Many would consider me an Internet Old Timer. I used ‘The Internet’, then ARPAnet, back in the days when I worked as a Software Engineer for a US defense contractor. Securing communications and having confidence in message integrity, both in the identity of the sender and in the integrity of the content, have always been important, if not vital, to communications over the Internet. I was struck by this blog post in part because I have heard of Filippo’s work but most of all because I completely agree with his message.
Thoughts about an interesting article that appeared in today’s New York Times about the use of cellphone numbers.
It’s always interesting when a technology story makes the front page of the Sunday New York Times. On this day ‘Your Trusty Cellphone Number: 10-Digit Code to Trove of Secrets’ by Steve Lohr grabbed my interest from the lower left corner of the paper. Lohr writes an interesting and well researched article about the use of an individual’s cellphone number, which is effectively taking the place of another, more sensitive value (the social security number). Lohr also points out its importance in communications (as people move away from landlines) as well as its use as a numeric index.
The article references a second line service available for smart phones; a free application called Line 2. Computerworld’s Rick Broida wrote a good review of second line services in May of this year. That article features a comprehensive comparison chart that included services such as Google Voice, Sideline, and eVoice in addition to Line 2.
Over the past two weeks I’ve noticed that on my iMac 1Password and Chrome have not been playing nice together. When I try to use 1Password to fill in passwords in Chrome I’m seeing the message “code signature could not be verified” pop up. In typical 1Password fashion the message includes a link to the troubleshooting guide with steps that need to be taken to resolve the problem. I thought I ran this down two or three times. Was it my AV? Was it a needed login? Was it a needed update? It turns out the fix was incredibly simple. Chrome had gotten stuck on a version upgrade. Opening up Preferences from the Chrome menu, you need to look at the ‘About’ section. My instance was not up to date. The fix was easy; I just selected ‘Relaunch’ from that same menu. Problem solved.
It wasn’t just me. The folks at Wired have noticed that some web sites are not really very password manager friendly.
I travel fairly often. Lots of that travel is for work but I do get around on personal business and to get away. One of my go-to sites for travel is Hilton dot com. I’ve been a Hilton customer for a long time. I like their hotels. I think they treat me well wherever I go. This isn’t an advertisement for Hilton; your mileage (and accommodations) may vary.
When you sign in at the Hilton site you typically see a prompt for a user name and password along with a check box for ‘remember me’, where the site drops a site cookie to your browser. This window also has ‘forgot your sign in’ and ‘register for site’ dialogues.
The annoying thing is that Hilton has added a check to see if you are a robot. It seems like if the cookie isn’t found in your browser, the site will add a robot test to see if the session has a user attached. I found the test usually involves matching text to pictures. The annoying thing about the test is that if you often clear cookies (like many security researchers and I do) you’ll run into this robot check more often than the general public (many of whom unknowingly tolerate cookies).
If I use my password manager this test comes up after that software has filled in the username and password fields and submits that data; so my login fails. Once that fail happens I have to complete the form and the robot test manually and then submit.
It is mildly annoying but I’m still spending lots of time at Hilton properties.
After reading Thomas’ article on re-evaluating the safety of Mac OS X last week I finally managed to bring most of my Apple equipment up to date. I checked all the network devices and updated most of those. My Windows machines are all current. I do have that one Mac that won’t run a current OS. I read a great tips article over at Naked Security about bringing that as close to protected as possible.
While many folks enjoy the iPhone and all of the apps that are available for the device from iTunes or Apple’s App Store, there are people out there who want to do more. The only way to run software on your iPhone that isn’t available from iTunes is to run an operating system other than Apple’s iOS on the phone. The process of installing and running another operating system on an iPhone is known as ‘jailbreaking’ (see this great post at iphonehacks.com for more info).
Who does this? People who want to listen to music obtained from sources other than iTunes (DRM free). People who want to run apps that Apple has not approved. And then there are people who obtained their iPhone through other than normal commercial channels.
The downside to jailbreaking used to be that you had to trust whoever wrote the new operating system and whatever apps you wanted to run. That’s not Apple. If you jailbreak you can’t take your phone to the Apple Store for help or service. You also can’t use iTunes or the App Store to use iOS apps.
