Category Archives: Security

Why I still have faith in LastPass

I’m sure I am not the only one who saw this news from LastPass yesterday and almost had a heart attack.

After reading and digesting the news (and changing my master password) I concluded that I am still more secure with LastPass than without it.   I would also make that statement about any of the other popular secure password managers out there, I just happened to land with LastPass and am a satisfied user.

For those who are customers of other products, don’t be so quick to jump on LastPass, it was simply their turn now, clearly anyone in this space is going to be a target.

So I will continue to rest easy knowing my data is in LastPass for the following reasons

  • They were completely transparent about what happened, explained it clearly, and immediately implemented additional security measures to protect their users data
  • I have Two-Factor authentication enabled, so even if my master password was stolen (which it was not) I am still in pretty good shape
  • I take advantage of LastPass’s feature which allows me to limit the countries from which my account can be logged in t0 (sure  the United States is a big country and there are ways around this, but every little bit helps)
  • I like the way LastPass has reacted to other security issues (like Heartbleed) where instead of using it as a promotional opportunity which is what some of their competitors did, LastPass released a tool to help you figure out which passwords should be changed immediately

I am infinitely more secure having unique, secure passwords for every site, than what I had before I went all in with LastPass, so I think I will continue to use LastPass and sleep at night.

Adding Two Factor Authentication to IBM Connections Cloud

Yes, it’s true 🙂

When I looked at the schedule for IBMConnectED, there was one session that was a can’t miss.  Steve McDonagh was talking about adding Two Factor Authentication to IBM Connections Cloud.   If you know me, you know I do a lot of work with IBM Connections Cloud and I am obsessed with two factor authentication, of course I had a conflict and could not be there, so with the help of Devin I managed to get a video of the session which Steve was nice enough to let me publish.

On a side note, if IBM Connections Cloud and two factor authentication is of no interest to you, consider watching the first 5 minutes regardless it’s brilliant,

Check out Steve’s Blog for more on Two Factor Authentication with IBM Connections Cloud 

IBM Updates on SHA-2 and POODLE

Two new Technotes have been published

How is IBM Domino impacted by the POODLE attack?

The Short version it is and IBM will provide Interim Fixes for the following Domino releases:

    • 9.0.1 Fix Pack 2
    • 9.0
    • 8.5.3 Fix Pack 6
    • 8.5.2 Fix Pack 4
    • 8.5.1 Fix Pack 5

Planned SHA-2 deliveries for IBM Domino 9.x

The Short version

SHA-2 support for Domino 9.x is planned to be delivered over the next several weeks via an Interim Fix.

  • With this Interim Fix, Domino administrators will be able to configure Domino 9.x to use a SHA-2 certificate over HTTP, SMTP, LDAP, POP, and IMAP. With a SHA-2 certificate in place, users will be able to use a browser to connect to iNotes, XPages, traditional Domino Web apps, and Sametime (based on Domino HTTP).
  • Once the Interim Fix is applied, browser users will not receive a security alert since Domino will be configured with SHA-2. Domino administrators will be able to import a 3rd-party SHA-2 cert or generate SHA-2 certs with the Domino Administrator client with Domino 9.x running the Interim Fix on all supported platforms.
  • As mentioned in the above section, the cryptographic infrastructure needed to provide these features was new to Domino 9.x. For this reason, we will not be able to support SHA-2 on Domino 8.5.x.

IBM Domino, Google, and SHA-1

There is a lot of talk these days about Google’s decision to accelerate the deprecation of SHA-1, and IBM Domino’s lack of support for SHA-2 .  Right off lets get this straight IBM absolutely should have plans to add SHA-2 support in Domino and an implementation date should be communicated ASAP.  At the same time the pressure should really be on Google to back down from what is an arbitrary deadline they announced out of the blue, and to support the previously announced 2017 date for the deprecation of SHA-1.

While it is easy to blame IBM here (and again IBM needs to communicate a date they will support SHA-2 in Domino) the immediate deprecation by Google is an arbitrary move that does not have a lot of support.

