Archive for the ‘Security’ Category

Security Heresy

22 Mar 2007 17:00 by Rick

You are better off writing a good password down rather than memorising a poor one.

I have already posted the method I use for managing passwords but this relatively high-tech solution is not for everybody. I am not advocating the “post-it on the monitor” that the cartoon in the last post was talking about, but for those important passwords that you don’t use often and can’t remember, write them on a slip of paper and put them somewhere safe. This is a much better plan than using a silly password that anyone can guess.

The point is that everything deserves just the right amount of security. Providing any more is counterproductive. You have to balance the potential loss against the risk and take into account the inconvenience; if it is too difficult then you won’t stick with it.

Some accounts don’t need much security at all—a simple password will do for subscription news accounts and you can safely let the browser remember them and automatically log you in (but write them down anyway in case you have to change machines). Most shopping accounts are similar, but email and forum accounts need a little more care because your reputation could be at stake. For financial & eBay passwords make sure that they are good and random and keep them very safe somewhere. If you need an email account on the road then the safe place could be as simple as your wallet. This is not a good place for your online banking account however, as there is a lot of other information in your wallet to help the thief. For most systems an adequate place is a notebook in another part of the house from your PC; you are hardly ever going to use them. And, as I said before, make sure that your heirs know where they are.

Password Reminders

19 Mar 2007 15:48 by Rick

Password Reminders

Thanks to the Security Buddha for this.

Fake 20s

10:27 by Rick

These are the guidelines given in a press release from the Bank of England (PDF) about the new “Adam Smith” £20 note.

What should I do if I think I have a counterfeit note?

Counterfeit notes are worthless. It is a criminal offence to hold onto or pass on counterfeit notes. If you suspect a note is counterfeit, take it to the police as soon as possible. They will give you a receipt and send the note to the Bank of England for analysis. If the note is genuine, you will be reimbursed.

That last sentence doesn’t exactly encourage you to look too carefully, does it?

Trojan Horse

7 Mar 2007 15:19 by Rick

Do you remember the story of the Trojan Horse, where the Greeks put a load of soldiers inside a wooden horse and gave it as a gift to the city of Troy? It wouldn’t work now, would it?

Trojan Horse - The Chaser

Perhaps it would!

Vista Security

14 Feb 2007 12:56 by Rick

It has been asserted that “Vista is light years ahead” of Windows XP on security (sorry I can’t find the citation but it is quoted here).

Well, we have a good test for that over the next few years: let us see how many new vulnerabilities are detected in Windows XP and its accomplices which do not apply to Vista.

Privacy, what privacy?

6 Feb 2007 09:20 by Rick

I always find it interesting how single-minded the news reports can get when there is a big story about. At the moment one of the big stories is the outbreak of avian flu at the Bernard Matthews turkey farm in Suffolk. In a radio article it was reported that one of the workers (probably a Portuguese migrant) said how good the bio-security was: “they even have cameras in the wash-rooms to make sure that you are cleaning up properly.” I am sure that if this was revealed in any other circumstances it would have been picked up and made a major story in its own right; would anyone, not desperate for a job at any price, tolerate this sort of intrusive surveillance?

Security alert

10 Jan 2007 10:59 by Rick

According to the news you can now sign up to receive security alerts from MI5 direct. I was going to write about this yesterday but I had no luck in finding it on their web site. Even the What’s New page doesn’t mention it—to save you the effort, the page is here (Contact Us) though I see that there is now (sometimes) a link under the What’s New paragraph on the front page (the secure and plain versions of the home page have different content).

Anyway, I am rather disappointed that they have only set this up using a communication system that is, itself, fundamentally insecure. By this I mean e-mail. It is not that there is any particularly sensitive information being sent, but that is not all security is about. Spoof e-mails are widespread and all sorts of fun and games could be had by issuing bogus MI5 alerts, even if they are not strictly on topic. There is widespread misunderstanding of what MI5 does anyway.

A much better system would be to use an RSS feed, especially as systems to use them are now widely available (IE7, Firefox, Thunderbird, etc.). The thing that is lacking is public understanding of the system, but what a good opportunity for education; there is nothing better than a want-to-know to get people to learn.

[Update]
You can get a Firefox plugin that displays the threat level.
The implementation was a shambles. Although the form may be on a secure page (depending on how you get to it), the data is transmitted in plain text straight to a commercial direct mail organisation in the USA.
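The kind of check that would have caught the plain-text submission described in the update, as an added example (this is not code from the original post; the page URL and form markup are constructed placeholders, not the real site): a small Python scanner that parses a page’s forms and flags any whose submit target drops to plain HTTP or goes to a host other than the one the user is looking at.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormActionScanner(HTMLParser):
    """Collect the absolute submit URL of every <form> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action means "submit back to the current page".
            action = dict(attrs).get("action") or self.page_url
            self.actions.append(urljoin(self.page_url, action))

def insecure_form_targets(page_url, html):
    """Return (submit_url, reason) for each form that leaves an HTTPS page over
    plain HTTP, or hands the data to a host other than the one the user sees."""
    scanner = FormActionScanner(page_url)
    scanner.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for action in scanner.actions:
        target = urlparse(action)
        if target.scheme != "https":
            findings.append((action, "plain-text submission"))
        elif target.hostname != page_host:
            findings.append((action, "third-party host"))
    return findings

# Constructed sample (placeholder domains): a sign-up form on a secure page that
# posts the address to an outside mailer over HTTP, beside a harmless local form.
SAMPLE_PAGE_URL = "https://secure.example/contact"
SAMPLE_HTML = """
<form method="post" action="http://mailer.example.net/subscribe">
  <input name="email"><input type="submit" value="Sign up">
</form>
<form method="get" action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for url, reason in insecure_form_targets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{reason}: {url}")
```

The same scan run on a page fetched with a normal HTTP client shows whether a “secure” form really stays secure once the submit button is pressed.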

IE7

16 Oct 2006 18:24 by Rick

In case you haven’t heard, Microsoft are about to release Internet Explorer Version 7 to the world—I am not exactly sure when. Anyway, they are so keen on it that, soon after it becomes available, they are going to push it out as a “fix” on Patch Tuesday like the monthly security repairs.
My opinion, for what it is worth, is that the average user should resist installing this for a while to give it a chance to settle down. Many web sites will not be prepared for the changes. I have not tested it yet because I don’t want to install a pre-release version onto my only working computer, so I haven’t tested and adjusted my web site for it. I expect there are many people in the same position. Give it a few weeks for the gremlins to be worked out and see what the press is like before committing yourself. This is the same even if you use an alternative browser; a surprising amount of internal Windows relies on Internet Explorer, not the least of which is Windows Update.
Of course, if you are configured for automatic updates then you will need to turn this off and set it for notify-and-manual-install for a while so you don’t wake up one day and find it has just happened.

Managing passwords

6 Oct 2006 14:21 by Rick

The prompt for this post came from an unlikely source: Taking passwords to the grave (via Bruce Schneier), which talks about the problem of accessing a person’s assets after they are gone. We will come to that at the end.

My problem was an ageing memory and dozens if not hundreds of passwords to remember together with other important information. This had to be kept securely but readily accessible, even when away from my desk. The solution I came up with is as follows.

  • Store all of the passwords and related information in a database. I chose one that is designed for the purpose and had a good encryption scheme. This is PINS. It is a freeware product which seems to have minimal support but it works well so no matter. The encryption is Blowfish and it comes with a useful random password generator.
  • Put the database and the software on a USB flash drive. To some extent this steers the selection of the software above because it has to be capable of running without being installed on the PC. It does however limit it to the Windows platform.
  • Take regular backup copies of the database. To do this I use “Pen Drive Manager.” This is not free but very low cost. What it does is every time you plug in your flash drive it synchronises it with a copy on the PC hard drive. I run a copy on my home machine and my office machine so I have two backup copies of the database at all times.

To run this successfully you must make sure that the database that you update is always the one on the flash drive so that it is the master copy. I install a copy of PINS on each machine for convenience but you don’t have to. Also you must have a good password for the encryption of the database. Once you have got it running, all you need to remember to do is update the database copy of the passwords when you change them in real life. Of course the password you cannot store on there is the password to the database itself. You don’t even have to remember the passwords to get into your own PCs because, if pushed, you can borrow someone else’s, plug in your flash drive and run the copy of PINS loaded on there.

If I forget my flash drive, firstly, PINS locks down after a few minutes so no one can access the database. Also I can still access the passwords on the other machine by pointing at the backup database. All I have to remember to do is not update anything and also switch it back to the portable copy as soon as possible. If I lose the flash drive completely then not only is it secure but I have all the information I need to recreate it.

You don’t have to just have passwords in the database. I have network configuration details, software activation keys, credit card numbers and PINs, web upload addresses, and any other information that I mustn’t forget. There are a couple of minor bugs in the software but nothing to stop me using it which I have for over two years now.

And back to the problem that prompted the post. Give your executors a copy of the database password, perhaps in a sealed envelope (and some instructions). This will give them access to all your other passwords and the further instructions and information on the database. That way, if you are lucky, your web site will be kept online containing your life’s work, they will be able to access your email and online banking accounts and anything else they need to manage your estate. Of course if you want to take anything to the grave with you, then keep the password somewhere else.
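An added example of the master-copy rule described above (this is not code from the post, nor from PINS or Pen Drive Manager; the file names, contents and timestamps are constructed): a Python sync step that refreshes the hard-drive backup from the flash-drive master but refuses to overwrite a backup that was edited after the master, so a password changed on the wrong copy is noticed rather than silently lost.

```python
import hashlib
import os
import shutil
import tempfile

def file_digest(path):
    """SHA-256 of a file, so copies are compared by content rather than by timestamp alone."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def sync_master_to_backup(master, backup):
    """Refresh the hard-drive backup from the flash-drive master.  Returns "created",
    "in-sync", "updated" or "conflict"; a conflict means the backup differs and was
    modified more recently, i.e. a change went onto the wrong copy."""
    if not os.path.exists(backup):
        shutil.copy2(master, backup)        # copy2 keeps the master's timestamp
        return "created"
    if file_digest(master) == file_digest(backup):
        return "in-sync"
    if os.path.getmtime(backup) > os.path.getmtime(master):
        return "conflict"                   # leave both files for a human to merge
    shutil.copy2(master, backup)
    return "updated"

def demo_sync_sequence():
    """Walk the four outcomes in a scratch directory (constructed files and times)."""
    workdir = tempfile.mkdtemp()
    master = os.path.join(workdir, "pins.db")
    backup = os.path.join(workdir, "pins.bak")
    states = []
    with open(master, "wb") as f:
        f.write(b"store v1")
    os.utime(master, (1000, 1000))
    states.append(sync_master_to_backup(master, backup))   # created
    states.append(sync_master_to_backup(master, backup))   # in-sync
    with open(backup, "wb") as f:
        f.write(b"edited on the pc by mistake")
    os.utime(backup, (2000, 2000))
    states.append(sync_master_to_backup(master, backup))   # conflict
    with open(master, "wb") as f:
        f.write(b"store v2")
    os.utime(master, (3000, 3000))
    states.append(sync_master_to_backup(master, backup))   # updated
    shutil.rmtree(workdir)
    return states
```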

Windows phone home

22 Jun 2006 15:13 by Rick

I meant to write about Windows Genuine Advantage communicating back to base every day when it was first announced, but first I wanted to check that blocking it did not hinder the monthly patch cycle—then I forgot. It happens a lot these days.

Anyway, the main problem was first reported at the beginning of the month. I blocked mine immediately and since then we have had Patch Tuesday and all went well.

As far as I can tell there is no need to allow WGA to contact the internet in its own right at all. It does its proper job via an ActiveX call from Windows Update which does the communication to verify that you have a good licence before allowing patch updates.

The sub-agenda function of sending a message back every day is not needed for anything so it is quite easy to block with an outgoing firewall like ZoneAlarm. Just look for the program under W and mark it forbidden for Internet. There is no need to use extra fancy programs like RemoveWGA.
