ikawnoclastic thoughts

Facebook Security: Use One-Time Passwords to Keep Bad Guys Out

October 23rd, 2012
Some Facebook users access Facebook using a variety of computers, some of which they do not own. If you are at the library and want to ask a question of your teacher or fellow students, you can use a library computer to log into Facebook and ask your question. If you are visiting a friend’s house and want to share a photo you just took with your friends on Facebook, you can log into your Facebook account and upload the photo. You may just be hanging out at a cafe and want to check into Facebook to see what’s going on. You can use the cafe’s computer to check in at Facebook. But have you thought about that computer on which you are logging into Facebook?

Not every computer is safe to use. Personal computers are the targets of spammers and attackers and are often hosts to malicious software. Malware known as “keystroke loggers” can record every character you type on the keyboard, including all of the ones for your online account usernames and passwords. Once collected, those usernames and passwords can be used to access your online accounts without your permission, and perhaps without your knowledge. Keystroke loggers and other malicious software can be “installed” by deceiving the user or using vulnerabilities in software on the computer. Users can be tricked into installing software that appears to be legitimate but is not. Other types target and exploit weaknesses in the software of the web browser, an extension or plugin, or even the operating system itself.

One-time passwords are a way of authenticating yourself to a system through the use of a single-use secret that is specific to you and may have a limited time period of validity. In other words, you have two passwords. One that you know. One that is generated for you or sent to you. You have to have both passwords to log in. Some one-time password systems involve the creation of one-time passwords through a software tool, having a printed list of passwords that you carry with you, or a small hardware device that displays a new series of numbers every minute.

Facebook’s one-time password system uses your mobile phone and its text message capabilities. When you need to log into Facebook on a public computer or someone else’s, you send a text message to Facebook and within a minute or so you will receive a message back with a six-digit number, which is your one-time password. This password is valid for twenty minutes. In order to use the Facebook one-time password system, you will need to register and verify your mobile phone with Facebook first. This is necessary to prove that you are the owner of the phone number for your mobile phone.

Facebook also added the ability to generate the one-time password using the Facebook Mobile App. I’ll cover that App in a future article.

Enabling One-time Passwords

Setting up your Facebook Account to use the Facebook One-time Password system requires that you have a registered mobile phone with Facebook. I cover registering your mobile phone in another article. Once you have that configured, you can request one-time passwords from Facebook when you need to log into a computer that you do not own.

Requesting a One-time Password

Here is how to request a one-time password to log into Facebook from a public computer or someone else’s computer:
1. Use your registered mobile phone and send a text message with the message “otp” to 32665 (“FBOOK”), which is the SMS short code for Facebook. Within a minute or so, you should receive a text message in reply with a one-time password.
  The One-time Password you receive should be entered into the Password field instead of your password.
2. Go to the Facebook login page. Enter your Facebook email account username and the 6-digit one-time password into the password field. If you entered everything correctly and within the twenty minute time period, you should be logged into Facebook.
One-time Passwords Considerations

One-time passwords reduce the likelihood that your Facebook password will be captured by spammers or attackers, but there are some things to keep in mind.
1. Any computer can be untrustworthy, including your own. Your best defense is to make sure your computer has the latest software updates installed and that your anti-virus software is updating daily and scanning the system regularly. Always install the updates when prompted and enable auto-updates, if available. Does this mean that you should use one-time passwords on your own computer? The answer might be “yes” if you have not applied updates in a while or have no anti-virus software installed.
2. Sometimes the Facebook One-time Password system may not send a response quickly after you request a one-time password. Be patient. They usually arrive within a minute.
3. The one-time passwords that you receive from Facebook over SMS are valid for twenty minutes. If you request one and are not able to log in before the twenty minutes are up, just request another one.
Resources

Check our guide: Own Your Space, “A Guide to Facebook Security”

Facebook Extra Security Features
Facebook Security: Register Your Mobile Phone to Use Advanced Security Features

October 22nd, 2012
Facebook has added several security features to keep your account safe from attackers and spammers. Some of these features use your mobile phone to alert you about activity on your account and to request and receive security codes to log into your Facebook account. Facebook One-time Passwords allow you to request a unique code to log into your account from untrusted public or borrowed computers. This system protects your account because you need your account password and a code that is sent to your phone. Facebook Login Approvals send codes to your mobile phone when you log into your Facebook account from a computer that you have not used before. Facebook Login Notifications alert you when your account is accessed from a computer have not used before. All of these advanced Facebook security features take advantage of a device that you are likely to be carrying nearly all of the time. Mobile phones are a quick way for Facebook to notify you about login activities on your account and to give you access to your account when you are using a different computer.

