Hello! I'm Defron and this is my blog.
Thursday, January 24, 2013

Data Privacy Day Prep Part 2: Smartphones

Data Privacy Day is one of my favorite holidays and falls on this upcoming Monday. Every year, for the days leading up to it, I like to talk about it and publish reminders. I normally post this on the Bethesda forums, where I'm quite active, but now that I have a blog, why not also add it on here? Here's part 2; it's about smartphones. It's long, so maybe read it in chunks. It'll always be here for you to refer to later :P

The goal of Data Privacy Day is to make people more informed about their data and privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others', so you need to figure out what level is good for your needs. Some things, though, are universally applicable to all, such as a good password system. Another thing to remember is that even if you follow the best of security practices, it may not be enough to stay safe if a company that has poor security practices gets hacked (and after the summer of 2011 hacks and the ones that followed in 2012, I think we are all familiar with that).

Smartphones

Do note that while this section is specifically about smartphones, most popular tablets on the market are based on smartphones currently on the market, so a good chunk of this applies to tablets too.

I'd argue that phones and data privacy and security don't even belong in the same playing field. Phones leak information like a sieve, and smartphones are even worse at it. Many scandals related to various smartphones have occurred in recent years. There was the iPhone location scandal, which led to general coverage of all the information the main smartphone OSes collect on you, and then it turned out that Windows Phone 7 was as bad as the iPhone at location leaking (even though Microsoft went on record during the original iPhone scandal saying WP7 didn't do nearly that much). Then we found out about Carrier IQ potentially collecting all sorts of information on you on pretty much all phones (except Verizon phones). Smartphones were the last to revoke the DigiNotar SSL certs, a good many smartphones still have these certs active, and there's nothing you can do about it. This year was also a big year for malware on smartphones. Malware on Android continued to get lots of coverage (though it's not as bad as the coverage made it out to be), and even the iPhone wasn't immune to it. Of course, why bother with malware when you can just completely own the phone with one SMS message? Throw in some good old GSM ownage, maybe tracking down and eavesdropping on phone calls, and why not some CDMA compromising as well as WiMAX ownage just for kicks.

Ok... I think you get the picture. The sad thing is that the above is not even close to covering all there is when it comes to smartphone (and phones in general) insecurity. Smartphones may be wonderful tools, but they definitely aren't secure. There are some things you can do about this, but the best is probably just turning the phone off when you don't need it. Really though, there's no way many of you can imagine going back to life without a smartphone, so at least do your best to bolt down what you can, which is mostly physical security.

Locking your phone

Android: Android 2.2 added PIN and password locking; prior to that you could only use a swipe pattern*. How to enable a Password, PIN, or Pattern on Android. Face Unlock was later introduced in Jelly Bean, but I don't really recommend that.
*Note: If using a swipe pattern, make sure at least one part of the pattern traces over itself. If you do not, someone can tell your pattern by looking at the smudge marks on your screen.

For apps there are two tools: Smart App Protector and Tasker:

Smart App Protector

Tasker - $5-7 (the out-of-market version is cheaper and recommended for file encryption). How to lock an app with Tasker.

 Why lock an app? Let's say you are letting a friend borrow your phone, but don't want them "accidentally" reading your emails or posting something from your Facebook account. Now you can lend them your phone without watching over their every move like a hawk.

iOS: With iOS4, full password support came to the iPhone. Instructions on setting up a long passcode on iOS4 -- iPhones not using iOS4 or later: 4-digit Passcode video

 Unfortunately I can't find any tools in the market to lock apps. For jailbroken iPhones it looks like there are a few options for locking down your phone, one promising one is Protecti.

Windows Phone 8: Unfortunately, picture passwords aren't an option, but you can have proper passwords now! WP7 is still limited to numerical passwords. WP8 Lock Screen FAQ

Password Management on your Smartphone

USE ONE! KeePass-compatible, LastPass Premium, or something else, just use one! I already listed them all out in the password section, so just pick one out. Here, I'll make it easy for you: KeePassDroid for Android, 7Pass for Windows Phone 7, and either MiniKeePass (free) or one of the others on iOS. For LastPass users, $12/yr isn't much and then you can use their numerous mobile offerings. DashLane will work with limited features on smartphones for free, but you'll have to pay for all that it offers like LastPass. Don't forget pwsafe (iOS) or PasswdSafe (Android) for the Password Safe fans. I can't begin to tell you how many times I've seen someone open their smartphone's unsecured notes to find a password. Stop it! Please. Your phone is insecure enough as it is without you storing your passwords in plaintext.

Remote Locating/locking/wiping

Your smartphone contains all sorts of juicy information on you. You need to be able to remotely wipe it if you ever lose it.

 Android:

The official offering by Google was made available in 2013. It's the Android Device Manager and allows you to remotely locate, lock, and wipe your Android phone. There are also many alternatives for Android, some of which offer features not found in the official Device Manager by Google. Most notable are text commands and app masking.

Avast! Mobile Security - Free for all. Remote Locate, Lock, and Wipe via either a web portal or text messages.

Lookout - Free or Premium version for $30/yr. Not only does it offer remote finding through the website, but also has an antivirus program (the usefulness of an Antivirus program on Android is highly debatable right now, but the location/wipe feature is undeniably good). The Premium features include the ability to lock your phone until you find it or wipe it clean, as well as even more goodies.

Cerberus anti-theft -- One-time fee of $5 or so. Can be installed as a system app and is just as capable as the big boys.

WaveSecure - $19.90/yr. You can track your phone, lock it, and back up/wipe the data.

Where's My Droid - Free for basic features (basic locate, basic remote control, basic lock), $4 for full features (remote wipe)

 iOS:

Find My iPhone -- Free for all thanks to iCloud. You can even have it automatically wipe your device after 10 failed attempts.

 Windows Phone 8:

Built-in feature through connected Windows Live accounts using http://www.windowsphone.com/en-us -- see here for full details.

Encrypting Files on your Phone

As already mentioned, your device leaks data like a sieve. Using encryption (either full-disk encryption or folder encryption) can help secure your device some.

Android 3.0 and higher support full-disk encryption, though the option may not be available on old phones that were upgraded to Android 4.0+.

For file encryption, you can use Tasker. The Android Market version used to not have encryption, but I don't know if this has changed or not. To be safe, just buy the version on the website and manually install the apk. Instructions on how to encrypt files using Tasker. Another option is Crypt4All Lite. The advantage of Crypt4All is that it's based on AES Crypt, which runs on desktops, so your encrypted files can be used on both your phone and desktop.

iOS: The phones have default built-in hardware encryption, but to make it useful you need to set a passcode. No further options exist on stock devices, however for file-level encryption, AxCrypt can be used. AxCrypt also runs on Windows with a prerelease for Mac OS X and Linux.

Windows Phone 8: Windows Phone 8 has full device encryption through a variant of BitLocker. Unfortunately it appears to be an Enterprise-only option, as it requires Exchange to enable. It also doesn't encrypt removable storage, and I still can't find a tool for file-level encryption.

App Permissions

Be careful what you install. Here is a list of some of the worst offenders of apps that invade your privacy: What they Know. On Android, always pay attention to what permissions an app asks for on install and make sure it makes sense.

There are ways to restrict app permissions on Android, but they all require root and/or special ROMs/kernels:

1. PDroid -- Doesn't require root to run (but does to install; the difference being the app itself doesn't need superuser privileges), but it is quite an involved setup process and only very specific ROMs are supported.

2. LBE Privacy Guard -- Requires root. Unfortunately, it's very heavy on the CPU (and therefore battery), and the latest version apparently has issues remembering blocked privileges past a reboot.

3. CyanogenMod can do it natively, but it isn't without issues, so it's about on par with LBE Privacy Guard.

Even for jailbroken iOS, I couldn't find anything to restrict app permissions; the best I found was a jailbreak app that alerts you when other apps try to access your contacts: ContactPrivacy.

Android Specific: Apps to Improve your Security and Privacy

1. DroidWall -- it brings a firewall via iptables to your phone (requires root and doesn't work with all kernels)

2. Get an ad blocker. Opera Mobile has one built in and you can get AdBlock Plus for Firefox. This doesn't cover apps, though. How to fix this? If you're rooted you can use AdAway, which modifies your hosts file to block ad servers system-wide, apps included. If you're not rooted you still have an option, AdBlock Plus for Android, though it's not as feature-rich unless you're rooted. Yes, AdBlock Plus exists for Android as a whole and will block ads throughout it. If you're not rooted it'll only work on WiFi (and if you have an old version of Android, it'll require manual configuration).

3. Incoming calls/texts: Some ROMs have native ways of blocking incoming calls/texts; others don't. If you want this feature you have a few options. On the rooted end, and very feature-rich, is Root Call Blocker, but it seems finicky about which phones it works on. Other options that don't require root are Mr. Number and Call Control.

4. Use Tor on your phone with Orbot.

5. Get your proxy on in Firefox Mobile via ProxyMobile. Note: this plugin is still very much in beta, so you may wish to configure your proxy by hand. This can be done by going to about:config and changing some settings. I'd also recommend changing network.proxy.socks_remote_dns to true, so that DNS lookups go through the proxy as well instead of leaking to your carrier's resolver. You can also use this with your own SSH server instead of random SOCKS proxies by using SSH Tunnel or ConnectBot (both of which allow creating SSH tunnels). I personally have configured Firefox manually and use ConnectBot, but that's because I connect to various SSH servers frequently.

6. Go a step further and use a VPN. Android has built-in support for various VPN protocols like IPSec, L2TP, and PPTP (those are the common ones supported out of the box). VPN settings can usually be found in the network settings. OpenVPN support can be found in various ROMs like Cyanogen as well as through apps like FeatVPN and OpenVPN for Android.

iOS Specific: Apps to Improve your Security and Privacy

1. Get an ad blocker. Unfortunately the only option I'm aware of requires a jailbreak, and that's AdBlocker.

2. Incoming calls/texts: Once again, a jailbreak is needed. It can be done with iBlackList.

3. Use Tor on your phone. This one doesn't require a jailbreak! A miracle by any measure :P Just install the Onion Browser. Unfortunately it doesn't seem to work out well for most people, so there's a jailbreak option with more success.

4. Set up a VPN on iOS. You can also connect to OpenVPN, but that requires a jailbreak.

Android Specific: Rooting and ROMs (and a bit on jailbreaking for iOS)

To root or not to root is a very good question. There are pros and cons to both. Rooting itself isn't much of a desired thing for the average user, though if you are careful with your superuser privileges, it certainly adds a lot of new capabilities. When flashing ROMs, it's important to make sure that you secure any new vulnerabilities you may have gained, such as an SSH server. Same for iOS users: if you jailbreak your device, you now have SSH access with a default and well-known username and password, so change it. There have been scattered incidents of jailbroken and rooted phones being hacked due to unchanged SSH credentials.

On to ROMs specifically: I suggest everyone using Android look into them, especially after your 1- or 2-year warranty is up. The reason? Security patches. Many phones get abandoned and never receive critical Android security patches. By running your own ROM you no longer have to wait for slow companies to patch your device; instead you rely on generally speedy groups of people who want to ship the latest Android in their ROM.

Smartphones: The remaining stuff

Disable Bluetooth when not using it.

Watch your picture uploads, especially if you're paranoid. By default the metadata in the picture will include geolocation information that you may not want out there. It's relatively simple to disable by just changing some settings.
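A pre-upload check for that geolocation metadata, as an added example (not from the post): it walks the Exif APP1 segment of a JPEG by hand, with no image library, and reports whether a GPS IFD with latitude/longitude tags is present. The sample JPEG it checks is constructed inline, not a real photo.

```python
"""Detect GPS tags in a JPEG's Exif data before uploading it (added
example). Parses the APP1/TIFF structure directly; the sample image is
constructed below and carries a made-up latitude."""
import struct

GPS_IFD_POINTER = 0x8825          # IFD0 tag pointing at the GPS sub-IFD
GPS_LATITUDE, GPS_LONGITUDE = 0x0002, 0x0004


def _exif_tiff(jpeg):
    """Return the TIFF block inside the first Exif APP1 segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker >> 8 != 0xFF or marker in (0xFFDA, 0xFFD9):  # SOS/EOI: no more headers
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + length]
        pos += 2 + length
    return None


def _ifd_entries(tiff, offset, endian):
    """Yield (tag, type, count, raw value/offset bytes) for one IFD."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        yield tag, typ, n, tiff[e + 8:e + 12]


def gps_tags(jpeg):
    """Tag numbers present in the GPS IFD (empty set if there is none)."""
    tiff = _exif_tiff(jpeg)
    if tiff is None:
        return set()
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    for tag, _, _, value in _ifd_entries(tiff, ifd0, endian):
        if tag == GPS_IFD_POINTER:
            gps_ifd = struct.unpack(endian + "I", value)[0]
            return {t for t, _, _, _ in _ifd_entries(tiff, gps_ifd, endian)}
    return set()


def has_location(jpeg):
    """True if the photo carries coordinates, i.e. strip them before uploading."""
    return bool(gps_tags(jpeg) & {GPS_LATITUDE, GPS_LONGITUDE})


def build_sample_jpeg(with_gps):
    """Constructed little-endian Exif JPEG: an Orientation entry in IFD0 and,
    optionally, a GPS IFD with a made-up latitude of 37 deg 46' 30" N."""
    gps_offset = 8 + 2 + 12 * 2 + 4                 # IFD0 with two entries ends here
    entries = [struct.pack("<HHI", 0x0112, 3, 1) + struct.pack("<HH", 1, 0)]
    if with_gps:
        entries.append(struct.pack("<HHI", GPS_IFD_POINTER, 4, 1)
                       + struct.pack("<I", gps_offset))
    ifd0 = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0
    if with_gps:
        data_offset = gps_offset + 2 + 12 * 2 + 4    # rationals follow the GPS IFD
        gps = struct.pack("<H", 2)
        gps += struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"        # GPSLatitudeRef
        gps += struct.pack("<HHI", GPS_LATITUDE, 5, 3) + struct.pack("<I", data_offset)
        gps += struct.pack("<I", 0)
        gps += struct.pack("<6I", 37, 1, 46, 1, 30, 1)                      # deg, min, sec
        tiff += gps
    payload = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2)
            + payload + b"\xff\xd9")


if __name__ == "__main__":
    for flag in (True, False):
        print("GPS present:", has_location(build_sample_jpeg(flag)))
```

To check a real photo, read the file as bytes and pass it to has_location.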

Wednesday, January 23, 2013

Data Privacy Day Prep Part 1: Passwords

Data Privacy Day is one of my favorite holidays and falls on this upcoming Monday. Every year, for the days leading up to it, I like to talk about it and publish reminders. I normally post this on the Bethesda forums, where I'm quite active, but now that I have a blog, why not also add it on here? Here's part 1; it's about passwords. It's long, so maybe read it in chunks. It'll always be here for you to refer to later :P

The goal of Data Privacy Day is to make people more informed about their data and privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others', so you need to figure out what level is good for your needs. Some things, though, are universally applicable to all, such as a good password system. Another thing to remember is that even if you follow the best of security practices, it may not be enough to stay safe if a company that has poor security practices gets hacked (and after the summer of 2011 hacks and the ones that followed in 2012, I think we are all familiar with that).

 Important definitions for this section:
  • Two-factor/multi-factor authentication: The use of two (or more) forms of authentication. They must be different forms, using two items of the same form does not qualify (so two passwords is still considered single-factor authentication). There are three forms of authentication:

    1. Something you know (Password is most common, followed by a PIN, and in smartphones: a swipe pattern)
    2. Something you have: A keyfile, ID card, or a token
    3. Something you are: Anything biometric such as a fingerprint or iris scanner

  • Brute-force attack: A hacking attack where the hacker systematically tries every possible combination to gain access to your account
  • Dictionary Attack: A hacking attack where the hacker systematically goes through every word in the dictionary, followed by every name, followed by any personal information they know about you

Passwords

Passwords are the most common form of security online, and they aren't going anywhere any time soon. Unfortunately, passwords probably aren't the best form of security, for numerous reasons: people can only remember so many good passwords (without using a manager or system, which I will talk about shortly), causing password reuse to be rampant; people can easily fall victim to social engineering (either in the form of targeted attacks or phishing); the rules for what you can include in a password are not universal (which causes problems for password creation systems); and they can be captured in transmission. Still, as I mentioned, they aren't going away any time soon, and making your passwords good is a very simple thing to do.

 Let's start with some questions about your current passwords:
  1. Do you use the same password everywhere or almost everywhere?
  2. Are your passwords less than 12 characters in length?
  3. Do your passwords contain a word from the dictionary or a name properly spelled?
  4. Is one (or more) of the following missing from your passwords: a lower-case letter, an upper-case letter, a number, or a special character?
If you answered "Yes" to the above questions, there's a good chance your passwords are weak. If you see your passwords on this list of the 25 worst passwords of 2012, then your passwords are weaker still, as they are on every password list out there. Some other lists are: 20 most common PINs, Top 20 worst Passwords, Top 500 Worst Passwords, and Password analysis of 3 hacked password databases (I quite enjoyed the character frequency analysis; it might give you some ideas for characters to use).

 So what is wrong with those 4 things?
  1. When you use the same password everywhere or almost everywhere, if any site gets hacked or you slip up and give out the password just once, all or almost all your accounts are compromised. -- XKCD on using the same password everywhere
  2. The shorter the password, the easier it is to crack. In some instances, short passwords use weaker hashing algorithms in general than longer ones (for example, Windows XP passwords under 15 characters use LM Hash, which is extremely weak, passwords with 15+ characters use NTLM)
  3. Words and names are extremely easy to crack with a modern PC by just doing a dictionary attack. It's all the easier if you have a botnet or supercomputer trying all the possibilities.
  4. The more variance in your password, the better. Having at least one of each character type significantly boosts your password strength compared to not having them. Once you leave alphanumeric passwords behind, the chances of your password being in a dictionary list drop, and once you get past simple substitution and just appending special characters at the end or beginning, you can even beat many targeted attacks such as those created by the Common User Password Profiler.
So, just how secure is your current password? Test it out here. If you are paranoid (which in this case is NOT a bad thing), you can view the source. It all runs locally and sends nothing back; it even works fine in offline mode. Still a little anxious about entering your password? Just type in something that is similar to your password. So long as you use the same number of each character type, it'll return a similar value. Note that the time How Secure Is My Password tells you is a best-case scenario, so if you have something like 3.2 years, it can probably be done in a few weeks using CUDA and a good NVIDIA GPU.
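The four questions above and the full-keyspace estimate the checker gives, as an added example (my own code, not the post's or that site's): it flags each of the four weaknesses and computes the guesses needed to exhaust the keyspace, which also shows why a look-alike password with the same length and character types scores the same. The wordlist is a constructed stand-in for a real dictionary file.

```python
"""Self-check for the four questions above plus the optimistic
full-keyspace estimate (added example)."""
import math
import string

# Constructed stand-in for a real wordlist such as /usr/share/dict/words.
SAMPLE_WORDLIST = {"password", "dragon", "monkey", "letmein", "welcome",
                   "shadow", "john", "summer"}

# Question 4's four character types, each with the size of its pool.
CLASSES = {
    "lower-case letter": (set(string.ascii_lowercase), 26),
    "upper-case letter": (set(string.ascii_uppercase), 26),
    "number": (set(string.digits), 10),
    "special character": (set(string.punctuation), len(string.punctuation)),
}


def missing_classes(password):
    """Names of the character types the password never uses."""
    present = set(password)
    return [name for name, (chars, _) in CLASSES.items() if not chars & present]


def contains_word(password, wordlist=SAMPLE_WORDLIST, min_len=4):
    """Question 3: a properly spelled word or name anywhere in the password."""
    lowered = password.lower()
    return any(len(w) >= min_len and w in lowered for w in wordlist)


def keyspace(password):
    """Pool size to the power of the length: the guesses an attacker needs
    if they know which character types you used. Two passwords of the same
    length using the same types get the same number, which is why typing a
    look-alike into a checker returns a similar value."""
    missing = missing_classes(password)
    pool = sum(size for name, (_, size) in CLASSES.items() if name not in missing)
    return pool ** len(password)


def exhaust_seconds(password, guesses_per_second=1e9):
    """Best case for the defender: wordlist, rule and GPU attacks finish sooner."""
    return keyspace(password) / guesses_per_second


def assess(password, reused=False, guesses_per_second=1e9):
    """Answer the four questions and attach the keyspace figures."""
    findings = []
    if reused:
        findings.append("reused on other sites")
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    if contains_word(password):
        findings.append("contains a dictionary word or name")
    missing = missing_classes(password)
    if missing:
        findings.append("missing " + ", ".join(missing))
    space = keyspace(password)
    return {
        "weak": bool(findings),
        "findings": findings,
        "bits": math.log2(space) if space else 0,
        "exhaust_seconds": exhaust_seconds(password, guesses_per_second),
    }


if __name__ == "__main__":
    for pw in ("dragon123", "Summer2012!", "xK9#vQ2!mLp7wZ"):
        print(pw, assess(pw))
```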

Further reading: How I'd Hack Your Weak Passwords -- a bit on the old side, but still a great read.

Keeping Track of your Strong Passwords

The problem with creating a bunch of strong passwords is that it's hard to keep track of them. As I mentioned, this is one of the problems with the password system. Thankfully, there are things you can do about it. I personally have over 100 passwords and have no issue entering them in when needed. The trick is to not memorize all your individual passwords (I personally only have maybe 10 passwords committed to memory).

One of the simpler ways to do this is, rather than memorizing your passwords, to memorize an algorithm, or system, for creating them. That way, even if you forget the password, you can easily reverse engineer what the password would be. The password remains strong and only those that know the algorithm can come up with the password. The Mozilla Team created an excellent video on this that you can watch here.

 There are problems with algorithmic passwords, though, one of them going back to a flaw with the password system as it exists: the rules for what you can have in your password are not uniformly followed by all sites, so your password algorithm may not work for all your sites. In general, I'd say you need at least 4 or 5 algorithms to cover all your sites, assuming all of them allow all characters: a sub-8 character algorithm, a sub-15 character algorithm, a sub-20 character algorithm, and a 20+ character algorithm. This is due to various sites putting limits on password length, a very unwelcome problem in my book that I wish would go away. The fifth algorithm you may want to implement is a separate algorithm for the most important of sites, such as your bank and email. Even so, remembering 5 algorithms is relatively simple to do, especially compared to remembering 30 different passwords (much less, 100 different passwords).
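A computerised take on the tiered algorithm idea, as an added example that goes a step beyond the post (this is my own code, not the post's or Mozilla's method): one memorised master secret plus an HMAC stand in for the mental algorithm, the four length tiers pick the longest password a site's limit allows, and the "important sites" algorithm is a separate label so bank and email passwords are unrelated to the rest. The alphabet, tier lengths and the forced one-of-each-type rule are my own choices.

```python
"""Deterministic per-site passwords from one memorised secret (added
example): HMAC-SHA256(master, label) is the 'algorithm', and the site's
length limit selects one of the post's four tiers."""
import hashlib
import hmac
import string

LOWER, UPPER, DIGITS, SPECIAL = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, "!@#$%^&*")
CLASS_SETS = (LOWER, UPPER, DIGITS, SPECIAL)
ALPHABET = "".join(CLASS_SETS)
TIER_LENGTHS = (24, 19, 14, 7)   # the 20+, sub-20, sub-15 and sub-8 tiers


def pick_length(site_max=None):
    """Longest tier that fits the site's length limit (None = no limit)."""
    if site_max is None:
        return TIER_LENGTHS[0]
    for length in TIER_LENGTHS:
        if length <= site_max:
            return length
    return site_max                  # site allows fewer than 7 characters


def derive_password(master, site, site_max=None, important=False):
    """Same inputs always give the same password; any change to the site
    name or the 'important' flag gives an unrelated one."""
    length = max(4, pick_length(site_max))
    # The fifth, 'important sites' algorithm is just a different label.
    label = ("important" if important else "normal") + "|" + site.lower()
    digest = hmac.new(master.encode(), label.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")    # 256 bits, more than we consume
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    # Guarantee one of each type (question 4) by overwriting positions 0..3,
    # then rotate so the forced characters are not always at the front.
    for i, cls in enumerate(CLASS_SETS):
        n, r = divmod(n, len(cls))
        chars[i] = cls[r]
    n, shift = divmod(n, length)
    return "".join(chars[shift:] + chars[:shift])


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample secret
    print(derive_password(master, "example.com"))
    print(derive_password(master, "example.com", site_max=12))
    print(derive_password(master, "bank.example", important=True))
```

The master secret is the only thing to memorise; lose it and every derived password is gone, so treat it like the master password of a manager.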

The other option (and it's not an exclusive other option; you can more than easily implement both) is to use a password manager of some kind. There are many out there, but the good ones in my book are: KeePass, Password Safe, LastPass, DashLane, a physical password list you always keep on you, and an encrypted digital password list. The software ones are real password managers; the two lists are merely a secured list of passwords. The difference is that a password manager helps simplify entering in your passwords (and that can be an issue with long, complex passwords).

You may be thinking "What's wrong with my browser's password manager?" and the truth is: many things. Firstly, the encryption on the password database isn't very strong. It is extremely easy to brute-force the encryption and many tools do it. Or, even more simply, just copy those files over to another computer and place them in the application directory for the same web browser, and the browser will be able to use them (unless you enable a master password), and if these are password databases for Google Chrome or Firefox, they are viewable as well (once again, unless a master password is set). Opera is a step up in that it will never show you the passwords, just the username, but the encryption is still weak and plenty of tools will crack it to display all your passwords. I really cannot recommend Chrome's password manager at all, as there is NOTHING you can do at the current time to secure it on Windows. If using Chrome, you really do need to use a third-party password manager. Firefox and Opera aren't much better off, but if you are going to use them, you do have some options. You may scoff that no one will get physical access to your computer, but they don't need to on Windows machines. A browser's password database is stored in %AppData%, which is easily accessible remotely thanks to it being included in Windows' default share for user profiles. Even if you disable that, the admin share C$ will include it (of course now I'm starting to delve into network security, which isn't supposed to be in this topic much).

Firefox's built-in password manager:

 First download the Master Password+ add-on and set a master password. A quality meter will tell you how strong it is. Set up an auto-logout time. You will never be prompted for your master password so long as you don't time out, but if you do you'll need to re-enter it again. Either leave it on a short time but only when inactive or set it to a long time (an hour or so) but always times out. Which to choose depends on your browsing habits and how easily you are annoyed.

Opera's built-in password manager:

Opera's password manager is a bit more feature-rich than Firefox's and so is its master password, which is good since there is no extension for it. Tools -> Preferences -> Advanced -> Security -> Set Master Password... and set your password. Set your timeout interval (right underneath it, called "Ask for password") as you feel appropriate. Setting it to "Every time needed", the default setting, will probably drive you mad; an hour is good. Finally, make sure to check the box for "Use master password to protect saved passwords". If you don't, the master password only applies to client certificates.

 As I said, Firefox and Opera's password manager are only marginally better than Chrome's even with the master password, so a third-party password manager is still best as the encryption is many times better. If you do use them, at least think twice about giving them important passwords for things like your bank account. Please consider one of these good password managers instead.

The Good Password Managers

KeePass 2: KeePass 2 is a Password manager for Windows. That said, it is becoming easier and easier to install on Linux and Mac OS X so long as you don't mind Mono being installed as well to the point it is pretty much cross-platform (just no official releases for Mac OS X or Linux are made). Mac OS X users can head here for an installer and Debian/Ubuntu users have it in the software repos or via PPA. Alternatively there is KeePassX which is fully cross-platform, but it only works with 1.0 databases and doesn't work with browser extensions such as KeeFox, ChromeIPass, or PassIFox. You give it a master password, and, optionally, you can create a keyfile (this is known as two-factor authentication. See "Important Definitions" at beginning of post). Now you only need to remember one password and all your passwords are secure.

 As mentioned there are various plugins for browser integration with KeePass to make entering passwords even simpler than it already is. This includes KeeFox (probably the best integration, but Mac OS X and Linux installs are tricky/beta-ish), PassIFox (not as good as KeeFox in my opinion, but works on Mac OS X and Linux as well as Windows), and ChromeIPass (which is the Google Chrome/Chromium option and also works on Mac OS X and Linux as well as Windows). Of course KeePass works with all browsers and pretty much all applications through an auto-type feature + a keyboard shortcut (default: Left-Ctrl+Alt+A but easily changeable to your preference) so you don't have to worry about a plugin if you don't want to. There is also a portable version available, so you can run it on the go from any Windows computer.

 Finally, in the modern world where smart phones are of great importance, there are programs compatible with KeePass available on all major smartphone platforms: KeePassDroid for Android, 7Pass for Windows Phone, and either MiniKeePass (free) or one of a few paid versions that exist on iOS.

 Pros: Open Source, you control it, portable, highly secure, will tell you the strength of your passwords, can generate random passwords, works with pretty much any program. Works on Android/Windows Phone/iPhone too.
Cons: The auto-type feature takes a little getting used to, and while it works with pretty much any program, the overall integration suffers to allow this (except in Firefox/Chrome, where KeeFox/PassIFox/ChromeIPass creates seamless integration).

Password Safe: Password Safe is a password manager created by crypto legend Bruce Schneier. It's a simple program with a single goal: creating a digital safe for your passwords. It was later open sourced and has a derivative project Password Gorilla. Password Safe is Windows-only whereas Password Gorilla is fully cross-platform and that's basically the only difference between the two. Many other derivative projects have been done as well, including many command-line tools. There exists both an iOS app and an Android app, but I don't know of a Windows Phone app.

Pros: Open source, you control it, highly secure, does one thing and does it well. Command-line versions for command-line junkies.
 Cons: Not as feature-rich, extensible, or simple as KeePass, lacks Windows Phone support.

LastPass: LastPass is a cloud-based password manager that works in all major browsers and the browser version is cross-platform. There is a desktop version for application passwords and whatnot, but it currently only works on Windows and requires a Premium (paid) account. It also does not appear to have a keyboard shortcut auto-type feature like KeePass. You can find more information about the Desktop version for applications on their website helpdesk. Likewise for smartphone use, you need a Premium (paid) account; apps for all major smartphone platforms exist. Offline access to your passwords is possible through a cross-platform program called LastPass Pocket and is available with a free account. They also offer One-time Passwords for use on untrusted computers that instantly expire (which reduces the risk of your master password being compromised). There are also many options you can enable to make LastPass even more helpful and secure, and it'll even alert you when it detects an account tied to your email address has been leaked.

 Pros: always with you so long as you have Internet Access, instantly syncs, highly integrated, audits your passwords, can generate random passwords, one-time passwords, very secure (before you ask: It's been verified that LastPass NEVER gets your encryption key -- see here)
 Cons: You must trust that they will stay around, have to pay for use on your phone, if your Master LastPass password is compromised, all your passwords are compromised*

 *Note: LastPass Premium offers USB-based two-factor authentication (see here). More recently, LastPass added Google Authenticator two-factor authentication for free. The Free version also has grid authentication, which I don't quite consider unique enough of "something you have" to be two-factor authentication, as if someone knows what your card looks like, they can access your account without actually having your card, but still a significant security boost. One-time Passwords also lower the risk of your master password being compromised.

DashLane: DashLane is a newcomer and competitor to LastPass. It offered some features before LastPass did, like securely sharing notes and passwords with friends. It specializes in autofill, and does a very good job at form detection (hence the name: it dashes you through the checkout lane for online orders) and doesn't seem to miss a beat security-wise, keeping up with LastPass. As an added bonus, basic smartphone support is included for free (though you don't get all the benefits on the phone or note sharing unless you go premium). It also enforces a basic two-factor authentication before allowing you to install it on new devices.

Pros: Always with you anywhere you have Internet access, instantly syncs, highly integrated, very secure, free basic phone support.
 Cons: You must trust that they stay around, gotta pay for the premium and full features, if your master DashLane password is stolen, all your accounts are compromised.

Keeping a list always on you: Obviously no software is involved; you simply keep a list on you at all times, say in your wallet (or anywhere else, so long as you always remember to keep it on you). This method, while once frowned upon, has been gaining popularity in recent years among security experts*. Why? Because it is always on you, so you know it is safe. If it isn't on you, then you know it is time to change all your passwords. For extra security you can apply a trick to the list that only you know. For example: insert a random number into every password at a specific spot (or in a pattern that you know). If the list falls into the wrong hands, the finder can't tell those numbers aren't part of the actual password, so the passwords can't be used right away, or at all. This gives you more than enough time to verify you didn't just leave the list at home and to change your passwords to something secure again.

 Pros: Pretty secure; you are instantly aware if your password database is compromised since it is always on your person. Always with you in all circumstances.
 Cons: You must diligently keep it always on you for the security aspect; obviously if you use no trick and lose the list, all your passwords are potentially compromised; likewise it is obviously 100% manual. Just don't leave it in the usual spots.

 *Bruce Schneier on writing down your passwords(Source under "Safe Personal Computing"):
Passwords. You can't memorize good enough passwords any more, so don't bother. Create long random passwords, and write them down. Store them in your wallet, or in a program like Password Safe. Guard them as you would your cash. Don't let Web browsers store passwords for you. Don't transmit passwords (or PINs) in unencrypted e-mail and Web forms. Assume that all PINs can be easily broken, and plan accordingly.

Encrypted Digital Password List: To some, a digital password list would be preferable to a paper one. There are risks to leaving your passwords in plain text on your computer, though (some malware looks for files like passwords.txt and uploads them to some far-off place), so encryption is a must. The advantage of a digital list is that it's easy to back up, lowering the risk of you losing it, as well as allowing you to synchronize the file onto multiple computers (though it begs the question: why not just use a password manager?). A simple and effective cross-platform encryption program is TrueCrypt. TrueCrypt is an on-the-fly encryption tool and allows you to create encrypted file containers in which you can store your password list.

 Pros: Extremely secure. Truecrypt in particular offers many options for creating your encrypted file container (including a hidden volume).
 Cons: Obviously not integrated at all with any application, so you must do everything manually. Must use a third-party program to synchronize the file across computers.

 Some Mac OS X-specific Password Managers:

 1Password -- It's also available on Windows, iOS, and Android, but I'd only recommend it if you don't want to deal with KeePass 2 with Mono and Mac OS X is your primary OS. It's free only for 20 or fewer passwords, otherwise you have to pay, and it's on the expensive side ($50 for one license for one desktop platform, $70 for a license for both desktop platforms, $100 for 5 licenses for both desktop platforms). Still, it's very user-friendly on Mac OS X.

 Keychain -- Keychain is the default password manager for Mac OS X, but it's not without flaws that have come up over the years (usually patched, though). It can be integrated with Safari, Google Chrome (which uses it by default), and Firefox, but it's not easily synchronized across your computers and definitely not cross-platform or portable.

 And of course the 4 password managers listed above all work on Mac OS X.

 Two-Factor Authentication

 The need for two-factor authentication is becoming more prevalent every day. Luckily, it is also becoming more widespread and easier to set up. Two-factor authentication can make it so that even if your password is compromised, your account isn't. It would have stopped Mat Honan (see below) from having his life destroyed by a hacker. By far the easiest implementation to get going with is Google Authenticator, which is open source and built on the open HOTP/TOTP standards (RFC 4226 and RFC 6238), so there are many compatible implementations. What makes it great is that you don't need to buy an expensive security token like RSA SecurID; you just need a supported device. This is most commonly done through a smartphone using the Google Authenticator app, but as the Wikipedia article shows, there are other implementations you could use. Many services that support Google Authenticator will also let you sign up for two-factor authentication through SMS messages, so you can even use it with a regular phone. SMS is the weaker of the two, since text messages can be intercepted or redirected to an attacker's phone, so prefer the app where a service offers both.

 Debunking Myths of two-factor authentication | List of places you can enable two-factor authentication

 Pros: VASTLY increases your security.
 Cons: does make logging in sometimes a bit harder, but with Google Authenticator, it's pretty easy. I would suggest printing out the offline one-time use codes, though, just to be safe.

What you can't Protect Against

 Strong passwords won't protect you against everything: you have no control over how a website handles security. Mat Honan is all too familiar with this. This shouldn't be discouraging, though; you just need to do the best you can. In the event a site you use is compromised, the best advice is to change the password ASAP. Changing your password promptly cuts off the attacker's use of it (provided you weren't reusing that password elsewhere, in which case change it everywhere). Most services are kind enough to alert you after a breach, but not all. There are some other steps you can take as well: oftentimes when a hack is done, the hacked database is released and can be downloaded if you know where to look (sometimes it's free, other times it isn't, depending on the purpose of the hack). Services like PwnedList will look for your email address in leaked databases and alert you of matches. If you use either LastPass or DashLane, you can use this feature through their services too (they partnered with PwnedList).

Passwords - the remaining stuff

 To note, there are other methods for creating secure passwords. Popular ones include using phrases from a book or song, and recently just stringing together 4 random funny words, popularized by an XKCD comic strip. If these methods work for you, that's great, but personally I see them as relying too much on human memory, which is too easily fallible. There's no way I'd be able to keep track of all 100+ of my passwords by using different strings of 4 random words or remembering which phrases from a book go with which sites. I see these methods, in the long run, as encouraging password reuse. Password reuse is the enemy to be stopped at all costs, as password databases get compromised, and once you start repeating passwords, no matter how strong, you run the risk of multiple accounts being compromised from a single password leak. Still, if you only have a handful of passwords, these methods can create strong passwords provided you can remember them.

 At this point your passwords are nice and complex, secure, and easy to remember/access, but that is not all there is to say on password security. Remember those password hints and pesky security questions you set up for most services? Those can be an Achilles heel to your accounts if you are not careful.

 For password hints there are a few things you can do: you can do away with them completely, typing in gibberish when forced to have one (what I currently do), or you can use things that only you know to help you remember the pattern you use for your passwords. Along the lines of "That place where I put that thing that time": it means absolutely nothing to anyone but you. In all cases you should be careful here, and any hint you give should use word associations or have a meaning that only you would understand, relying on your personality or life.

 Security questions are similarly a dangerous thing, much more dangerous than password hints, as they can reset your password. Weak questions mean your strong password is worthless. If you are confident in your passwords to the point you are certain they will never be forgotten, once again you can make the answers complete gibberish so they are impossible to break into. Security questions have two pitfalls: 1. They are susceptible to social engineering, since they are questions about you. Make sure you NEVER post the answers to your security questions anywhere, ESPECIALLY social network sites like Facebook and Myspace. If you do that, then all your security efforts go down the drain. 2. Security questions are often just a word or name, making them HIGHLY susceptible to dictionary attacks if the service doesn't lock out repeated wrong answers. To combat this, make your answers always at least two words, and maybe throw in a special character at the end or the beginning that is your "trick" for them. One thing growing in popularity that does a good job of combating both is to create a pattern for your security questions that does not actually answer them and that only you know (see here: http://www.zephoria.org/thoughts/archives/2007/11/15/algorithms_for.html). My advice is to do that, but also make sure to include a special character or two.

 Over the last year, I've seen comments on GPU password cracking coming up more and more frequently. I see this as missing the point. GPU cracking only applies to offline password hashes/databases; it's not a threat to your online accounts, where the login form throttles or locks out repeated guesses. In the event your passwords get leaked by a website getting hacked, having strong passwords is your best defense, buying you time to change your password before it is cracked. How much time depends on how the site stored it: an unsalted MD5 or SHA-1 hash falls far faster than a slow, salted hash like bcrypt or PBKDF2, and you don't get to choose that. So my advice is: don't worry about it, and just change your password as soon as you find out a site's been hacked.
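 To put numbers on both the "4 random words" method above and the offline-cracking point, here is an added example of mine (not code from this post): it generates random passwords, random-word passphrases and made-up security-question answers with the operating system's CSPRNG, works out their entropy, and estimates how long an offline brute-force run against a leaked hash database would take. The 16-word list is constructed just so the example runs offline, and the two guess rates (a fast unsalted MD5 versus a slow bcrypt) are assumed order-of-magnitude figures for one GPU rig, not measurements.

```python
"""Added example, not from the original post: generate random passwords,
random-word passphrases and security-question answers with the OS
CSPRNG, and estimate what an OFFLINE cracking run against a leaked hash
database could do with them. The cracking rates below are ASSUMED
order-of-magnitude figures for illustration, not measurements."""
import math
import secrets
import string

CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed 16-word list so the example runs offline; a real passphrase
# list (Diceware-style) has a few thousand words, which is what gives a
# 4-word phrase its strength.
WORDLIST = [
    "anchor", "bishop", "cactus", "dragon", "eagle", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "marble", "nickel",
    "orchid", "pepper",
]

# Assumed guess rates (guesses/second) for one GPU rig, to show why the
# site's hash choice matters: a fast unsalted hash versus a slow KDF.
ASSUMED_RATES = {"md5": 1e10, "bcrypt": 1e4}


def random_password(length=16, alphabet=CHARSET):
    """Uniform random characters from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words=4, words=WORDLIST, sep="-"):
    """XKCD-style: n words picked uniformly and independently, with replacement."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_security_answer(words=WORDLIST):
    """A made-up 'answer' nobody can look up: two words plus a symbol,
    meant to be stored in the password manager rather than remembered."""
    return random_passphrase(2, words, " ") + secrets.choice(string.punctuation)


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def expected_crack_seconds(bits, guesses_per_second):
    """Brute force finds the secret after half the keyspace on average."""
    return (2.0 ** bits) / 2 / guesses_per_second


def crack_report(bits, rates=ASSUMED_RATES):
    """Expected years to crack at each assumed guess rate."""
    year = 365.25 * 24 * 3600
    return {name: expected_crack_seconds(bits, r) / year for name, r in rates.items()}


if __name__ == "__main__":
    print(random_password(), random_passphrase(), random_security_answer())
    for label, bits in [("16 random chars", entropy_bits(len(CHARSET), 16)),
                        ("4 words / 2048-word list", entropy_bits(2048, 4)),
                        ("4 words / this 16-word list", entropy_bits(len(WORDLIST), 4))]:
        print(f"{label}: {bits:.1f} bits -> years to crack {crack_report(bits)}")
```

 The takeaway from the report is the one in the paragraph above: four words from a 2048-word list is 44 bits, which an unsalted MD5 dump gives up in minutes but a bcrypt dump holds for decades at the assumed rates, while a 16-character random password (about 105 bits) is out of reach either way. The generator uses `secrets`, not `random`; the latter is seeded predictably and is the wrong tool for anything an attacker will be guessing.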

 You'll see some people recommend you change your password periodically. It's also a commonly enforced policy in some offices/for some services. I personally don't subscribe to this train of thought. After a password is compromised, it'll instantly be exploited. The probability of you changing a password due to some 90-day password change policy actually stopping someone from using your compromised account is slim to virtually zero. Now there's nothing wrong with occasionally changing your passwords, and it's a good way to maintain them, but something being a good idea for maintenance and something adding real security are two different things. Takeaway: don't feel pressured to change your passwords frequently, but the occasional password change isn't a bad thing.

 If you follow through with everything, your passwords will be very secure and any backdoors effectively shut to anyone but you.

Tuesday, January 22, 2013

Welcome!

Hello! I'm Defron and this is my blog. To be precise, this is my first blog... ever. I've managed some blogs before (specifically self-hosted WordPress blogs) but never had one myself. It'll be interesting to see how this goes.

I suppose saying what this blog is going to be about, why I decided to start it, and a bit about me is in order. This blog is going to be about technology. Not technology like the latest gadgets, but technology in general, and definitely geared more towards software. I've always been fascinated by technology, and technology has been very nice to me. I also have a deep passion for security and online privacy, so expect quite a bit on that too.

I've toyed with the idea of starting a blog for some time now, but only recently really decided to do it. I had bought defron.org, .net, and .info, and just using them for email and some URL forwarding seemed like such a waste. That was the last bit of motivation I needed to start blogging. Having a domain isn't expensive at all and is a lot of fun. There's a lot of cool things you can do with one for just $10 or so a year. More if you get hosting.

I actually have both shared hosting with HostGator as well as a VPS, but I decided to go with Google's Blogger for my blog. That may seem odd for you, but I decided to do it for experience's sake. I have experience with WordPress and hosting some blogs for my family with it, and I've been messing around with Drupal as well. The major CMS I haven't touched, then, is Google's Blogger. Nothing better accelerates learning than repeated contact. I'll probably eventually change to WordPress on a VPS, though (and for those of you who noticed the lack of Joomla being mentioned: no offense to Joomla, but I didn't enjoy my brief time messing with it).

That just leaves... me. My name isn't actually Defron: it's Kevin Thomer (no point hiding my last name since you can see it on my Google+ profile); Defron's my online handle. I came about using Defron during my childhood when I wanted to save my score in Commander Keen; I just blindly slammed the keyboard, ended up typing "defron", and have since used it most of my life online. The real-world me works at an optometric office (Grant Optometric Group) as a one-man IT shop and also goes to school studying to get a bachelor's in Information Systems. I hope to continue down the road of systems administration, possibly working for a hospital or government institution.

I hope you enjoy my blog and find my posts useful and helpful. Feel free to drop a comment, I'd love feedback from you guys. Feel free to follow me on Twitter too. My Google+ account is more personal, so you might not find it enjoyable to listen to my dribble on there (mostly about anime stuff).

Edit (1/23/2013): Oh, one more thing: I prefer to be called Defron by those who know me online and Kevin only by those who know me in person. I dunno why, I just do. It feels odd being called Kevin online.