Security Corner » Security best practice

Twitter now has two-factor authentication

Ken Harthun — Sat, 25 May 2013 16:54:23 +0000

From SANS News Bites Vol. 15 No. 41:

Twitter has introduced two-factor authentication for account access.
Users who opt in to the feature provide Twitter with a mobile phone
number, and whenever they want to log in to their accounts, they will
be required to provide their regular passwords along with a verification
code which will be sent to the specified phone. The introduction of this
feature comes just weeks after several high-profile Twitter accounts
were compromised and misused.

It’s fairly straightforward to set this up on Twitter. Simply log into your account, go into settings, select Password and you’ll see this message at the top:

Click on the link and follow the instructions to set it up on your mobile phone. Once you do, there is a complete range of settings that allow you to customize text notifications. Do what you want with that. My main interest is in the two-factor authentication.

After you get the preliminaries completed, you’ll have to go into your Account menu and activate the option. Here’s what that looks like:

Once you do this, you should be good to go and Twitter will require a code every time you log in.

Sidenote: Twitter is now more secure than my bank which only asks for username and password. Go figure. But more on that in another post.

Same password for every site. Will they ever learn?

Ken Harthun — Tue, 30 Apr 2013 12:57:03 +0000

From Naked Security:

A study by Ofcom, the UK communications watchdog…, “Adults’ Media Use and Attitudes Report 2013″, [comprising] a poll of 1805 adults aged 16 and over discovered that 55% of them used the same password for most – if not all! – websites.

Unbelievable! Will they ever learn? It’s precisely this kind of thing that gives us Network Administrators nightmares, especially when these same people are given access to resources on our networks. Don’t they realize that if one site gets compromised, the hackers have access to all of them?

This is compounded by the types of passwords people tend use, i.e., easy-to-remember passwords such as birthdays, pet names, etc. The study found that 26% of the people polled do this.

If you are one of these people, or if you know someone who is, please see to it that the passwords get fixed as soon as possible.

Log out and shut down!

Ken Harthun — Mon, 29 Apr 2013 19:49:29 +0000

Are you one of those people who leave their computers logged into everything all the time? If not, then good for you, but I bet you know someone who does. It’s a bad idea. Even if you run with a limited user account, you’re at risk. An XKCD cartoon does a fine job of illustrating.

Log out of those sites and shut down your PC or laptop.

Are you personally prepared for disaster?

Ken Harthun — Wed, 27 Mar 2013 02:27:20 +0000

Doomsday Preppers is a popular (in some circles) American reality television series that airs on the National Geographic Channel. I’m not a prepper in the sense of that TV series, but I grew up with Scouting whose motto has always been — and will probably always be – “Be Prepared.” That motto has served me well in my life and has given me a sense of the need to always stay one step ahead of disaster in all meanings of the word. While we in the IT world don’t always phrase it that way, I think it is a motto that we always embrace, consciously or unconsciously.

I saw an interesting video last week that promotes the need to stock up on 37 foods that will sell out quickly during a crisis. I bought the book (actually a CD with PDF files) and started to read it tonight. In the preliminary chapters, the author discusses the need for a “bug out” kit and what that kit should contain. I’m not going to go into great detail here, but I am going to mention that all of your valuable documents should either be carried with you or available in electronic form so they are accessible no matter where you happen to find yourself. Examples of these are:

Passport
Social Security cards
Bank account information
Deeds to your property
Insurance policies
Medical records and prescriptions
Driver’s license

You should do your best to keep all of these documents in a portable fire-proof safe that you can take with you if you have to evacuate. But, you should also scan every single document and store those scans on both a portable storage device and do one or both of these things with them:

Email them to yourself at a cloud email service such as Gmail, Outlook.com, Yahoo, etc.
Save them to a cloud backup service or cloud storage such as SkyDrive, Dropbox, iCloud, etc.

You never want to be at the mercy of a single point of failure, especially in an emergency.

Doomsayers may be a bit over the top sometimes, but there’s no reason you can’t exercise good sense and “Be Prepared.”

How much of your spam contains malware?

Ken Harthun — Sun, 17 Mar 2013 22:27:39 +0000

I am in my second year of using MailRoute.net‘s excellent spam filtering service. I cannot recommend them enough. My main email account is so spam-free that I sometimes don’t even check the admin interface to see what MailRoute has been filtering for me. Today, I was curious to see just how much of the spam I receive contains malware. I was prepared to scan through the list of spam in the quarantine and perform my own analysis, but when I logged in and was presented with their new look, my quarantine had a tab named Virus. That made my job much easier.

My analysis showed that approximately three percent of my spam messages contained malware during the period of February 2 to date. That tracks with Kaspersky’s Securelist’s figures for January 2013:

January in figures

The percentage of spam in email traffic was down 7.7 percentage points compared with December and averaged 58.3%

The percentage of phishing emails halved compared with December, falling to 0.003%

In January, malicious files were found in 3% of all emails, a decrease of 0.15 percentage points

The biggest source of malware in my spam filter was the fake FedEx Tracking Service message, but I’ve seen a variety along the way.

Evernote hacked

Ken Harthun — Sun, 03 Mar 2013 13:46:50 +0000

Evernote, the popular note taking program whose goal is “to help the world remember everything, communicate effectively and get things done,” has had their website hacked and is forcing all users to reset their passwords:

Security Notice: Service-wide Password Reset

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

Good for them that they salt their password hashes and good for them for implementing a password change for all users. Others should follow this example.

