Security

Bypass two-factor authentication to Gmail?

Update – Never mind – see bottom of article.
Discovered an interesting flaw in the requirement for two-factor authentication with Gmail today. I like to use the application on my cell phone to ensure that only I have access to my account, and if somehow a keylogger were in place, my Gmail password would be of no use, as the second factor would also require access to my cell phone.
However, today I logged into Google Reader first (which doesn't support second-factor authentication) using my username and password only. I then clicked the Gmail tab at the top of Reader, and hey presto, I'm into Gmail.
Bottom line: don't think that just because you have enabled second-factor authentication you are safe from keyloggers on a PC or from network sniffing/man-in-the-middle attacks. I've not reported this to Google yet, but it will be interesting to see what they say.
Update: After signing out AND restarting Firefox I was prompted for the second-factor password. Interestingly, I wasn't prompted until I restarted the browser, so, as usual, always restart browsers once you've finished with them.

Fixed: DigitalPersona fingerprint reader with roaming profiles not saving passwords

The new laptop has a fingerprint reader and comes with DigitalPersona's fingerprint software. At first glance this looks like a useful piece of software, but after trying to use it I've found it very buggy and the support is non-existent. DigitalPersona offer no support for the product and refer you to the OEM partner, in my case Dell, who have nothing in their knowledge base about this product either.

My problem was to do with our roaming profile. After receiving the laptop last night I synced (or so I thought) to the domain, took the machine home and logged in. Windows 7 decided that it couldn't load my profile and used the temporarily saved copy; all well and good for now, as my desktop background, images, shortcuts etc. all exist. However, every time I go to add a new website in DigitalPersona it seems to take the information but does not actually save it to the machine. Suspecting roaming profiles, I created a local user, logged on as that user and registered my fingers. Note that if you do this, when you use the Windows logon screen and your finger to log in, the PC automatically logs you in without asking which user you want to use. I'm not sure how it determines which user to use, but in my case it used my local user (which was also the most recently created user).

After logging on as the local user I was then able to launch Internet Explorer 9, log into Gmail, Facebook and this blog, and register my usernames and passwords, and DigitalPersona kept the information. At this point I also used the option to download and install updates to the software; the most recent version now running on the PC is 5.30.252a. Note: to get to the updates, click on the plus sign by Central Management and the Update tab appears.

I then logged off the machine and logged back in with my domain account. I tried to use DigitalPersona and yet again the software refused to take my passwords. I opened Explorer, browsed to %appdata% and sure enough, there was no DigitalPersona directory. I then browsed to c:\users\localusername\appdata\local and checked out the DigitalPersona directory. This contains an OTS directory, and then _dp_ots_tmp and DPIconCache directories. The tmp directory was empty and the DPIconCache directory contained an icon for each site I'd saved a password for. I copied the DigitalPersona directory from the local user's appdata\local directory to my own %appdata% directory and was magically able to start saving passwords in IE9.

Unfortunately I've yet to get the program to work with Firefox or KeePass; it does not detect that Firefox or KeePass has a login window open.

If anyone has a better (preferably free) password manager that works with IE, Firefox, Chrome and KeePass (the last is optional), then please let me know.

Interesting analysis of Sony password

Troy Hunt has a nice analysis of some of the passwords that were recently stolen from Sony. As usual, most of the passwords are pretty easily cracked, although in this case the hackers didn't need to crack them as the passwords were stored in plain text. The scary thing is how many of the passwords were the same between the Sony site and the Gawker site that was also broken into earlier. Naturally the key (no pun intended) between the sites is that the user ID is commonly the email address, which then also means there is a fairly good chance of having your Gmail account broken into.

One of these days I'll break this information up into a password guide for users to show them how it "really could happen to them" and the risk it generates for the company as well as for their personal information. I'm actually surprised at the number of people who use their work email address for things like Facebook and other social applications. After all, work email addresses are not exactly permanent nowadays and definitely not private.

It would also be really interesting to take all of our clients' email addresses and run them against the login IDs from this database to see if anyone was in it. Alternatively, checking previous web site history would give a clue as to whether people were using this site (but would be a very painful and time-consuming process). The only problem is the time it would take and the fact that only a subset of the data was made available for download to the general public.
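The cross-check described above (run a list of addresses against a dump, and compare two dumps for password reuse) is a few lines of code once the dumps are parsed. The following is added example code, not Troy Hunt's analysis and not part of the original post: it works on two constructed sample dumps, and the line format (email:password, with '#' comment lines) is an assumption.

```python
"""Cross-reference two breach dumps the way the post suggests: which addresses
appear in both, how many reused the same password, and which belong to domains
you are responsible for.

Added example code, not Troy Hunt's analysis or the original post's. The two
dumps are constructed samples; the line format (email:password, '#' comments)
is an assumption.
"""
from __future__ import annotations

SONY_DUMP = """\
# constructed sample, not real data
alice@example.com:seinfeld
bob@clientco.example:password1
carol@example.org:Tr0ub4dor&3
dave@clientco.example:123456
erin@example.com:let:me:in
"""

GAWKER_DUMP = """\
# constructed sample, not real data
Alice@example.com:seinfeld
bob@clientco.example:Password1
dave@clientco.example:123456
frank@example.net:qwerty
"""


def parse_dump(text: str) -> dict[str, str]:
    """Return {address (lower-cased): password}.

    Blank lines, comments and lines without ':' are skipped; only the first
    ':' splits, so a password that itself contains ':' survives intact.
    """
    accounts: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        address, password = line.split(":", 1)
        accounts[address.strip().lower()] = password
    return accounts


def cross_reference(a: dict[str, str], b: dict[str, str]) -> tuple[list[str], list[str]]:
    """Addresses present in both dumps, and the subset whose password is identical.

    Passwords are compared case-sensitively: 'password1' and 'Password1' are
    different credentials even though a cracking run would find both.
    """
    shared = sorted(set(a) & set(b))
    reused = [addr for addr in shared if a[addr] == b[addr]]
    return shared, reused


def reuse_rate(shared: list[str], reused: list[str]) -> float:
    """Fraction of shared accounts that reused their password (0.0 when none are shared)."""
    return len(reused) / len(shared) if shared else 0.0


def addresses_in_domains(accounts: dict[str, str], domains) -> list[str]:
    """Addresses in a dump whose domain is one of `domains` (your clients, your company)."""
    wanted = {d.lower() for d in domains}
    return sorted(addr for addr in accounts if addr.rsplit("@", 1)[-1] in wanted)


if __name__ == "__main__":
    sony, gawker = parse_dump(SONY_DUMP), parse_dump(GAWKER_DUMP)
    shared, reused = cross_reference(sony, gawker)
    print(f"{len(shared)} accounts in both dumps, {len(reused)} reused the same password "
          f"({reuse_rate(shared, reused):.0%})")
    print("client addresses exposed:", addresses_in_domains(sony, ["clientco.example"]))
```

Addresses are lower-cased before matching because the two sites will not have normalised them the same way; passwords are left exactly as found, since a case change is a different credential from the login form's point of view.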

Fixed – Warning, an attempt to check your OpenID Provider login status returned an invalid SSL certificate error

Using Firefox on my main computer at home this morning I started to get a message stating “openid provider login status returned an invalid ssl certificate”, and it took me a couple of minutes to work out how to fix this.

Warning, an attempt to check your OpenID Provider login status returned an invalid SSL certificate error.

About 2 years ago I installed the Verisign Labs PIP Seatbelt extension for Firefox. This enables me to sign in with an OpenID account and not have to pass my real credentials across the internet all the time. This works great for securely signing into my WordPress account without passing my credentials in cleartext when I am at a conference etc. However, Verisign's certificate expired a couple of days ago and they replaced it with a new one.

Unfortunately it seems that the seatbelt extension knows about the old certificate but does not trust the new one.

The solution is quick and easy, but not obvious from the error message. However thanks to Doug at TakeALeft from back in 2009, you just need to update the seatbelt extension.

In Firefox go to Tools, Add-ons and scroll down until you get to the Seatbelt extension. Select Options and then click on the OpenID Providers tab.

OpenID Providers tab - select the provider and choose Update

Note that in my screenshot above, I have already updated mine, but select the Provider and then click Update.

You will then be prompted with “Your Primary OpenID provider has published a new configuration file”. Say OK to this message.

OK your way out of all the dialog boxes and the error message is no more.

More Gmail accounts are being hacked.

This afternoon I received spam from colleagues at work, sent from their Gmail accounts. The emails went to both my personal Gmail account and my work accounts. It looks like the emails are in the Sent Items folder, which is rather worrying, as it means the spammer sent mail from the account rather than forging the headers to make it look like it came from the account. I know for a fact that the password was secure on at least one of the accounts, so a weak password is not the culprit. A quick (ironic) Google search shows that several people have been tweeting about this in the past couple of hours (mine came in at 3.43pm and I had another at 7.30pm).
Google's standard answer is to change your password, which doesn't really help when there is obviously a back door letting people into the account in the first place. The solutions provided are as follows:

If your account has been compromised/hacked/stolen you will need to check at least all of the following things:

Account Security:
Settings -> Accounts and Import -> Google Account Settings -> Change Password [pick a new secure password]
Settings -> Accounts and Import -> Google Account Settings -> Change Password Recovery Options [verify secret question, SMS and secondary e-mail address]

Potential Spam:
Settings -> General -> Signature [make sure nothing has been added]
Settings -> General -> Vacation Responder [make sure it’s disabled and empty]

E-mail Theft:
Settings -> Accounts and Import -> Send Mail As [make sure it is using your correct e-mail address]
Settings -> Filters [no filters that forward or delete e-mail]
Settings -> Forwarding and POP/IMAP -> Forwarding [disabled or correct address]
Settings -> Forwarding and POP/IMAP -> POP Download [disabled]
Settings -> Forwarding and POP/IMAP -> IMAP Access [disabled]

Additional Information
Keeping account secure: https://mail.google.com/support/bin/answer.py?hl=en&answer=46526
Protecting your account: https://mail.google.com/support/bin/answer.py?hl=en&answer=29407
If your account is compromised:  http://mail.google.com/support/bin/answer.py?hl=en&answer=50270
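The checklist above is the set of settings an intruder changes to keep a copy of your mail and hide their activity after the password is reset, so it is worth checking mechanically rather than by eye. The following is added example code, not Google's and not part of the original post: it walks a settings structure shaped after the Gmail API's settings resources (an assumption; the checklist refers to the web UI) and reports each item that fails. The sample account data is constructed to look like an account an attacker has finished with.

```python
"""Audit a Gmail account's mail settings against the checklist above, flagging
the persistence and exfiltration tricks a hijacker typically leaves behind.

Added example code, not Google's. The dict layout is modelled on the Gmail
API settings resources (sendAs, filters, autoForwarding, pop, imap, vacation);
that shape is an assumption, and the sample below is constructed.
"""
from __future__ import annotations

# Constructed sample: spam signature and responder, a second send-as identity
# with a foreign reply-to, filters that forward and delete, and every
# mail-client door left open.
SAMPLE_SETTINGS = {
    "sendAs": [
        {"sendAsEmail": "victim@example.com", "isPrimary": True,
         "replyToAddress": "victim@example.com",
         "signature": "Cheap meds: http://spam.example/offer"},
        {"sendAsEmail": "support@example.net", "isPrimary": False,
         "replyToAddress": "attacker@example.net", "signature": ""},
    ],
    "vacation": {"enableAutoReply": True,
                 "responseBodyPlainText": "Great deals at http://spam.example/offer"},
    "filters": [
        {"id": "f1", "criteria": {"from": "bank.example"},
         "action": {"forward": "attacker@example.net", "removeLabelIds": ["INBOX"]}},
        {"id": "f2", "criteria": {"subject": "password reset"},
         "action": {"addLabelIds": ["TRASH"]}},
        {"id": "f3", "criteria": {"from": "newsletter@example.org"},
         "action": {"addLabelIds": ["Label_42"]}},
    ],
    "autoForwarding": {"enabled": True, "emailAddress": "attacker@example.net",
                       "disposition": "leaveInInbox"},
    "pop": {"accessWindow": "allMail", "disposition": "leaveInInbox"},
    "imap": {"enabled": True},
}


def audit_gmail_settings(settings: dict, owner: str,
                         allowed_forward: frozenset = frozenset()) -> list[str]:
    """Return one finding per checklist item that fails.

    `owner` is the address the account should send as; `allowed_forward`
    lists forwarding destinations the owner configured deliberately.
    An empty list means every item on the checklist looked clean.
    """
    findings: list[str] = []
    allowed = {a.lower() for a in allowed_forward}

    # Potential spam: signature and vacation responder
    for alias in settings.get("sendAs", []):
        addr = alias.get("sendAsEmail", "")
        if alias.get("signature"):
            findings.append(f"signature set on {addr}: {alias['signature']!r}")
    vacation = settings.get("vacation", {})
    if vacation.get("enableAutoReply") or vacation.get("responseBodyPlainText"):
        findings.append("vacation responder enabled or not empty")

    # E-mail theft: send-as identities and reply-to must all be the owner's
    for alias in settings.get("sendAs", []):
        addr = alias.get("sendAsEmail", "")
        if alias.get("isPrimary") and addr.lower() != owner.lower():
            findings.append(f"primary send-as is {addr}, expected {owner}")
        elif not alias.get("isPrimary"):
            findings.append(f"extra send-as identity {addr}")
        reply_to = alias.get("replyToAddress") or addr
        if reply_to.lower() != addr.lower():
            findings.append(f"send-as {addr} replies to {reply_to}")

    # Filters that forward, delete or hide mail cover the attacker's tracks
    for flt in settings.get("filters", []):
        action = flt.get("action", {})
        target = action.get("forward")
        if target and target.lower() not in allowed:
            findings.append(f"filter {flt['id']} forwards to {target}")
        if "TRASH" in action.get("addLabelIds", []):
            findings.append(f"filter {flt['id']} deletes matching mail")
        if "INBOX" in action.get("removeLabelIds", []):
            findings.append(f"filter {flt['id']} hides matching mail from the inbox")

    # Account-wide forwarding and mail-client access
    forwarding = settings.get("autoForwarding", {})
    if forwarding.get("enabled") and forwarding.get("emailAddress", "").lower() not in allowed:
        findings.append(f"auto-forwarding enabled to {forwarding.get('emailAddress')}")
    if settings.get("pop", {}).get("accessWindow", "disabled") != "disabled":
        findings.append("POP download enabled")
    if settings.get("imap", {}).get("enabled"):
        findings.append("IMAP access enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_gmail_settings(SAMPLE_SETTINGS, "victim@example.com"):
        print("FINDING:", finding)
```

Anything the function returns needs fixing alongside the password change: an intruder who still has a forwarding rule or a second send-as identity keeps receiving a copy of everything, including the password-reset mail, which is why a password change on its own so often fails to end the compromise.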

Ciao is also reporting similar issues today.

It would be interesting to see if any of the compromised accounts were on the Google Apps servers, as this probably has greater repercussions for Google's business model: people will trust Google even less. It will certainly raise questions at work on Monday as to whether we would recommend moving some clients to Google Apps. Even if you haven't been hacked (check your Sent Items, your filters and your frequent contacts for spam messages), I would still highly recommend you change your password NOW and ensure it is a complicated, non-dictionary one.

Adobe Reader download still at 9.1

I can't believe that after all this time the Adobe Reader offered from adobe.com is still version 9.1, requiring another 27.6 MB “upgrade” after the initial installation.

Seriously – how hard is it to provide an installer with the latest version of your software when old versions are extremely vulnerable to attack?

In case you are wondering, this is not my machine, so I don't really have much choice about what PDF reader is installed. At home I use the Sumatra PDF reader, as it is one small 1.4 MB portable exe rather than Adobe's 27 MB download. It's a tad ugly due to the bright yellow page displayed when no PDF is open, but once a PDF is opened it looks great.

SuperGenPass support now available for the Blackberry

I have been using the SuperGenPass bookmarklet for a long time now. It lets me have a unique password for each website I need to log into while remembering only one master password, but the drawback is that it only works for websites and you need the JavaScript bookmarklet (or a downloaded copy of the web page). I have the script saved in my Gmail account so that I can put it onto a new machine that is under my control, but for those times when you don't really want to save the bookmarklet on the PC but have access to your BlackBerry, you can now install this implementation of SuperGenPass for the BlackBerry, thanks to Michael Gorven. The download page is http://mene.za.net/passgen/ and the script also gives you the option of using the PasswordComposer algorithm to generate passwords.
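The idea behind the bookmarklet, one master password turned into a different password per site by hashing it together with the site's domain, is small enough to show in full. The following is added example code in the same spirit; it is not the bookmarklet, not the BlackBerry port, and not SuperGenPass's exact algorithm (which differs in hash function, output alphabet and domain handling). The short public-suffix list it uses is an assumption for the demo.

```python
"""Derive a per-site password from a single master password, in the spirit of
the SuperGenPass bookmarklet described above.

Added example code: this is not the bookmarklet, and SuperGenPass's own
algorithm differs in detail (hash function, output alphabet, domain handling).
The short public-suffix list is an assumption; a real tool would use the
full Public Suffix List so that 'foo.co.uk' and 'bar.co.uk' do not collide.
"""
from __future__ import annotations

import base64
import hashlib
from urllib.parse import urlsplit

# Assumption: a handful of two-level public suffixes, enough for the demo.
_TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.za"}


def site_key(url: str) -> str:
    """Reduce a URL or host name to its registrable domain.

    'https://www.mail.example.com/inbox' and 'example.com' both give
    'example.com', so the same password comes out whichever way you reach the
    site; a look-alike host such as 'example.com.evil.example' does not.
    """
    if "//" not in url:
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    parts = host.split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in _TWO_LEVEL_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _acceptable(candidate: str) -> bool:
    """Password policy: starts with a lower-case letter, has an upper-case letter and a digit."""
    return (candidate[0].islower()
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate))


def generate(master: str, url: str, length: int = 10, min_rounds: int = 10) -> str:
    """Hash master:domain repeatedly until the result meets the policy.

    The minimum round count makes a one-round lookup table useless against
    short master passwords; the loop then keeps going until the first
    `length` characters satisfy the policy, so the output is always usable
    on sites that demand mixed case and a digit.
    """
    if length < 3:
        raise ValueError("length must be at least 3 to satisfy the policy")
    state = f"{master}:{site_key(url)}".encode("utf-8")
    rounds = 0
    while True:
        state = hashlib.sha256(state).digest()
        rounds += 1
        # base64 gives letters and digits; map the three symbols to safe characters
        text = base64.b64encode(state).decode("ascii")
        candidate = text.replace("+", "9").replace("/", "8").replace("=", "A")[:length]
        if rounds >= min_rounds and _acceptable(candidate):
            return candidate


if __name__ == "__main__":
    print(generate("correct horse", "https://www.example.com/login"))
    print(generate("correct horse", "example.com"))               # same site, same password
    print(generate("correct horse", "example.com.evil.example"))  # look-alike host, different
```

Two properties matter in practice and both fall out of the domain step: a phishing page on a look-alike host gets a different password than the real site, and the scheme is deterministic, so a password that has to be rotated for one site can only be changed by changing the master password (which changes every site) or by adding a per-site counter to the input.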

The BlackBerry is rapidly becoming my third-party authentication tool; the ability to run programs on it to generate secure passwords is very handy. I have another post on this coming up shortly.

Windows 958644 direct download locations.

I have spent all day patching servers and workstations and trying to find a direct download for the 958644 patch that was released last night. I was amazed when Microsoft even called us to join a web conference for Microsoft partners about this patch; that is something new.
I was not so pleased when I called PSS to ask for a direct download of the patch, as KB958644 does not have direct links, Windows Update Services was timing out and the catalog website is badly broken. PSS informed me that as it was not a hotfix they could not provide me with the file, and there was an 8-12 hour delay on a callback from the server team. So instead I've been configuring WSUS for servers (that were not already configured), approving patches and downloading by visiting Windows Update, a VERY time-consuming process.
Anyway, without wasting more time, here are the download locations; I'd grab them before the server falls over too.

Thanks to Larry and Derek for the help in finding these.

Does your ISP spy on you?

Listening to Security Now a few weeks ago, they had a couple of podcasts (SN153 and SN151) about ISPs using software such as Phorm or NebuAd to track the surfing habits of their users. Thanks to LightBulb Interactive, who just happens to be a local blogger, I have discovered a list of ISPs that have admitted to this over at Silicon Alley Insider.
Time Warner was not on the list but WOW Cable was (which is a bit worrying); I'll pass this information on to a couple of my work colleagues.

XP Service Pack 3 vulnerability – already!

So Microsoft updated a patch bulletin today to do with Adobe Flash Player, and I quote: “Caveats: This bulletin is for customers using Macromedia Flash Player version 6 from Adobe. Customers that have followed the guidance in Adobe Security Bulletin APSB06-11, issued September 12, 2006, are not at risk from these vulnerabilities. Vulnerable versions of Macromedia Flash Player from Adobe are redistributed with Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3, and Microsoft Windows XP Professional x64 Edition.”

Now XP SP3 has only been out a couple of weeks, if that, and Adobe released their bulletin in September 2006, so how on earth is Windows XP SP3 vulnerable? Surely Flash should have been updated in the XP SP3 release! This seems to make a mockery of the security focus that Microsoft are meant to be working hard on, and coming on the heels of the recent snafus with Windows Update and Genuine Advantage, it's no wonder people are not very happy with patching.