Google 2-step verification – a usability note

Google’s two-factor authentication system (they call it “2-step verification“) is a good safeguard against online criminals hijacking your account.*

After enabling 2-step verification, whenever you login to your Google account (e.g. for Gmail) you get a text message on your phone. Unless you provide the numeric code of that text message to Google, you cannot access your account.

This is classic two-factor authentication in that it ensures

1. You know the password for your account and
2. You have your phone in your possession

As this would quickly get annoying for people who login/out of their Google profile all the time, there is an option to “Remember this computer for 30 days”. This means that Google will not require two-factor authentication for a month for that particular computer & browser if the user says so.

But how does Google know that this computer is one to be trusted? This information is stored in a cookie. To safeguard my privacy I always setup my browsers to delete all cookies (and LSOs). But this wipes out the Google cookie that “remembers” my machine as well, which means I am asked again and again for 2-factor authentication. This situation quickly gets annoying. Isn’t it possible to tell my browser (Firefox) to delete all cookies EXCEPT the necessary Google cookies every time it exits?

Luckily it is. You need the following settings in Firefox:

• Accept cookies from sites
• Keep until: I close Firefox
• Exceptions…: accounts.google.com – “Allow”

This is what your Firefox Preferences window should look like on Ubuntu Linux:

…and the exception window that does the trick – this is how the critical cookies from accounts.google.com will NOT be deleted. Instead they will be preserved across browser sessions and you will not have to do two-step verification every time you login to Gmail with computers you trust:

For Windows users, the same options work just fine – here is what the options window need to look like on Windows 7:

…and the exception rule:

Try it. Shut down Firefox, start it up again and have a look in the stored cookies from the main settings panel under Privacy -> Show Cookies. There should only be cookies from “accounts.google.com” and perhaps from your browser’s homepage there – nothing else.

You now have

• Better security of your Google account due to 2-step verification
• Better usability because you don’t need to perform 2-step verification all the time on your trusted computers
• Decent privacy & lack of tracking because Firefox deletes almost all cookies every time it exits.

This is the tip of the iceberg (think malware, LSOs, unique browser fingerprints etc), but hey, it’s better than nothing.

* Unfortunately it doesn’t really help when the attacker is the government. As Wikileaks and Privacy International have pointed out with the “Spy Files” project, when it comes to government surveillance Gmail users are screwed.

The financial services industry view on cybercrime

I recently attended Jim Oakes’ “Cybercrime, Global Underground Economy Developments and Challenges” talk. All the hype about his 30-year service for the police, anti-fraud teams, financial services organisations yada yada made me very sceptical to begin with, but the session turned into a quite useful overview of the (depressingly many) ways you can be ripped off by criminals while doing business with/through your bank.

…

I let this draft lie for a few months now, as I wasn’t sure how to digest the hordes of information in Jim’s presentation into a more friendly, easily digestable message. Shall we just say it’s pretty bad out there?

Practical advice:

• DO NOT use the same password for different websites. Use something like Oplop to generate passwords and a password manager to store them.
• DO NOT do eBanking from your smartphone just yet. I have some reservations about the iPhone, but Android phones can certainly currently not be trusted.
• If you need to do eBanking using a computer (laptop, desktop etc) then start the computer with a bootable CD or USB disk and then do your eBanking. Unless you are personally targeted by law enforcement or criminals, this should give you a computer you can trust. Don’t take my word for it – take Krebs‘ word for it. Computer security is in *such* a sad state.

The myth of the pimples-ridden malware author

Overheard in an Internet Cafe recently:

(guy storms in and purposefully walks towards the counter)

Distressed guy: “Hi, I have a virus on this USB stick and I can´t use it, can you clean it for me?”

Internet Cafe attendant: “…”

Distressed guy: “Look, I didn´t do anything funny, just because some little c*** has nothing better to do but write a virus I can´t access my files now!”

I take issue with this statement. It regurgitates the popular misconception that malware (also known as a virus, a worm, a trojan) is software written by someone who hates mankind. It is their effort to take blind revenge on the world, to mindlessly harm everyone for no real reason other than malice.

Er… no.

Malware takes effort to create. This means skill, patience, equipment and time. All this means money.

