I didn’t mention it in my previous post “Usable Browser Privacy & Security” but another Firefox plug-in I normally use is the popular online LastPass password manger. Well, the other day I noticed a new feature but hadn’t seen much discussion of it within the security community. Yes, I use LastPass and find it very useful in managing many of my passwords for low to medium value websites. I use roughly three different computers on most days and having to regularly sync a password archive across them is cumbersome so the online aspect of LastPass is a welcome solution.

Although I probably wouldn’t store high value passwords using an online service like this, LastPass provides an simple way to use different strong passwords for every site you need to authenticate to. It allows good password practices while keeping the web easy to use. For this reason I recommend it to many of my non-technical family and friends as a more transparent way for them to follow good password practices without too much of a usability hit.

The key to LastPass’s security is the master password a user creates for their archive. Of course it goes without saying that they need to choose a really strong password here. While the implementation details are somewhat complex … basically LastPass stores all passwords as an encrypted blob on their servers. Even LastPass supposedly can’t decrypt it since they never receive your master password. When a user logs in the browser plug-in downloads their blob and decrypts it on their local machine using the master password.

Although using a strong master password is a good first step, perhaps using multi-factor authentication is best used due to this authentication’s importance. That’s where LastPass comes in with several existing multi-factor options. In the past these factors included one-time passwords, grids, Sesame, Yubikey, smartcards, and fingerprints. All these options were great but none were industry heavyweights that could provide some type of de facto standard.

Well that all change about a week or so ago when LastPass announced support for Google Authenticator!

via LastPass.com

We’re happy to announce the inclusion of Google Authenticator as a new multifactor authentication option for LastPass. With the latest LastPass plugin and a supported mobile device, you can now use your phone in conjunction with your master password to generate a secure key that is needed to login to your account. Authenticator token support has been a hotly anticipated addition to LastPass, and we’re happy to make good on that obligation to our users.

Continued here.

So be sure to update LastPass’s plugin or application to the latest version to take advantage of this new feature. And if you have non-technical family and friends, you may want to suggest them trying it out as well. Although they may need help setting it up, it’s MUCH better than them using the same easy-to-guess password across all their sites.

#####

I know many of us in the security community don’t trust online password managers like LastPass. However with support for multi-factor authentication, does this update add enough of a mitigation for it to be trustworthy? Let us know in the comments below. Today’s post image is brought to you be LastPass.com.

There have been a few articles over the past week describing some general suggestions on protecting mobile devices. Coincidentally, I’ve been doing some research on advice we could provide “average” everyday iPhone users on this topic and these articles confirmed much of what I’ve found. Yeah, we could consider using one of the newfangled commercial MDM solutions but for Mom and her personal iPhone this probably isn’t an option.

Below you’ll find my favorite suggestions in priority order with some commentary. Note as with the original articles I’ve kept these suggestions high level as to not focus on any specific platform. That will be coming in a later post…

Configure to Lock Automatically & Require a Password to Unlock: I’m fairly paranoid so I configure it to lock after 5 minutes. And of course I use the password option versus a PIN. Some devices might not support passwords so you may unfortunately be stuck using a PIN. Pair this capability with a password/PIN-based failure auto-wipe feature and you should be good to go. Another great nugget of info encompassed in this suggestion is to set a PIN on your connected voicemail account to avoid being murdoched.

Regularly Back Up Your Data: This suggestion is especially important if you are using the password/PIN-based failure auto-wipe feature mentioned above. For most platforms just periodically syncing should take care of this for you. Be sure to also protect your backups as well … possibly encrypting them if your software supports that capability.

Accept All Mobile OS Patches: Whenever Apple, Google, or whoever puts out those patches, get them applied as soon as possible. It’s as simple as that…

Only Buy Apps from Recognized App Stores: Definitely a good starting point but I would also be cautious as malicious apps periodically do get through their vetting processes. If the app looks too good to be true … then it probably is. As with the OS, apply any app patches or updates as soon as possible.