When you read about iPhone ‘hacks’ or attacks it is important to find out if they are against iOS or jailbroken devices. Often these hacks and even research (see touch logging) into how to attack iPhones are against jailbroken devices.
Five years ago I made a decision to move from PasswordSafe to AgileBits 1Password. As someone in the security field I’ve always tried to practice what I preach and using different passwords for different sites and cycling passwords (changing passwords every N months) is important. I looked at a number of different password management solutions. I enthusiastically moved to 1Password as it offered everything I was looking for. Early on I used a local database but after becoming comfortable with the product I moved to using a shared database stored at DropBox.
One of the other password managers I looked at was PasswordBox. PasswordBox offers an application that includes the capability to sync passwords back to ‘cloud’ storage at the developer’s site and is available for Mac, Windows, and mobile platforms. When I first looked at this my concern with PasswordBox was that there was no knowing how my passwords would be secured given the application’s storage model (i.e. stored where?). With 1Password storage is either local or at DropBox. The 1Password folks have been called out on encryption (Cult of Mac 2012, Lifehacker 2013, TraxArmstrong 2013) numerous times over the past years. I followed that controversy and think the AgileBits team handled it well, so I have no reservations recommending 1Password with DropBox.
Using any password manager, one of the harder problems seems to be keeping the browser plug-in alive. As Firefox has marched through release after release I’ve had to update the plug-in and recently had to uninstall / reinstall the plug-in after the 1Password major version change. That’s just one browser. I try to keep 1Password running in Firefox, Safari, and Chrome.
Something that I have been looking for as a feature of a password manager has been some way to do password escrow. That is, creating the means to pass on information in my password manager should something happen to me. The simple way of doing this is to give someone I trust the password to my password manager. The downside is that the act of giving that password information creates a potentially huge point of friction. You have to ask yourself ‘Will the person I gave that password to do the right thing at the right time?’. Giving someone the password also equates to giving them the keys to everything. You lose the capability to purge some information you don’t want to pass on. One way around that is the capability offered by an application such as Legacy Locker.
Legacy Locker and other apps like it (Perpetu) offer a service that passes on usernames and passwords that you select to some person or people that you designate in the event that you ‘in theory’ pass away or become permanently incapacitated. All of these offer some form of credential or service escrow capability. They solve a very difficult problem that is faced by virtually all Internet based service providers; how to allow someone other than the user who agreed to the terms of agreement and opened the account into an account.
My advice regarding password managers is that more people should use them. They are an important tool for maintaining one’s individual security on the Internet. In order to be truly useful across multiple devices a password manager needs to use some common storage point, and using Internet Cloud based storage works. The key to using Cloud based storage and keeping your passwords secure is making sure the manager supports strong encryption.
I read an excellent article by Nate Anderson in Ars Technica, “How the FBI found Miss Teen USA’s webcam spy”, about how they broke the recent Miss USA ‘sextortion’ case. It got me thinking about how many of my friends and colleagues become temporary IT support personnel at the end of the year trying to help their parents and loved ones through their various computer problems. While remote access tools are a tremendous help in solving these issues without having to travel to someone’s home, they do pose a risk. Even my wife’s favorite support tool, TeamViewer, has been targeted. By their design these tools are developed to sit and listen for an incoming connection. If you do use these tools make sure that you are using a non-trivial password or pass-phrase. Try to make sure that the tool doesn’t load upon startup and requires that someone find and execute the program before a remote connection can be created. If possible move the link to the utility out of the normal applications folder and into a sub folder so that it is that much harder to ‘accidentally’ launch.
Interesting journal article
Sometimes reading about security can get boring. How many times can you read about a particular vulnerability? How many times can you read about a particular tool? When news of a vulnerability breaks or a new tool is released, many of the news outlets and bloggers will jump on it. I was kind of bored and it was a Sunday morning and I happened upon this article (http://bit.ly/k2GHG8) written for CNN Money. You have to read the entire article to really understand the author’s point of view.