Slightly paraphrasing Mikko Hypponen, most malware is created for three reasons:

1. Money via criminal activities. See Peter Gutmann’s figures in his “The Commercial Malware Industry” from years ago to glimpse at just how much money is involved in this global underground market.
2. Idealism – which creates the composite term “hacktivism”. Groups like Anonymous fall in this category.
3. Control – this is state-level information warfare waged either against other nation-states or against the state’s citizens.

Some years ago, malware might have been an annoying prank of kids who had a gripe against the world.

This is no longer the case. Things are far more serious now.

How I managed to donate to OpenStreetMap

Using Internet cafe computers while travelling can be a proper nightmare. I know of people who got so fed up with fighting to clean their USB sticks from viruses all the time that they bought a netbook to use while travelling.

As I have been travelling by bicycle for a few months now, I am very careful about what I carry. Weight and space is at a premium. So I have tried as hard as possible to keep myself from buying a netbook to avoid using Internet Cafes. I am well aware of the risks I am taking, but for the time being I am still finding using Internet Cafes borderline worthwhile. It also helps that my trip will finish in less than 2 months so by this point the investment in a new netbook is just not worth it.

So I use Internet Cafes around Chile and Bolivia. I have seen a couple of well maintained machines (the pinnacle of which are the Ubuntu machines in Rancagua´s bus terminal!), but the overwhelming majority of them is in an appalling state. Illegal copies of Windows XP, not receiving updates, with illegal copies of antivirus software not receiving updates, etc etc… all wrong. Using such machines feels like digging with your bare hands in a patch of mud right after you have seen a flock of sheep relieve themselves on it.

Such a machine gave my USB stick a virus that hid my folders and replaced them with executables. It replaced folder icons with its own shortcuts to ensure you were tricked into executing it with your current privileges every time you wanted to access a folder on the USB stick.

Tricking the user into executing script by double-clicking on a "folder" icon

The antivirus software of public machines proved useless – it did not even detect anything. I had no idea what this virus (call it malware, call it trojan, I don´t really care exactly what genre it falls in) actually does. But I will assume the worst. It eavesdrops on my every keystroke, steals my passwords, my credit card information etc.

As it happens I really wanted to donate some money to the OpenStreetMap Hardware Upgrade Fund, but I didn´t want to jeopardise my credit card information. I needed to use a computer I could trust not to steal my credit card information. Here is how I created one:

1. I found a computer with what seemed like a decent Internet connection with Mozilla Firefox installed. On Firefox, I installed my favourite download manager as an extension – DownThemAll!. Great, I can now make massive downloads easily.
2. I downloaded the latest Ubuntu ISO file with DownThemAll. It´s a large file (700MB) so a download manager is necessary – otherwise you run the risk of the download hiccuping and getting corrupted if the network link goes down for a few seconds. It can also be faster to use DownThemAll, as it downloads multiple segments of the file at the same time.  After a couple of hours I had an Ubuntu ISO file on the (probably infected with malware) computer I was using.
3. I then created a bootable Ubuntu USB drive following the instructions on http://www.ubuntu.com/download/ubuntu/download . Unfortunately this did not help my cause because the public computers I could reboot and attempt to boot from USB where so old that they did not support booting from USB! (we are talking 2003-era hardware, not exactly top-end for its time either…) So my only remaining option was to burn the ISO to a CD. I bought a blank CD and burned the ISO on it, and then booted one of the computers I had access to with the CD.
4. Success! I was now booted into an operating system I could trust not to be infected, since Windows viruses on the computer cannot jump into the Ubuntu Linux environment started from a CD. I was able to simply open a web browser and provide my credit card information for my OSM donation in confidence.

So there you have it. If you are travelling and concerned about your passwords or other sensitive information (and you should!) this is a method of getting a system you can trust. It does suppose that you have access to a computer you are allowed to restart and boot from removable media, but hotel/cafes around Chile seem to be quite laissez-faire about allowing people to restart their computers.

SMS 419 scams

I recently received my first SMS scam message on my ancient mobile phone:

From: +447549354914
FREE MSG: Our records indicate that you may be entitled to £3350 for the accident you had. To apply free reply CLAIM to this message. To opt out text STOP

Do not reply to such messages. Just delete them.

The +44 prefix looks like it originates from the UK (where I live, therefore local number, therefore safe) but it’s actually a “personal number” that could be routed anywhere in the world, incurring high fees even for a simple SMS reply.

More examples of such scams in this F-Secure weblog post.

