How Do You Enable Better Security? Two Factor Authentication


What is two factor authentication?

Typically, we log in somewhere with an ID and a password. That combination is good everywhere and every time, and it is often saved on the device. It's convenient, but if someone knows your ID and password they can log in from anywhere and get to everything controlled by that account. If it's something like a Google account, that might include your email, files, calendar, and every site that lets you log in using your Google credentials.

With two factor authentication, logging in on a new or untrusted device requires that ID and password, plus a code delivered to (or generated on) an independent device. Even if someone knows your ID and password, they won't have your phone.

Google calls this 2-step verification, and it drastically reduces the chances of having the personal information in your Google account stolen by someone else. Why? Because an attacker would not only have to get your password and your username, they'd have to get hold of your phone.

Here's what I had to do to enable 2-step verification on my Google Apps account:

  • logged in at https://accounts.google.com/ and went to the account security page at https://www.google.com/settings/security
  • installed the Google Authenticator app on my iPhone to generate verification codes
  • set the computer I'm setting this up on as trusted (the default setting). It's my home desktop and it's reasonably secure.
  • turned on 2-step verification
  • added backup phones (home phone, wife's mobile)
  • clicked the button to go forward with creating application-specific passwords and to review the applications with access to my Google account. WOW, there sure are a lot of them.
  • at this point, "unable to log in" boxes started popping up in every client that had my saved password
  • generated and entered application-specific passwords for
    • iPhone mail
    • iPad mail
    • desktop mail
    • Mac mail (had to also enter the password for the calendar app)
    • Chrome sync
  • enabled browser logins to Google services on each device and checked the "good for 30 days" box

On my account management page, https://accounts.google.com/b/0/SmsAuthConfig, I can disable all of those codes at once. It would be nice to see which codes had been used and to deactivate individual devices, but in an emergency I suppose it's best to disable every device not marked as trusted.

The total setup time, including taking notes and typing really difficult strings was about 20 minutes. I like to think that my 9th grade touch typing teacher, who didn’t see much promise in me or my attitude, would be very proud of me as I typed those 16 character passwords.

The Google Authenticator is interesting: it works like those RSA SecurID tokens that present a new code every 30 seconds or so. The code is computed from a secret shared with Google when you scan the setup QR code, combined with the current time (the TOTP algorithm of RFC 6238), so the phone needs no network connection to produce it, but its clock has to be roughly correct.

Current Version of the Application on iPhone

Six ways to safer computing

I got an email today from a Yahoo subscriber; it had no subject and contained only a link to a website. The site claims to sell pharma products, but looking more deeply into the page, it appeared to be trying to do a lot more: a lot of JavaScript was being loaded and it wasn't clear what it was about to do.

At some point, the password for the sender's Yahoo account was compromised.   Although the horse is out of the barn, it's still worth securing the building.

Here are six suggestions to lock the barn:

1)  NEVER EVER log in to ANYTHING from a public computer. Assume the machine is full of malware and keyloggers. Resist the temptation to "just check my mail for a sec."

2)  If you use your computer on a public wifi hotspot, only log in to websites whose address starts with HTTPS, not HTTP. HTTPS traffic is encrypted; HTTP is not. Anyone using the hotspot can record all network traffic, and there are programs that turn such a recording into a spreadsheet of sites, user IDs and passwords. This does not require a sophisticated hacker.

3)  If you read mail in Outlook, Thunderbird, or some other program and you use your computer in a public hotspot, do not read mail unless your mail provider supports encrypted connections. The connection types should be POP3S or IMAPS, or there should be a "use SSL" checkbox in the configuration. Check with your provider if you're not sure.

4)  Use a hard to guess password.  Your name is not a good password. What's your favorite line in a movie? I like Citizen Kane and one great line is "I think it would be fun to run a newspaper."  So, for a password, I could use "ITiwbF2ran".  On the piece of paper I carry around to remind me of passwords, I'd have "email psw:  Charles Foster Kane". That will help me, but won't help anyone else.

5)  If you must use Windows, use it safely: use Internet Explorer 9 or Firefox as your web browser and install a good antivirus (I like NOD32 from ESET).

6)  Use different passwords for different services. Your mail password should be different from your bank password, which should be different from your voicemail PIN, etc. If you use the same password across systems, everything is only as secure as the weakest one. Do you really know who's running every system you log in to?

Making it easy for the bad guys

Seventy-five percent of all users use the same password for email and social network sites, according to a story in Security Week magazine, citing a study by Bit Defender. Want to bet a good number also use the same password for their bank accounts, credit cards, Starbucks card, and every other web site?

We all probably trust the security of our bank, but what about that website where you had to register, then take a survey to get a chance to win an iPod? Who's running that site?  Did they ask you to pick a user ID, enter your email, and select a password?  And did you use your "usual" ones?

When you say it out loud, does it seem like a good idea?

Is your wifi router a talk radio station?

The French National Commission on Computing and Liberty is shocked to find that Google's Street View vans have recorded snippets of wireless traffic, including email content, user IDs and passwords. Apparently, the French are easily shocked. What many people seem to forget is that wifi is radio and they're running a radio station, starring all of the computers in the network. Like any radio station, anyone with the right type of radio can listen to and record your shows.

There are two things that everyone using wifi should do.

  • First, encrypt your wifi using WPA2. It's not foolproof: with a pre-shared key, it is only as strong as the passphrase, because anyone who records the handshake when a device joins can try passphrases against it offline at leisure. Use a long, random passphrase. Anyone who's after you in particular may invest the time, but the drive-by vans will skip you and read your neighbor's unencrypted signal.
  • Second, whenever possible, log in to websites using SSL. SSL encrypts the connection between your computer and the server at the other end. If you visit websites using "https" instead of "http", you're using SSL encryption.

Using SSL for all data exchanges is critical when you're on a shared, public wifi network. Anyone at Starbucks, or the library, or your favorite place to park yourself with your notebook or phone could be recording network traffic. On such networks, you should have absolutely no expectation of privacy. It's critical to encrypt your data before it goes out over the air.

Check with your email provider to find out if they support POP3S or IMAPS and SMTP over SSL/TLS. The "S" at the end of POP3 and IMAP means that the connection between your computer and the mail server is encrypted via SSL, too. All major mail clients support these. If your mail provider doesn't, it's time to find a new mail provider.

If you use Gmail, click "Settings", then "Always use https". Gmail will then enforce an SSL connection whenever you access it on the web.
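This added example (my own code, with constructed sample traffic rather than anything captured) shows why the plaintext protocols mentioned above and in the earlier post about public hotspots are a problem: a listener who has reassembled the TCP streams of an HTTP login, a POP3 session and an IMAP session needs nothing more than a few string matches to harvest the credentials, while the same IMAP login over IMAPS yields only a TLS record header. The hostnames, users and passwords are invented.

```python
"""What a passive listener on an open hotspot can pull out of plaintext HTTP,
POP3 and IMAP sessions, and why the same session over TLS yields nothing.
Added example with constructed sample traffic; no real captures."""
import base64
import re
import urllib.parse

# Constructed sample captures: (destination port, reassembled TCP payload).
CAPTURES = [
    (80, b"POST /login HTTP/1.1\r\nHost: webmail.example.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 34\r\n\r\n"
         b"username=alice&password=Secret%211"),
    (80, b"GET /private HTTP/1.1\r\nHost: intranet.example.com\r\n"
         b"Authorization: Basic ZGF2ZTpsZXRtZWlu\r\n\r\n"),
    (110, b"+OK POP3 ready\r\nUSER bob\r\n+OK\r\nPASS hunter2\r\n+OK Logged in.\r\n"),
    (143, b"* OK IMAP4rev1 ready\r\na001 LOGIN carol \"p4ss w0rd\"\r\n"
          b"a001 OK LOGIN completed\r\n"),
    # The same IMAP login over IMAPS (port 993): after the handshake only a
    # TLS record header (type 0x17, version 3.x, length) is recognisable.
    (993, b"\x17\x03\x03\x00\x2a" + bytes(range(42))),
]

USER_FIELDS = {"username", "user", "login", "email"}
PASS_FIELDS = {"password", "pass", "passwd", "pwd"}
IMAP_LOGIN = re.compile(rb'^\S+[ \t]+LOGIN[ \t]+("[^"]*"|\S+)[ \t]+("[^"]*"|\S+)',
                        re.MULTILINE | re.IGNORECASE)


def _text(raw: bytes) -> str:
    return raw.decode("utf-8", "replace")


def creds_from_http(payload: bytes):
    """Basic auth header (base64 is encoding, not encryption) and form fields."""
    head, _, body = payload.partition(b"\r\n\r\n")
    found = []
    m = re.search(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)", head,
                  re.MULTILINE | re.IGNORECASE)
    if m:
        user, _, pw = _text(base64.b64decode(m.group(1))).partition(":")
        found.append((user, pw))
    form = urllib.parse.parse_qs(_text(body))
    user = next((v[0] for k, v in form.items() if k.lower() in USER_FIELDS), None)
    pw = next((v[0] for k, v in form.items() if k.lower() in PASS_FIELDS), None)
    if user is not None and pw is not None:
        found.append((user, pw))
    return found


def creds_from_pop3(payload: bytes):
    """POP3 sends USER and PASS as two plaintext commands."""
    user = pw = None
    for line in payload.split(b"\r\n"):
        if line[:5].upper() == b"USER ":
            user = _text(line[5:])
        elif line[:5].upper() == b"PASS ":
            pw = _text(line[5:])
    return [(user, pw)] if user and pw else []


def creds_from_imap(payload: bytes):
    """IMAP LOGIN carries both credentials on one line, optionally quoted."""
    def unq(tok: bytes) -> str:
        return _text(tok[1:-1] if tok.startswith(b'"') else tok)
    return [(unq(u), unq(p)) for u, p in IMAP_LOGIN.findall(payload)]


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x14-0x17, major version 3."""
    return len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 3


EXTRACTORS = {80: ("http", creds_from_http), 110: ("pop3", creds_from_pop3),
              143: ("imap", creds_from_imap)}


def sniff(captures):
    """Returns (port, protocol, user, password) for every plaintext login seen."""
    results = []
    for port, payload in captures:
        if looks_like_tls(payload) or port not in EXTRACTORS:
            continue  # encrypted (or unknown protocol): nothing to harvest
        name, extractor = EXTRACTORS[port]
        results.extend((port, name, u, p) for u, p in extractor(payload))
    return results


if __name__ == "__main__":
    for port, proto, user, pw in sniff(CAPTURES):
        print(f"{proto:5} :{port}  {user!r} / {pw!r}")
```

The point of the TLS branch is that encryption, not obscurity, is what stops this: the Basic auth header is "encoded" but falls out with one base64 call, whereas the IMAPS record exposes nothing beyond the fact that a TLS session exists.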

Nine Top Tools for Thunderbird

Mozilla Thunderbird is my day in, day out favorite email client. When most people think about email, they think Outlook.  Outlook is a great program, but it’s very expensive.  Unless you need to connect to an Exchange server, you can do better with the free Thunderbird.

In a previous post, I talked about add-ons that improve Google’s web mail interface.  Here’s a list of some tools that extend Thunderbird and make it both easier to use and more powerful.  Top 10 lists are popular. Here are my top 9 addons for Thunderbird.

  1. Folder Account selects a default "from" account for any given folder. I have some accounts on external systems that are forwarded to my primary email address. Message rules move these into particular folders. When I reply, this addon selects the address on the external system as the from address.
  2. Lightning is a calendar that integrates with Thunderbird. It has all the features you'd expect, including invitations, recurrence, etc.
  3. Provider for Google Calendar syncs my Google calendars with Lightning. Google Calendar provides the link to the calendar on my iPhone. Changing the calendar on the desktop, on the web or on the phone is automatically synced to the other two places within seconds.
  4. .vcs Support adds support for .vcs files to Lightning. It handles .ics natively.
  5. GContactSync synchronizes my Google and iPhone address book with Thunderbird.
  6. EnigMail adds support for OpenPGP signing and encryption to Thunderbird.
  7. Signature Switch adds a toolbar button that easily swaps signatures. I use it for switching between formal and informal signature lines.
  8. Manually Sort Folders lets Thunderbird override the folder ordering defined on an IMAP server. Sometimes, you just don't want things alphabetically.
  9. Compact Headers reduces the screen geography used by message headers, providing more space for the message itself.

What do you use to make Thunderbird work better for you?


In Sync — email, contacts, and calendar

I’ve finally untethered my iPhone from iTunes, at least for keeping my calendar and contacts up to date.  I’m using Thunderbird to manage email, contacts, and calendar, and using Google as a back end to keep it all synchronized between the iPhone, my Linux desktop, my Windows Vista notebook, and Google Apps on the web.

This will work with any Google mail account, whether it's @gmail.com or a Google Apps account like @sterndata.com, and with any phone that can synchronize directly with Microsoft Exchange.

  1. Contacts
    1. Import contacts into Thunderbird from Outlook.  The steps are here.
    2. Install the gContactSync addon for Thunderbird.
  2. Calendar.
    1. Install Lightning as an addon to Thunderbird. 
    2. Synchronize your Outlook calendar with Google using the free tool from Google.
    3. Install the Provider for Google Calendar as an addon for Thunderbird.
    4. Create a new calendar in Thunderbird following these directions.
  3. On the phone, create an Exchange account that points to your Google account and enable Calendar and Contacts.

Be sure to back up all of your address books, calendars, and phones first, just in case.

Thunderbird 3.0 beta 3

Some cool new features in Thunderbird 3.0, beta 3.  It seems fairly stable, too.

  • Auto archiving
  • Messages and threads can be opened in persistent tabs (like Eudora)
  • Global indexing and search
  • Thread summary when selecting an unexpanded thread
  • Attachment reminder — YES!  If you use the word "attached" or "attachment" in your message and there’s no attachment, Thunderbird will warn you when you try to send the message.
  • Virtual folder merging to create a virtual inbox across multiple accounts.

The full list is at http://kb.mozillazine.org/Thunderbird_3.0_-_New_Features_and_Changes.