YubiKey Neo

Yubico, the maker of the YubiKey, introduced an NFC version at CES 2013. The YubiKey is a one-time password (OTP) dongle that adds strong two-factor authentication to any site or platform that supports it, and Yubico says all YubiKey versions follow security best practice. YubiKey works with password managers such as LastPass and PasswordSafe, and can also be integrated with VPNs and software tokens. The traditional YubiKey works on Windows, Linux and Mac and with browsers such as Chrome and Firefox. The new NFC version, the YubiKey NEO, is used by simply tapping the key on an NFC-enabled device.

The standard YubiKey is $25.00 and is available now. The YubiKey NEO, which supports both USB and NFC, is $50.00. At the time of writing there is a 7–9 week shipping delay on the YubiKey. If you are looking for a way to keep your accounts secure, you may want to look at the various Yubico products, including the new YubiKey NEO.

Identity Theft Made Easy

Viz Top Tip… Make identity theft easy by posting a picture of your credit card on Twitter or other social media.

Credit Card

(The airbrushing is mine)

Quite unbelievably, this young lady posted a picture of her new credit card on Twitter – “Ahhhhh my first credit card buzzing aint the word my friends” – and it was retweeted to me. I was tempted to DM her and ask for a picture of the back but that seemed churlish. Dumber than a box of hammers, if you ask me.

Miss Alex Mathewson, congratulations on acquiring your first credit card but you might want to check your new statement for some unexpected purchases.

Top 10 Worst Passwords of 2012


It’s sad that, even today, lists like this exist. Security continues to be a major issue for computer users around the world, thanks not only to malware and viruses but also to plain lack of understanding by many users. Weak passwords are perhaps the biggest problem, and they are behind many of the highest-profile hacks that make the news.

Recently the web site Techie Buzz put together the top passwords of 2012 using data from SplashData. The results weren’t pretty, with “password” once again topping the list alongside such favourites as “123456” and many more easily cracked passwords that nobody should seriously consider using.

You can view the list below, but if you have family or friends who are less sophisticated computer users then perhaps you should share this information with them. These are the first candidates tried in a basic dictionary attack, which can get into an account protected by one of them in minutes. If you are using anything on the list below, change it now. Add capital letters, numbers and symbols and, especially, more characters; note that merely capitalising a word from the list or sticking a digit on the end gains little, because those variations are the next things an attacker tries, so prefer length and unpredictability over a decorated dictionary word.

#   Password   Change from 2011
1   password   Unchanged
2   123456     Unchanged
3   12345678   Unchanged
4   abc123     Up 1
5   qwerty     Down 1
6   monkey     Unchanged
7   letmein    Up 1
8   dragon     Up 2
9   111111     Up 3
10  baseball   Up 1
11  iloveyou   Up 2
12  trustno1   Down 3
13  1234567    Down 6
14  sunshine   Up 1
15  master     Down 1
16  123123     Up 4
17  welcome    New
18  shadow     Up 1
19  ashley     Down 3
20  football   Up 5
21  jesus      New
22  michael    Up 2
23  ninja      New
24  mustang    New
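As an added example (not code from Techie Buzz or SplashData), here is a Python model of the dictionary attack described above, run against constructed salted SHA-256 password hashes. It goes a little beyond the text: besides trying each listed password as-is, it applies the cheap "mangling" rules a cracker applies first (capitalise, append a digit or symbol), which shows that "Password1" or "Monkey123" resists no better than the bare word; it also includes the check a sign-up form should run to refuse such passwords. The salts, user records, suffix list and the choice of SHA-256 are illustrative assumptions, not anything the article describes.

```python
import hashlib

# The SplashData/Techie Buzz list from the table above (24 entries as given).
TOP_PASSWORDS = [
    "password", "123456", "12345678", "abc123", "qwerty", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "1234567", "sunshine", "master", "123123", "welcome", "shadow",
    "ashley", "football", "jesus", "michael", "ninja", "mustang",
]

# Assumed mangling rules: the cheap transformations a cracker tries before anything else.
SUFFIXES = ("", "1", "12", "123", "!", "1!", "2012")


def mangle(word):
    """Yield the word and its common variants (capitalised, upper-case, digit/symbol suffix)."""
    bases = list(dict.fromkeys([word, word.capitalize(), word.upper()]))  # dedupe, keep order
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def hash_password(password, salt):
    """Salted SHA-256 (assumption for the demo; a real system should use bcrypt/scrypt/PBKDF2)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(records, wordlist):
    """records: {user: (salt, hexdigest)}. Returns {user: recovered_password} for every hit.

    The salt does not slow this down: it only defeats precomputed tables, so each guess is
    simply re-hashed with the stored salt.
    """
    cracked = {}
    for user, (salt, digest) in records.items():
        for word in wordlist:
            hit = next((c for c in mangle(word) if hash_password(c, salt) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def is_weak(password, wordlist=TOP_PASSWORDS):
    """Sign-up check: reject anything whose core (case-folded, trailing digits/symbols
    stripped) is on the list, since mangle() would recover it immediately."""
    lowered = password.lower()
    candidates = {lowered, lowered.rstrip("!@#$%^&*"), lowered.rstrip("0123456789!@#$%^&*")}
    return any(c in wordlist for c in candidates)


# Constructed sample records: users, salts and passwords are made up for the demo.
SAMPLE_RECORDS = {
    "alice": (b"s1", hash_password("Password1", b"s1")),
    "bob":   (b"s2", hash_password("letmein", b"s2")),
    "carol": (b"s3", hash_password("Monkey123", b"s3")),
    "dave":  (b"s4", hash_password("vault-Lantern-9-Quartz", b"s4")),  # not derived from the list
}

if __name__ == "__main__":
    for user, pw in dictionary_attack(SAMPLE_RECORDS, TOP_PASSWORDS).items():
        print(f"{user}: {pw}")
    print(is_weak("Password1"), is_weak("vault-Lantern-9-Quartz"))
```

Running it recovers alice, bob and carol in a fraction of a second and never touches dave, whose password is not a transformation of any list entry; a slow hash (bcrypt and friends) raises the per-guess cost but does not rescue a password that falls on the first few hundred guesses.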

Mozilla Pushes 16.0.1 Update for Firefox

Yesterday Mozilla took the unprecedented step of pulling a version of Firefox and warning those who had already installed it to stop using the browser. The move came after a rather bad security flaw was found that would allow a malicious site to determine which websites a user had visited and obtain access to the URL or its parameters.

The company quickly pushed a fix for the Android version of the browser, but took until today to issue a similar patch for the Windows version. Mozilla has now made Firefox 16.0.1 available for download, and those who have the browser installed should receive an automatic update on the next launch.

While it was perhaps a bit of an embarrassing escapade, the company did work fast to fix the issue. The flaw was less an actual security threat than a privacy concern, but it was still an issue that needed to be addressed quickly. You can head over to Mozilla to grab the update if you didn’t receive it automatically.

Lookout for Android Can Now Find your Phone Even When the Battery is Dead

Last week I told you that Lookout, the popular security app for Android, was teasing a big announcement for this week. Today the new update began rolling out to users, and it came with several new features, but the one getting the most attention is called “Signal Flare”, which lets users locate a lost phone even after the battery has died.

Signal Flare works by periodically recording the device’s location, so that if the battery dies, or a thief removes it, you still stand a better chance of locating the phone from its last recorded position. The company says it locates thousands of phones every day for its users, and that when the service fails, the battery is to blame in 30 percent of cases.

While Signal Flare is the hot item in version 3.0 of the app, it’s not the only improvement. Lookout also rolled out a new user interface, an “Activity Feed” that shows what is going on at a single glance from the app dashboard, and “Safe Dialer”, which protects against dialer-based attacks such as the one recently seen hitting the Galaxy S3.

For all of these improvements, Lookout remains a free app (there is a premium version as well). Version 3.0 is now live in the Google Play Store. If you already have the app installed then you have probably received the update on your device automatically.

NOTE: I should also, in fairness, note that Avast also produces a very good, and free, mobile security app.  Thanks to Milos over at Avast for pointing it out to me following my post last week.

Lookout for Android Has Something Big Planned

While the vast majority of Android users will probably never need to worry about malware on their smartphone, it never hurts to play it safe by installing something like Lookout. If you install apps from outside the Google Play Store this is especially important, and Lookout is perhaps the best option in this genre of mobile software. If you are already a Lookout user then you may have received a teaser in your email inbox today.

There wasn’t much, well actually any, information about what is coming. It was a simple announcement that stated “Only 7 more days. GET FIRED UP! We’re taking mobile security to the next level. Stay tuned!” Lookout already works as an anti-virus, lets you back up your data, scans each download, scans new files on your SD card and provides a phone locator service.

So, what could they possibly have in store? A couple of things come to mind, such as scanning the sites you visit in your mobile browser or perhaps scanning shortened URLs received in email and texts. While both of those would be handy, they don’t seem big enough to warrant a teaser like this. We’ll know for sure next week. In the meantime, if you would like to check out the app then head over to the Google Play Store, where it’s available for free.

Create a One Time Email Using Gli.ph

There is a good chance that you have read about Mat Honan, who was hacked by individuals using social engineering. One of the things Mat admitted was that he used the same email address for everything, which in terms of security was not a good idea. Are there times when you are buying something from someone, maybe on Craigslist or through a site you are not familiar with, and they ask for your email address? You are reluctant to give it to them, so perhaps you hand over what I call a junk email address, one you set up specifically for online merchants. That is what I do, and it works until you forget which address you gave them and wonder why your package never arrived, while an email saying the item is out of stock sits unread in your alternative mailbox. Wouldn’t it be nice to give out a disposable address, get the information you need, then delete that address and never hear from them again? That is one of the ideas behind Gli.ph.

The first thing you need to do is sign up for the Gli.ph service and install the app on your iPhone. If you are on Android you will have to use the mobile web app to create the cloaked email address. In the upper left-hand corner of the app or mobile web site you will see a figure that looks like a wizard; tap it. If you haven’t already done so, you will need to confirm your email address. At that point you will be given a cloaked email address. When you are ready to send someone an email, tap “send cloaked email”; there are fields for recipient, subject and message. To start with there is no way to add an attachment; you earn that right by getting five of your friends to join Gli.ph. Once you are done, hit send. The receiver sees only your cloaked address. Their reply goes first to the cloaked address and is then forwarded to your real address. This is where the real magic comes in: you can reply through your actual email client and address, and the recipient will still see only your cloaked address, because Gli.ph strips from the headers everything that gives away your real address. Once you are finished communicating with the person or site, simply delete the cloaked address; anything they send to it afterwards simply disappears. Gli.ph says it uses HMAC-SHA1 hashes and stores cloaked email addresses encrypted with AES-256, and that it does not store or read mail as it passes through: a message lives only in memory for the time it takes to relay it.
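Here is an added Python model of the relay mechanism just described. It is not Gli.ph’s code and says nothing about their internals: the shape of the cloaked address, the HMAC-SHA1 keyed reply handle, the short list of headers allowed through and the sample messages are all assumptions made for the demo. It shows the three behaviours the paragraph describes: mail to a cloak is forwarded to the real address, a reply sent from the real client goes out showing only the cloak with identifying headers removed, and mail to a deleted cloak is dropped.

```python
import hashlib
import hmac
import secrets
from email.message import EmailMessage


class CloakRelay:
    """Toy cloaked-address relay (assumption: not Gli.ph's design, only the behaviour described)."""

    # A relayed message is rebuilt from scratch, so only these headers can pass through;
    # Received, Return-Path, Sender, X-Mailer, Message-ID and the rest never reach the other side.
    SAFE_HEADERS = ("Subject", "In-Reply-To", "References")

    def __init__(self, domain, key):
        self.domain = domain
        self.key = key               # server-side HMAC key (assumption)
        self.aliases = {}            # cloaked address -> real address
        self.reply_handles = {}      # reply handle -> (cloaked address, outside party)

    def create_alias(self, real_address, label=None):
        """Issue a cloak; the label is random unless the caller fixes it (the demo does)."""
        cloak = f"{label or secrets.token_hex(6)}@{self.domain}"
        self.aliases[cloak] = real_address
        return cloak

    def delete_alias(self, cloak):
        self.aliases.pop(cloak, None)

    def _reply_handle(self, cloak, outsider):
        """Address the owner replies to. The HMAC-SHA1 tag ties it to one (cloak, outsider)
        pair, so an outsider cannot guess or forge a handle for a conversation not theirs."""
        tag = hmac.new(self.key, f"{cloak}|{outsider}".encode(), hashlib.sha1).hexdigest()[:20]
        handle = f"reply-{tag}@{self.domain}"
        self.reply_handles[handle] = (cloak, outsider)
        return handle

    def _rebuild(self, msg, sender, recipient):
        out = EmailMessage()
        out["From"], out["To"] = sender, recipient
        for name in self.SAFE_HEADERS:
            if msg[name] is not None:
                out[name] = msg[name]
        out.set_content(msg.get_content())  # body passes through; the relay keeps no copy
        return out

    def inbound(self, msg):
        """Outside party -> cloak. Forward to the owner, or drop silently if the cloak is gone."""
        real = self.aliases.get(msg["To"])
        if real is None:
            return None
        return self._rebuild(msg, self._reply_handle(msg["To"], msg["From"]), real)

    def outbound(self, msg):
        """Owner -> reply handle. Deliver to the outside party showing only the cloak."""
        pair = self.reply_handles.get(msg["To"])
        if pair is None:
            return None
        cloak, outsider = pair
        if self.aliases.get(cloak) != msg["From"]:   # only the cloak's owner may send as it
            return None
        return self._rebuild(msg, cloak, outsider)


def demo():
    """Constructed exchange with made-up addresses: a shop writes to the cloak, the owner
    replies from the real client, then deletes the cloak and the shop writes again."""
    relay = CloakRelay("cloak.example", b"server-side-secret")
    cloak = relay.create_alias("me@real.example", label="abc123")

    shop = EmailMessage()
    shop["From"], shop["To"], shop["Subject"] = "sales@shop.example", cloak, "Your order"
    shop.set_content("Sorry, the item is out of stock.")
    forwarded = relay.inbound(shop)

    reply = EmailMessage()
    reply["From"], reply["To"], reply["Subject"] = "me@real.example", forwarded["From"], "Re: Your order"
    reply["X-Mailer"] = "Thunderbird 16"   # would reveal the owner's client if passed through
    reply.set_content("Please cancel it.")
    sent = relay.outbound(reply)

    relay.delete_alias(cloak)
    dropped = relay.inbound(shop)
    return {"cloak": cloak, "forwarded": forwarded, "sent": sent, "dropped": dropped}


if __name__ == "__main__":
    result = demo()
    print(result["forwarded"])
    print(result["sent"])
    print("after delete:", result["dropped"])
```

The important design choice is that the relay never edits the original message; it constructs a new one and copies only an allow-list of headers, which is the robust way to "strip everything that gives away the real address" because any header nobody thought of is dropped by default. Note also that the owner check in `outbound` is what stops a third party who learns a reply handle from sending mail that appears to come from the cloak.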

Right now the biggest complaint I have against Gli.ph is that on Android you have to use the mobile web site to create a cloaked email address; on iOS you can do it directly in the application. Other than that I really like Gli.ph. There have been several times when I have been reluctant to give someone my real email address, and now I don’t have to.

Protecting Your Digital Assets

Mat Honan’s story (as covered by Todd in the latest podcast) showed me that the strongest password in the world is worth nothing if it can be reset by a straightforward social engineering attack. I’m sure Apple and Amazon will be looking hard at their policies and procedures, but for the individual there’s also much to learn from the episode.

i) Two-factor authentication. There’s no doubt that this is a good thing and I enabled it on my Gmail account last night. Turning it on is easy, but it’s a pain in the ass for the first few hours as you re-login to all your Google-based services. With several regularly used PCs, email clients and umpteen mobile devices, it takes a bit of time to get them all set up correctly. Touch wood, now that I’ve been through the re-login process, things are largely back to normal.

ii) Backup, backup, backup. For at least part of the story, Mat is entirely to blame: if there’s only one copy of any piece of data, it might as well not exist. Never mind hackers; theft, damage and accidental deletion make it all too easy to lose data, especially on mobile devices. Disk space is cheap, so even if you have just one PC, keep a working set of folders and a backup set, and also copy them regularly to a USB drive that you disconnect from the PC when not in use and preferably store somewhere else.

iii) It’s your data. Convenient as “the cloud” is, remember it’s your data and your responsibility to keep it safe. If you push information directly to the cloud, don’t forget to include it in your backup routine; Google has tools to download data from its services. Or don’t bother with someone else’s cloud and build your own, using a PogoPlug or similar.

iv) Download email using POP3. I use web-based Gmail and IMAP-enabled apps to manage my email, and if email is deleted from Gmail then, poof, it’s all gone. By also fetching mail with a POP3 client such as Thunderbird, you keep a copy on your PC as well.

v) Spread the load. Convenient as it might be to have all your eggs in one basket, either with Apple or Google, consider spreading your digital assets across different services, e.g. email on Gmail, work files on Dropbox, personal files on Box, photos on Flickr. If someone does compromise one of your accounts, not everything is lost in one go. But don’t use the same password across all the systems.

vi) Remote kill-switch. The ability to wipe mobile devices remotely is very handy if they are stolen, but there’s a risk that the kill-switch gets into the wrong hands, as in this case. The benefits probably outweigh the risks, since you are far more likely to lose your device than to be hacked, so it’s perhaps better to focus on minimising the fall-out from both physical loss and a remote wipe.

There’s certainly plenty of food for thought there, and even if you only take on one or two of the suggestions above you’ll make yourself much harder to attack while lessening the impact if it does happen.

Picture courtesy of Brian Ronald.

Nothing to Hide, Nothing to Fear?

“If you’ve nothing to hide then you’ve nothing to fear” is often trotted out in the debate around privacy and secrecy. Superficially it seems reasonable, but with even a modicum of critical thinking the adage becomes trite and flawed. However, even if you did believe that “nothing to hide, nothing to fear” was reasonable, the latest report from the UK’s Interception of Communications Commissioner, the 2011 Annual Report (PDF), ought to give food for thought.

The report covers the Regulation of Investigatory Powers Act (RIPA), which takes in the postal service, telephony and electronic communications, and can be used for both law enforcement and national security purposes. There are two distinct areas: the interception of communications, and the acquisition of communications data. Simplistically, the first is about directly listening in on a communication and the second is about who communicated with whom, when and where.

In 2011, the total number of lawful interception warrants for the UK was 2911, which seems quite reasonable given the UK’s population of 60-odd million. However, among the successful security operations we also find that the security and associated agencies made 42 mistakes (1.4%), usually through typographic errors. In all instances the error was discovered before the intercept took place, or else all the material associated with the intercept was destroyed.

Communications data requests cover information about communications (mainly subscriber data, service use data and traffic data) rather than the content of the communication itself. There were 494,078 communications data requests in 2011, an 11% decrease on the previous year. As you might guess, there were a few errors there too, with 895 mistakes reported. Although this is an error rate of only 0.18%, I’m sure it will be of little comfort to the two wholly innocent individuals who were arrested by the police because of these mistakes. Again, typographic errors in transcribing phone numbers or IP addresses were largely to blame, but of additional concern is that nearly 100 of the errors were identified by auditors and weren’t recognised at the time of the request.

If you think that because you’ve nothing to hide you’ve nothing to fear, think again. You’ve everything to fear from the transposed digit, the wrong post-code look-up and the minimum-wage flunky copying and pasting from the wrong records.

Probably not what you were worried about at all.

Formspring Had a Security Breach

Those of you who have a Formspring account might want to take a minute to go and check on it. Formspring announced today, July 10, 2012, that it has had a security breach and that some user passwords may have been accessed.

As a precaution they are asking all Formspring members to change their passwords now. The blog post announcing the breach also offers guidelines for creating a strong password.

I found out about this just a few minutes ago when Formspring sent me an ominous sounding email.

At first, I wasn’t sure if this email was legitimate, or if it was some sort of phishing scheme. So, I opened up a new window in my browser and attempted to log in to my Formspring account. The result wasn’t good.

Since I was getting nowhere, I decided to click the word “resend”, in the hopes that this would help me to recover my Formspring account. I rarely use it, but even so, I didn’t like the idea of it potentially being accessible by someone other than myself. It took a few tries, but I was, eventually, sent an email that gave me a link to click on so that I could reset my Formspring password.

I was able to click on the new link that I was sent. However, this did not enable me to achieve a desirable result.

Uh-oh! I ended up having Formspring resend another email, with a new link inside it. That one worked, and I was able to successfully access my Formspring account, and change the password to something completely different than what it was before the security breach. I figured it was worth it to send out this little “heads up” to other people out there who are using Formspring. Hopefully, after reading this, you won’t panic if Formspring sends you an email like the one it sent me.