<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="https://community.element14.com/cfs-file/__key/system/syndication/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Security and Identification</title><link>https://community.element14.com/technologies/security/</link><description>Security and related technologies</description><dc:language>en-US</dc:language><generator>Telligent Community 12</generator><item><title /><link>https://community.element14.com/technologies/security/b/blog/posts/authenticators-share-your-experience-with-2fa?CommentId=d93375ac-b4c0-4838-bf9f-fb8c4cec7e0a</link><pubDate>Fri, 10 Mar 2023 14:12:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:d93375ac-b4c0-4838-bf9f-fb8c4cec7e0a</guid><dc:creator>shabaz</dc:creator><description>Hi Sean, I think there&amp;#39;s zero need to use a subscription app (it sounds like a scam, I&amp;#39;ve not heard of such apps requiring subscription, but perhaps I&amp;#39;m mistaken and it is legitimate). I&amp;#39;ve never used a paid authenticator app, always used the free one that was intended to be used with the service in question (i.e. it can vary; you may end up using more than one authenticator app if you&amp;#39;re accessing different sites). As you say, often it provides a time-limited code, to prevent people copying codes down (I used to occasionally have to do that before the time-limited thing was popular! Not very secure, but that was before I used a smartphone..) 
because then there&amp;#39;s the risk someone else may find and use the codes.</description></item><item><title /><link>https://community.element14.com/technologies/security/b/blog/posts/authenticators-share-your-experience-with-2fa?CommentId=98a1ff25-b5fd-439b-82ba-f1271d50aa92</link><pubDate>Fri, 10 Mar 2023 13:47:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:98a1ff25-b5fd-439b-82ba-f1271d50aa92</guid><dc:creator>colporteur</dc:creator><description>My limited understanding is the authentication app (auth_app) is a software algorithm to generate codes given specific input variables. Two variables are time and the unique 2FA entry you enter manually or scan via QR code into the auth_app. I recall using token authenticators provided by work. Once fired up, you entered a code and it returned a numerical value (some hexadecimal) that you provided to the access system. I spoke to the techs that supported the system when they were first introduced to try to develop an understanding. The tech told me they entered the token ID number in the access system when they were activated, along with the value (key) provided to the client who will use them. The client was not supposed to share the key. The token had a crystal oscillator that generated a time value (for lack of a better word) that was used in an algorithm along with the key to produce a code. A code should match the receiving system&amp;#39;s code. The match had a stale date window of time it would work. If I transfer this learning to the auth_app it is not much different. I enter the code using QR or type it in and the auth_app every 30 secs generates a value. I’m assuming some sort of time is combined with the key value to produce the code. I’m not familiar with the Ubuntu Linux Authenticator software application. I discovered that the Provider entry works for a few tries and then doesn’t generate a code that works. If I select another provider value (i.e. 
Apple, Adobe ID, Amazon Web Services, ...) it works again for a short while and then doesn’t. I have tried to access the security website from several different operating systems, to eliminate maybe browser issues. I have yet to get a code from the phone auth_app that works. The Linux app works for a few tries and then doesn’t. This is the first time I have had reason to use an authenticator app. I spoke to some friends that have them on their phones with lists of QR scanned token IDs. Since they are not technically minded, engaging them in this type of discussion produces only blinking, staring eyes :) Maybe I would have better success if I used the subscription auth_app? I am critical of companies that charge me for a service and then force me to use another technology that I have to again pay for in order to access the service. You then get the marketing song and dance, we can change the fact they want to charge you. I find it frustrating to hear “hey we got a problem, let’s use technology to solve it”, without thinking of the total cost of ownership. That includes the user frustration. I figured the minds that frequent this site have a common theme of wanting to understand how things work. Thank you for your response.</description></item><item><title /><link>https://community.element14.com/technologies/security/b/blog/posts/authenticators-share-your-experience-with-2fa?CommentId=dd2a1fbf-06c7-4d67-ae6b-c784151dd7cd</link><pubDate>Fri, 10 Mar 2023 05:19:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:dd2a1fbf-06c7-4d67-ae6b-c784151dd7cd</guid><dc:creator>shabaz</dc:creator><description>(can&amp;#39;t edit) When you selected a different provider (i.e. Amazon in your case), you used a completely different system to authenticate, completely separate servers, so if the other provider had an issue on any of their systems, you managed to completely bypass it when you used Amazon. 