Do Not Jailbreak Your Device: Yeah, you’ll loose out on doing a few cool things but for your average user I think using the built-in capabilities and sanctioned apps should be fine.

Monitor Bills for Irregular Charges: Although this isn’t directly something you do on or with the phone, this suggestion is the Mom-equivalent of reviewing those logs.

Some of the other tips that I thought were out of scope for this article included thinking twice about accepting app permissions (I don’t think most people even know what all the options are), employing security policies to protect employer-issued devices, being mindful of employees introducing personal devices into the office, and remembering that mobile devices are tiny handheld PCs (um … ok).

For additional details on each of these suggestions check out the following two articles.

• Smartphone and tablet security tips
• 5 Essential Mobile Security Tips

And don’t forget … I’ll be putting out a post soon specifically for iPhone users so be on the look out for that.

#####

So what do you think? Is the prioritization right given the “Mom” use case? Are there any other tips we should add? Also the post photo is by Which Mobile. See ya!

In a previous post I talked about one aspect of making sure URLs you visit are safe. While writing that post, I started thinking about what I do and would recommend to browse securely while still keeping the experience usable. Of course the “usable” requirement here means excluding efforts such using a separate computer or browser for sensitive activity or only browsing in a VM or LiveCD environment.

First off, my recommended browser of choice is Firefox … not because it’s necessarily the best browser out there but more based on the number of available add-ons … especially the security ones I suggest below. One thing to consider though is to try to keep the number of add-ons to a minimum. This not only helps Firefox start and run faster but it also minimizes the risk of getting p0wned by a vulnerable add-on. Anyway, the security add-ons I use in almost all of my Firefox installs include:

• NoScript: This add-on is always the first plugin I install. Most malicious websites require JavaScript in some form to infect their victims and taking NoScripts’ disabled-by-default approach goes a long way.
• HTTPS-Everywhere: Ever since FireSheep was released last year this add-on is a must-have. It forces your browser to always use HTTPS when visiting a number of popular websites. Of course better yet is to purchase a personal VPN or use your company’s if they allow.
• Adblock Plus: This add-on is a fairly new one I’ve added to the mix based on the proliferation of malicious ads. Since most content on the web is free and ad supported, I almost hate to use it … but I value online safety more.
• Google (SSL) Search Engine: This nice search engine add-on forces you browser to use Google’s encrypted search engine when using the built-in browser search bar. I use it just in case HTTPS-Everywhere misses requests sent from this field rather than a web page.

Over the years I’ve tried many other security plugins but these are the ones I always come back to from a usability perspective. And of course be sure to add some quick bookmarks to UnmaskURL, URLVoid, and VirusTotal as these services provide additional ways to research potential malicious websites.

Now from a usable privacy perspective I usually head on over to Firefox’s Privacy preferences area and uncheck “Automatically start Firefox in a private browsing session.” Make sure all the other sub-options are checked except for “Accept third-party cookies.” Under the “Settings” button associated with “Clear history when Firefox closes,” verify everything is checked.

One of the usability consequences of locking your browser down is that you may loose your open tabs and/or sessions if your browser crashes or is running slow and you want to restart. This could be a problem if you’re like me and keep tabs open as placeholders for pages you want to look at later. To make sure Firefox gives you the option to save your tabs, verify the following preferences.

• General: Select “Show my home page” from the Startup drop-down.
• Tabs: Ensure “Warn me when closing multiple tabs” is checked.
• Privacy: Under the “Settings” button associated with “Clear history when Firefox closes,” uncheck “Browsing History.”

Unchecking “Browser History” does create a risk that some sensitive information could be carried over between sessions indefinitely. On the main Privacy tab changing “Remember my browsing history for at least” to 0 days helps mitigate this concern since any history storage would expire in less than a day.

Now if the browser crashes with 30 or so tabs opened, you at least get all your tabs back however your active sessions were probably lost. And if your browser is running slow and you want to restart, simply go to Preferences -> Privacy and uncheck “Clear history when Firefox closes.” Then close the browser and select the option to save your tabs. Now everything from your prior session should mostly reappear as you left it. Just be sure to go back in and recheck “Clear history when Firefox closes.”

