Archive for the ‘Security’ Category

The CISSP Exam

Last Sunday, I took and passed the CISSP exam. I had made it a personal goal to pass the exam before the end of the year, and I’m happy to say that I have achieved my goal. What was my study plan? Read on…

DropBox Two-Factor Authentication

DropBox is cool. I use it to keep my many computers in sync. This includes keeping my password manager master safe file in sync (you all use password managers, right?). Even though that file is encrypted with a good encryption algorithm, it’s still a file I would like to protect. I used a pretty strong password on my DropBox account, but it’s still just a password.

Fortunately, though, DropBox now supports two-factor authentication. If you have a Google account, and you use Google’s two-factor authentication (like you should!), it’s incredibly easy to add, because DropBox uses the same time-based one-time password standard (TOTP, RFC 6238) that Google Authenticator implements. Just enable two-factor in DropBox, go to Google Authenticator on your phone, add a new account, scan the QR code, and done.

Hopefully, this means that two-factor authentication is becoming more mainstream. I’ll be a lot happier when Facebook supports it, but for now, DropBox support is fantastic.

Privacy Around Me

There has been a lot of ink spilled about the Girls Around Me app that was introduced, and then pulled from the iPhone App Store. For those who are unaware, the app used the geolocation aspects of existing websites, such as Foursquare and Facebook, to show the user where women were located close to them. This was widely decried as creepy and stalker-y, and after Foursquare cut off access to their data, the app was essentially useless. The developer does, however, hope to bring it back sometime soon.

Was the app gross and juvenile? Perhaps. But it’s important to remember that this app was using data that was publicly available. The users who showed up were sharing, knowingly or unknowingly, their location data with everybody in the world. The whole point of Foursquare, and Facebook location tagging, is to tell people where you are: the issue here was that this data was being used in a way that people may not have agreed to, but they were making it public all the same. Plus, let’s imagine that the app wasn’t looking simply for women located close by: let’s imagine that it was looking for mothers with at least two children and a household income of $70,000 per year. Now we’ve described a micro-targeting app that your favorite retailer is most likely feverishly working on, again using public data to find what is of interest to them. Is that also creepy? Maybe, but it is the future of marketing.

Passwords, Authentication, and Privilege

Gizmodo has decreed that today, February 1st, is “Change Your Password” day. I wholeheartedly agree, especially if you reuse passwords (which you shouldn’t!). In fact, I’d go further: change your password, and start using a password manager. Did I change my passwords today? I did not, because I use said password manager. I don’t reuse passwords, and my passwords are all random. So even if one is revealed, it’s not going to make a difference outside of that one website.

Zappos Data Breach

Zappos.com recently had a data breach. As data breaches go, it was not nearly as bad as it could have been: no full credit card numbers leaked, nor any plaintext passwords. What makes it special, then? It’s somewhat special to me, since it is, to my knowledge, the first time that I have been part of a data breach: I have a Zappos.com account, and I received the email about the breach. Notice I said “to my knowledge”; plenty of data leaks don’t get reported. I haven’t been a part of a major one, though, at least according to pwnedlist.com, where you can check to see if your email address or username has been leaked.

IT Security Survey

I’m currently working on my MSST Capstone project, which is going to focus on IT security in small organizations and small businesses. If you work in a small business, especially if you have an IT role, please fill out a short survey I’ve put together. It’s 36 questions, mainly yes or no, so it shouldn’t take up too much time. You can access the survey here.

New GnuPG key

My GnuPG key was set to expire at the end of this year, so I created a new one. The key is located here. In the extremely unlikely event you need to email me something securely, use this!

I’m a big fan of crypto and secure email. Too bad I so rarely have need to use it.

Google Two-Factor Authentication

Google has recently enabled two-factor authentication for Google products like Gmail. What is two-factor authentication? It means that in addition to providing your password, you need to provide a one-time verification code that Google will deliver to your phone, either via an app, a text message, or an actual phone call. Thus, to log in, you need two things: a password and your phone. With only one or the other, you can’t get in. This is much stronger than a password alone, which is why some banks have been moving to two-factor authentication for customers. Google’s decision to enable it for email, and for just about everybody with an account, is certainly groundbreaking.

Useful Computer Utilities: KeePass

Some time ago I blogged about the password manager I had been using for many years: Password Safe. It’s a great program, one that I recommend wholeheartedly. However, I’ve since switched to a new manager: KeePass. Like Password Safe, it is a pretty functional password manager that allows you to automatically generate and save passwords. Also like Password Safe, KeePass is open-source.

Why did I switch? Well, essentially because I like the interface and functions better in KeePass. The UI looks a bit better, and there is a graphical representation of how strong a password is. Other than that, though, it’s almost identical to Password Safe. Password Safe is even a bit easier to use for the novice, as it doesn’t have quite as many options to fiddle with as KeePass. One issue with KeePass 2.x is that it requires the .NET Framework, which isn’t always available, especially if you plan on using it on a computer that you don’t have control over.

I’d recommend either of the two for your password manager needs without hesitation. Play with both of them and decide which one you like better. But pick and use some kind of manager. Using strong, random passwords is an important part of security, and password managers help make doing so simpler.

National Internet ID: A Bad Idea

The Obama administration is talking about creating a unique “Internet ID” for web users in the U.S. Commerce Secretary Gary Locke is quick to say it isn’t a national ID card, or even a government-controlled system, but private creation of “trusted digital identities”. Although there are plenty of times where the need for a trusted digital identity is real, I really don’t think e-commerce is one of those times. The benefits of such a system for e-commerce are far outweighed by the costs.
