Tag: Security

569 – Password migration

Posted on by ewand

clip_image002One of the problems with free software and particularly free services, is that at some point, they might stop being free. The path of freely-provided online services is littered with companies who gave their service away to get the users, then grappled with the reality that more users means more costs to deliver the service – and if they don’t get enough income from whatever sources they can, the free ride will come to an end. Just look at Photobucket. And every web site that makes you whitelist them in your ad-blocker before you can continue.

The latest in a line of what-used-to-be-free but is now tightening its belt is LastPass, an excellent password manager that has a lot of users but may end up with a good few fewer. The day after the Ides of March, LastPass Free will only allow use on a single device type, so if you currently use it to sync passwords across desktops and tablets or mobiles, then you need to start paying (and maybe you should) or stick to either mobile or desktop.

As soon as the company announced its plans, the web sprung up many articles offering “what is the best alternative to…” type advice. Only a few weeks ago, ToW#561 espoused the virtues of cleaning up your passwords, featuring LastPass and also trailing some features that were coming to an alternative that you might already be using to provide 2 factor authentication on your phone – Microsoft Authenticator.

It’s fairly easy to switch to using Authenticator on your device to also sync passwords and to provide the Auto-Fill function which plugs in usernames/passwords not only to sites on your mobile browser but to other apps too. If you already have a load of passwords set up in LastPass or other locations, there are methods to export them and then import the data into Authenticator.

clip_image004

In the case of LastPass, you sign into the Vault (either through the browser plugin or directly on their website) and under Advanced Options, select the Export function. It will immediately drop a lastpass_export.csv file into your Downloads folder; be very careful with this file as it contains all your usernames & passwords in clear text.

clip_image006You can get these passwords into Authenticator either by copying the file to your phone (Not a Good Idea) and importing from there, or by installing the Microsoft Autofill extension for Chrome into Edge (remember, Edge is a Chromium browser under the hood), then click on Settings and choose the Import data feature.

Now navigate to your Downloads folder and choose the lastpass_export file. It might take a little while to complete, but when it’s done, make sure you go back to the Downloads folder and clip_image008hard-delete that CSV file (ie select the file, hold the SHIFT key down and press the Delete key – this makes sure it doesn’t go to the recycle bin). You definitely don’t want that file being left behind, or copied or synced anywhere that is not encrypted.

The LastPass browser extension (like other password managers) remains potentially useful on the desktop as it can help to sync passwords between profiles (eg the Work and Personal profile of Edge, if both have the extension installed and logged in using the same LastPass account), or even between browsers – in the cases you might want to use Chrome for some things and Edge for others.

Edge on the PC does have password sync capabilities, though not quite with the same level of flexibility –

clip_image012clip_image014

clip_image010

Edge will let you sync passwords, favourites etc if you’re using a Microsoft Account (eg outlook.com) for your Personal profile, and it may do if you have a Microsoft 365 account for your Work Profile.

In a twist of fate, if you pay for a Microsoft 365 Family or a small business environment rather than using the free Microsoft Account, your subscription lacks the Azure Information Protection feature that is required to allow syncing. In which case, a 3rd party password sync feature may be your best option, even if you choose to use Authenticator on your mobile device, and perhaps do a periodic export/import from LastPass to keep your mobile passwords in sync.

Or best of all, just install the Autofill extension into multiple profiles (or Edge & Chrome), signing into the extension using the same Microsoft Account, to keep the passwords in sync. Tidy.

561 – Password clean up

Posted on by ewand

clip_image001As most of us look to put 2020 firmly behind us and take some down-time over the festive season, there may be a list of jobs which get left to this time of year – filling out the annual tax return, maybe, or clearing out that drawer with miscellaneous stuff in it.

clip_image003You could set your sights higher, even – like gathering all the papers scattered throughout your house (user guides, receipts, utility bills etc etc) and putting them in one place, as recommended by Getting Things Done guru, David Allen.

