
Archive for May, 2009

The insecurity of ‘secret question’ authentication

Posted in Privacy, Security on May 26th, 2009 by blakangel

A while ago my colleague blogged about the importance of secret questions in keeping your online accounts safe. We came to the conclusion that security questions, in many implementations, can actually decrease your overall level of security. Security questions are a secondary means of authentication used when the primary method fails. So when you forget your webmail password, you’ll be asked a pre-arranged secret question that you must answer to reset your password and regain access to your account. During the presidential election last year, VP candidate Sarah Palin’s Yahoo email was hacked because of weak secret questions and a little googling. A paper with some hard data was published recently; it can be downloaded here and makes for an interesting read.

From the abstract:

All four of the most popular webmail providers — AOL, Google, Microsoft, and Yahoo! — rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months. What’s more, 13% of answers could be guessed within five attempts by guessing the most popular answers of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool.


Ubuntu Linux Swap Partition Encryption

Posted in Privacy, Security on May 6th, 2009 by Justin Case

An often overlooked aspect of security is the swap partition. A swap partition is a partition used to temporarily store data when RAM is low. Anything that might be stored in RAM could be placed in your swap partition, such as passwords and encryption keys. These passwords and keys could be retrieved by a malicious person and used to access your online banking accounts, e-mail accounts or encrypted files.

Today we are going to walk you through simple AES encryption of your Linux swap partition. All data stored in your swap will be seamlessly encrypted with a different random key every time you boot. This will render any examination by a malicious person worthless.

Ubuntu Netbook Remix / Desktop Home Encryption

Posted in Privacy, Security on May 2nd, 2009 by Justin Case

So last week I got my new Acer Aspire One, awesome little netbook here. First things first, I had to remove Windows XP Home and put Ubuntu 9.04 on it. Everything runs pretty well, the webcam works, and the microphone works properly after setting the sound capture to ‘HDA Intel ALC268 Analog (ALSA)’.

With it being so small, I wanted to encrypt the hard drive with LUKS, in case it was stolen or lost. Initially I used the alternative install ISO to do this. The install was complicated due to the installer complaining about the lack of a CD drive, and the performance hit was just too big. So, I decided to use the Netbook Remix and do just /home encryption, as that is where most settings and personal files should be stored.