MUST READ - The Comprehensive Online Security Guide

Discussion in 'BlackHat Lounge' started by xxtoni, Jul 14, 2012.

  1. xxtoni

    xxtoni Junior Member

    Joined:
    Jul 5, 2010
    Messages:
    172
    Likes Received:
    213
    Considering that there have been two security breaches in the past few days, both here at our very own BHW and at Yahoo as well (though they're not the same in nature), I have decided to put together a guide detailing how to effortlessly manage all of your passwords and keep them as secure as humanly possible.

    Frankly, I was a bit shocked to see that many people, even here on BHW, use the same passwords for multiple sites; hopefully this guide will help a lot of people in overcoming the habit of using the same passwords for multiple sites.

    Let's get to it, shall we?

    My online security system is based on 4 tools:
    LastPass
    KeePass
    Dropbox (optional)
    Google Two Factor Authentication

    Both tools are free and available on all major platforms. In this guide I'll be covering how to secure all of your passwords and having them available on all the computers and other devices that you have (primarily tablets and smartphones).

    With my system you will only have to remember 2-3 passwords, those are:
    Your Email password (optional but highly recommended)
    LastPass Master Password
    KeePass Master Password

    LastPass


    I'll try to be short here, LastPass is basically a browser extension (or plugin) on the front end. Once you set it up it will generate unique password for each site you register on and save it. Next time when you visit the same site it will automatically fill out the login form so you can just click Login and that's it.

    I recommend that you use a password generator for your 3 passwords; since it's not a lot, everyone should be able to remember these, and chances are you won't change them for years.

    A nice password generator I use sometimes is http://www.pctools.com/guides/password/

    NOTE: Use these passwords only for their respective service, not for ANYTHING ELSE

    After a few weeks of use the passwords will be burned into your memory and you should have no problem remembering them but just in case print them out and store them somewhere safe, just make sure that you don't indicate which password is for what so even if someone finds it, they won't have a point of reference to determine for what it is.

    Moving on.

    Since we're on BHW I don't think that I have to teach you how to install a plugin in your web browser. Once you install LastPass, sign up and set up your master password, make sure that you DON'T enable the Remember Password option. You should type your master password into LastPass every time you log in, that is essential. It is OK to remember your email though.

    Once that's done proceed to enabling two factor authentication. I won't explain this step by step in detail here; for instructions on how to set up Two Factor Authentication please see the following:
    http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447
    http://helpdesk.lastpass.com/security-options/google-authenticator/

    Once you've set up Two Factor Authentication also make sure that you DON'T mark your computers as trusted. If you do that it won't prompt you to enter your "token" code every time you log into LastPass, and that's the whole point here.

    At this point you're pretty much done when it comes to LastPass. When you now register on a site LastPass should prompt you to generate a password for registration and if you accept it will automatically fill in the password in the registration form and save it. If it doesn't you can just click on the LastPass icon in your browser and go to Tools-> Generate Secure Password. Next time you visit your site it should automatically fill out the login form, again if it doesn't just click the LastPass icon and it will show you the password entry at the bottom of the dialog, from there you can just copy the username and password and paste it into the login form, LastPass will then ask you if you want to save your new login and if you click Yes in the future it will automatically fill out the form.


    KeePass


    I use KeePass for my important Web site passwords and non-website passwords. I won't be going into much detail on how to setup KeePass as there is a very good article on how to do so on LifeHacker:
    http://lifehacker.com/5063176/how-to-use-dropbox-as-the-ultimate-password-syncer

    If you want to sync your password database across computers you can use Dropbox, and that part is also explained in the lifehacker article I provided.

    One thing that isn't provided in the article however is using the KeePass database on a mobile device. I have an iPhone and use MiniKeePass with Dropbox for iPhone for this, but there are many KeePass apps for iPhone so your choice isn't limited to MiniKeePass.

    Securing your Gmail (Google Apps email)


    You should first change your password for your primary email account and set up a new one, just like you did for LastPass and KeePass. Now that your email has a secure password you proceed to two factor authentication. Since it's already enabled for your account you just have to add it for your email as well, the same way you did for LastPass.

    The first time you log into your email with two factor authentication enabled it will ask you to Remember this computer for 30 days, just like LastPass did, and you SHOULD NOT do that here either since it defeats the purpose of two factor authentication to some degree.

    That's basically it, once two factor auth is setup and you have a unique password for your mail that isn't used anywhere else your account will be extremely secure because for anyone to gain access to your account they would have to both gain your password and your mobile device to get the "token" code.