Or just scan them all in then recycle…

Maybe it’s time to finally sort out all the passwords you use for different websites. Even though Multi-Factor Authentication is gradually replacing the need to enter a username & password every time you access a resource, there’s still often a need to create a username and password combo when you sign up for something. If you’ve used Edge or Chrome to remember your passwords, you might find there are many hundreds of them, and being weak carbon-based lifeforms, we’re quite likely to use the same ones for many sites. Naughty!

clip_image005There are browser addins and other tools you can use to remember the passwords you use, and (using LastPass as an example) can give you the option of generating something strong and unique at the point of signing up on a site, then syncing that username and password back to a central service so you don’t need to re-enter it next time (or remember something truly unmemorable). LastPass recently announced their 2020 stats – they’ve generated 94 million secure passwords and been used to log in more than 10 billion times.

Microsoft Edge offers some password management capabilities – as well as being able to remember passwords within the Edge browser, and sync them between different machines or mobile devices, Edge is also getting to be capable of suggesting and storing complex passwords for new sign-ups.

clip_image007Edge is beefing up its password security in other ways, offering proactive warnings if your passwords have shown up in databases of leaked credentials (at the moment, this is a test feature in the dev builds). One-by-one, you can use Edge’s “fix leaked passwords” function to check what the existing password is for each site, and then click a button to jump to the site to reset it – in some cases, going straight to the change password part of the site.

clip_image009Finally, the password sync feature is getting some extra legs – using the Microsoft Authenticator app on your phone and it’s new beta Autofill feature, you can use that app to provide the username/password for website or even mobile app logins. There’s a Chrome extension too, so if you want to switch back and forth between Edge & Chrome on a PC, your passwords will be available to both.

In some senses, storing passwords and allowing them to be automatically filled in feels like a security risk – anyone with access to your unlocked computer or phone could potentially access your online services. Using Autofill and Authenticator, though, the default setup is to require biometric authentication – so you’ll need a fingerprint or camera, or unlocking with a PIN, before the auto-fill will happen.

Also, it’s more important to have complex passwords that are hard to break or guess, and to have different ones for each and every site or app you use.

This is the final ToW for 2020. Let’s hope ’21 brings us all better luck.

In the meantime, have a great holiday season, stay safe, see you on The Other Side!

556 – Using MFA more widely

Posted on by ewand

{10B132AF-CB81-488A-9B6B-27D6F996ACBA}Previous Tips have covered making use of 2FA – or 2 Factor Authentication – with your Microsoft Account (ie your account from Outlook.com/Hotmail/MSN/Passport etc) and how to manage passwords better, so you don’t end up with P@ssw0rd1 for every single one of your website logins. Dealing with passwords can be complicated and since humans are typically weak and seek the path of least resistance, this can often lead to huge security lapses.

So 2FA – or its cousin, Multi-Factor Authentication (MFA) – is a better way to secure things, as a remote system can validate that the user knows something which identifies them (their username & password, secret phrase, date of birth etc etc) but also has something that identifies them too; a security token, smart card, digital certificate or something else that has been issued, or even just a mobile phone that has been registered previously with whatever is trying to validate them.

Although such systems have been around for a while, the average punter in the EU has been more recently exposed to 2FA through a banking directive that requires it for many services that involve transfer of funds, setting up payments or even using credit cards. In some cases, the tech is pretty straightforward – you get a SMS text message with a 6-digit one-time code that you need to enter into the mobile app or website, thus proving you know something (you’re logged in) and you have something (your phone), so validating that it really is you. Or someone has stolen your phone and your credentials…

MFA is stronger than 2FA, as you can combine what you know and what you have, with what you are. An example could be installing a mobile banking app on your phone then enrolling your account number, username & password; the know is your credentials, and the have is a certificate or unique identifier associated with your phone, as it’s registered as a trusted device by the banking service that’s being accessed. Using your fingerprint to unlock the app would add a 3rd level of authentication – so the only likely way that your access to the service (for transferring funds or whatever) could be nefarious, is if you are physically being coerced into doing it.

2FA and MFA aren’t perfect but they’re a lot better than username & password alone, and Microsoft’s @Alex Weinert this week wrote that it’s time to give up on simpler 2FA like SMS and phone-call based validations, in favour of a stronger MFA approach. And what better way that to use the free Microsoft Authenticator app?

Once you have Authenticator set up and running, It’s really easy to add many {6CB942E5-5D57-48E1-BE97-E89CA2CF482B}services or apps to it – let’s use Twitter as an example. If you’re using a browser, go to Settings and look under Security and account access | Security | two-factor authentication.

