Saturday, August 13, 2022

Identity theft has gotten out of hand. Here are basic ways to protect yourself.

It's not a matter of if you will be the victim of a breach, but when.

Wired is starting to track breaches by halves (as a general tech publication), and security vendors are moving to monthly reporting due to the volume.

It's 2022, and it seems everyone loves to over-share on social media. This may feel good, but it introduces substantial risks. Let's talk about cyber hygiene.

Information security is a frame of mind, so the most effective way to protect yourself is by being smart. ISC2 has started an institution - The Center for Cyber Safety and Education - to provide further effective education on how to comprehensively protect yourself online.

Here are some brief tips to help keep an eye on when you shouldn't disclose information online. Always ask "Can I dial this back? Do I need to provide this much information?"

  • Personally Identifiable Information (PII) can provide adversaries with methods to fake your identity
    • Birthdays. Social media companies love to collect them, and they're used for ID verification everywhere. Facebook doesn't need your exact birth date, and storing it there increases your risk. Avoid storing your full birth date whenever feasible.
    • Credit Card Numbers, Expiration Dates, CVVs
    • Any image of any ID card you own. Driver's license numbers are particularly popular.
    • Hometowns or birth locations are fun to socialize, but fit in this same category
    • Full Middle Name
    • "Mother's maiden name" and other names unlisted and typically used by financial institutions or security questions. Social media quizzes aggressively try to steal information like this!
    • Previous Employers
    • Home address / shipping address. These are typically used to validate credit card transactions, particularly large charges
  • Personal Health Information (PHI) is typically protected by HIPAA, with large exceptions for non-medical institutions. Don't share any of this information without full disclosure on how that information will be used!
    • Medical history, surgeries, etc.
    • Ancestry information

It's worth reiterating: your children are much more likely to be targeted as well. Here are some guidelines on how to protect them from discovering they have a mortgage and a compromised credit score in junior high.

This is the most important, but also the most difficult. We can use products or services to protect your identity and shore up any gaps.

Credit Locking / Credit Freezes

Now that we're done scaring you, the good news is that providing some basic level of protection against identity theft isn't particularly hard. Crime does pay, and the most effective way to terminate the pattern is to pursue every avenue to prevent new credit being opened with your identity. Most banks, utilities and other services won't open a credit account without a credit report, so the most effective method of countering compromise is to disallow any and all credit report attempts. The neat thing about this method is that it also blocks people who are providing legitimate services to you, who can be sneaky and execute reports without your consent, dinging your credit score in the process.

If you don't do anything else I suggest, do this. It's going to take 5-10 minutes to do all three. Here are the links to "freeze credit" (prevent credit reports from being executed with your information):

Note: You'll need to create a new account for each of these services! Don't lose this information!

Use a Password Manager

To quote Mel Brooks: "12345! That's amazing! I have the same combination on my luggage!" Cryptography isn't magic, and all the transport security and firewalls in the world can't protect you from weak identity material.

The most effective way (for the least effort) to de-risk yourself is to set up a password manager. We see some peripheral advantages outside of password storage like storing confidential documents, sharing passwords between family members, etc.

I'm not going to recommend a specific product here, because needs can vary quite a bit. Here are some typical requirements I keep in mind when evaluating a password manager:

  • How strict is its MFA? Can you disable SMS TOTP? Is a hardware security token like YubiKey supported?
  • Does it support a family plan?
  • What are its breach response plans?
  • How securely do they store their data?
  • Is it compatible with my devices?

Personally, I use 1Password for the YubiKey support and family plan support. It gives me peace of mind, and has a feature where all passwords are released to my family if I fail to log in for a month. Here are some others, in no particular order:

Using one is better than not - so all of these would be an improvement over nothing at all. I've used Dashlane and LastPass and dropped them in favor of 1Password.

Multi-Factor Authentication

Multi-factor authentication can be broken out into the following major categories:

  • Something you know: Passwords are an example of this "authentication factor". If a credential is publicly exposed (e.g. used on the Internet) it should be unique to that service to ensure that your banks don't get compromised if your Twitter password leaks
  • Something you have: The most common MFA tools fit in this category. YubiKeys are fantastic (if supported), and the following Time-based One-Time Password (TOTP) apps are good options. I don't personally have any strong preference other than AVOID SMS / TEXT MESSAGE MFA!
  • Something you are: Murky waters abound here, because you have to be completely fine with submitting your biometrics to a third party. I'm not keen on doing this, given its potential for misuse. Most consumer fingerprint scanners are "passable" at best, so I don't consider this a good standalone authentication factor.
  • Somewhere you are: Location-based services are usually somewhat iffy as well for private, non-enterprise, non-government use, as they aren't particularly accurate. If you're consuming a service like Gmail, the company should provide this for you.
  • Something you do: This is a real propeller-hat scientific factor. Capturing behavior patterns can reveal whether or not you're behaving normally. Again, this is mostly the responsibility of the group providing you a service.
    • There's a really low-tech way to provide this authentication factor in the real world - paying a security guard. They're good at this and don't need a Ph.D. to do it.

Identity Theft Protection

Now, it's time to bring out the heavy hitters. We don't always have the time to keep an eye on the entire internet, or to research recommendations to reduce our online footprint.

Leaning on the experts in identity theft protection services is the way to go. The industry is awash with good options, and the providers of these services aggressively drive costs down to make it affordable.

Full disclosure, I am employed by Allstate, who provides ID theft services. These recommendations are my own and not my employer's.

Here are some guidelines when evaluating ID Theft Protection services:

  • Do they have a family plan? Children's ID theft is on the rise, mostly because it's easy to predict SSNs given a birth location, easily available information like birth date and addresses, etc. You'd think creditors would avoid opening up a credit card in a newborn's name, but you'd be wrong. Add them to your ID theft protection, freeze their credit!
  • What services do they monitor? At a minimum, they should track your credit score without affecting it!
  • What insurance do they provide?
  • What guidance and periodic advice do they offer to customers and the public?
  • What recommendations do they make to improve your online presence?

I'd avoid the ones provided by the credit industries - the Equifax breach impacted my confidence, and nothing brought it back.

As an aside, if you've been a victim of any of the wave of breaches recently, you're probably eligible for free ID theft protection services from multiple companies. Use this as a way to shop around; if you like one, stick with it. If you don't find any you like, here are some popular ones:

Shop around! The worst thing you can do with your online presence is to do nothing, and there's a wide variety of good products to help you out. All of these services provide a trial; use it to evaluate if it's a good fit.

Conclusion

Society has passed the "age of innocence" with identity theft, and cybersecurity will need to become a routine for anyone living in it. Pandora's box has been opened, and criminals are not going to forget how easy and low-risk cybercrime is. Protecting yourself is a rabbit-hole where all effort is valuable - but you don't need to be a security expert to get the basics in place.

Saturday, August 6, 2022

NSX Data Center 4.0.0.1 is now available!

NSX 4 is now available, and it was a surprisingly sparse release in terms of new capabilities.

NSX 4.0 appears to be a "clean house" initiative, so while it's missing "whizz-bang" new data plane features it does address a variety of issues I am happy to say are now closed:

  • Numerous documented API deprecations. Normally this wouldn't be that big of a deal, but NSX 3.x dropped several experiments (NSX ALB front-end, for example) that stayed available throughout the release train
  • Deprecating host-based N-VDS
  • Deprecating KVM and older Linux support (RHEL 7.8, 8.0, 8.3). KVM's deprecation was announced early in 3.0, and the affected EOL dates for RHEL releases have already been exceeded. It is an odd choice for physical servers, though.
  • Lifecycle Management improvements (I can't test these until the next upgrade).
  • IPv6 Management Plane support. Unfortunately, VTEPs aren't part of this release, and vSphere is still behind the curve in terms of IPv6 support, limiting efficacy. It's unsurprising to see the Network teams be ahead of the Virtualization teams on network goals.
  • HSTS is implemented for the WebUI as well. New installs will need to run an override prior to installing a new certificate.
    • API endpoint to replace API certificate: /api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=""
    • API endpoint to replace cluster certificate: /api/v1/node/services/http?action=apply_certificate&certificate_id=

Let's review how a new deployment may differ from previous installations:

IPv6 options have now been added to the OVA:

When deploying new workloads with IPv6 support - it's important to have a plan to access those addresses. The best strategy for enterprises and home labs is roughly the same, but with different products. Make your DNS dual-stack, and enter AAAA (IPv6 host records) for each service that supports IPv4 and IPv6. Let your client services do it seamlessly and transparently. End users shouldn't have to care about IPv6 being used. Configuring DNS as-code from a source repository makes this migration easy.

The browser add-on IPvFoo can tell you if you're using native IPv4 or a fallback mode. It'll also tell you what IP addresses you're talking to for a given page to load, which is incredibly useful.

To access an IP address with IPv6 in a web browser, the notation is a little different:

{{protocol}}://[{{site}}]/

Example:

https://[2001:dead:beef::2]/
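
The bracket rule in the template above, as an added example that is not part of the original post: it wraps IPv6 literals in brackets when building a URL and shows how a standard parser misreads the unbracketed form. The function names and the certificate_id placeholder are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlencode, urlsplit


def host_for_url(host):
    """Return host as a URL authority needs it: IPv6 literals in [ ]."""
    bare = host.strip("[]")
    try:
        addr = ipaddress.ip_address(bare)
    except ValueError:
        return host  # not an IP literal, so a DNS name: use unchanged
    return f"[{addr.compressed}]" if addr.version == 6 else addr.compressed


def build_url(host, path="/", query=None, scheme="https", port=None):
    """Assemble scheme://host[:port]/path?query with correct bracketing."""
    authority = host_for_url(host)
    if port is not None:
        authority += f":{port}"
    url = f"{scheme}://{authority}{path}"
    return url + "?" + urlencode(query) if query else url


def parse_authority(url):
    """Return (hostname, port, ok) as a standard URL parser reads the URL."""
    parts = urlsplit(url)
    try:
        return parts.hostname, parts.port, True
    except ValueError:
        # Without brackets, everything after the first ':' is read as a port.
        return parts.hostname, None, False


if __name__ == "__main__":
    manager = "2001:dead:beef::2"  # sample address used in this post
    print(parse_authority(f"https://{manager}/"))  # unbracketed: misparsed
    print(parse_authority(build_url(manager)))     # bracketed: parsed
    print(build_url(manager, port=5480))           # VAMI port from this post
    # certificate_id value is a placeholder, not a real identifier
    print(build_url(manager, "/api/v1/cluster/api-certificate",
                    {"action": "set_cluster_certificate",
                     "certificate_id": "CERT-ID-PLACEHOLDER"}))
```
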

To fully leverage IPv6, you need to give vCenter the same treatment. VMware's documentation on it is here. I executed the change from the VAMI (https://vcenter:5480) under Networking using the supported wizard.

Note: This will incur brief downtime for vCenter, and interrupt services like VCHA! Execute a vCenter backup before executing this work!

And that's about it! We can see NSX Manager with an IPv6 address in the Appliance UI:

And, IPvFoo reports all IPv6 for the front-end:

NSX 4.0 was a mellow release by VMware standards - but according to the Semantic Versioning rules, breaking changes automatically increment a major version. The API deprecations justify the version increment on these terms.

Note: The most important parts (NSX Control Plane, VTEPs) are still to be completed.
