For Paranoiacs Only? 2FA Remains A Hard Problem

I’m convinced 2FA is an excellent idea, and I’m already using it for a few situations like my Apple devices and a Google account. Of course I use two-factor authentication on my Apple devices – but that only goes so far, of course. Google also bugs me when logging in to another Google account on those devices, but keeps sending the confirmation to an Android device that I do not always have near me (and I haven’t found a way yet to alter that setting).

But I have always hesitated to apply 2FA to all the applications and websites I use. Why? Because it’s hard to pick the right tool – which one can be applied to most/all sites (and I have a lot of those)? Should I pick a hardware solution, or an application? What about backing up your keys? What if I lose my phone? Etc.

Dan Goodin confirms the complexity of the situation, and tries to give an answer in “Choosing 2FA authenticator apps can be hard. Ars did it so you don’t have to” (on Ars Technica).

Don’t get me wrong: Goodin does an excellent job introducing the complexities of choosing a 2FA solution. But there are many more solutions available – just try any search engine and look for “2FA”. Years ago, I already looked at FreeOTP and andOTP, but I did not feel confident enough in their backup strategies to actually use them. I would also like to know more about privacyIDEA and its application to the problem.

The article mentioned however can be used as a measuring stick, to see whether your 2FA choice ticks the points that you really want/need. And if you don’t use any 2FA solution yet, at least make sure that you have all your (complex!) passwords in a decent password manager on all your devices – I still find Keepassium and the other members of the Keepass family very valuable.

Read Full Post »

A Once Great Chrome Extension Has Become A Security Risk – Get Rid Of It!

You will have to read the original Github ticket – or one of its copies, in case the Github ticket were to be closed/deleted/… –  but the essence of the message is that Chrome extension “The Great Suspender” (TGS) has become a very suspect suspender. According to the ticket, version 7.18 in the Chrome Web Store does not correspond to the source on Github, and has been modified in such a way that it could (can/will/…?) be used to invisibly execute tracking or malicious code!

I was a great fan of that extension: I’m always juggling reading material and lots of browser-based applications at the same time, and that extension made it possible to keep them all open yet limit the memory and CPU footprint of Chrome to more reasonable sizes. I read about the trouble yesterday, and did not hesitate to delete this extension from all my computers!

There is mention of a few alternatives to The Great Suspender; at least one of them is a copy of the latest “pure” version of  TGS. But at the moment it isn’t available at the Chrome Web Store and requires a bit of manipulation to get it installed properly: that’s not for everyone.

By the way: if the ticket mentioned above is too technical for you, hop over to Life Hacker or The Register get their take on the subject.

Anyway, the worst part of the whole story is that Google does not seem to be interested in doing what it should do, that being to kick the extension out of its Web Store, at least while investigating the matter. But so far there seems to have been no reply from them, even though several people, including me, reported the extensions as incompatible with the rules of the Chrome Web Store. In the words of The Register:

The Register asked Google whether it plans to implement any measures to help make it easier for people to understand who maintains Chrome extensions and to understand code changes that have been made. We’ve not heard back.

Read Full Post »

Now That The Second Wave Is Clear To All (I Hope)

I was wondering: should I install the belgian Coronalert app to help me know whether or not I have been in contact with COVID-19 contaminators? Many solutions to such “contact tracing” apps from all over the world have been found to be guilty of privacy invasions. I like to be on the side of the maximum privacy camp, so I went looking for serious discussions about the Belgian app. Sorry to say so, but the only valid discussion I could find was the report of the official security assessment, on the website of the application:

https://coronalert.be/wp-content/uploads/2020/10/Report-Coronalert-Application-Security-Assessment-Public-Report_vFINAL.pdf

The report seems to be well done, and the conclusions in it are encouraging: there seem to be no serious issues when it comes to the security of the app and its data. I would have loved to see an independent review by one or more security researchers… But in the meantime it won’t hurt to install this; let’s just hope it does not drain the battery too much!

Read Full Post »

KeePassium Made The Cut After All

A couple of months ago I started my search for a good iOS app to replace MiniKeePass; I even wrote about it briefly on November 15th. The situation became very urgent when I switched iPhones two weeks ago: everything moved swiftly from iPhone One to iPhone Two – except MiniKeePass, which had disappeared completely from the App Store!

It took me a couple of hours to read up on the current state of KeePass affairs in the iOS world (thank you, reddit!), and a few more to test and re-test a few candidates. Since my wife will also be using the application, and we both also have an iPad, syncing with the iCloud was a must-have feature.