{3D294F5C-25AA-4DA7-8C84-C13CF43B7321}If you enable 2FA and tick the box saying you want to use an authenticator app, it will ask you for your password again, then show you a QR code which can be used to enrol in the app.

In the Microsoft Authenticator app itself, add an account from the menu in the top right and then choose the option that it’s for “other” – presuming you’ve already have enrolled your Work or school Account (Microsoft/Office 365) and your Personal account (MSA, ie Outlook.com etc).

{E43FB7C2-CE71-430B-A0BC-21A7CB912CD0}

After tapping the option to add, point your phone at the QR code on the screen and you’re pretty much done; you’ll need to enter a one-time code to confirm it’s all set up – rather than getting an SMS, go into the list of accounts in the Authenticator app home screen, open the account you’ve just added then enter the 6-digit code that’s being displayed. This is the method you’ll use in future, rather than waiting to be sent the 6-digit code by text.

As you can see from the description, there are lots of other 3rd party apps and websites that support MFA using authenticator apps –

503 – OneDrive Personal Vault

Posted on by ewand

clip_image001A previously-announced capability of OneDrive has been widely rolling out – the Personal Vault. This is a special area of your OneDrive Personal storage which is invisible until you choose to unlock it, using a second strong factor of authentication (such as 2FA and the Microsoft Authenticator mobile app). On a mobile device, you can use a PIN, fingerprint or facial recognition to provide the additional identity verification.

clip_image003When you unlock the Personal Vault from the OneDrive app on your PC (eg. right-click on OneDrive’s white cloud icon in your system tray), it appears as a special folder clip_image004under the root of your personal OneDrive folder list, on PCs where your OneDrive content is synchronised.

Browsing in your OneDrive data folder, you may need to enable Hidden Items in the View tab to even see it.

You can treat it like any other folder, adding files and other folders that are particularly sensitive – scans of important but infrequently-accessed documents like passports, driving licenses and so on.

Why infrequently accessed, you may ask?

clip_image006When the PV is visible, it will re-lock after 20 minutes of inactivity (or can be locked manually) and would need another 2-factor authentication method to unlock it again (text message, phone-app approval etc). On the PC, when the PV is locked, the “Personal Vault” folder (and therefore everything under it) is completely hidden and therefore any files within it do not exist as far as Windows is concerned.

clip_image008In fact, the PV isn’t just a hidden folder – it’s treated by Windows as another physical volume that is mounted on the PC for the duration of it being unlocked; a Junction is then created so it can be accessed as if it’s part of your OneDrive data folder. When the PV is locked again, the volume is clip_image010dismounted and the junction disappears, so there is no way to access the data using the normal file system.

If you had a file in your now-locked PV that you tried to access from clip_image012the most-recently-used files list in either Windows itself or within an appclip_image014, you’ll get a jarring “file does not exist” type error rather than a prompt to unlock the PV and the file within.

Maybe apps will in time come to know that a file is in PV, and prompt the user to unlock before opening?

Then again, security through obscurity (the most sophisticated form of protection, right?) might be a good thing here; when the PV is locked, there is no such folder therefore no apps can get access to it without the user taking specific and separate action to unlock it first. Not being seen is indeed a useful tactic.

clip_image016Personal Vault can be accessed from the PCs or mobile devices through the OneDrive app, or in a browser – at onedrive.com. No Mac support is planned.

Unlike in the PC scenario, the PV folder is always shown and indicates if it’s open or locked based on the icon.

The Web UI offers other help and advice about how to use the Personal Vault effectively.

clip_image017

OneDrive on PC – Setup error 0x8031002c

clip_image019Enabling Personal Vault for the first time might throw an error if your PC is corporately managed with a BitLocker policy.

To work around this and get up and running, try:

  • Press WindowsKey and type Group Policy, then open the Edit group policy control panel (if you don’t see this or get an error, try running mmc from a WinKey+R prompt, then File | Add/remove Snap-in | Group Policy Object… | clip_image021Add | Local Computer | Finish | OK)
  • Expand to the Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Fixed Data Drives node
  • Double-click on the Choose how BitLocker… setting and update it to Disabled then hit OK
    clip_image022
  • Press WindowsKey+R and type cmd then hold SHIFT+CTRL when pressing ENTER, to run the command prompt with administrative rights
  • In the ensuing command prompt enter gpupdate /force and, assuming everything runs without blowing up, you can close the command & Group Policy windows down and try enabling Personal Vault again.