    NOTES

    • After you enable two factor authentication you can't use your normal Google account password to log into software that requires it and third-party services like the Reeder app, for example; for those you have to set up an Application Specific Password in your Google account. For more details on how to do this please see: http://support.google.com/accounts/bin/answer.py?hl=en&answer=185833

    • After you enable two factor authentication you should also print out some backup codes for your Google account. Backup codes are, as the name suggests, a way to log into your account just in case you lose access or accidentally delete the "token" app on your phone. I personally have 2 copies printed out and hidden where they're both safe and where nobody has access to them.

    EXTRA BONUS - ENHANCE PAYPAL SECURITY


    What always extremely bothered me with Paypal was that they're basically a banking institution and they're no more secure than your email account, heh, actually they're less secure in some ways.

    I couldn't get my head around the fact that they're not offering a token-like device for all of their customers; they do however offer a token for US Customers. Unfortunately, again it costs money and you have to wait for it...it's a hassle.

    Fortunately, for once at least, you can use a free app called VeriSign VIP Access as your security key or token. Basically you would download the app to your iPhone or Android device, follow the steps in the app until it's activated and then go to the following link:

    https://www.paypal.com/us/cgi-bin?c...curitycenter/PayPalSecurityKey-outside&bn_r=o

    and click on Activate Now, you'll be prompted to log into your PayPal account, just click on Activate Token on the next page and follow the steps.

    That's about it, your account now has two-factor authentication so any nasty script kiddie or cracker trying to get his greasy little hands on any of your passwords will find a hard nut to crack.

    ____________________

    Phew, that was a long one. If you have any questions, please feel free to ask.
     
    • Thanks Thanks x 18
    Last edited: Jul 14, 2012
  2. Duffers5000

    Duffers5000 Elite Member

    Joined:
    Apr 1, 2012
    Messages:
    2,467
    Likes Received:
    7,615
    Saved this to view later...thanks for the effort
     
  3. N1ckG2

    N1ckG2 Regular Member

    Joined:
    Dec 17, 2011
    Messages:
    301
    Likes Received:
    115
    Great!

    One question (did not read all word by word, but please let me ask you) - can i use this method for my FTP passwords? Most of us use FTP clients to uploads files and the last time my comp was infected with a virus that stole all my ftp passwords and infected all my websites.

    What FTP client do you recommend and how can we generate and store unique passwords?

    Thanks!
     
  4. zoyaraymonds

    zoyaraymonds Regular Member

    Joined:
    Jan 16, 2012
    Messages:
    490
    Likes Received:
    141
    nice share...thanks
     
  5. JohnsonDaniel

    JohnsonDaniel Regular Member

    Joined:
    May 16, 2008
    Messages:
    389
    Likes Received:
    1,385
    Location:
    In a bright place---------------------------------
    Very kind of you to post this write-up, thanks and +rep added.
    Personally, I've used Roboform for years, but, as it's a paid service, Keepass and LastPass sound way better :)
    A question, though...
    Are your passwords stored online, or on your own devices? If on your own devices, and a person has only one computer, for example, do LastPass and Keepass provide a way to backup and/or export your logins for when you change computer/device and/or if it breaks and needs replacing/reformatting?

    I understand Dropbox would probably take care of those situations, but not everyone has, nor knows how to use, Dropbox.

    Again, thanks for taking the time to provide this thread :)
     
  6. xxtoni

    xxtoni Junior Member

    Joined:
    Jul 5, 2010
    Messages:
    172
    Likes Received:
    213
    You're very welcome

    Absolutely!

    I store all of my FTP, cPanel, WHM, mysql and all the rest of these kinds of passwords in KeePass. I understand your pain, recently one of the sites that I developed for a local business got infected and I still haven't completely cleared it, mostly because the site is hosted on shared hosting and they aren't as helpful as they could be. My problem was (I think) a plugin vulnerability but it is possible that it was somehow an FTP problem as well, though doubtful.

    Here is the setup I use for my management of Web site related passwords. You can create categories and sub categories in KeePass. So I have a Network category and in it I have a Clients category and each client's name in the sub-category (and Web site name if it's mine). Then you just create a new password in that category, KeePass will automatically generate a secure password and the default username, you just have to enter a title and that's about it.

    I'm an extremely organized person so I like categories and things like that but if you don't, you could basically create it all at the same place and use the search in KeePass to find stuff, though I really wouldn't recommend that, you'll sometimes forget all of the data you had entered for that entry and then you'll have to look through all the entries, which can be a pain.

    So you can use this method for FTP passwords and I have used it for years.

    On Windows I used FileZilla which is a very good client, probably the best on Windows but I have 2 notes on security in a second. The passwords are generated and stored in KeePass.

