Authy on 2FA and Heartbleed
Reading up on some more information regarding the Heartbleed bug: two-factor authentication, while it helps limit the damage, is itself potentially exposed to Heartbleed. The secret seed that generates the one-time passwords in most common two-factor solutions is stored on the server, and an attacker who pulls that seed out of a vulnerable server's memory can generate exactly the same codes as your phone:
"What it means for other services? Given the severity of the issue, it is very important that you rotate all of your Two-Factor Authentication seeds. However, to do this for sites which aren’t powered by Authy’s Two Factor Authentication, you’ll have to manually go through each of the websites for which you have an Authenticator token, revoke the current secret seed and then generate a new one. Unfortunately not all sites allow you to do this, so you might have to contact them to find out how to revoke your current secret seed. If you are a site administrator, we encourage you to revoke the current seeds and request users re-enroll their Two-Factor Authentication on their next login." — http://blog.authy.com/heartbleed
The aftermath of the Heartbleed bug is going to stick around for quite a while, it seems. If you use two-factor authentication on sites like Facebook or Tumblr, I'd highly recommend disabling and re-enabling it (once the site has patched, otherwise the new seed is just as exposed as the old one), as this generates a new secret seed.
What is Heartbleed?
Heartbleed is a bug in a piece of software known as OpenSSL that many websites use to secure your connection when you log in. It's the S in https:// when you visit a website. Many websites have already taken steps to fix the Heartbleed bug in OpenSSL by updating to a version of the software where the bug has been patched. However, it is very possible that people have been exploiting this bug for some time. Using this bug, an attacker can read chunks of a vulnerable server's memory, which can contain whatever the server was handling at that moment: other users' passwords and session cookies, and in the worst case the private key that secures the site itself. That means the "secure" communication between your computer and the website could have been exposed, password included.
Most financial websites and services do not use OpenSSL to secure their sites, so most banking websites are not affected by this bug. However, services like Gmail, Yahoo Mail, Facebook, etc. were vulnerable.
More complete technical information about Heartbleed can be found at heartbleed.com
What Heartbleed isn’t
Heartbleed is not a virus, it cannot infect a computer, nor would it be used to gain access to your Windows or Mac logins or passwords. Heartbleed primarily affects companies using OpenSSL to secure their websites.
Checking If You Are Vulnerable
Several tools are available to determine whether or not a website you use was vulnerable to the Heartbleed bug. One such tool is 1Password Watchtower. Enter in the URL of a website you would like to check, then click the Check Website button.
This tool will check to see whether a site was vulnerable, and what your next action should be.
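For the technically curious, here is a small Python model of what those checkers actually test for. This is an added example, not code from the original post and not from Watchtower or any other tool mentioned here. The heartbeat record layout follows RFC 6520; the "unpatched" and "patched" servers are simplified stand-ins for the OpenSSL handler before and after the fix (the real code is C inside OpenSSL), and the "heap" bytes next to the request are constructed. It never touches the network. Real checkers send the same malformed record to a live server after a TLS handshake, which you should only do against servers you own.

```python
import struct
from typing import Optional, Tuple

# TLS record content types (RFC 5246) and heartbeat message types (RFC 6520).
CT_ALERT = 0x15
CT_HEARTBEAT = 0x18
HB_REQUEST = 1
HB_RESPONSE = 2
TLS_1_1 = b"\x03\x02"


def tls_record(content_type: int, body: bytes) -> bytes:
    """Wrap a body in a TLS record header: type, version, 2-byte length."""
    return bytes([content_type]) + TLS_1_1 + struct.pack(">H", len(body)) + body


def build_heartbeat_request(claimed_len: int, payload: bytes = b"",
                            padding: bytes = b"") -> bytes:
    """Build a heartbeat request. A well-formed one has claimed_len == len(payload)
    and at least 16 bytes of padding; the Heartbleed probe claims far more payload
    than it actually sends."""
    body = bytes([HB_REQUEST]) + struct.pack(">H", claimed_len) + payload + padding
    return tls_record(CT_HEARTBEAT, body)


def parse_record(data: bytes) -> Optional[Tuple[int, bytes]]:
    """Split a TLS record into (content_type, body); None if truncated."""
    if len(data) < 5:
        return None
    length = struct.unpack(">H", data[3:5])[0]
    body = data[5:5 + length]
    return (data[0], body) if len(body) == length else None


def vulnerable_server(request: bytes, process_memory: bytes) -> bytes:
    """Model of the unpatched handler. It trusts the attacker-supplied
    payload_length and copies that many bytes starting at the payload, running
    past the request into whatever follows it in the process heap (modelled here
    by the constructed process_memory bytes)."""
    _, body = parse_record(request)
    claimed_len = struct.unpack(">H", body[1:3])[0]
    heap_view = body[3:] + process_memory   # request payload, then adjacent heap
    leaked = heap_view[:claimed_len]        # the missing bounds check
    reply = bytes([HB_RESPONSE]) + struct.pack(">H", claimed_len) + leaked
    return tls_record(CT_HEARTBEAT, reply)


def patched_server(request: bytes, process_memory: bytes) -> Optional[bytes]:
    """Model of the fixed handler: the claimed length must fit inside the record
    that actually arrived (1 type byte + 2 length bytes + payload + 16 padding);
    otherwise the request is silently dropped."""
    _, body = parse_record(request)
    claimed_len = struct.unpack(">H", body[1:3])[0]
    if 1 + 2 + claimed_len + 16 > len(body):
        return None
    payload = body[3:3 + claimed_len]
    reply = bytes([HB_RESPONSE]) + struct.pack(">H", claimed_len) + payload
    return tls_record(CT_HEARTBEAT, reply)


def classify(sent_payload: bytes, response: Optional[bytes]) -> str:
    """Decide what a server's reply to the probe tells us."""
    if response is None:
        return "not vulnerable"             # request dropped, as the fix does
    parsed = parse_record(response)
    if parsed is None:
        return "unknown"
    ctype, body = parsed
    if ctype == CT_ALERT:
        return "not vulnerable"             # heartbeat refused outright
    if ctype == CT_HEARTBEAT and body and body[0] == HB_RESPONSE:
        returned = body[3:]
        # More bytes came back than we sent: the server is leaking memory.
        return "vulnerable" if len(returned) > len(sent_payload) else "not vulnerable"
    return "unknown"


def probe_model(server, process_memory: bytes) -> Tuple[str, bytes]:
    """Send the malformed probe to a modelled server; return verdict and leaked bytes."""
    request = build_heartbeat_request(claimed_len=0x4000)   # claims 16 KiB, sends 0
    response = server(request, process_memory)
    verdict = classify(b"", response)
    leaked = parse_record(response)[1][3:] if response else b""
    return verdict, leaked


if __name__ == "__main__":
    # Constructed stand-in for what sits next to the request on a busy server's heap.
    heap = b"POST /login HTTP/1.1\r\nCookie: session=abc123\r\n\r\nuser=alice&password=hunter2"
    for name, server in (("unpatched", vulnerable_server), ("patched", patched_server)):
        verdict, leaked = probe_model(server, heap)
        print(f"{name}: {verdict}; bytes returned: {len(leaked)}")
```

The whole bug is the one missing comparison in `patched_server`: the claimed length is checked against the record that really arrived. Everything a leak can contain (passwords, cookies, keys) is simply whatever happened to be next to the request in memory, which is why the advice is to assume the worst and rotate.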
Creating New Passwords
When creating new passwords, it has always been a good policy to create strong, unique passwords for each website or service you use. People have a bad habit of reusing passwords across many websites or services, which is why the Heartbleed bug is such a big deal; if a hacker obtains your password for one website and you reuse that password on other sites, they can easily gain access.
There are a number of programs and online services that can help to create and manage strong passwords. Here are links to some of them:
- 1Password - runs on Windows and Mac, iOS and Android
- Dashlane - web based
- LastPass - web based
- KeePass - open-source free software, runs on Windows, Mac, and Linux, with 3rd-party clients for mobile devices
Many services like Google, Microsoft, and Facebook offer users something known as two-factor (or multi factor) authentication when logging into services.
Two-factor authentication works by taking something you know, like a password, and combining it with something you have (a physical token or smartphone app) or something you are (a fingerprint, iris scan). In this way, even if a hacker gained access to your password (one factor), they would still not have the "something you have".
The video below helps to explain how this works:
Google also has more information on using two-factor authentication here: Google 2FA. Several staff use 2FA to protect their work and personal accounts. Several companies have created free smartphone apps that act as the token for two-factor authentication; Google Authenticator and Authy are two such products.
You read the whole thing, congrats. Now what?
- Use 1Password Watchtower to check whether a site you have an account on was vulnerable, and whether it has since been fixed
- Go through the website’s password reset process, which varies from one site to another, but often a ‘Forgot my Password’ or ‘Reset my Password’ link is available on the login page
- Create a new, strong, and unique password for each website and service.
I wrote this up a few months ago; I've updated it with some new information about multifactor authentication and some improvements to Undercover.
Recently a totally awesome internet pal (and UI/UX designer on the wildly popular PS3 game The Last of Us) had the misfortune of having her gear stolen from a car.
Total nightmare scenario, right? (she’s taking it in stride, because she’s cool like that)
After a chat, I offered to write up some software recommendations on how to mitigate awful situations like theft or loss through a handful of really great apps, and some might even help to recover your stuff.
There are two (technically three, but I'll get to that later) really great pieces of software out there worth looking at that I've had experience with.
Prey is a cross-platform application that installs and runs silently on your laptop, desktop, and even Android and iOS devices. When activated, Prey kicks into gear by connecting to nearby open wifi hotspots and starts recording screenshots and webcam photos, IP information, location information (based on Wifi location). All of this data is then available through Prey’s website, downloadable as a running report. It also offers functions like forcing a device to blast an alarm (helpful in finding a misplaced or hidden laptop) or completely locking out all access. Prey is an open-source application, and offers a variety of plans, including a free option, with a limited number of device installs and available reports.
Undercover by Orbicule Software is a Mac-only recovery tool. It offers many of the same features as Prey (screenshots, webcam snapshots, IP and location data) along with a few unique tools to thwart a would-be thief. Once you've reported a theft to the police, Undercover's web portal lets you build a report from the logged data that will automatically be emailed to the detective assigned to your case.
Undercover v6 has added a new feature called **Undercover Watch** that triggers its tracking mode as soon as your computer connects to an unfamiliar wifi network or when someone logs into the Guest account (or a dummy account you create).
Keylogging & On-Demand
Keylogging can be a very helpful tool to help recover a stolen laptop. The thief, thinking they’ve gotten away with it, starts using their new laptop for the things people do with computers; pay bills, shop online, and waste time on Facebook. While all of that is going on, Undercover is quietly tracking every keystroke, getting you valuable info like logins, credit card info, and phone numbers, all of which can be invaluable to the police in their recovery efforts. Undercover also includes an On-Demand mode, giving you the option to monitor a thief’s activities in realtime.
Another clever tool in Undercover’s arsenal is “Plan B” mode. By emulating a hardware failure (a dying backlight on the laptop) it forces a thief to either resell the laptop or bring it in for repair. At that point, the next time the laptop is booted up, the screen is locked displaying a message indicating that the laptop was stolen, and instructions on how to turn it in.
So which one should you use? If the only item you're worried about is a Mac, Undercover is an excellent pick. It's a one-time $60 license, versus the subscription models of several alternatives like Prey. Orbicule, Undercover's creators, also offers recovery assistance.
If you have several devices, or a Windows or Linux laptop or desktop, Prey is a great choice. As both services have similar feature sets, it's more a matter of 'Does it work with my devices?' Whichever you pick, keep in mind that these agents can only report back if the thief is able to boot the machine into an account and get online; that is exactly why Undercover's Guest-account trigger is useful, and why locking the thief out completely also keeps the agent silent.
Heck, if you wanted, on a Mac you can install both and have two layers of recovery protection, as the folks at 1Password suggested:
Backup Backup Backup!
Backups. Everyone thinks about getting around to making one, or maybe they have one sitting in a drawer on an external drive they haven’t touched or updated in months. A good backup can make the difference between a minor inconvenience or the loss of hours of work or years of important documents, family photos, etc.
Both Windows 7 and OSX have built-in backup tools, but what happens if a thief makes off with the backup drive, or you discover your backups are corrupt or otherwise unusable?
Cloud-based backups are an excellent place to start. Most are fairly affordable. I’ve been very pleased with Backblaze. At $5/month per computer (with discounts for annual plans) it’s a very affordable way to securely back up your entire computer. After an initial backup (best to do it over a weekend when you’re away or during the week while you’re at work) Backblaze monitors your system for new files and changes, and pushes them out to their storage centers. Backblaze even has a locator feature, similar to that of Prey and Undercover to help locate a lost or stolen laptop!
In the event you need your data, their site provides a file-browser-like experience for digging into specific drives or folders. If you just need a few small files, they can provide you with a downloadable zip file. Larger files or entire drives can be mailed to you on thumb drives or hard drives for a moderate fee. There’s no storage limits for backups, and it’s a very simple install on Windows or OSX.
The best backups are the ones you don’t have to think about, which is why I feel that Backblaze (along with similar software like CrashPlan or a personal cloud alternative like Transporter) are excellent because they tend to be set-it-and-forget-it affairs. Dropbox is another option, though it’s not meant to be a whole-drive backup (their plan pricing isn’t the greatest, in my opinion), and is geared more toward backing up a small set of important files.
Passwords & The Rest
Most people (my past self included) get into a terrible habit of reusing passwords. With as many different sites and services as people use on a regular basis, it's hard not to fall into the trap of password reuse. This is where software like 1Password shines. You come up with one really great, memorable, but otherwise un-guessable master password, and 1Password handles the heavy lifting of generating lengthy and inscrutable passwords like J}mDeVQE7gVFtt26v/gB<7zg8B]sfNMMhdWVjwaCETAWnY7dCM and keeping them safe for you. Combined with its browser extension, you can log in to sites with just a few keystrokes (⌘+\ on Mac). In addition to passwords, 1Password is great for storing credit card info securely (for faster online shopping) and software licenses (for when you replace or recover that stolen laptop). With cross-platform support on OS X and Windows (plus a fantastic new iOS app and an Android client) and sync via Dropbox, it's one of the first apps I suggest to people who keep using password1 to get into their sites.
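As an added example (not code from the original post, and not 1Password's or any other manager's own code), here is the core of what a password manager does for you, in Python: generate site passwords from a cryptographic random source, build a memorable passphrase for the master password, estimate how much entropy each has, and flag the reuse that this post and the earlier Heartbleed post warn about. The wordlist is a constructed toy; a real passphrase generator draws from a published list of several thousand words.

```python
import math
import secrets
import string
from typing import Dict, List

SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
FULL_ALPHABET = "".join(CLASSES)

# Constructed toy wordlist for illustration only. A real generator uses a
# published list (the EFF list has 7776 words); entropy depends on list size.
WORDS = ["anchor", "bishop", "cactus", "dolphin", "ember", "falcon", "glacier",
         "harbor", "island", "juniper", "kettle", "lantern", "meadow", "nebula",
         "orchid", "pioneer", "quartz", "raven", "saddle", "timber", "umbra",
         "velvet", "walnut", "yonder", "zephyr"]


def generate_password(length: int = 32, alphabet: str = FULL_ALPHABET) -> str:
    """Random site password from a CSPRNG (the secrets module, never random).
    Retries until every character class present in the alphabet appears at
    least once, which is what most site password rules demand."""
    if length < len(CLASSES):
        raise ValueError("too short to satisfy the character-class rule")
    needed = [cls for cls in CLASSES if set(cls) & set(alphabet)]
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in needed):
            return candidate


def generate_passphrase(words: int = 6, wordlist: List[str] = WORDS,
                        sep: str = "-") -> str:
    """Memorable master-password style passphrase: random words from a list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, choices: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


def find_reused(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Given a site -> password map, return every password used on more than
    one site, with the sites that share it."""
    by_password: Dict[str, List[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    site_pw = generate_password(32)
    print(site_pw, f"{entropy_bits(32, len(FULL_ALPHABET)):.0f} bits")
    print(generate_passphrase(6), f"{entropy_bits(6, len(WORDS)):.0f} bits (toy list)")
    # Constructed vault showing the reuse problem.
    vault = {"mail.example": "password1", "shop.example": "password1",
             "bank.example": "Yd4!t9#qLm"}
    print("reused:", find_reused(vault))
```

The two numbers printed side by side make the trade-off concrete: a 32-character random string from a 90-symbol alphabet carries about 200 bits, while six words from this toy list carry under 30, which is why a real passphrase generator needs a list thousands of words long. The reuse check is the question a leaked Heartbleed password makes urgent: which other sites did that password open?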
Multifactor authentication (most often seen as two-factor authentication, or 2FA) secures an online account by requiring two independent forms of authentication:
- Something you know, like a password
- Something you physically have
2FA has been around for a long time in the corporate and banking worlds, but many personal sites and services over the past few years have started to implement it. Evernote, Dropbox, Google, Mailchimp, Microsoft and more are getting on the 2FA bandwagon.
Several companies have replaced the more traditional hardware token (think old-school Blizzard Authenticator) with software tokens, accessed through smartphone apps, making it easier to manage multiple 2FA-enabled accounts. Authy provides one such app. Google has its Google Authenticator app available for iOS and Android. There's also Duo Mobile, Toopher, and several others that are cross-platform. Some are using Bluetooth Low Energy to authenticate you without even needing to enter your authenticator one-time password.
Adding this extra layer of security makes it tougher than ever for someone to access your accounts. Think of it like adding a deadbolt to a door. That little bit of extra effort will make would-be hackers pass on cracking your account for easier pickings.
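To make the "something you have" concrete, and to tie it back to the Authy advice in the Heartbleed post above about rotating seeds, here is the time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226) that Google Authenticator, Authy and similar apps implement, as an added Python example. It is not code from the original post or from any of those apps. The secret used in the demo is the published RFC 6238 test key, shown base32-encoded the way an app would display it.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit number and the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock, so the
    phone and the server agree without ever talking to each other."""
    return hotp(secret, int(at // step), digits)


def seed_from_base32(seed_b32: str) -> bytes:
    """Authenticator apps enrol the seed as base32 text (the secret= field of an
    otpauth:// URI, or the manual-entry code shown next to the QR code)."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding stripped for display
    return base64.b32decode(cleaned)


def verify_code(secret: bytes, submitted: str, at: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and `window` steps either
    side to absorb clock skew, and compares in constant time."""
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )


def leaked_seed_is_enough(seed: bytes, at: float) -> bool:
    """The point behind the rotate-your-seeds advice: whoever holds the seed
    computes the same code the user's phone shows, no phone required."""
    users_phone = totp(seed, at)
    attackers_script = totp(seed, at)
    return users_phone == attackers_script


if __name__ == "__main__":
    # RFC 6238 test secret ("12345678901234567890"), base32 as an app would show it.
    seed = seed_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = time.time()
    print("current code:", totp(seed, now))
    print("seed alone reproduces it:", leaked_seed_is_enough(seed, now))
```

Notice that nothing in the code is secret except the seed: the algorithm, the time and the step are all public. That is why disabling and re-enabling 2FA (which issues a fresh seed) is the only real remedy once a server that stored seeds may have leaked memory, and why the server-side check must use a constant-time comparison rather than `==`.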
In summary, I hope this gives you some options and something to think about. You certainly can't predict something as unfortunate as theft or disaster when it comes to your digital goings-on, but with software you can gain some peace of mind by knowing that even if something happens, you're prepared and your stuff is safe.