#####

Do you like some of the plugins I mentioned above? Do you know that many of these plugin authors don’t make a dime off of their work? If you use any of these plugins on a regular basis, please consider heading over to their site and donating a few bucks. This kind donation helps ensure that these valuable tools remain free and up to date for the community to enjoy. See ya!

Yeah, you read the title right. It’s based on an article I read the other day titled “Scrub Your PC Clean: Remove Malware in 4 Easy Steps” on Gizmodo. The article mostly focused on Windows-based malware caught through web browsing. I’d also say it was probably more than four steps – yeah maybe four major steps … but then each of the major steps have like eight minor steps. And even if you follow everything they recommended, it won’t guarantee a clean machine. But I understood what they’re trying to say based on their target audience, who probably aren’t as paranoid as most of us.

The Internet contains plenty of other articles, mailing lists, and forums dedicated to this very topic but I think trying to carve malware out from a system is often too time consuming and in most cases impossible. The only sure fire way to guarantee you have a clean machine is to reinstall the OS or reimage to a known good baseline.

For those of us that are paranoid, here are the four steps I recommend YOU need to know when restarting from scratch.

• Copy Needed Data to Secure Device: By “secure device” I usually recommend a write-once data DVD. This limits what files can do on subsequent systems assuming you’ve temporarily disabled autorun or autoplay. Alternatives could include thumb drives with a read-only switch or external drives mounted only for data access.
• Wipe the System’s Drive: Use whatever the appropriate command is for your system. Although not its intended purpose, I also like using DBAN just in case a normal wipe leaves any traces of the old OS (and possibly a piece of malware) behind.
• Reinstall OS & Applications: Next, start the long and arduous process of reinstalling your OS and any applications you use. Alternatively if you have a baseline image, you can simply reimage to that baseline here as well.
• Copy Data Back onto New System: Be sure to disable any autorun or autoplay features. Windows makes this setup quite complex but on Macs all settings are under System Preferences > CDs  & DVDs. Next, insert your data DVD and manually scan it for malicious files. Finally, copy all clean data back onto your system.

Beyond getting rid of malware, starting from scratch offers several other benefits as well. Some of these advantages include:

• Forcing you to do some general data housekeeping,
• Helping you remove applications you know longer use, and
• Clearing out all the OS gunk that’s been accumulating over the years.

Advanced malware on an infected machine is a very tricky beast to conquer. Rein these infestations in using a not-so-easy four step process to start from scratch. Additionally, periodically restarting like this can help keep your system running healthy.

I’m a big fan of the Dailydave email list … always great discussions going on over there. Well, this afternoon I received my monthly “mailing list memberships reminder” from their Mailman service and I had my usual reaction.

Why the f$#@ are they emailing my password?

For being a security-focused group it would seem that they are not practicing what they preach. I’ve noticed this reminder many times in the past but for once I had some time to investigate getting this turned off.

Mailman has been THE application that most security groups use to communicate. Although now a lot of organizations seem to be migrating to Google Groups, giving up data privacy for convenience. Regardless, it is still the most dominate player for the groups I participate in. For those who aren’t familiar with Mailman, their website states that it…

… is free software for managing electronic mail discussion and e-newsletter lists. Mailman is integrated with the web, making it easy for users to manage their accounts and for list owners to administer their lists. Mailman supports built-in archiving, automatic bounce processing, content filtering, digest delivery, spam filters, and more.

After doing a little research and searching around I found that there is actually a user option to disable this “feature” (enter me doing the Jean-Luc Picard “hand to face” move). From the email reminder you just received click the link to the management interface, enter the password they sent you in clear text, and log on. Scroll down a bit and look for the following option text.

Change this option from the default of Yes to No. If you are signed up for more than one list on the that server, select the “Set globally” option as well. Then just hit the “Submit My Changes” button below and you should be all set.

Now, I never remember setting this option to Yes so I’m assuming this is the default setting. Sure enough after searching around I came across the following server option from the Mailman admin manual [PDF], which states that email reminders (with passwords) is enabled by default.

Aaaah once again … convenience wins out over security when it comes to default options.

So now what? Well if you subscribe to any Mailman-based lists, please log in and make sure this option is disabled if you haven’t done so already. Also if you are someone that manages a Mailman installation, please log into your server and consider configuring “send_reminders” to be disabled by default.

#####

Regardless of this one weak default setting, Mailman is still a great piece of open source software and I encourage everyone to head on over to their website and donate so we can continue to enjoy it. See ya!

You know … periodically you get an email or tweet with a link in it. Doesn’t happen that often, right? Should you click on the link or not? Of course we all know to copy the URL from the source, paste it into the address bar directly, and look for a seal like the one to the right. But is that enough? Or is it too late at this point? Today, even many legitimate sites are being compromised and distributing malware … and they don’t even know it. We need something that potentially detects malware BEFORE visiting the site.

Then last Friday I came across an article on CNET titled “How to check if a Web site is safe” that seemed to address this problem. In it the author mentions several great services (e.g., Unmasked Parasites) as well as accompanying browser add-ons (both independent and those that come in security suites) and application installs (e.g., AVG LinkScanner). He additionally mentions that most modern browsers have web site checking built in as well as a few tools for Android (Mobilation Android & Lookout Mobile Security).

I’ve been meaning to write something up like this for a while now and so this article gave me the motivation to push forward. Where the CNET article seemed to be targeted for general web users with several OS or browser integrated services, my goal is to target infosec pros that want both breadth of service coverage as well as depth in detail. Hopefully, this post will give you the additional details you need to perform a bit more research for our curious minds.

1. Expand Shortened URLs and/or Check for Redirects Using UnmaskURL.com: For whatever reason the meta-scanning sites mentioned below do not effectively expand shortened links or take into account safe-looking sites that may redirect to potentially malicious ones. That’s were UnmaskURL comes in. Sure, you could learn all the extra ways of previewing URLs from the different shorteners (e.g., appending “+” to bit.ly addresses) but UnmaskURL does it all for you in one shot. It unshrinks URLs (even nested ones) as well as traverses redirections. Also be sure to check out the links at the top of this website. They offer several other tools that allow more detailed analysis, including encoding/decoding base 64 (unmaskBase64.com) and grabbing the raw HTML of a webpage without rendering it (unmaskContent.com).
2. Scan Ultimate Domain with URLVoid.com: This service scans the entered domain or sub-domain with 18 malware website detection services (e.g., Google Diagnostic, hpHosts, Norton SafeWeb, and TrendMicro Web Reputation). After each scan it conveniently allows you to drill down further by automatically submitting the URL to any of the services individually to get more details or several other analysis sites (e.g., VScan that scans it with multiple AV engines). URLVoid also offers IPVoid.com that does the same thing but just by IP instead of domain, URL Dump that mimics unmaskContent, and Extract URL that performs limited unshortening.
3. Perform Backup Scan with VirusTotal.com: Known in the security community for being able to upload files to be scanned with 40 or so antivirus engines, they also offer a site scanning capability that inspects URLs with 16 website malware services. I generally use this site as a backup for verification. Check out http://bit.ly/nScS8W for a direct link to their site scanner.

Now there are plenty of other ways to do this… What do you use to check if a website is safe to visit BEFORE actually going there? Let us know in the comments below.

Last week the SecTechno Information Security Blog brought to my addition some new home security guidelines in their article “NSA Presents ‘Best Practices for Keeping Your Home Network Secure’“. If you are an infosec pro, there’s nothing new here however it is a great little eight page reference on what home users should consider security-wise. It covers host-based recommendations for Windows and several Apple products, network recommendations, operational security/internet behavior recommendations, and enhanced protected recommendations.

