If you don’t want Google to have all of your passwords, you need to turn off Smart Lock

I know it’s convenient to have your Chrome browser save all of your passwords so that you don’t have to type them in each time. However, this is a big security risk.

If I were you, I would go to https://passwords.google.com and turn off “Smart Lock for Passwords.” I bet you didn’t know that such a URL even existed. Scary…

Also, if you use Chrome, go to your Settings > Advanced Settings > Manage passwords and turn it off along with Auto Sign-in.

Lessons From the Dyn DDoS Attack

A week ago Friday, someone took down numerous popular websites in a massive distributed denial-of-service (DDoS) attack against the domain name provider Dyn. DDoS attacks are neither new nor sophisticated. The attacker sends a massive amount of traffic, causing the victim’s system to slow to a crawl and eventually crash. There are more or less clever variants, but basically, it’s a datapipe-size battle between attacker and victim. If the defender has a larger capacity to receive and process data, he or she will win. If the attacker can throw more data than the victim can process, he or she will win.

The attacker can build a giant data cannon, but that’s expensive. It is much smarter to recruit millions of innocent computers on the internet. This is the “distributed” part of the DDoS attack, and pretty much how it’s worked for decades. Cybercriminals infect innocent computers around the internet and recruit them into a botnet. They then target that botnet against a single victim.

You can imagine how it might work in the real world. If I can trick tens of thousands of others to order pizzas to be delivered to your house at the same time, I can clog up your street and prevent any legitimate traffic from getting through. If I can trick many millions, I might be able to crush your house from the weight. That’s a DDoS attack ­ it’s simple brute force.

As you’d expect, DDoSers have various motives. The attacks started out as a way to show off, then quickly transitioned to a method of intimidation ­ or a way of just getting back at someone you didn’t like. More recently, they’ve become vehicles of protest. In 2013, the hacker group Anonymous petitioned the White House to recognize DDoS attacks as a legitimate form of protest. Criminals have used these attacks as a means of extortion, although one group found that just the fear of attack was enough. Military agencies are also thinking about DDoS as a tool in their cyberwar arsenals. A 2007 DDoS attack against Estonia was blamed on Russia and widely called an act of cyberwar.

The DDoS attack against Dyn two weeks ago was nothing new, but it illustrated several important trends in computer security.

These attack techniques are broadly available. Fully capable DDoS attack tools are available for free download. Criminal groups offer DDoS services for hire. The particular attack technique used against Dyn was first used a month earlier. It’s called Mirai, and since the source code was released four weeks ago, over a dozen botnets have incorporated the code.

The Dyn attacks were probably not originated by a government. The perpetrators were most likely hackers mad at Dyn for helping Brian Krebs identify ­ and the FBI arrest ­ two Israeli hackers who were running a DDoS-for-hire ring. Recently I have written about probing DDoS attacks against internet infrastructure companies that appear to be perpetrated by a nation-state. But, honestly, we don’t know for sure.

This is important. Software spreads capabilities. The smartest attacker needs to figure out the attack and write the software. After that, anyone can use it. There’s not even much of a difference between government and criminal attacks. In December 2014, there was a legitimate debate in the security community as to whether the massive attack against Sony had been perpetrated by a nation-state with a $20 billion military budget or a couple of guys in a basement somewhere. The internet is the only place where we can’t tell the difference. Everyone uses the same tools, the same techniques and the same tactics.

These attacks are getting larger. The Dyn DDoS attack set a record at 1.2 Tbps. The previous record holder was the attack against cybersecurity journalist Brian Krebs a month prior at 620 Gbps. This is much larger than required to knock the typical website offline. A year ago, it was unheard of. Now it occurs regularly.

The botnets attacking Dyn and Brian Krebs consisted largely of unsecure Internet of Things (IoT) devices ­ webcams, digital video recorders, routers and so on. This isn’t new, either. We’ve already seen internet-enabled refrigerators and TVs used in DDoS botnets. But again, the scale is bigger now. In 2014, the news was hundreds of thousands of IoT devices ­ the Dyn attack used millions. Analysts expect the IoT to increase the number of things on the internet by a factor of 10 or more. Expect these attacks to similarly increase.

The problem is that these IoT devices are unsecure and likely to remain that way. The economics of internet security don’t trickle down to the IoT. Commenting on the Krebs attack last month, I wrote:

The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.

To be fair, one company that made some of the unsecure things used in these attacks recalled its unsecure webcams. But this is more of a publicity stunt than anything else. I would be surprised if the company got many devices back. We already know that the reputational damage from having your unsecure software made public isn’t large and doesn’t last. At this point, the market still largely rewards sacrificing security in favor of price and time-to-market.

DDoS prevention works best deep in the network, where the pipes are the largest and the capability to identify and block the attacks is the most evident. But the backbone providers have no incentive to do this. They don’t feel the pain when the attacks occur and they have no way of billing for the service when they provide it. So they let the attacks through and force the victims to defend themselves. In many ways, this is similar to the spam problem. It, too, is best dealt with in the backbone, but similar economics dump the problem onto the endpoints.

We’re unlikely to get any regulation forcing backbone companies to clean up either DDoS attacks or spam, just as we are unlikely to get any regulations forcing IoT manufacturers to make their systems secure. This is me again:

What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.

That leaves the victims to pay. This is where we are in much of computer security. Because the hardware, software and networks we use are so unsecure, we have to pay an entire industry to provide after-the-fact security.

There are solutions you can buy. Many companies offer DDoS protection, although they’re generally calibrated to the older, smaller attacks. We can safely assume that they’ll up their offerings, although the cost might be prohibitive for many users. Understand your risks. Buy mitigation if you need it, but understand its limitations. Know the attacks are possible and will succeed if large enough. And the attacks are getting larger all the time. Prepare for that.

Yahoo: One Billion More Accounts Hacked

Just months after disclosing a breach that compromised the passwords for a half billion of its users, Yahoo now says a separate incident has jeopardized data from at least a billion more user accounts. The company also warned attackers have figured out a way to log into targeted Yahoo accounts without even supplying the victim’s password.

yahboohoo

On September 22, Yahoo warned that a security breach of its networks affected more than 500 million account holders. Today, the company said it uncovered a separate incident in which thieves stole data on more than a billion user accounts, and that the newly disclosed breach is separate from the incident disclosed in September.

(Update, Dec. 15, 2016: Yahoo users looking for more advice on what to do next should check out the Q&A just published here, My Yahoo Account Was Hacked! Now What?).

“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” Yahoo’s chief information security officer Bob Lord said in a statement the company published Wednesday afternoon. “We have not been able to identify the intrusion associated with this theft.”

The statement says that for “potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

In addition, Lord said the attackers had worked out a way to forge “cookies” that Yahoo places on user computers when they log in. Authentication cookies are text files that contain information about the user’s session with Yahoo. Cookies can contain a great deal of information about the user, such as whether that the user has already authenticated to the company’s servers.

The attackers in this case apparently found a way to forge these authentication cookies, which would have granted them to access targeted accounts without needing to supply the account’s password. In addition, a forged cookie could have allowed the attackers to remain logged into the hacked accounts for weeks or indefinitely.

Yahoo’s statement said the company is in the process of notifying the affected account holders, and that it has invalidated the forged cookies.

“We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” Lord said.

Yahoo says users should change their passwords and security questions and answers for any other accounts on which they used the same or similar information used for their Yahoo account. The company is asking users to review their accounts for suspicious activity, and to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

For years I have been urging friends and family to migrate off of Yahoo email, mainly because the company appeared to fall far behind its peers in blocking spam and other email-based attacks. But also because of pseudo-security features (like secret questions) that tend to end up weakening the security of accounts. I stand by that recommendation.

Most importantly, if you are reusing your Yahoo password anywhere else, now is a great time to change those passwords. And remember, never reuse your email password (or any other password tied to an account that holds sensitive data about you) at any other site.

How To Use a USB Stick To Securely Log In to Gmail

If you’ve configured two-step verification for your Gmail account, rather than checking your mobile for codes you can plug in a verified USB stick instead. You can carry it wherever you go, and of course, it doesn’t lose battery or signal. According to Google, it also offers better protection against phishing attacks. Here’s how you can set it up.

 What you need first is a USB stick that’s compatible with the FIDO Universal 2nd Factor (U2F) standard. A variety of different models are available, which shouldn’t break the bank—in this guide we’re using the Yubico Security Key. You’re also going to need the latest version of Chrome (40+) on your Chrome OS, Windows, Mac OS, or Linux machine.

Head to the two-step verification page from your Google account portal: it’s under Signing in to Google. If you don’t already have the two-step process switched on, it’s time to improve your account security and set it up. If you have the additional layer of security already in place, Security Key appears as one of the alternative options along the top of the settings page.

Choose Add Security Key to begin the setup process. Click the Register button, push your key into a spare USB port, then tap the button on the stick itself. ClickDone and you’re all set—whenever Google’s two-step verification process kicks in (usually when you’re signing in from a new computer), you can use the stick in place of the Authenticator app on your phone.

 The same key can be used with multiple accounts but of course keep a safe watch on your backup codes and have the Authenticator app ready to go as well should your new ultra-secure USB keyring go missing. In places where you can’t use the stick—on phone and tablets, for example—you’ll be prompted for a verification code instead.

How To Check If You’ve Been Hacked Within Seconds

Even if your password is a bit more complicated that “qwerty,” your information is always out there in the big, bad world of the Internet. Just this week, it was revealed that hundreds of millions of account details had been stolen from many popular email services and websites.

So, if you’re worried or curious that your account could be compromised, head over to haveibeenpwned.com. Simply by tapping in your email address or username, you’ll instantly be able to find out whether any information from your account has been leaked.

If there is “no pwnage found” on your accounts, it’s still not a bad idea to change your password regularly. But while you’re at it, perhaps it’s best to stay away from these most popular passwords.