This is despite you ultimately getting access to the original site you wanted (i.e. the security website that you mention).</description></item><item><title /><link>https://community.element14.com/technologies/security/b/blog/posts/authenticators-share-your-experience-with-2fa?CommentId=8fcc48ef-6b64-4058-b36a-b3acc60a8850</link><pubDate>Fri, 10 Mar 2023 05:14:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:8fcc48ef-6b64-4058-b36a-b3acc60a8850</guid><dc:creator>shabaz</dc:creator><description>(Can&amp;#39;t edit). By &amp;quot; Two factor authentication doesn&amp;#39;t specify an algorithm &amp;quot; I mean the term &amp;quot;two factor authentication&amp;quot; could use one of any number of different algorithms, so you can&amp;#39;t mix-and-match different software to do it always. It can also be called &amp;quot;multi-factor authentication&amp;quot; if you&amp;#39;re googling it. It&amp;#39;s just an umbrella term, that doesn&amp;#39;t specify the details.</description></item><item><title /><link>https://community.element14.com/technologies/security/b/blog/posts/authenticators-share-your-experience-with-2fa?CommentId=cfc4930f-e48e-4b9c-8dc1-c527c077319b</link><pubDate>Fri, 10 Mar 2023 05:10:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:cfc4930f-e48e-4b9c-8dc1-c527c077319b</guid><dc:creator>shabaz</dc:creator><description>Hi Sean, It&amp;#39;s hard to know for sure precisely what happened since you mention it was a mistake in their account setup, but regarding this bit: &amp;quot; I then changed the provider option in the software to Amazon &amp;quot; That sounds like you&amp;#39;re using &amp;quot;delegated authentication&amp;quot; where the site decides to trust you, _provided_ another (usually major) firm trusts you (trust isn&amp;#39;t the correct word here, but it will do). You often have a choice of provider (not always, it is dependent on the site). 
By you selecting Amazon and logging in with them, then the original site you were using will trust you (because they can confirm directly with Amazon that Amazon was OK with you logging in with your Amazon account, presumably). Two factor authentication doesn&amp;#39;t specify an algorithm, so it can differ, so usually specific software (or from a specific set) would need to be used. Long story short, it&amp;#39;s just a set of steps that help to make it less likely that someone who had stolen your credentials could impersonate you, because they would also have had to have stolen multiple credentials, or your mobile phone or whatever is being used for the other factor in 2FA.</description></item><item><title>Blog Post: Authenticators share your experience with 2FA</title><link>https://community.element14.com/technologies/security/b/blog/posts/authenticators-share-your-experience-with-2fa</link><pubDate>Fri, 10 Mar 2023 02:57:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:1b60a027-e0f3-4fd0-91c4-313cd957b00a</guid><dc:creator>colporteur</dc:creator><description>I recently needed an authenticator app to gain access to a security website. I looked at the three the website security vendor recommended for my phone. One I could use for free and the other two were free, only after I purchased a subscription that I could cancel. The free authenticator app generated the numbers but didn’t work on the site. Back to tech support. They confessed to making an error in setting up my account. They corrected the problem and sent me a new link. I tried again to use the free authenticator app following the instructions the vendor provided, still it didn’t work. Instead of going back to tech support, I branched out on my own and found authenticator software for Linux. I loaded Authenticator 3.32. The app generated codes but still failed to provide me with access to the site. I then changed the provider option in the software to Amazon. 