Physical security: Implementing a card access system

Ken Harthun — Thu, 31 Jan 2013 02:31:10 +0000

At the college where I work, we just implemented a card access system. All staff, students and faculty are required to have badges that have inductive proximity devices attached to them. I opted for the self-adhesive tags shown here because I didn’t want to have to create 300 new photo badges. It was much simpler to have everyone file into my office and get the tag attached to their existing badge. The project took six weeks in planning including notifications to staff and students and a two-week grace period after installation of the scanners.

I was concerned that we would have major issues when I flipped the switch on January 28th. You just never know how these things will play out. I was pleasantly surprised, however. We had a few stragglers who didn’t get their chips and a few people who, for whatever reason never got an ID badge, but the process I put in place worked well and the system is now operational.

If you plan such a security system, here are a few things to consider:

Depending on the size of your organization, begin to notify your staff and/or students four to six weeks in advance of implementation
Send at least three notices of the impending lock down
Give yourself a sufficient window to make sure all card IDs are entered into the security software database.
During the pre-launch phase, explain the process to everyone and make it clear who to contact if there are problems.
Expect Murphy’s Law to manifest itself

I was pleasantly surprised how well our implementation went. Our receptionists handled missing chips and badges extremely well and though we experienced an increased workload in our department, there were no major upsets.

The most interesting problem we experienced was with a student who could not gain access even though he had a valid chip on his badge. The system kept saying “Invalid/unknown security ID.” When I investigated, I found an ID number that was not in our series of chips. I suspected a typo, but found that the student had an access card to his apartment complex that was the same type used by our system. He had all of his cards on the same lanyard and when he held up his student ID, his apartment complex ID was being read by our system instead.

Security is fun, isn’t it?

All your secret are belong to us

Ken Harthun — Wed, 30 Jan 2013 00:39:52 +0000

The eight-character password is dead. All possible combinations of 8 character Windows passwords can now be broken in six hours using some sophisticated, but readily available hardware. A paper from the Oslo password hacking conference gives details of how researcher Jeremi Gosney lashed together 25 AMD Radeon Graphics Processing Units (GPUs) into a specialized computing cluster and used it against NTLM password hashes. You’ll need twenty rack units of space in a server room and an industrial-style power supply delivering 7kW. It’ll cost you about $20,000 to build.

As you probably already know, “NTLM relies on one of the easiest-to-crack hashing systems still in widespread use: a straight, unsalted, uniterated MD4 hash of your password,” according to this Sophos Naked Security post.

Not that any savvy administrator permits NTLM hashes anymore, but 8 characters is simply not enough password length for these times. My shortest password used for critical systems is 10 characters and I’m going to be increasing that to at least 14 in short order.

I recommend you do the same.

Simple password tip to create unguessable passwords

Ken Harthun — Sun, 20 Jan 2013 17:08:39 +0000

Remember the Worst Passwords of 2012? Besides the advice I gave in my post about what you can do about that, here’s another tip: Use accented special language characters. This article: http://www.forlang.wsu.edu/help/keyboards.asp#unicode gives you plenty of choices. Let’s do my name in several variations (I don’t use these as passwords anywhere, in case you are wondering):

kenharthun
kénhårthun
KëÑharthuñ

Because of the key sequence necessary to enter these characters, no one is going to discover them. There is a caveat, however: The program or site may not allow these characters. I suggest you test it in depth.

This is also a password cloaking method if you are one of those people who write passwords in a book and keep it on your desk. Let’s say your password is I@mgreat. You could write that down with the sequence I064mgr101065t.

It’s not likely anyone is going to figure that out.

Who really needs anti-virus software?

Ken Harthun — Sat, 19 Jan 2013 16:17:45 +0000

Every list of best security practices contains an admonition to run anti-virus and/or anti-malware software. I have certainly been one to push such things over the years and have tested and recommended most of the popular contenders. But I got tired of the performance problems, the updates, the scans, the false positives and the generally intrusive nature of the stuff and opted to “run naked,” relying upon safe computing practices instead of a software overlord. I have no regrets and in four years have not had a single malware infection of any kind. I think that proves my point.

Can the average person get away with this? Probably not. But if one really understands the landscape of the internet and adheres to a few basic, common-sense security practices, chances are they’ll be safe. Here’s the configuration of my home system:

Windows XP, Service Pack 3 with Windows firewall enabled.
Linksys broadband wireless router with firewall features enabled and remote administration disabled.
WPA2 Personal with strong pass phrase for wireless access
Third-party spam filter on main email account (MailRoute.net)

Best practices I adhere to:

I do not click on any links in email, social media posts, etc. unless I examine exactly where it it taking me.
I do not download illegal copies of movies, music, books or anything else from torrents or P2P sites of any kind.
I test freeware apps in a sandbox before I allow them on my system.
I use super-strong passwords and manage them with LastPass.
I do not visit sites known to be harbors for malware.
When surfing in unknown territory, I disable all scripting.
My browser security settings are set to ask me before running any plugins.
I don’t use Adobe Reader, Flash must ask and Java is disabled.

What about you? Do you use AV software? What are your best practices. Hit the comments.