Update – Never mind – see bottom of article.
Discovered an interesting flaw in the requirement for two-factor authentication with Gmail today. I like to use the application on my cell phone to ensure that only I have access to my account, so that if somehow a keylogger were in place my Gmail password would be of no use on its own, as the second factor would also require access to my cell phone.
However, today I logged into Google Reader first (which doesn’t support second-factor authentication) using my username and password only. I then clicked the Gmail tab at the top of Reader, and hey presto, I was into Gmail.
Bottom line: don’t think that just because you have enabled second-factor authentication you are safe from keyloggers on a PC or from network sniffing/man-in-the-middle attacks. I’ve not reported this to Google yet, but it will be interesting to see what they say.
Update: after signing out AND restarting Firefox I was prompted for the second-factor password. Interestingly, I wasn’t prompted until I restarted the browser, so, as usual, always restart browsers once you’ve finished with them.
Troy Hunt has a nice analysis of some of the passwords that were recently stolen from Sony. As usual, most of the passwords are pretty easily cracked, although in this case the hackers didn’t need to, as the passwords were stored in plain text. The scary thing is how many of the passwords were the same between the Sony site and the Gawker site that was also broken into earlier. Naturally the key (no pun intended) between the sites is that the user ID is commonly the email address, which then also means there is a fairly good chance of having your Gmail account broken into.
One of these days I’ll break this information up into a password guide for users to show them how it “really could happen to them” and the risk it generates to the company as well as to their personal information. I’m actually surprised at the number of people who use their work email address for things like Facebook and other social applications. After all, work email addresses are not exactly permanent nowadays and definitely not private.
It would also be really interesting to take all of our clients’ email addresses and run them against the login IDs from this database to see if anyone was in it. Alternatively, checking previous web site browsing history would give a clue as to whether people were using this site (but would be a very painful and time-consuming process). The only problem is the time it would take and the fact that only a subset of the data was made available for download to the general public.
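The two checks described above (password reuse between two breached sites, and running a list of our own addresses against the login IDs in a dump) in working form, as an added example that is not from the original post or from Troy Hunt’s analysis. Both dumps, the client list and every address and password in them are constructed; the only format assumption is one email:password record per line, which is how plaintext dumps are typically posted.

```python
"""Cross-reference two breach dumps and a list of "our" addresses.

Added example for this page. Both dumps, the client list and every
address in them are constructed; the only format assumption is one
'email:password' record per line.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple


def normalise_email(addr: str) -> str:
    """Comparison key: trimmed and lowercased (no dot or plus folding)."""
    return addr.strip().lower()


def load_dump(lines: Iterable[str]) -> Dict[str, str]:
    """Parse 'email:password' records; malformed lines are skipped."""
    records: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if ":" not in line or "@" not in line:
            continue
        email, password = line.split(":", 1)
        records[normalise_email(email)] = password
    return records


def password_reuse(a: Dict[str, str], b: Dict[str, str]) -> Tuple[int, int]:
    """(accounts present in both dumps, how many of them reused the password)."""
    shared = set(a) & set(b)
    same = sum(1 for e in shared if a[e] == b[e])
    return len(shared), same


def exposed_clients(clients: Iterable[str], *dumps: Dict[str, str]) -> List[str]:
    """Which of our addresses appear as a login id in any of the dumps."""
    wanted = {normalise_email(c) for c in clients}
    hits = set()
    for dump in dumps:
        hits |= wanted & set(dump)
    return sorted(hits)


def domain_breakdown(dump: Dict[str, str]) -> Counter:
    """Accounts per e-mail domain; a work domain near the top is the warning sign."""
    return Counter(email.rsplit("@", 1)[1] for email in dump)


# Constructed dumps, deliberately overlapping on some accounts.
SITE_A = """\
alice@example.com:Sunshine1
Bob@Example.COM:letmein
carol@corp.example:Summer2011
dave@mail.example:password
"""
SITE_B = """\
alice@example.com:Sunshine1
bob@example.com:qwerty
carol@corp.example:Summer2011
erin@corp.example:hunter2
"""
# Constructed "client" addresses to look for.
CLIENT_ADDRESSES = ["Carol@corp.example", "frank@corp.example", "erin@corp.example"]

if __name__ == "__main__":
    a, b = load_dump(SITE_A.splitlines()), load_dump(SITE_B.splitlines())
    shared, same = password_reuse(a, b)
    print(f"{shared} accounts in both dumps, {same} reused the same password")
    print("clients exposed:", exposed_clients(CLIENT_ADDRESSES, a, b))
    print("domains in site A:", domain_breakdown(a).most_common())
```

The join is on a normalised address only, so an account registered with a differently capitalised address still matches, and anything that is not in the published subset of the dump simply does not show up; a clean result is not evidence of absence.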
I registered for PodcampOhio 3 months ago, but for some reason it was not in my calendar, so it’s a good job they reminded us about it on the blog.
It will be nice to take the Dell Mini with me next week instead of having to lug the normal laptop around. The only annoying thing is the mouse movement and smaller keyboard, so I’ll have to type slower. I’m debating loading OneNote onto the machine (restricting me to just one OS for the day) or just using the OneNote Web App (but that assumes web access is always available).
If you’re going – don’t forget to say hello.
I guess I should have got my act together and submitted a session on “securely logging into your WordPress blog at conferences without needing an SSL certificate”. The most embarrassing thing is that I worked out how to do this last year before the conference and said my instructions were coming soon!
This afternoon I received spam from fellow colleagues at work, sent from their Gmail accounts. Emails went to both my personal Gmail account and to my work accounts. It looks like the emails are in the Sent Items, which is rather worrying, as it means the spammer sent mail from the account rather than forging the headers to make it look like it came from the account. I know for a fact that the password was secure on at least one of the accounts, so a weak password is not the culprit. A quick (ironic) Google search shows that several people have been tweeting about this in the past couple of hours (mine came in at 3.43pm, and I had another at 7.30pm).
Google’s standard answer is to change your password, which doesn’t really help when there is obviously a back door letting people into the account in the first place. The solutions provided are as follows:
If your account has been compromised/hacked/stolen you will need to check at least all of the following things:
Account Security:
Settings -> Accounts and Import -> Google Account Settings -> Change Password [pick a new secure password]
Settings -> Accounts and Import -> Google Account Settings -> Change Password Recovery Options [verify secret question, SMS and secondary e-mail address]
Potential Spam:
Settings -> General -> Signature [make sure nothing has been added]
Settings -> General -> Vacation Responder [make sure it’s disabled and empty]
E-mail Theft:
Settings -> Accounts and Import -> Send Mail As [make sure it is using your correct e-mail address]
Settings -> Filters [no filters that forward or delete e-mail]
Settings -> Forwarding and POP/IMAP -> Forwarding [disabled or correct address]
Settings -> Forwarding and POP/IMAP -> POP Download [disabled]
Settings -> Forwarding and POP/IMAP -> IMAP Access [disabled]
Additional Information:
Keeping account secure: https://mail.google.com/support/bin/answer.py?hl=en&answer=46526
Protecting your account: https://mail.google.com/support/bin/answer.py?hl=en&answer=29407
If your account is compromised: http://mail.google.com/support/bin/answer.py?hl=en&answer=50270
Ciao is also reporting similar issues today.
It would be interesting to see if any of the compromised accounts were on the Google Apps servers, as this probably has greater repercussions for Google’s business model, since people will trust Google even less. It will certainly raise questions at work on Monday as to whether we would recommend moving some clients to Google Apps. Even if you haven’t been hacked (check your sent items, filters and your frequent contacts for spam messages), I would still highly recommend you change your password NOW and ensure it is a complicated, non-dictionary-based one.
Thanks to Digging into WordPress (a blog I’ve just started reading), it’s possible to easily remove the WordPress version from the header information on a WordPress site. This (slightly) helps security in that the version of WordPress is no longer transmitted to the web browser. It would be nice if this was a toggle switch in WordPress’s admin panel though.
To implement the change, just edit the functions.php file in the Theme and add the following line.
remove_action ('wp_head', 'wp_generator');
One thing to watch is that if you upgrade your theme this change is likely to be undone. I’ve actually created a draft post in WP where I keep my theme changes listed so that they appear in the dashboard and I have a record of what changes are made to the design.
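As an added check (my own example, not code from the original post or from the Digging into WordPress article): the remove_action line only silences the wp_generator hook on wp_head, so the version can still be read from the ?ver= query string WordPress appends to enqueued scripts and styles that were registered without a version of their own, and from the <generator> element in the RSS feed, which the feed template prints separately. The scanner below, run over constructed sample output, shows which leaks the one-line change closes and which it leaves; the page and feed fragments are made up, not captured from a real site.

```python
"""Check served WordPress output for the places the version string leaks.

Added example for this page; inputs below are constructed, not captured
from a real site. Three leak locations are checked:
  * <meta name="generator" content="WordPress X.Y.Z"> printed into <head>
    by the wp_generator action (what the remove_action line removes)
  * ?ver=X.Y.Z appended to enqueued scripts/styles registered without a
    version of their own (it defaults to the WordPress version)
  * the <generator> element in the RSS feed (printed by the feed template,
    not by wp_head)
"""
import re
from typing import List, Tuple

META_GENERATOR = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]*)"', re.I)
VER_QUERY = re.compile(
    r'<(?:script|link)\b[^>]*?(?:src|href)="[^"]*[?&]ver=([\d.]+)', re.I)
FEED_GENERATOR = re.compile(r'<generator[^>]*>[^<]*</generator>', re.I)
VERSION = re.compile(r'\d+(?:\.\d+)+')


def find_version_leaks(body: str) -> List[Tuple[str, str]]:
    """Return (where, version) for every version string found in body."""
    leaks = []
    for m in META_GENERATOR.finditer(body):
        leaks.append(("meta generator", m.group(1) or "?"))
    for m in VER_QUERY.finditer(body):
        # Not every ver= is the core version (bundled jQuery carries its
        # own), so the caller compares against the version it is hiding.
        leaks.append(("ver= query string", m.group(1)))
    for m in FEED_GENERATOR.finditer(body):
        tag = m.group(0)
        v = VERSION.search(tag)
        if v and "wordpress" in tag.lower():
            leaks.append(("feed generator", v.group(0)))
    return leaks


def wp_version_still_visible(body: str, version: str) -> bool:
    """True if the given core version can still be read from body."""
    return any(v == version for _, v in find_version_leaks(body))


# Constructed: what a stock theme's <head> looks like before the change.
BEFORE = """<html><head>
<meta name="generator" content="WordPress 3.0.1" />
<link rel="stylesheet" href="/wp-content/themes/x/style.css?ver=3.0.1" type="text/css" />
<script type="text/javascript" src="/wp-includes/js/jquery/jquery.js?ver=1.4.2"></script>
</head><body></body></html>"""

# Constructed: the same page once functions.php contains
# remove_action('wp_head', 'wp_generator'); only the meta tag disappears.
AFTER = BEFORE.replace('<meta name="generator" content="WordPress 3.0.1" />\n', "")

# Constructed RSS2 feed fragment; wp_generator is a wp_head hook and does
# not touch feeds, so this survives the change too.
FEED = """<rss version="2.0"><channel><title>blog</title>
<generator>http://wordpress.org/?v=3.0.1</generator>
</channel></rss>"""

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER), ("feed", FEED)):
        print(name, find_version_leaks(doc), wp_version_still_visible(doc, "3.0.1"))
```

In the theme itself the feed leak is closed with a filter on the_generator and the ver= strings with filters on style_loader_src and script_loader_src (existing WordPress filters, not something the original article covers). Even then, readme.html in the site root states the version and the hashes of public static files identify it, which is why the change only slightly helps.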
On another theme-related note, I have now enabled comments on all the posts on the blog, as I had issues where posts that had discussion enabled were not allowing comments to be made on them. Hopefully Akismet will continue to do a good job of trapping the spam. I didn’t get any help from the WordPress support forums, so this was my workaround.
I have been using the SuperGenPass bookmarklet for a long time now; it lets me have a unique password for each website I need to log into while remembering only one master password. The drawback is that it only works for websites and you need the JavaScript bookmarklet (or a downloaded copy of the page). I have the script saved in my Gmail account so that I can install it on a new machine that is under my control and use, but for those times when you don’t really want to save the bookmarklet on the PC but do have access to your BlackBerry, you can now install this implementation of SuperGenPass for the BlackBerry, thanks to Michael Gorven. The download page is http://mene.za.net/passgen/ and the script also gives you the option of using PasswordComposer generation for passwords.
The BlackBerry is rapidly becoming my third-party authentication tool; the ability to run programs on it to generate secure passwords is very handy. I have another post on this coming up shortly.
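To show what the bookmarklet is actually doing when it turns one master password into a per-site one, here is a reimplementation of the SuperGenPass derivation in Python. This is my own code added to this page, not the bookmarklet or the BlackBerry port: the seed layout, round count, character rules and base64 substitutions follow the published algorithm, while the domain normalisation is simplified (lowercase, strip scheme, port, path and a leading www.) rather than the bookmarklet’s TLD-list reduction to the registrable domain, and the master password and sites used are made up.

```python
"""Reimplementation of the SuperGenPass derivation (added example).

Not the bookmarklet's or the BlackBerry port's code. Derivation:
  seed = master + ":" + domain
  repeat seed = base64(md5(seed)) at least 10 times, and until the first
  `length` characters start with a lowercase letter and contain at least
  one digit and one uppercase letter; the result is seed[:length].
The base64 alphabet is altered so the output is alphanumeric:
  '+' -> '9', '/' -> '8', '=' -> 'A'.
Assumption: domain handling here is just lowercase + strip scheme, path,
port and a leading "www."; the bookmarklet reduces to the registrable
domain with a TLD list, which is not reproduced.
"""
import base64
import hashlib
import re
import string

_SUBST = str.maketrans({"+": "9", "/": "8", "=": "A"})


def b64_md5(text: str) -> str:
    """One round: MD5 the text, base64 it, apply the alphanumeric substitutions."""
    digest = hashlib.md5(text.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii").translate(_SUBST)


def normalise_domain(site: str) -> str:
    """'https://www.Example.com:8080/login' -> 'example.com' (simplified)."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", site.strip().lower())
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host[4:] if host.startswith("www.") else host


def _acceptable(candidate: str) -> bool:
    """Lowercase first character, at least one digit and one uppercase letter."""
    return (bool(candidate)
            and candidate[0] in string.ascii_lowercase
            and any(c.isdigit() for c in candidate)
            and any(c in string.ascii_uppercase for c in candidate))


def supergenpass(master: str, site: str, length: int = 10) -> str:
    """Derive the per-site password the bookmarklet would type for `site`."""
    if not 4 <= length <= 24:  # one base64-encoded MD5 digest is 24 chars
        raise ValueError("length must be between 4 and 24")
    seed = f"{master}:{normalise_domain(site)}"
    rounds = 0
    while rounds < 10 or not _acceptable(seed[:length]):
        seed = b64_md5(seed)
        rounds += 1
    return seed[:length]


if __name__ == "__main__":
    # Constructed master password and sites: the same inputs always give
    # the same result, and a different site gives an unrelated one.
    for site in ("https://www.example.com/login", "example.org"):
        print(site, supergenpass("correct horse battery", site))
```

Two things worth knowing before relying on this scheme: the derivation is unsalted and costs about a dozen MD5 operations, so anyone who learns one of your site passwords (a plaintext breach dump will do) can test guesses at the master password offline at full speed; and because every site password is a pure function of the master, you cannot change one site’s password after a breach without changing the master and therefore every other site’s password as well.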
So Microsoft updated a patch today to do with Adobe Flash Player, and I quote: “Caveats: This bulletin is for customers using Macromedia Flash Player version 6 from Adobe. Customers that have followed the guidance in Adobe Security Bulletin APSB06-11, issued September 12, 2006, are not at risk from these vulnerabilities. Vulnerable versions of Macromedia Flash Player from Adobe are redistributed with Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3, and Microsoft Windows XP Professional x64 Edition.”
Now XP SP3 has only been out a couple of weeks, if that, and Adobe released their bulletin in September 2006, so how on earth is Windows XP SP3 vulnerable? Surely Flash should have been updated in the XP SP3 release! This seems to make a mockery of the security focus that Microsoft is meant to be working hard on, and, coming on the heels of the recent snafus with Windows Update and Genuine Advantage, it’s no wonder people are not very happy with patching.