Category Archives: Web

Enabling the Google Advanced Protection Program with iOS

Required

Setup

  1. Plug the Bluetooth bridge into your computer. Wait for the Yellow LED to stop blinking. If it does not stop blinking (indicating a problem installing the drivers), try a different computer
  2. In Chrome, add the DIGIPASS SecureClick Manager app to Chrome
  3. Launch DIGIPASS SecureClick Manager and click "Add SecureClick"
  4. Follow the instructions and enter PIN "000000" when prompted
  5. Enable the Advanced Protection Program and pair your U2F tokens. The initial setup only allows the configuration of two tokens, but additional tokens can be added the normal way (My Account → Sign-in & security → 2-Step Verification → ADD SECURITY KEY)
  6. On your iOS device, launch the Smart Lock App
  7. Login to your Google account
  8. When prompted to pair your security key, hold down the button on the SecureClick until the LEDs flash red, select SClick U2F in Smart Lock, and enter PIN "000000".
  9. Your iOS device is now authenticated and your SecureClick is now paired as a BLE device
  10. Open your Google apps, and enable the account you authenticated in Smart Lock

Notes

You do not need to install the DIGIPASS Secure Click Manager app on your iOS devices. The Google Smart Lock app will handle the pairing.

Enabling Advanced Protection clears your 2-Step Verification methods, so you must re-enroll any additional security keys.

The only feature I miss is contact syncing.

I had problems using the Bluetooth bridge on my macOS computers for initial setup, but it has started working on High Sierra (10.13.2) and El Capitan (10.11.6).

Chirpify Permissions

I was going to link my Marriott Rewards account to my Twitter and Instagram accounts to take advantage of the #REWARDSPOINTS social promotions and start taking advantage of the Extra Point Sunday Twitter trivia, but Chirpify is asking too much.

Twitter permissions requested:

  • Read Tweets from your timeline. – reasonable
  • See who you follow, and follow new people. – reasonable
  • Update your profile. – why do they want/need to be able to update my profile?
  • Post Tweets for you. – why do they want/need to be able to post tweets?
  • See your email address. – reasonable

Instagram permissions requested:

  • Access your basic information: Your media & profile info – reasonable
  • Access public content: Media & profile info of public users – reasonable
  • Comment on photos: Post and delete comments on your behalf – why do they want/need to be able to comment?
  • Follow accounts: Follow and unfollow accounts on your behalf. – why do they want/need to follow/unfollow accounts?

Maximize LastPass Security with a Yubikey

While LastPass is very convenient, I want to be as cautious as possible when putting all of my eggs (passwords) in one basket. I have two-factor authentication enabled, and LastPass has native YubiKey support as a second authentication factor.

Protections:

  • LastPass Premium – allows simple use of unique passwords for each account
  • Typed/Remembered Password – protects from a stolen YubiKey allowing access to your vault
  • YubiKey OTP – prevents a keylogger from allowing access to your LastPass Vault
  • YubiKey Static Password – ensures your Master Password is strong enough to prevent an attacker from brute forcing your password if they are able to dump the LastPass database

What you need:

Setup Your YubiKey

YubiKey Programming Dialog (not my real password)

  1. Launch the YubiKey Personalization Tool
  2. Select "Static Password Mode"
  3. Click the "Scan Code" button
  4. Select:
    • Configuration Slot 2
    • Program Multiple YubiKeys
    • Keyboard: US Keyboard
  5. Enter a strong password
  6. Insert each YubiKey, and click "Write Configuration"

Configure LastPass

Add YubiKeys to LastPass

  1. Open your LastPass Vault and Click Account Settings
  2. If you have not already configured your Yubikey as a second factor
    1. Click Multifactor Options, Scroll down to yubico, Click the pencil
    2. Set Enabled to Yes
    3. If you use iOS, you will want to set Permit Mobile Device Access to Allow, even though it is slightly less secure
    4. Pick whichever option you like for Permit Offline Access. Since you should only be logging in to LastPass from trusted computers, there is not much of a security risk
  3. For each of your YubiKeys, put the cursor in a YubiKey box and press the button on the YubiKey
  4. When all of your YubiKeys have been entered, click Update
  5. Under the General tab, Change Master Password. For your new master password, type a good password (it can be your current password), followed by the password in your YubiKey. This is the only time you will have to type the YubiKey password.

Use

Now when you log into LastPass, you will type your password, insert your YubiKey, press the YubiKey button for 2 seconds. The YubiKey will type its portion of your master password and <enter>. LastPass will prompt you for your second factor. Use a short press on the YubiKey button to enter the YubiKey OTP code.

Mobile Protection

Since my iPhone SE is not compatible with YubiKeys, I had to take a different approach. This one phone is the only mobile device allowed to access my account (restricted by UUID). I authorized it using the Google Authenticator app before disabling Google Authenticator. My phone is protected by TouchID and the LastPass app is protected by a PIN. I store the "YubiKey portion" of my master password in NoteCrypt, which is protected by a different/shorter password.

NoteCrypt (https://itunes.apple.com/tc/app/notecrypt-encrypted-notes/id897154139) appears to be developed by Tom King (LinkedIn). While I can’t audit what NoteCrypt actually does, it says all of the right things about encryption and password-based key derivation. It also costs $2.99, so there is an economic model that doesn’t involve ads or selling of user data. Finally, the developer’s LinkedIn profile looks respectable.

Manual Podcast Feed

I recently transitioned from using Downcast to Overcast. Unfortunately, I was pretty far behind listening to some of my podcasts, and Overcast was not able to "see" some old episodes of some podcasts (e.g. Security Now!, since TWiT only keeps the latest 10 episodes in the feed). I created a javascript/php Manual Podcast Feed Generator that allows for the quick creation of non-updateable podcast feeds. All of the information is encoded in the URL, so I don’t need to store data.

Revisited: Eliminating Mixed Content warnings with Amazon Associates

Links & Banners

I verified that adding the internal=1 parameter and removing http: from an iframe banner URL will cause it to load securely. I also verified that the clicks are counted (they show up in the link Earnings and Link-Type reports).
Important: This does not work for all banner ads. The trick works for any banner ad that displays without mixed content warnings when you review it on the Amazon page.

<iframe src="//rcm-na.amazon-adsystem.com/e/cm?t=tidgubi-20&o=1&p=12&l=ur1&category=mp3&f=ifr&linkID=4ZPJJS7R4IXD5OGO&internal=1" width="300" height="250" scrolling="no" border="0" marginwidth="0" style="border:none;" frameborder="0"></iframe>

I have not been able to figure out a way to make the javascript based Banners load all parts securely.
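The check and rewrite described above can be scripted. This is an added example, not code from the original post or from Amazon: it lists the http: subresources in an embed snippet, then rewrites them to scheme-relative URLs and appends internal=1 to amazon-adsystem.com URLs. The function names, the sample markup and the "example-20" tracking ID are assumptions made for illustration.

```javascript
// Added example: find http: subresources in an embed snippet and rewrite them
// to scheme-relative URLs, adding internal=1 to Amazon banner URLs.

// Tags treated here as active mixed content (browsers block these loads);
// the remaining tags are passive (warned about or auto-upgraded).
const ACTIVE = new Set(['script', 'iframe', 'link', 'object', 'embed']);
const SUBRESOURCE = /<(script|iframe|img|link|object|embed|audio|video|source)\b[^>]*?\s(?:src|href|data)\s*=\s*["'](http:\/\/[^"']+)["']/gi;

// List every subresource in `html` that would be fetched over plain http.
function findInsecureSubresources(html) {
  return [...html.matchAll(SUBRESOURCE)].map((m) => {
    const tag = m[1].toLowerCase();
    return { tag, url: m[2], kind: ACTIVE.has(tag) ? 'active' : 'passive' };
  });
}

// Drop the scheme so the URL inherits https from the embedding page. For
// amazon-adsystem.com hosts also append internal=1, as the post describes.
function toSchemeRelative(src) {
  const u = new URL(src, 'https://placeholder.invalid/');
  let query = u.search; // kept byte-for-byte so tracking parameters survive
  if (u.hostname.endsWith('.amazon-adsystem.com') && !u.searchParams.has('internal')) {
    query += (query ? '&' : '?') + 'internal=1';
  }
  return '//' + u.host + u.pathname + query + u.hash;
}

// Rewrite every insecure subresource URL found in the snippet.
function hardenSnippet(html) {
  let out = html;
  for (const { url } of findInsecureSubresources(html)) {
    out = out.replace(url, () => toSchemeRelative(url));
  }
  return out;
}

// Constructed sample markup; "example-20" is a placeholder tracking ID.
const SAMPLE = [
  '<iframe src="http://rcm-na.amazon-adsystem.com/e/cm?t=example-20&o=1&f=ifr" width="300" height="250"></iframe>',
  '<img data-src="http://cdn.example/lazy.png" src="http://cdn.example/pixel.gif">',
  '<a href="http://example.com/">plain link, not a subresource</a>',
].join('\n');

for (const hit of findInsecureSubresources(SAMPLE)) console.log(hit.kind, hit.tag, hit.url);
console.log(hardenSnippet(SAMPLE));
```

A static scan like this only sees URLs present in the markup. Content that a widget fetches after its script or Flash code runs still has to be checked in the browser.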

Secure Widgets

Search


Contextual Recommendations


Omakase

This widget can be secured with some work.

Amazon doesn’t sanitize the amazon_ad_tag parameter, so the &internal=1 trick works for this widget.
Remove "http:" from the script src attribute and update the widget script with:

<script type="text/javascript"><!--
amazon_ad_tag = "tidgubi-20&internal=1"; amazon_ad_width = "728"; amazon_ad_height = "90";//--></script>
<script type="text/javascript" src="//ir-na.amazon-adsystem.com/s/ads.js"></script>

Partially Secure Widgets

These widgets will load securely; however, they load insecure content if the user hovers over a product and causes a popup to load.

Insecure Widgets

Some quick testing showed the non-mobile friendly widgets use flash. While the flash code is loaded securely, it loads insecure content when executed. Using any of these results in mixed content warnings.