I entered the 2FA token provided by the security website. The code generated by the authenticator passed authentication on the security website and it permitted me access. What changed when I replaced the provider with Amazon? I’m going to assume it is the algorithm used to generate the codes. I’m going off to do some research, but was hoping someone might have some insight or experience they will share.</description><category domain="https://community.element14.com/technologies/security/tags/authenticator%2bapps">authenticator apps</category><category domain="https://community.element14.com/technologies/security/tags/authentication">authentication</category></item><item><title /><link>https://community.element14.com/technologies/security/b/blog/posts/git-sign-your-commits-with-a-certificate?CommentId=e0550426-3a95-4df6-b411-2e0bb1b3d918</link><pubDate>Sun, 12 Dec 2021 20:26:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:e0550426-3a95-4df6-b411-2e0bb1b3d918</guid><dc:creator>Jan Cumps</dc:creator><description>Heads-up: if you&amp;#39;re using GitLab, it works there too:</description></item><item><title /><link>https://community.element14.com/technologies/security/b/blog/posts/git-sign-your-commits-with-a-certificate?CommentId=74de2975-117a-4f5a-bfb3-3b70ece14dc7</link><pubDate>Fri, 10 Dec 2021 14:51:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:74de2975-117a-4f5a-bfb3-3b70ece14dc7</guid><dc:creator>Jan Cumps</dc:creator><description>Here is an example that show how this can be used in a fully automated flow: I submitted a pull request for Microsoft Azure ( link ). 
They validate if I signed my commits, and also validate if I have signed the CLA (Contribution License Agreement). If I don&amp;#39;t do that, the pull request workflow will keep my pull request pending.</description></item><item><title>Blog Post: GitHub and GIT: sign your commits with a certificate</title><link>https://community.element14.com/technologies/security/b/blog/posts/git-sign-your-commits-with-a-certificate</link><pubDate>Thu, 25 Nov 2021 11:12:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:f0133c3d-8bfa-446d-b780-c35a8b8cde8e</guid><dc:creator>Jan Cumps</dc:creator><description>When you&amp;#39;re working on open source projects, they sometimes ask you to sign your commits. That&amp;#39;s the common way to confirm that you agree with the software license and development rules. There are different ways to do this: by adding a comment to the commit message, or by using a digital certificate. Commit message signing - plain This is the simplest way, and is accepted by many open source projects. In your commit, you add the --signoff option to the GIT command: git commit -a -m &amp;quot;added unit test&amp;quot; --signoff This will automatically add your info. The result (e.g.: on GitHub) will look like this: (the green check on the right doesn&amp;#39;t mean this is a verified commit, it&amp;#39;s not related to the signature.) Commit message signing - with a Certificate With this process, you confirm the activity by signing the commit with a key. Create a PGP key First take care that you have a signing key. It&amp;#39;s not hard to generate one. I&amp;#39;m using the GIT bash on a Windows 10 PC to launch the commands. Maybe you have a key. Check with: gpg --list-keys If you don&amp;#39;t have one, you&amp;#39;ll see output like this: But if you have one, you can reuse it. 
Check if it hasn&amp;#39;t expired: If you don&amp;#39;t have an existing certificate, here&amp;#39;s how you create one: gpg --gen-key Register your public key on GitHub This is an optional step. It will take care that the verified tag is put next to your signed commits. Get your public key content into a text file: gpg --output public.pgp --armor --export your.mail@yourprovider.com Then navigate to your online GitHub profile, Settings, SSH and GPG keys: Add a New GPG key, and paste the content of the text file you just created into the field. Save. Use your key when committing changes When you commit, add the -S option to the command line: git commit -S -a -m &amp;quot;refactured the API&amp;quot; You can check if the signature was successful: git log --show-signature -1 Once you push your changes to the server, GitHub flags them as verified: That&amp;#39;s it.</description><category domain="https://community.element14.com/technologies/security/tags/security">security</category><category domain="https://community.element14.com/technologies/security/tags/git">git</category></item><item><title>Wiki Page: Setup</title><link>https://community.element14.com/technologies/security/w/setup</link><pubDate>Wed, 10 Nov 2021 04:22:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:f6bf1aa4-e832-4d6d-8a27-4eac2c8d3317</guid><dc:creator>ChristyZ</dc:creator><description>The documents in this Wiki can be used to populate widgets on the group home page. &amp;quot;Featured Content Triptych Setup Doc&amp;quot; contains the 3 featured items - image, descriptive text, and button, that you can edit to change the image, text and link/button text as appropriate for this group. If there isn&amp;#39;t already a 3-box widget showing on the home page for this group, to display the document, you will need to get someone with Admin rights (one of the Devs or Pauline&amp;#39;s team) to add a Wiki Viewer widget for you and insert the url to the document. 
