Sunday, January 26, 2020

Verify that Email Address!

I Get Confidential Email,
and My Own Email Address Can't be Used

Last week I received the complete travel itinerary of a couple who're taking a trip on Southwest Airlines.  I have their full names because the TSA says so, that's why.  I know when they won't be home and where they're going.  I know when they're coming back.  They live in a medium-sized town in Texas and one of the couple has a somewhat unusual first name, so it was pretty easy to find their home address.  It's a good thing I'm not a burglar!

Today I created a new AppleID because I got an Apple device for the first time.  I couldn't associate my Gmail address with that account because it was already in use.  Apple accepted my alternate email address without verification.

I know people who routinely receive email for people in other countries and court filings that should be confidential at least until they enter the public record.  Same story.

How could such things happen?  Southwest and Apple were very careless; they blindly accepted the email address that someone typed into their form. 

Email can go astray in a number of ways.  A simple error in entering an email address could inadvertently change it to the valid address of a third party.  A person who is concerned about unwanted email might deliberately provide a “false” address that is actually the correct address of an unknown third party.  Although unlikely, it is not impossible that  someone could be the target of criminals who gain unauthorized access to the person’s email.

Legitimate Companies Verify Email Addresses

OK, spammers are never going to do this, but every legitimate company should verify every email address before accepting it as legitimate, and certainly before sending anything confidential to that address.  It's not hard, and the cost after implementation is extremely low.  I guesstimate that, in a professional setting, this would take a person-week, including specifications, managerial approval, and quality control.  Actual coding should take much less than a day.

Legitimate emailers should add to their customer databases an email status indicator with values unconfirmed, confirmed, and invalid.  When an email address is first added to the database, the status should be set to unconfirmed and an email to that address should be generated automatically.  The email should thank the person for providing an email address and should have a prominent link by which the recipient can confirm the email address and consent to receiving email from the sender.  Clicking the link should change the status to confirmed.

The same email should have a “this isn’t me” link; clicking the link would set the status to invalid.

No legitimate company should ever send email to an address with a status of invalid.  Whether to send anything other than the confirmation message to an unconfirmed address is a business decision, but I'd recommend against it in order to protect your customers' privacy.  It might be better to send another confirming email if there is further interaction with that particular customer.

The status of existing customers should be set to unconfirmed, or perhaps pending, and a confirming email sent when there is new activity on the account.
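The status workflow described above, as an added example that is not part of the original post: a small registry that holds the unconfirmed/confirmed/invalid (and optional pending) status per customer, sends exactly one confirmation message with a "confirm" link and a "this isn't me" link, and refuses to send anything else until the address is confirmed.  The link prefix, the seven-day token lifetime, and the injected send function are assumptions for illustration.

```python
import hmac
import secrets
import time

# Status values exactly as the post proposes; PENDING is the post's optional
# status for existing customers awaiting re-confirmation.
UNCONFIRMED, CONFIRMED, INVALID, PENDING = "unconfirmed", "confirmed", "invalid", "pending"
TOKEN_TTL_SECONDS = 7 * 24 * 3600   # assumed lifetime of a confirmation link


class EmailRegistry:
    """Tracks each customer's email status and enforces the send policy."""

    def __init__(self, send_mail, base_url="https://example.com/email", now=time.time):
        self._send = send_mail      # callable(to_address, body); injected so it can be a stub
        self._base = base_url       # hypothetical link prefix
        self._now = now             # clock, injectable so expiry can be tested
        self.records = {}           # customer_id -> dict(address, status, token, issued)

    def status(self, customer_id):
        return self.records[customer_id]["status"]

    def add_address(self, customer_id, address, initial_status=UNCONFIRMED):
        """Store a new (or changed) address as unconfirmed and send the confirmation mail."""
        token = secrets.token_urlsafe(32)   # unguessable, single-use
        self.records[customer_id] = {
            "address": address, "status": initial_status,
            "token": token, "issued": self._now(),
        }
        body = (
            "Thank you for providing your email address.\n"
            f"If this is you, confirm here: {self._base}/confirm?t={token}\n"
            f"If this isn't you, click here: {self._base}/reject?t={token}\n"
        )
        self._send(address, body)   # the only message an unconfirmed address receives
        return token

    def reconfirm_existing(self, customer_id):
        """On new account activity, move an existing customer to 'pending' and re-send the confirmation."""
        rec = self.records[customer_id]
        return self.add_address(customer_id, rec["address"], initial_status=PENDING)

    def _redeem(self, token):
        """Find the record holding an unexpired token (constant-time compare) and burn it."""
        for cid, rec in self.records.items():
            stored = rec["token"]
            if stored is None:
                continue
            if hmac.compare_digest(stored.encode(), token.encode()):
                rec["token"] = None          # single use, whether valid or expired
                if self._now() - rec["issued"] > TOKEN_TTL_SECONDS:
                    return None
                return cid
        return None

    def confirm(self, token):
        """Handler for the 'confirm' link."""
        cid = self._redeem(token)
        if cid is None:
            return False
        self.records[cid]["status"] = CONFIRMED
        return True

    def reject(self, token):
        """Handler for the 'this isn't me' link."""
        cid = self._redeem(token)
        if cid is None:
            return False
        self.records[cid]["status"] = INVALID
        return True

    def send_to(self, customer_id, body):
        """Deliver ordinary (possibly confidential) mail only to a confirmed address."""
        rec = self.records[customer_id]
        if rec["status"] != CONFIRMED:
            return False     # invalid: never; unconfirmed/pending: nothing but the confirmation
        self._send(rec["address"], body)
        return True


if __name__ == "__main__":
    outbox = []
    reg = EmailRegistry(lambda to, body: outbox.append((to, body)))
    tok = reg.add_address("cust-1", "someone@example.com")   # constructed sample address
    print(reg.send_to("cust-1", "Your itinerary"))   # False: not confirmed yet
    print(reg.confirm(tok), reg.status("cust-1"))    # True confirmed
    print(reg.send_to("cust-1", "Your itinerary"))   # True
```

The two design points worth copying are that the token is compared in constant time and burned on first use, so a guessed or replayed link does nothing, and that the only code path able to send anything other than the confirmation message checks for the confirmed status first.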

Well, then Why Not?

Companies that don't bother to do this are either spammers or they simply don't care about either the quality of their databases or the security of their customers.  That's especially true in the case of companies that send information that's even mildly confidential.

Sunday, August 11, 2019

Using a MikroTik cAP as a Home Wireless Access Point

My people have no tradition of proofreading.  —Ken White

Beware: if you follow these instructions and then expose your device to the Internet, it will be hacked immediately. The instructions that follow are for installing the cAP inside an already firewalled network.  You have been warned!

The MikroTik cAP

The MikroTik cAP is a very cool device.  It's about the size and shape of a smoke detector and can be easily ceiling-mounted in any location that you can reach with an Ethernet cable.  It's a PoE device, so the wall wart that powers it can be in a network closet, or, in my case, in the garage, where there's a UPS.  The trouble is, it's a router, running the full RouterOS product.  It's designed to be plugged directly into the ISP's interface device and be the only source of Internet where it's installed.  I wanted to use it as a wireless access point in a mostly-wired network, and there was the rub!

Initial Access

You will need a wireless device with a reasonable screen and keyboard, like a laptop.  Out of the box, the cAP's configurator is accessible only through the wireless interface.  That makes sense if the Ethernet interface is exposed to the wilds of the Internet, but it makes initial access hard.  The setup guide says you can associate with the cAP and it'll give you a compatible address via DHCP.  That didn't work for me.  Neither did MikroTik's Winbox software.

So, set your wireless device with a fixed address of, a gateway of, and no DNS.  Fire up the cAP and cause the laptop to associate with it.  Now you can open with a web browser and you will get the web interface.  If you make a configuration mistake, you can get back to this state by holding the reset switch of the cAP while powering on and for five seconds afterward, until the LED starts to flash.

Gather Information

I suggest assigning a fixed internal address to the cAP, so you'll need an IPv4 address that's not in your DHCP pool. You will also need your IPv4 netmask, the address of your default gateway, and the addresses of your DNS server(s).

If, at this point, these instructions "seem complicated" you have overextended yourself.  The cAP is not really a consumer device.  Return it and get a consumer AP.

Everything I read warned me not to mix changes to the Webfig interface with changes to the Quick Set interface.  I wasn't able to accomplish everything that way.  Here are the steps.

Set DNS: Click Webfig (top right) then, in the menu at the left, IP and then DNS.  Add the addresses of your DNS servers.  Click the down-triangle to add more addresses.  Click the "Apply" button.

Delete the firewall rules:  Still in Webfig and IP, click Firewall.  Delete all the rules except "drop invalid" and "special dummy rule to show fasttrack counters" by clicking the tiny minus-sign button before each rule.  This will allow future configuration through the Ethernet interface.  If you expose the Ethernet interface to the Internet, it will also enable hacking of your AP. 


Return to Quick Set by clicking the button at the top right.  Leave the pull-down at the top right set to "WISP AP," the default.  Set each of the following:

Network name:  This is the service set identifier (SSID) that the cAP will broadcast.

Set network security:  Check "wpa2" and "aes ccm" unless you have very old devices that need WPA or TKIP, in which case check those, too, and plan to replace the old devices!  In "WiFi password" put the preshared key.  It should be long but easy to type.  Four Dicewords will give almost 52 bits of entropy.  (Note that hacking this key requires physical proximity to the cAP.)

You can later set up a MAC access control list from the "Wireless" selection of Webfig if you like.

Set network parameters and admin password: Under "Configuration" select "bridge."

Under "Bridge" choose "Static" and fill in the IP address the router is to have, the netmask, and the default gateway.  DNS servers were set earlier.

Fill in the router administrative password twice.  (Make this a good one; an adversary who gets past the preshared key can then try to brute-force the administrative password.)  The two password fields will be replaced by a "Password" button after the password has been set and the configuration applied.

Apply the configuration: Click the "Apply configuration" button.  You will lose your connection to the router because its IPv4 address has been changed.  You can now remove the fixed address from your laptop and browse to the IP address you just set from a wired or wireless connection to your network.

Update the RouterOS Software

Return to the router, log in, and on the Quick Set screen, press the "Check for Updates" button.   If an update is offered, apply it by clicking the "Download&Upgrade" button.

Optimize WiFi Performance

Author 'gryzli' has written a guide for optimizing RouterOS WiFi performance.  He's absolutely right about the WiFi Analyzer app for your Android phone.

It is unfortunate that RouterOS uses frequencies rather than channel assignments.  Wikipedia has a list of channels and frequencies.

Copyright © 2019 by
Creative Commons License
Using a MikroTik cAP as a Home Wireless Access Point by Bob Brown is licensed under a
Creative Commons Attribution-ShareAlike 3.0 Unported License.

Sunday, July 28, 2019

Thoughts About Cloud Storage

There is no cloud, only a bunch of computers you don't own, run by people you don't know.  —Anonymous
My people have no tradition of proofreading.  —Ken White

TL;DR:  Cloud storage might be suitable for storing backups provided one can afford the storage space and bandwidth needed.  It is not suitable for storing the only copy of anything.  Data stored with a cloud service must be encrypted using strong encryption to protect it from disclosure.  Cloud resources must never be set up as an "always on" mapped drive.

Cloud Storage and How it is Used

Cloud computing, or cloud storage, isn't really just a bunch of computers you don't own.  It isn't just "on the Internet," either.  It's a lot of computers and some very clever software that, together, have six important characteristics:
  1. Self service:  When you establish a "cloud" account, there's no human intervention at the other end.  That's convenient because there's no waiting to set up an account, add storage, etc.  It's also crucial to keeping the cost down.
  2. Excellent network access:  A cloud provider might serve millions of subscribers and must provide sufficient speed and responsiveness to make the customer's connection be the bottleneck.
  3. Elastic scalability:  People can make new accounts, or decide to add hundreds of gigabytes to their storage allocation, and the infrastructure must deal with that.  (But, note that paying for 100 GB of storage doesn't mean 100 GB is immediately allocated to you; that doesn't happen until you use it.)
  4. Resource pooling: The necessary scalability is achieved by sharing massive resources among many subscribers.  For the big cloud providers, "many" means millions or tens of millions.  The principle of multi-tenancy means your data will share disk space and CPU cycles with that of many others.  It's up to that clever software to keep things separate.
  5. Redundancy:  The cloud provider will keep multiple copies of customers' data on different servers; failure of a single server, or even of several, will not compromise the data.  The really big cloud storage providers keep redundant copies across multiple data centers.
  6. Measured service:  This implements the principle of paying for what one uses.  Google will provide 15 GB free; beyond that, there's a charge.  For cloud storage, generally what's measured is storage used.  Other cloud services might also measure CPU seconds, transfer bandwidth used, or other resources.
With all of that, cloud storage might seem to be the perfect answer to limited storage and disk failures for consumers.  Not so fast.  We need to consider the way we use cloud storage, the properties of a secure system, and the causes, probabilities, and consequences of failure.

There are two ways one could use cloud storage: as primary storage and as backup storage.  When cloud storage is used for primary storage, the only copies of data are those "in the cloud." Failure of the cloud storage means irretrievably lost data.  If cloud storage is used for backup, the operational copy of data is stored elsewhere, usually on local drives.  Both the local storage and the cloud storage would have to fail to cause loss of data.

Cloud storage can also be used for file sharing.  Shared files are still either primary or backup, depending on whether another copy exists.

Security and Threats

The security of a system can be measured by three properties:
  1. Confidentiality is the condition that data have not been revealed to unauthorized people.
  2. Integrity means data has not been altered or destroyed.
  3. Availability means data can be used by authorized people when needed and with suitable response time.
To analyze the security of any system, we need to analyze the threats to the confidentiality, integrity, and availability of its data.  Broadly, those threats are disclosure, alteration, and denial.

I rate the risk of disclosure as high.  All major cloud storage providers scan uploaded files for contraband, specifically for child pornography.  Dropbox, and possibly others, scan shared files for material protected by copyright.  Even if you are absolutely certain you have no electronic contraband, a false positive could lead to law enforcement action.  Resource pooling and multi-tenancy mean one subscriber's data could be accessible to others in the event of a software error.  Poorly protected accounts, e.g. by weak passwords, could make data accessible to malicious outsiders.  Finally, a configuration error by the subscriber could share data not intended to be shared.

The risk of alteration is low; the nature of cloud storage protects the integrity of data.  An exception might be a configuration or software error that erroneously makes data shared and writable by others, or a malicious attack on a poorly protected account.

The risk of denial is medium.  Although redundancy and good network access mean that data will likely be available from the cloud provider, access also requires that the customer network be functioning.  Failure of the cloud provider's business could make data unavailable.  That need not be a financial failure; provider Megaupload was shuttered by United States law enforcement authorities and the stored data became permanently inaccessible.  Some cloud providers assert the right to remove files that violate their terms of service.  Finally, if a cloud drive is "mapped," that is set up to be viewed by the customer's operating system as a local resource, malicious software known as ransom-ware could render the contents inaccessible by encrypting the data.

Using cloud storage effectively

The consequences of disclosure, alteration, or denial could result in irrecoverable loss of data if cloud storage is used as primary storage.  Cloud storage must never be used for primary storage.

If cloud storage is used for backup, the consequences of alteration or denial are less severe; one is without backup until the situation is corrected.  However, denial caused by ransom-ware could make both primary storage and backup inaccessible.

For backup data, the consequences of disclosure are severe.  Even if disclosure does not lead to investigation by law enforcement, information in primary storage will be disclosed.  That could include financial user IDs, account numbers, and passwords, medical information, and other confidential data.  That leads to two conclusions:
  1. Cloud storage used for backup must never be "mapped" as a disk drive accessible to the operating system in order to protect it from malicious software.
  2. Backup data on cloud storage must be protected by strong encryption to protect against inadvertent disclosure and scanning by the cloud provider.

Other considerations

Encryption:  The only safe encryption is that for which you generated and hold the encryption key.  If the cloud provider holds the encryption key, you are trusting them not to unlock your data.  A strong encryption algorithm is needed; I recommend AES with a 128-bit key.  Suggestion: keep copies of the crypto key on two separate USB drives stored in different buildings; do not keep a copy on the system being backed up.
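What "encryption for which you generated and hold the key" looks like in practice, as an added example that is not part of the original post: each backup object is encrypted on the local machine with a 128-bit AES key in GCM mode before it is uploaded, so the provider only ever stores ciphertext, and the authentication tag means an altered or mislabeled blob is refused on restore instead of silently producing garbage.  The example assumes the third-party Python `cryptography` package; the object label, the JSON wrapper, and the sample backup content are constructed for illustration.

```python
import base64
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def generate_backup_key():
    """128-bit AES key, generated locally.  Keep it on two USB drives in
    different buildings, as the post suggests, never on the system being backed up."""
    return AESGCM.generate_key(bit_length=128)


def encrypt_for_upload(key, plaintext, label):
    """Encrypt one backup object before it leaves the machine.

    AES-GCM gives confidentiality plus an authentication tag, so whoever holds the
    blob (the provider, a scanner, a malicious outsider) can neither read it nor
    alter it undetected.  The label is authenticated but not encrypted, so a blob
    cannot be presented under a different name without the tag check failing.
    """
    nonce = os.urandom(12)   # 96-bit nonce; must be unique for every encryption under this key
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, label.encode())
    blob = {
        "label": label,
        "nonce": base64.b64encode(nonce).decode(),
        "ciphertext": base64.b64encode(ciphertext).decode(),
    }
    return json.dumps(blob)      # this string is all the cloud provider ever sees


def decrypt_from_cloud(key, blob_json):
    """Restore one object.  Returns the plaintext, or None if the key is wrong or
    the blob was altered, so a corrupt restore is refused rather than trusted."""
    blob = json.loads(blob_json)
    nonce = base64.b64decode(blob["nonce"])
    ciphertext = base64.b64decode(blob["ciphertext"])
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, blob["label"].encode())
    except InvalidTag:
        return None


def tamper(blob_json):
    """Simulate alteration while the object sits with the provider: flip one bit."""
    blob = json.loads(blob_json)
    raw = bytearray(base64.b64decode(blob["ciphertext"]))
    raw[0] ^= 0x01
    blob["ciphertext"] = base64.b64encode(bytes(raw)).decode()
    return json.dumps(blob)


if __name__ == "__main__":
    key = generate_backup_key()
    # constructed sample backup content
    blob = encrypt_for_upload(key, b"account=12345 password=hunter2", "2019-07-28/home.tar")
    print(decrypt_from_cloud(key, blob))                      # the plaintext comes back
    print(decrypt_from_cloud(key, tamper(blob)))              # None: alteration detected
    print(decrypt_from_cloud(generate_backup_key(), blob))    # None: wrong key
```

Because the key never goes to the provider, the confidentiality of the backup rests on your custody of those two USB drives, which is exactly the trade the post recommends.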

Storage size and cost: A 500 GB laptop drive will need at least 2 TB of backup space to do progressive backups.  That would be $50-75 if paid annually.

Bandwidth:  A 500 GB drive that's 60% full will take nearly a week to upload at DSL speeds and over 24 hours at 10 Mb.  A 15 GB progressive backup will take nearly 25 hours to upload at DSL speeds and almost four hours even with a 10 Mb connection.  To use cloud storage effectively for backups, you'll likely need a 50 Mb or faster Internet connection.

Account security: Use a strong password to protect your cloud account.  Choose a provider that offers two-factor authentication.  If possible, use a physical token like a YubiKey or an app that generates one-time passcodes; pass codes sent by text message are not secure because of SIM-swapping attacks.

Copyright © 2019 by Bob Brown

Creative Commons License
Thoughts About Cloud Storage by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 4.0 Unported License

Saturday, February 27, 2016

Avoid the Wretched Spammers at MailChimp

I've had the same email address for a long time, so it's gotten passed around.  It's also short, so people who think they're inventing an email address often hit on mine.  I get a lot of spam.

About half of it comes from MailChimp.  The people at MailChimp will tell you, "we help our customers comply with spam laws and best practices."  It's not true.  They're spammers.

To understand that, we first need to define spam.  I like the definition from  Spam is unsolicited bulk email.  Bulk email is OK; I subscribe to several mailing lists.  They send bulk email, and I get it because I want it.  Unsolicited email is OK... in fact, it's even normal.  An old friend recently sent me email inviting me to lunch.  Great!  It was unsolicited, but I was happy to get it.

It's Spam, Jim!

Email is spam when it is both bulk and unsolicited.  In the case of bulk mail, "unsolicited" means "the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent."  Those words are from Spamhaus, and I couldn't say it any better.  It's about consent.  "Verifiably granted" means what is sometimes called the double-opt-in.  The emailer sends you a message that says, in effect, "Thank you for signing up for our stuff.  Click here to validate your email address."  That is verifiable.  That is what MailChimp doesn't do.

Don't Get Tarred with MailChimp's Reputation

If you are thinking of email marketing and you're thinking of hiring help, be careful not to get tarred with the reputation of a spammer.  If people get spam from you, they'll naturally and correctly think you're sleazy.  That's what will happen if you hire MailChimp.  They send from several domain names, and every time I find one, I block it on my home email server.  That mail "bounces;" it gets rejected without being delivered at all.

I also have an email address with one of the big, public email providers.  I haven't figured out how to block entire domains there, but I do block the individual spammers, one by one.  Their future messages get received and go into my spam folder.  The sender paid MailChimp to send that message, but I never saw it.  Don't let that happen to you!

"Just Unsubscribe"

I feel no obligation to "unsubscribe" from anything to which I didn't subscribe in the first place.  In fact, I see a great advantage in not unsubscribing.  It makes the sender's email campaign that much more expensive because the sender pays for those messages that go into my spam folder.  Don't let that happen to you.  I feel no obligation to make spamming cheaper or more cost effective.  Besides, unsubscribing just confirms that the email address works.

Be Like Me

When you get spam, block the sending domain entirely.  If you can't block the domain, block the specific sender.  Only unsubscribe if you cannot block domain or sender.  Spam works because it's cheap.  Help make it more expensive.  And never, ever, buy anything from a spammer.  Read what Spamhaus says about unsubscribing.  Remember, it's spam if it's both bulk and unsolicited.

Sunday, December 7, 2014

About PGP Signatures

My people have no tradition of proofreading.  —Ken White

I started attaching PGP digital signatures to my work email a few months ago.  That's kind-of an appropriate thing for me to do since I'm a teacher of computer security.  For many people, that signature is just a mysterious hunk of garbled letters either appended to the email message or sent as an attachment.  Such a signature looks like this:

Version: GnuPG v2.0.22 (MingW32)


Ewww... that's ugly! But why?

A PGP Digital Signature Authenticates the Message

When people get email, they naturally assume that the name on the From: line is the sender of the message, especially if it's someone they know and with whom they communicate frequently.  Unhappily, that doesn't have to be true; it is trivially easy to forge a sender's identity in email.  The PGP digital signature provides strong evidence that the message is actually from the purported sender and that it hasn't been tampered with in transit.

How Does it Work?

The PGP digital signature depends on two cryptographic technologies, cryptographic hash functions and public key cryptography.   A cryptographic hash function produces a "fingerprint" for a message.  The text of the message is input to a computer program that computes the hash code, called a "digest."  Every possible message probably has a unique digest, and even a tiny change in the message would change the computed digest dramatically.  Why is it called "hash?"  Look at the example above!

Public key cryptography uses two keys called public and private.  The public key is widely available, often published on a key server like the OpenPGP key server.  If you know someone's email address and they have a PGP key pair, you can probably find their public key easily.  A very useful feature of PGP keys is that they are cryptographic inverses of one another.  If you encrypt a message using my public key, it can only be decrypted with my private key.  If I've carefully kept my private key, um, private, only I will be able to decrypt the message.  It works the other way, too.  If I encrypt a message using my private key, which only I have, anyone can get my public key and decrypt the message, but I'm the only one who could have encrypted it because only I have the private key.  So, a message encrypted with my private key is digitally signed.

My email program generates a PGP signature by first computing a cryptographic hash digest from the message, then by encrypting the digest using my private key.  The recipient can use my public key to decrypt the digest.  If the rest of the process works, the message could only have come from me because only I have the corresponding private key.  The recipient then computes a new digest from the message using the same cryptographic hash algorithm.  The newly-computed digest is compared to the decrypted digest.  If they're the same, the decryption worked and the message hasn't been tampered with because tampering would have caused the newly-computed digest to be different.

I wrote that a valid PGP signature "provides strong evidence that the message is actually from the purported sender and that it hasn't been tampered with in transit."  How strong?  The main consideration is whether the sender has kept his private key truly private.  Anyone with a copy of my private key can sign a message that will appear to come from me.  You also have to trust that neither the cryptographic hash algorithm nor the public key algorithm has a flaw that can be exploited.  Modern cryptographic algorithms are strong enough to make the cryptographic safety of PGP signatures a good bet.

What is PGP, Anyway?

PGP stands for "Pretty Good Privacy," invented by Phil Zimmermann to allow exchange of secure (confidential) and authenticated messages.  Zimmermann's original PGP ran into patent problems and Zimmermann himself was the subject of a long criminal investigation for "exporting munitions," namely cryptographic algorithms.  (The FBI, CIA, NSA, TSA, DHS, DoJ and every other three-letter agency known to man hate encryption because it makes dragnet surveillance and casual snooping very difficult.  With that said, I cannot emphasize too strongly that, in the United States, there is nothing illegal about using encryption.)

I'm actually using Gnu Privacy Guard, or GPG, an open source implementation of the OpenPGP standard, along with the Enigmail plugin for the Thunderbird email program.

What About Snooping?

A digital signature doesn't do anything to protect the confidentiality of a message.  To do that, one must encrypt the message itself.  It's easy to do, and if you start sending me encrypted email, I'll be sure my replies are encrypted.  That way, even the NSA won't know what kind of pizza we're planning to have.  See the articles below for instructions.

Want to Know More?

I've written a series of three articles on using and understanding encryption:
There's also plenty of information in the links above. Knock your socks off!

Too Long; Didn't Read

The XKCD comic, which everyone who does anything with technology ought to read, explains PGP digital signatures this way.

You have to actually validate the digital signature, not just check that it's present to be certain.  But really, if the signature is there, odds are good that it will validate, and if you have any doubts, you can validate and be sure.  How?  See Using Encrypted Email.

Copyright © 2014 by Bob Brown

Creative Commons License
About PGP Signatures by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Wednesday, August 27, 2014

A Note on Card Safety

My people have no tradition of proofreading.  —Ken White

There's been a lot in the news lately about malicious software invading stores' computer systems and stealing credit and debit card numbers.  A couple of people have asked me about how to be safe using credit and debit cards.  I wrote a big long piece about that.  After I read it, I decided it was mostly useless.  It can be boiled down to three rules:
  • Use your credit card sparingly,
  • Use your debit card almost not at all, and,
  • Check your accounts frequently.
Using your cards sparingly minimizes attack opportunity.  It is true that big, national organizations like Target and Neiman-Marcus have been compromised but it is also true that smaller organizations are often easier targets for the bad guys.  Each time you use that card, you potentially expose it to theft.  If you use a card for fast food or sundry purchases a dozen times a week, you've potentially exposed it a dozen times a week.  It really won't hurt you to carry some cash and make those small purchases with cash.  If you're worried about getting mugged, ask yourself how often that has happened and set the amount of cash accordingly.  Also, remember that not having cash won't keep you from getting mugged; it'll only limit your loss.  If you're worried about losing your wallet, remember where you keep those credit cards!

I carry about a hundred dollars and pay for nearly every small purchase with cash.

If you decide to use a card, and you have a choice, use a credit card, not a debit card.  If you use a credit card and become the victim of fraud, it's the card company's money that's tied up.  If you use a debit card, it's your money that is gone.  A $5,000 fraud on a credit card is bad because you'll have to wrangle with the card company about whether you have to pay that fraudulent charge.  A $5,000 fraud on your debit card is much worse because it's your money, not theirs, that's been stolen.  You will probably eventually get most of it back if the fraud is reported promptly, but while you are dealing with your bank, that money is not available to do things like buy food or pay your mortgage.

I use my debit card in exactly two places: my bank's teller machine and a store that gives me a discount for debit but not credit.  So, those are my only two potential exposures to fraud.

Speaking of teller machines, there's a threat other than malicious software.  It's the "skimmer," a device that attaches to a teller machine or credit card reader like those on gas pumps.  The card gets read twice, once by the skimmer and once by the real device.  So, your transaction works, but the bad guys now have the numbers, too.  You guard against skimmers by using the same teller machines, gas pumps, etc. as often as possible and noticing what they look like.  If something looks funny when you visit, go elsewhere and then check with your bank.

If your card number is used for fraud, the sooner it's reported, the sooner it can be stopped.  Early detection lets you limit the damage.  These days, we can check our accounts on line in seconds.  You should check every account at least weekly, and your debit card account daily.  It's especially important to keep an eye on that debit card.  Federal law limits your liability to $50 for fraud reported within two days.  After that, it's $500 until 60 days, then unlimited! (If you have so many cards that checking would be hard, you have too many cards!)

Reduce opportunity for fraud by minimizing your use of cards and reduce your personal exposure by using credit cards, not debit cards.  If fraud occurs, find it early by checking your statements regularly.

Copyright © 2014 by Bob Brown

Creative Commons License
A Note on Card Safety by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Monday, June 23, 2014

Hack Your WiFi Password? Easy!

My people have no tradition of proofreading.  —Ken White

Using free WiFi?  Here's something to watch for: If you have a wireless router, you know you can set it up to broadcast any name you want. (Mine is "emorycottage.")

If you have service from AT&T or Comcast you know they're promoting their free WiFi hotspots like crazy.

Well, the Bad Guys have discovered this, and place wireless routers that broadcast names of "attwifi" or "xfinitywifi" in likely places. If your phone is set up to associate with such a hotspot automagically, it will connect to the evil hotspot.  If the attackers spoof a login screen, you could transmit your AT&T or Comcast password to the operators of the evil hotspot.  Even if there's no login, you're on a network you think you can trust, but you can't.

What to do? Don't allow your gear to connect automatically. Consider where you are if your gear asks for permission to connect, and never, ever use your carrier's WiFi password for anything else. Especially not for your email account, because if the Bad Guys can take over your email, they can probably reset your passwords for other accounts... like your bank.

Copyright © 2014 by Bob Brown

Creative Commons License
Hack Your WiFi Password?  Easy! by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.