The only provision is that I wouldn’t advise passing this along to your non-technical friends and family. Although the NSA’s recommendations cover a wide range of areas, it does not cover how to configure their best practices or suggest products in most cases. Given that they are writing a mostly technically-neutral guide I understand why; however, a typical home user wouldn’t even know where to start by themselves.

You can find the full guide here (PDF) but I’d like to make a few comments on some of their suggestions. In honor of Mothers’ Day I am viewing this in terms of how my Mom would view these suggestions.

Host-Based Recommendations

Network Recommendations

Get ready to become Mr. Helpdesk on all of these recommendations… I won’t go into too much detail here since my basic recommendation for all these is to do it for Mom instead of letting her try. These recommendations include making sure you have a secure 1. Home Network Design, 2. Implementing WPA2 at a minimum if you use a Wireless Network; 3. Limiting router Administration to the Internal Network, 4. Implementing an Alternate DNS Provider; and 5. Implementing Strong Passwords on all Network Devices. My only suggestion here is to use OpenDNS as an alternative DNS provider.

#####

Well, I think this post is long enough for now. Be on the lookout for our follow-on post that covers NSA’s operational security/internet behavior and enhanced protected recommendations. Again, Happy Mother’s Day… See ya!

A few weeks back I noticed a great little CSI newsletter being passed around the office that provided links to three great guides on how to lock down your profiles on MySpace, FaceBook, and LinkedIn. As a paranoid security person I’ve severely restricted my activities on these sites but have always yearned after the possible networking opportunities. Using these guides you can somewhat minimize the risks associated with putting your personal information online. I haven’t tried any of the suggestions yet but I’m guessing that if you implement them all, it probably makes the service a lot less usable. Such is the tradeoff between security and usability… When skimming the guides I was shocked to discover the one site I thought was most secure, LinkedIn, actually had the least amount of security controls in place. I’m still treading lightly but maybe you’ll see me more active on these sites some day. Here are links to the guides: MySpace, FaceBook, and LinkedIn.

You may want to pass these nice little guides around to any family and friends so they can tighten down their profiles as well. Also for anyone out there that uses these services more than I do, what do you think of these guidelines? Will they severely limit their usability?

Securing Internet Explorer’s (IE) Zones can go a long way toward protecting your non-technical family and friends from malicious web sites.

Security Background

Many non-technical users in your life probably use IE for most of their computer activities. From checking email to editing photos, these cloud computing applications make the web browser the most prominently used tool on most computers. With firewalls in operating systems and abundance of inexpensive hardware routers, many attackers are turning towards browser infection techniques by luring unsuspecting users to web sites that compromise the computer. Therefore one of the most basic things you can help non-technical family and friends with is locking down their browser. There are entire treatises written on how to secure IE, but the most basic approach involves locking down IE’s Zones settings from its default promiscuous settings to a more secure white list approach. This simple technique disables most of the common exploit vectors, such as ActiveX and scripting.

Setup Internet Explorer Zones Security

• From most versions of IE double-click the zone area in the bottom-right of the browser (typically it shows Internet.) to open up the Internet Security Properties window.
• Set the Trusted zone to Medium by selecting each zone, moving the slider to Medium, and pressing Apply.
• Set the Intranet zone to Medium using the same steps as above.
• Next set all other zones (i.e., Internet and Restricted Sites) to High using the same steps as above.
• Click OK to close the window.

Add Proven Sites to Trusted Sites List

Most sites should still be functional enough for users to get the information they need or to at least check out the site to see if it seems trustworthy. If the site requires ActiveX or JavaScript, for example, and the user has determined the site trustworthy, then they can add it to their Trusted Sites list using the following steps.

• Open up the Internet Security Properties window by double-click the zone area.
• Select Trusted Sites and press the Sites button.
• In most cases you’ll have to clear the “Require server verification…” checkbox.
• Enter the site’s domain name (e.g., domain.com) and press the Add button.
• Select Close to dismiss the Trust Sites window and press OK to close the Internet Security Properties window.

This setup isn’t as user-friendly at first, but it’s a lot safer. After adding many of their commonly used sites, it hopefully won’t be as annoying for your family and friends.