From then on, you will be able to update the content of that widget by making changes to the document. &amp;quot;Featured Video Setup Doc&amp;quot; lets you embed a video - YouTube, Brightcove, or an image that links to a document somewhere on the site that contains the video - and that can also be put into a Wiki Viewer (in the skinny column) using the url. From then on, that widget can be updated by changing out the image/link or embedded video that is in that document.</description></item><item><title>Wiki Page: Featured Video Setup Doc</title><link>https://community.element14.com/technologies/security/w/setup/26674/featured-video-setup-doc</link><pubDate>Wed, 10 Nov 2021 04:22:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:39f29309-7822-40aa-b549-f3cc0a71a626</guid><dc:creator>ChristyZ</dc:creator><description /><category domain="https://community.element14.com/technologies/security/tags/featuredVideo">featuredVideo</category></item><item><title>Wiki Page: Featured Content Triptych Setup Doc</title><link>https://community.element14.com/technologies/security/w/setup/26675/featured-content-triptych-setup-doc</link><pubDate>Wed, 10 Nov 2021 04:22:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:6618fe03-166f-4727-8223-a483a234c8ff</guid><dc:creator>ChristyZ</dc:creator><description>Feature 1 Sub Title 1 Description for Feature 1 - enter whatever text you wish to use as the description here Button Text 1 Feature 2 Sub Title 2 Description for Feature 2 - enter whatever text you wish to use as the description here Button Text 2 Feature 3 Sub Title 3 Description for Feature 3 - enter whatever text you wish to use as the description here Button 3 Text</description></item><item><title>Wiki: Setup</title><link>https://community.element14.com/technologies/security/w/setup</link><pubDate>Wed, 10 Nov 2021 04:22:00 GMT</pubDate><guid 
isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:52a3e455-1d52-46f8-9dcd-1099d7a48db7</guid><dc:creator /><description /></item><item><title>File: Security sentry turrets!</title><link>https://community.element14.com/technologies/security/m/managed-videos/18390</link><pubDate>Sat, 09 Oct 2021 09:15:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:b7e2e7ba-805d-41d7-bd6b-3b02b6e0e0a4</guid><dc:creator>Matt</dc:creator><description>These appeared at a local building site.. they look like something from a computer game! They seem to be guarding the digger.</description><category domain="https://community.element14.com/technologies/security/tags/security">security</category><category domain="https://community.element14.com/technologies/security/tags/portal">portal</category><category domain="https://community.element14.com/technologies/security/tags/cctv">cctv</category><category domain="https://community.element14.com/technologies/security/tags/sentry">sentry</category><category domain="https://community.element14.com/technologies/security/tags/turret">turret</category></item><item><title>Files: Managed Videos</title><link>https://community.element14.com/technologies/security/m/managed-videos</link><pubDate>Sat, 09 Oct 2021 09:15:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:aecba997-2d4a-40c4-9391-ad95d9bec51a</guid><dc:creator /><description /></item><item><title>Wiki Page: Password Strength, get familiar with it.</title><link>https://community.element14.com/technologies/security/w/documents/10421/password-strength-get-familiar-with-it</link><pubDate>Fri, 08 Oct 2021 05:12:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:efc3f68b-93fe-46e3-9287-ed80937bebed</guid><dc:creator>DebuggerGuys</dc:creator><description>Sometimes it becomes a real pain and massive headache when you must remember 20 different passwords for important things every single day, and having the 
very same one password for more than one account is a dangerous thing to do and a not-so recommendable practice. As well, if you have the idea that it&amp;#39;s very unsafe to write them down somewhere, whether digitally or non-digitally, you and I think pretty much alike. Nevertheless, it is something we must get used to somehow, and the methods we use to keep those passwords safe are not handy most of the time, right? Anyway! This post attempts to compile and remind you of the best practices in keeping our passwords secure, and dealing with the vast number of services we daily log into and log out of. First of all, let&amp;#39;s define the elements that make our password secure enough: length; avoidance