Today, my first eBook has launched!
I’m running a $10 off promotion to celebrate the launch until February 15th. Use code password123 at checkout.
Head on over to the LastPass Guide eBook Page.
If you’d like to help me out please share it!
Actually, it is nearly done! It’s exactly 128 pages. But I’m going to have to write one more page causing a buffer overflow!
Launch Date is set for: February 8th
I just finished the LastPass Guide Landing Page! This is the first landing page I’ve ever made so let me know in the comments if you have any suggestions.
Also if you haven’t read it yet, here is the original announcement about writing the LastPass Guide.
First Physical Prototype… I should note I’m not planning to sell physical copies, but I was curious what it would look like printed. If you do want a physical copy you can print it out and bind it yourself. Here is a prototype Kris made:
If you decide to print it out, please don’t print it in black and white. I did a lot of work to make this in full color, so please print it in color!
It’s been a lot of work–but the feedback from reviewers has been positive. I’m happy with the eBook and I know people who read it will benefit from it. It turned out a lot better than I had envisioned.
It’s been a fun project, once it’s out I’ll try to post a retrospective about the challenges, the process, what I learned and what I would do differently for the next book.
Here’s what I have left… hoping to get these finished up this weekend.
Well, that’s it for now.
I’m writing a book! I started around July and figured it would take between 6 and 12 months to complete. Turns out I made pretty good progress and will likely be finished in January or February. I plan to self-publish and sell it right here on b3n.org.
The book is called LastPass Guide (although I’m testing other titles), it is a step-by-step guide to teach people how to use the LastPass Password Manager. I’ve helped many people with LastPass and I know where most get tripped up–I often wish there was a guide I could point people at and I finally decided to write one.
It is simple enough that a non-technical person could pick it up and not only become proficient in using LastPass, but also have a good foundation in security best practices by the end. The book also covers security essentials, many of which I’ve seen cyber-security experts overlook. I’ve had a few tech professionals review the book and tell me they’re changing their security practices as a result.
If you’re interested in getting updates on the progress feel free to sign up for my newsletter. You’ll also get a sample download from the book.
The truth is I’ve never self-published, or published anything other than this blog, so I’m learning as I go. My to-do list is very different now than it was at the start. I’m also getting a lot of help and advice from books about self-publishing, and getting help from family and friends. I’ve even had Eli proofreading for me.
Progress (so far):
I’m targeting to release end of January or early February 2020.
LastPass is in a fairly unique position in that it is ubiquitous, fully featured, very well audited and monitored by security firms, has reasonably priced plans and security measures that make it acceptable for individuals, families, small businesses, and enterprises. Some reviewers have asked why I didn’t base the guide on KeePass. While KeePass may be more secure since it is offline, KeePass is missing four key features most people will want: A Dead Man’s Switch, Automatic Sync, Easy Browser Integration, and Sharing.
During pre-launch we will have early release pricing for a few days before it is released to the masses… the exchange for the discount is I want you to be watching for problems in the ordering process and let me know if there’s an issue.
No. While I am trying to learn some marketing strategies, I’m very much against marketing tactics designed to pressure people into buying before they’ve had a chance to think about it. Other than the initial launch I don’t see doing time-based promotions. I don’t ever want someone to buy a book at full price and then find out it’s on sale at half that price a day later.
Not at launch due to time constraints, but if there is interest I can set it up post-launch. Probably at 50/50 revenue sharing. Shoot me an email if you’re interested.
A couple of reasons:
1. I want buyers of the book to be my customers. When you sell on Amazon, buyers are not your customers. This is the main reason I chose to self-publish.
2. This book includes a lot of screenshots and graphics and Kindles are just awful at rendering those. How many times have you seen poor reviews on a great book because of the Kindle formatting issues? This book is much better as a PDF format where I have control of the formatting and design. This is not to say I’m not a fan of Kindles, this just isn’t the best book for it.
Just an eBook. That’s the best format for three reasons:
1. The thing with technology is things can change so I’d rather be able to send out updates as needed which you can’t do with a physical copy.
2. I’m not setup to do fulfillment. I’d have to charge something like $200 a book to make it worth the effort.
3. It’s easier to fix typos and mistakes with eBooks.
Yes, several posts are in the works, including my first guest post.
Dell Latitude E5450.
Well, that’s all for now. Hopefully I’ll have a progress update in January.
Phones depreciate in value fast: their useful life is shorter than their physical lifespan. Not because old phones stop working, but because manufacturers stop providing security updates after about 3 years (at best!).
You might be hacked now and not even know it.
Exploits like this are real. Vulnerabilities have been found in the past and exploited, and they will be found and exploited in the future. Some exploits require you to do nothing but receive (not even open, just receive) an SMS message, and then a hacker can do whatever he wants with your phone. He can install malware, use your phone to launch a DDoS attack against Krebs on Security, or spy on you (or your kids, if your kids have phones), activating the camera and microphone at will, listening in on your conversations and reading every message passing through the device.
The only protection against this is either (1) not have a phone (more secure), or (2) if you must have a phone, keep it up to date constantly (not as foolproof but would block all but the most sophisticated hackers).
One of the big problems with phones is security. For iPhones you get your updates through Apple. For Android things aren’t as clean. The Android OS itself gets security updates, but then it has to trickle down through the manufacturer (who often doesn’t provide an update) and then the carrier you bought the phone from.
To calculate the real cost of a phone, find out how long the manufacturer and carrier will support security updates for it. Divide the cost of the phone by the number of months of security updates left and that’s the monthly cost of the phone.
monthly cost = cost of phone / remaining life in months
cost of phone: $500
remaining life for security updates: 29 months
monthly-cost: $500/29 = $17.24
Oddly, the price of phones doesn’t usually drop that much after the 1st year even though they have lost 1/3rd of their useful life!
A lot of phone manufacturers / carriers don’t even provide updates to their phones. They’re unsupported from the moment you bought them!
For the sake of security, I only recommend two phone manufacturers. Google and Apple. Both have a track record of providing timely security updates. Google pushes out a security update every month and Apple doesn’t have a schedule but does a good job getting them out timely. I also only recommend Apple with the caveat that you trust them because it is a proprietary closed source OS. You are trusting them to do the right thing and have decent security.
Google stopped selling the Nexus, but they still have 2 years of updates left and are reasonably priced on Amazon.
Google Guarantees Security Patches on Nexus devices 3-years from the release date or at least 18 months from when the Google Store last sold the device (whichever is longer).
As of October 2016, here is the cost per month as I calculate it:
Nexus 5X – security updates until October 2018. $332. – 16GB.
Ben’s cost over remaining life: $332/24mos = $13.83/mo
Nexus 6P – security updates until October 2018. $450 – 32GB.
Ben’s cost over remaining life: $450/24mos = $18.75/mo
(If you get a Nexus, note that there are U.S. and International versions of the phone, if you live in the U.S. you’ll want the U.S. version).
Google has not committed to EOL dates on the Pixel line but if it’s similar to Nexus you’re looking at:
Google Pixel – $650 – 32GB – probably until October 2019
Ben’s cost over remaining life: $650/36mos = ~$18.06/mo
Google Pixel XL – $770 – 32GB – probably until October 2019
Ben’s cost over remaining life: $770/36mos = ~$21.39/mo
iOS is closed source so I consider it less secure and less open than Android, but they do a pretty decent job at keeping hackers out. Most compromises I hear about are through hooking your iPhone up to a service like iCloud and not the iPhone itself. I used to use an iPhone, but at the time it was the best phone (better than Blackberry). Now that we have Android I don’t see a huge need to use a closed proprietary system. However, it’s always good to have competition.
Here’s a comparison of iPhone models currently getting security updates with a guess of (but not guaranteed) security updates for 3-years.
iPhone 7 – probably until September 2019
Ben’s cost over remaining life: $650/35mos ~$18.57/mo
iPhone 7 Plus – probably until September 2019
Ben’s cost over remaining life: $770/35mos ~$22.00/mo
iPhone 6S – probably until September 2018
iPhone 6 / 6 Plus – probably until September 2017
iPhone 5S / 5C – probably until the next major iOS update
Mobile carriers typically install a lot of battery-sucking bloatware, which can’t be deleted, and often delay pushing out security updates by months, even years, leaving your phone vulnerable to hackers. Not only that, some of the extra software they install introduces vulnerabilities of its own.
Also, phones bought from a mobile carrier are usually locked to that carrier so you can’t switch to someone else without purchasing a new phone.
Having an unlocked phone, I avoid the main carriers and instead use MVNOs (Mobile Virtual Network Operators). These MVNOs use the same networks that Verizon, AT&T, Sprint, and T-Mobile have, but most often for a better price. For great service and prices I like Google Fi (Sprint & T-Mobile networks), Ting (Sprint or T-Mobile), and TracFone (Verizon or AT&T), and there are plenty of other MVNO operators to choose from. You can find one that offers the best plan for your situation. Using TracFone (which is a pre-paid service) we pay less than $10/month for a voice/data/text plan for a Nexus 5X on Verizon’s network.
I used to buy used phones off eBay to save money, but now I don’t think it’s a good idea with the recent USB firmware hacks and the amount of malware out there. Used phones are a security risk: you have no idea whether a used phone has been compromised, or whether it’s been plugged into a compromised USB device that rewrote its firmware. Physical security is paramount. To be safe, I always buy my phones new.
Think carefully before using your personal phone for work. If you connect your phone to work email it almost always gives your employer complete control of the device. They can wipe your phone when you leave, track your location, install software on your phone, and have access to all your personal data.
And similarly, if you put your personal information or your personal email account on a work phone your employer has access to that data.
Kris and I both use the Nexus 5X. I’ve reviewed the Nexus 5X here. I will likely replace them both when security updates go EOL which will likely be 2018. Pixel phones are bit expensive so I’m hoping they release some new phones on the Nexus line again next year.
So, you want to hide your email from the NSA’s prying eyes? It’s impossible… but here are some steps you can use to make it harder.
This isn’t theoretical. The NSA has and does intercept this traffic.
The NSA has unlimited resources to compromise your communications. You’re not going to stop them. But that doesn’t mean it should be easy. Below are the easy points of NSA interception. In this example of an email from Mom to Ben the NSA can intercept the email at Mom’s ISP, Mom’s email provider, Ben’s email provider, Ben’s ISP, and any internet hop in between.
I’m going to skip over a lot of important stuff, this guide is not intended for security experts or sysadmins of email systems and how to prevent downgrade attacks, etc. This is meant to be a post about what the average American should do to protect their emails.
Ensure your email client (e.g. Thunderbird) or browser is using a TLS connection to the server. If you’re using any major provider like Gmail, Office 365, etc. they will be enforcing TLS. All email providers should be enforcing TLS so if yours is not that’s a good sign you should be switching.
If using webmail your browser should show https. If using Thunderbird, set the connection security to STARTTLS or SSL/TLS (never “None”) for both the incoming (IMAP/POP3) and outgoing (SMTP) server.
Note, the entire CA (Certificate Authority) system is broken: the NSA could obtain a fraudulent certificate from a cooperative CA, perform a MITM attack, and still intercept the email, but now they have to put in some effort to do so. The point is that security comes in layers, and we need to start with the basics; we’ll get to more advanced security below.
In 2013 Google was outraged to find out the NSA was intercepting its server-to-server traffic. As a result Google started encrypting all internal traffic between its servers (good for Google). Most major email providers now encrypt server-to-server traffic. But the problem is that not all ISPs use encryption, and it doesn’t do much good to send an email from a secure service like Gmail to a small-town ISP that has no security whatsoever. Probably the best way to check is to enter a recipient’s email address here: http://checktls.com/ and if their email provider’s MX servers pass all the tests they’re probably secure.
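Here is an added example (mine, not from the original post or from any mail provider) of what a TLS check like the one above actually looks like at the protocol level, and why “the server offers STARTTLS” is not the same as “the mail was encrypted”. It parses a server’s EHLO reply for the STARTTLS keyword and then simulates the downgrade hinted at earlier: an on-path attacker simply removing that line. The EHLO replies are constructed sample data, the hostnames are placeholders, and the two delivery policies are my own labels.

```python
"""Detect whether an SMTP server offers STARTTLS, and show why that alone is not enough.

Added example, not part of the original post. The EHLO replies below are
constructed sample data, not captured from any real mail server.
"""
from __future__ import annotations
import re

# Constructed EHLO reply, modelled on what a large provider typically returns.
EHLO_WITH_STARTTLS = (
    b"250-mx.example.net at your service\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-8BITMIME\r\n"
    b"250-STARTTLS\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250 SMTPUTF8\r\n"
)

# Constructed EHLO reply from a small provider that never enabled TLS.
EHLO_WITHOUT_STARTTLS = (
    b"250-mail.smalltown-isp.example\r\n"
    b"250-SIZE 10240000\r\n"
    b"250 8BITMIME\r\n"
)

_LINE = re.compile(rb"^250([ -])(.*)$")


def ehlo_capabilities(reply: bytes) -> set[str]:
    """Parse a multi-line EHLO reply (RFC 5321 4.1.1.1) into its keyword set.

    The first line is the server greeting, not a capability, so it is skipped.
    Keywords are case-insensitive, so they are upper-cased here.
    """
    caps: set[str] = set()
    lines = [l for l in reply.split(b"\r\n") if l]
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"not an EHLO success line: {line!r}")
        if i == 0:
            continue  # greeting line
        keyword = m.group(2).split(b" ", 1)[0].decode("ascii", "replace")
        caps.add(keyword.upper())
        if m.group(1) == b" ":
            break  # "250 " (space) terminates the reply
    return caps


def starttls_offered(reply: bytes) -> bool:
    return "STARTTLS" in ehlo_capabilities(reply)


def strip_starttls(reply: bytes) -> bytes:
    """What an on-path attacker does: drop the STARTTLS line so the client
    silently falls back to plaintext (the classic STARTTLS stripping downgrade)."""
    lines = [l for l in reply.split(b"\r\n")
             if l and not l.upper().endswith(b"STARTTLS")]
    # Re-mark the final line with "250 " so the reply stays well-formed.
    lines[-1] = b"250 " + lines[-1][4:]
    return b"\r\n".join(lines) + b"\r\n"


def delivery_decision(reply: bytes, require_tls: bool) -> str:
    """Opportunistic TLS ("use it if offered") versus enforced TLS ("refuse otherwise").

    Only the enforced policy turns a stripping attack into a failed delivery
    instead of a silent plaintext send.
    """
    if starttls_offered(reply):
        return "send over TLS"
    return "refuse to send" if require_tls else "send in plaintext"
```

The interesting function is delivery_decision: under the opportunistic policy, which is what nearly all server-to-server mail uses, the stripped reply produces a plaintext send with no error at all, which is exactly the kind of interception point described above. Enforcing TLS to a given domain is what stops it, and that is what a tool like checktls.com is helping you decide whether you can safely do.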
Now, the NSA can still potentially intercept your emails at rest through a court order, through PRISM, or through hacking into ISPs. Your email should be encrypted not only in transit, but also at rest. The best way to do that is to encrypt it using OpenPGP. This means even if the NSA gets a hold of your email they can’t read it (at least not without spending some serious time and money).
PGP (Pretty Good Privacy) isn’t foolproof. It doesn’t encrypt the metadata (the NSA can still see that you sent me an email, they can see when you sent it and where you were) but it does encrypt the content.
How do you get OpenPGP? Right here: http://openpgp.org/software/ It’s free, open source, and there are plugins for just about everything. It works with webmail, Thunderbird, Outlook, etc. Check the link above for a complete list, but here are two common options:
Here’s a very quick getting-started guide for Mailvelope. If you’re not going to use Mailvelope the concept is pretty much the same no matter what plugin you choose: you’ll generate a public/private keypair, obtain the public key of the person you’re sending an email to, and send them an encrypted email.
Here’s a quick walk-through to set it up. After installing the plugin you should see this icon on the top-right in Chrome. Right-click on it and choose Options.
Next Generate a Key….
I should note that “Password” is traditionally called a Pass Phrase, it should be long, but you don’t ever want to forget it or you won’t be able to read any encrypted messages sent to you. I strongly suggest writing it down and keeping it someplace safe.
Now, to send an encrypted email to me, you’ll need to import my key. Go to “Import Keys”, type in my email address and hit search. You should click on the keyID: 13E708FC. A key will pop up; click on it to import my key. (A short key ID like this is not unique, so before trusting a key you found on a keyserver, compare its full fingerprint with one you got from the owner some other way.)
Now, you can send me an encrypted email. Go to compose a new email in Gmail. You’ll notice a button in the compose menu. Click the button.
Write me a message…
When you receive an encrypted email, it will look like this. Click on it and enter your passphrase to decrypt.
And there you have it. I wouldn’t say this is foolproof…. it doesn’t protect against a lot of other attack vectors…
But I say if the NSA is going to intercept my communications it shouldn’t be easy. I want them to spend some effort and money to do so.
For further reading I might suggest https://futureboy.us/pgp.html
The last few days I have been getting a lot of calls from “Unknown Caller” for which I didn’t pick up. This morning I got a call from a number in the 845 area code so I answered.
Hello, this is Dell support, we detected some malware activity on your computer.
The guy had all my information: my name, the phone number I gave Dell, and even knew the Dell model I had and about a tech support call I made last year to replace a bad motherboard. He even had an Indian accent just like Dell Support!
I can see how some people would fall for this. This is a “social engineering” scam: the caller talks the victim into going to a website to “scan your computer for malware”, which of course will report an infection (and may actually install malware). Then “Dell Support” will charge a fee to remove the malware that was just installed.
Since Dell isn’t as forthcoming as they should be, I thought I’d post this, because it’s obvious the hackers have been able to obtain data from Dell. At the very least Dell support data has been compromised which makes the scam sound more convincing.
One thing I am disappointed in is that Dell hasn’t told me that my information has been compromised, despite having been aware of a breach for the last 7 months! As far as I know Dell hasn’t made any effort to notify their customers of the attack. But they should.
Last year I started looking at 2FA (Two Factor Authentication) solutions and came across YubiKey which is a fantastic little device. I ordered a few NEOs to play with. There are several models, I opted for the NEO since it supports the most features and has an NFC chip that Android phones can use. It’s $50 on Amazon or can be ordered direct from the Yubico Store for $55.
YubiKeys purposefully have firmware that can’t be overwritten. The downside is it’s impossible to upgrade them when new firmware features become available, but the benefit is it’s more secure. So far Yubico has stood behind their product and done what’s right–last year a security issue was discovered with the Yubikey NEO’s OpenPGP card applet and Yubico issued free replacements to everyone affected.
A few things I wanted to try:
The rest of this post is sort of a guide on some of the things I’ve experimented with.
Open up the Yubikey NEO Manager, insert a YubiKey and hit Change Connection Mode.
All three modes need to be checked:
And now apps are available.
I followed a well written post: Securing Keepass with a Second Factor – Kahu Security but made a few minor changes. I think some of the options I used such as variable input were not working right when the above guide was written. The below is the configuration I used when testing. If you want more details and screenshots see the Kahu Security post.
Open the YubiKey Personalization Tool and program SLOT 2. If you might use YubiCloud in the future don’t reprogram SLOT 1, since that is where the factory Yubico OTP credential that YubiCloud knows about lives. There are two kinds of configuration to choose from. One (which I don’t want) is a counter-based one-time password: Yubico OTP or OATH-HOTP. Since I want to use multiple YubiKeys, a counter-based OTP will not work well because the counters on the different keys will drift out of sync with each other and with the verifier. I suggest using HMAC-SHA1 Challenge-Response instead: the program sends a challenge, and only a YubiKey holding the secret can compute the correct response. Because the response depends only on the secret and the challenge, not on a counter, every key programmed with the same secret gives the same answer.
Select Slot 2, if you want to be able to unlock Keepass with multiple YubiKeys then select those options and choose “Same secret for all keys” Generate the secret key, hit “Write Configuration” Then insert any additional YubiKeys to program them all with the same secret.
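To make the counter-sync argument concrete, here is an added example (my own, not Yubico’s or KeePass’s code) that models two keys programmed with the same secret under both slot configurations: counter-based OTP (HOTP as in RFC 4226, with its time-based variant TOTP for comparison) and HMAC-SHA1 challenge-response. The secret is the RFC test vector, the “YubiKey” class is a simulation, and the verifier’s look-ahead window size is an assumption.

```python
"""Why a counter-based OTP slot is awkward with several YubiKeys, while an
HMAC-SHA1 challenge-response slot is not.

Added example, not Yubico or KeePass code. The secret is the RFC 4226/6238
test vector; the YubiKey and verifier classes are simulations.
"""
import hashlib
import hmac
import os
import struct


def dynamic_truncate(digest: bytes, digits: int) -> str:
    """RFC 4226 section 5.3: take 31 bits at an offset chosen by the last nibble."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by elapsed 30-second steps.
    Time is shared by every device, so this variant has no sync problem."""
    return hotp(secret, unix_time // step, digits)


class SimulatedYubiKeySlot:
    """Models one programmed slot. A real slot holds exactly one configuration;
    this class can play either role so the two can be compared."""

    def __init__(self, secret: bytes):
        self._secret = secret   # never leaves the device on real hardware
        self.counter = 0        # only meaningful for the OATH-HOTP configuration

    def press_hotp(self) -> str:
        """Touching an OATH-HOTP slot emits HOTP(counter) and bumps the counter."""
        code = hotp(self._secret, self.counter)
        self.counter += 1
        return code

    def challenge_response(self, challenge: bytes) -> bytes:
        """HMAC-SHA1 challenge-response: stateless, same answer from every key
        programmed with the same secret."""
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class HotpVerifier:
    """Application side of HOTP with a small look-ahead window (window size is
    an assumption; real services pick their own)."""

    def __init__(self, secret: bytes, window: int = 5):
        self._secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self.counter = c + 1   # resync forward to the accepted counter
                return True
        return False   # behind the counter (already used) or beyond the window


def hotp_drift_demo(secret: bytes, presses_on_key_a: int):
    """Two keys share a secret. Key A is pressed N times and each code verified;
    key B, still at counter 0, then emits a code the verifier treats as a replay."""
    key_a, key_b = SimulatedYubiKeySlot(secret), SimulatedYubiKeySlot(secret)
    verifier = HotpVerifier(secret)
    a_ok = all(verifier.verify(key_a.press_hotp()) for _ in range(presses_on_key_a))
    b_ok = verifier.verify(key_b.press_hotp())
    return a_ok, b_ok


def challenge_response_demo(secret: bytes) -> bool:
    """Same two keys in HMAC-SHA1 mode: a random challenge gets identical answers
    from both, and nothing has to stay in sync."""
    key_a, key_b = SimulatedYubiKeySlot(secret), SimulatedYubiKeySlot(secret)
    challenge = os.urandom(63)   # YubiKey HMAC-SHA1 challenges are up to 63 bytes
    return key_a.challenge_response(challenge) == key_b.challenge_response(challenge)
```

hotp_drift_demo is the failure mode from the reasoning above: after key A has been used even once, key B’s first code is behind the verifier’s counter and is rejected as a replay, and the only fix is to press B repeatedly until it catches up. challenge_response_demo shows the HMAC-SHA1 slot has no such state, which is why it is the right choice for the KeePass setup that follows.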
Assuming KeePass 2 is already installed,
Grab the KeeChallenge plugin, install it by extracting the contents, including folders into the root of: C:\Program Files (x86)\KeePass Password Safe 2.
Download the Yubikey Personalization Tools (command line) for both 64-bit and 32-bit. Under ykpers-1.17.3-win32.zip/bin extract the .dll files to C:\Program Files (x86)\KeePass Password Safe 2\32bit overwriting any files, and do the same for 64-bit.
Once that’s setup create a KeePass database using YubiKey’s challenge-response as part of the composite master key.
Obviously save the secret to recover the database someplace safe in case the Yubikey(s) should fail or get lost. And once again, if you’d like more details or screenshots see the Kahu Security guide.
Also, this is easily setup in Linux. Using Ubuntu Gnome 16.04 Beta:
sudo apt-get install keepass2
sudo apt-get install libykpers-1-1
wget --content-disposition https://sourceforge.net/projects/keechallenge/files/latest/download?source=files
sudo unzip KeeChallenge_1.4_win.zip -d /usr/lib/keepass2/
(Although KeeChallenge doesn’t need it, I’ve found most plugins for KeePass2 on Linux need mono-complete installed or they fail to load with a plugin incompatibility error.)
With this method the database is encrypted with a composite key that includes the YubiKey’s response to a challenge stored in an XML file alongside the KeePass database. Only the YubiKey (or, of course, the recovery secret) can produce that response, and it does so without revealing the secret, so intercepting one response doesn’t let an attacker answer future challenges. The challenge/response changes each time the KeePass database is saved. An attacker who intercepted one challenge/response pair could only use it to decrypt that particular version of the database, not future or past versions, and only if he also obtained the rest of the composite key (such as the password). This isn’t foolproof, of course, and there are plenty of other attack vectors against which this offers no protection, but adding challenge/response to the composite key does add another layer of security.
I should note that if you’re using something like Dropbox, Google Drive, Syncthing, etc. to keep the KeePass database in sync across multiple devices, both files, the KeePass KDBX file and the corresponding XML file, must be kept in sync. The XML file is updated with a new challenge/response for the kdbx file on each KeePass save. An older version of the XML file will not open the latest kdbx file, and vice versa. Probably the only time the files would go out of sync is if changes to one file synchronized but you lost the connection before the other one was updated. It’s probably a rare event, but something to be aware of, and another reason to have decent, versioned backups and also a recovery key.
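Here is an added example (my own, not KeePass or KeeChallenge code) modelling the mechanics just described: the YubiKey’s response becomes one component of the composite key, every save draws a fresh challenge, a stale auxiliary file refuses to open the newer database, and the written-down slot secret still works as the recovery path. The container format, the SHA-256 keystream standing in for AES, and the JSON auxiliary file are deliberate simplifications of the real KDBX container and KeeChallenge XML, not their actual layout.

```python
"""Model of a YubiKey HMAC-SHA1 response as part of a KeePass composite key, and
why the .kdbx and its auxiliary file must stay in sync.

Added example, not KeePass or KeeChallenge code. The on-disk format is a
simplified stand-in (JSON + a SHA-256 keystream); it keeps the mechanics,
not the real format.
"""
import hashlib
import hmac
import json
import os
import secrets


class SimulatedYubiKey:
    def __init__(self, slot_secret: bytes):
        self._secret = slot_secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, response: bytes) -> bytes:
    """KeePass hashes each key component, then hashes the concatenation."""
    parts = hashlib.sha256(password.encode()).digest() + hashlib.sha256(response).digest()
    return hashlib.sha256(parts).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the demo: SHA-256 in counter mode, standing in for AES."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def save_database(entries: dict, password: str, yubikey: SimulatedYubiKey):
    """Every save draws a fresh challenge, so the response (and the derived key)
    changes each time. Returns (kdbx_bytes, aux_bytes)."""
    challenge = os.urandom(63)
    key = composite_key(password, yubikey.respond(challenge))
    plaintext = json.dumps(entries).encode()
    tag = hmac.new(key, plaintext, hashlib.sha256).digest()   # detects a wrong key
    kdbx = tag + _keystream_xor(key, plaintext)
    aux = json.dumps({"challenge": challenge.hex()}).encode()  # the "XML" file
    return kdbx, aux


def open_database(kdbx: bytes, aux: bytes, password: str,
                  yubikey: SimulatedYubiKey = None, recovery_secret: bytes = None) -> dict:
    """Unlock with the YubiKey, or with the written-down slot secret if the key is lost."""
    challenge = bytes.fromhex(json.loads(aux)["challenge"])
    if yubikey is not None:
        response = yubikey.respond(challenge)
    elif recovery_secret is not None:
        response = hmac.new(recovery_secret, challenge, hashlib.sha1).digest()
    else:
        raise ValueError("need a YubiKey or the recovery secret")
    key = composite_key(password, response)
    tag, body = kdbx[:32], kdbx[32:]
    plaintext = _keystream_xor(key, body)
    if not hmac.compare_digest(tag, hmac.new(key, plaintext, hashlib.sha256).digest()):
        raise ValueError("wrong password, wrong key, or aux file out of sync with database")
    return json.loads(plaintext)


def sync_scenario() -> dict:
    """Save twice; show that each .kdbx only opens with its own aux file."""
    slot_secret = secrets.token_bytes(20)   # what you write down as the recovery secret
    key = SimulatedYubiKey(slot_secret)
    kdbx1, aux1 = save_database({"site": "old"}, "correct horse", key)
    kdbx2, aux2 = save_database({"site": "new"}, "correct horse", key)
    results = {
        "matched": open_database(kdbx2, aux2, "correct horse", yubikey=key)["site"],
        "recovery": open_database(kdbx2, aux2, "correct horse", recovery_secret=slot_secret)["site"],
    }
    try:
        # The partial-sync case: new .kdbx arrived, but the aux file is still the old one.
        open_database(kdbx2, aux1, "correct horse", yubikey=key)
        results["stale_aux"] = "opened"
    except ValueError:
        results["stale_aux"] = "refused"
    return results
```

sync_scenario is the case to pay attention to: the newer database with the older auxiliary file derives the wrong key and is refused, which is precisely the situation a half-finished cloud sync leaves you in, and why a versioned backup plus the recovery secret matters.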
Keepass2Android can use challenge-response encrypted databases if YubiKey’s YubiChallenge app is installed. Open Keepass2Android, select “Password+Challenge-Response”, enter your master password and hit “Load OTP Auxiliary file…” which should open YubiChallenge. I think it may prompt for the auxiliary file the first time; if so, choose the .xml file with the same name as the KeePass database.
Swipe your YubiKey to unlock the database.
LastPass also supports Yubikey using OTP for the paid versions of LastPass. The YubiKey isn’t used as part of a master composite key to encrypt the password data like it does with Keepass, instead it’s only used to authenticate against the service.
Some services like Google, GitHub, etc. are starting to support FIDO U2F (Universal 2 Factor) auth. The main disadvantage I’ve found to this method is you need a backup method for logging in if you lose the YubiKey since you can (with the services I’ve tried) only associate one YubiKey with an account using U2F. That said it is very simple to use… and some services let you use OTP, an Authenticator or SMS as a backup which I think is reasonable. Typically after providing a username/password the service will have you insert your YubiKey to authenticate the user.
OTP Auth codes can also be stored using the Yubico Authenticator for Android (just swipe the key near your phone’s NFC antenna to get your auth codes) or the Desktop Authenticator (Win, Mac, or Linux).
Yubico Authenticator works like the Google Authenticator, but the auth secrets are stored on the YubiKey instead of the Android device. I like this because it means if my Android is dead I can just use another Android phone, or run the desktop authenticator app on a computer and insert the YubiKey. Password protection is also available to secure the auth codes adding one more layer of security.
I was able to get YubiKey to work with pretty much any service that works with the Google Authenticator. And I was also able to program the secret into multiple YubiKeys.
(Note that this is not supported by Battle.Net, use at your own risk).
I found a project called WinAuth and the latest BETA version is able to generate a virtual Battle.Net Authenticator.
Create the virtual authenticator…
Export the WinAuth config to a text file…
Copy the secret…
Add it to YubiKey and you’ve got a Battle.Net Authenticator! This should work with all the Blizzard games like StarCraft and WarCraft and whatever else they have these days. Register the device with Battle.net using the Serial number in WinAuth.
I also tried to emulate a Steam Guard Mobile Authenticator but it won’t work with YubiKey’s Authenticator out of the box–however, since the YubiKey Authenticator is open source I’m sure it would be fairly easy to implement for someone that has a bit of time on their hands.
I certainly haven’t explored everything that can be done with the device… it can store PGP keys and be used for SSH authentication, be used for PAM or AD authentication, etc. What I really like about Yubico is the devices are affordable, the company stands behind their product, the software is open source (with pages of projects on GitHub) and works on Linux, Mac, Windows, and Android making it a great cross platform solution. For people that use several different 2FA methods against a variety of services this single USB device will probably handle most, if not all of them.
Of course, 2FA isn’t going to make anyone immune to hackers, but it does add an additional layer of security on top of passwords.