In the end, KeePassium turned out to be a winner after all. This time (and ever since!) it does open our .kbdx files without issues, and is well integrated with iOS and Face ID. That’s all we need at the moment. Thanks, Andrei!

PS. It must be happening more and more these days: apps that are no longer compatible with current OS versions, or that are no longer actively maintained by their developers. But I feel it might be worthwhile to keep a trace of them in the App Store (and similar repositories), if only when you search for them by name. I’ll give bonus points for a small explanation as to why they disappeared from current search results…

Read Full Post »

A Good Intention For 2019: Improve Your Online Security

The list proposed isn’t perfect, but multiple items on the list are a good start: “Security Checklist: Be safe on the internet“. It’s an “open source checklist of resources designed to improve your online privacy and security“, and it does cover the basics: a password manager, strong passwords, two-factor authentication where possible, device encryption, etc. As a Belgian citizen, I don’t know what a “credit freeze” is, so I ignore that suggestion.

I’m not certain if I should classify it as a minor or a major flaw, but I feel that Keepass (and its variants/derivatives) should have been mentioned explicitly. I have written about Keepass in the past, and in my mind it’s still the best password management solution. Yes, it requires a bit of tinkering, but you really don’t need any advanced computer skills to build a strong, working solution for multiple devices that works online and offline. I prefer that to a paying solution which at the same time stores your precious data in a place that you just have to trust…

Read Full Post »

Good News From The European Front

In the words of Julia Reda, MEP for the German Pirate party:

[On January 18, 2019, the European] Council firmly rejected the negotiating mandate that was supposed to set out Member States’ position ahead of what was supposed to be the final negotiation round with the European Parliament, Politico reports. National governments failed to agree on a common position on the two most controversial articles, Article 11, also known as the Link Tax, and Article 13, which would require online platforms to use upload filters in an attempt to prevent copyright infringement before it happens.

So for the moment the proposal on copyright reform isn’t going anywhere. This is not the end of the battle, however. But in the mean time, many thanks to Julia and to all of the people who helped to increase the pressure on the European politicians. Stay alert, and let’s keep fighting bad legislation!

Read Full Post »

Telegram Banned In Russia? Good News!

It’s all over the Internet: the Telegram messaging application will be banned in Russia. Censorship is never good news, so why am I happy about the news?

It’s simple: if even the russian secret services/hackers can’t break the Telegram encryption, then their protocol and encryption must be very good! That’s good news for Telegram users and privacy lovers all over the world (except Russia, of course). And that makes me a happy user of Telegram.

Read Full Post »

As Usual, Security Stuff Is Hard To Get Right

Want to learn something about SSL and SSL certificates? I sure do, having just encountered an revoked certificate blocking an app at work. So I read “Revocation is broken” by Scott Helme. In summary:

We have a little problem on the web right now and I can only see this becoming a larger concern as time goes by. More and more sites are obtaining certificates, vitally important documents that we need to deploy HTTPS, but we have no way of protecting ourselves when things go wrong.

As you can guess, that didn’t really help to solve our problem – but it’s a clear explanation of the current state of affairs in certificate validation land, at least for browsers!

Read Full Post »

I’m Sticking With MiniKeePass On iOS, Thank You

From time to time, I spend some time (sometimes way too much) to check out the applications I’m using. Certainly on mobile devices the available options for a given function can change quickly, and it’s always useful to see if you’re missing out on something a newer application has to offer.

My most important app on any platform is, of course, a password manager. I have already spoken out in favour of the KeePass family of tools. Currently on the iPad Mini I’m using MiniKeePass, which is not very sexy to look at (or to use). But the app can read your database when stored in the cloud (Dropbox, Google Drive, etc.), and the source code is available on Github – so we are reasonably certain that the app does what it is supposed to do, nothing less and certainly nothing more.

The MiniKeePass settings screen

My search for ‘Keepass‘ on the App Store turned up another candidate: KeePass Touch. Glancing over the specs made me want to try it out. Indeed, the “Touch” part of the name indicates that you can unlock access to the passwords by using Touch ID, and I must admit that I have grown fond of that functionality on multiple mobile devices.

However, a bit of study stopped me from switching from MiniKeePass. Here’s why:

• KeePass Touch displays ads, that can only be avoided by paying.
• KeePass Touch claims to be “Open Source”, but I’m guessing the quotes are there for a reason: I wasn’t able to find the source code of this app, nor did I even find any website for the company that publishes the app.
• As I found out by comparing both apps, MiniKeePass can also be unlocked by Touch ID. That’s perfect for use on my new iPad Pro ;-)

I’m very suspicious of KeePass Touch, since there are no guarantees that your passwords are safe from the eyes of its developers.