of dictionary words; avoidance of relevant user information (first name, last name, birth date); avoidance of common patterns; the combination of lower and uppercase letters, numbers and special characters. The mixture of different character types makes up what’s called the “keyspace”. The keyspace can be computed through the formula C^N, C being the number of possible characters and N being the length of the password. To determine the keyspace of the “oh, so common” example, ‘password’, we would use the above formula C^N. This example uses only lowercase letters which would bring the C in the formula to 26, i.e. the number of all possible lowercase letters [a-z]. The exponent N is simply the length of the password ‘password’ which in this case equals 8. For our example, the formula turns out to be 26^8 or roughly 208 billion. So this means that for an attacker to perform a brute force attack, like trying every single possibility in the keyspace, they would need to try roughly 208 billion possibilities. At first glance you may be thinking, “Oh, that sounds like a pretty secure number to me.” But in reality, it really isn’t. 
There are many advanced programs and techniques that are used to speed up the password cracking process including: GPU-based cracking, rainbow table assisted cracking, cloud-based cracking, and statistical pattern assisted cracking. Using GPU-based cracking, a single AMD Radeon HD 7970 can reach speeds of up to 8.2 billion passwords per second. [1] If an attacker were to use the brute force method he or she would crack our example “password” in just less than 26 seconds. Following the above guideline for password strength is paramount to keeping your passwords secure against the multitude of password cracking attacks. There is a seemingly age-old argument of passwords vs. passphrases. That is, use a long, easier to remember passphrase compared to a more compact, but difficult to remember password. An example of a passphrase can be the name of your favorite book, “So Long, and Thanks for All the Fish” which would have a keyspace of 85^36 or roughly around 2 duovigintillion (I swear it’s a real thing). Whereas, an example of a password could be ‘xYaQxrz8!’, which would have a keyspace of 95^9 or roughly 630 quadrillion. Seems strong enough right? Hopefully you will still get those headaches once in a while but your online services will be secured. The technique I use to avoid headaches is writing keywords similar to my passwords or linking them with a personal experience...(I guess my memory isn&amp;#39;t that bad after all). 
It can also help writing a big note with a random story that includes them...the matter here is to find a way to maintain them and keep thieves away.</description><category domain="https://community.element14.com/technologies/security/tags/security">security</category><category domain="https://community.element14.com/technologies/security/tags/password">password</category><category domain="https://community.element14.com/technologies/security/tags/account">account</category><category domain="https://community.element14.com/technologies/security/tags/strength">strength</category><category domain="https://community.element14.com/technologies/security/tags/online">online</category></item><item><title>Wiki: Documents</title><link>https://community.element14.com/technologies/security/w/documents</link><pubDate>Fri, 08 Oct 2021 05:12:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:77e3a37a-6d39-45f9-8c2e-5b31d1e16018</guid><dc:creator /><description /></item><item><title>Wiki Page: websites tracking you online...how?</title><link>https://community.element14.com/technologies/security/w/documents/9900/websites-tracking-you-online-how</link><pubDate>Fri, 08 Oct 2021 04:53:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:c14bf258-c91e-422e-b6ea-911cd46cadfd</guid><dc:creator>DebuggerGuys</dc:creator><description>Some forms of tracking are obvious – for example, websites know who you are if you’re logged in. But how do tracking networks build up profiles of your browsing activity across multiple websites over time? Tracking is generally used by advertising networks to build up detailed profiles for pinpoint ad-targeting. If you’ve ever visited a business’ website and seen ads for that business on other websites later, you’ve seen it in action. IP Addresses The most basic way of identifying you is by your IP address. Your IP address identifies you on the Internet. 