Tip o’ the Week #221 – Stay safe on WiFi

Posted on by ewand

clip_image002

Following last week’s misty-eyed retrospective on WiFi and Bluetooth, it’s worth pausing a little to pass on a few safety tips too. If you’ve a WiFi network at home which does not have encryption enabled (using a decently strong password – known as a Pre-Shared-Key or PSK – and a modern encryption method, such as WPA2) then you must hang your head in shame immediately, that is, immediately after you go and put a strong password on your WiFi.

What should you call your home WiFi network? Well, if it’s “NETGEAR” or similar, then make sure you call it something else (in case a well-known exploit is found in every NETGEAR router, in which case you’ve just told every kerbside hacker how to break into your network). Also, it’s worth making sure you change the admin password for your router – it’s a piece of cake to find out the default password for well-known routers, such as NETGEAR ones.

How to name your SSID might depend on where you live, if you have any neighbours, if you trust them and so on.

clip_image004Serial ToW contributor Paul “Woody” Woodman has the mischievous idea of setting his SSID to be something eye-opening – in fact, the WiFi network set up by his phone’s Internet Sharing (as covered in last week’s ToW) has an interesting name…

So, Woody’s on the train, using his phone to connect to the internet, and all the other WiFi users in the same carriage are on their best behaviour…

The Huffington Post wrote about this phenomenon a few years back.

To get a more reliable connection, it’s worth setting your WiFi channel to be something that interleaves well with your neighbours, so you’re not both trying to blast out on Channel 6 – as a guide, check here. Try using a bit of software called inSSIDer to sniff your neighbourhood, see what their networks are called and what channel they’re on, then set yours to something complementary, if you can.

Stay Safe Online

Yvonne Puley made a suggestion about checking what WiFi networks you connect to, after reading a report on the BBC website and seeing an article on the BBC’s Click programme. The gist of the piece is that public WiFi networks – a hotspot set up by your local coffee shop, or even well-known WiFi networks provided by telco’s and the like – are not necessarily all they seem. A simple scam could be for a ne’er-do-well to set up a spoof WiFi network on their own laptop, and the unsuspecting browsers could connect to it and all their online movements could be recorded and tracked. Other hackers could stage a “man in the middle” attack using software that intercepts traffic on legitimate networks and can even decrypt supposedly secured SSL traffic.

In short, there’s no way for you to guarantee that what you do on any public WiFi network is safe from prying eyes. Europol (not to be confused with Interplod, as Arthur Daley might have ventured) says, basically, don’t use public WiFi networks for anything private, like online banking. If you want to scare yourself silly, then watch this Click clip.

clip_image006Anything that goes over VPN or DirectAccess should be OK, as the encryption mechanisms used are less susceptible to having a breaker on the side. Even when connected back to base using a more secure connection, though, ordinary web surfing and background updating of apps will typically go out via the public WiFi network. It’s worth also making sure you don’t give too much away – like when you first connect to the network, unless you control it, then you don’t want to “find PCs, devices and content” etc.

For more info on this setting, see here. Looking in the PC’s settings at the connection properties (as described in that article) also lets you see what kind of encryption you have running on the network. If you’re connecting to a WEP network (the traditional method for putting a password on a wireless connection), then think twice about trusting it – Wired Equivalent Privacy is anything but, and can be relatively easily cracked.

Tip o’ the Week #123 –Windows 8: sign in, with Pic & PIN

Posted on by ewand

clip_image002A short but sweet Tip this week, aimed at those of you who are running Windows 8: if not, why not check out the Release Preview page.

Out of the box, the logon security model that Windows 8 supports offers a variety of ways to log into or unlock your PC, though ultimately it could still requires a complex password just like before and network admins could disable certain features. It might be decided, for example, to not Both the Picture Password and PIN approaches are really aimed at making it easier to sign in when you don’t have a keyboard – unlocking a slate device using a strong password can be pretty laborious with an on-screen keyboard, so both provide a more touch-friendly way of logging in.