I would be very happy if someone made MiniKeePass read and write its files directly from/to Dropbox, Google Drive or a similar cloud service. But even without that I will continue to use MiniKeePass – if only to prove that real Open Source is important to me.

Read Full Post »

Security Flaws In Signal And WhatsApp Aren’t Too Scary

Online security remains a hot topic in 2018. I was alarmed a few days ago, when messages showed up in my RSS feeds about weaknesses in Signal, Threema and WhatsApp. I use Signal almost every day, ever since it replaced its predecessor TextSecure. It’s my default texting app that covers SMS messaging in general and secure messaging with other Signal users. Logic dictates that I pay attention when Signal is mentioned in the news, especially on the subject of its security features.

So I consulted Matthew Green, through his blog post “Attack of the Week: Group Messaging in WhatsApp and Signal“. He writes that things are not as bad as they might have been:

…due to flaws in both Signal and WhatsApp (which I single out because I use them), it’s theoretically possible for strangers to add themselves to an encrypted group chat. However, the caveat is that these attacks are extremely difficult to pull off in practice, so nobody needs to panic.

So one-to-one conversations are still very private, and that’s what I care about most – I don’t think I have ever tried to send a message to a group in Signal.

Still, as Green notes, “The great thing about these bugs is that they’re both eminently fixable“. Now, I trust Open Whisper Systems to correct the issue in a short time (if it hasn’t already been fixed: the issue is seemingly not that complex to solve). But WhatsApp does not seem inclined to do the same, according to Wired’s “WhatsApp security flaws could allow snoops to slide into group chats“. So you have been warned!

Read Full Post »

I Still Have A Few Of Those Non-Intel Macs…

Rich Stevens has a point in his “Comic: Classic Mac Meltdown“.

Click to see the full comic.

But let’s face it: most of the old Macs are nice collector items, but not much use for actual daily use on the Web these days!

Read Full Post »

There Is No Such Thing As ‘Perfect Online Security’. But You Should Try To Get Closer!

I have known for a long time that there is no such thing as ‘perfect online security’. But I do try to apply at least some of the guidance taught by experts. Not just on my computers, but also (and foremost!) on mobile devices – even your phone texts (SMS traffic here in Europe) give away a lot of information to anyone who cares to intercept it. But it’s hard to know what to do exactly, and for a long time advice was scattered all over the internet, in blog posts, articles, etc., each mostly about a single subject.

The last few months, the situation has improved considerably, thanks to the efforts by a number of essential players in the field. I’ll enumerate the most prominent of sources here.

The Electronic Frontier Foundation created the Surveillance Self-Defence website. This site contains a whole series of articles ranging from explanations on how parts of the web work to tutorials on how to manage passwords or using PGP for your email. You’ll need a lot of time to read and digest all the information on this site, but the level of detail provided is certainly worth the effort. In their own words:

SSD includes step-by-step tutorials for installing and using a variety of privacy and security tools, but also aims to teach people how to think about online privacy and security in a sophisticated way that empowers them to choose appropriate tools and practices even as the tools and adversaries change around them.

I hope I don’t have to tell you that the EFF is an essential resource to keep up to date with subjects like digital privacy, free speech, and innovation?

The Security Planner project is an initiative of the Citizen Lab, an interdisciplinary group based at the Munk School of Global Affairs at the University of Toronto. The project has a strong academic approach, including peer review of all its publications, and its advisors include Bruce Schneier (whom I have quoted already several times on this blog!).

The principal motivation for Security Planner was our shared experiences (and frustrations) when we are regularly asked the question: “what could average people do to protect themselves online”? Although there are some good guides out there, there is also a lot of conflicting advice.

The advice on Security Planner is organised around themes like ‘Computer’, ‘Online Accounts’ and ‘Phone’, and they clearly indicate what you can gain w<hen you implement their advice. Currently available in English, they are promising versions in Spanish and French soon.

On the WIRED website, you’ll find their ‘Guide to Digital Security’. Just ignore the garish design of the home page, the articles are worthwhile reading.

In this guide, we’ve included a few ways to improve your online security posture based on those different levels of risk. These won’t prevent the next megabreach or banish ransomware from the earth. They’re not all-encompassing. But they’ll help get you in the mindset of the types of steps you should be taking based on your particular situation.

Wired includes a discussion of Google’s Advanced Protection, and talks about the use of Faraday cages and blankets (yes, blankets!) as part of a sophisticated security approach. Specialised stuff, indeed, and overkill for most of us – but it may help you be aware of all the threats that exist in the real world.