MBNA: Not responsible for viruses

“You just need to read and accept these terms…” but golly, don’t scroll down and actually read what’s in there:

“MBNA accepts no responsibility for any damage caused by viruses contained within the electronic files at this website.“

Sometimes companies go the extra mile to truly make you feel like a “valued customer”. Well done, Bank of America.

How much Java do you need?

Sun Oracle has been giving us a few reasons to get rid of the Java Runtime Environment (JRE) from end-user machines for a while now.

I’ve been struggling with this decision, as I need Java for my favourite mind mapping software but I don’t want it to be used against me by Internet criminals.

My initial reaction was to remove Java completely and just keep the installation package around, for whenever I needed to do mind mapping. This soon got ridiculously cumbersome, so I’m now on to the next model:

Keep Java for local use, but disable Java for the browsers.

This still allows local applications to use Java, but stops Web-borne remote exploits from being delivered to my machines.

First of all: Get the latest Java

First things first. Always ensure you run the latest software. Visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that you have the latest version (currently 1.6.0_24)

If you haven’t got the latest version, download and install it from http://www.java.com/

Then verify that auto-update it turned on and frequent enough. For Windows users, go to Control Panel -> Java. Switch to the “Update” tab of the window that comes up and then click the “Advanced…” button. This should show you something like this:

The default is to check for updates once a month, which is a bit pathetic. Change this to weekly at the very least, or daily if you’re serious about your computer’s security:

Then click “OK” to save & close this dialog and “OK” again to save & close the Java settings window.

Now, onto the browsers:

Firefox 3.x

Go to Tools -> Add-ons and you see something similar to this:

Click on “Disable” for both Java extensions, to get this result:

Don’t restart Firefox just yet! Now, onto the “Plugins” tab of the same window:

Click on both Java entries and on the corresponding “Disable” button of each entry, until the window looks like this:

Now it’s time to hit that “Restart Firefox” button in the Add-ons window to restart your browser.

After you’ve restarted, visit http://java.com/en/download/installed.jsp?detect=jre&try=1 with Firefox to verify that Java is disabled.

You should get the following result:

Congratulations – Java has been disabled in Firefox!

Note: Some people may point out that using the NoScript plugin achieves the same goal in a more elegant way – i.e. it allows one to selectively allow the execution of Java code in Firefox. The problem here is that NoScript works on the premise that websites you trust will not deliver malicious code to your machine. Unfortunately there are reports that claim that up to 75% of websites serving malicious code are legitimate websites that have been compromised. Add to that the fact that malicious code can be delivered to your machine through ads served from trusted domains like google.com and yahoo.com.

The only way of protecting against this headache is really to keep all browser plugins updated and disable the ones you don’t absolutely need. Java is not the only culprit here, Adobe’s PDF reader and Flash plugin, as well as Microsoft’s DirectShow and Media Player are also repeat offenders.

Internet Explorer

If you’re forced to use Internet Explorer (e .g. because some luminary in your organisation had the brilliant idea that the “free” SharePoint server was a good developing platform for your corporate websites…), follow these steps:

First, make sure you have the latest version of the browser. Microsoft itself is begging people to stop using IE6, as it’s an open window for remote control of your machine by criminals. Download and install the latest version of IE.

Now, let’s disable Java in Internet Explorer:

Go to the menu “Tools” -> “Manage add-ons”.

(this example is from IE version 8 on Windows XP, your version might be slightly different)

In the “Manage add-ons” window, select “Show add-ons” on the left hand side pull-down menu:

Now you can see all Java add-ons listed. Select each of them with a single click and hit the “Disable” button:

The final result should look like this: (all Java add-ons disabled)

Now click the “Close” button on the bottom right and close your browser.

Annoyingly, I’ve found it necessary to also disable the Java plugin from the Java Control Center – as disabling it from IE only seems to not be enough…

Go to Control Panel -> Java and then to the “Advanced” tab. Make sure the options look like below:

Save & close with “OK” – you will get a popup similar to this:

Click OK and then fire up Internet Explorer to visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that Java cannot be executed in IE.

You should get one or more of the following popups:

(this means you disabled the add-on in IE but not in the Control Panel. Unfortunately this seems to result in Java code somehow getting executed regardless!)

