Teaching Cybersecurity to Our Kids Part 4 – Updates and 2FA
In the first 3 parts of this blog series about teaching cybersecurity to our next generation, our kids, we discussed ways to help school-age children raise their cybersecurity IQ, the basics of how to scrutinize email and maintain good email security, and how to implement good password practices. In this blog, we’ll cover the importance of software updates and two-factor authentication (2FA).
Picture this: It's Friday afternoon, you're sitting in your classroom anxiously waiting for the bell to ring. Time is passing so slowly that you can literally see the wall clock's second-hand bounce with every tick. The classroom is half empty. The lucky kids ... those with nice parents, are home "sick". That's because last night at the stroke of midnight, the mother of all video games was released. You watched the trailers for months, knowing how perfect your life would be when you could slip into that sweet frag-filled nirvana. They even delayed the release for a whole month, just to torture you. Finally that day arrives, and all you could do at lunch was watch your feed fill with posts reaffirming that the promise of total awesomeness had been fulfilled. You had the foresight to get the game downloading before you left for school, so it will be all teed up for you when you get home. The bell rings, you rush home, you drop your book bag, not sure or even caring whether you left the front door open. You power on TV and see the message 'Update Downloading 451 MB / 2.97 GB (2 Hours Left)'.
And that's how I found him. Standing there in a daze, staring at the progress bar, controller hanging from one limp arm. I wanted to hug him but couldn't stop from laughing.
Undeniable Truths About Updates:
- Updates appear at the most inopportune times.
- Updates will probably break things that were working just fine.
- Security updates are your friend.
- Gaming console vendors are the most heartless, evil people on earth for forcing mandatory updates (and some are massive).
A zero-day is an attack that exploits a vulnerability that is unknown to the public. It can remain secret for days, months, and often years until someone (usually a security researcher) discovers it. Creating a new zero-day that would, say, own your system with the click of a link, would fetch a nice sum on the dark web. A very skilled hacker needs to spend time studying a system or specific piece of software figuring out how it works (usually without source code), and then determine where it's vulnerable. Such expensive exploits will get used sparingly to limit the chance of their secret being discovered. So, the good news is that we "regular" people are highly unlikely to be hit with these unknown exploits.
Stay Patched My Friends
If we aren't likely to be hit with a zero-day, does that mean we are only likely to be hit with known exploits, those that already have fixes available? Yes. This is why we put up with the pain of updates. Keeping all our computers and devices patched in a timely manner is our best defense. Normally, Microsoft will distribute update patches on Patch Tuesdays, which likely land on your systems the following day or two. On the rare occasion they make an update available on a different day, update right away, those are likely very serious. Windows 10 systems will default to automatic updating, so unless you have a highly compelling reason to block automatic updates, let them proceed.
Challenge : We-boot Wednesday, a new Habit
I know you love to have 57 browser tabs open at any given moment, in addition to a few other active applications with in-progress, unsaved work. While Mac and Windows don't have the same mandatory 'update now' policy, automatic updates can hit unexpectedly. With Windows the updates by default will install during an inactive period, say overnight, which you will observe one morning a day or two after Patch Tuesday. You think about all of the unsaved data that you might have lost! We now know that updates are important, and we shouldn't wait too long to apply them. Therefore, we should develop a habit of making ourselves ready for those days. If you get in the habit of saving all your work and closing extraneous browser tabs every Wednesday afternoon, you will be ready for anything. It is usually simpler to have closed most apps than to be presented with recovery files or have streaming videos blast into audible play mode at your next login after the reboot.
Another Positive—Use Multifactor Everywhere
If there is something positive to say about kids spending their time playing video games on Steam, other than the fact that I just have to unplug the internet connection to get them to come out of their rooms, it is that they are already well-trained to use Two-Factor Authentication (2FA) for their online accounts. If you read the third installment in this blog series then so are you. That's pretty awesome!
Something you know, something you have, and something you are
That is the trifecta of authentication. Passwords or pin codes are what you know, a device or smart card is what you have, and ideally a biometric like a fingerprint verifies what you are.
- The problem with what you know is your limited memory and the guess-ability or discoverability of what you know.
- The problem with what you have is that it can be lost or stolen or copied.
- The problem with what you are is that it can’t be readily changed, so it can be vulnerable to replay attacks.
App, Not SMS
Your kids might not yet have a need for 2FA, depending on what types of websites they are using. When they start using their own Amazon or Facebook accounts, or anything tied to spending, that would be a good time to take them to the 'next level'.
SMS text is by far the easiest (but less secure) method to add 2FA (as we noted last article). Receive a code, enter it, boom good to go. Well, as far back as June of 2016, Wired reported the problems with using SMS for 2FA. Unfortunately many smaller banks continue to employ SMS texting for their second factor, when they should support any of several good 2FA apps like Authy, Microsoft Authenticator, and Google Authenticator.
I Lost My 2FA Device. Now What?
DO NOT USE 2FA WITHOUT HAVING MULTIPLE DEVICES ENROLLED
You always need a backup device. If you use your phone as your 2FA device, and it falls into Lake Superior while on vacation, you are now locked out of all accounts with 2FA enabled. It can often take days to recover, after dealing with customer support.
