passwords

Workable two-factor authentication

Dave Farquhar security , , , , , , ,

I’m several months late to this party, but I just saw Marcel’s post on Google’s two-factor authentication with a smartphone.

He’s right. It works until someone steals your phone. Once someone steals your phone, you’re in a world of hurt. It’s just a compromise, until we find a way to do two-factor authentication the right way.

The right way is with a smartcard, issued by some sort of central authority. Read more

Two more questions about wireless security

Dave Farquhar security , , ,

I got two good questions last week, via Facebook, that I answered briefly in the comments, but are worth further exploration: Does it beef up wireless security to hide the SSID and only allow the MAC addresses of hardware you own?

Those are good questions. Smart questions. I like those kinds of questions.

Unfortunately, neither measure gets you a whole lot. Against a sophisticated attacker, that buys you minutes, compared to the security of a strong password, which buys you years. It’s like having a locked screen door in front of the vault door at Fort Knox. (Assuming you’re using a strong password–if you’re using a weak password and these measures, it’s like having multiple locked screen doors.)

Then again, not everyone is a sophisticated attacker.
Read more

Don’t let what happened to Mat Honan happen to you

Dave Farquhar security , , , , , ,

Technology journalist Mat Honan infamously had his entire digital life hacked and erased this week. Slate published some advice to keep the same from happening to you, and my former classmate and newspaper staff mate Theo Hahn asked me to comment.

Read more

Some lessons from cracking the compromised Linkedin password database

Dave Farquhar security , , , , , , ,

Here’s a blow-by-blow account of a security researcher’s attempts to crack the compromised Linkedin database. This is a very good example of ethical hacking.
Read more

Change your Linkedin password now

Dave Farquhar security , ,

If you use the professional social networking site Linkedin–which I recommend, albeit now with caveats–you need to be aware that someone stole at least part of its passwords database and leaked it onto the Web. You should assume your password is among the stolen passwords and change it.
Read more

Chained-word passwords

Dave Farquhar security

Tom Gatermann asked me about a new password concept. How about, instead of 16 characters of gobbledygook, you chained together three unrelated words and separated them with garbage characters?

It would be easier to remember. But is it strong enough?

I think he’s just trying to get me to do math. But let’s look and see. Read more

Things I wish everyone knew about home Mac security

Dave Farquhar Macintosh, security , , , , , , , , ,

On Wednesday evening, I wrote about basic computer security from a Windows-centric perspective. I knew some people who needed help in a hurry, and given there was a 90% or so chance they were running Windows, I took that route.

Some of my buddies who use Macs passed it along. And much of what I said then does apply, but I’d like to clarify a few of those points.
Read more

Things I wish everyone knew about home computer security

Dave Farquhar security , , , , , , , , , , , , ,

I’m a security professional by trade, with two certifications. I’m not responsible for defending your computer networks, but I want your networks to be secure. There’s a really simple reason for that. If your computer and your network is secure, then it isn’t attacking mine. Or anyone else’s.

Several fellow subscribers to a train-related interest group that I like got hacked recently, and have been sending out spam messages. They’ve received a lot of advice in the hours since. Some of it has been good, and some not as good. So I tried to think of some things that people could do in about 30 minutes to keep the crooks at bay.

Incidentally, the computer crooks won’t be going away. Computer crime happens because the criminals can make more money doing that than doing something legal. The only way to make it stop is to make it too hard, so that getting a real job becomes more profitable. You won’t solve that problem in 30 minutes, but if we all take that single step down that road, we’ll make the world that much safer. So, with that, let’s roll up our sleeves. Read more

Security+ test taking tips

Dave Farquhar security , ,

One of my coworkers is being required to get a Security+ certification, and asked me for advice. She’s gone to class, read some books, and she’s going to another class on TCP/IP, but she’s just not comfortable yet. I gave her some Security+ test taking tips.

Since other people might be in her situation, I figure it’s worth writing about. Read more

Don’t call the war on hackers unwinnable

Dave Farquhar security , , , , , , , ,

John C Dvorak asks what war we’re waging on hackers. While war may not be the best choice of words, because it’s not exactly a conventional war, there’s no question there’s something going on, and we’re not winning it right now.

The latest salvo is that someone in China is building a botnet using Macintoshes. Read more