To use these features, you need to register your mobile phone with Facebook. By registering, you confirm that you are the owner of the phone. The registration process is designed to ensure that you have the phone in your possession. This is accomplished by having you send a brief message to Facebook’s text messaging number. Once you do, you will receive a reply text message with a code that you then enter into mobile phone configuration on Facebook’s web site.
Registering Your Mobile Phone

Here is how to register your mobile phone with Facebook.
1. Click on the “triangle” drop-down menu in the upper right portion of the Facebook page.
2. Select “Account Settings”. A new page will open.
3. On the upper left portion of the Facebook page you will see a tab called “Mobile” with a mobile phone icon next to it. Click on it.
  Facebook Mobile Settings configuration in Account Settings.
4. If you have not added a phone before, there will be a green button that says “Add a Phone”. Click on it. (If you have registered your phone, you can see the details about your currently registered phone.)
5. A small window will open. You need to select your country and mobile carrier. Once you have made your selections, choose “Next”.
6. Pick up your mobile phone and send the letter “F” to 32665 (“FBOOK”), which is the SMS short code for Facebook. Within a minute or so you should receive a confirmation code in a text message reply.
  Facebook Mobile Settings configuration window to enter the confirmation code you receive.
7. Go back to the Facebook web page and enter the confirmation code that you received. If all goes well, you have now confirmed that you are the owner of the phone.
8. You can configure various settings associated with your phone from the “Mobile Settings” tab.
Mobile Phone Considerations

Registering your mobile phone with Facebook will help you to protect your Facebook account. There are some things to remember if you decide to use your mobile phone with Facebook for the advanced security features.
1. You will be sending and receiving text messages with your mobile phone. Make sure that you aware of the costs of these messages. If you have a large number of messages available per month or an unlimited plan, then you should have no issues.
2. If someone borrows or steals your mobile phone, they can request a one-time password to gain access to your Facebook account. This assumes they know the email address you use to log into Facebook. Prevent someone from using your phone without permission by enabling a lock screen on your phone.
3. If you loose your mobile phone, you should remove that phone from Facebook’s Mobile Settings configuration to prevent a thief from accessing your account with one-time passwords and accessing other Facebook services through text messaging.
4. If you replace your mobile phone with a new one in the future, you will need to update your mobile phone settings in Facebook.
Resources

Check our guide: Own Your Space, “A Guide to Facebook Security”

Facebook Extra Security Features
Facebook Security: Use Secure Browsing to Keep your Facebook Session Safe

October 22nd, 2012
UPDATE (November 26, 2012): Facebook has started rolling out HTTPS by default for all users. More information was released in a November 14, 2012 Platform Update on the Developer Blog.

In October 2010, Eric Butler demonstrated a problem with open networks. It’s easy to capture network data and steal authentication credentials (a “cookie”) from other wireless users. It’s especially easy to do on open wireless networks. So easy, that Eric created a simple Mozilla Firefox plugin for everyone to try called Firesheep. Using this simple tool, anyone could grab the cookie that allowed an authenticated user to browse their private web pages from sites like Twitter and Facebook. Very easy.

In response, Facebook and many other sites provided a security feature to prevent Firesheep and similar tools from working. They now provide the option to encrypt your entire session over the Secure Socket Layer or SSL. This is also referred to as “https”. When your session is encrypted, other network users cannot see the data you send and receive. You also guaranteed to be communicating with a legitimate Facebook server because SSL provides server authentication as well. On Facebook, this advanced security feature is called “Secure Browsing”.

Enabling Secure Browsing

It is a good idea to enable this feature. Here is how you do that:
1. Click on the “triangle” drop-down menu in the upper right portion of the Facebook page.
2. Select “Account Settings”. A new page will open.
3. On the upper left portion of the Facebook page you will see a tab called “Security” with a gold badge next to it. Click on it.
4. A list of security settings are presented. Look for “Secure Browsing” and click on it.
5. The option to enable Secure Browsing will slide down. Select “Browse Facebook on a secure connection (https) when possible” and click the “Save Changes” button.
6. Reload the Facebook pages you have open. You should now be able to verify in your web browser that the connection is encrypted to prevent eavesdropping.
The Facebook account settings page showing that Secure Browsing is enabled.

