Tag Archives: Security

Field Notes: Google Two-Factor Authentication

There’s been a lot of discussion recently about GMail’s two-factor authentication thanks to the publicity around the Mat Honan hack. I’ve been using it a while and figured I’d share my thoughts and experiences. I had been using it for an account that I just used for email, so it wasn’t much of a hassle. But I recently added it to a second Google account and it’s been more of a hassle. It’s probably needed more on this account, since it’s used for more than just email, so I’ve kept it enabled. In the case of Google the two factors are a password (something I know) and my phone (something I have).

Here are my notes from using Google’s Two Factor Authentication. For the record, I used my own domain with Google Apps accounts in both cases.

There’s plenty of backup available should I lose or break the phone with the authenticator app:

  • I have the Google App on my iPhone so I don’t need a cellular connection to get the code.
  • As backup I have another phone set up to get the code via SMS.
  • As another backup there are also printable one-time backup codes. The assumption is that Google can keep these codes secure.

If an app or device doesn’t recognize Google Two-Factor authentication there are Application Specific passwords:

  • “Application Specific” is more a description of the intent, rather than a technical requirement.
  • The Application Specific passwords can be used on multiple devices and applications. I’d prefer they be locked to the first app or device they’re used on.
  • If you use the password in a malicious or poorly written app the password can be used by someone else to access your email. So common sense still needs to be used when using the application passwords.
  • While 16 characters is a long password it’s not as complex as it could be. All passwords are 16 characters and there seems to be a limited character set. While this could be more secure, it would still be extremely hard to crack and isn’t a reason not to use them.
  • The application specific passwords only provide limited access to the account, even if compromised, such as accessing email.
  • Application specific passwords are easy to revoke so they can be used to try out a new app and then revoked if the app isn’t used.
  • I’ve had some issues where my iPhone email (for example) decides it needs a new app password and I have to re-enter it. This is a pain as I have to go to the website and generate a new one then type it into the iPhone.
  • While I can see the last time the application password was used, I can’t tell where it is used, so if the password is taken I wouldn’t notice, unless I stopped using it.

Misc Notes:

  • The initial setup is a bit of a pain. When two-factor authentication is turned on all the existing logons will break and have to be redone.
  • PCs can be made “trusted” and then for the next 30 days it won’t be necessary to enter the code when logging on.
  • If Google Sync is used (in Google Chrome) it’s necessary to use an encryption passphrase specific to Google Sync. The account password can’t be used since an application specific password is required. Well actually, an app specific password can be used, but it would have to be remembered and used as the app password for all Google Chrome logons, which goes against the design of the application passwords.

Anyone else using Google two-factor authentication? What’s been your experience?

LastPass: Still My Choice

Earlier this morning LastPass announced that they noticed some anomalies in the network traffic to one of their servers.  And…

… it’s prudent to assume where there’s smoke there could be fire.

I’ve been a longtime LastPass user and fan. While I’d rather this had not happened at all, I’m an even bigger fan now. I like paranoid people protecting my stuff. I also think some of the stuff they do is pretty cool and shows a serious commitment to security. They monitor traffic in their network and noticed some abnormal traffic that they couldn’t track down.

Unfortunately their response caused the real problems. They began forcing password changes which caused a heavy load on their servers (which was probably already heightened once the news hit) and things began to grind to a halt. It appears password changes could take an hour or more to take effect, making it appear data was lost (since it wasn’t being decrypted with the right password).

I have to admit, I didn’t have any problems during the day the few times I used LastPass. And when I got home they changed things from forcing a password change to selecting an option to not change my password or to temporarily postpone the change and only allow logons from personal computers. I chose the permanent postponement. So did I “permanently postpone the change”?

The worst case risk is that someone got the password hash (the actual passwords aren’t saved or known to LastPass) and the salt used to hash them; LastPass needs to keep the salt in order to log us on. With both those items a dictionary attack could be launched to find the password. Only passwords that matched the dictionary could be broken. I’m protected by two things:

  1. My password is a long string of symbols, numbers, and both cases of letters. Not likely to match any dictionary.
  2. I use a YubiKey for two-factor authentication. If my password is cracked it’s useless without the YubiKey.

Still, once things die down and their performance returns to normal I’ll go ahead and change my password. Can’t be too cautious. And the LastPass folks get that – they’re changing their hashing algorithm in a way to make brute force attacks unreasonably long to execute.
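An added illustration of the two points above (not LastPass’s code and not part of the original post): with the salt and a fast hash in hand, a wordlist can be tested cheaply and only a listed password falls, while an iterated hash raises the cost of every guess. The salt, passwords and wordlist are constructed, and salted SHA-256 and the PBKDF2 iteration count are assumptions chosen for the demonstration.

```powershell
# Added example, not LastPass's code. Salt, passwords and wordlist are constructed;
# salted SHA-256 and 100,000 PBKDF2 rounds are assumptions for illustration only.
[byte[]]$Salt = [Text.Encoding]::UTF8.GetBytes('constructed-salt-01')

function Get-FastHash([string]$Password) {
    # One salted SHA-256 pass: cheap to compute, so cheap to test guesses against.
    $sha = [Security.Cryptography.SHA256]::Create()
    try {
        [byte[]]$data = $Salt + [Text.Encoding]::UTF8.GetBytes($Password)
        [Convert]::ToBase64String($sha.ComputeHash($data))
    } finally { $sha.Dispose() }
}

function Get-SlowHash([string]$Password, [int]$Iterations = 100000) {
    # PBKDF2 repeats the underlying hash $Iterations times for every single guess.
    $kdf = [Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $Salt, $Iterations)
    try { [Convert]::ToBase64String($kdf.GetBytes(32)) } finally { $kdf.Dispose() }
}

function Test-AgainstWordlist([string]$StoredHash, [string[]]$Wordlist) {
    # Returns the matching word, or $null when the password is not in the list.
    foreach ($word in $Wordlist) {
        # -ceq: Base64 is case-sensitive, the default -eq is not.
        if ((Get-FastHash $word) -ceq $StoredHash) { return $word }
    }
    return $null
}

$wordlist = 'password', 'letmein', 'sunshine1', 'qwerty123'   # constructed
$weak     = Get-FastHash 'sunshine1'                          # appears in the list
$strong   = Get-FastHash 'r7#Vq!2zL@9xW$eT4^mB8&uK'           # long and random

'dictionary password recovered: {0}' -f [bool](Test-AgainstWordlist $weak $wordlist)
'random password recovered:     {0}' -f [bool](Test-AgainstWordlist $strong $wordlist)

# Cost per guess: this ratio is what a slower hashing scheme buys the defender.
$fast = (Measure-Command { 1..20 | ForEach-Object { Get-FastHash 'guess' } }).TotalMilliseconds / 20
$slow = (Measure-Command { 1..20 | ForEach-Object { Get-SlowHash 'guess' } }).TotalMilliseconds / 20
'ms per guess: fast hash = {0:N3}, iterated hash = {1:N3}' -f $fast, $slow
```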

Unlike other recent breaches in the news, this possible attack hasn’t lessened my trust in LastPass. It’s only increased it because they take their responsibility seriously.

Security: DLL Search order Vulnerability

This vulnerability is a little old, reported about a month ago, but I’m just getting around to patching it and Microsoft isn’t. The “Insecure Library Loading Could Allow Remote Code Execution” vulnerability was announced by Microsoft back in late August in bulletin 2269637. Unfortunately Microsoft has not rolled out a patch with their normal patch rollouts, probably because of the potential to break apps. They did publish knowledge base article 2264107, which has a workaround to the problem.

In short, because the working directory is included in a DLL search path and could be a remote directory it was possible for an attacker to compromise a system with a remote DLL. Applications could avoid this by not relying on the default search order.

I ran through the steps and haven’t had an issue. Since I don’t expect any of my applications to run a remote DLL (WebDAV or SMB file share) I’m not expecting any problems. I’ve installed the patch and changed the settings on Windows 7 64-bit only, but the patch is available for other OS’s and the process seems the same for them.

To patch the PC:

  1. Download and install the appropriate OS patch from the KB article. I needed to reboot and I suspect the other OS’s will also need a reboot.
  2. The patch doesn’t change anything, it just enables the use of the registry keys described in the article. You can create the registry key(s) manually or do like I did, and click the “Fix It” link in the article.
  3. The Fix It link creates the global registry key with a value of “2”, which prevents searching the working directory for DLLs if the location is WebDAV or SMB (remote).
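A read-only check for step 3, added here as an example and not taken from the post or from Microsoft’s Fix It: it reads the global value plus any per-application overrides and reports what each one means for a locally installed application. The value name CWDIllegalInDllSearch and the two registry paths are the ones documented in KB 2264107; they do not appear in the post.

```powershell
# Added example (not from the post). Read-only audit of the KB 2264107 setting.
# Value name and key locations are as documented in KB 2264107.
$ValueName      = 'CWDIllegalInDllSearch'
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Ifeo           = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-CwdDllSearchSetting([string]$KeyPath) {
    # Returns the DWORD as an unsigned number, or $null when the value is not set.
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # 0xFFFFFFFF can surface as -1 or as 4294967295 depending on the host; normalise it.
    return [uint32]([int64]$item.$ValueName -band 4294967295)
}

function Get-CwdDllSearchMeaning($Value) {
    # Meanings for an application started from a local folder.
    if ($null -eq $Value) { return 'not set: default order, working directory is searched' }
    switch ([uint32]$Value) {
        0          { 'default order, working directory is searched' }
        1          { 'working directory skipped when it is a WebDAV location' }
        2          { 'working directory skipped when it is WebDAV or SMB (remote)' }
        4294967295 { 'working directory removed from the DLL search order' }
        default    { "unrecognised value $Value" }
    }
}

$globalValue = Get-CwdDllSearchSetting $SessionManager
$report = @([pscustomobject]@{
    Scope   = 'Global'
    Value   = $globalValue
    Meaning = (Get-CwdDllSearchMeaning $globalValue)
})

# Per-application overrides live under Image File Execution Options\<binary name>
# and take precedence over the global value for that binary.
foreach ($key in Get-ChildItem -LiteralPath $Ifeo -ErrorAction SilentlyContinue) {
    $v = Get-CwdDllSearchSetting $key.PSPath
    if ($null -ne $v) {
        $report += [pscustomobject]@{
            Scope   = $key.PSChildName
            Value   = $v
            Meaning = (Get-CwdDllSearchMeaning $v)
        }
    }
}

$report | Format-Table -AutoSize -Wrap
if ($null -eq $globalValue -or $globalValue -eq 0) {
    Write-Warning 'Global value is unset or 0: the Fix It setting of 2 is not in effect.'
}
```

A per-application entry with a value of 0 is worth a second look, since it puts that one binary back on the default search order even when the global value is 2.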

The working directory isn’t the directory the application is installed in (I suppose it can be, but that would be coincidence). This patch also affects the search order (based on the article) so if the app is installed remotely, and properly written to not rely on the remote working directory for a DLL, I would expect the app to continue to work. But, I don’t have any remotely installed apps to test this out.

This is the first time I tried one of those “Fix It” links. It’s a little scary but worked well. I’ll post an update if I have any app issues, but so far so good.

TrueCrypt: Full Disk Encryption

After seeing how easily TrueCrypt worked when I used it to encrypt files (or more accurately, create an encrypted container to hold files) I decided to give full disk encryption a try on my new Dell Inspiron laptop. I was planning to take the laptop on my vacation trip and wanted to encrypt the data. The laptop was new and not a critical part of my workflow so if full disk encryption cratered the laptop, requiring a rebuild, it could wait until after my trip without causing any serious problems.

As it turned out, the full disk encryption worked without any problems. While I hadn’t used the new laptop enough to gauge any before/after performance differences, the benchmarks showed a negligible difference.

I’d already installed TrueCrypt on the laptop so all I needed to do was encrypt the system drive. I decided to encrypt the entire system drive (the only drive in the laptop) and to just use normal encryption. I won’t bother with the hidden option since I mainly care about preventing someone who steals my laptop from being able to access the files. The encryption process is wizard based and the screens are shown below. I don’t have any plans to dual boot this laptop so I can keep it simple with a single boot configuration. I also stick with AES encryption since it benchmarks better than the other options.

[Screenshots: System Disk Encryption Wizard, screens 1-4]

At this point I was presented with a UAC prompt as TrueCrypt looked for hidden sectors in the host protected area. The process was too quick to get a screenshot or even read the entire message. TrueCrypt apparently liked what it found (or didn’t find) and moved on.

[Screenshots: System Disk Encryption Wizard, screens 6-10]

At this point I’m prompted to create a rescue disk, which I do. Should something happen to the hard drive that prevents the PC from booting, the Rescue Disk can be used to boot the PC and then decrypt the hard drive so that the data can be copied off the drive.

[Screenshots: System Disk Encryption Wizard, screens 11-15]

After the detour to create the rescue disk we’re back to work on setting up the full disk encryption. At this point no actual encryption has happened yet.

[Screenshots: System Disk Encryption Wizard, screens 16-17]

Now things will begin to happen so a couple screens provide instructions on what to do should things go horribly wrong.

[Screenshots: System Disk Encryption Wizard, screens 18a-18b]

Then the PC reboots and does its thing. I’m told the pretest was successful. After clicking the encrypt button there are more instructions about how to recover if there’s a problem.

[Screenshots: System Disk Encryption Wizard, screens 19, 20a-20c]

There was another UAC prompt when I clicked “OK” on the message box. As the encryption is going on the status is displayed.

[Screenshots: System Disk Encryption Wizard, screens 21-22]

My 580 GB Hard Drive with about 75 GB in use (both as reported by Windows) took about 8 hours to encrypt. I didn’t use the PC during this time so the encryption process should have gotten all the available resources.

Conclusion

After the encryption was finished I rebooted the PC to make sure everything was OK. The reboot was fine although things seemed to be slower than before. I hadn’t had the laptop long enough to really get a good feel on the performance so it may have been more perception than reality. I had benchmarked the Dell Inspiron laptop prior to encryption so I did it again now. There was a significant drop in the disk benchmark score.

The pre-TrueCrypt encryption disk results were 21% better than the post encryption score. While I expected some performance hit, this seemed extreme. I rebooted one more time and there was a noticeable improvement. I ran the benchmark again and the disk actually scored about 10% better than the pre-encryption benchmark. (I don’t stop all background tasks to do the benchmarks so some variation is to be expected.) Like I said before, I didn’t have the laptop very long before I encrypted it so I didn’t get a good feel for performance, but I don’t have any complaints and it seems peppy enough. It was interesting that it took two reboots after the encryption finished for things to settle down.

I haven’t had problems running any software and there hasn’t been any instability with the system. My Windows Home Server backup runs just fine. Since the disk is decrypted at boot the WHS backup software sees the file system the same way it did prior to encryption.

Overall I’m happy with TrueCrypt full disk encryption. It’s worked well and I’m happy with the performance. While I certainly don’t want to lose my laptop, I’m happy to know that if I do the data will be protected.

TrueCrypt 7.0–Install & Encrypt USB Flash Drive

With the arrival of my new Dell Inspiron laptop just before some planned vacation travel I decided to try out disk encryption. My plan was to encrypt a USB drive and add an encrypted container for files on my laptop. Using Windows Bitlocker would have required upgrading to a more expensive version of Windows 7 so I went with the free Open Source TrueCrypt. In addition to being Open Source, it’s also cross-platform and runs on Windows, OS X and Linux.

Installation was simple. After downloading the latest version I ran the installation executable and ran through the wizard. There are only 5 screens during the install. They’re shown below, along with the options I used. They’re pretty self-explanatory and don’t affect the operation of TrueCrypt itself, just how you want to access it. Nothing gets encrypted during the installation.

I decided to do the full install, rather than install in “portable mode”. Portable mode is used when the extract option is picked on the first screen. It allows encrypted containers to be created but can’t encrypt the system drive. I do the full install so that I have the option of full drive encryption should I decide to go that route. It’s a 64-bit application and uses less than 8MB for the installation.

[Screenshots: TrueCrypt Install, screens 1-5]

The beginner’s tutorial referred to on the last screen is available on the TrueCrypt website. Starting up TrueCrypt presents the main screen:

[Screenshot: TrueCrypt main screen]

Creating an Encrypted Volume

My USB Flash Drive is already in a USB port (as Drive F:) so I click the “Create Volume” button to start the process of creating an encrypted container on the flash drive. The hidden volume (an encrypted volume within an encrypted volume) is more security than I need, so I’ll create a standard volume. The volume location screen is asking for the name of the encrypted container to be created, and not an existing file to be encrypted.

[Screenshots: Volume Creation Wizard, screens 1-3]

I pick AES encryption since it benchmarks with the best performance. The benchmarks are based on the current computer and will vary from PC to PC (or even on the same PC run at different times). I took the default AES selection.

[Screenshots: Volume Creation Wizard, screens 4-5]

I have the USB Flash drive formatted with the FAT file system (which is also the original format) for maximum compatibility across Windows, OS X and Linux. So I’m limited to a maximum container size of 4GB since the container is one file and FAT has a 4GB limit. I also enter a nice long phrase for the encryption password and accept the default FAT file system and cluster size. I spend some time moving the mouse around to generate some nice random keys. Once I click format the volume is quickly created.

[Screenshots: Volume Creation Wizard, screens 6-9]

The final screen in the Wizard lets me know all is well.

[Screenshot: Volume Creation Wizard, screen 10]

TrueCrypt Travel Disk

Since TrueCrypt 7 may not be on every PC I will use the USB flash drive in, I want to create a Traveler install on the flash drive. This is done by selecting Tools –> Traveler Disk Setup from the menu. For the file location I entered F: since that’s my USB flash drive. This does not mean the flash drive must always be mounted as F:, it’s simply where to install the TrueCrypt files. I don’t bother with the autorun options since I dislike any autorun.

[Screenshots: Traveler Disk Setup]

The traveler files occupy less than 4MB on the flash drive and get installed into their own directory (F:\TrueCrypt in my case).

Finally, when I want to mount the encrypted volume on the USB drive I run TrueCrypt.exe, select a drive letter to mount it on, enter the path to the volume file and click mount.

The encrypted files within the volume are now available just like any other drive. Since the file system is FAT, both on the USB stick and within the encrypted volume I can access the files on my Windows or Mac computers. Linux should work too.

Conclusion

TrueCrypt includes several features I’m not using since I want to keep things simple and I’m not concerned about someone making any effort to crack the encryption. But if my USB drive is lost or stolen, it won’t be easy for the thief to get to my files.

Installation was easy and straightforward while usage is simple. The hardest part is typing in the passphrase. The longer it is, the more secure it is, so mine exceeds two dozen characters, and considering my lack of typing skills it’s not uncommon to need two tries.