Some facts

  • Microsoft previously announced their plans to deprecate SHA-1 in 2017
  • Currently 92% of certificates on the Internet are SHA-1 signed
  • Google then decided to begin deprecating SHA-1 in November of this year
  • SHA-1 has not been compromised or hacked
  • Google as an Intermediate CA is issuing them with SHA-1 (but their deprecation policy exempts their own certificates)


Here is a statement from the CA Security Council 

Although the CA Security Council (CASC), comprised of the seven largest Certificate Authorities, supports migration to SHA-2, members are concerned about the impact on website users and administrators alike. Considering many users may still use software lacking SHA-2 support, primarily Windows XP SP2, and the still unknown impact on a complete SHA-1 migration, this 12 week timeline is aggressive. In addition, many devices still lack SHA-2 support, making necessary possibly unplanned and expensive upgrades.

With fall shopping season nearly here, this policy may be particularly concerning for small internet stores, which could be impacted just before the holiday rush. Because many large sites have lockdown periods leading up to the end of the year, companies that have not transitioned may find themselves restricted from making the move until January, or beyond, due to lack of SHA-2 support. Although a migration to SHA-2 is necessary as computing power increases, because of the significant impact in migration and the lack of a practical attack until 2018, the CASC members recommends thetimelines announced by Microsoft in November 2013, which deprecate SHA-1 in code signing certificates by January 1, 2016 and in SSL certificates by January 1, 2017.

If you want a clear explanation on all this, listen to what Steve Gibson has to say about it on Security Now (If it does not begin there automatically pick up the podcast at 48:37 for the SHA-1 discussion)

Making Two Factor Authentication (even) easier

If you pay attention to the news you know you should be protecting your accounts with strong unique passwords, and two factor authentication wherever it is supported.  Two factor authentication improves your security by requiring (as the name implies) as second piece of information to authenticate which is usually a number generated by an app on your phone or received via text or email.  A while ago I posted this tip to make two factor authentication a little easier, now I want to follow that up with another tip.

I recently moved all my two factor authentication from Google Authenticator  to Authy.  The big difference is Authy will let you sync your two factor authentication between multiple devices as well as serve them up via a Chrome App.

I recently replaced my phone and instead of having to open up all my QR codes I was able to simply authorize my new phone in Authy and decrypt all my sites in seconds

Making Two Factor Authentication (a little) easier

I am a big fan of Two Factor Authentication.  If you are not familiar with two factor authentication, there is a good explanation here.  I have enabled  Two Factor authentication pretty much on any account I have that supports it.

Many Two Factor implementations use the Google Authenticator app to provide the authentication code.   Setting up  the authenticator is easy, you generally scan a QR code, and then enter the code to confirm the setup.

One of the difficulties when using Two Factor authentication is setting up the Authenticator app on a new or additional device.  When you initially set up Two Factor authentication you are presented with a QR Code that is scanned by the app to automatically configure the account.   Typically to set up another device you have to invalidate the original configuration, and sometimes even disable and then re-enable Two Factor Authentication altogether.

Recently listening to an episode of This Week in Google they shared a tip so simple I don’t know why I never thought of it.  When you first enable Two Factor authentication for a given account download the QR Code image and save it somewhere securely.   Since I use Lastpass as a password manager I create a secure note which allows me to securely upload and save the QR code image.   Configuring the Authenticator App on an additional or new device is as simple as opening up the secure note and scanning the bar code.

Hacked? Google Wants to Help

Here was my experience a few months ago

Oxford University Blocks Google Docs

This story caught e eye this morning, Oxford University made a decision to block Google Docs on the campus network at least temporarily for security reasons.  You can read the article for why Oxford made this decision, the key though is how they see Google’s response (or lack thereof) to Phishing attacks running in Google Docs

Unfortunately, you then need to wait for them to take action. Of late that seems typically to take a day or two; in the past it’s been much longer, sometimes on a scale of weeks. Most users are likely to visit the phishing form when they first see the email. After all it generally requires “urgent” action to avoid their account being shut down. So the responses will be within a few hours of the mails being sent, or perhaps the next working day. If the form is still up, they lose. As do you – within the next few days, you’re likely to find another spam run being dispatched from your email system.

