Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

United’s New Security Questions

February 18, 2016 By Doug

When I logged into United’s site to check in for a flight this week, I discovered that they’ve changed their user security approach. There’s been some chatter on flyertalk, twitter, and a couple of other places about the changes, and I thought I’d chime in.

First, let’s take a look at what United’s trying to protect. Obviously, they want to avoid mischief with cancelled reservations, fake reservations and other annoyances. They’re also working to protect user identity information – they’re right up there with doctors and financial institutions in holding PII. From passport numbers to Global Entry and/or TSA redress numbers, it’s all information that we want held in confidence. Obviously they deal with credit card numbers and are subject to PCI-DSS requirements. Even the travel information itself is sensitive – if a corporate officer is consistently traveling to a competitor’s headquarters, that’s valuable insider information about a pending merger. They also hold in trust billions of air miles worth hundreds of millions of dollars – essentially a virtual currency. And that’s probably one of their crown jewels.

Major airlines have some unique challenges in their user base. They have to support access worldwide – which makes two-factor very difficult (SMS and phones don’t work overseas reliably). They have a large population that doesn’t speak English (for United, particularly in Asia and Latin America). And they have a mobile user population, who (contrary to good practice) probably use untrusted devices on a regular basis. Airlines need to have pretty good security, and it appears United is trying to up their game.

The first change is the elimination of the PIN as a login option, a long-overdue and essential change. Good for them.

Now on to the security questions. These have a mixed reputation in the security community, and can often degrade security rather than improve it. The strongest (in potential) option is to enter both the question and answer, but that only works if you provide good questions and good answers. Unfortunately, users are generally terrible at doing that.

So most typical security questions are prescriptive – you’re either given the questions, or allowed to choose them from a short list of common ones. Once that’s done, in most implementations you’re allowed to enter free form text as a response.

And that’s where the problems start. With social media, the majority of ‘security question’ answers can be easily discovered – the celebrity breaches over the past few years all resulted from that kind of attack. In those cases, I always recommend that folks, well, lie – pick random words (Diceware is excellent for that), and record those fake answers in a secure repository (like 1Password, as notes in the login entry), with appropriate backups in a secure location.

In most cases, the worst option is a prescriptive question with restricted answers. So a question like ‘When is your parent’s wedding anniversary?’ and a system that requires a valid date is terrible. By forcing a real date within a restricted range, the site leads users to enter real information, and a date that’s likely on social media. Terrible design.

My initial reaction to United’s system was not very complimentary – but it’s mandatory, I have to fly, so I did it (using false answers at least). Now after I did my account, my wife did hers – and received a different set of questions. Interesting. So I asked around, and sure enough, it looks like there’s a fairly large population of questions available. Something’s going on here.

So let’s look at the questions themselves. They’re fairly odd. While some of the answers may be on social media, not all of them will be. There’s also a fairly large number of pre-selected answers – much larger than most prescribed systems I’ve seen, and many answers you would normally expect are missing. Something’s definitely up.

What I think is going on here is that United is doing some pretty serious math behind the scenes. Multiple questions, with a large number of answers, adds up to a decent amount of entropy (a measure of security strength) – not as much as a robust password, but far more than most security questions. I haven’t been through the re-authentication process with the questions yet, but if they only ask for a subset, that’d be more information pointing in that direction.

Now why would United choose this system? Well, let’s look at a couple of ways people use and access their accounts. Aside from their own trusted machines, the most common, and the dumbest way possible, is using a public kiosk in a hotel, business center, rental car hub or similar location. I’ve told folks for years to never, ever use one of those – miss your flight first. Most are infected with malware and keyloggers designed to capture credentials, steal information, and then infect your own machine if you’re careless enough to use a thumb drive in both. If a machine’s in public, assume it’s compromised – using one is the digital equivalent of visiting a kissing booth in a mononucleosis ward at a hospital.

Using a public computer is like kissing a mononucleosis patient.

But even though my wife’s horse stall is cleaner than a machine in a hotel business center, every trip I see someone logging in and printing boarding passes. Want to bet that’s a major threat vector for the airlines?

So what happens if someone has a momentary mental lapse and uses United’s new system from an infected kiosk? It’ll grab the password – no way around that. But by not entering the answers on the keyboard, it’s much harder to capture the security questions. I suppose malware could evolve to scrape the screen, but that’s much harder to do – and even if it did, if United only presents a subset of answers, the account is unlikely to be completely compromised.

The other use case for those answers is phone transactions. Right now, if you want to redeem miles over the phone, you have to provide a PIN. So that means that the call center representative now has a PIN that can log in to my account. Don’t get me wrong – I think United has amazing people (they work in a tough situation, but the new CEO is improving that). But any organization is going to have some bad eggs get through the screening process. From a security standpoint, again, the most they can capture is a subset of answers, so the account is still secure.
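To make the entropy argument above concrete (and the "subset of answers" point about kiosks and call centers), here is an added Python example of mine, not United’s code or anything from the post; the bank size and answer-list length are constructed assumptions, compared against the Diceware fake answers recommended earlier and a ‘last four of SSN’ question:

```python
import math

# Constructed parameters: the post does not give United's real bank size or
# answer-list length, so these numbers are assumptions for illustration only.
DICEWARE_WORDS = 7776          # standard Diceware list, 6^5 words
QUESTIONS_ENROLLED = 5         # assumed size of a user's enrolled question set
ANSWER_CHOICES = 16            # assumed length of each pre-selected answer list


def answer_bits(n_choices: int) -> float:
    """Bits of entropy in one question whose answer is chosen uniformly from
    n_choices fixed options. This is the best case; users who pick the
    'obvious' answer give the attacker far less to guess."""
    return math.log2(n_choices)


def bank_bits(n_questions: int, n_choices: int) -> float:
    """Entropy of n_questions independent questions answered from fixed lists."""
    return n_questions * answer_bits(n_choices)


def residual_bits(n_questions: int, n_choices: int, captured: int) -> float:
    """Entropy an attacker still faces after observing `captured` answers,
    e.g. from a screen-scraping kiosk or a call-centre challenge that only
    exposed a subset. The unseen questions keep their full entropy."""
    remaining = max(n_questions - captured, 0)
    return bank_bits(remaining, n_choices)


def diceware_bits(n_words: int, wordlist: int = DICEWARE_WORDS) -> float:
    """Entropy of a Diceware passphrase (the post's recommended fake answer)."""
    return n_words * math.log2(wordlist)


def ssn_last4_bits() -> float:
    """Upper bound for 'last four of SSN': 10,000 possibilities."""
    return math.log2(10_000)


def expected_guesses(bits: float) -> float:
    """Average guesses needed against a uniformly chosen secret of `bits` bits."""
    return 2 ** bits / 2


def scenario(captured: int) -> dict:
    """Compare the constructed question bank (full, and after a partial capture)
    against a 5-word Diceware answer and an SSN-last-four question."""
    return {
        "bank_full_bits": bank_bits(QUESTIONS_ENROLLED, ANSWER_CHOICES),
        "bank_after_capture_bits": residual_bits(QUESTIONS_ENROLLED, ANSWER_CHOICES, captured),
        "diceware_5_words_bits": round(diceware_bits(5), 1),
        "ssn_last4_bits": round(ssn_last4_bits(), 1),
    }
```

With the assumed numbers, capturing two of five answers leaves 12 bits (about 2,000 expected guesses) rather than zero, which is the whole value of challenging only a subset; an online system would still need rate limiting to make even that bound matter.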

A colleague recently pointed out something I hadn’t considered: some folks use profanity or vulgarity in free form answers, so this protects the call center reps from having to deal with that. Many years ago I built a marketing system for a large restaurant chain based on delivery records. You wouldn’t believe what I saw entered into the ‘comments’ field. Comcast has had recent problems in this area too, so it’s an additional benefit.

I do have some open questions:

  • Do they really only ask a subset of questions?
  • How do they deal with indicators of compromise (consistently getting one or two questions right, but others consistently wrong)?
  • How do you gain access back if you’ve forgotten all the questions?
  • Do they treat untrusted computers differently?
  • Do they have a threat feed that monitors known compromised machines (probably via IP addresses) and denies them access completely?
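One way to approach the ‘indicators of compromise’ question above, as an added example of mine (not United’s system, and the log format is an assumption): flag accounts whose challenge history shows one set of questions always right and another always wrong, which is what a partial capture of answers looks like, run over a constructed log.

```python
from collections import defaultdict

# Constructed challenge log, not real data: (account, attempt_id, question_id, answered_correctly).
# Each re-authentication challenges only a subset of the enrolled questions.
LOG = [
    ("acct-A", 1, "q3", True), ("acct-A", 1, "q7", False),
    ("acct-A", 2, "q3", True), ("acct-A", 2, "q9", False),
    ("acct-A", 3, "q3", True), ("acct-A", 3, "q7", False),
    ("acct-B", 1, "q1", True), ("acct-B", 1, "q4", True),
    ("acct-B", 2, "q2", False), ("acct-B", 2, "q4", True),   # a single slip
]


def partial_knowledge_accounts(log, min_attempts=3):
    """Flag accounts whose challenge history looks like partial capture:
    across at least min_attempts attempts, some questions are answered
    correctly every time while others are wrong every time. A legitimate
    user who has simply forgotten one answer shows the same pattern, so the
    output is a cue for step-up verification or review, not an automatic lock."""
    results = defaultdict(lambda: defaultdict(list))   # acct -> question -> [bool]
    attempts = defaultdict(set)                         # acct -> attempt ids seen
    for acct, attempt, question, ok in log:
        results[acct][question].append(ok)
        attempts[acct].add(attempt)

    flagged = {}
    for acct, per_q in results.items():
        if len(attempts[acct]) < min_attempts:
            continue   # too little history to call it a pattern
        always_right = sorted(q for q, r in per_q.items() if all(r))
        always_wrong = sorted(q for q, r in per_q.items() if not any(r))
        if always_right and always_wrong:
            flagged[acct] = {"known": always_right, "unknown": always_wrong}
    return flagged
```

Lowering min_attempts to 2 flags acct-B on a single mistake, which shows why the threshold matters before acting on the signal.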

Not to feed conspiracy theories, but I did wonder if they’d had an incident that triggered this change. I don’t think so: United would have had to disclose a breach, so it looks like this is just an upgrade. If we continue to see additional features in this area, it’s probably a broad strategy to improve their security posture.

United gets a lot of grief these days. Some is deserved – I’d like to see them install the slim-line seats in their board room and executive suites, and their operations folks need to add slack back into the system for when things go wrong. Some isn’t – the customer facing people I’ve dealt with will do their best to make things right when something goes wrong. They’ve just been working in a really tough operational environment.

So which category do these changes fall in? My first, off the cuff reaction, wasn’t promising. Yet, after a deeper look, the system appears subtly robust. It’s clearly designed to be unobtrusive, and if what I’ve outlined above is correct, it’s about as secure a ‘security question’ solution as I’ve seen. It’s far better than most – mother’s maiden name? Last four of SSN? Please.
So kudos to United, for working to make the skies both more friendly and more secure.

Filed Under: Security Tagged With: passwords, public computers, security questions, united airlines

iPhone repairs – scam or security?

February 10, 2016 By Doug

Over the past few days, there have been a number of articles as people discover that their iPhones are bricked after undergoing third-party repairs. Apple has a FAQ about it, and iFixit has a good article with details, though I don’t necessarily agree with all their conclusions, and they do have a vested interest in third-party repair options. Not that that’s a bad thing – I’ve been a customer in the past myself, but with full knowledge that I was voiding my warranty by doing so.

So a couple of specific points:

“As long as the device requires a PIN on boot, then the device would be just as secure as it was before the part swap.”

The secure pairing between the sensor and the fingerprint reader (from published information) protects the biometric data in the secure enclave from compromise by a malicious sensor. The PIN is a different subsystem, and may protect the device, but not necessarily the biometric data.

“repair professionals should be able to unlock devices—and that they should have access to the same parts and the same tools that “authorized” repair shops do”

This is a widespread practice: witness key and lock manufacturers restricting secure blanks to licensed locksmiths, and the entire automotive industry requiring that new ‘smart’ keys be programmed at the dealership. So the question is, should it be? I’m annoyed at the hour’s time and $100-200 charge for a spare key to my car. That “feels” like gouging. But those keys have made a big impact on car theft, and my lower insurance rates reflect that. It’s tough to know the difference between security and a scam without a lot of details.

And that’s the rub. Apple isn’t disclosing enough details about the pairing process to understand if that’s possible. What I do know is this – Apple got the security of their fingerprint reader right. From storing the biometric data securely, to pairing the sensor, to enforcing a maximum number of attempts before triggering a PIN. If someone’s TouchID is compromised because of a malicious sensor, who will be blamed/sued/dragged through the media? Apple. I can’t blame them for locking down the secure subsystems to authorized repair agents.

You know, demands that Apple ‘should be able to allow unauthorized repairs’ sound a lot like demands that Apple ‘should be able to implement a backdoor in their encryption’. In the latter case, it can’t be done (math is hard after all). In the former? We need more details to know for sure.

But, in the end, my recommendation is to only use authorized repair services for secure components – for any product, not just Apple’s. It’s more money, but it’s worth it.

2/18 Update: Apple’s stopped bricking the device, but still won’t allow TouchID to be used until an authorized repair is completed. That seems a lot more reasonable than bricking the device, and still maintains TouchID security.


Filed Under: Security Tagged With: apple, biometrics, iphone, mobile

Gentlemen, Encrypt Your Data, Part I

January 15, 2016 By Doug

A friend of mine used to shoot dead chickens out of an air cannon at fighter jet canopies to test them against bird strikes. She told me a story that a team in the UK was trying to replicate the process, but kept shooting the birds right through the canopy. When they reached out to the US team, our folks replied with a simple message: Gentlemen, thaw your chickens. That’s become a sort of shorthand for doing something that should be obvious, but isn’t.

From whole disk encryption to public key cryptography, encryption has a long history of being the magic bullet that will solve all our information security problems. If only it were so! Yet encryption is a key defense against the Bad Guys™ for us as individuals and as organizations. In part I of this two-part post, I’ll share some thoughts about using it to protect your own information. In part II, I’ll talk about how it can help businesses protect their employees, customers and shareholders.

I know there’s a lot of concern about secret back doors (or front doors, as they’re now being rightspeaked) in major encryption solutions. While I do have a large stock of tinfoil hats (they hide me from the black helicopters), let’s be a bit pragmatic here for a minute. If a nation state wants to get my data, they’re going to. They’ll break into my home, install a keylogger in my machine, and capture my password. Or book a seat next to me on an airplane or grab the table next to me at my local coffee shop so they can record me unlocking my computer, or even use rubber-hose cryptanalysis to get me to reveal my passphrase.

Likewise, when I’m online, my computer is unlocked and the information accessible, so any malware on my computer will be able to phone it home (that’s why patching is so important). So why do we worry about encryption? The big one is theft. I’ve had a laptop stolen in the past (right out of my docking station over a weekend) in an office behind a door with a badge reader and a security guard – and I’m not alone. By some estimates 10% of all laptops are stolen in the first year of ownership. So the threat we’re talking about here is that if someone grabs my laptop out of the tray at the airport, hacks the hotel room door, or simply steals my car with my backpack in the trunk, my entire digital life is now exposed and at risk.

And that’s what encryption helps protect. It’s the difference between “oh crap, I lost a piece of hardware and have/get to buy a new model” and “oh bleep, I have to drop everything and try to figure out what the damage is”. It’s important to use a good passphrase or password, and you’d better remember what it is. If you forget it, you’ll lose your data for sure. By the way, that’s why I like passphrases for this kind of thing more than passwords – it’s easier to remember a complex phrase than it is a complex password. I recommend putting all your drive encryption passwords into a secure password vault like 1Password, because it may be years later when you have to decrypt the data, and you may not remember the one you used.

If you use a Mac, it’s easy to turn on FileVault 2, just follow these instructions. Make sure you also encrypt your Time Machine backup. For Windows, turn on BitLocker. Just be careful – if your Windows 10 device came with BitLocker turned on, you need to turn it off, then back on in order to encrypt the entire disk. For cloud services, well, that’s a whole different post!

It’s easy, simple, and free. Like thawing your chickens.

Image (c) DepositPhotos / Cseh Ioan

Filed Under: Security Tagged With: data security, encryption, personal, small business, WDE
