Categories
SPOIL - Security and Privacy Online and In Life tech

Write That Password Down!

I am thinking about how dependent I am on my password manager application these days. I use 1Password myself. There are several players in this marketplace. I chose 1Password because it is not owned by a company that I prefer not to do business with, and it has all the features I need. YMMV (your mileage may vary) of course.

I was thinking about two facets of this. One is that all password managers come with instructions for creating a “password manager emergency kit” (PMEK). They don’t use that term, I made it up. However, they always tell you to back up the credentials that you need to regain access to your password manager database, whether it is stored on your local disk or in the cloud.

This is really important to do, as soon as you start using a password manager. Even before you figure out how to get your passwords in, or go through changing your passwords to unique nonsensical ones. A password manager is only secure if your password vault can be accessed only by authorized individuals, meaning those who hold the vault password (and, for 1Password, the Secret Key that goes with it). Assuming that you selected a sufficiently strong vault password, and you keep that password from falling into the wrong hands, then nobody … nobody except you … can unlock that vault. Ever. Nobody, not even technical support for your software company, not the police, not the NSA, no deity in any pantheon can unlock that vault without the password. If that last sentence is untrue, then the password manager is NOT secure. Period. The one exception is hierarchically managed vaults (team or family accounts), where an administrator you have designated holds recovery material; even then it is that administrator, not the vendor, who can open it.

1Password provides information about their emergency kit here: https://support.1password.com/emergency-kit/. Others do something similar. It is really, really, really important to save your Master Password and your Secret Key (1Password's account key) some place secure, on paper! Preferably in sealed, tamper-evident envelopes stored in a locked box or drawer or safe deposit box, or all of the above. “Lots of copies keeps stuff safe.” You don’t want to have copies easily available to anyone who is wandering through your home (think cleaning people, guests, children, etc.) but you also want to have a way to recover those bits of information if you forget the password.
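To make concrete why the emergency kit has to hold both pieces, here is a small model of a vault written as an added example for this post (it is not 1Password's code, and the exact construction, scrypt plus an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC, is an assumption chosen so it runs with only the Python standard library). The vault file carries a salt, a nonce, ciphertext and a tag; the master password and the secret key are never written into it, so without both, nobody, support staff included, can open it.

```python
"""Model of a password vault: the file on disk is useless without BOTH the
master password and the secret key that belong in the emergency kit.
Added illustration; not 1Password's code or exact construction."""
import base64
import hashlib
import hmac
import json
import secrets

# Assumed KDF parameters for this illustration (deliberately slow, 16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """64 bytes of key material from both secrets plus a per-vault salt.

    The human-chosen password can be guessed; the machine-generated secret key
    adds entropy that cannot, so a stolen vault file cannot be cracked offline
    by trying passwords alone."""
    material = master_password.encode() + b"\x00" + secret_key.encode()
    return hashlib.scrypt(material, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher (standard library only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def lock_vault(entries: dict, master_password: str, secret_key: str) -> dict:
    """Encrypt-then-MAC the entries. The returned vault holds salt, nonce,
    ciphertext and tag, never the password, the secret key or the derived key."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_vault_key(master_password, secret_key, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": _b64(salt), "nonce": _b64(nonce), "ct": _b64(ciphertext), "tag": _b64(tag)}


def unlock_vault(vault: dict, master_password: str, secret_key: str) -> dict:
    """Verify the tag before decrypting. A wrong password, a wrong secret key and
    a tampered file all fail identically: there is no other way in."""
    salt, nonce, ct, tag = (base64.b64decode(vault[k]) for k in ("salt", "nonce", "ct", "tag"))
    key = derive_vault_key(master_password, secret_key, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("cannot unlock: wrong master password or secret key, or vault modified")
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)


def can_unlock(vault: dict, master_password: str, secret_key: str) -> bool:
    try:
        unlock_vault(vault, master_password, secret_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample of what goes in the emergency kit, on paper.
    MASTER = "correct horse battery staple"     # chosen by the human
    SECRET_KEY = secrets.token_hex(16).upper()  # generated by the software, never derivable
    vault = lock_vault({"bank": {"user": "alice", "pass": "Xy7!uQ2#"}}, MASTER, SECRET_KEY)
    assert can_unlock(vault, MASTER, SECRET_KEY)
    assert not can_unlock(vault, MASTER, "WRONG-KEY")   # password alone is not enough
    assert not can_unlock(vault, "forgotten", SECRET_KEY)
    print("vault file fields:", sorted(vault))          # ['ct', 'nonce', 'salt', 'tag']
```

The point of the demo at the bottom is the two failing calls: losing the secret key is exactly as fatal as forgetting the master password, which is why the emergency kit must record both.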

Two very important additional considerations: Off site access, and access in case of your incapacitation.

Off site access means that you have a copy somewhere that you can get to if your home / computers / etc. become unavailable. Fire, flood, catastrophic failure of your home … those we had imagined. Losing access to our mother’s apartment because of COVID-19 quarantine protocols was not one that we had thought about. We always assumed that one of her children would have physical access to her apartment if necessary. This has been an epic FAIL with safety restrictions in retirement facilities. I leave it as an exercise to the reader whether you save a copy with a trusted friend (someone who has your best interests at heart and would never have reason or desire to steal your identity), in a safety deposit box, or with your estate executor / personal representative / attorney. That may be a good idea regardless. Even if your estate passes automatically to your spouse, it would be wise to share an escrow copy with the people who will have to sort out your finances after you become incapacitated. I consider “death” to be a special case of incapacitated.

Also very important … it is necessary for you to teach the person who will become your proxy in case of incapacitation how to use your password vault software. They will need to know where to find the emergency kit, they need to have the password management software installed on their computer, and they need to know how to use that software.

More and more, everything we do is online. Banking, credit, salary / retirement management, recreation, identity, social networks, you name it … it is all online and it all requires a username and password. Using a password manager is important (I would say essential, but who listens to me). In most cases, you have been trained not to write down passwords. However, in the case of the credentials needed to get access to your password manager, either remotely for yourself after a systems (or home) failure, or for your family member, estate executor, etc., write that password down (and keep copies in safe places).

Categories
genetic-genealogy

Two Quick Notes About MyHeritage DNA

MyHeritage Password Compromise

If you have not changed the password on your MyHeritage web account since June 2018 or earlier, do it now. Do not finish reading this post; go log in to MyHeritage and change your password.

When you log in to MyHeritage for the first time after the breach they will force you to change your password. Make sure to choose a password that is different from any other password that you use elsewhere. Do not reuse the password that had been there, or some permutation of it. If you used that password on other sites, you should change the password on all those sites.

In June of 2018, MyHeritage discovered that their servers had been breached in October 2017. The email addresses and hashed passwords of about 92 million MyHeritage users had been obtained by attackers. MyHeritage described the breach in three blog posts:

MyHeritage also implemented 2-Factor Authentication (2FA) on the day that they revealed the breach. It is very likely that they were working on 2FA already, but it is a little sad that it takes a massive breach of password data to make it available to their customers. They (and the other three of the “Big Four” DNA testing services) should be proactively implementing good security controls, not bolting them on as an afterthought after they learn that 92 million password hashes and email addresses have been stolen.

Their description of the risks from this incident downplays the loss of email addresses and password hashes. Hashing (even salted hashing) protects only passwords that are too strong to guess: any moderately-skilled attacker can recover weak or common passwords from the hashes with a password cracking tool, and with the matching email address in hand will try those passwords on other sites. 1
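To show what “extract weak passwords from the hash” means in practice, here is a dictionary attack against a constructed dump, added as an example for this post (it is not MyHeritage's code, and the hash scheme, one round of salted SHA-1, is an assumption standing in for whatever legacy scheme a site might use). The sample accounts, wordlist and salts are all constructed inline. The per-user salt stops precomputed tables, but every guess still costs one hash, so the three weak passwords fall in milliseconds while the long random one does not appear in any wordlist and survives.

```python
"""Why leaked hashes are not harmless: a dictionary attack over salted SHA-1
hashes. Added illustration with a constructed dump; the hash scheme is an
assumption, not MyHeritage's actual one."""
import hashlib
import os


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Single round of salted SHA-1: cheap for the site, equally cheap for the attacker."""
    return hashlib.sha1(salt + password.encode()).digest()


def mangle(words):
    """The permutations people make when 'changing' a password (the post warns against them)."""
    for w in words:
        yield w
        yield w.capitalize()
        yield w + "1"
        yield w + "!"
        yield w + "2018"
        yield w.capitalize() + "1"
        yield w.capitalize() + "2018"


def build_dump(users: dict) -> list:
    """Constructed breach dump: [(email, per-user salt, hash)], as an attacker would hold it."""
    dump = []
    for email, password in users.items():
        salt = os.urandom(8)
        dump.append((email, salt, legacy_hash(password, salt)))
    return dump


def crack(dump: list, guesses: list) -> dict:
    """Try every guess against every user. Per-user salts defeat precomputed
    tables but do nothing against a weak password: each guess is one SHA-1."""
    recovered = {}
    for email, salt, digest in dump:
        for guess in guesses:
            if legacy_hash(guess, salt) == digest:
                recovered[email] = guess
                break
    return recovered


# Constructed sample accounts and a tiny wordlist (real ones hold millions of entries).
SAMPLE_USERS = {
    "a@example.com": "password",
    "b@example.com": "Summer2018",
    "c@example.com": "ancestry1",
    "d@example.com": "gZ8#vLq2!wR4mT9p",   # long, random, unique: not in any wordlist
}
WORDLIST = ["password", "summer", "ancestry", "letmein", "heritage", "123456"]


def run_attack() -> dict:
    return crack(build_dump(SAMPLE_USERS), list(mangle(WORDLIST)))


if __name__ == "__main__":
    for email, pw in run_attack().items():
        print(f"{email}: {pw}  <- now try this on their email, bank, other DNA sites")
    # d@example.com is not printed: the strong unique password survives.
```

The `mangle` step is why “change it to a permutation of the old one” is no protection: appending a digit or a year is the first thing a cracking wordlist rule does. The only defenses that work are a password that is unique to the site and too long to guess (d@example.com above) and, on the site's side, a deliberately slow hash such as bcrypt or scrypt that makes each guess expensive.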

MyHeritage Supports Uploading GSA Chip Kits

One problem with testing your autosomal DNA (atDNA) on any one of the “Big Four” testing services 2 is that they each maintain a separate database to match against.

When you select an atDNA testing service, your DNA will be compared to that of everyone else who tested with that service. If you test on 23andMe and your undiscovered cousins test on Ancestry DNA, you will not appear in each others’ match lists because those databases do not communicate with each other.

You can download your raw DNA representation … your DNA “kit,” and upload it to GEDMatch, which will match it against everyone else who has uploaded to GEDMatch. It would be great if everyone who tested uploaded their kits to GEDMatch. There is something of a learning curve to using GEDMatch, and most of the testing services include documentation that can frighten the average person away from downloading their kit.

MyHeritage allows anyone who has tested on the other services to upload their kit and compare it to their database for matches. Until now, 23andMe kits that were processed after August 2017 (when 23andMe moved to the GSA chip) could not be matched by anyone other than 23andMe. MyHeritage now supports matching kits that are based on the GSA chip. See more details on their site:

Categories
SPOIL - Security and Privacy Online and In Life

Never Enough Backups – Part 1

Have you ever thought about what would happen if you suddenly, without warning, did not have your desktop computer, your tablet, or your smart phone?

I know that there are exceptions out there, but most of us live in a symbiotic love/hate relationship with our computer devices and our online vendors. Most of our lives are online these days.

  • Do you still receive paper bills and pay with paper checks? When you run out of paper checks, do you renew online, or did you save those little paper slips that let you reorder without going online? Do you receive your bank statements on paper or online?
  • Do you take photographs with your digital camera or phone? Do you store those photos on your computer, or “in the cloud?”
  • Do you have any important documents; receipts; family documents stored on your computer? Do you need the data on your computer to file your next tax return?
  • Do you need your computer to reproduce your resume, find details of your security clearance applications (you really want to answer consistently every time), remember dates of birthdays or anniversaries (perhaps even your own)?
  • Do you have hobbies that have significant work product that is stored on your computer? I have been thinking specifically about genealogy, but unless your hobbies are completely offline, you probably use the computer.
  • Do you store names, addresses, your creative writing, your shopping lists, etc. on your computer?

You get the picture. If you answered “yes” to any of the questions above, you need the data in your computer. If you lose your computer, or you lose access to it, you lose your data. Then you lose your mind. If you need your computer, you need a good backup strategy.

In my thirty-something years of work in Information Technology (IT), the most heartbreaking situations that I have had to deal with are when a scholar or a student brings their dead computer to me (usually on the night of a deadline). “My computer stopped working.”

Sometimes a family member or friend will bring me a dead computer. They say “I can’t get in. I have ten years of family photos on here. Help me!”

My first question is always “Do you have backups?” My second question is “When was the last time you actually ran the backup or plugged in the drive?” This is usually when the tears begin.

Computers have become more powerful and less expensive at an exponential rate. Technology has made remarkable strides, but computer technology is fragile. If you use a multi-million dollar fully-redundant super-mini-computer node like a Stratus or a Tandem, you might feel safe not storing your backups reliably offline. Even then, there are disaster recovery scenarios that justify backing those nodes up.

Here are a few things that can go wrong with any computer:

  • Motherboard failure. This might not directly cause data loss, but it could take you a few days to get the motherboard or the entire computer replaced.
  • Fixed disk drive failure. This is very common. Very common! Sometimes the data can be recovered, usually at a cost of about $2,000 per drive.
  • Flash / solid-state memory failure. Even more common than disk drive failures. Usually there is no consumer-level recovery possible. The useful lifetime of consumer flash / solid-state memory can be as short as a few years.
  • Physical accident: spills, drops, pets, kids, etc.
  • Environmental events leading to destruction or unavailability: floods, earthquakes, mudslides, fires, explosions, quarantine, zombie apocalypse, etc.
  • Attackers and malware, including viruses, ransomware (cryptolockers), Trojan Horses, etc., deleting, encrypting or otherwise making your data unavailable.
  • Human error. It is remarkably easy to accidentally and unretrievably delete critical computer data. Try it. No … don’t … take my word for it.
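Two of the questions above (“When was the last time you actually ran the backup?” and whether malware or a failing drive has quietly damaged what is on it) can be answered by a script rather than by tears. The following is an added example written for this post, not a tool the author uses; it assumes a backup directory of copied files plus a `MANIFEST.json` of SHA-256 hashes recorded at backup time (both names are this example's own), and builds its whole scenario in a temporary directory with constructed files.

```python
"""Backup freshness and integrity check: answers "when did the backup last run?"
and "is what is on the drive still what was written?" Added illustration; assumes a
backup directory of copied files plus a MANIFEST.json {relative_path: sha256}."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_backup(src: Path, dest: Path) -> dict:
    """Copy the src tree into dest and record a hash of every file as it was written."""
    manifest = {}
    for path in src.rglob("*"):
        if path.is_file():
            rel = path.relative_to(src)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(path, target)
            manifest[rel.as_posix()] = sha256_file(target)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def check_backup(dest: Path, max_age_days: float = 7.0) -> dict:
    """Report age (from the manifest's mtime), missing files and files whose
    contents no longer match the hash: silent corruption, a failing drive, or
    ransomware that reached the backup."""
    mpath = dest / MANIFEST
    if not mpath.exists():
        return {"ok": False, "age_days": None, "stale": True, "missing": [], "corrupt": []}
    age_days = (time.time() - mpath.stat().st_mtime) / 86400
    manifest = json.loads(mpath.read_text())
    missing = [rel for rel in manifest if not (dest / rel).exists()]
    corrupt = [rel for rel in manifest
               if rel not in missing and sha256_file(dest / rel) != manifest[rel]]
    stale = age_days > max_age_days
    return {"ok": not (stale or missing or corrupt), "age_days": age_days,
            "stale": stale, "missing": missing, "corrupt": corrupt}


def run_demo() -> dict:
    """Constructed scenario in a temp directory: fresh backup, then one file
    overwritten (as ransomware would), then a manifest aged 30 days."""
    root = Path(tempfile.mkdtemp())
    try:
        src, dest = root / "home", root / "backup_drive"
        (src / "photos").mkdir(parents=True)
        (src / "photos" / "family.jpg").write_bytes(b"\xff\xd8 sample jpeg bytes")
        (src / "taxes.txt").write_text("2019 return")
        write_backup(src, dest)
        fresh = check_backup(dest)
        (dest / "photos" / "family.jpg").write_bytes(b"ENCRYPTED")
        tampered = check_backup(dest)
        old = time.time() - 30 * 86400
        os.utime(dest / MANIFEST, (old, old))
        stale = check_backup(dest)
        return {"fresh_ok": fresh["ok"], "tampered_corrupt": tampered["corrupt"],
                "stale_after_30_days": stale["stale"]}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
    # {'fresh_ok': True, 'tampered_corrupt': ['photos/family.jpg'], 'stale_after_30_days': True}
```

Run `check_backup` against the drive every time you plug it in; a stale or corrupt report is the moment to act, not the night of the deadline. The hash manifest matters because a drive that mounts and lists files can still hand back garbage, and a backup that ransomware could reach is one it can encrypt along with the original.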

Remember, even if much of what you do is “In the Cloud” … your usernames, passwords, email addresses, account numbers, etc. are probably stored in your web browser’s saved-password store on that same computer (you do have that password protected, no? Different topic though).

A computer is a tool, but unlike a hammer or a saw, which you can buy in any hardware store, your computer is your tool, customized with your settings and containing your data. If something bad happens to your computer, nobody can bring back your data unless you have backed it up.

Here are the three “Rs” of backups: Redundant, reliable, restricted and repeated. OK, four R’s.

More soon …

Meanwhile, if you have a backup disk that has not been introduced to your computer in a while, why don’t you do that right now? You might thank me later.