(surreal web page, telling you both that Java *is* and *isn’t* working, but there you have it)

If you’ve disabled everything appropriately you should see the following:

Clicking “OK” will eventually land you in this page:

…which is lying to you. You don’t have an old version of Java. You just have a disabled installation.

If you need to use Java for local applications, that’s the best place to be.

Otherwise, if you’re tired with all this faffing about, just uninstall Java completely to get it over with and have one less thing to worry about.

How difficult can Denplan make it for customers to protect their personal information?

It turns out the answer is “quite”.

Consider the following gem from the “corporate claim form” – this is a piece of paper you have to sign and send to Denplan if you’ve had treatment and are claiming back the costs, as covered by your corporate dental insurance:

(Click the image for a larger version)

This is how I understand this part (let’s call it “Part 1″):

• As long as you use our services, we’ll send your personal information to anyone we like.

Reading on, we reach Part 2:

(again, click on image for larger version)

Here we are told: “You may be contacted by phone, telephone or electronically if appropriate. If you DO NOT wish us to do this please tick below as appropriate.”

This is how I understand this:

• Ticking below will stop us from contacting you.

And then, the million-dollar statement:

“Denplan Limited may send you details of other products and services.”

The way this is phrased, putting a tick right next to it directly implies “YES, you may”! Even though the sentence above implies the exact opposite.

The lunacy continues with Part 3:

(click on image for larger version)

This part says “To enable them to send you details of their services we may also share some of your details with other AXA group companies based within the European Economic Area [TICK?] and with other carefully selected companies based within the European Economic Area [TICK?]“

Again, it’s not clear how the customer can indicate “No, I don’t want my details shared with others!”, as both phrasing and intuition say “don’t tick here”, but the instructions tell you to “tick as appropriate if you don’t want this to happen”.

Absolute rubbish. Certainly a strong candidate for the Plain English Campaign‘s Golden Bull Award.

If you’re a Denplan customer, I’d suggest writing to them to point out this gobbledygook and get it fixed.

It’s a simple web page!

No it’s not.

Most pages on the web nowadays:

1. draw content from multiple sources
2. execute programs (scripts) on your computer, also from multiple sources

What does this mean for you?

Well, for starters it’s important to leave behind the misconception that a web page is a simple thing. There is usually a lot going on in the background that you don’t see. But it’s there. This is how online advertising revenue is generated, and how “advanced” online services operate.

It’s also important to realise that “trust” is a very thorny issue. Visiting the website of (for example) National Geographic shouldn’t be an issue – I mean they’re a respectable business, right? But hang on, on closer examination, look what happens when you visit a single page:

All of a sudden it’s evident that this web page, hosted on nationalgeographic.com  is requesting content from EIGHT (8) different domains, not all of which have an obvious relevance to the web page you are trying to see.

Do you know and trust all of them?

Further, aggregating content from many different domains in one web page usually translated to executing code in your browser, on your computer, from all those different domains you had no idea you were communicating with!

In summary:

All you did was request to see a web page from nationalgeographic.com – which you trust.

Subsequently, and without your express permission or knowledge, your computer was instructed by nationalgeographic.com to download content from virtualearth.net, zozi.com, google-analytics.com, 207.net, quantserve.com, dl-rms.com, imrworldwide.com and ngeo.com.

Your computer also downloaded and executed programs (scripts) from the following domains: googleadservices.com, google-analytics.com, 2o7.net, quantserve.com, virtualearth.com, dl-rms.com, scorecardresearch.com, and doubleclick.net.

I’m only aware of this carnage because of two Firefox addons I use: NoScript and RequestPolicy. But they’re cumbersome to use and require constant adjustments.

Have that in mind next time you catch yourself thinking “I’m safe online because I don’t visit random websites”.

Here come the “smart” phones

I’m very glad someone took the effort to prove this can be done, for all the denialists and optimists-to-the-point-of-criminal-negligence out there to get a grip:

“A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers – typed or spoken – and relaying them back to the application’s creator.”

Source: ThinkQ article

This means that installing a single malicious “app” for your smartphone can turn it into the ultimate tool to steal any of your confidential information. Notice that anything you *say* over the phone is also suspect.

Blog post by Bruce Schneier with good links here.

The funny part with this is that the optimists will say “yeah, but it needs user permission!”, as if they know exactly where each and ever piece of software they installed on their computer/phone came from. Or as if automated remote installation of smartphone apps will not come knocking on our doors as it did for personal computers.