Picture-based logon

clip_image003

Picture Password allows the user to take any photo, to choose 3 features of it, and to make a gesture on each of them. An obvious (and therefore – seriously – not recommended… do not do this) choice would be a picture of your child/spouse/dog/self, where you touch on both eyes and then the nose, or swipe along the smile. This don’t-pick-the easy-to-guess-feature approach is somewhat reminiscent of the great Monty Python “How Not to be Seen” sketch*. Fans of the original Halo game may like to hark back with this spoof video.

Anyway, best practice says to choose a picture with lots of potential points of interest, so that you and only you will know which people to tap on, or which trees in the forest to swipe the trunk of, etc. Although Picture Password can be operated with a mouse, its sweet spot is really if you have a clip_image004touch-capable device.

PIN

This is something of a secret gem, since it’s as useful on a desktop or laptop as it is on a touch device. In a nutshell, setting a PIN on Win8 will allow you to unlock your work PC with only 4 keystrokes (you don’t even need to hit ENTER). As with Picture Password, you need to set your strong password first, and when your password changes, you’ll need to go back in and edit the settings for the PIN. Essentially, PIN and Picture Password are just used as way of unlocking the strong Alph4numer1c Pa55!w0rd that’s been stored already.

clip_image005To enable either of these options, go into the Settings charm from the main Start Screen, and choose More PC settings, then go into the Users option on the left, and look under Sign-in options.

Do bear in mind that it’s possible that your company’s information security folk (if you have them) may decide that they don’t want people to use the new Picture Password feature, or the ability to unlock your machine with a simple PIN, if either won’t meet their security policies. For the moment, you might find that both are allowed, and if you get your funky Windows RT slate device later in the year (like this one?), you’ll still be able to use these techniques to unlock it.

*Mr Nesbitt learned the first lesson of not being seen: not to stand up. However, he did choose a very obvious piece of cover…

Tip o’ the Week #64–Some IE9 tips

Posted on by ewand

This tip was originally written shortly after the release of Internet Explorer 9, however it’s still valid today. IE9 is the fastest, most modern and most secure browser we’ve ever made (some would say, that anyone has made – recent independent analysis from NSS Labs shows IE9 blocking the vast majority of malware, versus all other tested browsers which fared less well – less than 20% effective, in fact).

If you haven’t installed IE9 yet, just head to http://microsoft.com/ie9 and click the “Download Now” – it’s as simple as that. Reasons to install are here, if you need convincing.

What’s new?

There’s a good overview of the new features in IE9, here. Far too many to cover in one Tip o’ the Week – so it’s a subject we will be returning to.

One key usability improvement is the ability to Pin sites to your taskbar, so you can launch them (or return to them) with a single click: just open the site, click on the tab it’s located in, then drag & drop the tab to the taskbar in order to pin it. Another is the simple display of recent & popular sites you’ve visited, when you create a new tab in IE9 by clicking on the clip_image002end of the tabs list, or by pressing CTRL-T.

The overall UI is much sleeker and simpler, doing away with lots of icons and even the separate search bar – if you want to search for something, just start typing it into the Address Bar and if it doesn’t get returned via your favourites or your recent history, then it will query your defrault search engine directly from there.

There’s even a “suggestions” option that can be turned on with one click, to suggest search results as you type. This is the off by default, as it would also send keystrokes of URLs you might type in… so the user has to opt in.

Show me the intranet! (add a “/”)

If you enter an intranet URL in the address bar, it will generally try to search online for that “word” – but in the background, IE9 can check if there is a web site available with just that name, and will offer you (displayed at the clip_image003bottom of the screen) the option  of going to that site. Try it with a site you haven’t visited since upgrading – eg hrweb

Once you’ve said “Yes” once to the offer, if you next enter the same phrase, IE9 will check from your history and see that you really did want to go to http://hrweb, rather than search Bing for it…

If you want to force IE9 to take you straight to the intranet site (and miss out the whole “search Bing, then confirm that you do want to go to the intranet..”), simple put a “/” at the end of the term. So you enter “itweb/ into the address bar (not bothering with http:// etc) and IE9 will take you straight to the designated site. Thanks to MSIT’s John Owen for this tip.