mfa – Rogue Security

Personal Cybersecurity Tips and Resources

By Justin Robinson / June 18, 2021 June 18, 2021 / Personal Cybersecurity, Privacy, Risk Management / Leave a Comment

As infrastructure surrounding network connectivity improves, the number of Internet users will continue to increase. As of April, 2021, there is an estimated 4.27 billion of the 7.6 billion people in the world , who are using the internet. That’s more than 60% of the world population. Many users aren’t just using the internet at work, but they are also using it at home to keep connected with friends, use internet of things devices, and stream television and movies.

Cybersecurity starts with us, and there are simple things that we can do to get started on a path towards to a more cyber secure future.

Check Your Existing Accounts For Breaches

You probably use your email address or a pretty standard username or two when signing up for new accounts. This information may also assist you in finding out if your were a victim of a data breach.

‘;–have i been pwned?

The godfather of data breach reports, HaveIBeenPwned, allows you to search your email addresses and phone numbers to find out if either has appeared in a data breach. As of this writing the site has recorded over 11 billion “pwned” accounts.

DEHASHED

DEHASHED allows you to search multiple different fields including email and username in order to find compromised assets. DEHASHED acts as a search engine and is not an illegal data repository.

Have I Been Sold?

Inspired by HaveIBeenPwned, Have I Been Sold allows you to enter an email address and does a check to see if it was seen on any email sell lists. Have I Been Sold also allows you to receive notifications if they find it moving forward, as well as allows you to remove your data from their database.

BreachAlarm

BreachAlarm is another service that will allow you to check and monitor if any of your account passwords show up online allowing you to change your passwords before damage can be done.

Don’t Use Breached Passwords

“But, how can I know if the password that I’m using was found in a breach?” Great question! Various tools allow you to check whether a password was found in a data breach, without compromising the security of your passwords.

Pwned Passwords

Pwned Passwords stems from Troy Hunt’s tireless work with HaveIBeenPwned. Pwned Passwords is a gigantic database of over 600 million passwords found in real world data breaches. You simply enter a password and Pwned Passwords will tell you if it was exposed during a data breach.

Is that safe? Pwned Passwords uses a concept known as k-anonymity to only send the first 5-characters of an encrypted version of the password that you entered. In other words, the password that you enter isn’t even the same data that gets sent to the server. k-anonymity means that Pwned Passwords is only able to tell you that the password you entered matches any number of passwords it found, and is not a one-to-one lookup. You can read more about how Pwned Passwords uses k-anonymity, here.

Use a Password Management Tool and Never Reuse Passwords

I continue to preach password management as credential theft and password reuse is still far too common. Password management tools integrate with browsers and devices to help you create and store passwords, securely.

BitWarden is the only password manager that we recommend. It’s open source and is available on every platform, for both individuals and enterprises.

Use Multi-Factor Authentication

Authy (All)
Google Authenticator (Android and Apple iOS)
Microsoft Authenticator (Android and Apple iOS)
Duo Mobile App (Android and Apple iOS)

Use Antivirus and Firewall Protection

“What Antivirus should I use?”, “Which firewall do I need to download?”, “Do I need a hardware firewall?” Look, leave the tough stuff for the engineers. Both MacOS and Windows 10 have Antivirus protection and firewall software out-of-the-box. Instead of loading your devices with additional security software, you should educate yourself on how to be cybersafe.

Educate Yourself on Cyber Safety

Cybersecurity awareness and education isn’t always fun, but it doesn’t have to be boring. Here are some personal cybersecurity awareness links that will help you with better identifying threats, reminding you to perform regular security checks, and keep you in the know on the latest cybersecurity trends.

Knowing how, and where, to Report a cyber incident is important, too.

Relevant Articles

Telework Security Basics – NIST
Before You Connect a New Computer to the Internet – CISA
Protecting Portable Devices: Data Security – CISA
Understanding Firewalls for Home and Small Office Use – CISA
Understanding Patches and Software Updates – CISA
Evaluating Your Web Browser’s Security Settings – CISA

Keep Your Software Updated

Some of the biggest data breaches of our time have been due to unpatched software. When you your update software, computers, devices, and even apps you aren’t just getting cool new features and visuals, but you’re also usually getting security updates.