    I would strongly advise AGAINST storing passwords in FileZilla or any other FTP software. As far as I know, most if not all of them store the files in a less-than-secure file, FileZilla stores it in a text file, so the trojan you mentioned could have just been programmed to find the location where all of the popular FTP programs store their "databases" and just send them to the hacker.

    The other thing is FTP, sending data over FTP is extremely insecure, while that usually isn't an issue it can be, especially if you're using public networks for doing work. IF the server supports it just use Secure FTP, if it is supported it is simply a matter of choosing secure FTP in FileZilla instead of FTP.

    Another advantage of KeePass is that because you're copying the password it is to some degree secure against keyloggers; since you're not typing the password on your keyboard, ordinary keyloggers can't get it, though if your system is keylogger infected you have a whole other set of problems.

    Welcome

    I used Roboform ONCE, for about 20 minutes and I just couldn't handle it...it was awful, though if it works for you great.

    With LastPass the passwords are stored in the cloud, but honestly if that's making you anxious I'll tell you something that'll either make you worry more or put your mind at ease. LastPass actually had a security breach last year, within 24 hours of the breach (of which they weren't sure) they contacted all of their users and recommended that they change their passwords BUT, there was no reason for that either. Even if the hackers did get into LastPass servers the stuff they got is useless to them. If you create a password like the one I recommended earlier they would get a hash that's basically impossible to crack if your password isn't based on a dictionary word. The passwords are hashed and salted and peppered (the latter is a joke).

    Not to mention if you use two-factor auth even if they have your password they still can't login because they don't have access to your token.

    Your next question was about backups. I have been using LastPass for 2 years and never lost a single password, but you can export all your passwords to CSV from both LastPass and KeePass.

    This is also where the case of Dropbox comes into play, which is free by the way. Dropbox keeps several copies of every file in your Dropbox folder called revisions.

    What does that mean for you ?

    Well, imagine the following scenario, you are busy doing something and ACCIDENTALLY press some weird key combination that switches you from your text editor to KeePass, you don't notice this and press CTRL+A and delete and somehow even CTRL+S (weirder things have happened, at least to me, especially when you're working at full speed). If your KeePass database was hosted on your computer, without dropbox you would be pretty much fucked.

    BUT in Dropbox you get this great feature called Revisions or Previous Versions. What that basically means is that each time you edit a file that is located in your Dropbox folder the previous version is still stored in Dropbox, and if you realize that you fucked up something you just click on the current file, go to the Dropbox option and click on Previous Version, that takes you to the Dropbox site where you can select one of the previous versions of your file and you don't have to blow your brains out because you lost 400 of your most important passwords.

    Hope that answers your questions

    If not, please, feel free. If you have any questions regarding setup or need help, just let me know.
     
    • Thanks Thanks x 1
    Last edited: Jul 14, 2012
  7. N1ckG2

    N1ckG2 Regular Member

    Joined:
    Dec 17, 2011
    Messages:
    301
    Likes Received:
    115
    Can I link FTP client with KeePass so it gets login info automatically when KeePass is active (master password entered)?
     
  8. nipunn12

    nipunn12 Regular Member

    Joined:
    May 30, 2011
    Messages:
    372
    Likes Received:
    98
    Permission to post this on my Wordpress site
     
  9. xxtoni

    xxtoni Junior Member

    Joined:
    Jul 5, 2010
    Messages:
    172
    Likes Received:
    213
    Not as far as I know and that is also one thing I forgot to mention. You should configure KeePass to lock itself automatically after 3 or so minutes, that's a nice security measure in case you ever forget to lock it (happens).

    This really shouldn't keep you from using KeePass because for me it takes 10-15 seconds (actually measured that for you) to bring KeePass up (mine is always in the taskbar, you can configure that in its settings when setting up) using ALT+CTRL+K, to type in the master password, to press CTRL+F and type in what I'm searching for, and to copy the password to my FTP manager.

    If you can't spare 15 seconds every once in a while to copy a password but have a secure and hassle free password solution then this isn't for you :)
     
  10. florflor

    florflor Senior Member

    Joined:
    Mar 9, 2008
    Messages:
    822
    Likes Received:
    307
    I am in UK and also have a Paypal token so it's not limited to the US.

    What if you want to use 2-factor auth for Yahoo Mail and GMail but do not have a smartphone?
     
  11. xxtoni

    xxtoni Junior Member

    Joined:
    Jul 5, 2010
    Messages:
    172
    Likes Received:
    213
    That's good to know, unfortunately they don't offer it for my place. I even called support, explained that I already have a "token" that I just need the steps to activate it and they said, not possible, great support as always!

