Thursday, 26 November 2015

This is what to do to not get hacked


Another facebook trojan doing the rounds, no doubt aiming to steal passwords, and another few friends had their accounts tumbled into.  Here is what to do to stop it happening to you.

First, the simple rules.

Rule 1.  The people trying to hack your accounts usually pimple-faced geeks (PFGs) with nothing better to do.  They are looking for an easy ride.  They are lazy, and generally speaking don't want to cause a major incident by identity theft.  They may be after a few dollars from your bank account, but mostly they are after a bit of fun.

Rule 2.  Most people have passwords that are pretty easy to guess.  It's either the same as their login name, or it's the same with a few numbers, or can be figured out by looking at their on line profile.  Or it's just "password1".

Rule 3.  Catch one, catch them all.  Most people have the same password for their facebook account as their linkedin account as their gmail account as their internet banking.  Either that or add or remove a few numbers from the end and you have them all.

Rule 4.  Most people who don't fall into rule 2 or rule 3 have a complex and difficult to remember password that is written on a yellow sticky note next to, or under, their keyboards.

Rule 5.  People who don't fall into rules 2, 3, or 4 make life hard for the PFGs and they will go elsewhere looking for fun.  See rule 1.

So here's what to do.

Step 1.  Get hold of a decent password safe program.  There are many of them about, and most of them are free.  The one I use is called KeePass, and it can be found here:  There is a Linux version that is compatible with KeePass version 1 files, which is here:  The thing I like about it is that it's free, and it can be obtained in a "portable" edition that can be copied onto and run from a USB stick.  In fact it's not that hard to compile the Linux version statically, so that it can also be run from a USB stick.

Preferably, use a free one.  This is not an endorsement of KeePass as a product, but free is the way to go.  Whatever you do, don't use one where the source code can't be obtained, or one that says "we have a fantastic proprietary encryption algorithm that's all our own that nobody else knows about so it's ultra safe".  That is BS.  The best encryption algorithm to use is AES, preferably in the 256 bit variant.  The US government uses this algorithm for all of its defence needs and mathematicians all over the globe have been studying the algorithm for years and failed to find any faults.  The worst algorithms to use are the secret and proprietary ones, because they haven't been scrutinised by hundreds of mathematicians, and nobody knows if there are faults or not, or what those faults are.  The source code and mathematics behind AES are publically available, which makes it more secure.

Step 2. Go buy a USB stick.  Doesn't have to be big.  Get one with a swivel, that has a small loop on the swivel so that it can be stuck on your keyring.  Yes, that keyring, the one you keep your house keys on.  This is going to be your "internet" key, and you should keep it safe just like your house keys. Fetch and install KeePass or KeePassX or whatever onto the USB stick.  Make a folder on the USB stick and call it something like "holiday snaps".  Copy a couple of hundred of the most boring holiday photos you can find into the folder, preferably the ones of Uncle Ernie when he got drunk at your sister's 21st and felt up the cocktail waitress.  In addition to those holiday snaps, create your password safe file (KeePass calls this a KDB file but you don't have to give it a .kdb extension, in fact you can call it ernie_001.jpg.  This will confuse your JPEG viewer but won't bother KeePass.

Step 3.  Think of one password that you will never forget.  That's going to be the password to your KDB file.

Step 4.  Use KeePass or your favourite program to generate new, random passwords to all of your on line applications.  You want a different password for each app, so your facebook password and your LJ password and your internet banking password will all be different.  What size password you use may vary from place to place, e.g. LJ requires 8 or more characters in a password, and some require a minimum of 8 and a maximum of 32 or something like that.  16 or so randomly generated characters of upper & lower case plus some numbers is usually pretty good.

Don't try to think of different clever passwords for each application.  Use the program to generate a random one, within the constraints allowed by the application.  There might be something in your thinking that allows a hacker to guess what password you might choose, but nobody can guess what happens when you push the "Generate" button to create a random one.

The other simple rules

This is not a tutorial about how to use KeePass.  It's a pretty simple program, really, and there are many others like it.  There are on line manuals and tutorials and stuff for them, it's not rocket science.

Save your KDB file back to your USB stick.  Carry the USB stick with you.  Don't copy the KDB files to your hard disk, and don't write a copy of your password onto the USB stick (or on a yellow sticky note on your keyboard).

Make a backup copy of the USB stick every now and again (get a second USB stick) and give it to your mother, sister, aunt or some other trusted family member (probably not Uncle Ernie, especially if he's prone to getting drunk and feeling up cocktail waitresses).  Don't tell the person who you give the USB stick to what it's for, or what's on it, or what the password is.  If you like, make a copy of the password, put it in a sealed envelope with the name of the KDB file and give it to your solicitor, to be opened in the case of your accidental or untimely death.

Don't write the passwords down somewhere else.  It's an easy enough job to cut and paste the passwords from the KeePass program into your web browser or whatever other program you use that needs the passwords (your work's VPN client software for example).  KeePass has a special mechanism where it will put the password into the clipboard so you can copy and paste it for 10 seconds or so, and then erase it.


Carrier Sense, Multiple Access / Collision Detect.

Well it's moved on a bit since then at the topology/packet transmission level, but fundamentally it's still the same principle.  Ethernet networks, that sort of network that your computers at home are connected together by and also the network that is the main and primary communications channel holding the internet together, is CSMA/CD.

Carrier Sense:  All parties wanting to talk on the network have a quick listen to the network first to see if it's quiet.  If it is not, then they wait a bit and try again.

Multiple Access ... and here's the rub:  Many parties have access to the same shared network at the same time.  All parties can talk at the same time.  All parties can hear what the others are saying.  Well things have moved on a bit since CSMA/CD came out, network switches by and large have a larger backplane bandwidth than the bandwidth of the network so can isolate various network segments from each other based on MAC layer protocols, but even then it's reasonably simple for any listener to inject a MAC layer packet into the protocol that switches use to figure out who is where, so that the listener can hear some or all of the conversations on the network tha were not intended for it.  Alternatively it's also reasonably easy to program that at the switch level, so that the switch will (unbeknownst to the talkers) send all traffic to a specific listener as well as the listener that it was intended for.

There are a few Point-to-Point protocols on the internet, mostly used over long distances, but when packets are rattling around in a data center (where they tend to spend a large portion of their lives), there is nothing to stop party A listening in on a conversation between parties B and C.  That's how ethernet works, and so that's how the internet works.

Collision Detect.  If two parties talk at the same time, there will be a collision.  So if party A and party B send a packet at the same time, there's a protocol for party C (the intended recipient) to say "I didn't get that, it was garbled, please send it again".  Alternatively, party D, not the intended recipient, can also say "please send it again" so that it has a better chance of analysing the conversation going on and perhaps capturing the keys for any encrypted traffic that's being sent.

I recall an anecdote told to me by an ex-US military guy who worked for signals during the war in Vietnam.  He'd listen in on VC and NVA radio traffic, having learned the Vietnamese language, record them and translate them to hand back to intelligence corps.  If something was said on the radio that he didn't clearly understand, he'd ask the talker to repeat that and the person being listened to would politely and often more slowly and clearly repeat the information that he was after.  After all, HF radio is a difficult medium, and traffic can be lost as it bends around mountains and bounces around the atmosphere, so why wouldn't you repeat what you just said if someone on the other end of the radio asked you to do so?  Even if they were an enemy spy listening in on the orders you were relaying from Hanoi.

My, what a lot of computerised gobbledygook.  Del's talking c**p again, what does it all mean?

What does it all mean, dear readers (you've gotten this far so I'll be presumptuous enough to call you "dear")?

It means that nothing you say on the internet is private, at any time, on any level, ever.  All sorts of people could be listening in, traffic logging, all without your knowledge.  If they didn't get it the first time, they'll ask you to say it again, and your network layer will do precisely that without asking questions.  No, it's not Big Bad Facebook or Big Bad Google or Big Bad Pirates out to get you, it's the fundamental protocol that hangs the internet together.  Get used to it.  If you want to have a private conversation with someone, use the phone, or better still, have it in person.