Friday, December 21, 2007
Security Researcher Promotes Concept of 'Safe' and 'Promiscuous' Web Browsers
In this brief article (http://www2.csoonline.com/exclusives/column.html?CID=33396) we find an excellent tip for safe surfing that applies to wired and wireless networks:
It involves having two browsers: One, which he calls the “promiscuous” browser, is the one he uses for ordinary browsing. A second browser is used only for security-critical tasks such as online banking.
Also, you can read the commentary on Slashdot here: http://it.slashdot.org/it/07/12/21/1317217.shtml
Friday, December 14, 2007
Secure Email on the Road
If you use a laptop and you need to check your email on the road -- in other words, using a network or a computer that you can't be sure is safe -- you need to establish a secure point-to-point connection to your server for both sending and receiving email. In an earlier post, I described the safest way to connect to Gmail on a public network; this post describes a similar approach for email at your domain.
There are several ways to check your email over a secure connection:
- Use your email provider's web interface, and connect to the web mail page using SSL (https, not http).
- Use SSL to connect your email client (Outlook, Thunderbird, etc.) to your mail server.
How To Send Email Securely
The approach I describe here will work on any wireless network, or any insecure wired network, to protect your email login and downloads. Otherwise, your email transactions, especially your login, are transmitted in clear text, which means anyone who's watching can see your user name and password. That's right, the default setup for most email programs is to transmit everything, including your login, unprotected in the clear! To protect your email accounts, you only need to configure your email client once to use a secure connection, and then you will be safe every time you use that email client software.
Web Mail
If your email provider offers a web mail page, use it, with SSL. Our company's email provider, DNS Made Easy, offers webmail in two flavors: SquirrelMail and and some email services even build their own This approach works quickly and easily. Just use SSL by adding an "s" after the "http" like this: https://webmail.mydomain.com That's right, substitute your domain. This approach works exactly the same way as the safest way to connect to Gmail on a public network, so see that post for details.
Secure IMAP with SSL
Your communications with your incoming email server need to be protected so an eavesdropper can't steal your password and read all your email. I'm a big fan of using the IMAP protocol for my incoming email, instead of POP. That's really a separate discussion, but for now you should know that IMAP is really the way to go if you check your mail from more than one computer. Here's how to encrypt the traffic between your email program and your incoming IMAP email server:
- Use a provider (such as DNS Made Easy) that supports an IMAP SSL connection; or, for a corporate email system, ask your IT guy to set it up (he really should, anyway).
- In your current email client (Outlook, Thunderbird, etc.) open the account settings dialog box. Usually, this opens a tabbed or many-sectioned dialog box. Select the tab for your incoming or receiving email server.
- Check or select the "SSL" encryption option. Note: this may be hidden under "Advanced" or some similar secret place -- one of the reasons why most people don't do this.
- Enter your
Secure SMTP
You need to protect your connection with your outgoing (SMTP) server so spammers don't hijack your user name and password to use your account to send spam. Because of this problem, many ISPs don't allow you to use their SMTP servers unless you are connected through their network, even if you need to authenticate with a username and password. One of our ISPs, Verizon, is an example of this approach. So, even though I need a user name and password to send email via Verizon, I usually can't do this when I'm on the road, unless I'm at a client's that uses Verizon, too. So, here's what I did:
- Set up a secure SMTP server at DNS Made Easy.
- In my mail client, I opened the account settings dialog box, and went to the outgoing (SMTP) server settings.
- I selected the "SSL" option for encryption.
- I typed in my username and password.
- Just to be safe, I changed the SMTP port to a port that only accepts SSL, in my case, port 465 -- this may be different for your SMTP server.
- I clicked [OK] to save my changes.
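The Secure IMAP and Secure SMTP settings above do the same thing a script does when it opens both connections over SSL before logging in. The sketch below is an added example, not part of the original post; the host names are placeholders, and port 993 for IMAP over SSL is an assumption (the post only names port 465 for SMTP).

```python
import imaplib
import smtplib
import ssl
from email.message import EmailMessage

# Assumed placeholders, not values from the post: substitute your provider's hosts.
IMAP_HOST = "imap.example.com"
SMTP_HOST = "smtp.example.com"
IMAP_SSL_PORT = 993  # assumed: the usual SSL-only IMAP port
SMTP_SSL_PORT = 465  # the SSL-only SMTP port the post uses


def tls_context():
    """Context that verifies the server certificate and its host name."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_message(sender, recipient, subject, body):
    """Build a plain-text message to hand to send()."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def unread_count(user, password, host=IMAP_HOST):
    """Log in over SSL and return the number of unseen messages in INBOX."""
    # IMAP4_SSL finishes the TLS handshake before any IMAP command is sent,
    # so the login below never crosses the network in clear text.
    with imaplib.IMAP4_SSL(host, IMAP_SSL_PORT, ssl_context=tls_context()) as imap:
        imap.login(user, password)
        imap.select("INBOX", readonly=True)
        _, data = imap.search(None, "UNSEEN")
        return len(data[0].split())


def send(user, password, msg, host=SMTP_HOST):
    """Authenticate and send through the SSL-only SMTP port."""
    # SMTP_SSL also wraps the socket first; a failed certificate check raises
    # ssl.SSLError before the user name and password are transmitted.
    with smtplib.SMTP_SSL(host, SMTP_SSL_PORT, context=tls_context()) as smtp:
        smtp.login(user, password)
        smtp.send_message(msg)
```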
Wednesday, December 12, 2007
Strong Passwords
One of the foundation stones of secure wireless computing, or any computer security for that matter, is strong passwords. Here are some of my favorite tools for generating strong passwords:
- The Security Guide for Windows - Random Password Generator: this web-based tool generates passwords of any length you specify (the default, 8 characters, is an excellent choice). Other great features include: “no similar characters” (e.g. i, l, o, 1, 0, I); and the option to generate multiple passwords with one click, which is very handy if you need to set up several accounts all at the same time.
- GRC’s Ultra High Security Password Generator generates long (63+ characters) password strings, using Hex, ASCII, and alphanumerics, every time you refresh the page. Plus, the page itself is transmitted via SSL! There’s plenty to read about each password string, as well as information on WPA keys and technical details of how the password is generated. Plus, check out the GRC | Security Now! podcast, where this password generator page is often mentioned -- a great computer security podcast.
- Finally, you may need a place to store all these passwords. I use the open source Keyring for Palm OS to keep all my passwords close at hand, safely encrypted. This Palm OS program also generates passwords, so you might not even need the web sites noted above.