When my son's phone died, he lost his 2FA device, so he was unable to login to his Steam account. After contacting support, they removed the phone from his account, but slapped him with a 2-week trade ban as a safeguard against fraud. Apparently there is a whole virtual economy for games like Counterstrike, where they spend real money for things that don't exist (knife skin, hat, etc for their characters), and trade items for other virtual items. Whatever, apparently the absence of trading privileges was deeply felt for the two weeks.
Most authenticators allow you to use an application on your computer. If have $36 to spend, you could be as cool as Google, and buy a hardware 2FA key like Yubikey or Titan to use as your main or backup device.
Challenge : Start using 2FA for one Account
There's a good chance that you aren't using 2FA, so before you can pass on this Jewel of Knowledge to your offspring, lead by example and use it for a couple of weeks before having a child try it. Setup 2FA for a single account. - Devices: You will need a computer and a mobile device (phone or tablet). One is your main 2FA device, and the other is your backup. - 2FA App: Let's go with Authy. Install the app on your computer and mobile device. - Website: I recommend using an Amazon account. If your child does not have one yet, you can set them up with an account without needing a credit card. Add a small Amazon gift card and they have some credit they can use.
How To: Setup Amazon 2FA using Authy
Even Strong Authentication Can Be Defeated
Even with perfect authentication with the strongest available combination of factors, you are still vulnerable to man-in-the-middle (MITM) attacks.
- The attacker compromises your device, planting malware.
- The attacker waits for you to complete authentication to a valuable account.
- The attacker hijacks the session and redirects you to an error page.
- The attacker robs your account while you are attempting to re-login.
If you want to protect against MITM attacks, one way is to use an uncompromised device, duh, foiling Step 1 above. For the paranoid or for those with very high value accounts, this means dedicating a device to that high value account, only using it for those account logins. That’s not a perfect solution, the account website itself could be compromised, but it drastically reduces the chance that your device will become compromised (versus using a promiscuous device that surfs the world-wide web). An inexpensive Chrome box or tablet can be reserved for this purpose and has a much smaller attack surface than a normal PC or Mac.
If You Do Suspect an MITM Attack
If you do receive a login error message and you believe you entered your credentials correctly, that is a potential red flag. Immediately switch to an alternate device, get into your account, and check for unauthorized transactions in progress. Have your password manager change passwords. As a precaution, run a full scan of the first device to check for any irregularities. Your antivirus product should be able to do this, but even so I like to run an independent scan, as attackers will often compromise your endpoint security when they compromise your device. One handy backup AV scanner option is Norton Power Eraser, since it does not install (so you can keep it on a USB stick with your other emergency troubleshooting tools), nor does it conflict with any primary endpoint security. It has three different scan level options, one of which will perform a reboot to check for rootkits. I like to run all three scans in succession.
How To: Setup Amazon 2FA using Authy
1. Download Authy Mobile App
On your mobile device, open it's app store equivalent and search for 'Authy'. Below is how that looked on an iPhone. Download the free Authy app.
2. Amazon Settings
On your computer (Desktop or laptop), open your browser to amazon.com. On the top navigation bar, click on the button labeled 'Account & Lists'. If there is a 'Sign In' button present, you will need to do that first. At the top of the Accounts page, you will see several options. Click on the 'Login & security' button. You may be prompted to sign in again.
3. Advanced Settings
Now click on the Advanced Settings button at the bottom of the Login & security settings page.
4. Enroll New Device
On the Advanced Security Settings page, there is a section labeled 'Preferred method', with an 'Authenticator App' category. Click the 'Add new app' link. You will be presented with a screen like the following, with a QR code and instructions to open your authenticator app.
5. Scan Code With Authy App
Open up the mobile app and click on the 'Add Account' button. There should be an explanation and a blue 'Scan QR Code' button at the bottom. Press that button and point the mobile device at your computer screen. Follow the steps to complete the enrollment.
6. Your First 2FA
Let's give it a shot. On your computer, open your browser to Amazon.com. Sign out and then Sign in. Once you enter your password, you will be presented with a new screen. One that asks for a 'Two-Step Verification' code. This will take a bit of getting used to. Everytime you login you then have to pull out your phone open the Authy app, and enter the code. Alternatively, you can just have the Authy Desktop running (see next step) and use that instead. Either way, you can appreciate how hard this makes it for someone other than you to access your account. Make sure you complete the following steps... 2FA without multiple devices is a recipe for pain.
7. Install Desktop Authy App
On your computer, visit the Authy Download Page and select the MacOS or Windows Direct Download for your system. When finished downloading, select and run the installer from Downloads. Installation of the app is rather straight-forward.
8. Run the Authy Desktop App
When you run the Authy Desktop app for the first time, you will be prompted to login with username and password. You will then be prompted to authorize using your mobile device. Open the Authy app on your mobile device and you will see a dialog like the following. Once completed, your desktop app will populate with all of your accounts (currently only Amazon). Done! You have reached a new level of wizardry only reached by the savviest techies.