Archive for the 'Security' Category

I have a new post up on Makeuseof regarding Firefox add-ons for privacy and security. Maybe you won’t use all of them, but even installing some of them (NoScript in particular) can really lower your chances of getting hit with a JavaScript exploit.

As soon as I heard PayPal would be offering a $5 Security Key for additional security while logging in, I jumped on it. A few days later, it arrived in the mail. It’s a great idea, but I decided that carrying a little secure key that generates special numbers for the 3 times a month I login to PayPal just wasn’t worth it.

For the uninitiated, two-factor authentication is when two separate methods are used to verify an identity: for example, a thumbprint and a codeword, or an eye scan and a smart card. The most useful, in my opinion and many others’, is a one-time password token like the PayPal/Verisign security key. This device, which is meant to be carried with you at all times (it belongs on your keychain, in your pocket like any other key), generates a series of numbers that depend on the current time. This number, combined with your password, is a much more secure way of proving that it is really you logging into PayPal, and not some guy across the world who happened to guess or phish your password.
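
How a time-based token like this produces and checks its codes, as an added example that is not from the original post and not the VeriSign VIP credential's own algorithm (the page does not document it): an RFC 6238 TOTP generator with the server-side checks that matter, a one-step clock-drift window and rejection of replayed codes. The shared secret, 30-second step and six-digit length are assumptions.

```python
import hashlib
import hmac
import struct
import time

# Added example (assumed RFC 6238 TOTP; the VeriSign VIP token's exact algorithm
# is not documented on this page). Token and server share a secret; each derives
# the code for the current time step, so a phished password alone is not enough.

STEP = 30      # seconds per code (assumption; a common token setting)
DIGITS = 6     # digits shown on the token (assumption)

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Code the token displays at unix_time: HMAC-SHA1 over the step counter, truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Server side of the login: accept the current step or one either side
    (clock drift between token and server) and never accept a step twice,
    so a code captured in transit cannot be replayed."""

    def __init__(self, secret: bytes, skew: int = 1):
        self.secret = secret
        self.skew = skew
        self.last_step = -1    # highest step already used for a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for step in range(now - self.skew, now + self.skew + 1):
            if step <= self.last_step:
                continue                       # already consumed: replay attempt
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_step = step
                return True
        return False

if __name__ == "__main__":
    secret = b"12345678901234567890"    # RFC 6238 test-vector secret, not a real credential
    print("code right now:", totp(secret, int(time.time())))
```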

OpenID is a relatively new technology where you store your personal information at a site called an OpenID provider, and other sites authenticate you against that site. You then tell the OpenID provider that it is OK to let your target website use your information and rely on the provider to authenticate you. After that, when you want to log in to the target site, you just need to be logged in to your OpenID provider. Maybe this video will clear things up for you.

Some popular OpenID providers are MyOpenID, Verisign Labs PIP, and many, many more. I personally use Verisign Labs PIP, simply because I trust Verisign, an established security company, more than many of the other ‘mom and pop’ websites that have all of a sudden become OpenID providers. Call me elitist if you want, but that is just how I feel.

So, good idea in theory, but I had one pretty big reservation about it. What if someone was able to get your OpenID username and password? All of a sudden they have access to ALL of the websites you use OpenID with, and you are worse off than if you had just used separate usernames and passwords for each one. You do use different passwords for your website logins, right?

So, just today, I thought to myself: wouldn’t it be great to be able to use that Verisign-branded PayPal Security Key with my Verisign Labs PIP account? Lo and behold, a Google query later, I find out that they are one of the only OpenID providers to offer two-factor authentication, and that my old PayPal Security Key works with it! Bingo!

I didn’t really find too much information online about how to hook the two up, so I thought I would put up an explanation to help others realize the security that this provides them.

1. Get a PayPal Security Key

All you need to do is go to the PayPal Security Key Website, sign in, and place an order for it. A few days later you get a little package with your key, and then you can feel special too.

2. Login or Create an Account at Verisign PIP

The Verisign Labs PIP website has all of the information you need for signing up. Go through all of the steps needed to activate your account before proceeding to the next step.

3. Add your Security Key Credentials to your account.

Go to the “My Account” page, and at the bottom there is a section that says “VIP Credential”.

You will then be asked to enter the credential ID (the letters and numbers printed on the back of your key) and also to push the button to generate a one-time password.

Click add, and you are done!

Next time you log into your OpenID at PIP, you will see the following challenge after you enter your username and password:

At this point, you might be asking what happens if you don’t have your Security Key with you. Well, there is an alternative: they will send you a one-time PIN either to your cell phone via text message or to the e-mail account you have on file with them.

This ensures that even if you don’t have your key with you, access to your websites can still be had. Just make sure your e-mail password is different than your OpenID password!

As an added bonus, they offer a Firefox plugin called “Seatbelt” that automatically fills in your OpenID location for you on sites that support OpenID. It’s nice not to have to remember your OpenID URL, which is username.pip.verisignlabs.com. It’s not overly difficult to remember, but they definitely could use a catchier URL.

So that is about it - with these two things, you should be sailing along with OpenID using two-factor authentication and minimal effort and money spent!

Found an encyclopedic list of “stupid” .htaccess tricks. Includes many useful ones such as being able to stop hotlinking of images and replacing with your own, increasing speed and security and general good-to-know htaccess information.

Stupid htaccess tricks

If you are a system administrator, you should dread any time you use the normal “ls” command and receive a strange error in return. That is a sure sign that your machine has been hacked and ls has been replaced by an unknown program. Gnist blog has a nicely written step-by-step list of what you can do to track back an intruder.

In his case it sounds like the original owner of the machine may have used a weak root password, allowing someone to crack it and break into the box. People, don’t forget to use a password that is hard to brute-force, and disable root logins altogether. Instead, use normal users and sudo.

Finally, if you are doing this in a legal setting and preparing for a possible future court case, don’t forget to make an image of the drive (using dd or Norton Ghost) before your analysis; otherwise the intruder can get your evidence thrown out.
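
Two checks that fit the situation above, as an added example (not from the Gnist post): a hash baseline that flags a replaced ls by its digest rather than by an odd error, and a dd-style imaging routine that hashes both the source and the copy so the image can be shown faithful. File paths and the baseline location are assumptions; the demo builds its own temporary files.

```python
import hashlib
import json
import os
import tempfile

# Added example, not from the Gnist post; store the baseline and this tool off the host (root can alter both).

def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so whole disk images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def make_baseline(paths, out_file):
    """Record each file's digest while the box is still known-good."""
    baseline = {p: sha256_of(p) for p in paths}
    with open(out_file, "w") as f:
        json.dump(baseline, f)
    return baseline

def verify_baseline(baseline_file):
    """{path: 'ok' | 'changed' | 'missing'}; a swapped-out ls shows up as 'changed'."""
    with open(baseline_file) as f:
        baseline = json.load(f)
    return {p: "missing" if not os.path.exists(p) else
            "ok" if sha256_of(p) == d else "changed" for p, d in baseline.items()}

def image_device(src, dst, chunk=4 << 20):
    """dd-style block copy; returns (source_digest, image_digest) to file with the evidence."""
    src_h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            fout.write(block)
            src_h.update(block)
    return src_h.hexdigest(), sha256_of(dst)    # hash the copy independently

def demo():
    """Constructed scenario in a temp dir: a clean ls, a baseline, then ls swapped out."""
    d = tempfile.mkdtemp()
    ls, base = os.path.join(d, "ls"), os.path.join(d, "baseline.json")
    with open(ls, "wb") as f:
        f.write(b"#!/bin/sh\necho real\n")
    make_baseline([ls], base)
    with open(ls, "wb") as f:
        f.write(b"#!/bin/sh\necho trojaned\n")        # the intruder's replacement
    src_digest, img_digest = image_device(ls, os.path.join(d, "ls.img"))
    return verify_baseline(base)[ls], src_digest == img_digest
```

Run the baseline step once on a freshly built host and again from rescue media when something looks wrong; the image digests go into your notes alongside the copy.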

Some other security resources:

If you are a Google user - meaning Gmail, Google Docs, Google Calendar, Google Reader, etc. - then you should know that by default, once you log in, your sessions are typically not encrypted between your browser and Google’s servers.

For some more technical information on this, check out dmiessler’s post on the subject.

He mentions using bookmarks to force your browser to use Google’s secure connections; however, I’ve noticed that occasionally, depending on how you arrive at your Google services, you will switch to an unencrypted session without warning.

For that reason, if you are using Firefox and Greasemonkey, I highly recommend installing the “Google Secure Pro” userscript. It automatically switches you from http:// to https:// to ensure your data is encrypted on its way to Google’s servers. This greatly improves your security compared to the unencrypted connections, which matters if you transfer confidential data over e-mail - like most normal people do!

The situation is: you have a web application or URL for which you would like to force your users (or yourself) to use the secure https protocol rather than the unencrypted http protocol. This is easy to do with Apache and .htaccess.

Create or add to the .htaccess file in the root of the web directory you would like to force redirect for. Add the following lines:

RewriteEngine On
# Only act on requests that did not arrive over TLS
RewriteCond %{HTTPS} off
# Permanent redirect to the same host and path over HTTPS; L stops further rule processing
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This says that if HTTPS is off, send the browser to the same location over HTTPS instead. One caveat: if TLS is terminated in front of Apache by a load balancer or proxy, %{HTTPS} is off even for secure requests and this rule would redirect forever; in that setup, condition on the X-Forwarded-Proto header instead.


I’ve been using the VPN Software Hamachi for several years now and thought I would share my experiences with it.

Before being purchased by LogMeIn, Hamachi was a smaller company that designed this great software. It is now offered in two versions, the free “Basic” version and the paid “Premium” version. The premium version currently costs around 3.25-4.95 a month, depending on how many licenses you need and how much you pre-pay.

The free version gives you basic VPN connectivity and allows you to control smaller networks which is great for your own personal secured network. There are some pretty cool features in the “Premium” version - to see all of them click here.

The idea is that you install Hamachi on each of the PCs you would like to connect to your VPN. In my case, I have my home PC, my home file server, my work PC and my laptop all connected. The great thing about Hamachi is that you are not limited to Windows machines - my file server is Linux and works great with Hamachi. It officially supports Windows, Linux, and OS X, so you could install it on your Mac as well.

Once Hamachi is installed, follow the directions for setting up each client. With the first client you set up, you will want to create a new network that will include all of the personal PCs you wish to connect. Each client you add after that needs to be joined to this network so they can all talk to each other.

After all computers are connected to the network, you have your VPN up and running. It works just like any VPN - those IP addresses can be accessed just as if the PC were on your local area network.

So, what does this mean? You can map a network drive to be a local drive, which is actually being served off of your VPN. You can connect to VNC using this IP address - which is a secure way to do this so all of your traffic is encrypted over the internet. You don’t have to worry (as much) about sending information over the internet in plain text. I even have my media server connected so that I have my entire music library available through the program of my choice (MediaMonkey).

So if you haven’t tried it already, give Hamachi a try!


When you generate a key pair in SecureCRT, it generates it in this format:

---- BEGIN SSH2 PUBLIC KEY ----
Subject: dave
Comment: "something"
ModBitSize: 1024
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDQNXZosE8eAu6t9dsznpimQAXdaqkSmgKAgZ4+
gP9tW/j+wKtsEOBGasp4/AQu89Avscku+zp6lEuy9PCtBt03IdaQwls9GBl67EUzrKM
3NLNscuCt/LAsdjHfjvBL4q0Oh+MsHu0c6G6ltICqYmvAHYNAYBoPJv+0RMvxPdoNQ==
---- END SSH2 PUBLIC KEY ----

This key is fine, but if you run a Linux server such as CentOS, RedHat, Fedora, or many others that use OpenSSH for their sshd, then this key does not work in ~/.ssh/authorized_keys. To convert it to the one-liner OpenSSH needs, first upload it to the server. Either cutting and pasting into your text editor of choice or uploading the file directly will work.

Then run the following command to add this key file to your authorized keys:

ssh-keygen -i -f /tmp/identity2.pub >> ~/.ssh/authorized_keys

You can then log in using your private key.

Here is the switch we are using:

-i Convert IETF SECSH to OpenSSH key file.
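
What ssh-keygen -i does with the public key above, written out as an added example (not the author's or OpenSSH's code): a parser for the RFC 4716 block SecureCRT emits that produces the one-line authorized_keys form. The sample key blob is constructed, not a real key.

```python
import base64
import struct

# Added example, not from the original post: the public-key half of what
# "ssh-keygen -i" does, so the RFC 4716 (IETF SECSH) format is visible.

# Constructed sample blob: type string "ssh-rsa", then exponent and a toy
# modulus as SSH mpints (not a real key; only the framing matters here).
SAMPLE_BLOB = (b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01"
               + b"\x00\x00\x00\x05\x00\xc0\xff\xee\x01")

def secsh_block(blob: bytes, comment: str, width: int = 70) -> str:
    """Wrap a blob in the SecureCRT-style RFC 4716 envelope (builds sample input)."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\nSubject: dave\n"
            f'Comment: "{comment}"\nModBitSize: 1024\n{body}\n'
            "---- END SSH2 PUBLIC KEY ----\n")

def secsh_to_openssh(text: str) -> str:
    """Turn an RFC 4716 block into the one-line form authorized_keys expects."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    headers, body, i = [], [], 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("----"):                 # BEGIN / END marker lines
            i += 1
            continue
        if not body and ":" in ln:                # headers precede the base64 body
            while ln.endswith("\\") and i + 1 < len(lines):   # backslash = continued
                i += 1
                ln = ln[:-1] + lines[i]
            headers.append(ln)
        else:
            body.append(ln)
        i += 1
    blob = base64.b64decode("".join(body))
    (n,) = struct.unpack(">I", blob[:4])          # first wire string names the key type
    key_type = blob[4:4 + n].decode("ascii")
    comment = ""
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() == "comment":
            comment = value.strip().strip('"')    # SecureCRT quotes the comment
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()

if __name__ == "__main__":
    print(secsh_to_openssh(secsh_block(SAMPLE_BLOB, "something")))
```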

Google Secure

For Firefox and Opera only: use the Google Secure Pro Greasemonkey script to force these Google programs to use SSL in your browser. It changes any access via http to https wherever Google supports it, which secures the connection between your browser and Google’s servers.

If you do any type of work using Google’s services where private data is exchanged, I would highly recommend this greasemonkey script to secure your communications!

If you have ever run a blog, forum, or any other interactive site on the internet, then you probably already know about the great spam problem out there. Not only do spammers bug us over e-mail, but also on interactive forms, where they post false topics, comments or replies whose sole intent is to promote a website or to get Google to rank a website higher in its search engine.

Stopping automatic registrations is easy enough. You can use a CAPTCHA to make sure a remote user is a human. Also, confirming that an e-mail address is valid will pretty much ensure that only humans register on your site.

But what about the person who is sitting at their computer, registering on your site by hand and submitting spam in an input area? It is hard to tell whether a person is spamming even when you are manually policing your site; imagine how a server would try to determine this.

The only sure-fire way I have found of keeping manual spammers out of your forum is a three-step process:

  1. Use CAPTCHA to ensure remote user is human
  2. Confirm E-mail Address before allowing posting of comments/topics
  3. Refuse to post links from users under a certain number of posts

This way, spammers would need to invest quite a lot of time in a forum if they wish to spam it. The general idea is that if a spammer needs to spend too much time working at one location, they will move on to another site. Some administrators also think that adding a NOFOLLOW attribute to the links of all users who do not have a certain number of posts helps as well. However, this still allows the posting of nefarious links.

An alternative to the “no link rule” is using a service to check all posted links and see if they match links that spammers have been reported as using. WordPress’s Akismet uses this approach very successfully. However, in this case you need to rely on a third-party system to filter spam messages. Other blogs rely on plugins to perform these same tasks.
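
The three rules and the nofollow compromise as a post gatekeeper, added here as an example (not code from the original post): it refuses links from accounts below a post count, marks links rel="nofollow" for accounts below a higher count, and rejects links matching a list of reported spam hosts in the spirit of a link-checking service. Thresholds, the user record and the host list are assumptions.

```python
import re

# Added example, not the post's own code. Implements rule 3 above (no links until an
# account has enough posts), the "nofollow" compromise some admins use, and a
# reported-spam-host list like the one a link-checking service maintains.
# Thresholds, the user record shape and the host list are assumptions.

LINK_RE = re.compile(r"""(?ix)
    https?://\S+                              # plain URLs
  | \bwww\.\S+                                # www.example without a scheme
  | \b[\w-]+\.(?:com|net|org|info|biz)\b      # bare domain names
  | \[url[=\]]                                # bbcode [url=...] or [url]...[/url]
  | <a\s                                      # raw HTML anchors
  | \b\w+\s*\(?dot\)?\s*(?:com|net|org)\b     # "example dot com" obfuscation
""")

def find_links(body: str) -> list:
    """Every link-like fragment in a post body, in order of appearance."""
    return [m.group(0) for m in LINK_RE.finditer(body)]

def moderate_post(user: dict, body: str, link_min_posts: int = 10,
                  trusted_posts: int = 50, spam_hosts=frozenset()) -> tuple:
    """Return (decision, body): 'reject', 'allow', or 'nofollow' (links kept, marked)."""
    if not user.get("email_confirmed"):
        return "reject", body                       # rule 2: unconfirmed accounts cannot post
    links = find_links(body)
    if not links:
        return "allow", body                        # link-free posts are never the problem
    if any(host in link.lower() for link in links for host in spam_hosts):
        return "reject", body                       # link matches a reported spam host
    if user["posts"] < link_min_posts:
        return "reject", body                       # rule 3: too new to post links
    if user["posts"] < trusted_posts:
        body = re.sub(r"<a\s+(?![^>]*\brel=)", '<a rel="nofollow" ', body, flags=re.I)
        return "nofollow", body                     # search engines will not credit the link
    return "allow", body
```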

Does anyone have other methods they like to use to defuse spammers?

  • Welcome to systemBash, a technology and system administration blog by David Drager. If you enjoy this sort of content, you can subscribe to the RSS using the link to the right.