What’s up with TrueCrypt?

TrueCrypt is a free encryption application that runs on Windows, Mac OS, and other platforms. I’ve suggested its use before to aid lawyers in securing data stored in various cloud services. Heck, there’s even an iOS app that can open TrueCrypt vaults, Disk Decipher.

Recently, though, TrueCrypt appeared to pull the plug on itself, suggesting users migrate to BitLocker for Windows and use encrypted disk images for Mac OS X. People wondered: is this a joke, a hacking incident, or the real thing? Security guru Steve Gibson predicts that the plug being pulled is probably the real thing.

The biggest question is: Can we still safely use TrueCrypt? Fortunately, the answer appears to be yes, and Steve Gibson has done the world a huge favor by creating an archive where users can download the last fully working versions of the software.

As we learn more and more about the NSA and other government agencies around the world spying on communications and information that have nothing to do with terrorism, crime, or anything else remotely relevant to public safety, we have to be mindful that encryption tools are critical. Sorting through all of the various claims by developers (“Our product is impossible to crack!”) can be a headache unless you have a Ph.D. in math and can understand the encryption algorithms being used. TrueCrypt is (was) a known application with a long history of not being broken by hackers.

It’s good to know that it is still safe to use.


More on Dropbox security

A reader directed my attention to the fact that Dropbox now says that the data stored on its servers is encrypted. This is good news, but it does not completely resolve lawyers’ security/confidentiality concerns.

The crux of the issue here is who controls the keys to decrypt the data on Dropbox’s servers. Dropbox’s security policy is clear: they manage the keys. For lawyers (or anyone concerned about privacy), there are three potential bogeys in this situation:

  • The outside bad guy who wants to break in and steal your data for whatever reason.
  • The Dropbox employee who wants to steal your data (again, for whatever reason).
  • The person presenting a court order or subpoena requiring Dropbox to turn over your data.

In each of these scenarios, the data starts off encrypted. When the outside bad guy tries to review your data, he will get nothing but the unreadable gibberish that is your encrypted data. Bad guy is defeated, and all is well with the world.

When the Dropbox employee wants to steal your data, the question I have is how easily can the employee get the keys to decrypt the data? If there are systems in place to limit employee access to the decryption keys (perhaps multiple authorizations from key managers coupled with logging of access attempts and active monitoring), then the rogue employee is probably going to be defeated. Dropbox users are happy. But if the employee can easily decrypt data and cover his or her tracks, Dropbox users are not happy. I would like to assume that Dropbox has carefully planned systems in place, but one can never assume anything. I’d be surprised if they didn’t, but even then no system is 100% secure.

The most problematic scenario is the third one, where someone appears with a court order or subpoena requiring Dropbox to turn over the data. In this instance, Dropbox can decrypt the data and turn it over. For lawyers, the Rules of Professional Conduct (or their equivalent in a particular jurisdiction) severely limit what information we can disclose and under what circumstances. We have an ethical duty to object to disclosure—but if we are unaware of the subpoena or court order, we do not have that opportunity. If Dropbox notifies us of the subpoena or court order so we can appear and raise the confidentiality/privilege objection, then we’re probably fine.

Still, the worry here is that Dropbox has the ability to decrypt the data (with or without notice). The best security philosophy is TNO: Trust No One. The wisest practice is to never allow a third party service provider to manage the decryption keys when it comes to client data. In a practical sense, Dropbox’s encryption is probably “good enough,” but it comes with a risk of disclosure. The risk may be small, but it still exists.

For lawyers, the bottom line is this: how much risk are you willing to take in exchange for the convenience of Dropbox? It’s not always easy to find the right balance, and lawyers of reasonable minds can disagree about which balance is right. For routine client data and documentation, Dropbox’s security policy is probably fine. But for more sensitive client information, I would still prefer encryption where I can manage the keys.

How lawyers can securely use Dropbox with an iPad in 13 easy steps

The security concerns with Dropbox have been bugging me for a little while now, and I’ve let my brain ruminate. As you will recall, the problem with Dropbox is that (in theory, at least), it is possible for third parties to access data on Dropbox’s servers, perhaps without your permission. Dropbox might be served with a subpoena for all data on a particular server—which might include your client’s files. The risk is not great, but some lawyers are not willing to try to explain the low risk to their disciplinary authorities. (Like many lawyers, I’ve received a couple of those dreaded envelopes in my 20 years of practice. Nothing ever came of them (I only had to send in one response), but I know that pit-in-the-stomach feeling.)

Dropbox would be a simple solution if only it would encrypt data on its servers, like SpiderOak does. I wrote earlier about how to encrypt your data before uploading to Dropbox, and with one extra step we can use our iPads. Because lots of us use Dropbox, however, I figured it was time to design a sure-fire method that is as easy as turning your iPad on. I’m still trying to figure that one out, but for now there’s always this method:

1. Encrypt your data on your work PC. (I use the term PC generically here; it includes Macs.) Use TrueCrypt or any other encryption software to encrypt the files.

2. Upload your encrypted files to Dropbox. Drag the file container to your Dropbox folder, and a few minutes later it will be uploaded to Dropbox servers.

3. Go home (or wherever else you will access your files). This won’t work if you don’t have a PC at home, of course. At your home PC, make sure you have Dropbox installed and synced to the same account you use at work. Copy the file container from your Dropbox folder to your PC’s desktop.

4. Decrypt the file container on your PC. Of course, you’ll need to use the same encryption software that you have on your work computer—which is another reason I like TrueCrypt: it’s free and available for different platforms. No need to buy an extra copy of anything to run on your home computer, no need to worry about bringing a serial number home, etc. ONE THING: Make sure you’re decrypting the file on your desktop and not in your Dropbox folder!

5. Copy your files from your home PC to your iPad. This is the toughest part, perhaps. Using whatever method you have available to you, get the files onto your iPad. You can do it through iTunes (ugh) or, using an app like Good Reader, make a wireless connection to your PC and copy the files over (probably the easiest way).

6. Work on your files on your iPad. Do whatever you need to do: read them, edit them, email them to someone. When you’re done, you’re going to reverse the steps above.

7. Copy the files from the iPad back to the PC. Easy to say, and hopefully you know how to do this already. I have to admit, even I can’t find a simple article on Apple’s web site that explains how to do this on a Windows PC.

8. Encrypt the “new files” on your PC. Gather up the edited or reviewed files that you just transferred to your PC, and use your encryption software to create the encrypted file container—just like you did at the office.

9. Copy the encrypted file container to your Dropbox folder. You may want to name your newer encrypted files so you’ll know which is which. As before, after a few minutes your new file container is uploaded to Dropbox’s servers.

10. Go to sleep/enjoy the rest of the weekend/etc. You probably don’t need instruction on this point.

11. At the office, copy the new encrypted file container to your PC. This will seem familiar by now.

12. Decrypt your files. Again, just like you did at home.

13. Copy the “new files” to the appropriate place on your computer or file server in the office. You probably do this dozens of times a day, so you don’t need me to explain how to do it.

That’s it: 13 “simple” steps. As I said, it’s a kludge, but it will have to do until a better option comes along. The problem with this method is that you have to have Dropbox and your encryption software installed on the computer where you want to access your files and get them to your iPad. If you’re counting on using a client’s computer, you will at least have to know how to install both pieces of software—and how to uninstall them when you’re done.

In case it wasn’t obvious, this article is written tongue-in-cheek. If you’re going to use your iPad to work on files at home or on vacation, just copy them to your iPad while you’re at the office—it’s as easy as that! (I suppose a situation might occur where you’d have to actually do all of this, like maybe your iPad cable was left at home and you can’t connect your iPad to your work PC.)

Why your passwords suck, and how to fix them (pt. 3)

In this final part of the series on good password practices, we’ll take a look at how to create strong passwords.

The three keys to password strength are the number of possible characters, the length of the password, and not reusing passwords. Let’s look a bit closer at what I mean.

  • You may recall the example of the ATM card personal identification number: four spaces, 0 through 9, yielding 10,000 possible combinations. If you use a four-digit code as your password, a password cracker can break it in 11 seconds (assuming 1,000 guesses per second, which is quite feasible).
  • If you use a password like 123a, there are now 1.7 million possible combinations: 10 for the first character, 10 for the second character, 10 for the third character, and 26 for the fourth character. A password cracker will need almost 30 minutes to break this password (again, assuming 1,000 guesses per second).
  • If you use a password like 123aA, there are now 931 million possible combinations (10 for the first, second, and third characters, 26 for the fourth, and 26 for the fifth–keep in mind that in the world of computers, a and A are two different characters). The same password cracker would now need 1.5 weeks to crack it. If we’re talking about a serious hacker with top of the line crackers, though, it could take as little as .00931 seconds. Ouch.
  • If you use a password like 123aA!, there are now 742 billion possible combinations (assuming 33 possible special characters). A typical password cracker will need 23.62 years to break your password, but a high-powered cracker can do it in 7.43 seconds. Ouch again.
  • If we take that six-character passcode and double it (123aA!123aA!), there are now 546,108,599,233,516,079,517,120 (or, 5.46 times 10 to the 23rd power) possible combinations. Your average password cracker now needs 1.74 hundred billion centuries to crack it. The higher end equipment would require 1.74 thousand centuries. Even a massive cracking array setup (doing one hundred trillion guesses per second) would require 1.74 centuries to break the password. That’s pretty safe!

The lesson to be learned from these examples is that you need a long random password (at least 12 characters in length) with numbers, lower case characters, upper case characters, and special characters. Why does it have to be random? The answer is simple: because you don’t want anything even resembling a dictionary word. Password hackers often launch an attack with what’s called a dictionary attack. The cracker tries every word in the dictionary, A to Z. Even a longer word like Mississippi will be cracked in seconds.
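The totals quoted in the list above (1.7 million, 931 million, 742 billion and the 24-digit figure) are what you get by counting every candidate of length 1 through n over the combined alphabet of all the character classes a password uses, which is the ground an exhaustive search has to cover. The Python sketch below is an added example, not the author's code; the function names and the 10^11 guesses-per-second rate for the "high-powered" cracker are assumptions, the latter inferred from the timings quoted.

```python
import string

# Character classes with the sizes the article uses
# (33 specials = 32 ASCII punctuation characters + space).
CLASSES = {
    "digit": set(string.digits),
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "special": set(string.punctuation) | {" "},
}

# Guesses per second. The first and last rates are stated in the article; the
# middle one is an assumption inferred from its "high-powered cracker" timings.
RATES = {
    "typical": 10**3,
    "high_end_assumed": 10**11,
    "massive_array": 10**14,
}


def alphabet_size(password):
    """Size of the combined alphabet covering every class the password uses."""
    chars = set(password)
    if not chars:
        raise ValueError("empty password")
    known = set().union(*CLASSES.values())
    if chars - known:
        raise ValueError("only printable ASCII is modelled here")
    return sum(len(members) for members in CLASSES.values() if chars & members)


def search_space(password):
    """Number of candidates of length 1..len(password) over that alphabet."""
    size = alphabet_size(password)
    return sum(size**k for k in range(1, len(password) + 1))


def exhaustive_seconds(password):
    """Worst-case seconds to try every candidate at each guess rate."""
    space = search_space(password)
    return {name: space / rate for name, rate in RATES.items()}


if __name__ == "__main__":
    # The sample passwords are the ones used in the article's list.
    for pw in ("1234", "123a", "123aA", "123aA!", "123aA!123aA!"):
        print(f"{pw!r}: alphabet={alphabet_size(pw)} space={search_space(pw):,}")
        for name, secs in exhaustive_seconds(pw).items():
            print(f"    {name:<17} {secs:.3e} s")
```

These are worst-case times for exhaustive search and hold only when the characters are chosen at random; a dictionary word or a repeated pattern falls outside this model.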

Don’t overlook the issue of length. Earlier this year, my Gmail account was hacked, and I had a six-character random password. Fortunately, I was able to limit the damage (and Google caught the hacking and disabled the account), but it taught me an important lesson. Passwords that we used to think of as being strong are becoming weaker as computing power increases.

So, you come up with a long random password with numbers, lower and upper case characters, and a special character or two. Now what?

Do not use this password for everything. Doing so is like using the same key for your office, your car, your home, your safe deposit box, and your post office box.

You can use this password as a root for a password system, however, and add something unique on to the root for each web site you use. For example, you could use 123aA!123aA!amazondotcom as your password for Amazon. If it’s too long to type, think of a way to abbreviate it, such as amzn. If you’re a WordPress user, you could use 123aA!123aA!wrdprss (which would require trillions of centuries to crack).

A long, random password, combined with an application like 1Password or Lastpass, is your best bet to ensure your accounts–not to mention your clients’ data!–are safe.



Why your passwords suck, and how to fix them (pt. 2)

Password security is a necessary evil in today’s society. Too many people online have weak (even guessable) passwords. As identity thieves and hackers become more sophisticated, we users need to improve our own security habits.

The first step you should take is to stop using the same username and password for every online service. When you use the same password for “cutekittens.com” that you do for your bank accounts, you are asking for trouble. A security breach at “cutekittens.com” means the crooks now have your bank password, and they can clean you out. The crooks don’t even need to break into the web site: there is an entire market online for usernames and passwords. Hackers do the hard work, and they sell the information to the people who want to steal your money (and more).

But wait, you say, how do the crooks know where I bank? They don’t. They don’t have to. They can simply play the odds that you bank at one of the big banks: JP Morgan Chase, Citibank, Bank of America, Wells Fargo, and so on. The crooks simply try your username and password at the various bank web sites. They find that enough of these efforts work that they keep doing it.

Admit it to yourself: you are vulnerable.

To protect yourself, you have to use different passwords for each online service you have. Yes, it can be a royal pain to keep track of them (although there are some tools for this, which we will look at momentarily). But it is the only way to protect yourself. Think of it this way: would you use the same key for your car, your home, your office, your safe deposit box, and so on? Of course not. Most of us have at least two or three keys on our key rings, sometimes more.

So how do you keep track of these various passwords? One way is old-fashioned yet effective: you write them all down on a single piece of paper, fold it up, and put it in your wallet. We are already pretty good at protecting our wallets (or purses), but there are still pickpockets and purse thieves who would no doubt be thrilled to find a bonus in the stolen item.

The better practice is to use a password manager application. I am most familiar with two of them: Lastpass and 1Password. There are undoubtedly others, but they all work in similar fashion. You use the applications by creating a good, solid master password to unlock the app, and then the app can fill in your unique password on the web site. What I like about Lastpass and 1Password is that they work on multiple platforms: Windows, Mac, iOS, etc. Lastpass also works on Linux, if that’s your preferred operating system. Let’s look at this idea in a little bit more detail.

Let’s say you sign up for Lastpass (did I mention its basic–yet feature-rich–version is free?). You create a master password, like round#fa?77 (this example is actually too short, but it will do for now). Then, Lastpass can create a strong, secure password for each web site you use. You pick how long, how many numbers, special characters, and the like, and Lastpass does the rest. It can even fill the password into the proper field on the web site. Save it, and you’re set. Lather, rinse and repeat for each web site, and pretty soon you have a collection of unique, completely unmemorable and unguessable passwords. The only thing you have to remember is round#fa?77.

Whenever you visit one of the sites, like your local bank, you unlock Lastpass, use the Lastpass browser extension to fill in your username and password, and voila! You’re in. It really could not be easier. 1Password works the same way.

The simple fact is that if you’re not using something like Lastpass or 1Password, you’re asking for trouble. Yes, modern browsers have “keychains” that will remember your passwords, but if your computer is stolen (or hacked by malware), the crooks have your passwords. You need a solid password manager to keep your password data encrypted, and all they require of you is remembering one master password.

Given that Lastpass is free for its basic service, you owe it to yourself to give it a try. It may seem like a bit of a headache at first, but it’s nothing compared to the headache of dealing with the police, banks, insurance companies, and so on if your bank account is cleaned out. Lastpass has a premium version that runs $12 (US) per year.

1Password is more expensive, but it operates as a standalone application, meaning you can store plenty of things like Social Security Numbers, credit card account information, software licenses, and so on without having to launch a web browser. 1Password also has a free trial, so it cannot hurt to give both services a look.

Your homework assignment is to start using one or both of these services and use them to create long, impossible to memorize passwords for your various web sites. In the next (and hopefully final) article in the series, we’ll look at how to create a good master password.