These days, it’s likely that your computer shares an IP address with the other networked devices in your house or office. From your IP address, a website can determine your rough geographical location – not down to street level, but generally your city or area. If you’ve ever seen a spammy ad that tries to look legitimate by mentioning your location, this is how the ad does it. IP addresses can change and are often used by multiple users, so they aren’t a good way of tracking a single user over time. Still, an IP address can be combined with other techniques here to track your geographical location. HTTP Referrer When you click a link, your browser loads the web page you clicked and tells the website where you came from. For example, if you clicked a link to an outside website on How-To Geek, the outside website would see the address of the How-To Geek article you came from. This information is contained in the HTTP referrer header. The HTTP referrer is also sent when loading content on a web page. For example, if a web page includes an ad or tracking script, your browser tells the advertiser or tracking network what page you’re viewing. “Web bugs,” which are tiny, one-by-one pixel, invisible images, take advantage of the HTTP referrer to track you without appearing on a web page. They’re also used to track emails you open, assuming your email client loads images. Cookies &amp;amp; Tracking Scripts Cookies are small pieces of information websites can store in your browser. They have plenty of legitimate uses – for example, when you sign into your online-banking website, a cookie remembers your login information. When you change a setting on a website, a cookie stores that setting so it can persist across page loads and sessions. Cookies can also identify you and track your browsing activity across a website. This isn’t necessarily a big problem – a website might want to know what pages users visit so it can tweak the user experience. 
What’s really pernicious are third-party cookies. While third-party cookies also have legitimate uses, they’re often used by advertising networks to track you across multiple websites. Many websites – if not most websites – include third-party advertising or tracking scripts. If two different websites use the same advertising or tracking network, your browsing history across both sites could be tracked and linked. Scripts from social networks can also function as tracking scripts. For example, if you’re signed into Facebook and you visit a website that contains a Facebook “Like” button, Facebook knows you visited that website. Facebook stores a cookie to save your login state, so the Like button (which is actually part of a script) knows who you are. Super Cookies You can clear your browser’s cookies — in fact, we’ve got a guide to clearing your browser’s cookies. However, clearing your cookies isn’t necessarily a solution – “super cookies” are increasingly common. One such super cookie is evercookie. Super cookie solutions like evercookie store cookie data in multiple places – for example, in Flash cookies, Silverlight storage, your browsing history, and HTML5 local storage. One particularly clever tracking method is assigning a unique color value to a few pixels every time a new user visits a website. The different colors are stored in each user’s browser cache and can be loaded back – the color value of the pixels is a unique identifier that identifies the user. When a website notices that you’ve deleted part of the super cookie, the information is repopulated from the other location. For example, you might clear your browser cookies and not your Flash cookies, so the website will copy the value of the Flash cookie to your browser cookies. Super cookies are very resilient. User Agent Your browser also sends a user agent every time you connect to a website. 
This tells websites your browser and operating system, providing another piece of data that can be stored and used to target ads. For more information about user agents, check out our explanation of what a browser user agent is. Browser Fingerprinting Browsers are actually pretty unique. Websites can determine your operating system, browser version, installed plug-ins and their versions, your operating system’s screen resolution, your installed fonts, your time zone, and other information. If you’ve disabled cookies entirely, that’s another piece of data that makes your browser unique. The Electronic Frontier Foundation’s Panopticlick website is an example of how this information can be used. Only one in 1.1 million people have the same browser configuration I do. There are surely other ways that websites can track you. There’s big money in it, and people are brainstorming new ways to track every day – just see evercookie above for evidence of that. To surf as anonymously as possible, use the Tor Browser Bundle. For information on tweaking your browser’s privacy settings and determining what exactly each setting does, see our guides to optimizing Google Chrome, Mozilla Firefox, Internet Explorer, Safari, or Opera for maximum privacy. 
