The best PGP tutorial for Mac OS X

PGP is a popular ((I use the term “popular” loosely here, since although it’s quite popular in the tech crowd, its quirky setup and confusing usage has made it less appealing for “normal” people.)) way to send secure messages. It is however quite difficult to get started and to know what everything means. Since most people aren’t cryptography experts, it’s hard to get going and use it every day.

The best PGP tutorial for Mac OS X is a tutorial to change the technical hurdle required to get started, and makes encrypting and decrypting messages super simple.

Continue reading

Heartbleed Status

Heartbleed is the name of a recently disclosed vulnerability in the widely used security software called OpenSSL, which is used for securing web communications.

What makes Heartbleed so venerable is the way it stays completely undetectable and is very easy to exploit. Cloudflare posted a challenge for people to extract the private key from their intentionally vulnerable server, and it was just a matter of time before someone managed to break it.

What makes this possible is the ability to send a malformed request to a TLS extension called heartbeat, which makes the server respond with arbitrary memory data up to 64k. It can contain anything, such as user passwords and even the private keys used to secure the connection in the first place.

xkcd provides probably the simplest way of explaining what the Heartbleed is all about in xkcd 1354.

If you are not running your own site, you won’t have to bother with patching the software and issuing new certificates. You will however need to change your password on affected sites, and Mashable provides a list of popular sites and their current status.

Bruce Schneier writes about Heartbleed and his post contain links for further reading and discussions and is well worth a browse.

Apple releases iOS 7.0.6 fixing a serious SSL/TLS vulnerability

Information regarding the vulnerability is currently terribly scarce, but judging by the information in the Apple KB, it sounds very serious indeed and would allow man-in-the-middle attacks on SSL/TLS connections.

The problem was apparently found by Roland Moriz when trying to use curl on Mac OS, where it failed to identify a simple Common Name mismatch. (email proof)

What this means in reality is that someone who sits between you and a target site, such as your bank or Facebook, would be able to listen in on your traffic and potentially modify information as it is being sent to the server.

How I Lost My $50,000 Twitter Username

This is some seriously scary stuff.

It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification.

Social engineering has been done since the beginning of time. Giving out credit card information, regardless of who is asking for it should just not be done. Since it has the powers to be used as a password substitute, it should be treated in the same manner.

Using two-factor authentication is a must. It’s probably what prevented the attacker from logging into my PayPal account. Though this situation illustrates that even two-factor authentication doesn’t help for everything.

There is no reason to not use two-factor authentication these days. Do however take note ((I use a tag in 1Password for all sites requiring two-factor authentication.)) of all sites using two-factor auth connected to your phone , in case you need to change the phone number in the future ((This happened to me a while ago (a story for another day), which has lead me to always make it a conscious decision when entering my phone number on a website. I keep track of websites having my phone number using a tag in 1Password.)).

Tesla Motors’ Over-the-Air Repairs Are the Way Forward

[…] because of its ability to send software updates to its vehicles wirelessly, the 29,222 Tesla Model S electric cars that were affected have already been fixed.

It seems that Tesla has become the Apple of the car industry by working together with the customers, making their lives easier instead of take the old proven path of having to hand in the car to get it updated.

I just can’t refrain from imagining what may happen if someone were to gain access to the Tesla software update process.

MacRumors forums hack exposed password data for 860 000 users

It seems that MacRumors have joined Adobe, Sony and Ubuntu Forums in revealing a large number of user information, including MD5 password hashes.

One day passwords may be a thing of the past, but in the meantime use a password manager such as iCloud Keychain, 1Password, Lastpass to manage unique passwords for all sites.

Enable Two-Step Verification in Evernote

Evernote has now joined the growing number of online services with support for two-factor authentication.

What this means for the average user is a more secure account, as you will need to provide a second factor when logging in, such as an SMS from your phone, or a challenge/response using Google Authenticator.

Twitter reinvents two-factor authentication

Twitter entered the two-factor authentication (2FA) game earlier this year when they released the de-facto implementation, time based OTP over SMS. It has been working fine even though it had its shortcomings, including the inability to view app passwords created for apps without support for 2FA. Not to mention the lack of carrier support for most operators in Sweden.

Twitter have just superseded their recently implemented 2FA with a new scheme called “login verification”, which uses your mobile Twitter client as an authentication token, which means that they no longer have to rely on carriers to support their service.

The new two-factor system works like this. A user enrolls using the mobile app, which generates a 2048-bit RSA keypair. The private key lives on the phone itself, and the public key is uploaded to Twitter’s server.

When Twitter receives a new login request with a username and password, the server sends a challenge based on a 190-bit, 32 character random nonce, to the mobile app – along with a notification that gives the user the time, location, and browser information associated with the login request. The user can then opt to approve or deny this login request. If approved, the app replies to a challenge with its private key, relays that information back to the server. The server compares that challenge with a request ID, and if it authenticates, the user is automatically logged in.

A very creative solution to the problem, and since the approval is completely out of band with the authentication, clients do not even need to be aware of the secondary authentication procedure.

The downside is naturally that your phone is ever more important to keep track of, even though they seem to have support on standby in case you lose access to your phone.

Facebook uses a similar strategy in case you have enabled login verification for your account, but instead of relying on RSA cryptography, any logged in client may approve a new computer. The upside compared to the Twitter solution is that the approvals are not locked to one particular device, and the downside is the exact opposite – any logged in client may approve a new client.

When enabling login verifications, you are presented with a backup code, which can be used to access your account in case you lost your phone. I make it a habit of always writing the recovery codes into the current site’s entry in 1Password. That way, you can use any computer with 1Password installed to retrieve it when needed.