I’ve had two factor for gmail enabled for two years. This morning, I set up two factor for github. Due to Heartbleed (check if sites you use are affected), I checked who else permits two factor to revisit what I should turn on. Twitter has its own post because it didn’t go smoothly like the others did.
I had originally decided not to turn on two factor for sites that don’t provide an app as I prefer not to get texts. However, I notice they only text you when you log in from a new device. And I get enough junk texts by now that this is a rounding error.
I have a paypal account but hardly use it. It was so secure that I didn’t even know my main password.
- Go to this page.
- Choose the option to use a mobile number (vs a $30 device)
- Enter your phone number
- Enter the code sent via a text to prove you control that phone number. Do so quickly. The code expires in 5 minutes.
Dropbox was similar to github. It uses Google Authenticator plus a backup phone code and backup text string. The only annoyance was that I had trouble scanning the QR code. I had to drag the browser to my second screen (which is larger so has better resolution.)
Dropbox didn’t make me re-connect my existing sessions. I left them alone because I don’t want to sync all that data again. Presumably two factor will protect me against anyone else using my login.
- Go to the security page,
- Click Turn on for two factor
- Enter your phone number
- Enter the code sent via a text to prove you control that phone number
I hadn’t secured yahoo because I use it as my “backup” email provider. Why not though.
- Go to this page.
- Enter your phone number
- Enter the “six digit” code sent via a text to prove you control that phone number. (My “six digit” code was five digits. I guess they are counting invisible leading zeros)
Two years ago, I set up two factor authentication for my gmail account. Last year, github announced the ability of two factor. I hadn’t noticed at the time. Today, I logged on to change my password since github was in the list of applications affected by Heartbleed and saw the option.
How it works
Github gives you a choice of second factor
- Google Authenticator mobile application (I already had the iPad app installed for gmail so this was convenient)
- text to mobile phone (I have this set a secondary)
- written down one time use passwords (kept as tertiary)
Linking the mobile app to github
- Open the mobile app
- Click “edit” pencil
- Click “+” to add an account.
- On your computer, go to your github account settings and click to enable two factor. You will be given a QR code to scan which automatically links the two. There is also the option of typing in a long text code.
That’s it. Now Google Authenticator generates two numeric codes. One for gmail and one for github.
Actually using two factor
Unlike gmail, you probably don’t usually sign on to github using the browser. Let’s look at three ways of signing in.
Through the browser
- I immediately logged out in the browser.
- Enter my password to sign back in
- Enter my two factor code
Through the github Mac app
- Github > Github preferences
- Click sign out
- Enter my username/password to sign back in
- Enter my two factor code
Through the command line
- On the account settings page, create a new personal token
- Leave the default privileges checked. (It’s great there is this much control)
- Run git credential-osxkeychain erase
- git pull (or any other operation that requires a network call to github)
- Enter your user id
- Enter your new generated token (not your password)
As you might expect, the account settings page shows which apps have access. I saw “GitHub for Mac” and “GitHub for Windows” on there. My first thought was “I don’t use Windows.” Then I remembered that I use git to communicate between my Mac and Windows VM.
I also had to update my web service code to call the two factor version.
If you haven’t already, please change your passwords for sites in this list; enabling two factor will protect you in the future. Also change your passwords for any sites which use the same password as one of those in the list.
The NYC Cyber Security meetup had Jeff Williams as a speaker. He’s really good so I decided to go and blog about it. All three sessions were really good! Which sets good expectations for the Appsec USA conference which I’m thinking about attending in November.
Before we move on to security – a bit of humor. I asked where the ladies room was and an employee pointed at what appeared to be the elevator bank. On the end was a door with the word “womens” on it. It looked just like the wall. Camouflage!
Jeff Williams from Aspect – Is OWASP the New Rainbow Series?
Jeff is a very dynamic speaker so this was fun.
Rainbow series and security models
- The Rainbow Series is colored pamphlets/thin docs. Stopped printing due to internet. Community evaporated and group folded. Info still holds – access control, encryption, etc. nobody shepherded knowledge over tech gap.