Once you have Secure Browsing enabled, you’ll notice that your web browser location bar will change. It will display a lock indicating that the site uses SSL.

Google Chrome Location Bar showing a lock symbol for Facebook.

Secure Browsing Considerations

There are many advantages to using Facebook Secure Browsing and no significant disadvantages. Once enabled, you no longer have to worry as much about your information being captured over the network, having your account compromised through session hijacking, and that you are connected to a legitimate Facebook server through server authentication. Facebook also now requires all third-party developers to provide SSL-enabled Apps through the Facebook platform. This means that the Facebook Apps you use are exchanging your information over an encrypted communications channel using SSL. One common complaint is that using SSL is slow. Most modern computers and laptops are so fast that there is literally no noticeable delay when using Secure Browsing. Facebook and other services also use very fast servers that can crunch through the cryptographic operations quickly too. You should see no delay that can be traced to Secure Browsing.

Just remember that you can be fooled. Periodically check your web browser location bar for the lock symbol. Some attackers create fake web sites (called “phishing” sites) to capture usernames and passwords by tricking users into thinking they are using the correct web site. If the lock is not present, then your information is not private and may have been compromised. If in doubt, return to the real Facebook URL.

Resources

Check our guide: Own Your Space, “A Guide to Facebook Security”

Facebook Extra Security Features
Purdue 2012 National Cybersecurity Awareness Month

October 20th, 2012

Purdue CISO David Shaw

Professor Eugene H. Spafford

Professor Lorraine Kisselburgh

On October 5th, 2012, Purdue held a local online security, privacy, and safety event on campus for the National Cybersecurity Awareness Month. The cybersecurity awareness event program included many local information security experts at Purdue and from the Greater Lafayette area. I had the honor and pleasure of working with Cherry Delaney of ITaP to put the program together and invite our distinguished speakers.

Morning Program

I was thrilled with our line-up of experts from the Purdue community in the morning program. Executive Directory of CERIAS and Computer Science Professor Eugene H. Spafford (@TheRealSpaf) gave the keynote address. Purdue CISO David Shaw (@Info_Sec_Pro), as a new Purdue staff member, provided some insights into his vision for information security and outlined the next steps in advancing information security at Purdue. Next, we had a panel discussion on “The Promise and Peril of Social Media”. This was exciting for me because I came up with the topic and got to moderate the discussion. Professor Lorraine Kisselburgh (Brian Lamb School of Communication), Kyle Bowen (@kyledbowen, Director of Informatics), Professor Spafford, and Mr. Shaw were our panelists.

But don’t just take my word for it. Watch the recording. Note: I am the guy introducing Professor Spafford and moderating the panel.

Afternoon Program

In the afternoon, we split into two tracks. One on security awareness. The other focused on technical topics.

Technical Track

The technical track consisted of talks on intrusion detection, incident response, and auditing tools. These talks were geared for a more technical audience. Matt Jonkman, CTO at Emerging Threats Pro based in Lafayette, talked about Suricata. It is an open source, multi-threaded intrusion detection engine. Doug Couch and Nathan Heck, security engineers at ITaP, talked about the Purdue incident response process. George Bailey, security technical operations manager at Purdue Healthcare Advisors, and Josh Gillam, an IT auditor with Purdue Internal Audit, talked about using nmap, CIScat, and Metasploit to assess system and network security.

The technical track was recorded.

Awareness Track

The awareness track focused on a higher level presentation of information that would be useful to a general audience. These talks were designed to inform people about risks as well as Purdue policies, Indiana state laws, and federal laws related to the protection of sensitive information. I did a presentation on social media security and privacy. I covered some risks associated with information sharing, social networking, and location-based services. Dr. Peter Dunn, the Associate VP for Research, talked about Purdue policies and federal laws on sensitive and restricted research. Joan Vaughan, the Purdue HIPPA Privacy Officer, talked about HIPAA-related rules for researchers using electronic patient health information (EPHI). Greg Barnes, an information security analyst at ITaP, talked about best practices for researchers that have control of sensitive research data. Finally, Mike Hill and Preston Wiley from the Center for Regulatory and Environmental Information Systems (CERIS) talked about mobile devices security. They also demonstrated remote wipe for Apple iOS devices.

The awareness track was not recorded.

Resources

Panel discusses promise, peril of social networking, offers security tips by Andrea Thomas, ITaP News

Purdue 2012 National Cybersecurity Awareness Month program (morning video, afternoon video)