via How To Geek v</description><category domain="https://community.element14.com/technologies/security/tags/internet">internet</category><category domain="https://community.element14.com/technologies/security/tags/cookies">cookies</category><category domain="https://community.element14.com/technologies/security/tags/web">web</category><category domain="https://community.element14.com/technologies/security/tags/explorer">explorer</category><category domain="https://community.element14.com/technologies/security/tags/user">user</category><category domain="https://community.element14.com/technologies/security/tags/google">google</category><category domain="https://community.element14.com/technologies/security/tags/network">network</category><category domain="https://community.element14.com/technologies/security/tags/safari">safari</category><category domain="https://community.element14.com/technologies/security/tags/tracking">tracking</category><category domain="https://community.element14.com/technologies/security/tags/mozilla">mozilla</category><category domain="https://community.element14.com/technologies/security/tags/ip">ip</category><category domain="https://community.element14.com/technologies/security/tags/opera">opera</category><category domain="https://community.element14.com/technologies/security/tags/http">http</category><category domain="https://community.element14.com/technologies/security/tags/firefox">firefox</category><category domain="https://community.element14.com/technologies/security/tags/browser">browser</category><category domain="https://community.element14.com/technologies/security/tags/chrome">chrome</category></item><item><title>Wiki Page: a hole in Windows 8 security...is it a big deal?</title><link>https://community.element14.com/technologies/security/w/documents/9830/a-hole-in-windows-8-security-is-it-a-big-deal</link><pubDate>Fri, 08 Oct 2021 04:52:00 GMT</pubDate><guid 
isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:6e359f57-db92-49f8-8d37-7ddd1d7f9380</guid><dc:creator>DebuggerGuys</dc:creator><description>A security researcher has found a potentially massive security hole in Windows 8 that would expose someone&amp;#39;s contacts and other information from social networking services and email including Gmail, Facebook, Hotmail, LinkedIn, and Twitter, among others. It sounds serious, but there may be less to the security hole than meets the eye. Woody Leonhard, an old friend of mine, first reported on the hole in Infoworld . The hole comes about because Windows 8 can grab contact and other data from multiple external sites so that you can see them all in one place. That&amp;#39;s one of the benefits of Windows 8 -- Metro is designed to be a central hub for information across the Internet, and then bring that information to you rather than you going out and seeking it. Leonhard notes, though, that in the current Consumer Preview of Windows 8, all that information is kept on a machine even after the PC is turned off, and that someone may be able to get access to all of it. He writes: &amp;quot;Windows 8 doesn&amp;#39;t build its Contacts list dynamically. Instead, it keeps a cache of contacts from all of those sources stored on the machine. The cache persists even when the user logs off or the machine is turned off. That means anyone who can sign on to your PC with an administrator account can see all of your contacts and all of their data -- names, email addresses, pictures, telephone numbers, addresses -- whatever you have on file or whatever&amp;#39;s been sucked in from Hotmail, Gmail, Facebook, Twitter, and LinkedIn.&amp;quot; Leonhard found out about the hole from a white paper written by Amanda C.F. Thomson, a graduate student at George Washington University. (You can get the white paper and more information from her blog, PropellerHeadForensics .) It&amp;#39;s certainly frightening stuff. 
But keep in mind that for anyone to get access to that cache, they&amp;#39;ll need to log in to the Windows 8 machine with administrator access. And in that case, they&amp;#39;ll be able to get access to a lot of this information without having to dig into the cache -- Metro will be grabbing information from multiple services, and that information will be displayed in plain sight. However, it is true that the cache will make it easier for someone to grab all the contact information in one fell swoop, so it is an added security threat. The real problem isn&amp;#39;t as much Windows 8 as it is the overuse of an administrator account. People should use such an account only rarely, and not for normal operations of their PC, because of the access it gives to all parts of the operating system. And they should never share that account with others. Mark Baldwin, principal researcher and consultant at InfosecStuff, told Taylor Armerding of CSO that &amp;quot;If an unauthorized person has admin rights on your machine, then you have more problems to worry about than your Facebook and email contact information.&amp;quot; I think it&amp;#39;s likely that Microsoft will protect the cache in some way, so that even administrator accounts won&amp;#39;t be able to directly view it. The cache is only there to improve performance, so that it doesn&amp;#39;t have to be rebuilt every time someone logs on. So don&amp;#39;t be surprised if it&amp;#39;s eventually encrypted. Woody is certainly right -- the cache is a potential security danger. But it&amp;#39;s not as bad as it seems at first glance, and Microsoft may fix it before the operating system&amp;#39;s final release. 