- Security IMPLIES a model – what does security mean? Possibilities include: policy, no high exploitable vulnerabilities, standards, compliance , your tool’s ruleset, what pen tester interested in, whatever just got hacked (reactive). Need a model to say secure. Compliance is what others care about. It’s like delegating your security model to someone else.
- Rainbow had positive view – assurance world. said controls must be analyzable – must know if good. Completeness, patterns, policy, etc.
- OWASP uses a negative model. Top 10 is what thou shalt not do. Negative model is harder, but ok. Current world is negative and risk based. Assume ok until prove otherwise.
- Goal – rational, defensible, confidence that our apps are “secure” – id important threats, strong defense for each, implement correctly and evidence defenses are working
- Code coverage – Static analysis tools only look at your custom code. They don’t look at libraries, frameworks, app server and runtime. Only a small percent covered. On the dynamic side we hit all the layers but only part of the app. 25-30% is typical.
- Weakness coverage – NSA has a test suite called Juliet. You run static analysis against it to see how good the tool is. Found 80% failing test and more than 60% false alarms. And Juliet is less complex than code real apps would have.
- Portfolio coverage- most apps unreviewed because not critical. A small percent are scanned/penetration test. And an even smaller portion get manual code review
Aspect Top 10
- Jeff hates top ten lists: Negative, incomplete (for example: clickjacking not in top 10), abstract (all of session management in one item), arbitrary, retrospective. Not a good model. [This is sort of in jest as he does find them better than nothing; it’s more frustration that we haven’t moved on]
- Was needed in 2002. Goal was to set a bar so can keep raising bar. That didn’t happen. First top 10 was forward looking. Then started relying more on data and people doing reviews. This is a problem. Because auditors behind casual hackers and way behind organized crime and espionage. Compare to the crypto community who looks at what the threat will be in 10 years. Better capability, better tools.
- Owasp top 10 is most widely used project at owasp. Failure because nothing has changed. Also biggest success because raised awareness.
- Security efforts and tools focused on apps of 2005. Not ajax, sockets, gwt, html 5, inversion of control, aop
A9 in top 10 – using components with known vulnerabilities
- New to the top 10. (In case you are wondering, nothing got removed. Insecure cryptography and insecure transport layer got merged.)
- Reddit quote: “One of the vulnerabilities is having known vulnerabilities”
- The amount of custom code in our apps hasn’t changed much in 10 years. Amount of library code growing quickly. Now 80% library code. Hudson core has 103 open source libraries. You are trusting ALL that code on your machine. Dependency resolution brings in other dependencies so don’t know what using.
- One single vulnerability (cve-2010-1622) on spring beans tainted 1447 projects!
- Developers don’t update libraries in general. Sometimes not using that part of project. Some bad like spring EL injection policies
- 2313 organizations using esapi and it is built into cold fusion
- Roughly 26% libraries are vulnerable.
- Maven can list what libraries using
What to do
- Focus on speed and scale. If need an expert for technique or tool, introduces feedback lag and can’t scale. Looks good for one app. Which causes pressure to compromise on scope and accuracy to increase throughput. Better to use experts to id threats, build automated tests, create rules, strategy, etc. security HAS to work in parallel.
- See if can embed sensors in app and report back data about security. Instrument code and organization so it feeds you info. Think big data.
Panel – from Morgan Stanley – the hosts (I confirmed with the moderator from Morgan Stanley that it is ok to blog)
Securing the enterprise – what means to you
- Protect developers from selves. Not have to think too much about what take off shelf and put in app
- The enterprise used to be a building when gates, guards and guns were data security because thats where the data was.
- Now have to worry about employees sending stuff out , not just attackers coming in. Threat landscape changes, tech advances quickly. If rush and hurry, can roll out globally in 12-18 months
What would you do if owasp releases new findings?
- New data – threat intelligence – can mitigate, detect or respond with technologies in house. Big enough to have a team of people with full time jobs focused on this.
- Financial industry groups to share info. Move in a pack. Exchange info.
