Sunday, 26 August 2012

Added Security part 2


Mat Honan
Many have probably heard about the Mat Honan case by now. If not, you should read this story and this story. Those posts contain a lot of important information on what to do, and what not to do, when living in this online world. In brief, Mat Honan was hacked through social engineering of customer support, not by breaking any password: the attackers chained his accounts together, using details obtained from Amazon's customer service to pass Apple's support verification, the Apple ID to reset his Google password, and Google to take over his Twitter account. With access to all of Honan's important accounts (Amazon, Apple, Google and Twitter) they deleted most of his data by remotely wiping his iPhone, iPad and laptop through iCloud.


Password Security
The only practical way of using safe passwords for accounts online is to use a password management system. Personally I've gone with LastPass, and I have not regretted it. However, there are alternatives.


Millions of passwords have been lost lately due to poor security at major Internet companies. LinkedIn lost about 6.5 million password hashes (unsalted SHA-1, so many were cracked within days), Last.fm lost its passwords (read more about these two cases at this page), Gamigo lost 11 million passwords (read more), and Yahoo lost 400,000 passwords that were stored in plain text (read more). And the list does not stop there. The number of passwords that have become publicly available lately is massive, which has given attackers, and others, detailed knowledge of which passwords people actually use. For more on that, read this blog post.

To cut it short, rule number one of having a safe password is to use a long (preferably 20 to 30 characters) password generated by a password generating tool, like the one in LastPass. An example of a good password, generated by this tool, is:
vUa$L4tJ$*Ow^eRdOveBAweUFx#2RU
Please do not use passwords like "monkey", "love", "ninja" or whatever (lists of commonly used passwords can be found here, here and here).
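To make rule one concrete, here is an added example (my own code, not LastPass's generator) of what a generator has to get right, and of how to put a number on "long": the password is drawn from the operating system's CSPRNG via `secrets`, and its strength is the entropy log2(alphabet^length), which the block converts into an expected brute-force time. The symbol set and the guess rate are assumptions of the example.

```python
import math
import secrets
import string

# Character classes a generator like the one in LastPass draws from; the
# symbol set below is an assumption for this example.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a string of `length` symbols chosen uniformly at random
    from an alphabet of `alphabet_size` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 24, classes=ALL_CLASSES) -> str:
    """Generate a random password containing at least one character from every class.

    Uses `secrets` (the OS CSPRNG). Never use `random` for this: its Mersenne
    Twister state can be recovered from a few hundred observed outputs.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: retry until every class is present. This keeps the
        # result uniform over all policy-compliant passwords, which "pick one
        # from each class, then shuffle" does not.
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def classes_used(password: str, classes=ALL_CLASSES) -> tuple:
    """The character classes a password draws on."""
    return tuple(cls for cls in classes if any(ch in cls for ch in password))


def estimate_bits(password: str, classes=ALL_CLASSES) -> float:
    """Entropy of a generated password, assuming it was drawn uniformly from
    the classes it actually uses. Meaningless for human-chosen passwords."""
    alphabet_size = sum(len(cls) for cls in classes_used(password, classes))
    return entropy_bits(len(password), alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to brute-force a secret of `bits` entropy: half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    pw = generate_password(30)
    bits = estimate_bits(pw)
    print(pw, f"{bits:.0f} bits")
    # Compare with an 8-character lowercase password against an offline attack
    # on a fast hash at an assumed 10^9 guesses/s: ~37.6 bits, under two minutes.
    print(f"8 lowercase: {expected_crack_seconds(entropy_bits(8, 26), 1e9):.0f} s")
    print(f"generated:   {expected_crack_seconds(bits, 1e9):.3g} s")
```

Run as a script it prints a fresh 30-character password and the two crack-time estimates. The 30-character example from this page comes out at about 194 bits, which no brute-force attack reaches; the entropy figure only holds for generated passwords, because a human-chosen one is guessed from wordlists long before the keyspace matters.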

The password generator in LastPass

Rule number two is to never reuse the same password across different sites, because you cannot know how a site stores your passwords (many large sites have stored them in plain text) or what kind of security it has. One breached site then hands the attacker working credentials for every other site where you used the same password.

To follow rules one and two you need a password manager to help you out. If you use LastPass, secure the LastPass account itself properly: it is the one account you really do not want hacked, so read this post and this post. Enable two-factor authentication for LastPass and consider restricting logins to selected countries.

Using Google Authenticator is very wise.

Restricting logins from certain countries improves security.

LastPass Security Challenge
If you use LastPass, take the Security Challenge. It:

  • Analyzes the data you have stored in your LastPass Vault
  • Tells you how secure you are by giving you a score from 0 to 100
  • Tells you how you can increase your security
  • Compares your score against all other LastPass Security Challenge participants


The result of the challenge shows you how to improve your security online, for example by pointing out your weak passwords and the sites where you reuse the same password.
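The two checks that matter most in such a challenge, reuse (rule two) and well-known passwords, are easy to run yourself. The block below is an added example of my own, not the LastPass Security Challenge: it audits a constructed sample vault, reports reused passwords by a short fingerprint rather than printing them, and produces a 0 to 100 score. The penalty weights and the minimum length are this example's choices.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault for the demo (not real credentials). The long
# password is the generated example from this page.
SAMPLE_VAULT = [
    {"site": "mail.example", "username": "mh", "password": "monkey"},
    {"site": "shop.example", "username": "mh", "password": "Tr0ub4dor&3"},
    {"site": "bank.example", "username": "mh", "password": "Tr0ub4dor&3"},
    {"site": "social.example", "username": "mh", "password": "vUa$L4tJ$*Ow^eRdOveBAweUFx#2RU"},
]

# A tiny stand-in for the published lists of common passwords.
COMMON_PASSWORDS = {"123456", "password", "monkey", "love", "ninja", "qwerty", "letmein"}

# Penalty per finding; the weights are this example's choice, not LastPass's.
PENALTY_COMMON, PENALTY_REUSED, PENALTY_SHORT = 40, 25, 15
MIN_LENGTH = 16


def fingerprint(password: str) -> str:
    """Short hash so a report can refer to a password without printing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]


def audit(vault, common=COMMON_PASSWORDS, min_length=MIN_LENGTH) -> dict:
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])

    reused = {fingerprint(pw): sites for pw, sites in sites_by_password.items() if len(sites) > 1}
    common_sites = [e["site"] for e in vault if e["password"].lower() in common]
    short_sites = [e["site"] for e in vault if len(e["password"]) < min_length]

    total_penalty = 0
    for entry in vault:
        penalty = 0
        if entry["password"].lower() in common:
            penalty += PENALTY_COMMON
        if len(sites_by_password[entry["password"]]) > 1:
            penalty += PENALTY_REUSED
        if len(entry["password"]) < min_length:
            penalty += PENALTY_SHORT
        total_penalty += min(penalty, 100)

    score = round(100 - total_penalty / len(vault)) if vault else 100
    return {"score": score, "reused": reused, "common": common_sites, "short": short_sites}


def format_report(result: dict) -> str:
    lines = [f"Score: {result['score']}/100"]
    for fp, sites in result["reused"].items():
        lines.append(f"Password {fp}... reused on: {', '.join(sites)}")
    for site in result["common"]:
        lines.append(f"Common password on: {site}")
    for site in result["short"]:
        lines.append(f"Shorter than {MIN_LENGTH} characters on: {site}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_VAULT)))
```

On the sample vault the score is 66: one common password, one password shared between the shop and the bank, and three passwords under 16 characters. A real audit would replace the seven-entry set with one of the leaked lists linked above.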







Browser improvements
Browser Lock extension
If you run Chrome there is an extension you can use to secure yourself at the office. It locks down the browser so that others cannot mess with your open accounts. The extension is far from bulletproof, as it can be forcibly removed, but it can save you from a few pranks by co-workers. It is no substitute for locking the screen when you leave your desk. Check out the Browser Lock extension.




Securing Facebook
I'm very far from a huge fan of Facebook, but I do have an account and I want to keep it safe. The following tweaks will improve your Facebook account security; you should consider doing the same with your account.

Log into Facebook and choose "Account settings" > "Security", then:

Enable "Login Notification".

Enable "Login Approvals".

Possible to install code generator on your phone.

A more secure Facebook account.

List of recognised devices.



Tor Project
If you want to browse without revealing your IP address to the sites you visit, or your destinations to your local network and ISP, check out the Tor Project (wiki page, and Tor Browser - What is it, How Does it Work, and How Does it Relate to Using a VPN?). Combined with DNSCrypt (mentioned here) for the applications that do not go through Tor, your online activity becomes quite hard to track. Note that the Tor Browser already resolves names inside the Tor circuit, so DNSCrypt adds nothing to the Tor Browser's own traffic, and that an exit relay can read anything you send unencrypted, so keep using HTTPS over Tor.

Tor: The Onion Router

Information about Tor (about page):
Anonymity Online. Protect your privacy. Defend yourself against network surveillance and traffic analysis.


Inception
Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. Today, it is used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, and many others.

Overview
Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.
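To show what "onion routing" in those "virtual tunnels" actually does, here is an added simulation of my own (not Tor's code) of a three-hop circuit. It assumes one symmetric key per relay already shared with the client, where real Tor derives the keys per circuit with a Diffie-Hellman handshake, and it uses a toy HMAC-SHA256 keystream in place of Tor's AES-CTR so that it runs on the Python standard library alone; it also omits Tor's integrity checks and the TLS links between relays. The relay names, destination and payload are constructed.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, nonce || block counter).
    Stands in for Tor's AES-CTR; it is unauthenticated and for illustration only."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _keystream_xor(key, ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:])


def encode_layer(next_hop: str, inner: bytes) -> bytes:
    """One layer's plaintext: where to forward, and an opaque blob to forward."""
    hop = next_hop.encode("utf-8")
    return struct.pack(">H", len(hop)) + hop + inner


def decode_layer(plaintext: bytes):
    (n,) = struct.unpack(">H", plaintext[:2])
    return plaintext[2:2 + n].decode("utf-8"), plaintext[2 + n:]


def make_keys(route):
    """Assumption: one symmetric key per relay, already shared with the client.
    Real Tor derives these per circuit with a Diffie-Hellman handshake (ntor)."""
    return {name: os.urandom(32) for name in route}


def build_onion(keys, route, destination: str, payload: bytes) -> bytes:
    """Wrap from the inside out: the exit's layer is innermost, the guard's outermost."""
    cell = encrypt(keys[route[-1]], encode_layer(destination, payload))
    for i in range(len(route) - 2, -1, -1):
        cell = encrypt(keys[route[i]], encode_layer(route[i + 1], cell))
    return cell


def relay_peel(key: bytes, cell: bytes):
    """A relay removes exactly one layer; it learns the next hop and nothing else."""
    return decode_layer(decrypt(key, cell))


def simulate(keys, route, destination: str, payload: bytes):
    """Push the onion through the route; record what each relay could observe."""
    cell = build_onion(keys, route, destination, payload)
    observations, previous = [], "client"
    for name in route:
        next_hop, cell = relay_peel(keys[name], cell)
        observations.append({"relay": name, "from": previous, "to": next_hop,
                             "sees_payload": cell == payload})
        previous = name
    return observations, cell


if __name__ == "__main__":
    route = ["guard", "middle", "exit"]
    seen, delivered = simulate(make_keys(route), route, "example.test:443", b"GET / HTTP/1.1")
    for observation in seen:
        print(observation)
    print("delivered:", delivered)
```

The printed observations are the whole point: the guard sees the client but only the middle relay as next hop, the middle relay sees neither the client nor the destination, and only the exit sees the destination and the payload. That last line is also the caveat from the Tor section above: whatever the exit forwards in the clear, the exit can read, so the payload itself should be TLS.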


Super simple setup.

Connected in no time.

Surf anonymously using the Tor Browser (a bundled version of Firefox preconfigured to use Tor) to stay safe.

Appearance in log files.


Encryption
Duplicati was mentioned in my previous security post. Below is another highly regarded security tool for encryption worth mentioning.

TrueCrypt
TrueCrypt is a free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux.



Main Features:

  • Creates a virtual encrypted disk within a file and mounts it as a real disk. 
  • Encrypts an entire partition or storage device such as USB flash drive or hard drive.
  • Encrypts a partition or drive where Windows is installed (pre-boot authentication).
  • Encryption is automatic, real-time (on-the-fly) and transparent.
  • Parallelization and pipelining allow data to be read and written as fast as if the drive was not encrypted.
  • Encryption can be hardware-accelerated on modern processors.
  • Provides plausible deniability, in case an adversary forces you to reveal the password: hidden volume (steganography) and hidden operating system.






The Right Way
I'm summarising this security post with an interesting read about insane password restrictions. Do check out the article at defuse.ca, where you can read about "the right way to store passwords".

The important keywords are hashing and salting: never store the password itself, but the output of a slow hash function computed over the password and a random, per-user salt, so that two users with the same password get different hashes and an attacker cannot crack a whole leaked database with one precomputed table.
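As an added example of hashing and salting done right (my own code, not the defuse.ca article's), the block below stores passwords as PBKDF2-HMAC-SHA256 over a random 16-byte salt, keeps the parameters in the stored record so they can be raised later, and verifies with a constant-time comparison. For contrast it also shows the unsalted MD5 that many of the breached sites above used, and a check that makes the difference visible. The iteration count is this example's choice.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # raise over time; the cost to the attacker is the point
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (salt and hash in hex)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time
    so that timing does not leak how many leading bytes matched."""
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def unsalted_md5(password: str) -> str:
    """The wrong way, included for contrast: fast, and identical for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_groups(records) -> int:
    """Count stored values shared by more than one user. With an unsalted hash this
    is visible to anyone holding the database, and cracking one entry cracks the group."""
    counts = {}
    for record in records:
        counts[record] = counts.get(record, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


if __name__ == "__main__":
    # Constructed user passwords; three of them chose the same one.
    chosen = ["monkey", "monkey", "ninja", "monkey"]
    print("MD5 groups:   ", duplicate_groups([unsalted_md5(p) for p in chosen]))
    print("PBKDF2 groups:", duplicate_groups([hash_password(p) for p in chosen]))
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Run as a script it reports one duplicate group for the MD5 store and none for the salted store, then prints a record and a successful verification. When the time comes to raise the iteration count, the old records keep verifying because each one carries its own parameters, and can be re-hashed at the user's next login.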

