Newsletter 02 – Securing your online content

This is an extract of the newsletter email sent out to a handful of family and friends on 14 Nov. 2014


It's been a while since the first newsletter was sent, so here is a quick summary about the newsletter project and this email.

I apologise if you don't want to receive these emails, and if so please unsubscribe or email me.

~

The first email focussed on resetting passwords where possible following the revelation of the Heartbleed vulnerability, and this carries on with a similar theme on how to better protect yourself following new revelations of similar security vulnerabilities.

It's not just well-known personalities who are targeted and have their personal information made public, which is what happened recently in the widely reported 'Celebrity iCloud Hack'. Perhaps the more disturbing part is the evidence of organised criminal enterprises that target individuals based on specific requests made by someone close to the intended target. This is particularly dangerous given that a lot of information such as birth date, address, etc. is well known and is often handed to the malicious party.

The following two approaches, when deployed together, can go a long way towards helping protect your personal information.

#1 Strong Passwords (using a password manager)

Creating strong passwords and remembering them continues to be a problem for everyone. A highly recommended way to deal with this is by using Password Managers. Wikipedia has a good overview on this topic...

A password manager is a software application that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password which grants the user access to their entire password database.

A few well known and respected password managers are listed below.

All of these provide different features and are targeted at different price points, and all of them support the major platforms: Windows, Mac, smartphones and tablets. In many cases they offer free editions which can be used on a single device.

TIP 1: Store your passport details, NI number, car insurance details, door codes for the office, mortgage and other insurance details, and other sensitive information as 'secure notes' within your Password Manager of choice. I'm often surprised by how frequently this information is needed and how much easier it is to retrieve when it's all stored securely and centrally.

TIP 2: Many password managers now support fingerprint recognition on iPhones, thereby making them a lot safer and also much more convenient to unlock quickly when needed.

Get in touch if you want to discuss this in more detail or need help picking out the right solution.

[*] I'm partial to 1Password for its excellent applications across all platforms and very open communication about ongoing revelations in the security industry. However, it's not cheap.

#2 Two factor authentication

While the terminology can be daunting, it's largely what many of us probably already use with our banks: typing a 6-8 digit code generated by a special little device before you're able to access online banking.

This same technique can be used to further protect you online, all without any additional costs. Wikipedia has a good in-depth write up about this.

While total security and protection cannot be achieved, two factor authentication makes it much harder for someone to gain unauthorised access to your content.

There are two options to get started.

Option 1 - SMS

You can request services like PayPal to SMS you a 6 digit code every time you log in. This is the easiest way to get started as you don't need to do anything extra other than set it up with PayPal in a one-off exercise.

Option 2 - Authenticator apps

This is a slightly more complicated process, but has a few benefits over the plain SMS authentication outlined above.

The process usually involves something like the following steps:

  1. Log in as usual. I'll use Gmail as an example.
  2. Within the Account Settings/Security section you can enable two-factor authentication.
  3. You choose what type of phone you have, e.g. an iPhone or a flavour of Android.
  4. Download a special app to your phone (only the first time you do this).
  5. From within the app you scan a special barcode that Gmail shows on screen.
  6. This barcode scan establishes trust between Gmail and your phone.
  7. Next time you want to use Gmail, you need your normal password, but also the 6-digit code the special app on your phone has generated.

While the above summary of instructions is generally accurate, instructions may differ across services. You can get started with setting up two factor authentication with some of the more popular services by following these links: Gmail, Evernote, Facebook, LinkedIn, Twitter, and Dropbox.

Tip 1: There are two recommended apps for your phones which will generate the security codes necessary once you've enabled two factor authentication.

  1. Google Authenticator [link]
  2. Authy [link]

(For what it's worth, Authy is my current preference.)

Tip 2: Once two factor authentication is enabled, most services will offer a batch of one-time use codes which can be used if you find yourself locked out of your account. These codes can be stored securely within your password manager of choice.
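To show what those one-time recovery codes are and why they are safe to keep in a password manager, here is an added example that is not from the newsletter or any named service. It is a constructed sketch of the service side: codes are generated from a cryptographic random source using an alphabet without look-alike characters, only salted slow hashes of them are stored (so a database leak does not reveal usable codes), and each code is invalidated the moment it is redeemed. The class and function names are illustrative.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O, 1/l/i to avoid transcription mistakes when a code is typed from paper.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, groups: int = 2, group_len: int = 5) -> list[str]:
    """Return `count` codes such as 'k7xq2-m9ptw' (about 49 bits of entropy each)."""
    codes = []
    for _ in range(count):
        parts = ["".join(secrets.choice(ALPHABET) for _ in range(group_len)) for _ in range(groups)]
        codes.append("-".join(parts))
    return codes


def normalize(code: str) -> str:
    """Ignore separators, spaces and case so users can type the code however it was saved."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str, salt: bytes) -> bytes:
    # A slow hash: even though the codes are random, this limits offline guessing after a leak.
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode("ascii"), salt, 50_000)


class BackupCodeStore:
    """What the service keeps per account: a salt and the hashes of the unused codes."""

    def __init__(self, codes: list[str]) -> None:
        self.salt = secrets.token_bytes(16)
        self.unused = {hash_code(c, self.salt) for c in codes}

    def redeem(self, submitted: str) -> bool:
        """Accept a code once: compare in constant time, then burn it."""
        candidate = hash_code(submitted, self.salt)
        matched = None
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self.unused.discard(matched)   # single use: the same code will never work again
        return True

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    # Constructed demo: issue codes, show them once, then redeem one twice.
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("save these in your password manager:", codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

The practical consequences for the reader are the two things the tip already says: the codes are shown only at the moment they are issued (nothing usable is kept afterwards), and each one stops working after a single login, so the batch should be regenerated once it runs low.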

In summary, both the solutions outlined above -- strong passwords using a password manager, and two factor authentication -- will greatly improve your online security. However, there is the downside of potential upfront cost, added inconvenience at times and the difficulty in getting started.

~

Other technology news

This section is an experiment largely based on conversations at work, where I'm in the process of winding things down before moving on to a new job. The aim is to cover items that may benefit those directly involved in – or vaguely linked to – the technology industry.

  1. Microsoft has announced it is open sourcing the core .NET runtime and that it will also be available for Linux and Mac OS X. This is a brave and bold move. Also, Visual Studio 2013 is now free. As for the implications to the open source Mono project, conversations on Twitter and directly from the founder of Mono suggest that there will be a fair bit of collaboration going forward.
  2. Windows 10 announced and due to ship late 2015. Also, Windows 10 in pictures.
  3. Something to remind your IT infrastructure team: Windows Server 2003 support officially ends in June 2015.
  4. Security
    1. Shellshock, another significant vulnerability that affects a vast number of servers and other internet connected appliances, most likely your home wi-fi router as well. The really scary part: it's extremely easy to exploit. Read more about it here.
    2. SSLv3 'POODLE', recently discovered by Google. There is no fix for this; the only way around it is to disable support for the old encryption protocol on your servers. The fallout from doing this, however, is that IE v6 can no longer be supported, which also affects the significant number of users still on Windows XP.
  5. Google Inbox is their new take on how emails are read, managed and processed. It has a few clever features, e.g. deferring an email until you're home and better able to deal with it, or bundling similar emails together. It runs on top of standard Gmail, so you're not setting up any new email addresses. This is potentially another step in Google's inevitable break with the standard email protocols, but for now it's interesting at least.

~

Aside

I can't help but indulge in a little space geekery. I've pulled together a collection of updates and details if you're interested in finding out more about the Rosetta mission, which recently successfully landed a spacecraft on a comet.

~

What do you think?

Any and all feedback is most welcome. Also, you can direct anyone who you feel might benefit from this newsletter to the sign up form.

Best,

Mayuresh Walke

newsletter@mayureshwalke.net | http://mayureshwalke.net

// Issue #2. Published: 14 November 2014 //

Newsletter archive | More about this newsletter project