Tag Archives: security

A clever bit on passwords and phishing.

I listen to the podcast “Naked Security” from Sophos.com.

Today they had a(nother) great reason to start using a password manager.

Password managers

These are programs to manage your passwords. Yes, duh. But they do that in a clever way. They generate big, complex passwords that you can’t remember, like 3jGrkVvaVNJ$Kv*JRCZsg (note, you will be quizzed on this one later on haha).

You just remember 1 main password to unlock the password manager (and optionally a multi-factor code to open it), and the manager does the rest of the heavy lifting.

1Password unlock screen

This is one password manager, 1Password. Because that 1 password is all you remember.

1Password will set you back about $3 / month.

Bitwarden unlock screen

This is Bitwarden. Bitwarden is free and open source, and delivers a lot of good stuff. There is a paid option which will help you keep MFA tokens alive, that costs around €10 / year.

MFA

You probably know about MFA. Otherwise you should learn about it, fast. It is a second layer of login security. If someone has your password (which is something you know) and you have enabled the second login safety, there is no way a hacker can break into your account without that second factor, which usually is something you own. There are apps for that, like Google Authenticator, Okta Verify or Microsoft Authenticator. A good password manager can handle that as well. You go to a website, the password manager sees you have a login for that site, and it fills in the name and password, and also the MFA code for that site. No need to open another app on your phone and copy the numbers by hand.

Link recognition

Following up on that, as I said, a password manager sees that you have a login for a site.

Suppose you get a mail that sends you to https://your.very.trusted.bank.com. You’ve seen that link a gazillion times, so yep, you know it, you click it. The password manager will handle the login. But then there is no login filled out! What the fork?

The clever bit here is (check the bank link) that the link on the screen looks legit, but the actual link isn’t. The password manager doesn’t recognise the link and so it won’t help you log in. After all, this is a strange place and there might be dragons.
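An added example, not code from the post: a toy of the matching a password manager does before it offers to fill anything. Two checks sit side by side, a naive substring test on the host, which happily fills on a look-alike domain, and a strict one that requires the page's host to equal the stored host or to be a subdomain of it on a dot boundary. `link_mismatch` applies the same idea to the e-mail: the host named in the link text against the host the link really points to. The vault entries, the look-alike address and the function names are constructed; `strict_match` is my simplification of what real managers do (they match on the registered domain or the exact host, and the details differ per product).

```python
"""Why a password manager stays quiet on a look-alike site: host matching done
naively versus strictly. Toy code; vault contents and URLs are constructed."""
import re
from urllib.parse import urlsplit

# Constructed vault: each login remembers the site it belongs to.
VAULT = [
    {"site": "https://your.very.trusted.bank.com", "user": "alice"},
    {"site": "https://mail.example.org", "user": "alice@example.org"},
]

# Link text that looks like a host or URL (so it can be compared with the target).
HOST_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/:?#].*)?$", re.I)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if none). A bare host such as 'bank.com'
    has no scheme, so give it one before parsing."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def naive_match(stored_site: str, page_url: str) -> bool:
    """The wrong way: substring search. 'bank.com' is found inside
    'bank.com.something.example', so a look-alike host gets the login."""
    return host_of(stored_site) in host_of(page_url)


def strict_match(stored_site: str, page_url: str) -> bool:
    """Hosts must be identical, or the page host must be a subdomain of the
    stored host with a '.' boundary ('online.bank.com' yes, 'notbank.com' no)."""
    stored, page = host_of(stored_site), host_of(page_url)
    if not stored or not page:
        return False
    return page == stored or page.endswith("." + stored)


def autofill_candidates(vault, page_url: str, match=strict_match) -> list:
    """Usernames the manager would offer to fill on `page_url`."""
    return [entry["user"] for entry in vault if match(entry["site"], page_url)]


def link_mismatch(display_text: str, href: str) -> bool:
    """True when the link text names one host but the link's target is another.
    Text that carries no host ('click here') cannot be checked and yields False."""
    text = display_text.strip()
    if not HOST_LIKE.match(text):
        return False
    return host_of(text) != host_of(href)


if __name__ == "__main__":
    # Constructed phishing link: the text shows the bank, the target is elsewhere.
    shown = "https://your.very.trusted.bank.com"
    target = "https://your.very.trusted.bank.com.account-check.example/login"
    print("link text and target disagree:", link_mismatch(shown, target))
    print("naive manager would fill:", autofill_candidates(VAULT, target, naive_match))
    print("strict manager would fill:", autofill_candidates(VAULT, target))
```

The empty list from the strict check is exactly the "no login filled out" moment described above; the useful habit is to treat that silence as a signal and look at the address bar rather than typing the password in by hand.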

So….

Not yet convinced that a password manager is a good idea? In that case you wasted your time reading this.

If you feel this could be something, check out Bitwarden or 1Password.

No peeking; do you remember the password from up above?

Keeping your data safe in the cloud the cheap way

Security and safety of data. You may not be concerned about it. I am. Especially since I like Cloud solutions.

I have an account with a cloud provider called SpiderOak where your data are stored encrypted. Your computer first encrypts your stuff and then sends it to SpiderOak’s servers. They don’t have your key, so if you lose it and you lock yourself out of the client on your computer, you’re royally buggered up. They can’t help you. SpiderOak offers 2GB free, other accounts cost money ($100/year, $10/month for 100GB). See their site for other pricing options if you’re interested.

What if you can’t afford that but you have a huge Skydrive with Microsoft, or this enormous space on Google Drive? The answer: Truecrypt.

Truecrypt is a helper program that allows you to encrypt stuff. You can make it encrypt a file, a disk partition or even your entire computer. For this post I stick to the file.

When you start Truecrypt you have the options:

Truecrypt 1

Note that this is a shot from Linux; in Windows it looks nearly the same. To set up an encrypted file, you click ‘create volume’, enter the name of the file and follow the prompts (the entire procedure is laid out in their Beginner’s Tutorial, so I’m not copying all that here). When you have followed the wizard, you have created a new volume.

The next step is to mount the file (volume). The fun bit is that you can mount the Truecrypt file as a drive (e.g. /media/truecrypt in Linux, or a drive letter like M: or V: in Windows):

truecrypt 2

Via ‘select file’ you browse to your file (or you type in the name) and click Mount. Truecrypt asks you for the password you assigned to the file in the creation process, and if it matches, your file is mounted as a disk (mine is in Slot 1; Windows shows actual drive letters to assign it to instead of slots).

Stick your work in the new drive, unmount it and back up that file to Google Drive, Dropbox, MS Skydrive etc, provided you have ample space there. If you created a 4GB Truecrypt file and you try to store that to a 2GB dropbox account, you’ll get yelled at by Dropbox.

The file (your new drive) will be fully encrypted, no one can read it. I have read that the FBI spent months trying to hack a Truecrypted drive from the infamous Dotcom affair and gave up. If you need your file back, just download it from wherever, mount it and voila, there are your files. For your eyes only, and no one else’s. Again: lose the password and you’re buggered.

Warning:

Note that I don’t know if syncing a Truecrypt file “live” to Dropbox (e.g. you have the Truecrypt file INSIDE your Dropbox directory) works fine. I haven’t tried that.

I assume it will, as Truecrypt only has unencrypted data in memory and always writes encrypted data to disk. Dropbox then should move the update to the cloud, but understand that if you update e.g. a 1GB file (your drive), each update will cause the entire 1GB file to be Dropboxed, not just the 25 words you added to the file inside your Truecrypt-drive. For Truecrypt it’s a drive, for Dropbox it’s a big file. That is why I suggest copying the Truecrypt file to Dropbox when you’re done for the day or so.

Questions?

Dutch Ministry Proposes Powers for Police to Hack into Computers

Dutch Ministry Proposes Powers for Police to Hack into Computers, Install Spyware, Destroy Data

The Dutch Ministry of Justice and Security has proposed some rather over-the-line measures and wants to give the police powers that would allow them to break into computers and mobile phones in any part of the world.

According to the proposal [PDF] (in Dutch), dated October 15, the ministry has asked for powers that would allow police not only to break into computers, but also to install spyware, search for data in those computers and destroy data.

As explained by the digital rights group ‘Bits of Freedom’, which obtained a copy of the proposal, if the Dutch police get such powers the security of computer users would be lessened, and there would be a “perverse incentive to keep information security weak.”

Another take is that millions of computers would be less secure, as the government might not push companies to publish vulnerabilities on the one hand, and would not encourage the public to patch their systems on time on the other, because it might want to exploit those vulnerabilities for its own purposes.

As much as this law is bad for the people, it is more so for the Dutch government as “other governments would be very interested in using such a power against Dutch interests.”

(Original article at ParityNews.com)