Friday, 20 March 2015

Understanding Online Security

Online Security

How are you protected when you're on the web?

Although security is an issue many of us are very concerned about, there are a lot of ways you can make your online life more secure that you may not be aware of. From device-secured password authentication to always-encrypted traffic to file integrity verification, the protocols and software exist to help make everything you do that much less vulnerable to interception and attack. If you're not using at least some of these, then you should be!


Two-Factor Authentication


Sometimes called 'two-step authentication', two-factor authentication is designed to make logging into a secure account more difficult than simply stealing the login credentials. It accomplishes this by requiring an additional step of verification - a second factor - without which the username and password alone are not sufficient.

Perhaps the most common form of two-factor authentication is your bank card. You need both the physical card and the PIN number to withdraw money from a cashpoint, and without both, the verification process cannot be completed. Secure VPN services often have similar requirements, needing both the correct login credentials and a code generated by a secure hardware token issued beforehand.

Many two-factor processes use a mobile phone as part of their procedure, since it's something that the owner is likely to have access to at all times. When a login process is initiated, the website will check whether the device or location it originates from has been previously authorised, and if it hasn't, it will send a message to the mobile phone (either by sending a verification number by SMS or by contacting an app on the device), which the user must then respond to on the website. If the person trying to log in doesn't have the phone, the second factor of authentication cannot be completed, and the login will fail - even if the username and password are correct!

The only major drawback of this method is that if the user becomes separated from their second-factor device - for example, if a phone is stolen or the battery runs out - then they would have to return to a trusted device to access and administer their account, which may not be convenient. Most systems get around this by providing single-use access codes, which can be used for verification in emergencies, though these must obviously be stored somewhere apart from the second-factor device so they remain accessible as well!

Although two-factor authentication isn't perfect, it is significantly stronger than a single username/password combination at the cost of only a little usability. It also has the advantage of alerting you if someone tries to use your username and password without permission. If you receive a request for authentication that you didn't ask for, you'll know someone tried to enter your username and password in an unauthorised location, and that in itself can act as a warning to change your login details! Not all services support two-factor authentication, but it's highly recommended that you enable it on those that do - particularly your email account.

One-Time Passwords


Similar to two-factor authentication, a one-time password (OTP) is, as the name suggests, a password that is valid only once. OTPs avoid a number of problems associated with the traditional form of password use and are often deployed alongside two-factor authentication to shore up the security further. It's almost impossible to steal an OTP because once it's been used, it becomes invalid.

Like two-factor authentication, OTPs are often distributed to a phone or other hardware token, though they can also be issued through a web service. Crucially, OTPs can be issued alongside existing passwords to provide an extra means to log into a service if you're worried about your main credentials being stolen or intercepted.

At present, OTPs are most often used to create app-specific passwords for third-party software and devices that may log into sensitive accounts. Rather than risk allowing your username and password to be stolen by an attack on a third-party app or system, services can issue a one-time password to authenticate the device once without the need to disclose the true password. The OTP can only be generated by someone who already has the correct login credentials available, so it's guaranteed to be secure even if the system it's used on isn't.

The downside of OTPs is that they tend to be long and random, which makes them hard for users to input and remember even for the short periods of time necessary. If the generating algorithm is flawed or stolen, it may also be possible for attackers to develop their own valid OTP.

But if you want additional security, it's worth investigating the use of OTPs. Many services employ them to verify apps on tablets and smartphones. Most notably, Google may require that you use app-specific one-time passwords when linking up your phone and email account. An additional benefit of this is that you can later revoke access, so if your phone is stolen, you can log in and disable the OTP so the thief is unable to read your emails without you having to change your main password - which is obviously a huge inconvenience!
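The single-use and revocation behaviour described in this section, sketched as an added example (it is not code from Google or any other service mentioned here). The class `OneTimeCodeStore`, its method names and the device label are hypothetical.

```python
import hashlib
import hmac
import secrets


def _digest(value):
    """SHA-256 hex digest, so the store never keeps a usable secret."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class OneTimeCodeStore:
    """Hypothetical server-side store for single-use device codes."""

    def __init__(self):
        self._pending = {}   # device label -> digest of a code not yet used
        self._sessions = {}  # device label -> digest of the token it was granted

    def issue(self, label):
        """Create a random code for a device; call only after a full login."""
        code = secrets.token_hex(8)  # 16 hex characters from the OS CSPRNG
        self._pending[label] = _digest(code)
        return code

    def redeem(self, label, candidate):
        """Swap a valid code for a session token; None on any failure."""
        stored = self._pending.get(label)
        # Constant-time comparison avoids leaking how much of the code matched.
        if stored is None or not hmac.compare_digest(stored, _digest(candidate)):
            return None
        del self._pending[label]  # burn the code so a replay fails
        token = secrets.token_urlsafe(32)
        self._sessions[label] = _digest(token)
        return token

    def is_authorised(self, label, token):
        """Check the token a device presents on later requests."""
        stored = self._sessions.get(label)
        return stored is not None and hmac.compare_digest(stored, _digest(token))

    def revoke(self, label):
        """Cut off one device (lost phone) without touching the main password."""
        had_code = self._pending.pop(label, None) is not None
        had_session = self._sessions.pop(label, None) is not None
        return had_code or had_session
```

A production service would also rate-limit failed `redeem` attempts and expire unused codes after a short time.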

PGP


A form of encryption designed for personal use, PGP (Pretty Good Privacy) is bound to individuals so recipients can verify and authenticate correspondence. If a PGP signed email is valid, you know it came from the person it purports to have come from, and you can decrypt the key to ensure that the content has not been tampered with.

Although originally free, use of PGP's software now requires a small commercial fee, but it remains the most popular email verification standard, having been in wide use since 1991. The system uses a public key, which is available to everyone, and a private key known only to a user. When you send a message, you use the recipient’s public key, and when they receive it, they use their private key to decrypt it. Sometimes emails include both the encrypted and unencrypted form, so non-PGP users can still read the email, but PGP users can verify the content and sender of the message if they wish.

To use PGP, you have to download and install some PGP software, which can be delivered in the form of a browser plug-in, mail-client extension or standalone application. The software should take you through the process of acquiring and registering your public key and dispense a private key for you to use.

Although Symantec currently owns PGP and has discontinued freeware versions, similar non-proprietary versions of the technology exist. OpenPGP is an open-source implementation of PGP, which is available for free and which is natively supported by several existing email services.

As well as being used for authentication, PGP-encrypted emails are useful for sending sensitive information, such as passwords or personal information that might be useful for identity theft if intercepted. In an ideal world, all emails would incorporate a form of PGP, which would prevent phishing, mistaken identity, spam masquerading as genuine correspondence and forged emails. Unfortunately, the effort of converting everyone to PGP is rather more than would make this possible, but at least the tool is there for those who want to use it.

MD5


A form of checksum, MD5 (message-digest 5) is a cryptographic hash, which produces a 32-digit hexadecimal string that is effectively unique to the input. The output can therefore be used to verify whether a file has been tampered with or not. The original creator or uploader can supply the MD5sum of a safe copy, and the downloader can test their copy to check that the MD5sum output is the same. If it isn't, the file has been altered in some undisclosed way, and while it isn't necessarily a problem (the download may simply have not completed properly), it can imply malicious practices. At the very least it's an indication to download it again from another source.

Checking an MD5sum isn't difficult, but most versions of Windows don't provide the tools to do this as standard. Windows users will need to download a tool such as WinMD5 Free (available from www.winmd5.com), which is able to calculate MD5sums and test existing ones against a file.

It's worth noting that while it remains in common use, MD5 has been repeatedly broken, and it's possible for hackers to produce MD5 'collisions', in which two different files create the same output. Therefore, MD5 should never be the sole test for whether a file is unaltered, but it can be an effective proof that it has been. Many government agencies now require that encryption is tested using the more recent SHA-2 algorithm, but MD5 remains in common use across the internet and is still a valid tool.
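The download check described above, as an added example (not taken from WinMD5 Free or any other tool named here). It accepts either an MD5 or a SHA-256 checksum, choosing the algorithm from the length of the published string; the function names and the sample file contents are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm, so a published checksum selects its own hash.
ALGORITHM_BY_HEX_LENGTH = {32: "md5", 64: "sha256"}


def file_digest(path, algorithm):
    """Hash a file in 64 KiB chunks so large downloads need little memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published):
    """Return (algorithm, matches) for a publisher-supplied hex checksum."""
    published = published.strip().lower()
    algorithm = ALGORITHM_BY_HEX_LENGTH.get(len(published))
    if algorithm is None or any(c not in "0123456789abcdef" for c in published):
        raise ValueError("not an MD5 or SHA-256 hex digest")
    # A mismatch proves the file differs; an MD5 match alone is weaker evidence.
    return algorithm, hmac.compare_digest(file_digest(path, algorithm), published)


def demo():
    """Constructed sample: verify a temp file, then append a byte and re-check."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample download\n")
        path = f.name
    try:
        good_md5 = file_digest(path, "md5")
        good_sha = file_digest(path, "sha256")
        before = verify_download(path, good_md5)
        with open(path, "ab") as f:
            f.write(b"!")  # simulate tampering or a corrupted transfer
        after = (verify_download(path, good_md5), verify_download(path, good_sha))
        return before, after
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```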

Traffic Encryption


Traffic encryption has become a big topic of late, particularly in the wake of surveillance scandals over the last year or two. Many browsers and companies have switched to using the HTTPS (secure HTTP) standard by default, but some other, more robust protocols exist that you can use to protect your traffic.

Transport Layer Security, sometimes called 'Transport Level Encryption', is a protocol designed to ensure that all communications between online services and their users are encrypted and therefore resistant to tampering and eavesdropping. It is, in effect, a successor to the Secure Sockets Layer (SSL), which allows communications to be secure when sensitive material is being sent, such as credit card details or passwords. The goal of TLS is to ensure that all communications receive the same high level of security.

TLS is composed of two parts: the TLS Record Protocol and the TLS Handshake Protocol. The former provides security for connections but can also be used without encryption, while the latter allows servers and clients to authenticate one another securely over a connection, establishing which algorithm and cryptographic keys will be used before exchanging any actual data.

Although TLS has not been fully implemented in major browsers, there are alternatives available. TCPcrypt is an extension to the existing TCP network protocol, which is in the experimental stage, but software implementations do exist for most operating systems. The encryption is 'opportunistic', which means if either side doesn't support the TCPcrypt protocol, then it will revert back to regular TCP.

TCPcrypt works using unique session IDs as keys and adds a small 36-byte overhead to each data packet, which is negligible for broadband connections. The performance impact is lower than TLS and SSL because authentication is provided by individual applications, rather than on the transport level. You can download the software to implement TCPcrypt on your system from tcpcrypt.org.

VPNs


Along similar lines, it's possible to use a VPN (virtual private network) to encrypt your traffic, which is particularly useful if you're using a public wi-fi connection and want to make sure your data is secure. VPNs create an encrypted 'tunnel' to a trusted third-party server, ensuring your traffic can't be intercepted along the way. That server then handles your requests and serves them back to you over the tunnel.

Although this isn't a fully secure system (the unencrypted traffic might be intercepted after it reaches the VPN server), it does ensure that traffic is difficult to intercept locally and certainly not by simple means.

Setting up a VPN is a relatively simple matter, but the resources involved in running one mean that it's rarely free. There are many web-based VPN companies that charge a small fee for easy access, but watch out for limitations on things like bandwidth and protocol.

If you feel capable, it's possible to set up your own VPN server using Windows, though you will need to ensure that it's secure - the port it runs on will be open to the internet and therefore vulnerable to hacking, so a strong password is essential, and it's also worth choosing a non-standard port to run it on. Having your own VPN does have other advantages; you'll be able to access your desktop system and local network without being in the house, for example, but so would anyone else who manages to crack your password, so take care!