iPhone 3G USB Power Adapter Recall

Posted: September 19th, 2008 | Author: Jeff | Filed under: iphone | No Comments »

Apparently the little prongs on the adapter have a tendency to break off while plugged into an electrical outlet, causing a potential electrocution hazard. Replacements will become available on October 10th at your local Apple store. (If your adapter has a green dot near the prongs, you already have the newer, redesigned version.)

Check the following link to Apple’s page for all the specific details:

http://www.apple.com/support/usbadapter/exchangeprogram/


Passphrase Mnemonics

Posted: September 18th, 2008 | Author: Jeff | Filed under: Security | No Comments »

How many passwords do you have? More than one? Do you have a separate, robust, easily remembered password for each and every login you have? I’m thinking that the majority of people fall into one of two categories when it comes to passwords. First up are the folks who find it too annoying or bothersome to try to remember so many passwords, so they just use the same password for every site. The other group goes to the opposite extreme and uses great little tools like 1Password or PasswordSafe. These tools allow you to create cryptographically strong passwords and will manage them for you as well. They only require the user to remember one master password, then use a little bit of cut & paste, never once needing to actually memorize the individual passwords.

Somewhere between these two is “Passphrase Mnemonics” (yes, that’s my term for it; don’t blame anyone else). Passphrase Mnemonics allows the average individual to have unique, easily remembered and cryptographically strong passwords for each and every site requiring a login, without resorting to writing them down or storing them in a program.

Before we get right down to it, though, let me explain why this post is entitled “Passphrase Mnemonics” and not “Password Mnemonics”. It’s really quite simple: the term “password” implies using a single word to verify your login, whereas “passphrase” implies using a string of words or a phrase. Phrases are easy to remember and can provide more security than a single word. And at this point, we should all be using phrases instead of words, especially words that can be found in a dictionary. Not just an English dictionary; any dictionary, such as French, Spanish, Swahili, Finnish, Vulcan, Klingon, Elvish, etc. Any word that’s found in a dictionary can be easily cracked by a dictionary attack using one of several freely available tools.

On to the method, or the “Mnemonic”. (By the way, a “mnemonic” is simply a memory device that you use to remember something; think of the old rhyme “30 days hath September…” That’s a mnemonic to help remember the number of days that each month has.)

Step by Step:

  1. Find a favorite book or movie. I like to choose a book with at least twelve chapters, so for this example I’ll use “Snow Crash” by Neal Stephenson.
  2. Choose a chapter based on the number of the month. Since this post is being written in September, I’ll use chapter 9.
  3. The initial passphrase will be the first sentence of the given chapter; in this case the first sentence of the 9th chapter of “Snow Crash” is “The world freezes and grows dim for a second”.
  4. Let’s choose a site that requires a login. I’ll choose Yahoo.
  5. Now create the passphrase for the site by using the first three letters of the site, followed by a special character: yah!
  6. Appending the first three words of the initial passphrase (substituting underscores for spaces) yields: yah!The_world_freezes
  7. Last step: change each word by substituting a number or a special character for a letter in each word: yah!Th3_w0rld_fr3ezes

So for every site that requires a password, you simply prefix your passphrase with the first three letters of the site. The same password for Amazon would be ama!Th3_w0rld_fr3ezes.
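The derivation in steps 5 through 7, written out as a small script so the rule can be applied to any site name and any starting sentence. This is an added illustration, not code from the original post. The substitution table and the rule "replace the first substitutable letter in each word" are assumptions chosen so that the script reproduces the post's own result (yah!Th3_w0rld_fr3ezes); the post leaves the exact substitution to the reader.

```python
"""Worked example of the passphrase-mnemonic derivation (added illustration)."""
import re

# Assumed substitution table: the post only says "a number or a special
# character for a letter in each word"; e->3 and o->0 match its example.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

# Sample input: the sentence quoted in the post (step 3).
INITIAL_PASSPHRASE = "The world freezes and grows dim for a second"


def site_prefix(site: str, separator: str = "!") -> str:
    """Step 5: the first three letters of the site name plus a special character."""
    letters = re.sub(r"[^a-z]", "", site.lower())
    if len(letters) < 3:
        raise ValueError(f"site name {site!r} has fewer than three letters")
    return letters[:3] + separator


def first_words(sentence: str, count: int = 3) -> list[str]:
    """Step 6: the first `count` words of the initial passphrase."""
    words = sentence.split()
    if len(words) < count:
        raise ValueError("sentence has fewer words than requested")
    return words[:count]


def substitute(word: str) -> str:
    """Step 7 (assumed rule): replace the first letter that has a LEET mapping.

    Applied to "The", "world", "freezes" this gives Th3, w0rld, fr3ezes,
    which is exactly the post's result.
    """
    for i, ch in enumerate(word):
        if ch.lower() in LEET:
            return word[:i] + LEET[ch.lower()] + word[i + 1:]
    return word  # no substitutable letter; the word is left unchanged


def derive_passphrase(site: str, sentence: str = INITIAL_PASSPHRASE) -> str:
    """Combine steps 5-7: site prefix, then the substituted words joined by underscores."""
    core = "_".join(substitute(w) for w in first_words(sentence))
    return site_prefix(site) + core


if __name__ == "__main__":
    for site in ("Yahoo", "Amazon", "Gmail"):
        print(f"{site:8s} -> {derive_passphrase(site)}")
```

Running it prints yah!Th3_w0rld_fr3ezes and ama!Th3_w0rld_fr3ezes for the two sites named in the post. Note that everything after the separator is identical for every site; only the three-letter prefix changes, which is why the post rates the method below a password manager.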

Is this as robust and as secure as using software-based password tools like PasswordSafe? No, not at all. But it’s a safe bet that it’s safer than using the same password everywhere! And you don’t even need to write it down or have your PDA handy to keep it safe. All you need to do is remember your passphrase (Th3_w0rld_fr3ezes) and know what site you’re logging into, and voilà! Simple, cryptographically strong and easily remembered unique passwords for each site.

If you’re comfortable using software-based password managers, by all means continue to use them. If you’ve considered them in the past, maybe now would be a good time to do a bit of googling on password managers and find one you like. But if not, this relatively simple process will at least provide you with a method of creating decent passwords (passphrases).


Simple way to avoid fake website logins

Posted: September 17th, 2008 | Author: Jeff | Filed under: Security | 8 Comments »

Now, most of the readers here are probably beyond reproach with regard to how they handle phishing attempts (whether they are email-based or fake sites), but I heard of a tactic today that can be used to detect fake sites very easily and is simple enough for your mom to use.

If you’re like me, you know several people who might not have the technical savvy to be aware of scams that ask you to log into a bad guy’s site masquerading as your bank or another trusted online source. Some of these fake sites go to the extreme of mimicking every single part of the trusted site, with the exception of the login form. Entering your credentials there gives the bad guys all they need to drain the victim’s account via the legitimate site.

How can we expect people with little to no technical experience to be able to recognize these threats and avoid them?

The answer is so simple even your crazy Aunt Martha can do it. (OK, maybe not crazy Aunt Martha, but everyone else.)

Train your user base (mom, dad, the neighbors, co-workers, etc.) to use the double-login method.

The double-login method (my own name for it) has the user enter false information first, and then the legitimate information. A bogus login and password will be accepted by a bad site every time, because the bad guys have no way of validating the information until later, when they attempt to use it to compromise the account.

An example:

Crazy Aunt Martha gets an email from her bank asking her to verify some security settings or transfers on her account.

Unbeknownst to Aunt Martha, the email was fake! It was a phishing attempt containing a link formatted to look like it came from her bank, but that in actuality connected her to the bad guy’s site, which had been set up to look just like the legitimate bank’s.

Aunt Martha doesn’t know the difference between the good site and the bad one, nor was she able to tell that the email link she just clicked on was bogus. What Aunt Martha can do is use the double-login method to protect herself. She attempts to log into the site with her bogus information and it gets accepted! She immediately knows that this is a “Bad Guy’s Website”, promptly closes her browser and forwards the email to her bank’s security contact, which you (being the great IT guru that you are) already placed into Aunt Martha’s address book.

A quick follow-up call to the bank can confirm the details, and Aunt Martha’s life savings are intact!

If the bogus credentials are accepted, then the site is bad.  How easy is that?
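To make the reasoning concrete, here is an added model of the check (not code from the original post): a login handler that validates credentials against a salted-hash store stands next to a handler modelling the fake site, which cannot validate anything and so reports success for whatever it receives. The `double_login_check` function performs the two-step procedure described above and stops before the real credentials are sent if the decoy is accepted. The user names, password and handler names are constructed for this illustration.

```python
"""Model of the double-login check (added illustration, not the post's code)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor for the constructed credential store


def _record(password: str) -> tuple[bytes, bytes]:
    """Build a (salt, digest) record for the constructed legitimate site."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user store for the legitimate site: username -> (salt, digest).
LEGIT_USERS = {"martha": _record("correct horse battery staple")}


def legitimate_login(username: str, password: str) -> bool:
    """A site that actually validates: accepts only a matching password."""
    record = LEGIT_USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


HARVESTED: list[tuple[str, str]] = []  # what the modelled fake site would collect


def phishing_login(username: str, password: str) -> bool:
    """Model of the fake site in the post: it has nothing to validate against,
    so it records whatever is typed and reports success every time."""
    HARVESTED.append((username, password))
    return True


def double_login_check(login, real_username: str, real_password: str) -> str:
    """Step 1: submit credentials that cannot be valid. If they are accepted,
    the site did not validate them, so stop without sending the real ones.
    Step 2: only if the decoy was rejected, submit the real credentials."""
    decoy_user = "decoy-" + os.urandom(4).hex()  # constructed, never a real account
    decoy_pass = os.urandom(8).hex()
    if login(decoy_user, decoy_pass):
        return "suspicious: bogus credentials were accepted; real ones not sent"
    if login(real_username, real_password):
        return "ok: decoy rejected, real login succeeded"
    return "failed: decoy rejected, real login also rejected"


if __name__ == "__main__":
    real = ("martha", "correct horse battery staple")
    print("bank   ->", double_login_check(legitimate_login, *real))
    print("fake   ->", double_login_check(phishing_login, *real))
    print("harvested:", HARVESTED)  # only the decoy pair ever reaches the fake site
```

The check distinguishes a page that validates credentials from one that accepts any input. Because the decoy is random and tied to no real account, a rejection costs nothing, and an acceptance is the signal the post describes.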

In the interest of full disclosure: This isn’t my idea.  I heard of it at a small security conference earlier today.  I just think it’s a really great idea that needs to be shared!