This website is hosted on WordPress, a commonly used Content Management System (CMS). According to the Sucuri 2019 Website Threat Research Report , just under half of WordPress websites were outdated at the time that the infection occurred.

Use a VPN When On Public Wi-Fi

It’s impossible to be certain whether the operators of a public Wi-Fi Hotspot are taking the necessary steps to protect your data from being stolen when using their services. You can, however, encrypt your communications using a Virtual Private Network (VPN) whenever you do connect to public Wi-Fi.

There are a lot of VPN providers available and we really can’t recommend one. However, here is a pretty regularly updated VPN Provider comparison Google Sheet that gives you information on 96 VPN providers including whether they log, limit traffic, what VPN technology they use, and even if they provide protections against a number of VPN attacks.

Review Your Accounts Regularly

Put it in your calendar right now. I’ll wait. All that you need to do is login to your accounts, verify your security settings, make sure MFA is enabled, and do a check of any third-party connections that exist when you use services like Google and Facebook to login to websites that are note Google or Facebook. Disconnect any services that you no longer use and bask in your account security.

The Dangers of Reusing Passwords and Password Security Tips

By Justin Robinson / June 16, 2021 June 16, 2021 / Password Security, SMB Security / Leave a Comment

You don’t need to tell me how annoying keeping track of your passwords is, and you really shouldn’t be expected to remember a subset of unique passwords for every login that you have; that might be a lot of passwords. So why is it then, that passwords are still the primary authentication mechanism for most of our logins?

The first use of password authentication is suspected to date back to the 1960’s at the Massachusetts Institute of Technology (MIT) during the development of a time-sharing computer, the Compatible Time-Sharing System (CTSS). Even then, passwords were not very effective and they have only gotten worse.

Risks of Reusing Passwords

I know many people who have a few passwords that they use over and over again on the different accounts that they need passwords for. This includes both work accounts and personal accounts. This wouldn’t normally be a problem if it weren’t for the almost 7 billion people in the world, very powerful computers, and data breaches. Let me explain.

How Data Breaches Increase Password Reuse Risk

Every time a data breach occurs there is the risk that an attacker will obtain usernames and passwords. What is increasingly happening is that these password repositories (both encrypted and unencrypted) are being sold, or traded between cyber criminals. This allows a cyber criminal to obtain large subsets of possibly legitimate credentials without doing much work.

Using these credential repositories cyber criminals can automate checks and logins to determine if any of the credentials are still valid. Once they’ve determined if any of the credentials still work, they can either use it to continue the cyber attack or sell the credentials to other criminals including nation states such as Russia and China.

Moore’s Law and Increasing Microprocessor Capabilities

Moore’s Law is an observation that the density of transistors in microprocessors doubling approximately every two years. This increase in density has lead to a direct effect of the increase of microprocessor capabilities

Passwords can only be as complex as our language, as well as any other limits we place on passwords (i.e. special characters), thus our passwords have limits. As computers become more and more powerful, they become more and more capable of performing a lot of calculations in a short period of time. Cracking or guessing a password involves using hardware in order to try and recover passwords.

There are a number of different methods and applications for password cracking but they also work similarly. They attempt to take a given input, cryptographically hash it, and compare it to the hash of an encrypted password that we have. If they match, then we’ve guessed the password.

Due to this increase in power, passwords have actually become weaker over time in terms of how quickly a certain length can be cracked. Here are some estimates from betterbuys.com.

Password cracking times decreasing between 2000 to 2016.

As you can see, a 9 character alphanumeric password in the year 2000 would take almost 4 years to crack. As of 2016, this same 9 character password takes just under 3 months.

Password Security

As I mentioned earlier, it’s not feasible to remember a large subset of unique passwords for every account that we may have. So stop trying to remember them!

