Monday, 30 August 2010

Steam and no copy-paste passwords

I would like to share something with you.
Recently, I got a better Mac and wanted to try some games. Steam is a platform that allows games to be purchased and played with ease.

So I downloaded the Steam client for Mac. On startup it asked for my account details and gave me the option to create a new account.

And that is where this story starts. Apparently, the client does not allow a password to be pasted into the password box. That is a pity, as I could not create a strong password with 1Password and simply paste it there.
Next, I contacted Steam support and asked them why the paste function is disabled. This is what they responded:

=========

Hello,

A staff member has replied to your question:

Hello Vladimir, Thank you for contacting Steam Support. This is done for security reasons to prevent users from copying and pasting passwords into the login screen. This has always been the case for the password field on Steam. There are no plans to change this behavior within Steam. If you have any further questions please let me know.
=========

So, I would like to ask all of you security professionals what your opinion is. Is it a security risk to disable pasting passwords into a password field, and instead require users to remember them, likely making passwords less complex?

Don't be shy. I will share the results with the Steam support. I have started a LinkedIn poll.



- Posted using BlogPress from my iPad

Monday, 23 August 2010

Overcoming man in the middle attack on Strict Transport Security

Problem statement

I was listening to an excellent podcast by Steve Gibson today, on the subject of Strict Transport Security. As this is something I have been researching previously, it was a really interesting subject.

Strict Transport Security (STS) by Jeff Hodges is a truly great enhancement of the HTTP protocol that delivers end-to-end security for users, but there is still one glitch.

The first connection that is made to the server is still susceptible to man-in-the-middle attacks, for two reasons:
a) If I go to http://www.paypal.com my session can be intercepted by a man-in-the-middle attack and I never get redirected to the HTTPS site.
b) Even if I did, my browser will not enforce the strict certificate policy. A man in the middle can generate a self-signed certificate for www.paypal.com and I might click on "Accept" just to get to the site.

In both cases I might never establish a proper HTTPS connection to www.paypal.com, and hence never receive the STS header.
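To make the two cases above concrete, here is a toy model of the client-side STS policy cache. It is an added illustration for this post, not code from the post, from any browser, or from the STS specification; the host names, clock values and header strings in it are constructed sample data. It shows that a policy is only learned from an STS header received over HTTPS, so a client that has never completed an HTTPS connection to a host has nothing to enforce on its first plain-HTTP request, and nothing makes an untrusted certificate fatal on that first visit.

```python
"""Toy model of a browser-side Strict Transport Security (STS) policy cache.

Added illustration, not a browser's or the specification's code. Host names,
clock values and headers used with it are constructed sample data.
"""
import time
from dataclasses import dataclass

STS_HEADER = "Strict-Transport-Security"


@dataclass
class StsPolicy:
    expires_at: float          # absolute time (seconds) after which the policy lapses
    include_subdomains: bool


def parse_sts_header(value):
    """Parse 'max-age=N[; includeSubDomains]'.

    Returns (max_age_seconds, include_subdomains), or None when max-age is
    missing or is not a non-negative integer.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            raw = raw.strip().strip('"')
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class StsCache:
    """Per-host policies keyed by lower-cased host name."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be exercised offline
        self._policies = {}

    def record_response(self, host, scheme, headers):
        """Learn (or revoke) a policy from a response; True if the cache changed.

        The header is ignored on plain-HTTP responses: that is exactly the
        first-connection gap described in the post. (A real browser also
        ignores it when the HTTPS connection itself had certificate errors.)
        """
        if scheme != "https" or STS_HEADER not in headers:
            return False
        parsed = parse_sts_header(headers[STS_HEADER])
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:                               # max-age=0 revokes the policy
            return self._policies.pop(host, None) is not None
        self._policies[host] = StsPolicy(self._clock() + max_age, include_subdomains)
        return True

    def is_known_host(self, host):
        """True if an unexpired policy covers host directly or via includeSubDomains."""
        host = host.lower()
        now = self._clock()
        policy = self._policies.get(host)
        if policy is not None and policy.expires_at > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):                # walk up: a.b.c -> b.c -> c
            parent = self._policies.get(".".join(labels[i:]))
            if parent is not None and parent.expires_at > now and parent.include_subdomains:
                return True
        return False

    def plan_request(self, url):
        """Return (url_to_fetch, certificate_errors_fatal) for a navigation.

        Known host: the scheme is rewritten to https before any packet is sent
        and a bad certificate cannot be clicked through. Unknown host: the URL
        is used as typed and a bad certificate only yields a warning the user
        may accept, which is case (b) in the post.
        """
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0].split(":", 1)[0]
        if self.is_known_host(host):
            return "https://" + rest, True
        return url, False
```

Running `plan_request("http://www.paypal.com/login")` on a fresh cache returns the plain-HTTP URL with certificate errors non-fatal; only after `record_response` has seen the header over HTTPS does the same call return the HTTPS URL with errors fatal. The toy has no built-in list of known hosts, which is how browsers later closed this gap (a preloaded STS list shipped with the browser).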

Monday, 9 August 2010

LastPass or 1Password

I have been using 1Password on my Mac since the version. Then with the arrival of iPhone and later iPad 1Password folks were quick to introduce versions for these devices.

Sadly, there was no version for Windows. So I started looking around for another password management system that would work across all of my devices and operating systems. I found LastPass. If you want to know more about the security of LastPass, listen to the excellent Security Now! podcast (www.grc.com/sn).

However, now I am back at using 1Password. Why?

Saturday, 7 August 2010

Why so much fuss about RIM in the Middle East?

Who has not heard the story about RIM and the UAE, Saudi Arabia and potentially other countries?

Now it seems, at least as reported here: http://www.bbc.co.uk/news/technology-10896653

I wonder what this actually means:
1. Has RIM given in and allowed access to the data? That is something they say IS NOT possible (the encryption key is in the device only and there is no additional decryption key).
2. Have they secretly pushed out an application on RIM devices to spy on users?

But more importantly, the question should be raised: why is Saudi Arabia not targeting other mobile platforms? I am concerned that they already know how to spy on the traffic. Remember that other mobile services, namely iPhone, Android and Nokia phones to name a few, use POP3 and IMAP to receive emails. That means it is not the data that is encrypted, just the network connection. Splitting SSL connections at border gateways is not new, so the question is: is it already being done? Would the device give any warning of an untrusted certificate? And even if it did, users might not have any other choice than to accept it in order to receive and send emails.

This reinforces the security principle that security should be applied at various levels, and above all where it actually protects the data. It seems the RIM approach to email security is paying off.

What are your thoughts?


- Posted using BlogPress from my iPad

Tuesday, 3 August 2010

Troubles with Apple Mail and multiple certificates

Back from holidays, refreshed and blogging again.

Today I needed to send an email signed with my certificate issued by Czech authorities. I also have a VeriSign email certificate, and both are imported into my Keychain. I was looking for a way to tell Mail which certificate to use, but there is only one button:


I was searching on the Internet, and there are two ways to tell Apple Mail which certificate to use:
1. Go to Keychain Access and disable the certificates that should not be used, in my case the VeriSign certificate.
2. Delete all certificates and import them in the order I want to use them.

Come on Apple, even Outlook can do this, as can Thunderbird, which is by the way much better at handling PGP-secured emails.

I hope this helps someone.