We discussed securing Google, Microsoft, Yahoo! and Twitter accounts. Today we discuss securing Facebook accounts.
1. Log into Facebook with your username and password
2. On the top right of the webpage, click on the dropdown arrow to select “settings”
3. On the left top end, select “security”
4. Click on “login approvals.” Note: Make sure your cellphone number is added to your account
5. Check “Require a login code to access my account from unknown browsers”
6. Click on “get codes”
7. Enter your password
8. You will receive an automated message
9. Enter the code to confirm your login approvals
We discussed securing Google, Microsoft and Yahoo! accounts. Now we will go through securing Twitter accounts.
- Log in to your account and go to Settings.
- Select "Security and privacy" and add your phone number.
- After adding your phone number, select Continue.
- A code is sent to your phone to verify the number.
- Enter the code; this activates your phone for login verification.
- From now on, whenever you log in to your Twitter account, in addition to your password you need to enter the code sent to your mobile device via SMS.
- Two-factor authentication is now set up on your account.
We discussed securing Gmail and Hotmail accounts. We will now secure Yahoo! accounts. First log in to your Yahoo! account, then click on "Account info" at the top right of the page, select the "Account security" tab, and then toggle two-step verification.
After toggling two-step verification a window pops up. Select your country and enter in your mobile number and then either select ‘Send SMS’ or ‘Call Me’. For the purpose of this assignment I will go with ‘Send SMS’.
Enter the verification code that you are sent.
We discussed securing Google accounts before. You can reach that content from here. The following walk-through illustrates how to set up two-factor authentication for a Hotmail account. These instructions assume you have an Android smartphone and an alternate email address registered with your Hotmail account. If you don't, don't fret: continue up to Step 3 and then follow the on-screen instructions.
Step 1: Go to https://account.microsoft.com/proofs/Manage and sign in to your account. Once signed in, click on the ‘Set up two-step verification’ link.
Step 2: Click next.
Step 3: Select a method to verify your identity. (If you don’t have an alternate email address or Android, select the method that best fits your needs.)
Step 4: Download and install the ‘Microsoft account’ app onto your smart phone.
Step 5: Open the app and follow the on screen instructions to sign in to your account. After signing in, you will be asked to verify your identity by having a security code emailed to your alternate email address.
Step 6: Back on the website, select ‘Next’ to complete the setup. Optionally, you can proceed further to create an app password for use on any devices that do not accept security codes.
The next time you or someone else tries to log into your account from another device, an alert will be sent to your phone to verify the login is authorized. If not, reject the attempt.
Microsoft FAQ: http://windows.microsoft.com/en-us/windows/two-step-verification-faq
- You will first need to log-in to your Gmail account.
- Click on your profile picture near the top right corner and a box with a few options will appear. You will need to click on the blue button named “My Account”.
- A new tab will open with different kinds of options for your account. You will need to click on the “Sign-in & security” option.
- Under “Sign-in & security” there is an option named “Signing in to Google”. You will need to click that link next.
- Under the section “Signing in to Google” you need to click on the link option “2-Step Verification”
- You will now be taken to a page to begin the set-up process. You will need to click the blue button named "Start setup"
- You will be told to re-enter your password to continue with the set up process
- The first step of the set up process would be to enter a valid phone number to be able to be sent the codes. You will also need to choose how to receive the codes they will be sending you for verification.
- After you have entered the phone number a code will be sent to that number that you provided
- The third step will ask if you trust the computer you are using to set up the two step verification. Leave the box checked if you do and if you don’t then make sure to uncheck the box.
- The last step will just need you to confirm that you would like to turn on the 2-step verification.
- After confirming you will be sent an email that tells you that you have successfully turned on the 2-step verification. The set up process is now done and no more steps need to be taken.
Security techniques are getting better and better. Account recovery is one example. Previously, people only had to answer their security questions (the answers to which might be well known to other people) to be given their password: How To Hack A Celebrity: Miley Cyrus Is An Idiot Edition
If you set up a second e-mail address and your phone number, you now need access to those in order to recover your account. Of course you should provide this information to your service providers. Otherwise, like Miley Cyrus, you can be easily hacked. (Of course she should have provided fake answers that only she knew.)
Most online banking websites in the US now use dual authentication. They ask for your username and password but also for a security code they send to your mobile phone. This is much better than password-only authentication.
Besides these improvements in security, we have to come up with a new and better approach to authentication. People forget. That's the reason they use the same password for several sites. You cannot just say "don't do it"; they will do it. You cannot just say "use 1Password or one of its variants". As a security community it is our responsibility to take a better approach, one that brings more security as well as ease of use for regular users.
Security Policy and Compliance
- Ignore regulatory compliance requirements.
- Assume the users will read the security policy because you’ve asked them to.
- Use security templates without customizing them.
- Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you’re ready.
- Create security policies you cannot enforce.
- Enforce policies that are not properly approved.
- Blindly follow compliance requirements without creating overall security architecture.
- Create a security policy just to mark a checkbox.
- Pay someone to write your security policy without any knowledge of your business or processes.
- Translate policies in a multi-language environment without consistent meaning across the languages.
- Make sure none of the employees finds the policies.
- Assume that if the policies worked for you last year, they’ll be valid for the next year.
- Assume that being compliant means you’re secure.
- Assume that policies don’t apply to executives.
- Hide from the auditors.
- Deploy a security product out of the box without tuning it.
- Tune the IDS to be too noisy, or too quiet.
- Buy security products without considering the maintenance and implementation costs.
- Rely on anti-virus and firewall products without having additional controls.
- Run regular vulnerability scans, but don’t follow through on the results.
- Let your anti-virus, IDS, and other security tools run on “auto-pilot.”
- Employ multiple security technologies without understanding how each of them contributes.
- Focus on widgets, while omitting to consider the importance of maintaining accountability.
- Buy expensive product when a simple and cheap fix may address 80% of the problem.
- Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles.
- Make someone responsible for managing risk, but don’t give the person any power to make decisions.
- Ignore the big picture while focusing on quantitative risk analysis.
- Assume you don’t have to worry about security, because your company is too small or insignificant.
- Assume you’re secure because you haven’t been compromised recently.
- Be paranoid without considering the value of the asset or its exposure factor.
- Classify all data assets as “top secret.”
- Don’t review system, application, and security logs.
- Expect end-users to forgo convenience in place of security.
- Lock down the infrastructure so tightly, that getting work done becomes very difficult.
- Say “no” whenever asked to approve a request.
- Impose security requirements without providing the necessary tools and training.
- Focus on preventative mechanisms while ignoring detective controls.
- Have no DMZ for Internet-accessible servers.
- Assume your patch management process is working, without checking on it.
- Delete logs because they get too big to read.
- Expect SSL to address all security problems with your web application.
- Ban the use of external USB drives while not restricting outbound access to the Internet.
- Act superior to your counterparts on the network, system admin, and development teams.
- Stop learning about technologies and attacks.
- Adopt hot new IT or security technologies before they have had a chance to mature.
- Hire somebody just because he or she has a lot of certifications.
- Don’t apprise your manager of the security problems your efforts have avoided.
- Don’t cross-train the IT and security staff.
- Require your users to change passwords too frequently.
- Expect your users to remember passwords without writing them down.
- Impose overly-onerous password selection requirements.
- Use the same password on systems that differ in risk exposure or data criticality.
- Impose password requirements without considering the ease with which a password could be reset.
Thanks to Lenny Zeltser for his awesome cheat sheet. For the original document please see http://zeltser.com/security-management/suck-at-security-cheat-sheet.html. If you have any suggestions other than the ones above, let me know! firstname.lastname@example.org
One of my friends recently had a problem with one of his Gmail accounts. The account was compromised. He was sure that he was using a strong, unpredictable password. I asked him if he had ever used the internet in public places. His answer was no. He also uses an SSH proxy, so this cannot be a man-in-the-middle attack using ARP poisoning.
I am not sure whether Google's password database was attacked and compromised or it was just an individual problem, but I wanted to check my Gmail account to see what security features Gmail has.
My friend realized his account had been compromised once he discovered a backup e-mail address that he knew nothing about.
The problem is that even though he can change the password, the current sessions remain open. This is bad, since attackers can still read/send e-mail from his account.
After I checked my Gmail account I found the following:
As you see, Gmail tells us the last account activity by showing the login time.
If you click the details, you will see this screen:
There are 5 IPs listed here. Now you can check whether you see any unfamiliar IP. I saw one IP in there. I checked it on whatismyipaddress.com and was surprised it was from NY. I have an iPhone, so when I am on the 3G network I may use a NY IP. However, it was listed as IMAP instead of mobile, which made me a little uncomfortable.
I used my iPhone and checked whether it was using the same network number in the IP address field. Yes, it did! And I felt much better :)
There is a button at the upper left to sign out of all open sessions except the current one. This makes sure that we are now the only one using this account.
I hope you enjoy these tips :)
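The check done by hand above (is each IP on a network I recognise, and does the access type make sense for that network?) is easy to automate once you have the activity list in front of you. The following is an added example, not part of the original post and not Google's code: `KNOWN_NETWORKS`, the `Activity` rows and the addresses (RFC 5737 documentation ranges) are all constructed here, with IMAP from the mobile network deliberately treated as normal because a phone's mail client speaks IMAP, which is the case the post works through.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the networks this user recognises, using RFC 5737 documentation
# ranges as stand-ins, and the access types that are normal from each.
# IMAP from the mobile network is listed as normal because the phone's mail
# client speaks IMAP, which is exactly the case worked through in the post.
KNOWN_NETWORKS = {
    "home":   (ipaddress.ip_network("198.51.100.0/24"), {"Browser"}),
    "mobile": (ipaddress.ip_network("203.0.113.0/24"),  {"Mobile", "IMAP"}),
}


@dataclass
class Activity:
    """One row of a 'recent activity' table: access type, source IP, timestamp."""
    access_type: str
    ip: str
    when: str


# Constructed sample rows modelled on the five-entry activity list in the post.
SAMPLE_ACTIVITY = [
    Activity("Browser", "198.51.100.23", "2014-03-01 09:12"),
    Activity("Mobile",  "203.0.113.9",   "2014-03-01 12:40"),
    Activity("IMAP",    "203.0.113.9",   "2014-03-01 12:41"),   # phone mail client
    Activity("Browser", "198.51.100.23", "2014-03-02 08:05"),
    Activity("IMAP",    "192.0.2.77",    "2014-03-02 03:17"),   # neither home nor mobile
]


def classify(ip, known=KNOWN_NETWORKS):
    """Name of the known network containing ip, or None if it matches none."""
    addr = ipaddress.ip_address(ip)
    for name, (network, _) in known.items():
        if addr in network:
            return name
    return None


def review_activity(rows, known=KNOWN_NETWORKS):
    """Return (row, reason) pairs for entries the account owner should look at more closely."""
    findings = []
    for row in rows:
        name = classify(row.ip, known)
        if name is None:
            findings.append((row, "source IP is outside every known network"))
        elif row.access_type not in known[name][1]:
            findings.append((row, f"{row.access_type} access is unusual from the {name} network"))
    return findings


if __name__ == "__main__":
    for row, reason in review_activity(SAMPLE_ACTIVITY):
        print(f"{row.when}  {row.access_type:8s} {row.ip:15s} -> {reason}")
```

On the sample rows only the IMAP login from 192.0.2.77 is flagged; an IMAP entry from the home network would also be flagged, because the home network is only expected to show browser access. Any flagged row is the cue for the step the post ends with: change the password and sign out all other sessions, so the open session the attacker holds is closed too.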