Password Managers

Password Managers such as LastPass and BitWarden not only allow you to store passwords, but they also allow you to generate random passwords based on needs. Your password manager will have a single password to access, and then will provide you with complete plain-text access to all of your passwords.

By using your password manager, generating a random password for every login, and storing it securely, you will never have to remember any of your passwords other then the one that you use to login to your password manager.

Even if your password is stolen, it’s uniqueness prevents it from being used on any of your other accounts.

Multi-factor Authentication

I’ve mentioned Multi-factor Authentication (MFA) many times before. In short, MFA adds a second and even third authentication method that must be successfully entered, along with the password.

Authentication methods fall under three categories; something you know, something you have, and something you are. A true MFA solution must have at least two of these methods involved. Here are some examples of authentication types that fall under these categories.

Something You Know	Something You Have	Something You Are
Password	Smart Card	Fingerprint
	Software RSA Token (Mobile Phone)	Voice
	Hardware RSA Token	Retina/Iris
		Face

Length Is More Important Than Complexity

Although it’s recommended that we include not just letters, but also numbers and special characters in our passwords. At the end of the day, the length of your passwords is going to be more important then the complexity. An 8-character complex password will still be cracked before a 20-character simple one.

Government of Canada Quietly Rolls Out Multi-Factor Authentication

By Justin Robinson / November 23, 2020 June 8, 2021 / Information Security, Security News

I don’t quite know when, but the Government of Canada seems to have quietly rolled out multi-factor authentication (MFA) on its CRA portal. I expect this happened at sometime within the last week, at least for me it did. The only information I found on their website is detailed in this post.

This new service, named GCVerify, is a phone/SMS-based MFA solution that is now required after logging in to your CRA Account with either your GCKey credentials or Sign-In Partner.

If it’s the first time that you’ve logged in since the implementation you’ll be walked through setting up MFA by providing your phone number. You’ll receive a code via telephone call or SMS to confirm your identity.

InfoSec Check

Identity Validation

This identity validation confirms that your phone number should be associated with your username.

You should never allow anyone to access your telephone or text messages. A threat actor with access to your text messages can bypass text message based two-factor authentication (2FA) very easily. If given the choice, you should use a 2FA application such as Google Authenticator.

After your setup you’ll be prompted to enter a one-time passcode every time that you login to CRA account. This includes both Personal and Business accounts.

Multi-factor Authentication page on the Government of Canada CRA Login — Multi-factor Authentication page as seen during the Government of Canada CRA Login

The Personal Information Collection Statement page, has also been updated (third paragraph) to reflect the changes, although the information itself leaves little to be desired. I’ve copied the specific paragraph that talks specifically about multi-factor authentication, below.

We have a multi-factor authentication process for our online services. We collect the telephone number (landline or cell), method of delivery of the one-time passcode (telephone call or Short Message Service (SMS)) and language of choice to receive the one-time passcode that you provide when enrolling in multi-factor authentication. We share this information with the third party responsible for generating and sending you the code. The code you enter is also shared with the third party to ensure it matches before allowing you access to our online services.

It doesn’t specifically mentionÂ which vendor, however, when I dug through the Public Works and Government Services Canada website, I came accross a tender notice title:Â Invitation to Qualify (ITQ)Â Identity and Access Management (IdAM) Software Solution, posted 2020/06/22, that has several mentions of multi-factor authentication. A bit of an assumption but I wasn’t able to find anything that was any more relevant. It lists N7030:ADP Software as the Goods and Services Identification Number (GSIN).

This is definitely a step forward, but hopefully not a stopping point for the Government of Canada. As mentioned, phone-based and SMS-based MFAÂ does have it’s own issues, but at least it’s something, right? The fact that it’s enforced on each and every login is great, and the tokens definitely timeout, although I’m unsure of how long that timeout is. But, you can’t currently manage any part of that service, so if you want to update your telephone number you will have to contact the CRA helpdesk at 1-800-959-8281.

And no, you can’t disable it. But, I wouldn’t suggest that you did anyway.

Additional Resources:

Multi-factor authentication to access CRA login services

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.