knowledge to create a brand new exploit. All of these methods show that phishing is certainly on the rise, and becoming more of an issue for everyone.

Yes, organizations can try to prevent phishing attacks through a series of defenses, including filtering their email, training their users to spot bogus messages, using more updated browsers that have better detection mechanisms and other tools. But these aren’t as effective as they could be if users had more information about each message that they read while they are going through their inboxes.

There is a new product that does exactly that, called Inky Phish Fence. They asked me to evaluate it and write about it. I think it is worth your time. It displays warning messages as you scroll through your emails, as shown here.

There are both free and paid versions of Phish Fence. The free versions work with Outlook.com, Hotmail and Gmail accounts and have add-ins available both from the Google Chrome Store and the Microsoft Appsource Store. These versions require the user to launch the add-in proactively to analyze each message, by clicking on the Inky icon above the active message area. Once they do, Phish Fence instantly analyzes the email and displays the results in a pane within the message. The majority of the analysis happens directly in Outlook or Gmail so Inky’s servers don’t need to see the raw email, which preserves the user’s privacy.

The paid versions analyze every incoming mail automatically via a server process. Inky Phish Fence can be configured to quarantine malicious mail and put warnings directly in the bodies of suspicious mail. This means users don’t have to take any action to get the warnings. In this configuration, Outlook users can get some additional info by using the add-in, but all the essential information is just indicated inline with each email message.

I produced a short video screencast that shows the differences in the two versions and how Phish Fence works. And you can download a white paper that I wrote for Inky about the history and dangers of phishing and where their solution fits in. Check out Phish Fence and see if helps you become more vigilant about your emails.

How to protect your emails using Inky Phish Fence

Inky Phish Fence is an anti-phishing platform available for many email systems and can detect and defend against many types of suspicious emails and phishing attacks. It comes as an add-in for Outlook for Exchange/Office 365 accounts. It is also available for G Suite and Gmail as a Chrome extension. Enterprise users would most likely use a purely server-side gateway version where the checks are performed automatically and the warnings get inserted into the actual email. The consumer add-ins are free, the corporate version starts at a few dollars per month per user with quantity discounts available.

I tested the product in November 2017.

 

And you can download a white paper that I wrote for Inky about the history and dangers of phishing and where their solution fits in.

iBoss blog: Implementing Better Email Authentication Systems

To provide better spam and phishing protection, a number of ways to improve on email message authentication have been available for years, and are being steadily implemented. However, it is a difficult path to make these methods work. Part of the problem is because there are multiple standards and sadly, you need to understand how these different standards interact and complement each other. Ultimately, you are going to need to deploy all of them.

You can read my latest blog for iBoss here to find out more.

Network World review: Email encryption products are improving

Email encryption products have made major strides since I last looked at them nearly two years ago in this review for Network World. This week I had an opportunity to revisit these products, and found that they have gotten easier to use and deploy, thanks to a combination of user interface and encryption key management improvements. They are at the point where encryption can almost be called effortless on the part of the end user.

I reviewed five products: the two that I reviewed in 2015 (HPE/Voltage Secure Email and Virtru Pro) and three others (Inky, Zix Gateway, and Symantec Email Security.cloud). The overall winner was Zix (shown here). It was easy to install and manage, well-documented, and the encryption features were numerous and solid. The only drawback was that Zix lacks a separate mobile client to compose messages, but having a very responsive mobile web app made up for most of this issue.

You can read the complete review in Network World here, and you can watch a screencast video comparing how three of the products handle data leak protection:

What, me worry (about my emails)?

I never thought I would see the day where executives and major public figures would be proud of their techno-luddite status. Scratch that. Not proud, but grateful. In a story in today’s New York Times, several senators and other public figures are quoted about how they have given up their personal email accounts, or have begun scrubbing their sent folders, thanks to the recent series of leaks from the mailboxes of the DNC and Colin Powell.

chuck2Senator Lindsey Graham said, “I haven’t worried about an email being hacked since I’ve never sent one. I’m, like, ahead of my time.” Senator Chuck Schumer is noted for still using a flip phone. And of course there are the email-related stories that doggedly follow one of our presidential candidates around. All of a sudden, it is cool to be more disconnected. Especially ironic, given today is also the day millions will flock to the nearest Apple Store and buy a phone that doesn’t have a headphone jack. (Shelly Palmer’s rant on this is pure pleasure.)

The hacked emails seem to be genuine, at least according to press reports and the impact they have had with the shake up of the DNC leadership. But they have also had the effect that others in the public eye are reconsidering the contents of their own message store.

I have even learned a new acronym: LDL, for let’s discuss live. Meaning, “too hot to talk about in email.”

So let’s all just take a deep breath and look calmly at a few simple rules for your own email usage going forward. First off, yes, emails can be compromised. Don’t say anything there that you wouldn’t want anyone else to read. While you may not think you are a target or of any interest, you have no control over where that message might end up. You might want to walk down the hall for a quick FTF meeting, or even pick up the phone. Think about the 80’s.

Second, if you are very worried, start using encryption, and make sure it covers the complete path end-to-end. There are several instant messaging platforms that are easy to use (Network World did a recent review comparing them, and I have written reviews of encrypted email products for them as well). Yeah, I know, encryption is a pain, but the current crop of products is actually pretty easy to deploy and use. Having said that, hardly anyone sends me encrypted emails, ever.

Third, take a moment to review your password collection for your communications products, including your IMs, email accounts, voice mails and VoIP products. If you use the same password for more than one of these tools, take a day and install LastPass or some other password manager and start treating these passwords more seriously. Do it this weekend.

Finally, don’t hide behind your personal accounts such as Facebook or a non-corporate email address. Those are just as much at risk, as one network anchor realized who hurriedly deleted his Gmail account that was cited in the Times story. Everything is discoverable and vulnerable these days.

Quickbase blog: Signs your team is misusing email for collaboration

There are numerous articles on the misuse of email (including this post where we talk about ways to onboard Gen Y workers), but one of the biggest mistakes is email becomes the general all-purpose tool for all kinds of inappropriate collaboration methods for your team. While email is great for point-to-point communications, it falls down when it comes to sharing and editing spreadsheets and documents, scheduling meetings, and tracking projects — all things that I talk about in my latest post for the Quickbase Fast Track blog here.