- In small company with 20-30 apps can have one guy look at it. This doesn’t scale to 20,000. Need to know what apps and people permitted on network
Thoughts on mailing plaintext passwords
- Financial sector means saving for 7 years in an archive. Authentication and sso – have internal docs for developers so get this right so doesn’t happen.
- Importance of keeping your personal email account secure.
- Different passwords for all sites, password management system. Beyond what the average person will do. Need to hold system accountable. Shouldn’t be able to email password to user. [I’m surprised nobody mentioned two factor for email – I use that for gmail.]
- Need to give vendors feedback so can improve
- Discussion on standard self declaration of password handling practice. Another panelist refuted because additional intelligence – “if they know that, they wouldn’t be emailing you your password”. Don’t want it to be a hitlist when a vulnerability comes out.
- Jeff Williams from audience said likes idea of making model public. Morgan Stanley folks cringed. View as challenge or a boast. Jeff said make public internally. Financial sector – you know what minimum standards are. For internet sites, don’t know threshold. Only held to FTC 15 years of supervision after breach.
Is data the thing that enables us to move into the future?
- Data has always been at the core. After a breach, one of the first questions is what did they get.
- Libraries should have an end of life or expiration date so doesn’t last with vulnerabilities forever.
- Ability to process the data is catching up. Easier to find the holes. And what went thru that hole
- From vendors – need better metrics and intelligence. Currently get more graphics not intelligence
- Can get badge saying ran automated scanning tool against site
- New perimeter – bring your own device (BYOD) – access corporate intranet from whatever device
- No such thing as a perimeter any more. Or more perimeters on the inside. Not dead. Can’t just trust the inside. Contain breach. Compartmentalize.
- Bring your own tech – bringing network connections too – Starbucks is in your enterprise
- What enterprise thinks it can control will shrink – byod, cloud, paas, saas
- If 20 person company, have a lot more control
- On the AP Twitter hack (white house bomb false story.) It affected the market because some high frequency trading was keyed into twitter. This is the danger of being first and fastest. Corners cut. Want to know about twitter but not automated based on it. Is Twitter in your security perimeter?
- Can’t just have tech. Need policies to back up. So can enforce and prosecute. Need management support
- Wouldn’t consider having just 1 isp. If all 5 isps under siege, trading is the least of your problems. Extreme resiliency
- Wouldn’t care if password policy published. Not a surprise because know vague idea in finance. Thousands of people. Every year. Assume info is out there. And give info to suppliers for confidence
Tom Brennan – Trustwave global security report
The report contains a collection of interesting stats. You can read the report online (or at least last year’s version; see the resources section below for the link).
- They focus on monetary loss.
- Top victims – us, australia, canada, uk, brazil
- Top attackers – romania, us, unknown, ukraine, china
- Websites and email most utilized vector
- Mobile malware on the rise
- Breach quadrilateral – propagation, aggregation, exfiltration (how get data out of environment) and infiltration. – much emphasis on perimeter but not propagation. Once gets in, need to be able to stop. If can stop any phase, you beat the bad guy
- 82% of apps they looked at have xss and 72% csrf. Wow. I shouldn’t be surprised. CodeRanch only fixed CSRF (read about how) this year.
- What to do: Train developers, Review code, Test a lot, Protect in real time and patch
- Mobile malware up 400% last year. Top findings are insufficient cache controls, replay attacks on sensitive transactions, sensitive info in server response.
- Use case: Malicious game sends hidden sms messages. Similarly can use receiving hidden sms to launch botnet
- Apple did better job than android. Android littered with malware
- Can’t patch. With byod, phone not owned by company
- Spam down to 2007 levels but nearly 7% of spam links to a malicious website.
- Still 75% of companies’ email is spam
- Weakest links are employees and users
- Password1 is 38% of top 25 password
- Lot of passwords are top child and dog names for reset questions
- Peak password length is 8 characters because default active directory minimum length
Six security pursuits
- visualize events
- unify activity logs
- register assets
- educate employees
- identify users
- protect data
Problem: Businesses focus on making money in version 1 and security in version 2. And then forget about version 2
I learned about the following at the event: