My Cybersecurity Essentials talk on November 09

I haven't presented an in-person talk since the plague struck almost three years ago, and it's finally time to try another one, before winter arrives.

My talk is entitled "Cybersecurity Essentials for Small Businesses and Professionals" and will be on November 9 from 11:45 to 12:45 (with then an extra 30 minutes for questions) at the Okanagan Regional Library (ORL) Kelowna downtown location.

For the details check out this notice by ORL:

Cybersecurity Essentials for Small Businesses and Professionals (kelownanow.com)

If you attended a past talk of mine with a similar title and you understood and implemented all the security measures I discussed, then there's no reason to attend this talk.  But otherwise there is.  :)

And please do pass this on to anyone you know who might benefit.


World Password Day 2022

Today is World Password Day!

It's a reminder that all your passwords (except for a few exceptions like device passwords/PINs) should be strong: random, long (a minimum of ~15 characters but why not choose 30), and unique (i.e. no password ever used for more than a one account). This may sound hard to do but it's easy with a password manager (e.g., BitWarden, 1Password, LastPass).

To go along with strong passwords you should enable two-factor authentication (2FA) on all your accounts that support it. For most users the TOTP type of 2FA (e.g., Authy, Google Authenticator) is a good balance of security and usability; use the SMS type of 2FA only if there is no other type available.

If you do nothing else, make sure your primary email account follows the above guidelines: if an attacker can take over that account, they can take over most of your other accounts by doing a password reset on them.

For larger organizations, Single Sign-On (SSO) is a nice way to get rid of most passwords for users.


Unblocking paste in web pages

Have you ever tried to do the usual password manager thing on a web page and had it fail?  It could be because the web page blocks pasting into one or more of its password text fields.  This post will tell you how to get around this.

Some web sites block pasting into password fields -- typically on a login page and/or a password change page -- because they think that by blocking use of a password manager they are somehow making them or their users more secure.  That's plain dumb!

This blocking used to be a lot more prevalent than it is today, but a few days ago I found that one of my important service accounts would not let me paste into the password change page.  This prevented me from using my password manager's password generator tool to generate a very long random new password, something I do for all new and changed passwords.

I refused to change the password to something short and simple that I could type, as the website clearly intended me to.  So I did some research and found an extension that is able to fix this, Allow Right-Click:

I suggest configuring the extension so that it appears in your list of extension icons in the top right of your browser.  Later, when you run into a page that blocks pasting, do this:

  1. click on that extension icon to enable it (the icon will darken)
  2. do your pasting, or have your password manager do the pasting
  3. click on the extension icon again to disable it (the icon will change back).  
Note that I'm suggesting #3 only because keeping unnecessary extensions disabled when not needed is good for security.

N.B. Be aware that any pasting of passwords into web pages comes with the risk that you could get phished.  By pasting a password -- instead of using your password manager's autofill -- you are bypassing a key protection that the password manager provides you: verification of the login page domain name against the expected domain name prior to pasting.  

Many users forget to check the domain name before they blindly start typing their userid and password, which is a nice way to get phished.  Your password manager, though, is smarter than that and will always verify the domain name.  So always use the password manager's autofill feature instead of manually copying the password from the password manager and pasting it into the login page.  
If the autofill doesn't work for some reason -- this will happen occasionally -- and you need to manually paste, be darned sure you're pasting into a valid login page, not a phishing page.  Check this by carefully examining the domain name.

The above applies to password change pages too, as a phishing page could just as easily be a password change page as a login page.


WebAuthn and Password Managers

I've thought for a while that password managers would be ideal places to store WebAuthn private keys. 

I already use a password manager to store my passwords so, as passwords move to WebAuthn, I'd like to use it to store my WebAuthn private keys as well, probably in parallel with a hardware security key like YubiKey.

WebAuthn supports roaming authenticators, which I believe could include a cloud service like a password manager.  This idea seems obvious so I'm surprised it hasn't gotten any traction.  Maybe there's an issue that I'm not aware of, and one of these days I need to do some deeper research.

1Password just announced support for SSH keys: SSH and Git, meet 1Password 🥰 | 1Password.  Hopefully this is a step on the path.


Update 2022-04-01: For a very relevant proposal, see the "Copyable, multi-device Passkeys" section here: What does the future hold for modern authentication? - Yubico


Defenses against phishing

In a local Slack forum someone recently asked about how phishing and IoT attacks compare in number.  My answer was...

Phishing in all its variants is by far the biggest vector because (in most forms) it requires essentially no effort by an attacker.  An IoT attack needs to be specifically executed against a target by an attacker, so most "run of the mill" SMBs are not that likely to be on the receiving end of this.  All orgs are going to be on the receiving end of phishing, though, and continually.

For phishing, the best defenses are:

  • training users about phishing
  • using long, random strings for all passwords
  • providing the org's users with a password manager (e.g., BitWarden, 1Pasword, LastPass)
  • enabling 2FA on all accounts that support it (preferably not SMS-type 2FA; TOTP authenticator apps like Authy are nice compromise between security, cost, and convenience)
  • through the org's Acceptable Use Policy (AUP), requiring employees to (a) use long, random strings for all passwords, (b) use only the org's designated password manager for storing the credentials for all accounts, and (c) enable 2FA on all accounts that support it, and to use SMS-type 2FA only if there is no other option available
  • using an email provider that does a very good job of filtering out spam
  • if the org is larger, providing a Single Sign-On (SSO) system to employees, to get rid of as many password-based account logins as possible (e.g., Okta, Ping, Microsoft AAD)


SIM swapping

If you think that SIM swapping just means you putting a new SIM card into your phone, you should read this great article:

Sharp SIM-Swapping Spike Causes $68M in Losses | Threatpost

SIM swapping is a very real threat that, if executed against you, can result in the takeover of some of your Internet accounts.  And it's quite easy to execute.

Here are some addition suggestions beyond those in the article:

  1. Put a strong, unique password on your cellular account login. The article mentions "variation of unique passwords" but that's not secure.  You should be using long random passwords for all accounts and a password manager to manage those passwords.
  2. Call up your cellular carrier and tell them you want to place a special password on your account to block malicious porting (= SIM swapping) of your phone number.  Not all carriers will allow this.
  3. Alternatively, for more security but less convenience, call up your carrier and tell them not to allow any changes to your account unless you're physically present in one of the carrier's stores and a carrier employee verifies your ID.  Not all carriers will allow this.
  4. Even better, get a second, separate phone number for use only for account ownership, authentication, and 2FA.  Don't this use account to call anyone, and keep the number as private as possible. Google Voice is a great choice.  There are ways of getting a GV number if you live in Canada or another unsupported country.
  5. Put a PIN on your phone's SIM card. You do this from your phone's settings. This is actually to protect you in case your phone gets stolen, not to prevent SIM swapping. But the effect of a stolen phone -- and therefore stolen SIM card -- is essentially the same as that of SIM swapping: your accounts that use SMS for ownership, authentication, or 2FA can get taken over.
  6. Make sure you store the passwords/PINs mentioned above in your cloud-based password manager, and for resilience make sure you can access your password manager from all of your devices.  (This also applies, of course, to all your other account credentials.)


Cybersecurity hygiene for the new year

Happy new year!  Here are some cybersecurity greetings for the new year -- it's a very dangerous world out there.

I hope all of you are doing these basic cybersecurity hygiene things:
  • You're using a cloud-based password manager, e.g., 1Password, LastPass, or Bitwarden -- and all your passwords are long, random, and unique (never reused).  (Proper use of a password manager will make you very resistant to phishing.)
  • You're using cloud-based 2FA, especially Authy -- and you've enabled 2FA on all services that support it.
  • You're backing up all your data both to at least one cloud backup service (e.g., CrashPlan, Backblaze, Sync.com, Duplicati) and to at least one external drive -- and those external drives have full-disk encryption.
  • You've hardened all your devices with strong passwords/PINs, full-disk encryption (for Windows you need BitLocker), and regular updates.
  • You've junked all computers, phones, and tablets that no longer get updates.
  • (I could go on and on, but that's a good start.)
  • You might think all this will consume too much time, but you'll be saving yourself a lot more wasted time from your digital life getting compromised.  Most of the above are mainly one-time actions to set up.
If you're still using your ISP's email service, like @telus.net and @shaw.ca, this is for you:
  • If/when you decide to look to greener hills, you'll find it really painful to move to a new ISP since your existing one has you by the short and scruffy. The issue is not all your contacts that use that address, it's all your cloud services that have that address as the owning email id.
  • I recommend that you start fixing this now: create a permanent email address like @gmail.com or @outlook.com and slowly move over all your cloud accounts to that new address. Then you'll be free to switch ISPs if you ever want to. The longer you wait to do this, the more cloud accounts you'll have, and the more painful the eventual fix will be.
  • (Yes, the above falls under security: it's availability, which is a key part of the confidentiality/integrity/availability security triad.)