App of the Week: 1Password

So far today, I've logged into a dozen or so accounts on the Internet. I've logged in from my iPhone, my iPad, and my Macs. I've done some shopping, commented on some blog posts, reviewed RSS feeds, and more. Every one of those accounts has a complex password made up of a random set of numbers, letters, and punctuation. As a cybersecurity expert, I'd find it pretty embarrassing to have my accounts cracked. So, I'm careful. And the most useful tool in my arsenal is 1Password. When you log into your accounts, how do you do it? Do you use one password for multiple accounts? Are your passwords easy for you to remember? How can you be sure they won't be easily guessed?

While there are a number of strategies for coming up with strong passwords, like this one from xkcd:

there are alternatives in the form of applications like 1Password that simplify the entire process, and given the large set of accounts we all typically have, I highly recommend it.

1Password is one of a set of applications called "password vaults" or "password managers." These applications generate, encrypt, store, and retrieve passwords and other sensitive information, such as credit card numbers. From my perspective, having a password manager is a critical step in protecting yourself online.

1Password Workflow

1Password provides a broader range of functions than I use every day, and some that I don't use at all, but it is an application that I use multiple times every day on each of my devices. Here's the general workflow:

  • When I visit a new web site and create an account, I use the 1Password icon in my browser to generate a new password. 1Password prompts me for my 1Password master password to unlock the application, then allows me to generate a password with whatever characteristics I prefer. I typically use passwords that are as long as the site will accept, and as complex as it will accept, including upper- and lower-case letters, symbols, and numerals. 1Password will automatically fill in the password as I'm creating the account. 
  • When I submit the new account information, 1Password remembers the new account, including the username and password. It prompts me to store that information into the 1Password database. 
  • The next time I visit the site, I use the 1Password icon to fill my username and password.

The result of this workflow is the following:

  1. I only have to remember one password (hence the name!): the password to unlock 1Password.
  2. The passwords for the sites are on all of my devices, synced all the time.
  3. All of the passwords I use are long random strings of characters that are, for all practical purposes, impossible to guess or brute-force.
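To show what "long random strings" buys you in concrete terms, here is a small generator of the same kind 1Password offers, written for this post as an added illustration; it is not 1Password's code. It draws from the OS's cryptographic random source, guarantees one character from each class a site demands, and estimates the entropy of the result. The character classes and the 1e12 guesses-per-second cracking rate are assumptions for the arithmetic, not figures from 1Password.

```python
import math
import secrets
import string

# Character classes a site might allow (an assumption for this example).
# Many sites restrict the symbol set, so callers can pass a narrower selection.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")

# random.shuffle() uses a non-cryptographic PRNG; SystemRandom draws from the
# OS CSPRNG, the same source secrets.choice() uses.
_sysrand = secrets.SystemRandom()


def generate_password(length: int, classes=ALL_CLASSES) -> str:
    """Random password of `length` characters over the union of `classes`,
    with at least one character from each class (the usual site rule)."""
    if length < len(classes):
        raise ValueError("length must be at least the number of classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    chars = [secrets.choice(CLASSES[c]) for c in classes]  # one per class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    _sysrand.shuffle(chars)  # so the guaranteed characters are not always first
    return "".join(chars)


def has_all_classes(password: str, classes=ALL_CLASSES) -> bool:
    """True if every requested class is represented in the password."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def entropy_bits(length: int, classes=ALL_CLASSES) -> float:
    """Entropy of a uniformly random string of this length over the alphabet.
    The one-per-class requirement removes only a negligible slice of the
    space at realistic lengths, so this is a close upper bound."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Years to enumerate the whole keyspace at a constant guess rate.
    1e12/s is an assumed figure for a large offline rig against a fast hash;
    an online login form allows orders of magnitude fewer guesses."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(24)
    bits = entropy_bits(24)
    print(pw, f"{bits:.1f} bits", f"{years_to_exhaust(bits):.3g} years to exhaust")
```

A 20-character password over all four classes (94 symbols) carries about 131 bits; even at a trillion guesses per second, enumerating that space takes longer than the age of the universe, which is the whole reason a generated password beats a memorable one. The 8-digit PIN-style password, by contrast, carries under 27 bits and falls in seconds.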

1Password offers a number of methods to keep your database synced across all of your devices, including Dropbox and iCloud. They also offer applications on iOS, OS X, and Windows.

I count 1Password as one of my essential applications, and you should, too.

More Phishing... Don't Fall for It!

This morning I was scrambling with a bit of last-minute packing before heading out for a few days at a business event in Clearwater Beach, Florida. I grabbed my various electronic devices and quickly checked my email. When I did, I saw this email with the subject "Account Re-Activation (Please Reply)":

Dear Webmail Account Users,

This is to inform you that we are having congestion's due to the anonymous registration of webmail accounts so we are shutting down some email accounts and your account is among those to be deleted, so we like to know if you still want this account on our e-mail database/mail server.

To enable us upgrade you account and give you the best of our services please you must reply to this mail and Re- confirms your login information to avoid interruption.

Full Name: ............................... Full Email Login: ...................... Password: ................................ Current Password: ...................

After following the instructions in the sheet, your account will not be interrupted and will continue as normal because series of maintenance process need to be carried out on your mailbox.

Warning code:.....VX2G99AAJ

Failure to do this will automatically render your e-mail account deactivated from our e-mail database/mail server. To enable us upgrade your email account, please do reply to this mail.

Webmail Regional Mail server Technical Support.

It was obvious to me that this is a "phishing" email, but people fall for these expeditions every day. Help people by showing them why email like this is a scam designed to steal their email credentials. What do you see in this?

Here are a few of the things I see...

First, and foremost, it asks for my account information in the plain text of an email. That's what got me thinking: do people actually fall for this? They must!

Never email a password to anyone. Ever.

What else do I see in this? Well, it's not written to me personally, but to a generic title. Any real business with my account information would auto-fill my name, at least.

How about a webmail provider that doesn't ask me to log in to my account to make a change? Or at least send me to a web page for this interaction?

Of course, the mistakes in the English in the email are tells, too. As are the "From:" address and headers, which I haven't included here.
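The tells above are mechanical enough to check automatically. The script below, added for this post rather than taken from any mail product, runs those checks over the message quoted above: a request for credentials in the body, a generic salutation, threats of losing the account, an instruction to reply by e-mail with no link to a login page, and a Reply-To domain that differs from the From domain. The headers on the sample are invented for illustration, since the post did not reproduce them, and the benign message is constructed to show the checks stay quiet on ordinary mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the body is the message quoted in the post; the headers
# are invented for illustration (the real ones were not included in the post).
PHISH = """\
From: "Webmail Technical Support" <support@webmail-admin.example>
Reply-To: webmail.reactivation@example.net
Subject: Account Re-Activation (Please Reply)

Dear Webmail Account Users,

This is to inform you that we are having congestion's due to the anonymous
registration of webmail accounts so we are shutting down some email accounts
and your account is among those to be deleted, so we like to know if you
still want this account on our e-mail database/mail server.

To enable us upgrade you account and give you the best of our services please
you must reply to this mail and Re- confirms your login information to avoid
interruption.

Full Name: ........ Full Email Login: ........ Password: ........ Current Password: ........

Failure to do this will automatically render your e-mail account deactivated
from our e-mail database/mail server.

Webmail Regional Mail server Technical Support.
"""

# Constructed benign message, to show the checks do not fire on ordinary mail.
BENIGN = """\
From: Alice <alice@example.com>
Reply-To: alice@example.com
Subject: Lunch Friday?

Hi Bob,

Are we still on for lunch Friday? The menu is at https://example.com/menu
Alice
"""

CREDENTIALS = re.compile(r"\b(?:password|passcode|pin|login (?:information|details))\b", re.I)
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(?:[\w-]+\s+){0,3}(?:customer|user|member|client|subscriber)s?\b", re.I | re.M)
URGENCY = re.compile(
    r"\b(?:deactivat\w*|suspend\w*|delet\w*|shut(?:ting)?\s+down|interrupt\w*"
    r"|failure to|immediately|within\s+\d+\s+(?:hours|days))\b", re.I)
REPLY_WITH_INFO = re.compile(
    r"\breply\b.{0,80}?\b(?:confirm\w*|login|password|information)\b", re.I | re.S)
HAS_LINK = re.compile(r"https?://", re.I)


def _domain(addr_header: str) -> str:
    """Bare domain of an address header such as 'Name <user@host>'."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the phishing tells found in a single-part RFC 822 message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    found = []
    if CREDENTIALS.search(body):
        found.append("asks for credentials in the message body")
    if GENERIC_GREETING.search(body):
        found.append("generic salutation instead of the recipient's name")
    if URGENCY.search(body):
        found.append("urgency or threat of losing the account")
    if REPLY_WITH_INFO.search(body) and not HAS_LINK.search(body):
        found.append("wants a reply by e-mail rather than a login on the site")
    from_domain, reply_domain = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        found.append("Reply-To domain differs from From domain")
    return found


if __name__ == "__main__":
    for name, sample in ("phish", PHISH), ("benign", BENIGN):
        print(name, phishing_indicators(sample))
```

None of these checks is proof on its own; a legitimate service-wide notice can be impersonal, and a mailing list can legitimately set a different Reply-To. The credential request is the one indicator that should never be explained away.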

What do you see? How will you warn your friends?

Facebook's Security Mess

Last week I was sitting in my office working away on a client's iPhone app when my iPhone's text message bell alert rang. I picked up my phone to see my daughter's text message: "Free iPad event?" After an exchange, I learned that my Facebook account had sent her an event request with a link to a rogue quiz site that was offering quizzes for the amazingly low price of $19.99 a month. I also started getting emails from other friends who were getting the invitation from me. So, I got mad.

First, I deleted the event. Then, I posted to my wall about it. And then, I went on the warpath.

You see, I am very careful about my Facebook account. While I explore aspects of Facebook as part of my research for clients, I am aware of the dangers and am diligent in working through the possible issues. But, I got caught. So, I went looking for the source of the issue.

The first thing I learned is that I am not alone. There is even a Facebook group that has grown up to oppose it. But, no one seemed to know how it was done, so I began to investigate.

Given the invitation text and the targets, I figured out that it had to have come from an application with access to my account. I dug through my entire list of applications, eliminating many that were either old or that I don't use. But, it's important to understand that Facebook makes this process far more painful than it needs to be. If only Facebook would make a note on the wall posts, event invites, and other items noting what application was used to create it, we could track down the reprobates who build these cheap cheats. Twitter even does it:

So Twitter, with its informal nature, trumps Facebook in one of the most important aspects of security: transparency.

In my next few posts, I'll outline what you can do to scrub your Facebook account so that it is much better hardened against this kind of attack. However, with the limited transparency of Facebook's system right now, there is only so much you can do.

iOS Update Fixes PDF Vulnerability

I wrote earlier about the PDF vulnerability in iOS that impacts every iPhone, iPod Touch, and iPad. Yesterday, Apple made an update available to fix the vulnerability. If you own an iOS device, be sure to update it as soon as you can. If you don't see the update as soon as you plug your device into iTunes, select your device in the sidebar and click "Check for Update" to get the update.

Being Careful Isn't Enough

"Want a free iPad?" That's an email that my Facebook friends received from me this morning. The problem is, I never sent it. In fact, I never saw it until it had been sent on my behalf. Being careful isn't enough. I wrote here on this very blog last year about the various trojans and other attacks made on and through Facebook.

Today, I was used.

This morning as I was starting work, my daughter sent a text message asking me about a free iPad. I didn't know what she was talking about. Then, after a bit of investigation, I learned that some rogue application that I had approved for access to my Facebook account had sent an event invitation to everyone on my Friends list.

This is a big deal.

It's a big deal because I cannot even easily send a message to everyone on my friends list. Therefore, my apology email took a while to create, since I had to manually create a list with all of my friends on it.

It's also a big deal because there was no way for me to find out from the invitations which application sent them. Was one of the seemingly appropriate applications like Twitter or Foursquare the issue? Or how about that Fast Company Influence Project app that I set up yesterday? I can't tell. The invitation doesn't tell anyone how it was created, and I have no way of working backwards from the invitation to the app and removing its permissions.

This is a Facebook security problem, and Facebook needs to address it. As a result of this issue, I have removed a number of apps from my Facebook page and will remove all of them if it happens again.

In the meantime, I'm committed to doing what I can to track down this rogue app. If you have any insight into how this was done or what app might have done it, I'd love to get your insights. I'll update this post as I discover more.

Your iPhone and iPad are Vulnerable

Mashable reports today that Security Exploit Can Give Hackers Control of Your iPhone or iPad [WARNING]. You will want to be careful not to load any PDFs that you don't know for sure are safe. This is a buffer overflow bug in the PDF rendering engine having to do with font management. While obscure, it's actually the bug that was used to provide a web-based jailbreak of the iPhone running iOS 3.1.2 or higher.

How Safe are You?

It was the late '70s in a suburban Michigan neighborhood when I first felt it. I had bought my ten-speed bike--a beautiful brown Schwinn Varsity with tape-wrapped drop handlebars--back when no one had ever seen one. People would stop and ask, "Why do your handlebars go down?" That bike was special to me. I used it on my paper routes for years and rode it everywhere. But it was gone.

Someone had come into our garage and left with it.

I felt violated. If my garage wasn't safe, what was? It churned my emotions for a while, and I still remember those feelings.

Today, thieves don't have to break in to your garage. They can break into your computer. If they did, what would they find? Do you know?

I do, and now you can, too.

Identity Finder, created by the company of the same name, scans your PC, Mac, or enterprise systems for telltale content like credit card numbers, passwords, social security numbers, and more. I'm willing to bet that it will find content that you forgot. For example, remember that time you emailed your social security number? What about that friend who sent you their VISA card number for your trip?

Identity Finder will find them and remind you.

These scans show you the files where the content is found. The application also shows you a browse view of the file with the content highlighted. It lets you decide what to do with the information it finds, including allowing you to encrypt and archive the report.

In my case, between the first and second times I ran Identity Finder on my Mac, I had packaged information for my bookkeeper, including my credit card statements. Those files had my credit card numbers in them. I had been careful when getting them to her, but I had left them on my system unencrypted! And I had forgotten. Identity Finder reminded me.

There are, of course, a few imperfections. The application displayed some of the file previews with the entire file highlighted so it was difficult to determine what it had found. It took me a little bit of time to figure out what to do with files where multiple triggers had fired. But, these are small limitations, and I can still unequivocally recommend Identity Finder as protection against leaving your personal identity information just sitting on your computer storage.
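To make the kind of scan Identity Finder performs concrete, here is a small scanner added for this post; it is not Identity Finder's code and makes no claim about how that product works. It looks for card numbers and US Social Security numbers in a set of files, uses the Luhn check to discard order numbers and other 16-digit noise, and reports each hit by offset so that only the matched span is highlighted rather than the whole file. The "files" are a constructed in-memory dictionary; 4111 1111 1111 1111 is a well-known test card number and 078-05-1120 a famous never-issued SSN.

```python
import re

# Constructed sample "files": the contents are invented for this example.
SAMPLE_FILES = {
    "bookkeeper/visa-statement-2010.txt": "Statement for card 4111 1111 1111 1111\nBalance: $412.07\n",
    "notes.txt": "Order #1234 5678 9012 3456 shipped.\nW-9 lists SSN 078-05-1120.\nBogus 000-12-3456 ignored.\n",
    "README.txt": "Nothing sensitive here. Call 555-0100 for support.\n",
}

# 13-19 digits with optional single space/dash separators, not inside a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN: area not 000/666/900-999, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; real card numbers pass, random digit runs mostly do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[dict]:
    """All Luhn-valid card numbers and well-formed SSNs in text, with offsets."""
    hits = []
    for m in CARD_RE.finditer(text):
        number = re.sub(r"[ -]", "", m.group())
        if 13 <= len(number) <= 19 and luhn_valid(number):
            hits.append({"type": "credit_card", "start": m.start(), "end": m.end(), "value": number})
    for m in SSN_RE.finditer(text):
        hits.append({"type": "ssn", "start": m.start(), "end": m.end(), "value": m.group()})
    return sorted(hits, key=lambda h: h["start"])


def snippet(text: str, hit: dict, context: int = 15) -> str:
    """Only the matched span, bracketed, with a little context on either side."""
    s, e = hit["start"], hit["end"]
    return text[max(0, s - context):s] + "[" + text[s:e] + "]" + text[e:e + context]


def scan_files(files: dict) -> dict:
    """Map of file name -> findings, omitting files with nothing to report."""
    report = {}
    for name, text in files.items():
        hits = find_pii(text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for h in hits:
            print(f"{name}: {h['type']} {snippet(SAMPLE_FILES[name], h)!r}")
```

The Luhn filter is what keeps a scan like this usable: without it, every tracking number and invoice ID lights up as a card. Per-hit offsets are also what let a tool show several distinct triggers in one file instead of highlighting the whole thing.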

What have you left lying around that a black hat could steal?

Identity Finder is an excellent way to find out.