You may also have a look at the (long) article titled ‘The Motherboard Guide to Not Getting Hacked’ over at the website of Motherboard (part of Vice). It’s not as comprehensive as the previous sources mentioned here, but it contains a lot of links that may be of use to you. And for my part you can quote them when talking to your employer:

And if your employer asks you to change passwords periodically in the name of security, please tell them that’s a terrible idea. If you use a password manager, two-factor authentication (see below), and have unique strong passwords for every account there’s no need to change them all the time—unless there’s a breach on the backend or your password is stolen somehow.

The above sources are mainly directed towards individuals. If you want some pointers about how to deal with privacy and security for groups, have a look at the ‘Cybersecurity Campaign Playbook’, published by the Belfer Center for Science and International Affairs (Harvard Kennedy School) in November 2017. The approach here not only includes subjects talked about in the previous sources I mentioned, but includes the ‘human factor’. In their words, when talking about a campaign to get elected for public office:

In today’s campaigns, cybersecurity is everyone’s responsibility. Human error has consistently been the root cause of publicized cyber attacks, and it’s up to the candidate and campaign leaders to weave security awareness into the culture of the organization.

That brings us back to the main point in all these publications: if you’re using computers, tablets, smartphones and other devices, be aware of the risks – and act accordingly!

Read Full Post »

Sort Of An ‘Encrypted Email For Dummies’, But For Smart And Privacy-Minded Users

I like my privacy a lot, and anyone checking out my blog or the apps on my computers great and small will see proof of that. That also explains why I have a ProtonMail account, although I must admit that I don’t use it very often – to make full use of it, you need correspondents that use the same tool.

To make the use of the ProtonMail service easier, the company makes a new tool available:

The ProtonMail Bridge is an application for paid users that runs on your computer in the background and seamlessly encrypts and decrypts your mail as it enters and leaves your computer. It allows for full integration of your ProtonMail account with any program that supports IMAP and SMTP such as Microsoft Outlook, Mozilla Thunderbird and Apple Mail.

(Click the image to read ProtonMail’s blog post on the subject)

Compared to the hoops you had to jump through in the past if you wanted to encrypt your email with PGP, this looks like a dream!

Read Full Post »

Can Keybase Make Us Forget The Complexity Of Using PGP ?

A few (5 or more?) years ago, I was looking into PGP as a way to encrypt email. At some point, I bookmarked the Keybase homepage… and then forgot about that link, just like so many other URLs about PGP – PGP was pretty hard to use in those days. At that time, if I remember correctly, Keybase promised a way to store (and publish?) PGP keys.

While cleaning up the bookmarks section of my browsers I stumbled upon that URL again, and, unlike many other websites, Keybase is still up and running. Better yet, they seem to have succeeded in making a tool that could actually be useful and uncomplicated at the same time. In their own words:

Keybase is for anyone. Imagine a Slack for the whole world, except end-to-end encrypted across all your devices. Or a Team Dropbox where the server can’t leak your files or be hacked.

(Click to go to the Keybase website)

Creating an account and adding a device to your account is a simple and painless procedure. Why would you do so? Well, I’m still exploring the possibilities. One thing to do with Keybase is to authenticate accounts on systems like Twitter and Github. Keybase allows you to store (and share) files in an encrypted format over an encrypted channel. And the (encrypted) chat function has recently been extended with a Team chat that is supposed to resemble Slack. “Supposed”, because I haven’t been able to check that out – you need multiple members to make up a team ;-)

Anyway, it’s certainly an interesting product, and I intend to do more than keep an eye on Keybase!

Read Full Post »

Regular Updates To Enhance Software Security Still Missing On Many Devices

I do not want to pretend to fully understand the exact nature of the so-called KRACK Attack vulnerability in many implementations of the WPA2 protocol that is supposed to make WiFi network connections secure. All details about the KRACK Attack can be found on the webpages of the (Belgian) researcher that found the issue.

I do worry about the fact that MacOS and Android are both mentioned as being particularly vulnerable to this issue. On October 31, 2017, Apple released updates for MacOS EL Capitan, Sierra and High Sierra to solve the problem (at least, that’s how I interpret their report on the subject).

Samsung, however, hasn’t published any updates to their Android version for my Galaxy S7 since August 1st. Perhaps there is no problem on the SGS7? Or is Samsung just being lazy – after all, my phone is still running Android 7.0 – no word on 7.1, let alone 8.0…

And how about all those other devices, IoT and others, that use WiFi connections? Have you already updated your router? How about the wireless hard disk vaults that photographers use? Or the photo cameras themselves? Etcetera.

Matters such as this will need to resolved on a large scale before I will put my trust in the “Internet of Things”, no matter the type of connection used to talk to each other.

Read Full Post »