via COMPUTER WORLD</description><category domain="https://community.element14.com/technologies/security/tags/information">information</category><category domain="https://community.element14.com/technologies/security/tags/microsoft">microsoft</category><category domain="https://community.element14.com/technologies/security/tags/hole">hole</category><category domain="https://community.element14.com/technologies/security/tags/security">security</category><category domain="https://community.element14.com/technologies/security/tags/8">8</category><category domain="https://community.element14.com/technologies/security/tags/network">network</category><category domain="https://community.element14.com/technologies/security/tags/info">info</category><category domain="https://community.element14.com/technologies/security/tags/windows">windows</category><category domain="https://community.element14.com/technologies/security/tags/social">social</category></item><item><title>Wiki Page: Keep an eye on your e-mail account. Harrowing tale...</title><link>https://community.element14.com/technologies/security/w/documents/9734/keep-an-eye-on-your-e-mail-account-harrowing-tale</link><pubDate>Fri, 08 Oct 2021 04:50:00 GMT</pubDate><guid isPermaLink="false">93d5dcb4-84c2-446f-b2cb-99731719e767:4108c34a-bb71-47e7-875d-f196d9387c55</guid><dc:creator>DebuggerGuys</dc:creator><description>...&amp;quot;When [my wife] came back to her desk, half an hour later, she couldn’t log into Gmail at all. By that time, I was up and looking at e‑mail, and we both quickly saw what the real problem was. 
In my inbox I found a message purporting to be from her, followed by a quickly proliferating stream of concerned responses from friends and acquaintances, all about the fact that she had been “mugged in Madrid.” The account had seemed sluggish earlier that morning because my wife had tried to use it at just the moment a hacker was taking it over and changing its settings—including the password, so that she couldn’t log in again. The greatest practical fear for my wife and me was that, even if she eventually managed to retrieve her records, so much of our personal and financial data would be in someone else’s presumably hostile hands that we would spend our remaining years looking over our shoulders, wondering how and when something would be put to damaging use. At some point over the past six years, our [email] correspondence would certainly have included every number or code that was important to us – credit card numbers, bank-account information, medical info, and any other sensitive data you can imagine.&amp;quot;... Jeff Atwood Your email is the skeleton key to your online identity. When you lose control of your email to a hacker – not if, but when you lose control of your email to a hacker – the situation is dire. Email is a one stop shop for online identity theft. You should start thinking of security for your email as roughly equivalent to the sort of security you&amp;#39;d want on your bank account. It&amp;#39;s exceedingly close to that in practice. The good news, at least if you use GMail, is that you can make your email virtually hacker-proof today, provided you own a cell phone. The fancy geek technical term for this is two factor authentication, but that doesn&amp;#39;t matter right now. What matters is that until you turn this on, your email is vulnerable. So let&amp;#39;s get started. Not tomorrow. Not next week. Right. Freaking. Now. 
SOURCE: Coding Horror.</description><category domain="https://community.element14.com/technologies/security/tags/account">account</category><category domain="https://community.element14.com/technologies/security/tags/hacker_2D00_proof">hacker-proof</category><category domain="https://community.element14.com/technologies/security/tags/hackers">hackers</category><category domain="https://community.element14.com/technologies/security/tags/online">online</category><category domain="https://community.element14.com/technologies/security/tags/identity">identity</category><category domain="https://community.element14.com/technologies/security/tags/e_2D00_mail">e-mail</category></item></channel></rss>