I personally use Google docs (personally not professionally) but the lack of response, or knowing when they will respond to a security incident is pretty scary.

Google Blocks


Hacked! Now What?

Earlier in the week a couple of friends were nice enough to let me know that Google was reporting that my site contained malware.  Unfortunately when I investigated it appeared that malicious code had found its way on to my site.

Fortunately I take regular backups, and the easiest way to fix was to restore the WordPress files from a backup (after of course confirming that the backup was Malware free).  My Database was not impacted so I did not have to restore it.

I am still trying to determine how the malicious code found its way in,  I am careful with my site using secure SSH and WordPress passwords, the only WordPress Plugins I use are well known and trusted, but I would like to solve this mystery.

In the mean time some lessons learned (or reinforced) and action items

  • Backups, Backups, Backups, make sure they are running and TESTED
  • I changed all my passwords related to my blog, including my Dreamhost account password, my SSH Account, and my WordPress password
  • Changed my password since the account is linked to my blog via JetPack
  • I changed my database password even though it did not appear to have been compromised
  • After the cleanup was complete I submitted my site to Google for review and removal of the Malware flag which fortunately they were quick to do
  • I am following up with Dreamhost to see if they had any known breach, though they are generally 100% transparent on the rare occasions they  experience any Hardware or Software issues

Thanks to having working backups this was not a big deal, but I would like to figure out how the malware found its way in, and what I can do to better protect myself in the future.

Has your site ever been hacked? Did I miss anything on my cleanup?  Have any suggestions to better protect my site? Please share them in comments below.

Will you Enable Two Step Verification on your Google Account?

I tweeted a little about this over the weekend, Google has now enabled Two Step authentication for all accounts (if it has not hit your account yet it will soon).

2-22-2011 7-50-49 AM

What is Two Step authentication? Simple in addition to your password, you need a 6 digit random code, which you can obtain via an app on Android, Blackberry and iOS, or via SMS or Phone.  The code is randomly generated, unique to you, and time based changing every 30 seconds or so.  What this does is make it so that a hacker just getting your password alone does not allow them to hijack your account.

I have had a PayPal Security key for my PayPal account for a couple of years now, and am very happy to see Google add this option, I would like to see my banks, credit card providers, and others add this option as well.

When you enable Two Step Authentication you are given 10 codes to use in emergency in case you don’t have access to your phone to retrieve a verification code.  You do need to decide how to securely save them where you will have access to them if you need them (hint: don’t store them somewhere protected by your google account).

On a PC after initially logging in with a verification code, you have the option to only require a verification code every 30 days. 

Mobile devices and other Google Apps that don’t yet support Two Step Authentication no longer use your google account password, but use a password you generate for your account, so your actual google password is no longer stored on your mobile device or in other applications, you can also revoke the application password at any time from your google account page.  In this example I named this password ‘Android’ as it is the one I created to use on my phone.

2-22-2011 7-41-48 AM

You can create multiple application specific passwords, after you clear the password off the screen there is no way to retrieve that password again, if you need it again you simply create another one (and preferably revoke the ones no longer in use).

So Two Factor Authentication adds a little overhead to your account, requiring you to retrieve and enter the code on logon, and manage application specific passwords.  To me the few seconds it will cost me here and there is completely worth it for the security it adds.  I have seen far to many people have their accounts hacked recently, and even though I use secure passwords, and change them (somewhat) regularly, I really feel better about my account security with Two Step Authentication enabled.

Will you turn it on for your account? It is available for Gmail accounts, and Google Apps for Domains accounts, though in the latter the option has to be enabled by the domain administrator.

The Official Google Blog: Advanced sign in security for your Google account