Tip for Creating Secure Passphrases

Need an easy way to create a strong passphrase with minimal effort or thought?

Here’s how:

  1. Roll 16 virtual dice at random.org
  2. Write down the numbers from the dice rolls in groups of 4.
  3. Match those numbers to EFF’s short word list.
  4. Add some capitals, numbers, and punctuation that makes sense to you.
  5. Presto, you have a new password.

It takes less than 30 seconds and it’s a great way to create a secure passphrase.

Why does this work?

Generally, people aren’t very good at coming up with passwords or passphrases. So the Electronic Frontier Foundation (EFF) has created wordlists that can be used to select passphrases using dice. You can read more about the science behind this and see more of their lists at their blog post “EFF’s New Wordlists for Random Passphrases”.

Since I generally don’t carry dice with me I just use Random.org’s dice roller and I bookmark the one that rolls 16 dice every time.
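To show the dice-to-word mapping and the entropy the five steps above actually buy, here is an added example (not from the original post or from EFF). It assumes the EFF short wordlist file layout of one "DDDD<TAB>word" line per entry; the five-entry wordlist embedded below is a constructed stand-in for the real 1296-word list, and `secrets.randbelow` stands in for the random.org roller.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 4       # the EFF short wordlist indexes each word by four dice
WORDS_PER_PHRASE = 4    # the post rolls 16 dice, i.e. four words
DICE_FACES = "123456"

# Constructed stand-in for the EFF short wordlist: same "DDDD<TAB>word" line
# layout as the real file, but only five invented entries (the real list has 1296).
SAMPLE_WORDLIST_TEXT = """\
1111\tapple
1112\tanvil
2345\tlemon
3456\tmossy
6666\tzonal
"""


def parse_wordlist(text):
    """Parse 'DDDD<TAB>word' lines into {dice_string: word}, rejecting bad indexes."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<dice> <word>', got {line!r}")
        key, word = parts
        if len(key) != DICE_PER_WORD or any(c not in DICE_FACES for c in key):
            raise ValueError(f"line {lineno}: bad dice index {key!r}")
        table[key] = word
    return table


def missing_keys(table):
    """Dice strings a complete four-dice list must contain but this table lacks."""
    every_key = ("".join(p) for p in itertools.product(DICE_FACES, repeat=DICE_PER_WORD))
    return sorted(k for k in every_key if k not in table)


def roll_dice(count, rng=secrets.randbelow):
    """Roll `count` dice with the OS CSPRNG (a local alternative to the random.org roller)."""
    return [rng(6) + 1 for _ in range(count)]


def dice_to_words(rolls, table):
    """Steps 2 and 3 of the post: group the rolls by four and look each group up."""
    if len(rolls) != DICE_PER_WORD * WORDS_PER_PHRASE:
        raise ValueError(f"expected {DICE_PER_WORD * WORDS_PER_PHRASE} rolls, got {len(rolls)}")
    words = []
    for i in range(0, len(rolls), DICE_PER_WORD):
        key = "".join(str(d) for d in rolls[i:i + DICE_PER_WORD])
        if key not in table:
            raise KeyError(f"dice {key} not in wordlist (is the list complete?)")
        words.append(table[key])
    return words


def entropy_bits(list_size, words_per_phrase=WORDS_PER_PHRASE):
    """Entropy contributed by the random words alone. The capitals and punctuation
    added by hand in step 4 only add strength if they are themselves unpredictable,
    so they are deliberately not counted here."""
    return words_per_phrase * math.log2(list_size)


def make_passphrase(table, rolls=None):
    """Refuse to run on an incomplete list: a missing index would otherwise fail
    only on the unlucky roll that hits it."""
    missing = missing_keys(table)
    if missing:
        raise ValueError(f"wordlist incomplete: {len(missing)} dice indexes missing")
    if rolls is None:
        rolls = roll_dice(DICE_PER_WORD * WORDS_PER_PHRASE)
    return " ".join(dice_to_words(rolls, table))


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_WORDLIST_TEXT)
    demo_rolls = [1, 1, 1, 1, 2, 3, 4, 5, 3, 4, 5, 6, 6, 6, 6, 6]  # constructed rolls
    print(dice_to_words(demo_rolls, table))
    print(f"{entropy_bits(1296):.1f} bits for four words from a 1296-word list")
```

With the real file, `make_passphrase(parse_wordlist(open("eff_short_wordlist_1.txt").read()))` produces the same result as the five manual steps.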


PS: The best answer to passwords is still to use a password manager; I trust and recommend LastPass.

Heartbleed blah blah blah – What does it mean for me?


I’ve read a lot about Heartbleed lately but I don’t really understand it. What does it mean for my family?

A friend texted me this question yesterday and I’m going to do my best to answer this question in non-tech talk because I feel like the message to normal folk is getting lost in technical language and there are likely more friends and family wondering the same thing.


Heartbleed is a bug in the code that many sites use to secure websites. The webcomic xkcd actually did a great job of explaining it.

Heartbleed explained by XKCD

Heartbleed is going to affect you in 2 primary ways.

Lots of password changes

Every account you have with a website that used OpenSSL should be considered compromised and you need to go change your password. Thankfully many sites are sending out emails and publishing blog posts to notify their users. This password reset is to prevent any unauthorized access (folks other than you) from logging in to the site or app just in case your password might have been exposed using Heartbleed.

What sites are affected? Mashable has a very good list, but don’t go changing everything just yet. Websites really need to take two steps to fix the problem before you change the password (more on that in a bit). Without these changes the new password might be exposed. It’s akin to having your phone tapped and giving out your new number to anyone eavesdropping.

So how do you know a site is fixed and is ready for you to change your password? Well, there isn’t a single good answer. Check the website of the company, ask them via Twitter, do a bit of research. If you are a user of LastPass then they did their users a huge favor and added a feature to their security check to show every account saved in LastPass that may be affected, indicating whether it is now safe to change your password or not. Don’t you wish you used an incredible service like LastPass 🙂

Facebook, Pinterest, Tumblr, Soundcloud, Yahoo and most of the big sites are safe now, so you can change those passwords anytime. Some of the notable sites that aren’t secure as of this writing are Imgur, Instagram, and Flipboard.

Malicious Websites using a stolen “valid” certificate

Let’s start with an oversimplified explanation of Secure Websites.

When you log in to your bank, the little lock in your browser means that your bank bought a certificate from the web trusts and is using it to encrypt your data so other folks at the coffee shop don’t get a peek at your password. That security lock means 2 things: 1) you are really dealing with your bank and 2) information submitted through that webpage is secure and only visible to your bank. That is what SSL technology does in a nutshell. You can see that when that system is compromised it’s a big problem. Welcome to Heartbleed.

If you are familiar with phishing then you know that attackers will craft an email or website to look similar enough to your bank, Google, Yahoo etc… to fool you into typing in your username and password. If you fall for it then you’ve handed your account over to an attacker. This OpenSSL bug opens the door for attackers to not only impersonate a website, but now they might be able to steal that website’s certificate and make their forgery even more convincing.

I mentioned before that websites have 2 steps to secure themselves: 1) Apply the OpenSSL patch which fixes the bug, and 2) Get a new certificate and revoke the old one, which marks it as bad.

Once the old certificate is marked as bad, your web browser should flag that the certificate used on this website is no longer valid. The only catch? Chrome and Firefox don’t do this by default. Follow the instructions here to change those settings to check for revoked certificates in Chrome and Firefox.

Final thoughts

It’s difficult to predict the fallout of Heartbleed. It will be a learning process for both the security community and everyone involved, from certificate authorities to browser vendors.

TL;DR The best you can do is to change your passwords, use something complex and unique to that site (don’t reuse passwords, seriously— don’t) and make sure your web browser settings give you the most security and to keep your wits. If something looks off or strange don’t type in your password.

Further Security Tips

  1. Passwords: You can’t remember complex 22 character passwords. Use a password manager like LastPass. Stop using passwords and start using passphrases: 4 words, add punctuation. BlueElephantlovesYanni! is an incredible password and you can remember it.
  2. Enable 2-Factor Authentication: This is an extra step and uses your mobile phone as a 2nd form of authentication. Use it on Google, Apple, Yahoo, and many more. Start with this article Here’s Everywhere You Should Enable Two-Factor Authentication Right Now, I use the Authy App on my phone to keep track of all my 2-factor enabled accounts

Heartbleed and your web browser

There is a very nasty vulnerability known as Heartbleed that has been discovered within OpenSSL. While you may not be familiar with OpenSSL, you are familiar with the hundreds of thousands of sites that use it to protect your passwords and encrypt your data. It is estimated to be implemented on a third of all secured webservers and it is used by sites like Yahoo, Imgur, and many others.

The vulnerability allows an attacker to gain plaintext chunks of text in 64k segments. These segments have been proven to expose visitor cookies, user passwords, and perhaps most worrisome, the private keys of web server SSL certs. In layman’s terms that means I not only broke into your house but I changed the locks. (Infosec folks, please don’t take the analogy too far; I realize it is more akin to being able to spoof locks, but I digress.) Because of this potential key compromise, Yahoo and many other companies are going through the process of revoking and regenerating their SSL certificates.

Why should you care?

If an attacker has gained the private key of a certificate, they can then use that certificate to make themselves appear legitimate unless your web browser checks for certificate revocation. Neither Chrome nor Firefox does this by default (they should, and I’m hopeful they will).

You can manually enable this feature and I would suggest that you do so. It is not a cure-all nor foolproof, but the fallout from Heartbleed is going to be significant and honestly this feature should be enabled at all times.

How to change your browser settings:

Chrome – go to settings, click “Show Advanced” and find this setting

Firefox – settings, advanced, Validation, then check both boxes

IE – I believe these are on by default but to be sure, go to settings, advanced and find these settings

Further Reading

For further reading regarding Heartbleed:

Time to Patch Java

Java Patch Released

As you may have heard there is a significant security vulnerability in Java that is currently being exploited widely on the internet. This bug can be used to silently install keyloggers or other types of malicious software from compromised websites. Oracle has released a patch that you should install as soon as possible on all your computers and servers.

In addition, security researchers are recommending that you disable Java functionality in your web browser after installing the patch. This will help limit your exposure to bugs that will be exploited in the future.

You can download the patch here and then read below for instructions on how to disable Java in your web browser.

Chrome

  1. Click on the Chrome menu, and then select Settings.
  2. At the bottom of Settings window, click Show advanced settings
  3. Scroll down to the Privacy section and click on Content Settings.
  4. In the Content Settings panel, scroll down to the Plug-ins section.
  5. Under the Plug-ins section, click Disable individual plug-ins.
  6. In the Plugins panel, scroll to the Java section. Click Disable to disable the Java Plug-in.
  7. Close and restart the browser to enable the changes.

Note: Alternatively, you can access the Plug-ins settings by typing about:plugins in the browser address bar.

Firefox

  1. Click on the Firefox tab and then select Add-ons
  2. In the Add-ons Manager window, select Plugins
  3. Click Java (TM) Platform plugin to select it
  4. Click Disable (if the button displays Enable then Java is already disabled)

Safari

  1. Choose Safari Preferences
  2. Choose the Security option
  3. Deselect Enable Java
  4. Close Safari Preferences window

Internet Explorer

  1. Open Internet Explorer. (See Screenshots below for help)
  2. Type ALT + T to activate the Tools menu and choose Manage add-ons. Choose “All items” from the Show drop-down menu. Disable “Java Plug-in –version number–.” It is safe to simply disable all of the items that begin with Java, but be sure to get this one. Close Internet Explorer.
  3. Type WINDOWS + R and type regedit (approve UAC prompt if necessary). Browse to HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer and change (Default) to 0. 64-bit Windows users will need to change HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer to 0.
  4. Download this text file, open it and save as disablejava.reg, run it to disable Java completely in IE.


Many Thanks to Naked Security and Shashi.co for these instructions

Type “Alt+T” then “Alt+A” to open Manage Add-Ons

Show all addons

Select Java and choose disable

More Info

For further reading about this vulnerability I suggest:

Is your Multifunction Copier a Security Risk?

I consider myself to be fairly well informed on issues concerning data security and privacy and I found this to be absolutely astonishing. Could your multi-function copier be one of the most high value data targets in your organization?

I discovered this 2010 CBS News Investigative report this morning via my friend @pulrich. It’s quite disturbing.


Before I contribute to uninformed alarmism it should be noted that CBS made quite a splash with this investigative report and at least to a degree the industry has responded.

Several of the major MFP manufacturers have published security portals or papers that outline how they are addressing these issues.

What should you do?

ASK QUESTIONS

If you are a business with an MFP or considering an MFP, ask questions of your print services provider or account rep. Don’t let them try to dazzle you with standards; ask clear questions about automatic wiping or encryption and then ask for certification documentation.

If you are evaluating a new printer I’d suggest starting with this list of Common Criteria Certified Products, (Click on Multi-Function Devices)

HAVE A POLICY

Before you sell or end the lease of your current MFP have a procedure to wipe the Hard Drive and clear the NVRAM. If the MFP is end-of-life yank the data storage components and use a secure destruction service to dispose of them.


Tips to Secure and Customize your USB Flash Drive

No sexy headlines or social insights today just tweaking out our ubiquitous USB flash drives. I use mine on a near daily basis and here are the tips I use to make my drive more useful and more secure.

If you want to skip the work and get the goods, scroll to the bottom.

Customize the Drive Name and Icon

I like giving my USB drive a custom name so it’s readily identified then I throw in a custom icon to give some personalization.

Here’s how:

  1. Create a text file called “autorun.inf” and save it to the root of the flash drive.
  2. Edit the file to include these 3 lines of text:

[sourcecode language="text"]
[Autorun]
Icon=usb.ico
Label=CustomDriveName
[/sourcecode]

  3. Save a custom icon or image as a .ico file to the root of this drive as usb.ico
    1. Note you can also place the icon in a subfolder and use a structure like Icon=Subfolder\Images\usb.ico
    2. Make sure the image file is a .ico for it to show up correctly. Use IrfanView and you can save any image as a .ico

Put your drive to Work

There are lots of ways USB drives are used and it can be quite handy to have a few applications ready to run just by inserting the drive.

PortableApps.com is the starting point of this journey because they’ve built a full suite of tools and interface for managing apps and backups. Download and run PortableApps, just have it extract itself to a folder on your desktop and you can copy it on to the drive in a later step.

Once you are setup on the platform here are a few apps to get started with. (See the full list at PortableApps.com/apps)

  1. Firefox Portable – carry your favorite browser and have it sync using Firefox sync to automatically update your bookmarks and preferences. *Bonus tip: Add the Lastpass for Firefox addon to access your passwords and secure notes.
  2. Irfanview Portable – you might need to work with an image quickly
  3. Filezilla portable – Great portable FTP client
  4. AbiWord – Lightweight word processor that works with MS Word files
  5. Foxit PDF Reader – So you can open a PDF file without waiting an hour for Adobe to download and install
  6. VLC Media Player – Is a universal player so you can run almost any media file

PortableApps integrates lots of great tools and apps and you can implement most any program that doesn’t require install. Just look for a “portable” version and drop it in to the Apps directory. It will then find the executable and add a shortcut icon to the list. It’s easy.

Geek Note: PuTTY, 7zip, Sysinternals, SoftPerfect Network Scanner, are great apps to have in your USB toolkit. What would you add?

Improve the Chances that your lost Drive will be returned

The good folks over at Daily Cup of Tech created a little file that improves the chances that someone finding your drive will find out it’s lost. Most of us have done this by creating a text file that says “ReadMe” and we include contact info in the file. This takes it a step further.

Download their LostDrive.zip file and extract it. Delete the autorun file. Then edit the readme text file to say whatever and then if someone clicks the Help! program it gives them a popup window with your info displayed.

It’s easy to setup and just maybe an honest person will find your drive and then contact you. Can’t Hurt.

Secure your Flash Drive with Encryption

There might be files you don’t want to have just anyone be able to pickup and view. So we’ll create an encrypted pocket on the drive. If you are new to encryption stick with me here… This isn’t hard and it is worth learning.

Overview

From a 10,000 foot view, we are going to enable the TrueCrypt software to run from a USB drive, we’ll create an encrypted container on that drive, and then you can open that container from the flash drive itself. Very secure and quite handy.

Before you dig in go download the full version of Truecrypt. Create a couple of small encrypted drives on your computer to get the feel of creating, mounting and dismounting the drives.  You can do this and you’ll have this geek superpower in your pocket.

Install Truecrypt Portable:

  1. Open TrueCrypt, go to Tools, then “Traveler Drive”
  2. Point this to most any folder and click Create.
  3. Move the created TrueCrypt folder, with the new 4 files contained, into your PortableApps directory.
  4. That’s it you can now run TrueCrypt directly from your thumbdrive.

Create an encrypted volume on the USB Drive:

True Crypt has detailed beginners guide with screenshots and I usually recommend their guide as a starting point.

Here’s the short version:

  1. Click “Create Volume”
  2. Select the top radio button “Create an encrypted file container”
  3. Choose “Standard TrueCrypt Volume”
  4. Select a file, and browse to the USB folder. Type in a file name like IMG_546 (image files can be large and may not open, so this helps cloak its true nature)
  5. Take the Default Encryption options
  6. Choose how large your Encrypted Drive should be. This will vary depending on the size of your USB flash drive but 500Mb to 1Gb should be sufficient.
  7. Choose a long and complex password. Recommend 20+ characters. *Hint: Use a sentence with capitalization, punctuation, and spaces added. DO NOT FORGET THIS PASSWORD.
  8. Move your mouse in a random pattern a lot. Yes Really.
  9. Now you have a private encrypted briefcase for your files.

Now you just open TrueCrypt from your flash drive, click “Select File”, point to the file you used as your encrypted container, select the drive letter to mount the drive to and click Mount. Voila, a whole new drive appears on the computer that you can use like normal. When you’re finished just click “Dismount All”.


And now…

Skip the work and download all these tools at once.

Like all these tools but don’t have the time to set them up? I’ve done all the hard work for you. I’ve created a folder that is ready to drag and drop onto your drive and you have all these features ready to use.

What you get:

  • Portable Apps Platform installed including Firefox, Irfanview, VLC Media Player, Foxit PDF Reader, and AbiWord
  • Custom drive name and custom icon.
  • TrueCrypt is installed and ready to run directly from the USB drive
  • 1Gb Encrypted partition on the drive configured for use.

You can download the file for the price of a cup of coffee.

Defending the Internet and Yourself

I’m often asked, most usually by a friend or client that recently suffered a virus infection, why are computer viruses so rampant? Who is writing them and why?

This video is an excellent explanation to the driving forces behind the current state of computer viruses.

Mikko Hyppönen shares the story behind PC viruses


Make sure to watch through the 15-min mark and then think about your own defense and preparations.

4 Steps to Protect Yourself


  1. Backup – You will be infected, computers do break so backup your data. I prefer to use an online backup like Mozy or Crashplan and I also make a copy to an external Hard Drive.
  2. Keep your Antivirus Updated – Do not allow your antivirus subscription to lapse. Save some money and use an excellent free antivirus like Microsoft Security Essentials.
  3. Use a firewall – This is especially critical if you use a laptop on public wireless networks. The Windows firewall has improved but I suggest ZoneAlarm’s Free Firewall
  4. Apply Updates – This applies to your operating system, your applications, and your web browser.
    1. Windows Updates – Turn on automatic updates to receive the latest patches
    2. Applications – This is a bit more difficult but try a tool like Secunia PSI to scan and update vulnerable applications.
    3. Browser Updates – Your web browser uses little add-on plugins like Flash and Java and they are continually updated (and exploited), so check your add-ons with Mozilla’s Plugin Check; it works with any browser.

Yes this seems like a lot of trouble but a PC requires regular maintenance and the headache of being infected is much greater.

Finally, use common sense.

  • Don’t click links in spam. If an offer seems too good to be true it is.
  • Don’t click suspicious updates from Facebook and especially don’t authorize some app just because it asked you.
  • Did your friend send you a strange attachment? Ask them about it before opening.

Understanding Your Exposure in a Social World

Embracing social networking means your privacy is dead.

While some will bristle at this notion, I contend if you spend long enough using social platforms you will ultimately reveal some if not all of the following:

  • Where you work
  • Where you live
  • Who you hang out with

Yes, you can use privacy controls and moderate what you share but if your goal is truly connecting with others you’ll find this strategy is often unsustainable and always limiting.

Facebook and Twitter have allowed us to share our daily lives in very intimate ways and these communities reward authenticity and openness. The risk means we are putting a ton of our lives in the public spotlight.

CNN recently posted, The internet and the ‘end of privacy’, where they profiled my friend Louis Gray, @louisgray, and {gasp} published his phone number. For more read his followup and see the #endofprivacy tweetstream.

You might consider folks like Louis and me extreme cases, but it doesn’t diminish the fact that many of you are trending this direction.

Individual social networking is a risk vs. reward equation.

The more you open up = the more opportunities to connect = the more most anyone can learn about you.

I love social networking and I can’t begin to list the amazing people and opportunities it’s brought into my life, but I also understand my exposure. Heck, I joined Twitter to follow smart hackers and to this day I’m known by a pseudonym due to my initial notions of maintaining privacy.

What I discovered is that I liked the reward side of the equation and in the past 5 years I’ve done a complete 180, but I did it with full knowledge of how this data can be used.

You should be sharing from an informed perspective.

Be aware how all of this shared data can be used to profile you. I’m not an alarmist but there are bad folks in the world. Take your personal safety into consideration.

To give you an idea what digital profiling can produce watch this excellent presentation by @DaveMarcus, Director of McAfee Labs Security Research. He’s a hacker (on this blog that is a good word by the way) and he’s showing a roomful of hackers what he can learn with nothing more than twitter, geotagged tweets, and Foursquare checkins.

Hat tip to my man IronGeek for posting the video.

“The only privacy left is inside your head, and maybe that’s enough” – Jon Voight’s character in Enemy of the State

While you may not agree with the sentiment it isn’t far from being accurate.

Stuxnet hints at the future of cyberwarfare

The year is 2015 and you want to take over or destroy a country.

Let’s examine the options-

  • Launch a Nuclear Attack – Effective but has the drawback that retaliation will thrust all of mankind into obliteration.
  • Build a traditional Army – Expensive and time consuming

or…

Use cyber warfare to disrupt your enemy’s financial markets, disable their weapon systems, handicap their ability to provide electricity and water, wait 72 hours and show up with water pistols and take control.

This may seem like the start of a cheap sci-fi novel or tin foil hat conspiracy theory but this is the not-so-distant future of warfare.

CNET reported today, “Symantec researchers have figured out a key mystery to the Stuxnet worm code that strongly suggests it was designed to sabotage a uranium enrichment facility.”

If you aren’t familiar with Stuxnet, it is a nasty bit of code that made big waves in the security industry this past summer by targeting “specialized industrial control equipment”. Specialized as in nuclear facilities in Iran.

It doesn’t take a genius to do the math. Sophisticated code targeting Iranian nuclear assets = some nation’s cyberwar beta test.

The Truth is what the Computers say it is

Do you remember what happened to the U.S. stock market this past May during the flash crash? A single typo trade and the entire market bounced 20% in 15 minutes.

Would you be bothered by the fact that US Senate computers were compromised by Chinese hackers? (in 2009 no less).

Want a better glimpse of what this might look like? Take a look at what happened to Estonia in 2007.

World War 2.0–The botnet that took down Estonia

Literally in the middle of writing this post my friend @scepticgeek shared this article, “Cyber Experts Have Proof That China Has Hijacked U.S.-Based Internet Traffic”

For 18 minutes in April, China’s state-controlled telecommunications company hijacked 15 percent of the world’s Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. allies…

…In short, the Chinese could have carried out eavesdropping on unprotected communications — including emails and instant messaging — manipulated data passing through their country or decrypted messages, Dmitri Alperovitch, vice president of threat research at McAfee said.

18 minutes!! Holy Smokes.

Takeaway

I hesitated at even publishing this post because it isn’t my intention to scare you but to make you aware that our complete dependence on technology has some serious ramifications.

I wish I had some brilliant insight or light hearted conclusion but the fact is I hope the 3 letter agencies in Virginia and our allies are better at cyber security than they are at finding underwear bombers.

’Till next time, here’s your tin foil hat.

Responsible disclosure should apply to Social Media

A few days ago I discovered a site that I hoped would go mostly unnoticed, unfortunately I was wrong. Hutch Carpenter blogged about it and I decided to expand on my thoughts with this post.

The site is PleaseRobMe.com, @PleaseRobMe on Twitter, (not linked intentionally) and it got some attention by telling the world about people who were not home.  They analyze location aware social network data, mostly Foursquare checkins, and determine when a user is away from home. It’s not magic, if you tell the world you are at Starbucks you are obviously not at home.

UPDATE: It appears that Twitter has suspended @PleaseRobMe. Bravo Twitter

PRM is not an opt-in service, they are scanning the public data stream.

It’s stupid and wrong. Here’s why

The veil of Awareness

From their site,

“The goal of this website is to raise some awareness on this issue and have people think about how they use services like Foursquare, Brightkite, Google Buzz etc. Because all this site is, is a dressed up Twitter search page (link). Everybody can get this information.”

Darn near public servants right? Not hardly.

Yes it’s essential to educate people about the ramifications of the sharing information publicly and geo-social services make this conversation even more important. Are there reasons to be selective about where you check in or if you use the service at all?

Absolutely.

This past evening I had a discussion with a friend who has stopped using Foursquare/Gowalla because she is a single Mom and as she put it, “too many weirdos out there”. I couldn’t applaud her decision enough. She knows the risk, she chose to stop.

But playing the awareness card isn’t a do-what-you-please ticket. Plenty of sites and blogs are talking about social media, privacy, and security concerns and none of them are exposing users.

If you are aware of a problem and others aren’t then you just became responsible with what you do with that information. How we tell others is very important.

Responsible Disclosure in Web 2.0

In the Information Security community there is a practice called responsible disclosure.

In layman’s terms, if you find a security hole you make the effort to work with the vendor or manufacturer to resolve the issue prior to releasing it to the public. It’s simply a process of fixing the problem without putting people at risk.

It’s a concept the folks at PleaseRobMe should take to heart.

There are a 1000 ways to raise awareness and all of them are better than this.

It’s a publicity stunt with marks of juvenile and irresponsible behavior.