    Google offers to call you or to send you an SMS each time. Though if you have any iOS device like iPhone, iPod Touch or iPad you can install the authenticator on that. Same should go for Android.
     
  12. assassinmarketing

    assassinmarketing Regular Member

    Joined:
    Jun 16, 2010
    Messages:
    248
    Likes Received:
    179
    Occupation:
    SocialPrenuer
    Location:
    Darkside
    I have NSA encryption and throw away dummy passwords with trackback :)
     
  13. N1ckG2

    N1ckG2 Regular Member

    Joined:
    Dec 17, 2011
    Messages:
    301
    Likes Received:
    115
    Can we create an encrypted file within dropbox folder (TrueCrypt is free) and then store there all FTP passwords?
     
  14. xxtoni

    xxtoni Junior Member

    Joined:
    Jul 5, 2010
    Messages:
    172
    Likes Received:
    213
    Sure thing but KeePass is already encrypted and in my opinion a much better solution for storing passwords of any kind, not just FTP. I store all my web site credentials in KeePass. cPanel, WHM, WordPress logins and so on and so forth.
     
  15. superriku11

    superriku11 Newbie

    Joined:
    Aug 25, 2012
    Messages:
    15
    Likes Received:
    1
    Good quality information! Though it'd be good if you included something about VPNs for obvious security reasons.
     
  16. silentthunder

    silentthunder Jr. VIP Jr. VIP Premium Member

    Joined:
    Feb 6, 2009
    Messages:
    525
    Likes Received:
    1,342
    Occupation:
    cpa
    Location:
    In the pink
    Isn't there something flawed about using an online password generator?
     
  17. xxtoni

    xxtoni Junior Member

    Joined:
    Jul 5, 2010
    Messages:
    172
    Likes Received:
    213
    I don't use or see the need for a VPN on my office/home network, it should be secure enough. As for VPNs on random WiFi networks and stuff like that: if you have a home connection that is fast enough you can basically set up something simple like Hamachi on your home computer. If your home computer isn't always on you can configure Wake On Lan (WOL) and using that you can turn your PC on remotely from anywhere. Hmm, now that I'm thinking about this I might create another thread detailing remote control...moving on. Basically by setting up a VPN on your home computer and connecting to it from a random location with your laptop all your data will be tunneled to your home computer, so if your home network is secure this is a pretty good method.

    If on the other hand your home connection isn't fast enough for this your best bet is just finding a reputable VPN service and pay for it. Reputable and safe ones will cost a tiny bit more than the usual dirt cheap ones but as the saying goes...you get what you pay for.

    No, why ?

    The passwords stored in LastPass are just as secure as your gmail password stored in Google's service or your bank account password stored there (actually I read that some banks don't even use two factor auth so LastPass is probably safer). Basically from their end your passwords are secure, the only concern I see is from your end, and as long as you use the tips I outlined here I see no realistic way how someone who isn't out to get you can access your passwords. Even those who are out to get you will have a hard time accomplishing anything.

    Please keep in mind that none of us are truly secure, not to mention our data. The possibility always exists that someone will gain access to it but I think that this setup is the almost perfect blend of security and convenience.

    Even if you were to host your data only locally there is the same chance of someone getting to it. On LastPass your account is identified by your email address. When you keep it on your computer it is in some ways much easier for someone to gain access to the data, especially if it's someone who you know or knows you. But in either case, as long as the data is encrypted and you use a decent password that isn't written down anywhere I don't think you have anything to worry about.
     
  18. xxtoni

    xxtoni Junior Member

    Joined:
    Jul 5, 2010
    Messages:
    172
    Likes Received:
    213
    Just a little update for those who still follow this thread. Facebook and Dropbox have added two factor authentication. So if you're worried about someone breaking into your Facebook account or grabbing your files from Dropbox, enable two factor auth.
     
  19. LOL-Blaster

    LOL-Blaster Regular Member

    Joined:
    Aug 29, 2012
    Messages:
    342
    Likes Received:
    706
    Two factor authentication is created by Google.

    Are you comfortable giving out your sensitive info to Google?

    They can ban you anytime.
     
  20. xxtoni

    xxtoni Junior Member

    Joined:
    Jul 5, 2010
    Messages:
    172
    Likes Received:
    213
    Obviously you don't understand how two factor authentication works so I'll explain. While on the back end Google does host the access for this particular authenticator I mentioned (there are many more, but that's not the point here) they still don't have access to your passwords.

    To log into an account with two factor authentication you need two components, one is the token code generated by the authenticator and the other is your password. So even if Google has access to your token code they don't have access to your password and without that the code is useless.

    Ergo you're not giving any information to Google you don't want to give them.